=====

Kotti

|pypi| |license|

|buildstatus_stable_postgresql| |buildstatus_stable_mysql| |buildstatus_stable_sqlite|

.. |pypi| image:: https://img.shields.io/pypi/v/Kotti.svg?style=flat-square .. _pypi: https://pypi.python.org/pypi/Kotti/

.. |license| image:: https://img.shields.io/pypi/l/Kotti.svg?style=flat-square .. _license: http://www.repoze.org/LICENSE.txt

.. |build_status_stable_postgresql| image:: https://github.com/Kotti/Kotti/workflows/PostgreSQL/badge.svg?branch=stable .. _build_status_stable_postgresql: https://github.com/Kotti/Kotti/actions?query=workflow%3APostgreSQL+branch%3Astable

.. |build_status_stable_mysql| image:: https://github.com/Kotti/Kotti/workflows/MySQL/badge.svg?branch=stable .. _build_status_stable_mysql: https://github.com/Kotti/Kotti/actions?query=workflow%3AMySQL+branch%3Astable

.. |build_status_stable_sqlite| image:: https://github.com/Kotti/Kotti/workflows/SQLite/badge.svg?branch=stable .. _build_status_stable_sqlite: https://github.com/Kotti/Kotti/actions?query=workflow%3ASQLite+branch%3Astable

Kotti is a high-level, Pythonic web application framework based on Pyramid and SQLAlchemy. It includes an extensible Content Management System called the Kotti CMS (see below).

Kotti is most useful when you are developing applications that

• have complex security requirements,
• use workflows, and/or
• work with hierarchical data.

Built on top of a number of best-of-breed software components, most notably Pyramid and SQLAlchemy, Kotti introduces only a few concepts of its own, thus hopefully keeping the learning curve flat for the developer.

.. _Pyramid: http://docs.pylonsproject.org/projects/pyramid/dev/ .. _SQLAlchemy: http://www.sqlalchemy.org/

Kotti CMS

.. You can try out the Kotti CMS on Kotti's demo page_.

Kotti CMS is a content management system that's heavily inspired by Plone_. Its main features are:

• User-friendliness: editors can edit content where it appears; thus the edit interface is contextual and intuitive

• WYSIWYG editor: includes a rich text editor

• Responsive design: Kotti builds on Bootstrap_, which looks good both on desktop and mobile

• Templating: you can extend the CMS with your own look & feel with almost no programming required

• Add-ons: install a variety of add-ons and customize them as well as many aspects of the built-in CMS by use of an INI configuration file

• Security: the advanced user and permissions management is intuitive and scales to fit the requirements of large organizations

• Internationalized: the user interface is fully translatable, Unicode is used everywhere to store data

.. _Kotti's demo page: http://kottidemo.danielnouri.org/ .. _Plone: http://plone.org/ .. _Bootstrap: http://getbootstrap.com/

License

Kotti is offered under the BSD-derived Repoze Public License <http://repoze.org/license.html>_.

Install

See installation instructions_.

.. _installation instructions: https://kotti.readthedocs.io/en/latest/first_steps/installation.html

Support and Documentation

Read Kotti's extensive documentation <https://kotti.readthedocs.io/> on Read the Docs <https://readthedocs.org/>.

If you have questions or need help, you can post on our mailing list / forum <http://groups.google.com/group/kotti> or join us on IRC: #kotti on irc.freenode.net <irc://irc.freenode.net/#kotti>.

If you think you found a bug, open an issue on our Github bugtracker <https://github.com/Kotti/Kotti/issues>_.

Development

|buildstatus_master_postgresql| |buildstatus_master_mysql| |buildstatus_master_sqlite|

|coveralls| |codacy| |codeclimate| |scrutinizer| |requires.io|_

|ghforks| |ghstars|

Kotti is actively developed and maintained. We adhere to high quality coding standards, have an extensive test suite with high coverage and use continuous integration_.

Contributions are always welcome, read our contribution guidelines and visit our Github repository.

