0.6.1 (2003-07-14) r22004:

  * Make Form.add_widget() return the widget.

  * Allow the "Expires" header to be suppressed by setting the 'cache'
    attribute of HTTPResponse to None.

  * Use title case for header names added by HTTPResponse.set_headers().
    Clients are not supposed to care about case but it's better to be
    conservative.

  * Catch IOError exceptions raised when writing the response and log a
    message (rather than exiting with a traceback).

  * Fix bug regarding _q_exception_handler.  namespace_stack needs to be
    updated while the traversal is occuring.  Thanks to Jason Sibre for
    spotting it and for the fix.

  * Add If-Modified-Since support for StaticFile objects.  Also, don't
    set the Expires header by default.  Instead, set the Last-Modified
    header based on the modification time of the file.  The Expires
    header can be enabled by providing a value for the 'cache_time'
    argument.


0.6 final (2003-04-30) r21480:

  * Add a 'pass' to setup.py to make it easier to comment out the C
    extension.

  * Simplify 'From:' header in traceback e-mails.

        
0.6b6 (2003-04-15):

  * Rename _q_getname() to _q_lookup().  The name '_q_getname' is still
    supported, but will log a warning whenever it's encountered.
    This change will require users to modify their applications.

  * quixote.form.form has been translated from PTL to Python, meaning 
    that you can now use the form framework without enabling PTL.
    (Original suggestion by Jim Dukarm, who also provided a patch 
    that underwent considerable tweaking.)

  * Fix generation of temporary filenames in upload.py: filename
    collisions should be impossible now.

  * In medusa_http.py, convert HTTP headers into title case before
    passing them to Medusa, fixing duplicate Content-length headers.  
    (Fix by Graham Fawcett.)

  * Added quixote.server.twisted_http, which serves a Quixote application
    using the Twisted event-driven framework (www.twistedmatrix.com).
    Contributed by Graham Fawcett.  We don't use this code ourselves,
    but patches and bug fixes from Twisted users will be gratefully
    accepted.


0.6b5 (2003-03-13):

  * Fix incorrect parameter name for _traverse_url()


0.6b4 (2003-03-13):

  * The C version of the htmltext type is now compiled by default;
    you can edit setup.py manually to disable it.

  * StaticDirectory's list_folder argument renamed to list_directory.

  * StaticFile now supports the HTTP encoding for files.  
    (Absence of this feature noted by Jim Dukarm.)

  * If Quixote looks for _q_index() in a namespace and doesn't find
    it, it raises AccessError (resulting in an HTTP 403 Forbidden error)
    rather than failing with an ImportError.  A minor side effect of
    this change: Quixote will never attempt to import a module named
    '_q_index', nor will it pass '_q_index' to any _q_resolve() function.
    We don't expect this to be a backward compatibility problem .

  * Factored out the traverse_url() and get_component() method 
    from the Publisher class.  

  * Documented _q_exception_handler().


0.6b3 (2003-03-07):

  * Fixed errors in demo_scgi.py. (David M. Cooke)

  * Avoid using True/False and enable nested scopes in _py_htmltext.py 
    for Python 2.1 compatibility. (Noted by Jeff Bauer)

    Note that this means HTML templates will not work with Python 2.0
    unless you compile the C extension.

  * Added StaticFile and StaticDirectory classes to quixote.util.
    Consult doc/static-files.txt for examples.  (Contributed and
    documented by Hamish Lawson.)


0.6b2 (2003-01-27):

  * Added a new hook, _q_resolve(), that can be used to delay 
    importing modules until they're actually accessed.  Consult
    doc/programming.txt for an explanation.  (Original
    suggestion and patch by Jon Corbet.  In the process of adding it,
    Publisher.get_component() was rearranged to clarify the logic.)

  * Fixed the Medusa HTTP server to work with HTML templates (David M. Cooke)
    and to call finish_failed_request (pointed out by Graham Fawcett).

  * Added HTTP_USER_AGENT and ACCEPT_ENCODING to Medusa HTTP server. 
    (Graham Fawcett)

  * Fixed _c_htmltext.c to compile on Windows.  (Graham Fawcett)

  * Fixed two bugs in _c_htmltext.c found by code review,
    and one bug in _py_htmltext.py found by Nicola Larosa.  
    (Neil Schemenauer)

  * Added a page to the demo that dumps the contents of the HTTPRequest.

