Version 0.14.2
--------------
Released 2017-01-10
- Fix bug where ``FlaskForm`` assumed ``meta`` argument was not ``None`` if it
was passed. (`#278`_)
.. _#278: https://github.com/lepture/flask-wtf/issues/278
Version 0.14.1
--------------
Released 2017-01-10
- Fix bug where the file validators would incorrectly identify an empty file as
valid data. (`#276`_, `#277`_)
- ``FileField`` is no longer deprecated. The data is checked during
processing and only set if it's a valid file.
- ``has_file`` *is* deprecated; it's now equivalent to ``bool(field.data)``.
- ``FileRequired`` and ``FileAllowed`` work with both the Flask-WTF and
WTForms ``FileField`` classes.
- The ``Optional`` validator now works with ``FileField``.
.. _#276: https://github.com/lepture/flask-wtf/issues/276
.. _#277: https://github.com/lepture/flask-wtf/pull/277
Version 0.14
------------
Released 2017-01-06
- Use itsdangerous to sign CSRF tokens and check expiration instead of doing it
ourselves. (`#264`_)
- All tokens are URL safe, removing the ``url_safe`` parameter from
``generate_csrf``. (`#206`_)
- All tokens store a timestamp, which is checked in ``validate_csrf``. The
``time_limit`` parameter of ``generate_csrf`` is removed.
- Remove the ``app`` attribute from ``CsrfProtect``, use ``current_app``.
(`#264`_)
- ``CsrfProtect`` protects the ``DELETE`` method by default. (`#264`_)
- The same CSRF token is generated for the lifetime of a request. It is exposed
as ``g.csrf_token`` for use during testing. (`#227`_, `#264`_)
- ``CsrfProtect.error_handler`` is deprecated. (`#264`_)
- Handlers that return a response work in addition to those that raise an
error. The behavior was not clear in previous docs.
- (`#200`_, `#209`_, `#243`_, `#252`_)
- Use ``Form.Meta`` instead of deprecated ``SecureForm`` for CSRF (and
everything else). (`#216`_, `#271`_)
- ``csrf_enabled`` parameter is still recognized but deprecated. All other
attributes and methods from ``SecureForm`` are removed. (`#271`_)
- Provide ``WTF_CSRF_FIELD_NAME`` to configure the name of the CSRF token.
(`#271`_)
- ``validate_csrf`` raises ``wtforms.ValidationError`` with specific messages
instead of returning ``True`` or ``False``. This breaks anything that was
calling the method directly. (`#239`_, `#271`_)
- CSRF errors are logged as well as raised. (`#239`_)
- ``CsrfProtect`` is renamed to ``CSRFProtect``. A deprecation warning is issued
when using the old name. ``CsrfError`` is renamed to ``CSRFError`` without
deprecation. (`#271`_)
- ``FileField`` is deprecated because it no longer provides functionality over
the provided validators. Use ``wtforms.FileField`` directly. (`#272`_)
.. _`#200`: https://github.com/lepture/flask-wtf/issues/200
.. _`#209`: https://github.com/lepture/flask-wtf/pull/209
.. _`#216`: https://github.com/lepture/flask-wtf/issues/216
.. _`#227`: https://github.com/lepture/flask-wtf/issues/227
.. _`#239`: https://github.com/lepture/flask-wtf/issues/239
.. _`#243`: https://github.com/lepture/flask-wtf/pull/243
.. _`#252`: https://github.com/lepture/flask-wtf/pull/252
.. _`#264`: https://github.com/lepture/flask-wtf/pull/264
.. _`#271`: https://github.com/lepture/flask-wtf/pull/271
.. _`#272`: https://github.com/lepture/flask-wtf/pull/272
Version 0.13.1
--------------
Released 2016/10/6
- Deprecation warning for ``Form`` is shown during ``__init__`` instead of immediately when subclassing. (`#262`_)
- Don't use ``pkg_resources`` to get version, for compatibility with GAE. (`#261`_)
.. _`#261`: https://github.com/lepture/flask-wtf/issues/261
.. _`#262`: https://github.com/lepture/flask-wtf/issues/262
Version 0.13
------------
Released 2016/09/29
- ``Form`` is renamed to ``FlaskForm`` in order to avoid name collision with WTForms's base class. Using ``Form`` will show a deprecation warning. (`#250`_)
- ``hidden_tag`` no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (`#217`_, `#193`_)
- ``flask_wtf.html5`` is deprecated. Import directly from ``wtforms.fields.html5``. (`#251`_)
- ``is_submitted`` is true for ``PATCH`` and ``DELETE`` in addition to ``POST`` and ``PUT``. (`#187`_)
- ``generate_csrf`` takes a ``token_key`` parameter to specify the key stored in the session. (`#206`_)
- ``generate_csrf`` takes a ``url_safe`` parameter to allow the token to be used in URLs. (`#206`_)
- ``form.data`` can be accessed multiple times without raising an exception. (`#248`_)
- File extension with multiple parts (``.tar.gz``) can be used in the ``FileAllowed`` validator. (`#201`_)
.. _`#187`: https://github.com/lepture/flask-wtf/pull/187
.. _`#193`: https://github.com/lepture/flask-wtf/issues/193
.. _`#201`: https://github.com/lepture/flask-wtf/issues/201
.. _`#206`: https://github.com/lepture/flask-wtf/pull/206
.. _`#217`: https://github.com/lepture/flask-wtf/issues/217
.. _`#248`: https://github.com/lepture/flask-wtf/pull/248
.. _`#250`: https://github.com/lepture/flask-wtf/pull/250
.. _`#251`: https://github.com/lepture/flask-wtf/pull/251
Version 0.12
------------
Released 2015/07/09
- Abstract protect_csrf() into a separate method
- Update reCAPTCHA configuration
- Fix reCAPTCHA error handle
Version 0.9.5
-------------
Released 2014/03/21
- ``csrf_token`` for all template types `#112`_.
- Make FileRequired a subclass of InputRequired `#108`_.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
Version 0.9.4
-------------
Released 2013/12/20
- Bugfix for csrf module when form has a prefix
- Compatible support for wtforms2
- Remove file API for FileField
(No changelog for 0.9.3 supplied, but includes maintainer change.)
Version 0.9.2
-------------
Released 2013/9/11
- Upgrade wtforms to 1.0.5.
- No lazy string for i18n `#77`_.
- No DateInput widget in html5 `#81`_.
- PUT and PATCH for CSRF `#86`_.
.. _`#77`: https://github.com/lepture/flask-wtf/issues/77
.. _`#81`: https://github.com/lepture/flask-wtf/issues/81
.. _`#86`: https://github.com/lepture/flask-wtf/issues/86
Version 0.9.1
-------------
Released 2013/8/21
This is a patch version for backward compitable for Flask<0.10 `#82`_.
.. _`#82`: https://github.com/lepture/flask-wtf/issues/82
Version 0.9.0
-------------
Released 2013/8/15
- Add i18n support (issue #65)
- Use default html5 widgets and fields provided by wtforms
- Python 3.3+ support
- Redesign form, replace SessionSecureForm
- CSRF protection solution
- Drop wtforms imports
- Fix recaptcha i18n support
- Fix recaptcha validator for python 3
- More test cases, it's 90%+ coverage now
- Redesign documentation
Version 0.8.4
-------------
Released 2013/3/28
- Recaptcha Validator now returns provided message (issue #66)
- Minor doc fixes
- Fixed issue with tests barking because of nose/multiprocessing issue.
