kinto

Internal changes

• Correct spelling of GitHub.
• Upgrade to kinto-admin v1.17.2

API

• Batch endpoint now checks for and aborts any parent request if subrequest encounters 409 constraint violation (fixes #1569)

Bug fixes

• Fix a bug where you could not reach the last records via Next-Header when deleting with pagination (fixes #1170)
• Slight optimizations on the get_all query in the Postgres
  storage backend which should make it faster for result sets that
  have a lot of records (#1622). This is the first change meant to
  address #1507, though more can still be done.
• Fix a bug where the batch route accepted all content-types (fixes #1529)

Internal changes

• Upgrage to kinto-admin v1.17.1

API

• Introduce contains and contains_any filter operators (fixes #343).

API is now at version 1.19. See API changelog.

Breaking changes

• The storage class now exposes bump_timestamp() and bump_and_store_timestamp() methods
  so that memory based storage backends can use them. (#1596)

Internal changes

• Authentication policies can now hard code and override the name specified in settings

Documentation

• Version number is taken from package in order to ease release process (#1594)
• Copyright year is now dynamic (#1595)

Internal changes

• Upgrade the kinto-admin UI to 1.17.0

Security fix

• Validate the account user password even when the session is cached (fixes #1583).
  Since Kinto 8.2.0 the account plugin had a security flaw where the password wasn't verified during the session duration.

Security fix

• Validate the account user password even when the session is cached (fixes #1583).
  Since Kinto 8.2.0 the account plugin had a security flaw where the password wasn't verified during the session duration.

New features

• Add bucket and account creation permissions in the permissions endpoint (fixes #1510)

Bug fixes

• Reduce the OpenID state string length to fit in the PostgreSQL cache backend (fixes #1566)

Documentation

• Improve OpenID settings and API documentation

Internal Changes

• Now fully rely on Pyup.io (or contributors) to update the versions in the requirements.txt file (fixes #1512)
• Move from importing pip to running it in a subprocess (see https://github.com/pypa/pip/issues/5081).
• Remove useless print when using the OpenID policy (ref #1509)
• Try to recover from the race condition where two requests can delete the same record. (Fix #1557; refs #1407.)

Internal changes

• Fix kinto-admin dependency error in 8.2.1 to actually really upgrade it to 1.15.1

Internal changes

• Upgraded the kinto-admin to version 1.15.1
• Upgraded newrelic to 2.106.1.88

New features

• Add Openid connect support (#939, #1425). See demo
• Account plugin now caches authentication verification (#1413)

Bug fixes

• Fix missing principals from user info in root URL when default bucket plugin is enabled (fixes #1495)
• Fix crash in Postgresql when the value of url param is empty (fixes #1305)

Internal changes

• Upgraded the kinto-admin to version 1.15.0

Bug fixes

• Restore "look before you leap" behavior in the Postgres storage
  backend create() method to check whether a record exists before
  running the INSERT query (#1487). This check is "optimistic" in the sense
  that we can still fail to INSERT after the check succeeded, but it
  can reduce write load in configurations where there are a lot of
  create()s (i.e. when using the default_bucket plugin).

Bug fixes

• Allow inherited resources to set a custom model instance before instantiating (fixes #1472)
• Fix collection timestamp retrieval when the stack is configured as readonly (fixes #1474)

Bug fixes

• Optimize the PostgreSQL permission backend's
  delete_object_permissions function in the case where we are only
  matching one object_id (or object_id prefix).

Bug fixes

• Flushing a server no longer breaks migration of the storage backend
  (#1460). If you have ever flushed a server in the past, migration
  may be broken. This version of Kinto tries to guess what version of
  the schema you're running, but may guess wrong. See
  https://github.com/Kinto/kinto/wiki/Schema-versions for some
  additional information.

Internal changes

• We now allow migration of the permission backend's schema.

Operational concerns

• The schema for the Postgres permission backend has changed. This
  changes another ID column to use the "C" collation, which should
  speed up the delete_object_permissions query when deleting a
  bucket.

Operational concerns

• The schema for the Postgres storage backend has changed. This
  changes some more ID columns to use the "C" collation, which fixes a
  bug where the bump_timestamps trigger was very slow.

Internal changes

• Introduce an experimental setting,
  experimental_disable_purge_deleted, which can be used to try to
  diagnose excessive CPU usage in production.

Internal changes

• Update the Docker compose configuration to use memcache for the cache backend (#1405)
• Refactor the way postgresql.storage.create_from_settings ignores settings (#1410)

Operational concerns

• The schema for the Postgres storage backend has changed. This
  changes some ID columns to use the "C" collation, which will make
  delete_all queries faster. (See
  e.g. https://www.postgresql.org/docs/9.6/static/indexes-opclass.html,
  which says "If you do use the C locale, you do not need the
  xxx_pattern_ops operator classes, because an index with the default
  operator class is usable for pattern-matching queries in the C
  locale.") This may change the default sort order and grouping of
  record IDs.

New features

• New setting kinto.backoff_percentage to only set the backoff header a portion of the time.
• make tdd allows development in a TDD style by rerunning tests every time a file is changed.

Bug fixes

• Optimize the Postgres collection_timestamp method by one query. It
  now only makes two queries instead of three.
• Update other dependencies: newrelic to 2.98.0.81 (#1409), setuptools
  to 38.4.0 (#1411, #1429, #1438, #1440), pytest to 3.3.2 (#1412,
  #1437), raven to 6.4.0 (#1421), werkzeug to 0.14.1 (#1418, #1434),
  python-memcached to 1.59 (#1423), zest.releaser to 6.13.3 (#1427),
  bravado_core to 4.11.2 (#1426, #1441), statsd to 3.2.2 (#1422),
  jsonpatch to 1.21 (#1432), sqlalchemy to 1.2.0 (#1430), sphinx to
  1.6.6 (#1442).

Internal changes

• Remove the FOR UPDATE locking from the delete_all query, on the
  off chance that it's somehow related to the increased CPU
  utilization we're seeing.

Internal changes

• Optimize the Postgres collection_timestamp method by one query. It
  now only makes two queries instead of three.

Breaking changes

• Storage backends no longer support the ignore_conflict
  argument (#1401). Instead of using this argument, consider catching the
  UnicityError and handling it. ignore_conflict was only ever
  used in one place, in the default_bucket plugin, and was
  eventually backed out in favor of catching and handling a
  UnicityError.

Bug fixes

• Fix a TOCTOU bug in the Postgres storage backend where a transaction
  doing a create() would fail because a row had been inserted after
  the transaction had checked for it (#1376).

Operational concerns

• The schema for the Postgres storage backend has changed. This
  lets us prevent a race condition where deleting and creating a thing
  at the same time can leave it in an inconsistent state (#1386). You
  will have to run the kinto migrate command in order to migrate
  the schema.

Bug fixes

• Document how to create an account using the POST /accounts endpoint (#1385).

Internal changes

• Update dependency on pytest to move to 3.3.0 (#1403).
• Update other dependencies: setuptools to 38.2.1 (#1380, #1381,
  #1392, #1395), jsonpatch to 1.20 (#1393), zest.releaser to 6.13.2
  (#1397), paste-deploy to 0.4.2 (#1384), webob to 1.7.4 (#1383),
  simplejson to 3.13.2 (#1389, #1390).
• Undo workaround for broken kinto-http.js in the kinto-admin plugin
  (#1382).

Bug fixes

• Fix kinto-admin loading.