  * Made upload.py write out HTTP upload data in binary mode, so
    binary content-types work correctly on Windows.  (Graham Fawcett)

  * Added classifiers for use with Python 2.3's "register" command.


0.6b1 (2003-01-09):

  * Merged form/form.py and form/form_templates.ptl into
    form/form.ptl. (This means that you should completely remove (or
    rename) your old Quixote installation directory *before* installing
    0.6, or the old form/form.py will shadow the new form.ptl.)

  * A new and preferred syntax for declaring PTL templates has been added.
    Instead of 'template func(): ...', the new form is 'def func [plain] ()'.

    This uses a notation that's been suggested for adding type
    information to Python functions.  The Emacs Python mode already handles 
    this properly, and it may be more compatible with future versions of 
    Python.

    The 'template' keyword is still supported, but we encourage you 
    to switch to the new syntax when you get a chance.

  * Quixote now supports a new kind of template that automatically performs
    HTML escaping.  Here's an example.  (Notice that the '[plain]'
    annotation is changed to '[html]' to enable this feature.)

        def header [html] (title):
            "<title>%s</title>" % title

    If the 'title' argument is something like "R&D", it will    
    automatically be converted to "R&amp;D" following the rules 
    for escaping HTML special characters.  The aim is to avoid cross-site 
    scripting attacks by removing the need for the programmer to remember
    to HTML-escape unsafe text, instead relying on Quixote to 
    escape text where necessary.

    See doc/PTL.txt for more information about how this works.

    This escaping is implemented using a 'htmltext' class implemented in 
    Python, and is currently in production use on our web site.

  * An experimental C implementation of the 'htmltext' type is also
    included; it hasn't been put into production use yet.  Edit 
    setup.py and uncomment the appropriate line if you want to try the
    C implementation.
    
  * The form framework now uses automatic HTML escaping.  This
    means that applications using the form framework will have 
    to either be changed to use automatic HTML escaping themselves, 
    or to use str() to convert 'htmltext' instances back to Python
    strings.
    
    See doc/upgrading.txt for more information.

  * Make Quixote a bit more friendly to multi-threaded applications
    by allowing multiple simultaneous requests (patch by Titus Brown).

  * Make util.xmlrpc() return an HTTP 405 Method Not Allowed error
    if the method isn't a POST.

  * Added demo/run_cgi.py, a script that makes it easy to write one
    file CGI applications that use Quixote.  See the comments at the 
    top of the demo/run_cgi.py file for instructions.


0.5.1 (2002-10-08):

  * (incompatible change for anyone doing HTTP upload with Quixote)
    Improved support for HTTP upload requests: any HTTP request with
    a Content-Type of "multipart/form-data" -- which is generally only
    used for uploads -- is now represented by HTTPUploadRequest, a
    subclass of HTTPRequest, and the uploaded files themselves are
    represented by Upload objects.  See doc/upload.txt for details.

  * (possible incompatible changes for anyone subclassing Publisher,
    or using it for custom purposes)
    Various rearrangements and refactoring in the Publisher class.
    Added create_request() method, which takes responsibility for
    creating the HTTPRequest (or HTTPUploadRequest) object away
    from parse_request().  As a consequence, the signature of
    parse_request() has changed.  Added process_request() method.
    Changed publish() so it catches exceptions coming from either
    parse_request() or process_request().  Consult the source code
    (publish.py) for details.

  * A new subpackage, quixote.server, is intended for code that
    publishes a Quixote application through HTTP, making it possible
    to run Quixote applications without having to configure Apache or
    some other full-blown Web server.  Right now there's only an
    implementation on top of Medusa; contributions of support for
    Python's BaseHTTPServer, Twisted, or other frameworks would be
    welcome.

  * Modified SessionManager.maintain_session() so it explicitly removes
    a session if that session used to have useful info (ie. exists in
    the session manager), but no longer does (patch by Jon Corbet).

  * Make the PTL compiler a bit smarter about recognizing "template"
    lines; PTL code should now be able to use 'template' as an
    identifier, which is handy when converting existing Python code
    to PTL.

  * Replaced HTTPRequest.redirect() with a cleaner, more general
    version supplied by Andreas Kostyrka <andreas@kostyrka.priv.at>.
    Redirects to fully relative URLs (no leading slash) now work.

  * Added support for putting bits of JavaScript into HTML form
    documents: added HTTPResponse.add_javascript() to collect snippts
    of JavaScript code, and Form._render_javascript() to emit them
    as part of the HTML document.

