Eve Changelog
=============

Here you can see the full list of changes between each Eve release.

Version 0.2
-----------

Released on 30 November, 2013.

- [new] Sub-Resources. It is now possible to configure endpoints such as:
  ``/companies/<company_id>/invoices``. Also, the corresponding item endpoints,
  such as ``/companies/<company_id>/invoices/<invoice_id>``, are available. All
  CRUD operations on these endpoints are allowed. Closes 156.
- [new] ``resource_title`` allows to customize the endpoint title (HATEOAS).
- [new][dev] ``extra`` cursor property, when present, will be added to ``GET``
  responses (with same key). This feature can be used by Eve extensions to
  inject proprietary data into the response stream (Petr Jašek).
- [new] ``IF_MATCH`` allows to disable checks for ETag matches on edit, replace
  and delete requests. If disabled, requests without an If-Match header will be
  honored without returning a 403 error. Defaults to True (enabled by default). 
- [new] ``LINKS`` allows to customize the links field. Default to '_links'.
- [new] ``ITEMS`` allows to customize the items field. Default to '_items'.
- [new] ``STATUS`` allows to customize the status field. Default to 'status'.
- [new] ``ISSUES`` allows to customize the issues field. Default to 'issues'.
- [new] Handling custom ID fields tutorial.
- [new] A new ``json_encoder`` initialization argument is available. It allows
  to pass custom JSONEncoder or eve.io.BaseJSONEncoder to the Eve instance.
- [new] A new ``url_converters`` initialization argument is available. It
  allows to pass custom Flask url converters to the Eve constructor. 
- [new] ID_FIELD fields can now be of arbitrary types, not only ObjectIds.
  Thanks to Kelvin Hammond for contributing to this one.  Closes #136.
- [new] ``pre_<method>`` and ``pre_<method>_<resource>`` event hooks are now
  available. They are raised when a request is received and before processing
  it. The resource involved and the Flask request object are returned to the
  callback function (dccrazyboy).
- [new] ``embedded_fields`` activates default Embedded Resource Serialization
  on a list of selected document fields. Eventual embedding requests by clients
  will be processed along with default embedding. In order for default
  embedding to work, the field must be defined as embeddable, and embedding
  must be active for the resource (with help from Christoph Witzany).
- [new] ``default_sort`` option added to the ``datasource`` resource setting.
  It allows to set default sorting for the endpoint. Default sorting will be
  overriden by a client request that happens to include a ``?sort`` argument
  within the query string (with help from Christoph Witzany).
- [new] You can now choose to provide custom settings as a Python dictionary.
- [new] New method ``Eve.register_resource()`` for registering new resource
  after initialization of Eve object. This is needed for simpler initialization
  API of all ORM/ODM extensions (Stanislav Heller).
- [change] Rely on Flask endpoints to map urls to resources.
- [change] For better consistency with new ``pre_<method>`` hooks,
  ``on_<method>`` event hooks have been renamed to ``on_post_<method>``.
- [change] Custom authentication classes can now be set at endpoint level. When
  set, an endpoint-level auth class will override the eventual global level
  auth class.  Authentication docs have been updated (and greatly revised)
  accordingly.  Closes #89.
- [change] JSON encoding is now handled at the DataLayer level allowing for
  specialized, granular, data-aware encoding. Also, since the JSON encoder is
  now a class attribute, extensions can replace the pre-defined data layer
  encoder with their own implementation. Closes #102. - [fix] HMAC example and
  docs updated to align with new hmac in Python 2.7.3, which is only accepting
  bytes string. Closes #199.
- [fix] Properly escape leaf values in XML responses (Florian Rathgeber).
- [fix] A read-only field with a default value would trigger a validation error
  on POST and PUT methods.

Version 0.1.1
-------------

Released on October 31th, 2013.