.. _continuous integration: http://travis-ci.org/Kotti/Kotti

.. |build_status_master_postgresql| image:: https://github.com/Kotti/Kotti/workflows/PostgreSQL/badge.svg?branch=master .. _build_status_master_postgresql: https://github.com/Kotti/Kotti/actions?query=workflow%3APostgreSQL+branch%3Amaster

.. |build_status_master_mysql| image:: https://github.com/Kotti/Kotti/workflows/MySQL/badge.svg?branch=master .. _build_status_master_mysql: https://github.com/Kotti/Kotti/actions?query=workflow%3AMySQL+branch%3Amaster

.. |build_status_master_sqlite| image:: https://github.com/Kotti/Kotti/workflows/SQLite/badge.svg?branch=master .. _build_status_master_sqlite: https://github.com/Kotti/Kotti/actions?query=workflow%3ASQLite+branch%3Amaster

.. |requires.io| image:: https://img.shields.io/requires/github/Kotti/Kotti.svg?style=flat-square .. _requires.io: https://requires.io/github/Kotti/Kotti/requirements/?branch=master

.. |gh_forks| image:: https://img.shields.io/github/forks/Kotti/Kotti.svg?style=flat-square .. _gh_forks: https://github.com/Kotti/Kotti/network

.. |gh_stars| image:: https://img.shields.io/github/stars/Kotti/Kotti.svg?style=flat-square .. _gh_stars: https://github.com/Kotti/Kotti/stargazers

.. |coveralls| image:: https://img.shields.io/coveralls/Kotti/Kotti.svg?style=flat-square .. _coveralls: https://coveralls.io/r/Kotti/Kotti .. _high coverage: https://coveralls.io/r/Kotti/Kotti

.. |codacy| image:: https://api.codacy.com/project/badge/Grade/fb10cbc3497148d2945d61ce6ad2e4f5 .. _codacy: https://www.codacy.com/app/disko/Kotti?utm_source=github.com&utm_medium=referral&utm_content=Kotti/Kotti&utm_campaign=Badge_Grade .. _high quality coding standards: https://www.codacy.com/app/disko/Kotti?utm_source=github.com&utm_medium=referral&utm_content=Kotti/Kotti&utm_campaign=Badge_Grade

.. |codeclimate| image:: https://api.codeclimate.com/v1/badges/3a4a61548fcc195e4ba1/maintainability .. _codeclimate: https://codeclimate.com/github/Kotti/Kotti/maintainability

.. |scrutinizer| image:: https://scrutinizer-ci.com/g/Kotti/Kotti/badges/quality-score.png?b=master .. _scrutinizer: https://scrutinizer-ci.com/g/Kotti/Kotti/

.. _contribution guidelines: https://kotti.readthedocs.io/en/latest/contributing.html .. _Github repository: https://github.com/Kotti/Kotti

Authors

Kotti was created by Daniel Nouri and is currently maintained by Andreas Kaiser.

Major contributing authors include:

• Andreas Kaiser
• Andreas Zeidler
• Christian Neumann
• Daniel Nouri
• Jure Cerjak
• Marco Scheidhuber
• Nuno Teixeira
• Tom Lazar

For a complete list of contributors, see https://github.com/Kotti/Kotti/graphs/contributors

Change History

2.0.9 - 2022-05-05

• Replace py-bcrypt (unmaintained, last release in 2013) with bcrypt.
• Pin bleach to <5 (incompatible API changes).

2.0.8 - 2022-05-05

• Brownbag release (hidden).

2.0.7 - 2021-09-02

• Add compatibility for (and require) SQLAlchemy 1.4.
• Fix url_normalizer tests (not picked up before).
• Optimize traversal for applications with large Node subclass hierarchies.
• Add proper caching for get_root.

2.0.6 - 2021-05-12

• Fix performance issue: Content._tags is configured with lazy="select" now. This doesn't cause any change in API usage, however it speeds up selects on Node and descendants by 1-2 orders of magnitude in some cases at the price of a slight performance degradation in scenarios with few tables and heavy tag usage.
• Update dependencies to their most recent compatible versions.

2.0.5 - 2021-03-16

• Fix sanitizer error when values are None (ie nothing to sanitize at all).
• Pin Pyramid to < 2 (for now).
• Pin SQLAlchemy to < 1.4 to prevent no longer working private import in sqlalchemy-utils.

2.0.4 - 2020-11-20

• Replace deprecated bleach_whitelist with its successor bleach-allowlist.
• Upgrade iso8601.

