kinto

Bug fixes

• Fix cache heartbeat test (fixes #2107)
• Fix support of sqlalchemy.pool.NullPool for PostgreSQL backends.
  The default pool_size of 25 is maintained on the default pool class
  (QueuePoolWithMaxBacklog). When using custom connection pools, please
  refer to SQLAlchemy documentation for default values.

Internal changes

• Remove dependency to kinto-redis in core tests

New features

• Expose the user_profile in the user field of the hello page. (#1989)
• Add an "account validation" option to the accounts plugin. (#1973)
• Add a validate endpoint at /accounts/{user id}/validate/{validation key} which can be used to validate an account when the account
  validation option is enabled on the accounts plugin.
• Add a reset-password endpoint at /accounts/(user id)/reset-password which can be used to reset a user's password when the account validation option is enabled on the accounts plugin.

Bug fixes

• Fixed two potential bugs relating to mutable default values.
• Fix crash on validating records with errors in arrays (#1508)
• Fix crash on deleting multiple accounts (#2009)

Documentation

• Fixed spelling and Filtering docs

Internal changes

• Use setup.cfg for package metadata (ref #1921)

API is now at version 1.22. See API changelog

Bug fixes

• Loosen up the Content-Security policies in the Kinto Admin plugin to prevent Webpack inline script to be rejected (fixes #2000)

New features

• Expose the user_profile in the user field of the hello page with OpenID authentication (#1989)

Breaking changes

• Update Kinto OpenID plugin to redirect with a base64 JSON encoded token. (#1988).
  This will work with kinto-admin 1.23

Bug fixes

• security: Fix a pagination bug in the PostgreSQL backend that could leak records between collections

Internal changes

• Upgrade kinto-admin to v1.23.0

Bug fixes

• security: Fix a pagination bug in the PostgreSQL backend that could leak records between collections

Bug Fixes

• Fix bumping of tombstones timestamps when deleting objects in PostgreSQL storage backend (fixes #1981)
• Fix ETag header in responses of DELETE on plural endpoints (ref #1981)

Breaking changes

• Remove Python 3.5 support and upgrade to Python 3.6. (#1886)
• Remove record from UnicityError class (#1919). This enabled us to fix #1545.
• Storage backend API has changed, notions of collection and records were replaced
  by the generic terms resource and object. Plugins that subclass the internal
  ShareableResource class may also break.
• GET requests no longer include the Total-Records header. To get a count in a collection
  you need to do a HEAD request. And the new header name is Total-Objects. (#1624)
• Remove the UserResource class. And ShareableResource is now deprecated in
  favor of Resource.
• Removed kinto.core.utils.parse_resource(). Use kinto.core.utils.view_lookup_registry() instead (#1828)
• Remove the delete-collection command (#1959)

API is now at version 1.21. See API changelog.

New features

• Add a user-data endpoint at /__user_data__/ which can be used to delete all data
  associated with a principal. This might be helpful for pursuing GDPR
  compliance, for instance. (Fixes #442.)

Bug Fixes

• Like query now returns 400 when a non string value is used. (#1899)
• Record ID is validated if explicitly mentioned in the collection schema (#1942)
• The Memory permission backend implementation of remove_principal
  is now less generous with what it removes (#1955).

Documentation

• Change PostgreSQL backend URLs to be postgresql:// instead of the deprecated postgres://

Internal changes

• Remove depreciation warning for mapping (#1904)
• Fix depreciated warn method (#1903)
• Use f-string instead of % or format operators. (#1886)
• Ignore admin plugin node_modules folder while running black (#1902)
• Remove regexp py36 warnings. (#1907)
• Changed psycopg2 dependency for psycopg2-binary. (#1905)
• Renamed core notions (ie. record and collection) (#710)
• JSON Schema validation is optimized by keeping instances of validator cached. (#1807)

• Still supports jsonschema 2.6 before 3.0 is released as a production release. (#1923)

New features

• Return a 500 Internal Error on __version__ instead of 404 if the version file
  cannot be found (fixes #1841)

Bug fixes

• Fix the http_api_version exposed in the /v1/ endpoint. The
  version 1.20 was getting parsed as a number 1.2.
• Fix record:create not taken into account from settings. (fixes #1813)

Internal changes

• Build the admin on the CI. (#1857)
• Migrate JSON Hyper-Schema to Draft-07 (#1808)

