0.5.1 (8 Oct 2002): * (incompatible change for anyone doing HTTP upload with Quixote) Improved support for HTTP upload requests: any HTTP request with a Content-Type of "multipart/form-data" -- which is generally only used for uploads -- is now represented by HTTPUploadRequest, a subclass of HTTPRequest, and the uploaded files themselves are represented by Upload objects. See doc/upload.txt for details. * (possible incompatible changes for anyone subclassing Publisher, or using it for custom purposes) Various rearrangements and refactoring in the Publisher class. Added create_request() method, which takes responsibility for creating the HTTPRequest (or HTTPUploadRequest) object away from parse_request(). As a consequence, the signature of parse_request() has changed. Added process_request() method. Changed publish() so it catches exceptions coming from either parse_request() or process_request(). Consult the source code (publish.py) for details. * A new subpackage, quixote.server, is intended for code that publishes a Quixote application through HTTP, making it possible to run Quixote applications without having to configure Apache or some other full-blown Web server. Right now there's only an implementation on top of Medusa; contributions of support for Python's BaseHTTPServer, Twisted, or other frameworks would be welcome. * Modified SessionManager.maintain_session() so it explicitly removes a session if that session used to have useful info (ie. exists in the session manager), but no longer does (patch by Jon Corbet). * Make the PTL compiler a bit smarter about recognizing "template" lines; PTL code should now be able to use 'template' as an identifier, which is handy when converting existing Python code to PTL. * Replaced HTTPRequest.redirect() with a cleaner, more general version supplied by Andreas Kostyrka . Redirects to fully relative URLs (no leading slash) now work. * Added support for putting bits of JavaScript into HTML form documents: added HTTPResponse.add_javascript() to collect snippts of JavaScript code, and Form._render_javascript() to emit them as part of the HTML document. * Added global convenience functions get_path() and redirect(). * Change Publisher so it never modifies SCRIPT_NAME or PATH_INFO. * Fixed bug in quixote.sendmail._add_recip_headers(): it crashed if passed an empty list. * Factor out get_action_url() method in Form class. * Add the HTML version of the documentation to the source release. 0.5 (10 June 2002): * To fix installation problems on Win98 and Mac OS (pre OS X), setup.py now uses os.curdir instead of ''. * Overhauled handling of PublishError exceptions: Quixote now looks for the nearest _q_exception_handler() function in your application's namespace; the format_*error() methods of Publisher are gone. * Documented and overhauled the session management API. If you were previously using session management, you will almost certainly need to change your code; see doc/session-mgmt.txt and doc/session-upgrade.txt. If you've been wanting to use session management in your application but were put off by the lack of documentation, see doc/session-mgmt.txt. Specific changes: * removed the global singleton SessionManager object in session.py and several related functions * removed everything having to do with "application state", an unnecessary abstraction caused by premature over-generalization * removed the 'actual_user' attribute from Session -- it is specific to the MEMS Exchange and just confuses matters in Quixote * made most instance attributes of Session private * defined a sensible persistence API that should work with a wide variety of session persistence schemes * COOKIE_* config variables renamed to SESSION_COOKIE_* * Fix HTTPResponse so that the cookie domain and path can be None, and they will simply not be set in the cookie sent to the client -- that way the browser will simply do the right thing. Set COOKIE_DOMAIN and COOKIE_PATH in config.py to None, since that's usually fine. (You may need to set COOKIE_PATH to "/".) * Subtle but far-reaching change to the publishing algorithm: objects found by the publisher to handle the terminal component of a URL can now be strings as well as callables; a string simply substitutes for a callable's return value. The immediate reason for this was to allow _q_getname() functions to return a string, but a consequence is that you can now put static text in global variables and simply publish them. * Add CHECK_SESSION_ADDR config variable to control whether we check that requests in a session all come from the same IP address, as a defence against playback attacks. (Thanks to Jonathan Corbet.) * In error reports, print the traceback first, ahead of form variables, cookies, and the environment. * Include the HTTP_USER_AGENT variable in access log lines. * Add 'sort' option to SelectWidget class, to force the list of allowed values to be sorted in case-insensitive lexicographic order, with None first. 