Enhancements
~~~~~~~~~~~~
- DELETE now uses the original document ID_FIELD when issuing the delete
  command to the underlying data layer (Xavi Cubillas).
- Embedded Resource Serialization also available at item endpoints
  (``/invoices/<id>/?embedded={'person':1}``),
- ``collection`` (used when setting up a data relation, see Embedded Resource
  Serialization) has been renamed to ``resource`` in order to avoid confusion
  between the Eve schema and underlying MongoDB collections.
- Nested endpoints. Endpoints with deep paths like ``/contacts/overseas`` can
  now function in conjuction with top-level endpoints (``/contacts``).
  Endpoints are completely independent: each can allow item lookups
  (``/contacts/<id>`` and ``contacts/overseas/<id>``) and different access
  methods. Previously, while you could have complex urls, you could not get
  nested endpoints to work properly.
- PyMongo 2.6.3 is now supported.
- item-id wrappers have been removed from POST/PATCH/PUT requests and
  responses. Requests for single document insertion/edition are now performed
  by just submitting the relevant document. Bulk insert requests are performed
  by submitting a list of documents. The response to bulk requests is a list
  itself in which every list item contains the state of the corresponding
  request document. Please note that this is a breaking change. Also be aware
  that when the request content-type is ``x-www-form-urlencoded``, single
  document insert is performed. Closes #139.
- ObjectId are properly serialized on POST/PATCH/PUT methods.
- Queries on ObjectId and datetime values in nested documents.
- ``auth.user_id`` renamed to ``auth.request_auth_value`` for better
  consistency with the ``auth_field`` setting. Closes #132 (Ryan Shea).
- Same behavior as Flask, SERVER_NAME now defaults to None. It allows much
  easier development on distant machine that may changes IP (Ronan Delacroix).

Fixes
~~~~~
- CORS support was not available for ``additional_lookup`` urls (Petr Jašek.)
- 'default' field values that could be assimilated to ``None`` (0, None, "")
  would be ignored.
- POST and PUT would fail with 400 if there was no auth class while
  ``auth_field`` was set for a resource.
- Fix order of string arguments in exception message in
  flaskapp.validate_schema() (Roy Smith).

Version 0.1
-----------

Released on September 30th, 2013.

New Features
~~~~~~~~~~~~
- ``PUT`` method for completely replace a document while keeping the same
  unique identifier. Closes #96.
- Embedded Resource Serialization. If a document field is referencing
  a document in another resource, clients can request the referenced document
  to be embedded within the requested document (Bryan Cattle).  Closes #68.
- "No trailing slash" URLs are now supported. Closes #118.
- HATEOAS is now optional and can be disabled both at global and resource
  level.
- ``X-HTTP-Method-Override`` supported for all HTTP Methods. Closes #95.

Enhancements
~~~~~~~~~~~~
- HTTP method is now passed into ``authenticate()`` and ``check_auth()`` (Ken
  Carpenter). Closes #90 .
- Cleanup and hardening of User-Restricted Resource Access Edit (Bryan Cattle).
- Account Management tutorial updated to reflect the event hooks naming update
  introduced in v0.0.9.
- Some more Python 3 refactoring (Dong Wei Ming).
- Events 0.2.0 is now supported.
- PyMongo 2.6.2 is now supported.
- Cerberus 0.4.0 is now supported.

