Laurent Peuch <cortex@worlddomination.be> [Wed, 15 May 2019 12:06:15 +0200] rev 12601
[pyramid/misc] remove useless variable
Laurent Peuch <cortex@worlddomination.be> [Wed, 15 May 2019 12:05:52 +0200] rev 12600
[pyramid/test] add test for pyramid.ini generation
Denis Laxalde <denis.laxalde@logilab.fr> [Wed, 15 May 2019 15:44:35 +0200] rev 12599
Added tag 3.26.10 for changeset 74cc5de1ee6c
Denis Laxalde <denis.laxalde@logilab.fr> [Wed, 15 May 2019 15:44:26 +0200] rev 12598
[pkg] Version 3.26.10
Philippe Pepiot <philippe.pepiot@logilab.fr> [Fri, 10 May 2019 16:07:32 +0200] rev 12597
Move CWSchemaTC to RQLExpressionTC
The test actually doesn't require a cubicweb schema, except for testing
EmailAdress which is out of scope of the test (testing RQLExpression.transform_has_permission()).
Just move the test in existing RQLExpressionTC inheriting from TestCase and
rename the tests to be more explicit.
Denis Laxalde <denis.laxalde@logilab.fr> [Wed, 17 Apr 2019 16:41:41 +0200] rev 12596
[skeleton] Drop py27 tox environment
Since we dropped py2 support from cubicweb, it does not make
much sense to keep it in skeleton from now on.
Denis Laxalde <denis.laxalde@logilab.fr> [Wed, 17 Apr 2019 15:30:42 +0200] rev 12595
[skeleton] Do not ship Debian and RPM packaging files in sdist
Denis Laxalde <denis.laxalde@logilab.fr> [Wed, 17 Apr 2019 15:06:57 +0200] rev 12594
[skeleton] Add a check-manifest tox environment
Philippe Pepiot <philippe.pepiot@logilab.fr> [Fri, 10 May 2019 16:04:37 +0200] rev 12593
Fix pyramid tests
Followup fa292e9 which require cubicweb.session.secret to be set.
Philippe Pepiot <philippe.pepiot@logilab.fr> [Fri, 10 May 2019 11:42:24 +0200] rev 12592
Fix flake8 and check-manifest
Followup fa292e9
Philippe Pepiot <philippe.pepiot@logilab.fr> [Fri, 10 May 2019 15:58:01 +0200] rev 12591
Merge 3.26
This fixes tests with psycopg2
Laurent Peuch <cortex@worlddomination.be> [Wed, 08 May 2019 21:37:13 +0200] rev 12590
DeprecationWarning: In future versions of Waitress clear_untrusted_proxy_headers will be set to True by default. You may opt-out by setting this value to False, or opt-in explicitly by setting this to True.
Source: https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html?highlight=clear_untrusted_proxy_headers
> This tells Waitress to remove any untrusted proxy headers ("Forwarded",
> "X-Forwared-For", "X-Forwarded-By", "X-Forwarded-Host", "X-Forwarded-Port",
> "X-Forwarded-Proto") not explicitly allowed by trusted_proxy_headers.
According to grep we don't use any of those headers so let's turn it on for
security reasons.
Laurent Peuch <cortex@worlddomination.be> [Wed, 08 May 2019 21:30:44 +0200] rev 12589
DeprecationWarning: The default pickle serializer is deprecated as of Pyramid 1.9 and it will be changed to use pyramid.session.JSONSerializer in version 2.0. Explicitly set the serializer to avoid future incompatibilities
. See "Upcoming Changes to ISession in Pyramid 2.0" for more information about this change.
As describe here https://docs.pylonsproject.org/projects/pyramid/en/1.10-branch/narr/sessions.html#pickle-session-deprecation
use a serializer that fallback on pickle if needed to avoid impacting users.
Laurent Peuch <cortex@worlddomination.be> [Wed, 08 May 2019 20:53:49 +0200] rev 12588
[pyramid/enh] generate pyramid.ini "create" and on "pyramid" command if needed
Laurent Peuch <cortex@worlddomination.be> [Wed, 08 May 2019 21:00:45 +0200] rev 12587
DeprecationWarning: The SafeConfigParser class has been renamed to ConfigParser in Python 3.2. This alias will be removed in future versions. Use ConfigParser directly instead.
