Quixote 0.4.6 CHANGES * a last-minute patch to http_request.py just before release 0.4.5 broke extracting form data from GET requests -- fixed that 0.4.5 (11 Apr 2002): * The meaning of the DISPLAY_EXCEPTIONS configuration variable has changed. It's no longer a Boolean, and instead can take three different values: None (or any false value) [default] an "Internal Server Error" page that exposes no information about the traceback 'plain' a plain text page showing the traceback and the request variables 'html' a more elaborate HTML display showing the local variables and a few lines of context for each level of the traceback. (This setting requires the cgitb module that comes with Python 2.2.) (Idea and first version of the patch by David Ascher) * Fixed SessionManager.expire_session() method so it actually works (spotted by Robin Wohler). * Fixed docs so they don't refer to the obsolete URL_PREFIX configuration variable (spotted by Robin Wohler). * Various other documentation tweaks and improvements. * Fixed sample Apache rewrite rules in demo.txt and web-server.txt (spotted by Joel Shprentz). * Generate new form tokens when rendering a form rather then when intializing it. This prevents an extra token from being created when processing a valid form (suggested by Robin Wohler). * Ensure filenames are included in SyntaxError tracebacks from PTL modules. * Changed format of session cookies: they're now just random 64-bit numbers in hex. * Use HTTP 1.1 cache control headers ("Date" and "Expires") instead of the older "Pragma: no-cache". * In the form/widget library: make some effort to generate HTML that is XHTML-compliant. * New method: HTTPRequest.get_accepted_types() returns the MIME content types a client will accept as a dictionary mapping MIME type to the quality factor. (Example: {'text/html':1.0, 'text/plain':0.5, ...}) * Changed escape hatch for XML-RPC handlers; standard input will only be consumed when the HTTP method is POST and the Content-Type is either application/x-www-form-urlencoded or multipart/form-data. * Added quixote.util module to contain various miscellaneous utility functions. Right now, it contains a single function for processing requests as XML-RPC invocations. 0.4.4 (29 Jan 2002): * Simplify munging of SCRIPT_NAME variable, fixing a bug. Depending on how Quixote was called, the path could have been appended to SCRIPT_NAME without a separating slash. (Found by Quinn Dunkan.) * On Windows, set mode of sys.stdout to binary. This is important because responses may contain binary data. Also, EOL translation can throw off content length calculations. (Found by David Ascher) * Added a demonstration of the form framework. (Neil) * Added an escape hatch for XML-RPC handlers; http_request.process_inputs() will no longer consume all of standard input when the Content-Type is text/xml. * Removed a debug print from form.widget. 0.4.3 (17 Dec 2001): * Removed the URL_PREFIX configuration variable; it's not actually needed anywhere, and caused some user confusion. * Added FORM_TOKENS configuration variable to enable/disable unique form identifiers. (These are useful as a measure against cross-site request forgery [CSRF] attacks, but disabled by default because some form of persistent session management is required, which is not currently included with Quixote.) * Added demonstration and documentation for the widget classes (the first part of the Quixote Form Library). * Added HTTPResponse.set_content_type() method. * Fixed some minor bugs in the widget library. * Fixed to work with Python 2.2. * Greatly reduced the set of symbols imported by "from quixote import *" -- it's useful for interactive sessions. 0.4.2 (14 Nov 2001): * Made the quixote.sendmail module a bit more flexible and robust. * Fix so it doesn't blow up under Windows if debug logging is disabled (ie. write to NUL, not /dev/null). * Clarified some documenation inconsistencies, and added description of logging to doc/programming.txt. * Fixed some places that we forgot to update when the PTL-related modules were renamed. * Fixed ptl_compile.py so PTL tracebacks include the full path of source file(s). * Fixed bug where a missing _q_index() triggered a confusing ImportError; now it triggers a TraversalError, as expected. * Various fixes and improvements to the Config class. * Miscellaneous fixes to session.py. * Miscellaneous fixes to widget classes. * Reorganized internal PTL methods of the Form class. * Removed the "test" directory from the distribution, since it's not used for anything -- ie., there's no formal test suite yet ;-( 0.4.1 (10 Oct 2001): * Made access logging a little more portable (don't depend on Apache's REQUEST_URI environment variable). * Work around the broken value of PATH_INFO returned by IIS. * Work around IIS weird handling of SERVER_SECURE_PORT (for non-SSL requests, it is set to "0"). * Reassign sys.stderr so all application output to stderr goes to the Quixote error log. 0.4 (4 Oct 2001): * TraversalError now takes a public and a private message, instead of just a single message string. The private message is