  * Added global convenience functions get_path() and redirect().

  * Change Publisher so it never modifies SCRIPT_NAME or PATH_INFO.

  * Fixed bug in quixote.sendmail._add_recip_headers(): it crashed
    if passed an empty list.

  * Factor out get_action_url() method in Form class.

  * Add the HTML version of the documentation to the source release.


0.5 (2002-06-10):

  * To fix installation problems on Win98 and Mac OS (pre OS X), 
    setup.py now uses os.curdir instead of ''.

  * Overhauled handling of PublishError exceptions: Quixote now 
    looks for the nearest _q_exception_handler() function in your
    application's namespace; the format_*error() methods of Publisher
    are gone.

  * Documented and overhauled the session management API.  If you
    were previously using session management, you will almost certainly
    need to change your code; see doc/session-mgmt.txt and
    doc/session-upgrade.txt.  If you've been wanting to use session
    management in your application but were put off by the lack of
    documentation, see doc/session-mgmt.txt.

    Specific changes:
      * removed the global singleton SessionManager object in session.py
        and several related functions
      * removed everything having to do with "application state", an
        unnecessary abstraction caused by premature over-generalization
      * removed the 'actual_user' attribute from Session -- it is
        specific to the MEMS Exchange and just confuses matters
        in Quixote
      * made most instance attributes of Session private
      * defined a sensible persistence API that should work with
        a wide variety of session persistence schemes
      * COOKIE_* config variables renamed to SESSION_COOKIE_*

  * Fix HTTPResponse so that the cookie domain and path can be None,
    and they will simply not be set in the cookie sent to the client --
    that way the browser will simply do the right thing.  Set
    COOKIE_DOMAIN and COOKIE_PATH in config.py to None, since that's
    usually fine.  (You may need to set COOKIE_PATH to "/".)

  * Subtle but far-reaching change to the publishing algorithm: objects
    found by the publisher to handle the terminal component of a URL can
    now be strings as well as callables; a string simply substitutes for
    a callable's return value.  The immediate reason for this was to
    allow _q_lookup() functions to return a string, but a consequence
    is that you can now put static text in global variables and simply
    publish them.

  * Add CHECK_SESSION_ADDR config variable to control whether we
    check that requests in a session all come from the same IP address,
    as a defence against playback attacks.  (Thanks to Jonathan Corbet.)

  * In error reports, print the traceback first, ahead of form variables,
    cookies, and the environment.

  * Include the HTTP_USER_AGENT variable in access log lines.

  * Add 'sort' option to SelectWidget class, to force the list of
    allowed values to be sorted in case-insensitive lexicographic order,
    with None first.


0.4.7 (2002-04-18):

  * Move ACCESS_TIME_RESOLUTION to SessionManager class.  This was another
    embarrassing bug introduced in 0.4.5.

  * In http_request.py, make the test that prevents stdin from being consumed
    less restrictive (e.g.  for PUT methods).

  * Add some simple test code.


0.4.6 (2002-04-12):

  * a last-minute patch to http_request.py just before release 0.4.5 broke
    extracting form data from GET requests -- fixed that


0.4.5 (2002-04-11):

  * The meaning of the DISPLAY_EXCEPTIONS configuration variable has
    changed.  It's no longer a Boolean, and instead can take three
    different values:
      None (or any false value) [default]
        an "Internal Server Error" page that exposes no information
        about the traceback
      'plain'
        a plain text page showing the traceback and the request variables
      'html'
        a more elaborate HTML display showing the local variables and a
        few lines of context for each level of the traceback.  (This
        setting requires the cgitb module that comes with Python 2.2.)

    (Idea and first version of the patch by David Ascher)

  * Fixed SessionManager.expire_session() method so it actually works
    (spotted by Robin Wohler).

  * Fixed docs so they don't refer to the obsolete URL_PREFIX
    configuration variable (spotted by Robin Wohler).

  * Various other documentation tweaks and improvements.

  * Fixed sample Apache rewrite rules in demo.txt and web-server.txt
    (spotted by Joel Shprentz).

  * Generate new form tokens when rendering a form rather then when
    intializing it.  This prevents an extra token from being created when
    processing a valid form (suggested by Robin Wohler).

  * Ensure filenames are included in SyntaxError tracebacks from PTL modules.