Fixes
~~~~~
- Item ``GET`` on documents with non-existent 'created' field (because
  stored outside of API context) were not returning a default value for the
  field.
- Edits on documents with non-existent 'created' or 'updated' fields
  (because stored outside of the API context) were returning ``412 Precondition
  Failed``. Closes #123.
- ``on_insert`` is raised when a ``PUT`` (replace action) is about to be
  performed. Closes #120.
- Installation on Windows with Python 3 was returning encoding errors.
- Fixed #99: malformed XML render when href includes forbidden URI/URL chars.
- Fixed a bug introduced with 0.0.9 and Python 3 support. Filters (``?where``)
  on datetime values were not working when running on Python 2.x.
- Fixed some typos and minor grammatical errors all across the documentation
  (Ken Carpenter, Jean Boussier, Kracekumar, Francisco Corrales Morales).

Version 0.0.9
-------------

Released on August 29, 2013

- PyMongo 2.6 is now supported.
- ``FILTERS`` boolean replaced by ``ALLOWED_FILTERS`` list which allows for
  explicit whitelisting of filter-enabled fields (Bryan Cattle). Closes #78.
- Custom user ids for User-Restricted Resource Access, allowing for more
  flexibility and token revocation with token-based authentication. Closes #73.
- ``AUTH_USERNAME_FIELD`` renamed to ``AUTH_FIELD``.
- ``auth_username_field`` renamed to ``auth_field``.
- BasicAuth and subclasses now support ``user_id`` property.
- Updated the event hooks naming system to be more robuts and consistent.
  Closes #80.
- To emphasize the fact that they are tied to a method, all ``on_<method>``
  hooks now have ``<method>`` in uppercase.
- ``on_getting`` hook renamed to ``on_fetch_resource``.
- ``on_getting_<resource>`` hook renamed to ``on_fetch_resource_<resource>``
- ``on_getting_item`` hook renamed to ``on_fetch_item``.
- ``on_getting_item_<item_title>`` hook renamed to
  ``on_fetch_item_<item_title>``.
- ``on_posting`` hook renamed to ``on_insert``.
- Datasource  projections always include automatic fields (``ID_FIELD``,
  ``LAST_UPDATED``, ``DATE_CREATED``). Closes #85.
- Public HTTP methods now override `auth_username_field` Edit. Closes #70
  (Bryan Cattle).
- Response date fields are now using GMT instead of UTC. Closes #83.
- Handle the case of 'additional_lookup' field being an integer. If this is the
  case you can omit the 'url' key, as it will be ignored, and the integer value
  correctly parsed.
- More informative HTTP error messages. Some more informative error messages
  have been added for HTTP 400/3/12 and 500 errors. The error messages only
  show if DEBUG==True (Bryan Cattle).
- ``on_getting(resource, documents)`` is now ``on_getting_resource(resource,
  documents)``; ``on_getting_<resource>(documents) is now known as
  ``on_getting_resource_<resource>(documents)`` (Ryan Shea).
- Added a new event hook: ``on_getting_item_<title>(_id, document)`` (Ryan
  Shea).
- Allow ``auth_username_field`` to be set to ``ID_FIELD`` (Bryan Cattle).
- Python 3.3 is now supported.
- Flask 0.10.1 is now supported.
- Werkzeug 0.9.4 is now supported.
- Copyright finally updated to 2013.

Version 0.0.8
-------------

Released on July 25th 2013.

- Only run RateLimiting tests if redis-py is installed and redis-server is
  running.
- CORS ``Access-Control-Allow-Headers`` header support (Garrin Kimmell).
- CORS ``OPTIONS`` support for resource and items endpoints (Garrin Kimmell).
- ``float`` is now available as a data-type in the schema definition ruleset.
- ``nullable`` field schema rule is now available. If ``True`` the field value
  can be set to null. Defaults to ``False``.
- v0.3.0 of Cerberus is now a requirement.
- ``on_getting``, ``on_getting_<resource>`` and ``on_getting_item`` event
  hooks. These events are raised when documents have just been read from the
  database and are about to be sent to the client. Registered callback
  functions can eventually manipulate the documents as needed. Please be aware
  that ``last_modified`` and ``etag`` headers will always be consistent with
  the state of the documents on the database (they  won't be updated to reflect
  changes eventually applied by the callback functions). Closes #65.
- Documentation fix: ``AUTH_USERFIELD_NAME`` renamed to ``AUTH_USERNAME_FIELD``
  (Julien Barbot).
- Responses to GET requests for resource endpoints now include a ``last`` item
  in the `_links` dictionary. The value is a link to the last page available.
  The item itself is only provided if pagination is enabled and the page being
  requested isn't the last one. Closes #62.
- It is now possible to set the MongoDB write concern level at both global
  (``MONGO_WRITE_CONCERN``) and endpoint (``mongo_write_concern``) levels. The
  value is a dictionary with all valid MongoDB write_concern settings (w,
  wtimeout, j and fsync) as keys. ``{'w': 1}`` is the default, which is also
  MongoDB's default setting.
- ``TestMininal`` class added to the test suite. This will allow to start the
  building of the tests for an application based on Eve, by subclassing the
  TestMinimal class (Daniele Pizzolli).

Version 0.0.7
-------------

Released on June 18th 2013.

- Pinned Werkzeug requirement to v0.8.3 to avoid issues with the latest release
  which breaks backward compatibility (actually a Flask 0.9 requirements issue,
  which backtracked to Eve).
- Support for Rate Limiting on all HTTP methods. Closes #58. Please note: to