Denis Laxalde <denis.laxalde@logilab.fr> [Mon, 08 Apr 2019 11:24:53 +0200] rev 12586
Account for new psycopg2 exception classes mapping
From psycopg2 >= 2.8, specific exceptions are raised corresponding to
postgresql errors. E.g. a CheckViolation exception is raised instead of
a generic IntegrityError previously when a constraint violation occurs.
The way we intercept database errors, especially for constraint
violation, is not compliant with that because we do not catch subclasses
of IntegrityError in native source's doexec() method.
We fix this by checking for the presence of IntegrityError error in
exception class's mro. This is still overcomplicated and clumsy, because
we still use string comparison, but this is the best we can do as far as
I know. (A better fix would be 'isinstance(ex, IntegrityError)' but we
have no engine-independent error classes, so this is not possible.
Something like sqlalchemy's DBAPI Errors [1] might help:
https://docs.sqlalchemy.org/en/latest/errors.html#dbapi-errors)
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 02:26:28 +0200] rev 12585
[cubicweb-ctl] remove "cubicweb-ctl wsgi" command following pyramid standardization
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 12:31:14 +0200] rev 12584
Use secure hash algorithm in WebConfiguration.sign_text
Fix: PendingDeprecationWarning: HMAC() without an explicit digestmod argument is deprecated.
The default hash algorithm used by hmac.new is md5. As of today, md5 is so weak
that it's the equivalent of plaintext and can't be considered to be secured at all.
Therefor, we switch to a secure hash algorithm.
The rational for choosing sha3_512 is:
* the recommended algorithm is at least sha_256
* the stronger, the more secured and sha3_512 is the stronger available
* thinking about the future this should keep this part of the code safe long
enough before people think about checking it again
You can read more about choosing a secure hash algorithm in the NIST
recommendations https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions
This code modification should normally be transparent since check_text_sign is
exactly this code 'self.sign_text(text) == signature' and that sign_text is
only used in combination with it. The only impact is that the hash is going to
move from 32 char to 128 which might make html page a bit bigger and that
sha3_512 is slow to compute (which is a good thing for security)
Laurent Peuch <cortex@worlddomination.be> [Tue, 23 Apr 2019 09:33:52 +0200] rev 12583
[enh] don't catch all exceptions in notification hooks during tests
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:09:36 +0200] rev 12582
[doc] add a reference to static-messages.pot usage
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:10:35 +0200] rev 12581
[doc] Clarify sentences
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:05:13 +0200] rev 12580
[doc] Fix format and typo
Nsukami Patrick <ndkpatt at gmail dot com> [Thu, 18 Apr 2019 04:40:23 +0000] rev 12579
Fix DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated
Nsukami Patrick <ndkpatt at gmail dot com> [Thu, 18 Apr 2019 04:34:34 +0000] rev 12578
Fix DeprecationWarning: invalid escape sequence
Philippe Pepiot <philippe.pepiot@logilab.fr> [Tue, 16 Apr 2019 15:49:03 +0200] rev 12577
[devtools/testlib] avoid hidding AttributeError in create_user()
commit() might raise a AttributeError too.
Use getattr(req, 'cnx', req) instead, which is a form already used to get the real cnx
in some code:
cubicweb/rset.py:577: cnx = getattr(self.req, 'cnx', self.req)
cubicweb/schema.py:353: with getattr(_cw, 'cnx', _cw).security_enabled(read=False):
We could use if hasattr(req, 'commit') here too but it lead to 3 additionals lines.
Maybe we should have commit() and rollback() on
cubicweb.web.request.ConnectionCubicWebRequestBase too ?
Nsukami Patrick <ndkpatt at gmail dot com> [Wed, 10 Apr 2019 17:59:17 +0000] rev 12576
Fix DeprecationWarning: invalid escape sequence \
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 11:56:13 +0200] rev 12575
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 13:52:17 +0200] rev 12574
[mod] remove backward compatible code for passlib and force modern version
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 11:54:42 +0200] rev 12573
DeprecationWarning: Please use assertEqual instead.