  * Changed format of session cookies: they're now just random 64-bit
    numbers in hex.

  * Use HTTP 1.1 cache control headers ("Date" and "Expires") instead
    of the older "Pragma: no-cache".

  * In the form/widget library: make some effort to generate HTML that
    is XHTML-compliant.

  * New method: HTTPRequest.get_accepted_types() returns the
    MIME content types a client will accept as a dictionary mapping
    MIME type to the quality factor.  (Example: {'text/html':1.0,
    'text/plain':0.5, ...})

  * Changed escape hatch for XML-RPC handlers; standard input will
    only be consumed when the HTTP method is POST and the Content-Type 
    is either application/x-www-form-urlencoded or multipart/form-data.

  * Added quixote.util module to contain various miscellaneous utility
    functions.  Right now, it contains a single function for 
    processing requests as XML-RPC invocations.


0.4.4 (2002-01-29):

  * Simplify munging of SCRIPT_NAME variable, fixing a bug.
    Depending on how Quixote was called, the path could have been
    appended to SCRIPT_NAME without a separating slash.  (Found by
    Quinn Dunkan.)

  * On Windows, set mode of sys.stdout to binary.  This is important
    because responses may contain binary data.  Also, EOL translation
    can throw off content length calculations.  (Found by David Ascher)

  * Added a demonstration of the form framework. (Neil)

  * Added an escape hatch for XML-RPC handlers;
    http_request.process_inputs() will no longer consume all of standard
    input when the Content-Type is text/xml.

  * Removed a debug print from form.widget.


0.4.3 (2001-12-17):

  * Removed the URL_PREFIX configuration variable; it's not actually
    needed anywhere, and caused some user confusion.

  * Added FORM_TOKENS configuration variable to enable/disable
    unique form identifiers.  (These are useful as a measure against
    cross-site request forgery [CSRF] attacks, but disabled by default
    because some form of persistent session management is required,
    which is not currently included with Quixote.)

  * Added demonstration and documentation for the widget classes
    (the first part of the Quixote Form Library).

  * Added HTTPResponse.set_content_type() method.

  * Fixed some minor bugs in the widget library.

  * Fixed to work with Python 2.2.

  * Greatly reduced the set of symbols imported by
    "from quixote import *" -- it's useful for interactive sessions.


0.4.2 (2001-11-14):

  * Made the quixote.sendmail module a bit more flexible and robust.

  * Fix so it doesn't blow up under Windows if debug logging is disabled
    (ie. write to NUL, not /dev/null).

  * Clarified some documenation inconsistencies, and added description
    of logging to doc/programming.txt.

  * Fixed some places that we forgot to update when the PTL-related
    modules were renamed.

  * Fixed ptl_compile.py so PTL tracebacks include the full path of
    source file(s).

  * Fixed bug where a missing _q_index() triggered a confusing
    ImportError; now it triggers a TraversalError, as expected.

  * Various fixes and improvements to the Config class.

  * Miscellaneous fixes to session.py.

  * Miscellaneous fixes to widget classes.

  * Reorganized internal PTL methods of the Form class.

  * Removed the "test" directory from the distribution, since it's not
    used for anything -- ie., there's no formal test suite yet ;-(


0.4.1 (2001-10-10):

  * Made access logging a little more portable (don't depend on Apache's
    REQUEST_URI environment variable).

  * Work around the broken value of PATH_INFO returned by IIS.

  * Work around IIS weird handling of SERVER_SECURE_PORT (for non-SSL
    requests, it is set to "0").

  * Reassign sys.stderr so all application output to stderr goes to the
    Quixote error log.


0.4 (2001-10-04):

  * TraversalError now takes a public and a private message, instead of
    just a single message string.  The private message is shown if
    SECURE_ERRORS is false; otherwise, the public message is shown.  See
    the class docstring for TraversalError for more details.

  * Add the Quixote Form Library, a basic form and widget framework
    for HTML.

  * Allow classes and functions inside PTL modules.

  * Return a string object from templates rather than a TemplateIO
    instance.

  * Improve the security of session cookies.

  * Don't save empty sessions.

  * Detect expired sessions.

  * Add the quixote.sendmail module, useful for applications that need
    to send outgoing mail (as many web apps do).