2.0.3 - 2020-11-18

• Upgrade to pytest>=6.
• Replace pytest-pep8 with pytest-flake8; fix or silence flake8 warnings/errors in existing code (mostly tests and migrations).

2.0.2 - 2020-06-22

• Upgrade requirements.txt. [fixes #576]

• Remove CircleCI

• Fix broken tags widget (#562).

• Run pyupgrade --py36-plus on all Python files to use some more modern language features where appropriate (for example f-strings).

• Declare Python 3.7 and 3.8 compatibility.

• Remove Python 3.5 compatibility.

• Remove rfc6266-parser dependency.

2.0.1 - 2019-01-09

• Reformat source code with black.

• Remove testing import from package code.

2.0.0 - 2019-01-07

• Update documentation (kotti-cookiecutter is the new scaffolding template). See https://github.com/Kotti/kotti-cookiecutter

• Require pytest >= 4.1.0, use request.node.get_closest_marker instead of deprecated request.keywords.

2.0.0b2 - 2018-04-04

• Fix CSRF issue in @@share view (#551).

2.0.0b1 - 2018-03-19

• Remove links to the demo site, which has been down for too long.

2.0.0a1 - 2018-02-22

This is a alpha release. Blindly upgrading your production environments will make the universe collapse!

Backward Incompatibilities

- **Python 3 compatibility**

  Kotti now runs on Python >= 3.5.

  Python 2.x support was dropped entirely and won't come back until somebody implements it or is willing to pay for it.

- Everything marked as deprecated in Kotti 1.x was removed.

- Scaffolding support via ``pcreate`` was dropped as it's deprecated by Pyramid now.
  An alternate solution (cookiecutter template) might become available again in the future.

New Features
~~~~~~~~~~~~

- **Python 3 compatibility**

- Extensive testing and code analysis on Circle CI, Travis CI and Scrutinizer.

Fixes
~~~~~

- Avoid deprecation warning ``pyramid.security.has_permission``

1.3.2 - 2018-04-04
------------------

**This release fixes a CSRF (Cross Site Request Forgery) security vulnerablity which was reported in #551. You should upgrade your installations ASAP.**

1.3.1 - 2018-01-17
------------------

- When rendering slot views, use ``request.blank()`` to create the request.
  This is the proper behaviour, in tune with customizing
  ``kotti.request_factory``. Also added ``blank()`` method to
  ``kotti.testing.DummyRequest``.

- When authenticated, show workflow state in the edit bar. Before it was
  shown only if the 'edit' permission was available.

- Optimize the File edit form: don't load initial file data to session data
  and don't rewrite the file data after saving the form if that data has not
  been changed through the edit form.

- Bugfix: when showing addable content in the menu, check if the factory has
  a defined add_view. This avoids a hard crash with, for example, a content
  type derived from Content that has no add_view defined.

- Added ``nav-bar`` slot to ``edit/master.pt``, ``edit-bar`` and ``nav-bar``
  slots to ``view/master.pt``

- Bugfix: Simplify 404 page, no longer crash when authenticated

- Change: simplify `kotti.util.LinkBase.selected()`: use request.view_name
  instead of deriving the view name from request.url. Also, consider the View
  editor bar entry as selected even when the url doesn't end with a slash '/'

- Feature: add Czech translation.

- remove pytest-warnings from test dependencies (already integrated in
  modern pytest versions)

1.3.0 - 2016-10-10
------------------

Breaking Changes
~~~~~~~~~~~~~~~~

- Upgrade to ``repoze.workflow==1.0b``.  **If your application has a custom
  ``workflow.zcml``, it needs a little modification: ``state`` and
  ``transition`` titles are no longer ``key`` nodes, but attributes on the
  respective ``state`` or ``transition`` nodes.  See Kotti's ``workflow.zcml``
  for an example.**

Features and Fixes
~~~~~~~~~~~~~~~~~~

- Add a fallback in ``contents.pt`` when ``creation_date`` or
  ``modification_date`` is ``None``.

- Transform workflow state title to TranslationStrings without eval and
  deprecate it.

- Replace some Python 2 only code with equivalents that also support Python 3.