  successfully execute the tests in 'eve.tests.methods.ratelimit.py`, a running
  redis server is needed.
- ``utils.request_method`` internal helper function added, which allowed  for
  some nice code cleanup (DRY).
- Setting the default 'field' value would not happen if a 'data_relation' was
  nested deeper than the first schema level. Fixes #60.
- Support for ``EXTRA_RESPONSE_FIELDS``. It is now possible to configure a list
  of additonal document fields that should be provided with POST responses.
  Normally only automatically handled fields (``ID_FIELD``, ``LAST_UPDATED``,
  ``DATE_CREATED``, ``etag``) are included in POST payloads.
  ``EXTRA_RESPONSE_FIELDS`` is a global setting that will apply to all resource
  endpoint . Defaults to ``[]``, effectively disabling the feature.
  ``extra_response_fields`` is a local resource setting and will override
  ``EXTRA_RESPONSE_FIELDS`` when present.
- ``on_posting`` and ``on_posting_<resource>`` event hooks. ``on_posting`` and
  ``on_posting_<resource>`` events are raised when documents are about to be
  stored. Among other things this allows callback functions to arbitrarily
  update the documents being inserted. ``on_posting(resource, documents)`` is
  raised on every successful POST while ``on_posting_<resource>(documents)`` is
  only raised when <resource> is being updated. In both circumstances events
  will be raised only if at least one document passed validation and is going
  to be inserted.
- Flask native ``request.json`` is now used when decoding request payloads.
- *resource* argument added to Authorization classes. The ``check_auth()``
  method of all classes in the ``eve.auth`` package (``BasicAuth``,
  ``HMACAuth``, ``TokenAuth``) now supports the *resource* argument. This
  allows subclasses to eventually build their custom authorization logic around
  the resource being accessed.
- ``MONGO_QUERY_BLACKLIST`` option added. Allows to blacklist mongo query
  operators that should not be allowed in resource queries (``?where=``).
  Defaults to ['$where', '$regex']. Mongo Javascript operators are disabled by
  default as they might be used as vectors for injection attacks. Javascript
  queries also tend to be slow and generally can be easily replaced with the
  (very rich) Mongo query dialect.
- ``MONGO_HOST`` defaults to 'localhost'.
- ``MONGO_PORT`` defaults to 27017.
- Support alternative hosts/ports for the test suite (Paul Doucet).

Version 0.0.6
-------------

Released on May 13th 2013.

- Content-Type header now properly parsed when additional arguments are
  included (Ondrej Slinták).
- Only fields defined in the resource schema are now returned from the
  database. Closes #52.
- Default ``SERVER_NAME`` is now set to ``127.0.0.1:5000``.
- ``auth_username_field`` is honored even when there is no query in the request
  (Thomas Sileo).
- Pagination links in XML payloads are now properly escaped. Fixes #49.
- HEAD requests supported. Closes #48.
- Event Hooks. Each time a GET, POST, PATCH, DELETE method has been executed,
  both global ``on_<method>`` and resource-level ``on_<method>_<resource>``
  events will be raised. You can subscribe to these events with multiple
  callback functions. Callbacks will receive the original flask.request object
  and the response payload as arguments.
- Proper ``max_results`` handling in ``eve.utils.parse_request``, refactored
  tests (Tomasz Jezierski).
- Projections. Projections are conditional queries where the client dictates
  which fields should be returned by the API (Nicolas Bazire).
- ``ALLOW_UNKNOWN`` option, and the corresponding ``allow_options`` local
  setting, allow for a less strict schema validation. Closes #34.
- ETags are now provided with POST responses. Closes #36.
- PATCH performance improvement: ETag is now computed in memory; performing an
  extra database lookup is not needed anymore.
- Bulk Inserts on the database. POST method heavily refactored to take
  advantage of MongoDB native support for Bulk Inserts. Please note: validation
  constraints are checked against the database, and not between the payload
  documents themselves. This causes an interesting corner case: in the event of
  a multiple documents payload where two or more documents carry the same value
  for a field where the ``unique`` constraint is set, the payload will validate
  successfully, as there are no duplicates in the database (yet). If this is an
  issue, the client can always send the documents once at a time for insertion,
  or validate locally before submitting the payload to the API.
- Responses to document GET requests now include the ETag in both the header
  and the payload. Closes #29.
- ``methods`` settings keyword renamed to ``resource_methods`` for coherence
  with the global ``RESOURCE_METHODS`` (Nicolas Carlier).

Version 0.0.5
-------------

Released on April 11th 2013.

- Fixed an issue that apparently caused the test suite to only run successfully
  on the dev box. Thanks Chronidev for reporting this.
- Referential integrity validation via the new ``data_relation`` schema
  keyword.  Closes #25.
- Support for ``Content-Type: application/json`` for POST and PATCH methods.
  Closes #28.
- User-restricted resource access. Works in conjunction with Authentication.
  When enabled, users can only read/update/delete resource items created by
  themselves. Can be switched on and off at global level via the
  ``AUTH_USERFIELD_NAME`` keywork, or at single resource endpoints with the