  * Code reorganization -- various modules moved or renamed:
      quixote.util.fcgi        -> quixote.fcgi
      quixote.compile_template -> quixote.ptl_compile
      quixote.imphooks         -> quixote.ptl_import
      quixote.dumpptlc         -> quixote.ptcl_dump

  * More code reorganization: the quixote.zope package is gone, as are
    the BaseRequest and BaseResponse modules.  Only HTTPRequest and
    HTTPResponse survive, in the quixote.http_request and
    quixote.http_response modules.  All remaining Zope-isms have been
    removed, so the code now looks much like the rest of Quixote.  Many
    internal interfaces changed.

  * Added the quixote.mod_python module, contributed by Erno Kuusela
    <erno@iki.fi>.  Allows Quixote applications to be driven by the
    Apache module mod_python, so no CGI or or FastCGI driver script is
    required.


0.3 (2001-06-11):

  * Now supports Python 2.1.

  * Names of the form __*__ are reserved for Python, and 2.1 is
    beginning to enforce this rule.  Accordingly the Quixote special
    methods have been renamed:
        __access__     -> _q_access
        __exports__    -> _q_exports
        __getname__    -> _q_getname
        index          -> _q_index

  * Massive changes to quixote.publisher and quixote.config, to make the
    publishing loop more flexible and more easily changed by
    applications.  For example, it's now possible to catch the ZODB's
    ConflictErrors and retry an operation.

  * Added an ACCESS_LOG configuration setting, which allows setting up a
    file logging every call made to Quixote.

  * The error log now contains the time of each error, and a dump of the
    user's session object.

  * Added handy functions for getting request, session, user, etc.:
    quixote.get_publisher(), quixote.get_request(),
    quixote.get_session(), quixote.get_user().

  * quixote.publish can now gzip-compress its output if the browser
    claims to support it.  Only the 'gzip' and 'x-gzip' content
    encodings are supported; 'deflate' isn't because we couldn't get it
    to work reliably.  Compression can be enabled by setting the
    'compress_pages' config option to true.

  * Some fixes and minor optimizations to the FCGI code.

  * Added HTTPRequest.get_encoding() method to find the encodings a
    client accepts.


0.2 (2001-01-16):

  * Only pass HTTPRequest object to published functions.  The
    HTTPResponse object is available as an attribute of the request.

  * Removed more unused Zope code from HTTPRequest.  Add redirect()
    method to HTTPRequest.

  * Simplify HTTPResponse.  __init__() no longer requires the server
    name.  redirect() requires a full URL.

  * Fix a bug in the PTL compiler.  PTL modules can now have doc
    strings.

  * Added a config parser.  Individual Quixote applications can now have
    their own configuration settings (overriding the Quixote defaults).
    See the config.py module for details.

  * Re-wrote the exception handling code for exceptions raised inside of
    published functions.

  * Non-empty PATH_INFO is no longer supported.  __getname__ or query
    strings are a cleaner solution.

  * Add FIX_TRAILING_SLASH option and make code changes to carefully
    preserve trailing slashes (ie. an empty component on the end of
    paths).

  * Session management has been over-hauled.  DummySessionManager can be
    used for applications that don't require sessions.

  * Set Content-length header correctly in HTTPResponse object

  * Added a demo application.

0.1:

  * Officially given a license (the Python 1.6 license, so it's free
    software).

  * Added SECURE_ERRORS variable to prevent exception tracebacks from
    being returned to the Web browser

  * Added a __getname__() function to traversal, which is called if the
    current name isn't in the current namespace's export list. This
    allows interpolation of arbitrary user object IDs into the URL,
    which is why it has to circumvent the __exports__ check: the object
    IDs won't be known until runtime, so it would be silly to add them
    to __exports__.  Very useful and powerful feature, but it has
    security implications, so be careful!

  * compile_template.py should now work for both Python 1.5.2 or 2.0.
    
  * Better reporting of syntax errors in PTL
    
  * Always assume regular CGI on Windows

0.02 (2000-08-12):

  * Neil Schemenauer has completely rewritten the PTL compiler and
    changed the syntax to match Python's.  The compiler now relies on
    Jeremy Hylton's compiler code from the Python 2.0 CVS tree.

  * Added functions to quixote.sessions: get_session(), has_session(),
    get_app_state()

  * Simplified reload-checking logic 

  * Added .browser_version() method to HTTPRequest

  * Various bugfixes

  * session classes slightly tweaked, so you can subclass them

  * Added .session attribute to request object

  * Added quixote.errors module to hold exceptions

0.01:

  * Initial release.