- Use generic SQLAlchemy type Text as base type for JsonType. This allows
  SQLAlchemy to map Text type to the most suitable type available on given
  database system. Previously used TEXT type is not available in Oracle
  database. In case of existing installation of Kotti with database system,
  for which SQLAlchemy maps generic Text type to type different than TEXT it's
  necessary to either convert existing columns "nodes._acl" and
  "nodes.annotations" to that type or configure SQLAlchemy to map generic Text
  type to existing type of these two columns. For example of how to do this
  please see http://stackoverflow.com/a/36506666/95735. For all database
  systems for which SQLAlchemy provides dialects except Oracle (Firebird,
  Microsoft SQL Server, MySQL, Postgres, SQLite, Sybase) there's no need to
  do anything.

- We use PEP 440 normalized form for the project's version thus current
  "1.3.0-alpha.5-dev" became "1.3.0a5.dev0".

- Upgrade tests to ``zope.testbrowser>=5.0.0``.  This removes the ``mechanize``
  and ``wsgi_intercept`` dependencies and thus the last blocker for Python 3
  compatibility.

- Move ``pytest`` config from ``setup.cfg`` to new ``pytest.ini``.  This
  prevents a deprecation warning with ``pytest>=3.0``.

- Rename ``kotti.testing.TestingRootFactory`` to
  ``kotti.testing.RootFactory`` to prevent another deprecation warning with
  ``pytest>=3.0``.

1.3.0-alpha.4 - 2015-01-15
--------------------------

**This is a alpha release.  Blindly upgrading your production environments will
make the universe collapse!**


- Add a ``kotti.depot_replace_wsgi_file_wrapper`` option to replace the WSGI
  file wrapper with ``pyramid.response.FileIter`` for problematic environments.

1.3.0-alpha.3 - 2016-01-11
--------------------------

**This is a alpha release.  Blindly upgrading your production environments will
make the universe collapse!**


- Bugfix: don't try to get api.root via the lineage if not in a location aware
  context (for example 404 view).  Return the site root instead.

1.3.0-alpha.2 - 2016-01-05
--------------------------

**This is a alpha release.  Blindly upgrading your production environments will
make the universe collapse!**

- Add a custom traverser, which gets all nodes in a single DB query.  For deeply
  nested trees this results in drastic performance improvements.  See
  https://kotti.readthedocs.io/en/master/api/kotti.traversal.html for details.

- Bugfix: copy and paste of file nodes wouldn't create a new depot file, but
  instead lead to multiple references to a single file which would cause
  undesired results when one of them was deleted later.

- Bugfix: local 'role:owner' was not set when a new node was created by copy
  and paste.

- Bugfix: kotti.events._update_children_paths could fail under unclear
  conditions (at least under Python 2.6 with SQLite).

- Get rid of more browser doctests (converted to webtest).

1.3.0-alpha.1 - 2015-12-22
--------------------------

**This is a alpha release.  Blindly upgrading your production environments will
make the universe collapse!**

- Completely revised ``Depot`` integration.  See
  https://kotti.readthedocs.io/en/latest/developing/advanced/blobs.html
  for details.

- Make ``kotti.resources.SaveDataMixin`` more versatile in that it now supports
  a ``data_filters`` attribute (or even a completely overridden ``data``
  attribute) on subclasses.  For an example for what this is useful, see the
  new ``kotti_image`` package's readme and the Depot documentation
  (https://depot.readthedocs.io/en/latest/database.html#custom-behaviour-in-attachments).

  **These changes require a database migration.**

  A migration script is included, which can be executed by running
  ``kotti-migrate <your.ini> upgrade_all``.  However, this script will fail if
  you subclassed from ``kotti.resources.Image`` in your application.  It also
  doesn't cover custom classes inherited from ``kotti.resources.File`` (other
  than Kotti's ``Image``).  Migration of those can be performed easily, by
  copying the code from the included migration step to your package's migration
  environment and adjust it to your needs.

- Move all image related code to the new ``kotti_image`` add on package.
  All classes and functions are imported into their former place, so that code
  that imports from there will still be working.

- Fix broken upload type selector.

- Create RFC6266 compliant content disposition headers for non-ASCII filenames.

- Add request.uploaded_file_response method.

1.2.4 - 2015-11-26
------------------

- Fix broken packaging of 1.2.3.  Sorry for the inconvenience!

