Here you can see the full list of changes between each Eve release.
Unreleased
- Replace the broken ``make audit`` shortcut with ``make check``, then add the command to ``CONTRIBUTING.rst`` where it is missing. (#1144)
- Fix documentation builds on Read the Docs. (#1147)
- Add an ``ISSUE_TEMPLATE.md`` GitHub template file. (#1146)
- Install a bot that flags and closes stale issues/pull requests (#1145)
- Improve changelog format to reduce noise and increase readability. (#1143)
- Only set the package version in ``__init__.py``. (#1142)
Released on May 10, 2018.
Note
Make sure you read the :ref:`Breaking Changes <breaking_changes>` section below.
- New: support for partial media requests. Clients can request partial file downloads by adding a ``Range`` header to their media request (#1050).
- New: Renderer classes. ``RENDERERS`` allows changing the enabled renderers. Defaults to ``['eve.render.JSONRenderer', 'eve.render.XMLRenderer']``. You can create your own renderer by subclassing ``eve.render.Renderer``. Each renderer should set valid mime attr and have ``.render()`` method implemented. Please note that at least one renderer must always be enabled (#1092).
- New: ``on_delete_resource_originals`` fired when soft deletion occurs (#1030).
- New: ``before_aggregation`` and ``after_aggregation`` event hooks allow attaching custom callbacks to aggregation endpoints (#1057).
- New: ``JSON_REQUEST_CONTENT_TYPES`` or supported JSON content types. Useful when you need support for vendor-specific json types. Please note: responses will still carry the standard ``application/json`` type. Defaults to ``['application/json']`` (#1024).
- New: when the media endpoint is enabled, the default authentication class will be used to secure it. (#1083; #1049).
- New: ``MERGE_NESTED_DOCUMENTS``. If ``True``, updates to nested fields are merged with the current data on ``PATCH``. If ``False``, the updates overwrite the current data. Defaults to ``True`` (#1140).
- New: support for MongoDB decimal type ``bson.decimal128.Decimal128`` (#1045).
- New: Support for ``Feature`` and ``FeatureCollection`` GeoJSON objects (#769).
- New: Add support for MongoDB ``$box`` geo query operator (#1122).
- New: ``ALLOW_CUSTOM_FIELDS_IN_GEOJSON`` allows custom fields in GeoJSON (#1004).
- New: Add support for MongoDB ``$caseSensitive`` and ``$diacriticSensitive`` query operators (#1126).
- New: Add support for MongoDB bitwise query operators ``$bitsAllClear``, ``$bitsAllSet``, ``$bitsAnyClear``, ``$bitsAnySet`` (#1053).
- New: support for ``MONGO_AUTH_MECHANISM`` and ``MONGO_AUTH_MECHANISM_PROPERTIES``.
- New: ``MONGO_DBNAME`` can now be used in conjunction with ``MONGO_URI``. Previously, if ``MONGO_URI`` was missing the database name, an exception would be raised (#1037).
- Fix: OPLOG skipped even if ``OPLOG = True`` (#1074).
- Fix: Cannot define default projection and request specific field. (#1036).
- Fix: ``VALIDATE_FILTERS`` and ``ALLOWED_FILTERS`` do not work with sub-document fields. (#1123).
- Fix: Aggregation query parameter does not replace keys in the lists (#1025).
- Fix: serialization bug that randomly skips fields if "x_of" is encountered (#1042)
- Fix: PUT behavior with User Restricted Resource Access. Ensure that, under every circumstance, users are unable to overwrite items owned by other users (#1130).
- Fix: Crash with Cerberus 1.2 (#1137).
- Fix documentation typos (#1114, #1102)
- Fix: broken documentation links to Cerberus validation rules.
- Fix: add sphinxcontrib-embedly to dev-requirements.txt.
- Fix: Removed OrderedDict dependency; use ``OrderedDict`` from ``backport_collections`` instead (#1070).
- Performance improved on retrieving a list of embedded documents (#1029).
- Dev: Refactor index creation. We now have a new ``eve.io.mongo.ensure_mongo_indexes()`` function which ensures that eventual ``mongo_indexes`` defined for a resource are created on the active database. The function can be imported and invoked, for example in multi-db workflows where a db is activated based on the authenticated user performing the request (via custom auth classes).
- Dev: Add a Makefile with shortcuts for testing, docs building, and development install.
- Dev: Switch to pytest as the standard testing tool.
- Dev: Drop ``requirements.txt`` and ``dev-requirements.txt``. Use ``pip install -e .[dev|tests|docs]`` instead.
- Tests: finally acknowledge the existence of modern APIs for both Mongo and Python (get rid of most deprecation warnings).
- Change: Support for Cerberus 1.0+ (#776).
- Change: ``JSON`` and ``XML`` settings are deprecated and will be removed in a future update. Use ``RENDERERS`` instead (#1092).
- Flask dependency set to >=1.0 (#1111).
- PyMongo dependency set to >=3.5.
- Events dependency set to >=v0.3.
- Drop Flask-PyMongo dependency, use custom code instead (#855).
- Docs: Comprehensive rewrite of the How to contribute page.
- Docs: Drop the testing page; merge its contents with How to contribute.
- Docs: Add link to the Eve course. It was authored by the project author, and it is hosted by TalkPython Training.
- Docs: code snippets are now Python 3 compatible (Pahaz Blinov).
- Dev: Delete and cleanup of some unnecessary code.
- Dev: after the latest update (May 4th) travis-ci would not run tests on Python 2.6.
- Dev: all branches are now tested on travis-ci. Previously, only 'master' was being tested.
- Dev: fix insidious bug in ``tests.methods.post.TestPost`` class.
Python 2.6 and Python 3.3 are no longer supported (#1129).
Eve now relies on Cerberus 1.1+ (#776). It allows for many new powerful validation and transformation features (like schema registries), improved performance and, in general, a more streamlined API. It also brings some notable breaking changes.
- ``keyschema`` was renamed to ``valueschema``, and ``propertyschema`` to ``keyschema``.
- A PATCH on a document which misses a field having a default value will now result in setting this value, even if the field was not provided in the PATCH's payload.
- Error messages for ``keyschema`` are now returned as dictionary. Example: ``{'a_dict': {'a_field': "value does not match regex '[a-z]+'"}}``.
- Error messages for type validations are different now.
- It is no longer valid to have a field with ``default = None`` and ``nullable = False`` (see patch.py:test_patch_nested_document_nullable_missing).
- And more. A complete list of breaking changes is available here. For detailed upgrade instructions, see Cerberus upgrade notes. An in-depth analysis of changes made to the codebase (useful if you wrote a custom validator which needs to be upgraded) is available with this commit message.
- Special thanks to Dominik Kellner and Brad P. Crochet for the amazing job done on this upgrade.
Config setting ``MONGO_AUTHDBNAME`` renamed into ``MONGO_AUTH_SOURCE`` for naming consistency with PyMongo.
Config options ``MONGO_MAX_POOL_SIZE``, ``MONGO_SOCKET_TIMEOUT_MS``, ``MONGO_CONNECT_TIMEOUT_MS``, ``MONGO_REPLICA_SET``, ``MONGO_READ_PREFERENCE`` removed. Use ``MONGO_OPTIONS`` or ``MONGO_URI`` instead.
Be aware that ``DELETE`` on sub-resource endpoint will now only delete the documents matching endpoint semantics. A delete operation on ``people/51f63e0838345b6dcd7eabff/invoices`` will delete all documents matching the following query: ``{'contact_id': '51f63e0838345b6dcd7eabff'}`` (#1010).
Released on May 10, 2018
- Python 2.6 and Python 3.3 are deprecated. Closes #1129.
Released on 7 February, 2018
- Fix: breaking syntax error in v0.7.7
Released on 7 February, 2018
- Fix: geo queries now properly support ``$geometry`` and ``$maxDistance`` operators. Closes #1103.
Released on 14 January, 2018
- Improve query parsing robustness.
Released on 4 December, 2017
- Fix: A query was not fully traversed in the sanitization. Therefore the blacklist for mongo queries could be bypassed, allowing for dangerous ``$where`` queries (Moritz Schneider).
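The fix above is about a sanitizer that did not walk the whole query document. As an added illustration (not Eve's code), the following compares a top-level-only operator check with one that visits every nested dict and list; the blacklist contents, function names and sample queries are assumptions constructed for this example.

```python
# Added example, not taken from Eve: enforcing a MongoDB operator blacklist
# on a parsed query document, with and without full traversal.

# Assumed blacklist for the example.
BLACKLIST = frozenset({"$where", "$regex"})


def shallow_check(query, blacklist=BLACKLIST):
    """Incomplete check: only looks at the top-level keys of the query."""
    return [key for key in query if key in blacklist]


def find_blacklisted(node, blacklist=BLACKLIST, path="", max_depth=32):
    """Visit every dict and list in the query.

    Returns a list of (path, operator) pairs, one per blacklisted key,
    so the rejection can be logged with the exact location of the hit.
    """
    if max_depth < 0:
        # Refuse pathological nesting instead of recursing without bound.
        raise ValueError("query nesting too deep")
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key in blacklist:
                hits.append((here, key))
            hits.extend(find_blacklisted(value, blacklist, here, max_depth - 1))
    elif isinstance(node, (list, tuple)):
        for index, item in enumerate(node):
            here = f"{path}[{index}]"
            hits.extend(find_blacklisted(item, blacklist, here, max_depth - 1))
    return hits


def sanitize(query, blacklist=BLACKLIST):
    """Return the query unchanged, or raise if any blacklisted operator appears."""
    hits = find_blacklisted(query, blacklist)
    if hits:
        where = ", ".join(path for path, _ in hits)
        raise ValueError(f"operator not allowed at: {where}")
    return query


# Constructed sample queries.
TOP_LEVEL = {"$where": "true"}
NESTED = {"$or": [{"name": "john"}, {"$and": [{"$where": "true"}]}]}
FIELD_OPERATOR = {"name": {"$regex": "^j"}}
CLEAN = {"$or": [{"name": "john"}, {"age": {"$gt": 21}}]}

if __name__ == "__main__":
    for label, q in [("top-level", TOP_LEVEL), ("nested", NESTED),
                     ("field operator", FIELD_OPERATOR), ("clean", CLEAN)]:
        print(label, "| shallow:", shallow_check(q),
              "| full:", find_blacklisted(q))
```

The nested and field-operator samples pass the shallow check and are caught only by the full traversal, which is the gap this release closed.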
Released on 24 May, 2017
- Fix: ``post_internal`` fails when using ``URL_PREFIX`` or ``API_VERSION``. Closes #810.
Released on 3 May, 2017
- Eve and Cerberus are now collaboratively funded projects, see: https://nicolaiarocci.com/eve-and-cerberus-funding-campaign/
- Fix: Internal resource, oplog enabled: a ``*_internal`` method defined in ``OPLOG_METHODS`` triggers keyerror (Einar Huseby).
- Dev: use official Alabaster theme instead of custom fork.
- Fix: docstrings typos (Martin Fous).
- Docs: explain that ``ALLOW_UNKNOWN`` can also be used to expose the whole document as found in the database, with no explicit validation schema. Addresses #995.
- Docs: add Eve-Healthcheck to extensions list (Luis Fernando Gomes).
Released on 6 March, 2017
- Fix: Validation exceptions are returned in ``doc_issues['validator exception']`` across all edit methods (POST, PUT, PATCH). Closes #994.
- Fix: When there is ``MONGO_URI`` defined it will be used no matter if the resource is using a prefix or not (Petr Jašek).
- Docs: Add code snippet with an example of how to implement a simple list of items that supports both list-level and item-level CRUD operations (John Chang).
Released on 14 February, 2017
- Fix: "Cannot create a consistent method resolution order" on Python 3.5.2 and 3.6 since Eve 0.7. Closes #984.
- Docs: update README with svg badge (Sobolev Nikita).
- Docs: fix typo and dead link to Nicola's website (Dominik Kellner).
- ``develop`` branch has been dropped. ``master`` is now the default project branch.
Released on 6 February, 2017
- New: Add Python 3.6 as a supported interpreter.
- New: ``OPTIMIZE_PAGINATION_FOR_SPEED``. Set this to ``True`` to improve pagination performance. When optimization is active no count operation, which can be slow on large collections, is performed on the database. This does have a few consequences. Firstly, no document count is returned. Secondly, ``HATEOAS`` is less accurate: no last page link is available, and next page link is always included, even on last page. On big collections, switching this feature on can greatly improve performance. Defaults to ``False`` (slower performance; document count included; accurate ``HATEOAS``). Closes #944 and #853.
- New: ``Location`` header is returned on ``201 Created`` POST responses. It will contain the URI to the created document. If bulk inserts are enabled, only the first document URI is returned. Closes #795.
- New: Pretty printing. You can pretty print the response by specifying a query parameter named ``?pretty`` (Hasan Pekdemir).
- New: ``AUTO_COLLAPSE_MULTI_KEYS``. If set to ``True``, multiple values sent with the same key, submitted using the ``application/x-www-form-urlencoded`` or ``multipart/form-data`` content types, will automatically be converted to a list of values. When using this together with ``AUTO_CREATE_LISTS`` it becomes possible to use lists of media fields. Defaults to ``False``. Closes #932 (Conrad Burchert).
- New: ``AUTO_CREATE_LISTS``. When submitting a non ``list`` type value for a field with type ``list``, automatically create a one element list before running the validators. Defaults to ``False`` (Conrad Burchert).
- New: Flask-PyMongo compatibility for ``MONGO_CONNECT`` config setting (Massimo Scamarcia).
- New: Add Python 3.5 as a supported interpreter (Mattias Lundberg).
- New: ``MONGO_OPTIONS`` allows MongoDB arguments to be passed to the MongoClient object. Defaults to ``{}`` (Massimo Scamarcia).
- New: Regexes are allowed by setting ``X_DOMAINS_RE`` values. This allows CORS to support websites with dynamic ranges of subdomains. Closes #660 and #974.
- New: If ``ENFORCE_IF_MATCH`` option is active, then all requests are expected to include the ``If-Match`` or they will be rejected (same as old behavior). However, if ``ENFORCE_IF_MATCH`` is disabled, then client determines whether request is conditional. When ``If-Match`` is included, then request is conditional, otherwise the request is processed with no conditional checks. Closes #657 (Arthur Burkart).
- New: Allow old document versions to be cache validated using ETags (Nick Park).
- New: Support weak ETags, commonly applied by servers transmitting gzipped content (Nick Park).
- New: ``on_oplog_push`` event is fired when OPLOG is about to be updated. Callbacks receive two arguments: ``resource`` (resource name) and ``entries`` (list of oplog entries which are about to be written).
- New: optional ``extra`` field is available for OPLOG entries. Can be updated by callbacks hooked to the new ``on_oplog_push`` event.
- New: OPLOG audit now includes the username or token when available. Closes #846.
- New: ``get_internal`` and ``getitem_internal`` functions can be used for internal GET calls. These methods are not rate limited, authentication is not checked and pre-request events are not raised.
- New: Add support for MongoDB ``DBRef`` fields (Roman Gavrilov).
- New: ``MULTIPART_FORM_FIELDS_AS_JSON``. In case you are submitting your resource as ``multipart/form-data`` all form data fields will be submitted as strings, breaking any validation rules you might have on the resource fields. If you want to treat all submitted form data as JSON strings you will have to activate this setting. Closes #806 (Stratos Gerakakis).
- New: Support for MongoDB Aggregation Framework. Endpoints can respond with aggregation results. Clients can optionally influence aggregation results by using the new ``aggregate`` option: ``aggregate={"$year": 2015}``.
- New: Flask views (``@app.route``) can now set ``mongo_prefix`` via Flask's ``g`` object: ``g.mongo_prefix = 'MONGO2'`` (Gustavo Vargas).
- New: Query parameters not recognised by Eve are now returned in HATEOAS URLs (Mugur Rus).
- New: ``OPLOG_CHANGE_METHODS`` is a list of HTTP methods which operations will include changes into the OpLog (mmizotin).
- Change: Return ``428 Precondition Required`` instead of a generic ``403 Forbidden`` when the ``If-Match`` request header is missing (Arnau Orriols).
- Change: ETag response header now conforms to RFC 7232/2.3 and is surrounded by double quotes. Closes #794.
- Fix: Better locating of ``settings.py``. On startup, if settings flag is omitted in constructor, Eve will try to locate file named settings.py, first in the application folder and then in one of the application's subfolders. You can choose an alternative filename/path, just pass it as an argument when you instantiate the application. If the file path is relative, Eve will try to locate it recursively in one of the folders in your sys.path, therefore you have to be sure that your application root is appended to it. This is useful, for example, in testing environments, when settings file is not necessarily located in the root of your application. Closes #820 (Mario Kralj).
- Fix: Versioning does not work with User Restricted Resource Access. Closes #967 (Kris Lambrechts)
- Fix: ``test_create_indexes()`` typo. Closes 960.
- Fix: fix crash when attempting to modify a document ``_id`` on MongoDB 3.4 (Giorgos Margaritis)
- Fix: improve serialization of boolean values. Closes #947 (NotSpecial).
- Fix: fix intermittently failing test. Closes #934 (Conrad Burchert).
- Fix: Multiple, fast (within a 1 second window) and neutral (no actual changes) PATCH requests should not raise ``412 Precondition Failed``. Closes #920.
- Fix: Resource titles are not properly escaped during the XML rendering of the root document (Kris Lambrechts).
- Fix: ETag request headers which conform to RFC 7232/2.3 (double quoted value) are now properly processed. Addresses #794.
- Fix: Deprecation warning from Flask. Closes #898 (George Lestaris).
- Fix: add Support serialization on lists using anyof, oneof, allof, noneof. Closes #876 (Carles Bruguera).
- Fix: update security example snippets to match with current API (Stanislav Filin).
- Fix: ``notifications.py`` example snippet crashes due to lack of ``DOMAIN`` setting (Stanislav Filin).
- Docs: clarify documentation for custom validators: Cerberus dependency is still pinned to version 0.9.2. Upgrade to Cerberus 1.0+ is planned with v0.8. Closes #796.
- Docs: remove the deprecated ``--distribute`` virtualenv option (Eugene Prikazchikov).
- Docs: add date and subdocument fields filtering examples. Closes #924.
- Docs: add Eve-Neo4j to the extensions page (Rodrigo Rodriguez).
- Docs: stress that alternate backends are supported via community extensions.
- Docs: clarify that Redis is an optional dependency (Mateusz Łoskot).
- Update license to 2017. Closes #955.
- Update: Flask 0.12. Closes #945, #904 and #963.
- Update: PyMongo 3.4 is now required. Closes #964.
Released on 8 June, 2016
- Fix: Cannot serialize data when a field that has a ``valueschema`` that is of ``dict`` type. Closes #874.
- Fix: Authorization header bearer tokens not parsed correctly. Closes #866 (James Stewart).
- Fix: TokenAuth prevents base64 decoding of Tokens. Closes #840.
- Fix: If datasource source is specified no fields are included by default. Closes #842.
- Docs: streamline Quickstart guide. Closes #868.
- Docs: fix broken link in Installation page. Closes #861.
- Docs: Resource configuration doesn't mention ``versioning`` override. Closes #845.
Released on 16 March, 2016
- Fix: Since 0.6.2, static projections are not honoured. Closes #837.
Released on 14 March, 2016
- Fix: ``Access-Control-Allow-Max-Age`` should actually be ``Access-Control-Max-Age``. Closes #829.
- Fix: ``unique`` validation rule is checked against soft deleted documents. Closes #831.
- Fix: Mongo does not allow ``$`` and ``.`` in field names. Apply this validation in schemas and dict fields. Closes #780.
- Fix: Remove "ensure uniqueness of (custom) id fields" feature. Addresses #788.
- Fix: ``409 Conflict`` not reported since upgrading to PyMongo 3. Closes #680.
- Fix: when a document is soft deleted, the OPLOG _updated field is not the time of the deletion but the time of the previous last update (Cyril Bonnard).
- Fix: TokenAuth. When the tokens are passed as "Authorization: " or "Authorization: Token " headers, werkzeug does not recognize them as valid authorization header, therefore the ``request.authorization`` field is empty (Luca Di Gaspero).
- Fix: ``SCHEMA_ENDPOINT`` does not work when schema has lambda function as ``coerce`` rule. Closes #790.
- Fix: CORS pre-flight requests malfunction on ``SCHEMA_ENDPOINT`` endpoint (Valerie Coffman).
- Fix: do not attempt to parse ``number`` values as strings when they are numerical (Nick Park).
- Fix: the ``__init__.py`` ``ITEM_URL`` does not match default_settings.py. Closes #786 (Ralph Smith).
- Fix: startup crash when both ``SOFT_DELETE`` and ``ALLOW_UNKNOWN`` are enabled. Closes #800.
- Fix: Serialize inside ``of`` and ``of_type`` rules new in Cerberus 0.9. Closes #692 (Arnau Orriols).
- Fix: In ``put_internal`` Validator is not set when ``skip_validation`` is ``true`` (Wei Guan).
- Fix: In ``patch_internal`` Validator is not set when ``skip_validation`` is ``true`` (Stratos Gerakakis).
- Fix: Add missing serializer for fields of type ``number`` (Arnau Orriols).
- Fix: Skip any null value from serialization (Arnau Orriols).
- Fix: When ``SOFT_DELETE`` is active an exclusive ``datasource.projection`` causes a ``500`` error. Closes #752.
- Update: PyMongo 3.2 is now required.
- Update: Flask-PyMongo 0.4+ is now required.
- Update: Werkzeug up to 0.11.4 is now required
- Change: simplejson v3.8.2 is now required.
- Docs: fix some typos (Manquer, Patrick Decat).
- Docs: add missing imports to authentication docs (Hamdy)
- Update license to 2016 (Prayag Verma)
Released on 29 October, 2015
- New: ``BULK_ENABLED`` enables/disables bulk insert. Defaults to ``True`` (Julian Hille).
- New: ``VALIDATE_FILTERS`` enables/disables validating of query filters against resource schema. Closes #728 (Stratos Gerakakis).
- New: ``TRANSPARENT_SCHEMA_RULES`` enables/disables schema validation globally and ``transparent_schema_rules`` per resource (Florian Rathgeber).
- New: ``ALLOW_OVERRIDE_HTTP_METHOD`` enables/disables support for overriding request methods with ``X-HTTP-Method-Override`` headers (Julian Hille).
- Fix: flake8 fails on Python 3. Closes #747 (Simon Schönfeld).
- Fix: recursion for dotted field normalization (Matt Tucker).
- Fix: dependencies on sub-document fields always return 422. Closes #706.
- Fix: invoking ``post_internal`` with ``skip_validation = True`` causes a ``422`` response. Closes #726.
- Fix: explicit inclusive datasource projection is ignored. Closes #722.
- Dev: fix rate limiting tests so they don't occasionally fail.
- Dev: make sure connections opened by test suite are properly closed on teardown.
- Dev: use middleware to parse overrides and eventually update request method (Julian Hille).
- Dev: optimize versioning by building specific versions without deepcopying the root document (Nick Park).
- Dev: ``_client_projection`` method has been moved up from the mongo layer to the base DataLayer class. It is now available for other data layers implementations, such as Eve-SQLAlchemy (Gonéri Le Bouder).
- Docs: add instructions for installing dependencies and building docs (Florian Rathgeber).
- Docs: fix link to contributing guidelines (Florian Rathgeber).
- Docs: fix some typos (Stratos Gerakakis, Julian Hille).
- Docs: add Eve-Swagger to Extensions page.
- Docs: fix broken link to Mongo's capped collections (Nathan Reynolds).
Released on 28 September, 2015
New: support for embedding simple ObjectId fields: you can now use the ``data_relation`` rule on them (Gonéri Le Bouder).
New: support for multiple layers of embedding (Gonéri Le Bouder).
New: ``SCHEMA_ENDPOINT`` allows resource schema to be returned from an API endpoint (Nick Park).
New: HATEOAS links can be customized from within callback functions (Magdas Adrian).
New: ``_INFO``: string value to include an info section, with the given INFO name, at the Eve homepage (suggested value ``_info``). The info section will include Eve server version and API version (API_VERSION, if set). ``None`` otherwise, if you do not want to expose any server info. Defaults to ``None`` (Stratos Gerakakis).
New: ``id_field`` sets a field used to uniquely identify resource items within the database. Locally overrides ``ID_FIELD`` (Dominik Kellner).
New: ``UPSERT_ON_PUT`` allows document creation on PUT if the document does not exist. Defaults to ``True``. See below for details.
New: PUT attempts to create a document if it does not exist. The URL endpoint will be used as ``ID_FIELD`` value (if ``ID_FIELD`` is included with the payload, it will be ignored). Normal validation rules apply. The response will be a ``201 Created`` on successful creation. Response payload will be identical to the one you would get by performing a single document POST to the resource endpoint. Set ``UPSERT_ON_PUT`` to ``False`` to disable this behaviour, and get a ``404`` instead. Closes #634.
New: POST accepts documents which include ``ID_FIELD`` (``_id``) values. This is in addition to the old behaviour of auto-generating ``ID_FIELD`` values when the submitted document does not contain it. Please note that, while you can add ``ID_FIELD`` to the schema (previously not allowed), you don't really have to, unless its type is different from the ``ObjectId`` default. This means that in most cases you can start storing ``ID_FIELD``-included documents right away, without making any changes.
New: Log MongoDB and HTTP methods exceptions (Sebastien Estienne).
New: Enhanced Logging.
New: ``VALIDATION_ERROR_AS_LIST``. If ``True`` even single field errors will be returned in a list. By default single field errors are returned as strings while multiple field errors are bundled in a list. If you want to standardize the field errors output, set this setting to ``True`` and you will always get a list of field issues. Defaults to ``False``. Closes #536.
New: ``STANDARD_ERRORS`` is a list of HTTP codes that will be served with the canonical API response format, which includes a JSON body providing both error code and description. Addresses #586.
New: ``anyof`` validation rule allows you to list multiple sets of rules to validate against.
New: ``allof`` validation rule, same as ``anyof`` except that all rule collections in the list must validate.
New: ``noneof`` validation rule. Same as ``anyof`` except that it requires no rule collections in the list to validate.
New: ``oneof`` validation rule. Same as ``anyof`` except that only one rule collection in the list can validate.
New: ``valueschema`` validation rule replaces the now deprecated ``keyschema`` rule.
New: ``propertyschema`` is the counterpart to ``valueschema`` that validates the keys of a dict.
New: ``coerce`` validation rule. Type coercion allows you to apply a callable to a value before any other validators run.
New: ``MONGO_AUTHDBNAME`` allows specifying a MongoDB authorization database. Defaults to ``None`` (David Wood).
New: ``remove`` method in Mongo data layer now returns the deletion status or ``None`` if write acknowledgement is disabled (Mayur Dhamanwala).
New: ``unique_to_user`` validation rule allows validating that a field value is unique to the user. Different users can share the same value for the field. This is useful when User Restricted Resource Access is enabled on an endpoint. If URRA is not active on the endpoint, this rule behaves like ``unique``. Closes #646.
New: ``MEDIA_BASE_URL`` allows setting a custom base URL to be used when ``RETURN_MEDIA_AS_URL`` is active (Henrique Barroso).
New: ``SOFT_DELETE`` enables soft deletes when set to ``True`` (Nick Park.)
New: ``mongo_indexes`` allows for creation of MongoDB indexes at application launch (Pau Freixes.)
New: clients can opt out of default embedded fields: ``?embedded={"author":0}`` would cause the embedded author not to be included with response payload. (Tobias Betz.)
New: CORS: Support for ``X-ALLOW-CREDENTIALS`` (Cyprien Pannier.)
New: Support for dot notation in POST, PATCH and PUT methods. Be aware that, for PATCH and PUT, if dot notation is used even on just one field, the whole sub-document will be replaced. So if this document is stored:
{"name": "john", "location": {"city": "New York", "address": "address"}}
A PATCH like this:
{"location.city": "Boston"}
(which is exactly equivalent to:)
{"location": {"city": "Boston"}}
Will update the document to:
{"name": "john", "location": {"city": "Boston"}}
New: JSONP Support (Tim Jacobi.)
New: Support for multiple MongoDB databases and/or servers.
- ``mongo_prefix`` resource setting allows overriding of the default ``MONGO`` prefix used when retrieving MongoDB settings from configuration. For example, set a resource ``mongo_prefix`` to ``MONGO2`` to read/write from the database configured with that prefix in your settings file (``MONGO2_HOST``, ``MONGO2_DBNAME``, etc.)
- ``set_mongo_prefix()`` and ``get_mongo_prefix()`` have been added to ``BasicAuth`` class and derivates. These can be used to arbitrarily set the target database depending on the token/client performing the request.
Database connections are cached in order not to lose performance. Also, this change only affects the MongoDB engine, so extensions currently targeting other databases should not need updates (they will not inherit this feature however.)
New: Enable ``on_pre_GET`` hook for HEAD requests (Daniel Lytkin.).
New: Add ``X-Total-Count`` header for collection GET/HEAD requests (Daniel Lytkin.).
New: ``RETURN_MEDIA_AS_URL``, ``MEDIA_ENDPOINT`` and ``MEDIA_URL`` allow for serving files at a dedicated media endpoint while urls are returned in document media fields (Daniel Lytkin.)
New: ``etag_ignore_fields``. Resource setting with a list of fields belonging to the schema that won't be used to compute the ETag value. Defaults to ``None`` (Olivier Carrère.)
Change: when HATEOAS is off the home endpoint will respond with ``200 OK`` instead of ``404 Not Found`` (Stratos Gerakakis).
Change: PUT does not return ``404`` if a document URL does not exist. It will attempt to create the document instead. Set ``UPSERT_ON_PUT`` to ``False`` to disable this behaviour and get a ``404`` instead.
Change: A PATCH including an ``ID_FIELD`` field which value is different than the original will get a ``400 Bad Request``, along with an explanation in the message body that the field is immutable. Previously, it would get an ``unknown field`` validation error.
Dev: Improve GET performance on large versioned documents (Nick Park.)
Dev: The ``MediaStorage`` base class now accepts the active resource as an argument for its methods. This allows data-layers to avoid resorting to the Flask request object to determine the active resource. To preserve backward compatibility the new ``resource`` argument defaults to ``None`` (Magdas Adrian).
Dev: The Mongo data-layer is not dependent on the Flask request object anymore. It will still fall back to it if the ``resource`` argument is ``None``. Closes #632. (Magdas Adrian).
Fix: store versions in the same mongo collection when ``datasource`` is used (Magdas Adrian).
Fix: Update ``serialize`` to gracefully handle non-dictionary values in dict type fields (Nick Park).
Fix: changes to the ``updates`` argument, applied by callbacks hooked to the ``on_updated`` event, were not persisted to the database (Magdas Adrian). Closes #682.
Fix: Changes applied to the ``updates`` argument ``on_updated`` returns the whole updated document. Previously, it was only returning the updates sent with the request. Closes #682.
Fix: Replace the Cerberus rule ``keyschema``, now deprecated, with the new ``propertyschema`` (Julian Hille).
Fix: some error messages are not filtered out of debug mode anymore, as they are useful for users and do not leak information. Closes #671 (Sebastien Estienne).
Fix: reinforce Content-Type Header handling to avoid possible crash when it is missing (Sebastien Estienne).
Fix: some schema errors were not being reported as SchemaError exceptions. A more generic 'DOMAIN missing or wrong' message was returned instead.
Fix: When versioning is enabled on a resource with a custom ID_FIELD, versioning documents will inherit their ID from the versioned document, making any update of the document result in a DuplicateKeyError (Matthieu Prat).
Fix: Filter validation fails to validate query selectors that contain a value of the list data-type, which is not a list of sub-queries. See #674 (Matthieu Prat).
Fix: ``_validate_dependencies`` always returns ``None``.
Fix: ``412 Precondition Failed`` does not return a JSON body. Closes #661.
Fix: ``embedded_fields`` may point on a field that come from another embedded document. For example, ``['a.b.c', 'a.b', 'a']`` (Gonéri Le Bouder).
Fix: add handling of sub-resource resolving for PUT method (Olivier Poitrey).
Fix: ``dependencies`` rule would mistakenly validate documents when target fields happened to also have a ``default`` value.
Fix: According to RFC2617 the separator should be (=) instead of (:). This caused at least Chrome not to prompt user for the credentials, and not to send the Authorization header even when credentials were in the url (Samuli Tuomola).
Fix: make sure ``unique`` validation rule is consistent between HTTP methods. A field value must be unique within the datasource, regardless of the user who created it. Closes #646.
Fix: OpLog domain entry is not created if ``OPLOG_ENDPOINT`` is ``None``. Closes #628.
Fix: Do not overwrite ``ID_FIELD`` as it is not a sub resource. See #641 for details (Olivier Poitrey).
Fix: ETag computation crash when non-standard json serializers are used (Kevin Roy.)
Fix: Remove duplicate item in Mongo operators list. Closes #619.
Fix: Versioning: invalidate cache when ``_latest_version`` changes in versioned doc (Nick Park.)
Fix: snippet in account management tutorial (xgddsg.)
Fix: ``MONGO_REPLICA_SET`` and other significant Flask-PyMongo settings have been added to the documentation. Closes #615.
Fix: Serialization of lists of lists (Nick Park.)
Fix: Make sure ``original`` is not modified during ``PATCH``. Closes #611 (Petr Jašek.)
Fix: Route parameters are applied to new documents before they are validated. This ensures that documents with required fields will be populated before they are validated. Addresses #354. (Matthew Ellison.)
Fix: ``GridFSMediaStorage`` does not save filename. Closes #605 (Sam Luu).
Fix: Reinforce GeoJSON validation (Joakim Uddholm.)
Fix: Geopoint coordinates do not accept integers. Closes #591 (Joakim Uddholm.)
Fix: OpLog enabled makes PUT return wrong Etag. Closes #590.
Update: Cerberus 0.9.2 is now required.
Update: PyMongo 2.8 is now required (which in turn supports MongoDB 3.0)
Released on 17 March, 2015.
- Fix: Support for Cerberus 0.8.1.
- Fix: Don't block on first field serialization exception. Closes #568.
- Fix: Ignore read-only fields in ``PUT`` requests when their values aren't changed compared to the stored document (Bjorn Andersson.)
- Docs: replace ``file`` with ``media`` type. Closes #566.
Released on 23 Feb, 2015. Codename: 'Giulia'.
- Fix: hardening of database concurrency checks. See #561 (Olivier Carrère.)
- Fix: ``PATCH`` and ``PUT`` do not include Etag header (Marcus Cobden.)
- Fix: endpoint-level authentication crash when a callable is passed. Closes #558.
- Fix: serialization of ``keyschema`` fields with ``objectid`` values. Closes #525.
- Fix: typos in schema rules might lead to arbitrary payloads being validated (Emmanuel Leblond.)
- Fix: ObjectId value in ID field of type string (Jaroslav Semančík.)
- Fix: User Restricted Resource Access does not work with HMAC Auth classes.
- Fix: Crash when
embedded
is used on subdocument with a missing field (Emmanuel Leblond.) - Docs: add
MONGO_URI
as an alternative to other MongoDB connection options. Closes #551. - Change: Werkzeug 0.10.1 is now required.
- Change:
DataLayer
API methodsupdate()
andreplace()
have a neworiginal
argument.
Released on 16 Jan, 2015.
- Fix: dependencies with value checking seem broken (#547.)
- Fix: documentation typo (Marc Abramowitz.)
- Fix: pretty url for regex with a colon in the expression (Magdas Adrian.)
Released on 12 Jan, 2015.
- New: Operations Log (http://python-eve.org/features#operations-log.)
- New: GeoJSON (http://python-eve.org/features.html#geojson) (Juan Madurga.)
- New: Internal Resources (http://python-eve.org/features#internal-resources) (Magdas Adrian.)
- New: Support for multiple origins when using CORS (Josh Villbrandt, #532.)
- New: Regexes are stripped out of HATEOAS urls when present. You now get ``games/<game_id>/images`` where previously you would get ``games/<regex('[a-f0-9]{24}'):game_id>/images``. Closes #466.
- New: ``JSON_SORT_KEYS`` enables JSON key sorting (Matt Creenan).
- New: Add the current query string to the self link for responses with multiple documents. Closes #464 (Jen Montes).
- New: When document versioning is on, add ``?version=<version_num>`` to HATEOAS self links. Also adds pagination links for ``?version=all`` and ``?version=diffs`` requests when the number exceeds the max results. Partially addresses #475 (Jen Montes).
- New: ``QUERY_WHERE`` allows to set the query parameter key for filters. Defaults to ``where``.
- New: ``QUERY_SORT`` allows to set the query parameter key for sorting. Defaults to ``sort``.
- New: ``QUERY_PAGE`` allows to set the query parameter key for pagination. Defaults to ``page``.
- New: ``QUERY_PROJECTION`` allows to set the query parameter key for projections. Defaults to ``projection``.
- New: ``QUERY_MAX_RESULTS`` allows to set the query parameter key for max results. Defaults to ``max_results``.
- New: ``QUERY_EMBEDDED`` allows to set the query parameter key for embedded documents. Defaults to ``embedded``.
- New: Fire ``on_fetched`` events for ``version=all`` requests (Jen Montes).
- New: Support for CORS ``Access-Control-Expose-Headers`` (Christian Henke).
- New: ``post_internal()`` can be used for internal post calls. This method is not rate limited, authentication is not checked and pre-request events are not raised (Magdas Adrian).
- New: ``put_internal()`` can be used for internal PUT calls. This method is not rate limited, authentication is not checked and pre-request events are not raised (Kevin Funk).
- New: ``patch_internal()`` can be used for internal PATCH calls. This method is not rate limited, authentication is not checked and pre-request events are not raised (Kevin Funk).
- New: ``delete_internal()`` can be used for internal DELETE calls. This method is not rate limited, authentication is not checked and pre-request events are not raised (Kevin Funk).
- New: Add an option to ``_internal`` methods to skip payload validation (Olivier Poitrey).
- New: Comma delimited sort syntax in queries. The MongoDB data layer now also supports queries like ``?sort=lastname,-age``. Addresses #443.
- New: Add extra 4xx response codes for proper handling. Only ``405`` Method not allowed, ``406`` Not acceptable, ``409`` Conflict, and ``410`` Gone have been added to the list (Kurt Doherty).
- New: Add serializers for integer and float types (Grisha K.)
- New: dev-requirements.txt added to the repo.
- New: Embedding of documents by references located in any subdocuments. For example, query ``embedded={"user.friends":1}`` will return a document with "user" and all his "friends" embedded, but only if ``user`` is a subdocument and ``friends`` is a list of references (Dmitry Anoshin).
- New: Allow mongoengine to work properly with cursor counts (Johan Bloemberg)
- New: ``ALLOW_UNKNOWN`` allows unknown fields to be read, not only written as before. Closes #397 and #250.
- New: ``VALIDATION_ERROR_STATUS`` allows setting of the HTTP status code to use for validation errors. Defaults to ``422`` (Olivier Poitrey).
- New: Support for sub-document projections. Fixes #182 (Olivier Poitrey).
- New: Return ``409 Conflict`` on pymongo ``DuplicateKeyError`` for ``POST`` requests, as already happens with ``PUT`` requests (Matt Creenan, #537.)
- Change: ``DELETE`` returns ``204 NoContent`` on a successful delete.
- Change: SERVER_NAME removed as it is not needed anymore.
- Change: URL_PROTOCOL removed as it is not needed anymore.
- Change: HATEOAS links are now relative to the API root. Closes #398 #401.
- Change: If-Modified-Since has been disabled on resource (collections) endpoints. Same functionality is available with a ``?where={"_updated": {"$gt": "<RFC1123 date>"}}`` request. The OpLog also allows retrieving detailed changes that happened at any endpoint, deleted documents included. Closes #334.
- Change: etags are now persisted with the documents. This ensures that etags are consistent across queries, even when projection queries are issued. Please note that etags will only be stored along with new documents created and/or edited via API methods (POST/PUT/PATCH). Documents inserted by other means and those stored with v0.4 and below will keep working as previously: their etags will be computed on-the-fly and you will still be getting inconsistent etags when projection queries are issued. Closes #369.
- Change: XML item, meta and link nodes are now ordered. Closes #441.
- Change: ``put`` method signature for ``MediaStorage`` base class has been updated. ``filename`` is now optional. Closes #414.
- Change: CORS behavior to be compatible with browsers (Chrome). Eve is now echoing back the contents of the Origin header if said content is whitelisted in X_DOMAINS. This is also safer as it avoids exposing internal server configuration. Closes #408. This commit was carefully handcrafted on a flight to EuroPython 2014.
- Change: Specify a range of dependent package versions. #379 (James Stewart).
- Change: Cerberus 0.8 is now required.
- Change: pymongo v2.7.2 is now required.
- Change: simplejson v3.6.5 is now required.
- Change: update ``dev-requirements.txt`` to most recent tools available.
- Fix: add ``README.rst`` to ``MANIFEST.in`` (Niall Donegan.)
- Fix: ``LICENSE`` variable in ``setup.py`` should be "shortstring". Closes #540 (Niall Donegan.)
- Fix: ``PATCH`` on fields with original value of ``None`` (Marcus Cobden, #534).
- Fix: Fix impossible version ranges in setup.py (Marcus Cobden, #531.)
- Fix: Bug with expanding lists of roles, compromising authorization (Mikael Berg, #527)
- Fix: ``PATCH`` on subdocument fields does not overwrite the whole subdocument anymore. Closes #519.
- Fix: Added support for validation on field attribute with type list (Jorge Morales).
- Fix: Fix a serialization bug with integer and float when value is 0 (Olivier Poitrey).
- Fix: Custom ID fields tutorial: if custom ID fields are being used, then MongoDB/Eve won't be able to create them automatically as it does with the ObjectId default type. Closes #511.
- Fix: Dependencies with default values were reported as missing if omitted. Closes #353.
- Fix: Dependencies always fails on PATCH if dependent field isn't part of the update. #363.
- Fix: client projections work when ``allow_unknown`` is active. Closes #497.
- Fix: datasource projections are active when ``allow_unknown`` is active. Closes #497.
- Fix: Properly serialize nullable floats and integers. Closes #469.
- Fix: ``_mongotize()`` turns non-ObjectId strings (but not unicode) into ObjectIds. Closes #508 (Or Neeman).
- Fix: Fix validation of read-only fields inside dicts. Closes #474 (Arnau Orriols).
- Fix: Parent and collection links follow the scheme described in #475 (Jen Montes).
- Fix: Ignore read-only fields in ``PATCH`` requests when their values aren't changed compared to the stored document. Closes #479.
- Fix: Allow ``EVE_SETTINGS`` envvar to be used exclusively. Previously, a settings file in the working directory was always required. Closes #461.
- Fix: exception when trying to set nullable media field to null (Daniel Lytkin)
- Fix: Add missing ``$options`` and ``$list`` MongoDB operators to the allowed list (Jaroslav Semančík).
- Fix: Get document when it is missing embedded media. In case you try to embed a document which has media fields and that document has been deleted, you would get an error (Petr Jašek).
- Fix: fix additional lookup regex in RESTful Account Management tutorial (Ashley Roach).
- Fix: ``utils.weak_date`` always returns a RFC-1123 date (Petr Jašek).
- Fix: Can't embed a resource with a custom _id (non ObjectId). Closes #427.
- Fix: Do not follow DATE_FORMAT for HTTP headers. Closes #429 (Olivier Poitrey).
- Fix: Fix app initialization with resource level versioning #409 (Sebastián Magrí).
- Fix: KeyError when trying to use embedding on a field that is missing from document. It was fixed earlier in #319, but came back again after new embedding mechanism (Daniel Lytkin).
- Fix: Support for list of strings as default value for fields (hansotronic).
- Fix: Media fields are now properly returned even in embedded documents. Closes #305.
- Fix: auth in domain configuration can be either a callable or a class instance (Gino Zhang).
- Fix: Schema definition: a default value of [] for a list causes IndexError. Closes #417.
- Fix: Close file handles in setup.py (Harro van der Klauw)
- Fix: Querying a collection should always return pagination information (even when no data is being returned). Closes #415.
- Fix: Recursively validate the whole query string.
- Fix: If the data layer supports a list of allowed query operators, take them into consideration when validating a query string. Closes #388.
- Fix: Abort with 400 if unsupported query operators are used. Closes #387.
- Fix: Return the error if a blacklisted MongoDB operator is used in a query (debug mode).
- Fix: Invalid sort syntax raises 500 instead of 400. Addresses #378.
- Fix: Fix serialization when type is missing in schema. #404 (Jaroslav Semančík).
- Fix: When PUTting or PATCHing media fields, they would not be properly replaced as needed (Stanislav Heller).
- Fix: ``test_get_sort_disabled`` occasional failure.
- Fix: A POST with an empty array leads to a server crash. Now returns a 400 error instead and ensures the server won't crash in case of mongo invalid operations (Olivier Poitrey).
- Fix: PATCH and PUT don't respect flask.abort() in a pre-update event. Closes #395 (Christopher Larsen).
- Fix: Validating keyschema rules would cause a TypeError since 0.4. Closes pyeve/cerberus#48.
- Fix: Crash if client projection is not a dict #390 (Olivier Poitrey).
- Fix: Server crash in case of invalid "where" syntax #386 (Olivier Poitrey).
Released on 20 June, 2014.
- [new] You can now start the app without any resource defined and use ``app.register_resource`` later as needed (Petr Jašek).
- [new] Data layer is now usable outside request context, for example within a Celery task where there's no request context (Petr Jašek).
- [new][change] Add pagination info to get results whatever the HATEOAS status. Closes #355 (Olivier Poitrey).
- [new] Ensure all errors return a parseable body (JSON or XML). Closes #365 (Olivier Poitrey).
- [new] Apply sub-request route's params to the created document if matching the schema, e.g. a POST on ``/people/1234…/invoices`` will set the ``contact_id`` field to 1234… so created invoice is automatically associated with the parent resource (Olivier Poitrey).
- [new] Allow some more HTTP errors (403 and 404) to be thrown from db hooks (Olivier Poitrey).
- [new] ``ALLOWED_READ_ROLES``. A list of allowed roles for resource endpoints with GET and OPTIONS methods (Olivier Poitrey).
- [new] ``ALLOWED_WRITE_ROLES``. A list of allowed roles for resource endpoints with POST, PUT and DELETE methods (Olivier Poitrey).
- [new] ``ALLOWED_ITEM_READ_ROLES``. A list of allowed roles for item endpoints with GET and OPTIONS methods (Olivier Poitrey).
- [new] ``ALLOWED_ITEM_WRITE_ROLES``. A list of allowed roles for item endpoints with PUT, PATCH and DELETE methods (Olivier Poitrey).
- [new] 'dependencies' validation rule.
- [new] 'keyschema' validation rule.
- [new] 'regex' validation rule.
- [new] 'set' as a core data type.
- [new] 'min' and 'max' now apply to floats and numbers too.
- [new] File Storage. ``EXTENDED_MEDIA_INFO`` allows a list of meta fields (file properties) to forward from the file upload driver (Ben Demaree).
- [new] Python 3.4 is now supported.
- [new] Support for default values in documents with more than one level of data (Javier Gonel).
- [new] Ability to send entire document in write responses. ``BANDWIDTH_SAVER`` aka Coherence Mode (Josh Villbrandt).
- [new] ``on_pre_<METHOD>`` events expose the lookup dictionary which allows for setting up dynamic database lookups on both resource and item endpoints.
- [new] Return a 400 response on pymongo DuplicateKeyError, with exception message if debug mode is on (boosh).
- [new] PyPy officially supported and tested (Javier Gonel).
- [new] tox support (Javier Gonel).
- [new] Post database events (Javier Gonel). Addresses #272.
- [new] Versioned Documents (Josh Villbrandt). Closes #224.
- [new] Python trove classifiers added to setup.py.
- [new] Client projections are also honored at item endpoints.
- [new] validate that ID_FIELD is not set as a resource ``auth_field``. Addresses #266.
- [new] ``URL_PROTOCOL`` defines the HTTP protocol used when building HATEOAS links. Defaults to ``''`` for relative paths (Junior Vidotti).
- [new] ``on_delete_item`` and ``on_deleted_item`` are raised on DELETE requests sent to document endpoints. Addresses #232.
- [new] ``on_delete_resource`` and ``on_deleted_resource`` are raised on DELETE requests sent to resource endpoints. Addresses #232.
- [new] ``on_update`` is raised on PATCH requests, when a document is about to be updated on the database. Addresses #232.
- [new] ``on_replace`` is raised on PUT requests, when a document is about to be replaced on the database. Addresses #232.
- [new] ``auth`` constructor argument accepts either a class instance or a callable. Closes #248.
- [change] Cerberus 0.7.2 is now required.
- [change] Jinja2 2.7.3 is now required.
- [change] Werkzeug 0.9.6 is now required.
- [change] simplejson 3.5.2 is now required.
- [change] itsdangerous 0.24 is now required. Addresses #378.
- [change] Events 0.2.1 is now required.
- [change] MarkupSafe 0.23 is now required.
- [change] For bulk and non-bulk inserts, response status is now always either 201 when everything was ok or 400 when something went wrong. For bulk inserts, if at least one document doesn't validate, the whole request is rejected, and none of the documents are inserted into the database. Additionally, this commit adopts the same response format as collections: responses are always a dict with a ``_status`` field at its root and an eventual ``_error`` object if ``_status`` is ``ERR`` to comply with #366. Documents status are stored in the ``_items`` field (Olivier Poitrey).
- [change] Callbacks get whole json response on ``on_fetched``. This allows for callbacks functions to alter the whole payload, even when HATEOAS is enabled and ``_items`` and ``_links`` metafields are present.
- [change] ``on_insert`` is not raised anymore on PUT requests (replaced by above mentioned ``on_replace``).
- [change] ``auth.request_auth_value`` is no more. Yay. See below.
- [change] ``auth.set_request_auth_value()`` allows to set the ``auth_field`` value for the current request.
- [change] ``auth.get_request_auth_value()`` allows to retrieve the ``auth_field`` value for the current request.
- [change] ``on_update(ed)`` and ``on_replace(ed)`` callbacks now receive both the original document and the updates (Jaroslav Semančík).
- [change] Review event names (Javier Gonel).
- [fix] return 500 instead of 404 if CORS is enabled. Closes #381.
- [fix] Crash on GET requests on resource endpoints when ID_FIELD is missing on one or more documents. Closes #351.
- [fix] Cannot change a nullable objectid type field to contain null. Closes #341.
- [fix] HATEOAS links as business unit values even when regexes are configured for the endpoint.
- [fix] Documentation improvements (Jen Montes).
- [fix] KeyError exception was raised when field specified in schema as embeddable was missing in a particular document (Jaroslav Semančík).
- [fix] Tests on HEAD requests would very occasionally fail. See #316.
- [change] PyMongo 2.7.1 is now required.
- [fix] Automatic fields such as ``DATE_CREATD`` and ``DATE_CREATED`` are correctly handled in client projections (Josh Villbrandt). Closes #282.
- [fix] Make codebase compliant with latest PEP8/flake8 release (Javier Gonel).
- [fix] If you had a media field, and set datasource projection to 0 for that field, the media would not be deleted. Closes #284.
- [fix] tests cleanup (Javier Gonel).
- [fix] tests now run on any system without needing to set ``ulimit`` to a higher value (Javier Gonel).
- [fix] media files: don't try to delete a field that does not exist (Taylor Brown).
- [fix] Occasional KeyError while building ``_media`` helper dict. See #271 (Alexander Hendorf).
- [fix] ``If-Modified-Since`` misbehaviour when a datasource filter is set. Closes #258.
- [fix] Trouble serializing list of dicts. Closes #265 and #244.
- [fix] ``HATEOAS`` item links are now coherent with actual endpoint URL even when natural immutable keys are used in URLs (Junior Vidotti). Closes #256.
- [fix] Replaced ``ID_FIELD`` by ``item_lookup_field`` on self link. item_lookup_field will default to ``ID_FIELD`` if blank.
Released on 14 February, 2014.
- [fix] Serialization of sub-documents (Hannes Tiede). Closes #244.
- [new] ``X_MAX_AGE`` allows to configure CORS Access-Control-Max-Age (David Buchmann).
- [fix] ``GET`` with ``If-Modified-Since`` on list endpoint returns incorrect 304 if resource is empty. Closes #243.
- [change] ``POST`` will return ``201 Created`` if at least one document was accepted for insertion; ``200 OK`` otherwise (meaning the request was accepted and processed). It is still client's responsibility to parse the response payload to check if any document did not pass validation. Addresses #201 #202 #215.
- [new] ``number`` data type. Allows both integers and floats as field values.
- [fix] Using primary keys other than _id. Closes #237.
- [fix] Add tests for ``PUT`` when User Restricted Resource Access is active.
- [fix] Auth field not set if resource level authentication is set. Fixes #231.
- [fix] RateLimit check was occasionally failing and returning a 429 (John Deng).
- [change] Jinja2 2.7.2 is now required.
- [new] media files (images, pdf, etc.) can be uploaded as ``media`` document fields. When a document is requested, eventual media files will be returned as Base64 strings. Upload is done via ``POST``, ``PUT`` and ``PATCH`` using the ``multipart/form-data`` content-type. For optimized performance, by default files are stored in GridFS, however custom ``MediaStorage`` classes can be provided to support alternative storage systems. Clients and API maintainers can exploit the projections feature to include/exclude media fields from requests. For example, a request like ``/url/<id>?projection={"image": 0}`` will return the document without the image field. Also, while setting a resource ``datasource`` it is possible to explicitly exclude media fields from standard responses (clients will need to explicitly add them to the payload with ``?projection={"image": 1}``).
- [new] ``media`` type for schema fields.
- [new] ``media`` application argument. Allows to specify a media storage class to be used to store media files. Defaults to ``GridFSMediaStorage``.
- [new] ``GridFSMediaStorage`` class. Stores files into GridFS.
- [new] ``MediaStorage`` class provides a standardized API for storing files, along with a set of default behaviors that all other storage systems can inherit or override as necessary.
- [new] ``file`` data type support and validation for resource schema.
- [new] ``multipart/form-data`` content-type is now supported for requests.
- [fix] Field exclusion (``?projection={"fieldname": 0}``) now supported in client projections. Remember, mixing field inclusion and exclusion is still not supported by MongoDB.
- [fix] ``URL_PREFIX`` and ``API_VERSION`` are correctly reported in HATEOAS links.
- [fix] ``DELETE`` on sub-resources should only delete documents referenced by the parent. Closes #212.
- [fix] ``DELETE`` on a resource endpoint honors User-Restricted Resource Access. Closes #213.
- [new] ``JSON`` allows to enable/disable JSON responses. Defaults to ``True`` (JSON enabled).
- [new] ``XML`` allows to enable/disable XML responses. Defaults to ``True`` (XML enabled).
- [fix] XML properly honors ``_LINKS`` and ``_ITEMS`` settings.
- [fix] return all document fields when resource schema is empty.
- [new] pytest.ini for pytest support.
- [fix] All tests should now run with nose and pytest. Closes #209.
- [new] ``query_objectid_as_string`` resource setting. Defaults to ``False``. Addresses #207.
- [new] ``ETAG`` allows to customize the etag field. Defaults to ``_etag``.
- [change] ``etag`` is now ``_etag`` in all default response payloads (see above).
- [change] ``STATUS`` defaults to '_status'.
- [change] ``ISSUES`` defaults to '_issues'.
- [change] ``DATE_CREATED`` defaults to '_created'. Upgrade existing collections by running ``db.<collection>.update({}, { $rename: { "created": "_created" } }, { multi: true })`` in the mongo shell. If an index exists on the field, drop it and create a new one using the new field name.
- [change] ``LAST_UPDATED`` defaults to '_updated'. Upgrade existing collections by running ``db.<collection>.update({}, { $rename: { "updated": "_updated" } }, { multi: true })`` in the mongo shell. If an index exists on the field, drop it and create a new one using the new field name.
- [change] Exclude ``etag`` from both response payload and headers if concurrency control is disabled (``IF_MATCH`` = ``False``). Closes #205.
- [fix] Custom ``ID_FIELD`` would fail on update/insert methods. Fixes #203 (Jaroslav Semančík).
- [change] GET: when If-Modified-Since header is present, either no documents (304) or all documents (200) are sent per the HTTP spec. Original behavior can be achieved with: ``/resource?where={"updated":{"$gt":"if-modified-since-date"}}`` (Josh Villbrandt).
- [change] Validation errors are now reported as a dictionary with offending fields as keys and issues descriptions as values.
- [change] Cerberus v0.6 is now required.
Released on 30 November, 2013.
- [new] Sub-Resources. It is now possible to configure endpoints such as: ``/companies/<company_id>/invoices``. Also, the corresponding item endpoints, such as ``/companies/<company_id>/invoices/<invoice_id>``, are available. All CRUD operations on these endpoints are allowed. Closes #156.
- [new] ``resource_title`` allows to customize the endpoint title (HATEOAS).
- [new][dev] ``extra`` cursor property, when present, will be added to ``GET`` responses (with same key). This feature can be used by Eve extensions to inject proprietary data into the response stream (Petr Jašek).
- [new] ``IF_MATCH`` allows to disable checks for ETag matches on edit, replace and delete requests. If disabled, requests without an If-Match header will be honored without returning a 403 error. Defaults to True (enabled by default).
- [new] ``LINKS`` allows to customize the links field. Defaults to '_links'.
- [new] ``ITEMS`` allows to customize the items field. Defaults to '_items'.
- [new] ``STATUS`` allows to customize the status field. Defaults to 'status'.
- [new] ``ISSUES`` allows to customize the issues field. Defaults to 'issues'.
- [new] Handling custom ID fields tutorial.
- [new] A new ``json_encoder`` initialization argument is available. It allows to pass custom JSONEncoder or eve.io.BaseJSONEncoder to the Eve instance.
- [new] A new ``url_converters`` initialization argument is available. It allows to pass custom Flask url converters to the Eve constructor.
initialization argument is available. It allows to pass custom Flask url converters to the Eve constructor. - [new] ID_FIELD fields can now be of arbitrary types, not only ObjectIds. Thanks to Kelvin Hammond for contributing to this one. Closes #136.
- [new] ``pre_<method>`` and ``pre_<method>_<resource>`` event hooks are now available. They are raised when a request is received and before processing it. The resource involved and the Flask request object are returned to the callback function (dccrazyboy).
- [new] ``embedded_fields`` activates default Embedded Resource Serialization on a list of selected document fields. Eventual embedding requests by clients will be processed along with default embedding. In order for default embedding to work, the field must be defined as embeddable, and embedding must be active for the resource (with help from Christoph Witzany).
- [new] ``default_sort`` option added to the ``datasource`` resource setting. It allows to set default sorting for the endpoint. Default sorting will be overridden by a client request that happens to include a ``?sort`` argument within the query string (with help from Christoph Witzany).
- [new] You can now choose to provide custom settings as a Python dictionary.
- [new] New method ``Eve.register_resource()`` for registering new resource after initialization of Eve object. This is needed for simpler initialization API of all ORM/ODM extensions (Stanislav Heller).
- [change] Rely on Flask endpoints to map urls to resources.
- [change] For better consistency with new ``pre_<method>`` hooks, ``on_<method>`` event hooks have been renamed to ``on_post_<method>``.
- [change] Custom authentication classes can now be set at endpoint level. When set, an endpoint-level auth class will override the eventual global level auth class. Authentication docs have been updated (and greatly revised) accordingly. Closes #89.
- [change] JSON encoding is now handled at the DataLayer level allowing for specialized, granular, data-aware encoding. Also, since the JSON encoder is now a class attribute, extensions can replace the pre-defined data layer encoder with their own implementation. Closes #102.
- [fix] HMAC example and docs updated to align with new hmac in Python 2.7.3, which is only accepting bytes string. Closes #199.
- [fix] Properly escape leaf values in XML responses (Florian Rathgeber).
- [fix] A read-only field with a default value would trigger a validation error on POST and PUT methods.
Released on October 31st, 2013.
- DELETE now uses the original document ID_FIELD when issuing the delete command to the underlying data layer (Xavi Cubillas).
- Embedded Resource Serialization also available at item endpoints (``/invoices/<id>/?embedded={'person':1}``).
- ``collection`` (used when setting up a data relation, see Embedded Resource Serialization) has been renamed to ``resource`` in order to avoid confusion between the Eve schema and underlying MongoDB collections.
- Nested endpoints. Endpoints with deep paths like ``/contacts/overseas`` can now function in conjunction with top-level endpoints (``/contacts``). Endpoints are completely independent: each can allow item lookups (``/contacts/<id>`` and ``contacts/overseas/<id>``) and different access methods. Previously, while you could have complex urls, you could not get nested endpoints to work properly.
- PyMongo 2.6.3 is now supported.
- item-id wrappers have been removed from POST/PATCH/PUT requests and responses. Requests for single document insertion/edition are now performed by just submitting the relevant document. Bulk insert requests are performed by submitting a list of documents. The response to bulk requests is a list itself in which every list item contains the state of the corresponding request document. Please note that this is a breaking change. Also be aware that when the request content-type is ``x-www-form-urlencoded``, single document insert is performed. Closes #139.
- ObjectId are properly serialized on POST/PATCH/PUT methods.
- Queries on ObjectId and datetime values in nested documents.
- ``auth.user_id`` renamed to ``auth.request_auth_value`` for better consistency with the ``auth_field`` setting. Closes #132 (Ryan Shea).
- Same behavior as Flask, SERVER_NAME now defaults to None. It allows much easier development on distant machine that may change IP (Ronan Delacroix).
- CORS support was not available for ``additional_lookup`` urls (Petr Jašek.)
- 'default' field values that could be assimilated to ``None`` (0, None, "") would be ignored.
- POST and PUT would fail with 400 if there was no auth class while ``auth_field`` was set for a resource.
was set for a resource. - Fix order of string arguments in exception message in flaskapp.validate_schema() (Roy Smith).
Released on September 30th, 2013.
- ``PUT`` method for completely replacing a document while keeping the same unique identifier. Closes #96.
- Embedded Resource Serialization. If a document field is referencing a document in another resource, clients can request the referenced document to be embedded within the requested document (Bryan Cattle). Closes #68.
- "No trailing slash" URLs are now supported. Closes #118.
- HATEOAS is now optional and can be disabled both at global and resource level.
- ``X-HTTP-Method-Override`` supported for all HTTP Methods. Closes #95.
- HTTP method is now passed into ``authenticate()`` and ``check_auth()`` (Ken Carpenter). Closes #90.
- Cleanup and hardening of User-Restricted Resource Access Edit (Bryan Cattle).
- Account Management tutorial updated to reflect the event hooks naming update introduced in v0.0.9.
- Some more Python 3 refactoring (Dong Wei Ming).
- Events 0.2.0 is now supported.
- PyMongo 2.6.2 is now supported.
- Cerberus 0.4.0 is now supported.
- Item ``GET`` on documents with non-existent 'created' field (because stored outside of API context) was not returning a default value for the field.
- Edits on documents with non-existent 'created' or 'updated' fields (because stored outside of the API context) were returning ``412 Precondition Failed``. Closes #123.
- ``on_insert`` is raised when a ``PUT`` (replace action) is about to be performed. Closes #120.
- Installation on Windows with Python 3 was returning encoding errors.
- Fixed #99: malformed XML render when href includes forbidden URI/URL chars.
- Fixed a bug introduced with 0.0.9 and Python 3 support. Filters (``?where``) on datetime values were not working when running on Python 2.x.
- Fixed some typos and minor grammatical errors all across the documentation (Ken Carpenter, Jean Boussier, Kracekumar, Francisco Corrales Morales).
Released on August 29, 2013
- PyMongo 2.6 is now supported.
- ``FILTERS`` boolean replaced by ``ALLOWED_FILTERS`` list which allows for explicit whitelisting of filter-enabled fields (Bryan Cattle). Closes #78.
- Custom user ids for User-Restricted Resource Access, allowing for more flexibility and token revocation with token-based authentication. Closes #73.
- ``AUTH_USERNAME_FIELD`` renamed to ``AUTH_FIELD``.
- ``auth_username_field`` renamed to ``auth_field``.
- BasicAuth and subclasses now support ``user_id`` property.
- Updated the event hooks naming system to be more robust and consistent. Closes #80.
- To emphasize the fact that they are tied to a method, all ``on_<method>`` hooks now have ``<method>`` in uppercase.
- ``on_getting`` hook renamed to ``on_fetch_resource``.
- ``on_getting_<resource>`` hook renamed to ``on_fetch_resource_<resource>``.
- ``on_getting_item`` hook renamed to ``on_fetch_item``.
- ``on_getting_item_<item_title>`` hook renamed to ``on_fetch_item_<item_title>``.
- ``on_posting`` hook renamed to ``on_insert``.
- Datasource projections always include automatic fields (``ID_FIELD``, ``LAST_UPDATED``, ``DATE_CREATED``). Closes #85.
- Public HTTP methods now override auth_username_field Edit. Closes #70 (Bryan Cattle).
- Response date fields are now using GMT instead of UTC. Closes #83.
- Handle the case of 'additional_lookup' field being an integer. If this is the case you can omit the 'url' key, as it will be ignored, and the integer value correctly parsed.
- More informative HTTP error messages. Some more informative error messages have been added for HTTP 400/3/12 and 500 errors. The error messages only show if DEBUG==True (Bryan Cattle).
- ``on_getting(resource, documents)`` is now ``on_getting_resource(resource, documents)``; ``on_getting_<resource>(documents)`` is now known as ``on_getting_resource_<resource>(documents)`` (Ryan Shea).
- Added a new event hook: ``on_getting_item_<title>(_id, document)`` (Ryan Shea).
- Allow ``auth_username_field`` to be set to ``ID_FIELD`` (Bryan Cattle).
- Python 3.3 is now supported.
- Flask 0.10.1 is now supported.
- Werkzeug 0.9.4 is now supported.
- Copyright finally updated to 2013.
Released on July 25th 2013.
- Only run RateLimiting tests if redis-py is installed and redis-server is running.
- CORS ``Access-Control-Allow-Headers`` header support (Garrin Kimmell).
- CORS ``OPTIONS`` support for resource and items endpoints (Garrin Kimmell).
- ``float`` is now available as a data-type in the schema definition ruleset.
- ``nullable`` field schema rule is now available. If ``True`` the field value can be set to null. Defaults to ``False``.
- v0.3.0 of Cerberus is now a requirement.
- ``on_getting``, ``on_getting_<resource>`` and ``on_getting_item`` event hooks. These events are raised when documents have just been read from the database and are about to be sent to the client. Registered callback functions can manipulate the documents as needed. Please be aware that ``last_modified`` and ``etag`` headers will always be consistent with the state of the documents on the database (they won't be updated to reflect any changes applied by the callback functions). Closes #65.
- Documentation fix: ``AUTH_USERFIELD_NAME`` renamed to ``AUTH_USERNAME_FIELD`` (Julien Barbot).
- Responses to GET requests for resource endpoints now include a ``last`` item in the _links dictionary. The value is a link to the last page available. The item itself is only provided if pagination is enabled and the page being requested isn't the last one. Closes #62.
- It is now possible to set the MongoDB write concern level at both global (``MONGO_WRITE_CONCERN``) and endpoint (``mongo_write_concern``) levels. The value is a dictionary with all valid MongoDB write_concern settings (w, wtimeout, j and fsync) as keys. ``{'w': 1}`` is the default, which is also MongoDB's default setting.
- ``TestMinimal`` class added to the test suite. This makes it possible to start building the tests for an application based on Eve by subclassing the TestMinimal class (Daniele Pizzolli).
Released on June 18th 2013.
- Pinned Werkzeug requirement to v0.8.3 to avoid issues with the latest release which breaks backward compatibility (actually a Flask 0.9 requirements issue, which backtracked to Eve).
- Support for Rate Limiting on all HTTP methods. Closes #58. Please note: to successfully execute the tests in ``eve.tests.methods.ratelimit.py``, a running redis server is needed.
- ``utils.request_method`` internal helper function added, which allowed for some nice code cleanup (DRY).
- Setting the default 'field' value would not happen if a 'data_relation' was nested deeper than the first schema level. Fixes #60.
- Support for ``EXTRA_RESPONSE_FIELDS``. It is now possible to configure a list of additional document fields that should be provided with POST responses. Normally only automatically handled fields (``ID_FIELD``, ``LAST_UPDATED``, ``DATE_CREATED``, ``etag``) are included in POST payloads. ``EXTRA_RESPONSE_FIELDS`` is a global setting that will apply to all resource endpoints. Defaults to ``[]``, effectively disabling the feature. ``extra_response_fields`` is a local resource setting and will override ``EXTRA_RESPONSE_FIELDS`` when present.
- ``on_posting`` and ``on_posting_<resource>`` event hooks. ``on_posting`` and ``on_posting_<resource>`` events are raised when documents are about to be stored. Among other things this allows callback functions to arbitrarily update the documents being inserted. ``on_posting(resource, documents)`` is raised on every successful POST while ``on_posting_<resource>(documents)`` is only raised when <resource> is being updated. In both circumstances events will be raised only if at least one document passed validation and is going to be inserted.
- Flask native ``request.json`` is now used when decoding request payloads.
- resource argument added to Authorization classes. The ``check_auth()`` method of all classes in the ``eve.auth`` package (``BasicAuth``, ``HMACAuth``, ``TokenAuth``) now supports the resource argument. This allows subclasses to build their custom authorization logic around the resource being accessed.
- ``MONGO_QUERY_BLACKLIST`` option added. Allows blacklisting of MongoDB query operators that should not be allowed in resource queries (``?where=``). Defaults to ``['$where', '$regex']``. Mongo JavaScript operators are disabled by default as they might be used as vectors for injection attacks. JavaScript queries also tend to be slow and generally can be easily replaced with the (very rich) Mongo query dialect.
- ``MONGO_HOST`` defaults to 'localhost'.
- ``MONGO_PORT`` defaults to 27017.
- Support alternative hosts/ports for the test suite (Paul Doucet).
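For the ``MONGO_QUERY_BLACKLIST`` entry above, an operator check only protects a ``?where=`` filter if it looks at every nesting level, since an operator can sit inside ``$or``/``$and`` branches. This is an added illustration, not Eve's own code; the function names and the sample queries are constructed for the example.

```python
import json

# Default value quoted in the changelog entry.
MONGO_QUERY_BLACKLIST = ['$where', '$regex']

# Constructed sample ?where= values (not taken from Eve's test suite).
SAMPLES = [
    '{"lastname": "Doe"}',
    '{"$or": [{"age": 30}, {"name": {"$regex": "^a"}}]}',
    '{"$and": [{"$where": "true"}, {"age": {"$gt": 18}}]}',
    '[1, 2]',
]


def find_blacklisted_operators(query, blacklist=MONGO_QUERY_BLACKLIST):
    """Return the sorted blacklisted operators used at any depth of query."""
    found, stack = set(), [query]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            found.update(key for key in node if key in blacklist)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return sorted(found)


def check_where(raw_where, blacklist=MONGO_QUERY_BLACKLIST):
    """Parse a raw ?where= value; return (allowed, query_or_reason)."""
    try:
        query = json.loads(raw_where)
    except ValueError:
        return False, 'where clause is not valid JSON'
    if not isinstance(query, dict):
        return False, 'where clause must be a JSON object'
    hits = find_blacklisted_operators(query, blacklist)
    if hits:
        return False, 'operators not allowed: ' + ', '.join(hits)
    return True, query


if __name__ == '__main__':
    for raw in SAMPLES:
        print(raw, '->', check_where(raw))
```

A check that inspects only the top-level keys would accept the second and third samples, which is why the walk descends into lists and nested dictionaries.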
Released on May 13th 2013.
- Content-Type header now properly parsed when additional arguments are included (Ondrej Slinták).
- Only fields defined in the resource schema are now returned from the database. Closes #52.
- Default ``SERVER_NAME`` is now set to ``127.0.0.1:5000``.
- ``auth_username_field`` is honored even when there is no query in the request (Thomas Sileo).
- Pagination links in XML payloads are now properly escaped. Fixes #49.
- HEAD requests supported. Closes #48.
- Event Hooks. Each time a GET, POST, PATCH, DELETE method has been executed, both global ``on_<method>`` and resource-level ``on_<method>_<resource>`` events will be raised. You can subscribe to these events with multiple callback functions. Callbacks will receive the original flask.request object and the response payload as arguments.
- Proper ``max_results`` handling in ``eve.utils.parse_request``, refactored tests (Tomasz Jezierski).
- Projections. Projections are conditional queries where the client dictates which fields should be returned by the API (Nicolas Bazire).
- ``ALLOW_UNKNOWN`` option, and the corresponding ``allow_options`` local setting, allow for a less strict schema validation. Closes #34.
- ETags are now provided with POST responses. Closes #36.
- PATCH performance improvement: ETag is now computed in memory; performing an extra database lookup is not needed anymore.
- Bulk Inserts on the database. POST method heavily refactored to take advantage of MongoDB native support for Bulk Inserts. Please note: validation constraints are checked against the database, and not between the payload documents themselves. This causes an interesting corner case: in the event of a multiple documents payload where two or more documents carry the same value for a field where the ``unique`` constraint is set, the payload will validate successfully, as there are no duplicates in the database (yet). If this is an issue, the client can always send the documents one at a time for insertion, or validate locally before submitting the payload to the API.
- Responses to document GET requests now include the ETag in both the header and the payload. Closes #29.
- ``methods`` settings keyword renamed to ``resource_methods`` for coherence with the global ``RESOURCE_METHODS`` (Nicolas Carlier).
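For the Bulk Inserts entry above, one way a client can "validate locally" before a multi-document POST: find values of ``unique`` fields that repeat inside the payload itself, which the database-side check cannot see. This is an added example, not part of Eve; the schema, payload and function names are constructed, and only top-level schema fields are considered.

```python
import json

# Constructed schema and payload; only the `unique` rule matters here.
SCHEMA = {
    'email': {'type': 'string', 'unique': True},
    'name': {'type': 'string'},
}
PAYLOAD = [
    {'email': 'a@example.com', 'name': 'Ann'},
    {'email': 'b@example.com', 'name': 'Bob'},
    {'email': 'a@example.com', 'name': 'Al'},
]


def unique_fields(schema):
    """Names of top-level fields that carry the `unique` rule."""
    return [name for name, rules in schema.items() if rules.get('unique')]


def payload_duplicates(documents, schema):
    """Return [(field, value, [indexes])] for unique values repeated in the payload."""
    seen = {}
    for index, doc in enumerate(documents):
        for field in unique_fields(schema):
            if field not in doc:
                continue
            # Canonical JSON makes unhashable values (lists, dicts) comparable.
            key = (field, json.dumps(doc[field], sort_keys=True, default=str))
            seen.setdefault(key, (doc[field], []))[1].append(index)
    return [(f, value, idx) for (f, _), (value, idx) in seen.items() if len(idx) > 1]


def split_payload(documents, schema):
    """Split into (safe_for_bulk, held_back); later duplicates are held back."""
    held = {i for _, _, idx in payload_duplicates(documents, schema) for i in idx[1:]}
    safe = [doc for i, doc in enumerate(documents) if i not in held]
    return safe, [documents[i] for i in sorted(held)]


if __name__ == '__main__':
    print(payload_duplicates(PAYLOAD, SCHEMA))
    print(split_payload(PAYLOAD, SCHEMA))
```

Documents held back can be reviewed or sent afterwards one at a time, at which point the database-side ``unique`` check applies to them.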
Released on April 11th 2013.
- Fixed an issue that apparently caused the test suite to only run successfully on the dev box. Thanks Chronidev for reporting this.
- Referential integrity validation via the new ``data_relation`` schema keyword. Closes #25.
- Support for ``Content-Type: application/json`` for POST and PATCH methods. Closes #28.
- User-restricted resource access. Works in conjunction with Authentication. When enabled, users can only read/update/delete resource items created by themselves. Can be switched on and off at global level via the ``AUTH_USERFIELD_NAME`` keyword, or at single resource endpoints with the user_userfield_name keyword (the latter will override the former). The keyword contains the actual name of the field used to store the username of the user who created the resource item. Defaults to '', which disables the feature (Thomas Sileo).
- ``PAGING_LIMIT`` keyword setting renamed to ``PAGINATION_LIMIT`` for better coherency with the new ``PAGINATION`` keyword. This could break backward compatibility in some cases.
- ``PAGING_DEFAULT`` keyword settings renamed to ``PAGINATION_DEFAULT`` for better coherence with the new ``PAGINATION`` keyword. This could break backward compatibility in some cases.
- ``ITEM_CACHE_CONTROL`` removed as it seems unnecessary at the moment.
- Added an example on how to handle events to perform custom actions. Closes #23 and #22.
- ``eve.validation_schema()`` now collects offending items and returns all of them into the exception message. Closes #24.
- Filters (``?where=``), sorting (``?sort=``) and pagination (``?page=10``) can now be disabled at both global and endpoint level. Closes #7.
- CORS (Cross-Origin Resource Sharing) support. The new ``X-DOMAINS`` keyword allows API maintainers to specify which domains are allowed to perform CORS requests. Allowed values are: None, a list of domains, or '*' for a wide-open API. Closes #1.
- HMAC (Hash Message Authentication Code) based Authentication.
- Token Based Authentication, a variation of Basic Authentication. Closes #20.
- Orphan function removed (``eve.methods.get.standard_links``).
- ``DATE_CREATED`` and ``LAST_UPDATED`` fields now show default values for documents created outside the API context. Fixes #18.
Released on February 25th 2013.
- Consistent ETag computation between runs/instances. Closes #16.
- Support for Basic Authentication (RFC2617).
- Support for fine-tuning authentication with ``PUBLIC_METHODS`` and ``PUBLIC_ITEM_METHODS``. By default, access is restricted to all endpoints, for all HTTP verbs (methods), effectively locking down the whole API.
- Support for role-based access control with ``ALLOWED_ROLES`` and ``allowed_roles``.
- Support for all standard Flask initialization parameters.
- Support for default values in resource fields. The new ``default`` keyword can now be used when defining a field rule set. Please note: currently default values are supported only for main document fields. Default values for fields in embedded documents will be ignored.
- Multiple API endpoints can now target the same database collection. For example now you can set both ``/admins/`` and ``/users/`` to read and write from the same collection on the db, people. The new ``datasource`` setting allows to explicitly link API resources to database collections. It is a dictionary with two allowed keys: source and filter. source dictates the database collection consumed by the resource. filter is the underlying query, applied by the API when retrieving and validating data for the resource. Previously, the resource name would dictate the linked datasource (and of course you could not have two resources with the same name). This remains the default behaviour: if you omit the ``datasource`` setting for a resource, its name will be used to determine the database collection.
- It is now possible to set predefined db filters for each resource. Predefined filters run on top of user queries (GET requests with ``where`` clauses) and standard conditional requests (``If-Modified-Since``, etc.) Please note that datasource filters are applied on GET, PATCH and DELETE requests. If your resource allows for POST requests (document insertions), then you will probably want to set the validation rules accordingly (in our example, 'username' should probably be a required field).
- JSON-Datetime dependency removed.
- Support for Cerberus v0.0.3 and later.
- Support for Flask-PyMongo v0.2.0 and later.
- Repeated XML requests to the same endpoint could occasionally return an Internal Server Error (Fixes #8).
Released on January 22nd 2013.
- XML rendering love. Lots of love.
- JSON links are always wrapped in a ``_links`` dictionary. Key values match the relation between the item being represented and the linked resource.
- Streamlined JSON responses. Superfluous ``response`` root key has been removed from JSON payloads. GET requests to resource endpoints: items are now wrapped with an ``_items`` list. GET requests to item endpoints: item is now at root level, with no wrappers around it.
- Support for API versioning through the new API_VERSION configuration setting.
- Boolean values in request forms are now correctly parsed.
- Tests now run under Python 2.6.
Released on November 27th 2012.
- Homepage/api entry point resource links fixed. They had bad 'href' tags which also caused XML validation issues when processing responses (especially when accessing the API via browser).
- Version number in 'Server' response headers.
- Added support for DELETE at resource endpoints. Expected behavior: will delete all items in the collection. Disabled by default.
- :class:`eve.io.mongo.Validator` now supports :class:`~cerberus.Validator` signature, allowing for further subclassing.
Released on November 20th 2012.
- First public preview release.