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 17:25:40 +0200] rev 12572
DeprecationWarning: Please use assertRaisesRegex instead.
Laurent Peuch <cortex@worlddomination.be> [Thu, 11 Apr 2019 20:15:09 +0200] rev 12571
DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()
Laurent Peuch <cortex@worlddomination.be> [Thu, 11 Apr 2019 16:47:27 +0200] rev 12570
[README] add testing instructions
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 12:19:03 +0200] rev 12569
Add pytest-subtests to dev requirements
This pytest plugin adds support for unittest's TestCase.subTest (for
Python >= 3.4). Since we we now only support python3 and since we use a
fair amount of these, let's benefit of better reporting by using this
plugin.
Denis Laxalde <denis.laxalde@logilab.fr> [Tue, 26 Mar 2019 16:22:31 +0100] rev 12568
[test] use unittest.mock instead of mock library
Now that we use Python 3 only, this is possible.
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:58:19 +0200] rev 12567
Drop python2 support
This mostly consists in removing the dependency on "six" and updating
the code to use only Python3 idioms.
Notice that we previously used TemporaryDirectory from
cubicweb.devtools.testlib for compatibility with Python2. We now
directly import it from tempfile.
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:21:14 +0200] rev 12566
Merge with 3.26
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:40:02 +0200] rev 12565
Remove unused imports in cubicweb.pyramid.config
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:20:01 +0200] rev 12564
Added tag 3.26.9 for changeset 4d6909de765a
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:19:56 +0200] rev 12563
[pkg] Version 3.26.9
Laurent Peuch <cortex@worlddomination.be> [Tue, 12 Feb 2019 17:00:55 +0100] rev 12562
[pyramid/security] use cryptographically secure random generator
Based on django source code in case SystemRandom is not available.
According to python documentation:
https://docs.python.org/2/library/random.html
> Warning
> The pseudo-random generators of this module should not be used for security
> purposes. Use os.urandom() or SystemRandom if you require a cryptographically
> secure pseudo-random number generator.
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 14:11:40 +0200] rev 12561
Reclosing branch after merge
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 13:49:34 +0200] rev 12560
Merging heads of old, closed branch
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 14:08:10 +0200] rev 12559
Reclosing branch after merge
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 13:45:23 +0200] rev 12558
Merging heads of old, closed branch
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:15:28 +0100] rev 12557
[doc/changes] document that legacy cube support has been dropped
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:13:12 +0100] rev 12556
[doc] replace legacy import to new style cube import in various places
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:09:29 +0100] rev 12555
[web/views] drop deprecated module cubicweb.web.views.timeline
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:06:02 +0100] rev 12554
[web/views] drop deprecated module cubicweb.web.views.massmailing
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:05:35 +0100] rev 12553
[web/views] drop deprecated module cubicweb.web.views.isioc
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:04:51 +0100] rev 12552
[web/views] drop deprecated module cubicweb.web.views.embedding
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:04:07 +0100] rev 12551
[web/views] drop deprecated module cubicweb.web.views.igeocodable
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:00:55 +0100] rev 12550
[pyramid/core] drop fallback import of legacy cubes
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 10:33:54 +0100] rev 12549
[cwconfig] drop importing legacy cubes
This finally drop support for legacy cubes.
In cwconfig, don't load modules in the "cubes" namespace.
In cube_pkginfo() handle CW_MIGRATION_MAP which wasn't working with new style cube.
Drop all method specific to legacy cubes importer: cubes_search_path(), extrapath(), cls_adjust_sys_path()
Drop environment variables related to legacy cubes: CW_CUBES_PATH and CW_CUBES_DIR
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 10:11:36 +0100] rev 12548
[doc] better documentation for "cubicweb-ctl newcube"
cubicweb-ctl newcube create cubicweb-<name> in current directory.
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 10:09:49 +0100] rev 12547
[test] make unittest_cwconfig.py does not depend on legacy cube machinery
By dropping legacy cube tests in various places.
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 10:07:02 +0100] rev 12546
[devtools/test] drop legacy cube i18n tests
test_i18ncube_legacy_layout() is droped and make others tests uses a new style
cube "cubicweb_i18ntestcube", so it doesn't depends on legacy cube machinery.