  user_userfield_name keyword (the latter will override the former). The
  keyword contains the actual name of the field used to store the username of
  the user who created the resource item. Defaults to '', which disables the
  feature (Thomas Sileo).
- ``PAGING_LIMIT`` keyword setting renamed to ``PAGINATION_LIMIT`` for better
  coherency with the new ``PAGINATION`` keyword. This could break backward
  compatibility in some cases.
- ``PAGING_DEFAULT`` keyword settings renamed to ``PAGINATION_DEFAULT`` for
  better coherence with the new ``PAGINATION`` keyword. This could break
  backward compatibility in some cases.
- ``ITEM_CACHE_CONTROL`` removed as it seems unnecessary at the moment.
- Added an example on how to handle events to perform custom actions. Closes
  #23 and #22.
- ``eve.validation_schema()`` now collects offending items and returns all of
  them into the exception message. Closes #24.
- Filters (``?where=``), sorting (``?sort=``) and pagination (``?page=10``) can
  now be be disabled at both global and endpoint level. Closes #7.
- CORS (Cross-Origin Resource Sharing) support. The new ``X-DOMAINS`` keywords
  allows API maintainers to specify which domains are allowed to perform CORS
  requests. Allowed values are: None, a list of domains, or '*' for a wide-open
  API. Closes #1.
- HMAC (Hash Message Authentication Code) based Autentication.
- Token Based Authentication, a variation of Basic Authentication. Closes #20.
- Orphan function removed (``eve.methods.get.standard_links`` ).
- ``DATE_CREATED`` and ``LAST_UPDATED`` fields now show default values for
  documents created outside the API context. Fixes #18.

Version 0.0.4
-------------

Released on February 25th 2013.

- Consistent ETag computation between runs/instances. Closes #16.
- Support for Basic Authentication (RFC2617).
- Support for fine-tuning authentication with ``PUBLIC_METHODS`` and
  ``PUBLIC_ITEM_METHODS``. By default, access is restricted to *all* endpoints,
  for *all* HTTP verbs (methods), effectively locking down the whole API.
- Supporto for role-based access control with ``ALLOWED_ROLES`` and
  ``allowed_roles``.
- Support for all standard Flask initialization parameters.
- Support for default values in resource fields. The new ``default`` keyword
  can now be used when defining a field rule set.  Please note: currently
  default values are supported only for main document fields. Default values
  for fields in embedded documents will be ignored.
- Multiple API endpoints can now target the same database collection. For
  example now you can set both ``/admins/`` and ``/users/`` to read and write
  from the same collection on the db, *people*.  The new ``datasource`` setting
  allows to explicitly link API resources to database collections. It is
  a dictionary with two allowed keys: *source* and *filter*. *source* dictates
  the database collection consumed by the resource.  *filter* is the underlying
  query, applied by the API when retrieving and validating data for the
  resource.  Previously, the resource name would dictate the linked datasource
  (and of course you could not have two resources with the same name). This
  remains the default behaviour: if you omit the ``datasource`` setting for
  a resource, its name will be used to determine the database collection.
- It is now possibile to set predefined db filters for each resource.
  Predefined filters run on top of user queries (GET requests with ``where``
  clauses) and standard conditional requests (``If-Modified-Since``, etc.)
  Please note that datasource filters are applied on GET, PATCH and DELETE
  requests. If your resource allows for POST requests (document insertions),
  then you will probably want to set the validation rules accordingly (in our
  example, 'username' should probably be a required field).
- JSON-Datetime dependency removed.
- Support for Cerberus v0.0.3 and later.
- Support for Flask-PyMongo v0.2.0 and later.
- Repeated XML requests to the same endpoint could occasionally return an
  Internal Server Error (Fixes #8).

Version 0.0.3
-------------

Released on January 22th 2013.

- XML rendering love. Lots of love.
- JSON links are always wrapped in a ``_links`` dictionary. Key values match
  the relation between the item being represented and the linked resource.
- Streamlined JSON responses. Superflous ``response`` root key has been removed
  from JSON payloads. GET requests to resource endpoints: items are now wrapped
  with an ``_items`` list. GET requests to item endpoints: item is now at root
  level, with no wrappers around it.
- Support for API versioning through the new API_VERSION configuration setting.
- Boolean values in request forms are now correctly parsed.
- Tests now run under Python 2.6.


Version 0.0.2
-------------

Released on November 27th 2012.

- Homepage/api entry point resource links fixed. They had bad 'href'
  tags which also caused XML validation issues when processing responses
  (especially when accessing the API via browser).
- Version number in 'Server' response headers.
- Added support for DELETE at resource endpoints. Expected behavior:
  will delete all items in the collection. Disabled by default.
- :class:`eve.io.mongo.Validator` now supports :class:`~cerberus.Validator`
  signature, allowing for further subclassing.

Version 0.0.1
-------------

Released on November 20th 2012.

- First public preview release.