Documentation

• Add documentation on troubleshooting Auth0 multiauth issue. (#1889)

New features

• Add ability to configure the project_name in settings, shown in the root URL (fixes #1809)
• Use . as bucket/collection separator in cache control settings (fixes #1815)

Bug fixes

• Fix missing favicon and inline images in kinto-admin plugin

Internal changes

• Use mock from the standard library.
• Blackify the whole code base (#1799, huge thanks to @Cnidarias for this!)
• Upgrade kinto-admin to v1.22

Breaking changes

• The basicauth policy is not used by default anymore (#1736)

If your application relies on this specific behaviour, you now have to add explicitly settings:

    multiauth.policies = basicauth

But it is recommended to use other authentication policies like the OpenID Connect or the accounts plugin instead.

    # Enable plugin.
    kinto.includes = kinto.plugins.accounts

    # Enable authenticated policy.
    multiauth.policies = account
    multiauth.policy.account.use = kinto.plugins.accounts.AccountsPolicy

    # Allow anyone to create their own account.
    kinto.account_create_principals = system.Everyone

You will find more details the authentication settings section of the documentation

Bug fixes

• Fix crash when querystring filter contains NUL (0x00) character (fixes #1704)
• Many bugs were fixed in the Kinto Admin UI (see v1.21.0)

Documentation

• Huge refactor of documentation about authentication (#1736)

Internal changes

• Upgrade kinto-admin to v1.21.0
• Deprecate assertEquals and use assertEqual (fixes #1780)
• Set schema to an instance instead of class (fixes #1781)
• Fix DeprecationWarning for unrecognized backslash escapes (#1758)

Bug fixes

• Fix OpenID login in Kinto-Admin (Kinto/kinto-admin#641)

Internal changes

• Upgrade kinto-admin to v1.20.2

Bug fixes

• Fix for adding extra OpenId providers (fixes #1509)
• Change the meaning of event.payload["timestamp"]. Previously it
  was @reifyd, which meant that it was calculated from before
  whatever thing triggered the event. Now we use a "fresh"
  timestamp. (Fixes #1469.)

Bug fixes

• Deleting a collection doesn't delete access_control_entrries for its children (fixes #1647)

New features

• The registry now has a "command" attribute during one-off commands
  such as kinto migrate. This can be useful for plugins that want
  to behave differently during a migration, for instance. (#1762)

10.0.0 (2018-08-16)

Breaking changes

• kinto.core.events.get_resource_events now returns a generator
  rather than a list.

New features

• Include Python 3.7 support.
• kinto.core.events.notify_resource_event now supports
  resource_name and resource_data. These are useful when
  emitting events from one view "as though" they came from another
  view.
• Resource events can now trigger other resource events, which are
  handled correctly. This might be handy if one resource wants to
  simulate events on another "virtual" resource, as in kinto-changes.

Bug fixes

• Raise a configuration error if the kinto.plugin.accounts is included without being enabled in policies.
  Without this kinto-admin would present a confusing login experience (fixes #1734).

Internal changes

• Upgrade kinto-admin to v1.20.0

Internal changes

• Upgrade to kinto-admin v1.19.2

Internal changes

• Upgrade to kinto-admin v1.19.1

Bug fixes

• Fixed bug where unresolved JSON pointers would crash server (fixes #1685)

Internal changes

• Update the Dockerfile with the new kinto --cache-backend option. (#1686)
• Upgrade to kinto-admin v1.19.0

API

• JSON schemas can now be defined in the bucket metadata and will apply to every
  underlying collection, group or record (fixes #1555)

API is now at version 1.20. See API changelog

New features

• Kinto Admin plugin now supports OpenID Connect
• Limit network requests to current domain in Kinto Admin using Content-Security Policies <https://hacks.mozilla.org/2016/02/implementing-content-security-policy/>_
• Prompt for cache backend type in kinto init (#1653)
• kinto.core.utils now has new features route_path_registry and
  instance_uri_registry, suitable for use when you don't
  necessarily have a request object around. The existing functions
  will remain in place.
• openid plugin will carry prompt=none querystring parameter if appended
  to authorize endpoint.

Internal changes

• Upgrade to kinto-admin v1.18.0

Security fix

• OpenID plugin used the same cache key for every access-token (fixes #1660)