0.4.7 (18 Apr 2002): * Move ACCESS_TIME_RESOLUTION to SessionManager class. This was another embarrassing bug introduced in 0.4.5. * In http_request.py, make the test that prevents stdin from being consumed less restrictive (e.g. for PUT methods). * Add some simple test code. 0.4.6 (12 Apr 2002): * a last-minute patch to http_request.py just before release 0.4.5 broke extracting form data from GET requests -- fixed that 0.4.5 (11 Apr 2002): * The meaning of the DISPLAY_EXCEPTIONS configuration variable has changed. It's no longer a Boolean, and instead can take three different values: None (or any false value) [default] an "Internal Server Error" page that exposes no information about the traceback 'plain' a plain text page showing the traceback and the request variables 'html' a more elaborate HTML display showing the local variables and a few lines of context for each level of the traceback. (This setting requires the cgitb module that comes with Python 2.2.) (Idea and first version of the patch by David Ascher) * Fixed SessionManager.expire_session() method so it actually works (spotted by Robin Wohler). * Fixed docs so they don't refer to the obsolete URL_PREFIX configuration variable (spotted by Robin Wohler). * Various other documentation tweaks and improvements. * Fixed sample Apache rewrite rules in demo.txt and web-server.txt (spotted by Joel Shprentz). * Generate new form tokens when rendering a form rather then when intializing it. This prevents an extra token from being created when processing a valid form (suggested by Robin Wohler). * Ensure filenames are included in SyntaxError tracebacks from PTL modules. * Changed format of session cookies: they're now just random 64-bit numbers in hex. * Use HTTP 1.1 cache control headers ("Date" and "Expires") instead of the older "Pragma: no-cache". * In the form/widget library: make some effort to generate HTML that is XHTML-compliant. * New method: HTTPRequest.get_accepted_types() returns the MIME content types a client will accept as a dictionary mapping MIME type to the quality factor. (Example: {'text/html':1.0, 'text/plain':0.5, ...}) * Changed escape hatch for XML-RPC handlers; standard input will only be consumed when the HTTP method is POST and the Content-Type is either application/x-www-form-urlencoded or multipart/form-data. * Added quixote.util module to contain various miscellaneous utility functions. Right now, it contains a single function for processing requests as XML-RPC invocations. 0.4.4 (29 Jan 2002): * Simplify munging of SCRIPT_NAME variable, fixing a bug. Depending on how Quixote was called, the path could have been appended to SCRIPT_NAME without a separating slash. (Found by Quinn Dunkan.) * On Windows, set mode of sys.stdout to binary. This is important because responses may contain binary data. Also, EOL translation can throw off content length calculations. (Found by David Ascher) * Added a demonstration of the form framework. (Neil) * Added an escape hatch for XML-RPC handlers; http_request.process_inputs() will no longer consume all of standard input when the Content-Type is text/xml. * Removed a debug print from form.widget. 0.4.3 (17 Dec 2001): * Removed the URL_PREFIX configuration variable; it's not actually needed anywhere, and caused some user confusion. * Added FORM_TOKENS configuration variable to enable/disable unique form identifiers. (These are useful as a measure against cross-site request forgery [CSRF] attacks, but disabled by default because some form of persistent session management is required, which is not currently included with Quixote.) * Added demonstration and documentation for the widget classes (the first part of the Quixote Form Library). * Added HTTPResponse.set_content_type() method. * Fixed some minor bugs in the widget library. * Fixed to work with Python 2.2. * Greatly reduced the set of symbols imported by "from quixote import *" -- it's useful for interactive sessions. 0.4.2 (14 Nov 2001): * Made the quixote.sendmail module a bit more flexible and robust. * Fix so it doesn't blow up under Windows if debug logging is disabled (ie. write to NUL, not /dev/null). * Clarified some documenation inconsistencies, and added description of logging to doc/programming.txt. * Fixed some places that we forgot to update when the PTL-related modules were renamed. * Fixed ptl_compile.py so PTL tracebacks include the full path of source file(s). * Fixed bug where a missing _q_index() triggered a confusing ImportError; now it triggers a TraversalError, as expected. * Various fixes and improvements to the Config class. * Miscellaneous fixes to session.py. * Miscellaneous fixes to widget classes. * Reorganized internal PTL methods of the Form class. * Removed the "test" directory from the distribution, since it's not used for anything -- ie., there's no formal test suite yet ;-( 0.4.1 (10 Oct 2001): * Made access logging a little more portable (don't depend on Apache's REQUEST_URI environment variable). * Work around the broken value of PATH_INFO returned by IIS. * Work around IIS weird handling of SERVER_SECURE_PORT (for non-SSL requests, it is set to "0"). * Reassign sys.stderr so all application output to stderr goes to the Quixote error log. 0.4 (4 Oct 2001): * TraversalError now takes a public and a private message, instead