shown if SECURE_ERRORS is false; otherwise, the public message is shown. See the class docstring for TraversalError for more details. * Add the Quixote Form Library, a basic form and widget framework for HTML. * Allow classes and functions inside PTL modules. * Return a string object from templates rather than a TemplateIO instance. * Improve the security of session cookies. * Don't save empty sessions. * Detect expired sessions. * Add the quixote.sendmail module, useful for applications that need to send outgoing mail (as many web apps do). * Code reorganization -- various modules moved or renamed: quixote.util.fcgi -> quixote.fcgi quixote.compile_template -> quixote.ptl_compile quixote.imphooks -> quixote.ptl_import quixote.dumpptlc -> quixote.ptcl_dump * More code reorganization: the quixote.zope package is gone, as are the BaseRequest and BaseResponse modules. Only HTTPRequest and HTTPResponse survive, in the quixote.http_request and quixote.http_response modules. All remaining Zope-isms have been removed, so the code now looks much like the rest of Quixote. Many internal interfaces changed. * Added the quixote.mod_python module, contributed by Erno Kuusela <erno@iki.fi>. Allows Quixote applications to be driven by the Apache module mod_python, so no CGI or or FastCGI driver script is required. 0.3 (11 Jun 2001): * Now supports Python 2.1. * Names of the form __*__ are reserved for Python, and 2.1 is beginning to enforce this rule. Accordingly the Quixote special methods have been renamed: __access__ -> _q_access __exports__ -> _q_exports __getname__ -> _q_getname index -> _q_index * Massive changes to quixote.publisher and quixote.config, to make the publishing loop more flexible and more easily changed by applications. For example, it's now possible to catch the ZODB's ConflictErrors and retry an operation. * Added an ACCESS_LOG configuration setting, which allows setting up a file logging every call made to Quixote. * The error log now contains the time of each error, and a dump of the user's session object. * Added handy functions for getting request, session, user, etc.: quixote.get_publisher(), quixote.get_request(), quixote.get_session(), quixote.get_user(). * quixote.publish can now gzip-compress its output if the browser claims to support it. Only the 'gzip' and 'x-gzip' content encodings are supported; 'deflate' isn't because we couldn't get it to work reliably. Compression can be enabled by setting the 'compress_pages' config option to true. * Some fixes and minor optimizations to the FCGI code. * Added HTTPRequest.get_encoding() method to find the encodings a client accepts. 0.2 (16 Jan 2001): * Only pass HTTPRequest object to published functions. The HTTPResponse object is available as an attribute of the request. * Removed more unused Zope code from HTTPRequest. Add redirect() method to HTTPRequest. * Simplify HTTPResponse. __init__() no longer requires the server name. redirect() requires a full URL. * Fix a bug in the PTL compiler. PTL modules can now have doc strings. * Added a config parser. Individual Quixote applications can now have their own configuration settings (overriding the Quixote defaults). See the config.py module for details. * Re-wrote the exception handling code for exceptions raised inside of published functions. * Non-empty PATH_INFO is no longer supported. __getname__ or query strings are a cleaner solution. * Add FIX_TRAILING_SLASH option and make code changes to carefully preserve trailing slashes (ie. an empty component on the end of paths). * Session management has been over-hauled. DummySessionManager can be used for applications that don't require sessions. * Set Content-length header correctly in HTTPResponse object * Added a demo application. 0.1: * Officially given a license (the Python 1.6 license, so it's free software). * Added SECURE_ERRORS variable to prevent exception tracebacks from being returned to the Web browser * Added a __getname__() function to traversal, which is called if the current name isn't in the current namespace's export list. This allows interpolation of arbitrary user object IDs into the URL, which is why it has to circumvent the __exports__ check: the object IDs won't be known until runtime, so it would be silly to add them to __exports__. Very useful and powerful feature, but it has security implications, so be careful! * compile_template.py should now work for both Python 1.5.2 or 2.0. * Better reporting of syntax errors in PTL * Always assume regular CGI on Windows 0.02 (12 Aug 2000): * Neil Schemenauer has completely rewritten the PTL compiler and changed the syntax to match Python's. The compiler now relies on Jeremy Hylton's compiler code from the Python 2.0 CVS tree. * Added functions to quixote.sessions: get_session(), has_session(), get_app_state() * Simplified reload-checking logic * Added .browser_version() method to HTTPRequest * Various bugfixes * session classes slightly tweaked, so you can subclass them * Added .session attribute to request object * Added quixote.errors module to hold exceptions 0.01: * Initial release.