Commit cdfb5ee8 authored by Nicolas Chauvat

chore(pkg): proof-reading release notes

parent 99aba98e8c6e
Pipeline #68151 passed with stages
in 8 minutes and 3 seconds
......@@ -4,9 +4,9 @@
🔒 Security, breaking changes
----------------------------
:file:`self.w` API has been changed to automatically escape arguments used to format the string to mitiage XSS attacks.
:file:`self.w` API has been changed to automatically escape arguments used to format the string to mitigate XSS attacks.
This means that instead of writting:
This means that instead of writing:
.. code:: python
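Review bot: The corrected sentence still marks `self.w` up with the `:file:` role, which is meant for file paths; since this line is being touched anyway, switch to `:meth:` or a plain double-backtick literal so the API name renders as code rather than as a path. The same applies to the other `:file:` uses in this section.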
......@@ -18,7 +18,7 @@ You need to write:
self.w("some %s string %s", a, b)
And CubicWeb will escapes all arguments given to :file:`self.w` which are :file:`a` and :file:`b` here.
And CubicWeb will escape all arguments given to :file:`self.w` which are :file:`a` and :file:`b` here.
If for a specific reason (for example generating javascript) you don't want to escape the arguments of :file:`self.w` you can use the :file:`escape` kwarg argument of :file:`self.w` like this:
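Review bot: The opt-out sentence that follows the corrected line ("you can use the escape kwarg argument") says when escaping can be turned off but not that the caller then becomes responsible for the values passed; since this section is the XSS notice, add one sentence stating that unescaped arguments must already be safe for the output context. "kwarg argument" is also redundant; "the escape keyword argument" reads better.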
......@@ -34,18 +34,18 @@ This is normally retrocompatible since :file:`self.w` old API with only one argu
Also note that :file:`UStringIO.write` function has also been modified to be compatible with :file:`self.w` new API (so if you are using it you won't need to port this code).
A CSRF protection machanism has been integrated in CubicWeb using Pyramid CSRF built in protection. Regarding breaking changes:
A CSRF protection machanism has been integrated in CubicWeb using Pyramid CSRF built-in protection. Regarding breaking changes:
- Cubicweb now only works **with pyramid**
- Cubicweb now **only works with pyramid**
- if you are only using cubicweb "web" without ajax and you have been doing advanced modification at the session management level this shouldn't break anything for you
- if you are doing POST/PUT/DELETE... requests using AJAX, you need to adapt you code to send the csrf_token otherwise all you requests will be denied. This is explain in the AJAX seciton of the documentation: :ref:`csrf_protection`
- if you are doing POST/PUT/DELETE... requests using AJAX, you need to adapt your code to send the csrf_token otherwise all you requests will be denied. This is explained in the AJAX section of the documentation: :ref:`csrf_protection`
The whole mechanism is explained in the documentation: :ref:`csrf_protection`
🚧 Other breaking changes
------------------------
We decide to stop releasing cubicweb as debian packages. Thanks for all the fishes.
We decided to stop releasing cubicweb as debian packages that we used on multi-purpose servers in favor of docker images that we run with docker-compose or on kubernetes. Thanks for all the fishes.
🎉 New features
--------------
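Review bot: The rewritten CSRF sentence still reads "machanism", and the rewritten AJAX bullet still has "all you requests will be denied" where "your" is meant; both are on lines this commit already changes, so fix them in the same pass. The bullet "Cubicweb now **only works with pyramid**" also spells the project differently from "CubicWeb" in the paragraph just above it.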
......@@ -55,12 +55,18 @@ We decide to stop releasing cubicweb as debian packages. Thanks for all the fish
👷 Bug fixes
-----------
- [reledit] display reledit for a relation if some conditions are satisfied ([1] the relation dont have rqlexpr permissions and can be deleted [2] at least one of related entites can be deleted)
- [reledit] display reledit for a relation if some conditions are satisfied ([1] the relation don't have rqlexpr permissions and can be deleted [2] at least one of related entites can be deleted)
- pyramid/predicates: avoid to show an error without a session connection
- be sure db-statement-timeout is not None
- correctly transform cubicweb.web.RemoteCallFailed into pyramid corresponding exceptions, this allow to propagate the correct content type (for example for json exceptions)
- "cubicweb-ctl list" now supports multiple dependencies constraints
🤷 Various changes
-----------------
- fix error cases when internationalizable is not defined on rdef
- improve docstring in web.views.basecontrollers
🤖 Continuous integration
------------------------
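Review bot: The corrected reledit entry is still ungrammatical: "the relation don't have" should be "the relation doesn't have", and "related entites" should be "related entities". The neighbouring entries "avoid to show an error" and "this allow to propagate" would benefit from the same proof-reading pass.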
......@@ -74,12 +80,6 @@ We decide to stop releasing cubicweb as debian packages. Thanks for all the fish
- trigger py3-* jobs on tox.ini/.gitlab-ci.yml/requirements modifications
- use gitlab readthedocs integration
🤷 Various changes
-----------------
- fix error cases when internationalizable is not defined on rdef
- improve docstring in web.views.basecontrollers
📋 Developer experience
--------------------
......
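Review bot: Dropping the "Various changes" section here, paired with its re-insertion after "Bug fixes" in the previous hunk, is a section reorder rather than proof-reading; mention the move in the commit message or split it into its own commit so the typo fixes stay easy to review.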