of just a single message string. The private message is shown if SECURE_ERRORS is false; otherwise, the public message is shown. See the class docstring for TraversalError for more details. * Add the Quixote Form Library, a basic form and widget framework for HTML. * Allow classes and functions inside PTL modules. * Return a string object from templates rather than a TemplateIO instance. * Improve the security of session cookies. * Don't save empty sessions. * Detect expired sessions. * Add the quixote.sendmail module, useful for applications that need to send outgoing mail (as many web apps do). * Code reorganization -- various modules moved or renamed: quixote.util.fcgi -> quixote.fcgi quixote.compile_template -> quixote.ptl_compile quixote.imphooks -> quixote.ptl_import quixote.dumpptlc -> quixote.ptcl_dump * More code reorganization: the quixote.zope package is gone, as are the BaseRequest and BaseResponse modules. Only HTTPRequest and HTTPResponse survive, in the quixote.http_request and quixote.http_response modules. All remaining Zope-isms have been removed, so the code now looks much like the rest of Quixote. Many internal interfaces changed. * Added the quixote.mod_python module, contributed by Erno Kuusela . Allows Quixote applications to be driven by the Apache module mod_python, so no CGI or or FastCGI driver script is required. 0.3 (11 Jun 2001): * Now supports Python 2.1. * Names of the form __*__ are reserved for Python, and 2.1 is beginning to enforce this rule. Accordingly the Quixote special methods have been renamed: __access__ -> _q_access __exports__ -> _q_exports __getname__ -> _q_getname index -> _q_index * Massive changes to quixote.publisher and quixote.config, to make the publishing loop more flexible and more easily changed by applications. For example, it's now possible to catch the ZODB's ConflictErrors and retry an operation. * Added an ACCESS_LOG configuration setting, which allows setting up a file logging every call made to Quixote. * The error log now contains the time of each error, and a dump of the user's session object. * Added handy functions for getting request, session, user, etc.: quixote.get_publisher(), quixote.get_request(), quixote.get_session(), quixote.get_user(). * quixote.publish can now gzip-compress its output if the browser claims to support it. Only the 'gzip' and 'x-gzip' content encodings are supported; 'deflate' isn't because we couldn't get it to work reliably. Compression can be enabled by setting the 'compress_pages' config option to true. * Some fixes and minor optimizations to the FCGI code. * Added HTTPRequest.get_encoding() method to find the encodings a client accepts. 0.2 (16 Jan 2001): * Only pass HTTPRequest object to published functions. The HTTPResponse object is available as an attribute of the request. * Removed more unused Zope code from HTTPRequest. Add redirect() method to HTTPRequest. * Simplify HTTPResponse. __init__() no longer requires the server name. redirect() requires a full URL. * Fix a bug in the PTL compiler. PTL modules can now have doc strings. * Added a config parser. Individual Quixote applications can now have their own configuration settings (overriding the Quixote defaults). See the config.py module for details. * Re-wrote the exception handling code for exceptions raised inside of published functions. * Non-empty PATH_INFO is no longer supported. __getname__ or query strings are a cleaner solution. * Add FIX_TRAILING_SLASH option and make code changes to carefully preserve trailing slashes (ie. an empty component on the end of paths). * Session management has been over-hauled. DummySessionManager can be used for applications that don't require sessions. * Set Content-length header correctly in HTTPResponse object * Added a demo application. 0.1: * Officially given a license (the Python 1.6 license, so it's free software). * Added SECURE_ERRORS variable to prevent exception tracebacks from being returned to the Web browser * Added a __getname__() function to traversal, which is called if the current name isn't in the current namespace's export list. This allows interpolation of arbitrary user object IDs into the URL, which is why it has to circumvent the __exports__ check: the object IDs won't be known until runtime, so it would be silly to add them to __exports__. Very useful and powerful feature, but it has security implications, so be careful! * compile_template.py should now work for both Python 1.5.2 or 2.0. * Better reporting of syntax errors in PTL * Always assume regular CGI on Windows 0.02 (12 Aug 2000): * Neil Schemenauer has completely rewritten the PTL compiler and changed the syntax to match Python's. The compiler now relies on Jeremy Hylton's compiler code from the Python 2.0 CVS tree. * Added functions to quixote.sessions: get_session(), has_session(), get_app_state() * Simplified reload-checking logic * Added .browser_version() method to HTTPRequest * Various bugfixes * session classes slightly tweaked, so you can subclass them * Added .session attribute to request object * Added quixote.errors module to hold exceptions 0.01: * Initial release.