1.2.3 - 2015-11-26
------------------

- Add Kotti logo and icon to static assets.
- Use Kotti logo as favicon.
- Move favicon definition to separate template to make it easily overridable.
- Fix permission check in ``kotti.views.util.nodes_tree``.

1.2.2 - 2015-10-28
------------------

- Add simple, default ``not found view``.
- In ``workflow-dropdown`` replace hard-coded permission check with individual
  permission checks for each existing transition.
- Upgrade requirements.

1.2.1 - 2015-10-07
------------------

- Outfactor the code that runs after successful authentication into a
  configurable ``kotti.login_success_callback`` function.
- Outfactor the code that runs after a valid password reset request into a
  configurable ``kotti.password_reset_callback`` function.
- Support principal search on non string attributes.
- Support principal searches matching *all* arguments
  (i.e. using the ``and`` operator, ``or`` is still the default).
- Support optional --rev with kotti-migrate upgrade.

1.2.0 - 2015-09-27
------------------

- **Greatly** reduce the number of queries that are sent to the DB:
  - Add caching for the root node.
  - Use eager / joined loading for local_groups.
  - Don't query principals for roles
- Add "missing" foreign key indices (with corresponding migration step).
- Add a ``kotti.modification_date_excludes`` configuration option.
  It takes a list of attributes in dotted name notation that should not trigger
  an update of ``modification_date`` on change.  Defaults to
  ``kotti.resources.Node.position``.
- Don't try to set a caching header from the NewRequest handler when Pyramid's
  tweens didn't follow the usual chain of calls. This fixes compatibility with
  ``bowerstatic``.
- Don't assume ``renderer_name`` exists in a rendering event (ex.
  BeforeRender). The official docstring of ``pyramid.interfaces.IRenderer`` is
  a bit ambigous in regards to what the ``system`` parameter should include
  when a renderer gets called. This fixes compatibility with
  ``pyramid_layout``.
- Add a ``kotti.modification_date_excludes`` configuration option.
  It takes a list of attributes in dotted name notation that should not trigger
  an update of ``modification_date`` on change.  Defaults to
  ``kotti.resources.Node.position``.

1.1.5 - 2015-09-04
------------------

- Fix migration error on MySQL.
- Only wrap methods that do exist on the wrapped type (in
  ``kotti.sqla.MutationList`` / ``kotti.sqla.MutationDict``).  This
  fixes an error that occurs when MutationLists are exposed to the UI
  via ``colander.SequenceSchema``.
- Upgrade requirements to latest versions (``filedepot``, ``waitress``).

1.1.4 - 2015-06-27
------------------

- Add compatibility with SQLAlchemy 1.0.  Also require SQLAlchemy 1.0.6 now.
- Ignore HTTPForbidden exceptions during slot rendering

1.1.3 - 2015-06-17
------------------

- Fix a bug in kotti-migrate that prevented initial migration steps from being
  run successfully.
- Require kotti_tinymce 0.5.3.

1.1.2 - 2015-06-12
------------------

- Enlarge column sizes for ``name``, ``path`` and ``title`` (see #427).
  Upgrading from any version older than 1.1.2 requires you to run a migration
  script on your database. To run the migration, call::

    $ bin/kotti-migrate <myconfig.ini> upgrade

- Add length validator for ``title`` (fix partially #404). See #428

- Remove 40 chars max length constraint for the html segment ``name``
  (``Kotti.util.title_to_name``). See #428

- Update italian translation

- Update documentation

- Add an ``add_permission`` attribute to ``kotti.resources.TypeInfo`` with a
  default value of ``add``. See #436

- Add a "cancel" button to the delete node view.

1.1.1 2015-05-11
----------------

- Update scaffold's README file. See #417.
- Fix broken multifile upload.  See #425.

1.1.0 2015-04-16
----------------

- Separate the default actions to a ``kotti.resources.default_actions``
  variable, to allows easier customization of default actions of all
  content types. This is a ``LinkParent``, you can append new
  ``kotti.util.Link`` objects to its ``children``.

- Add ``target`` option to ``kotti.util.Link``. See #405.

- Add sanitizers.  See ``docs/development/advanced/sanitizers`` and
  ``kotti.sanitizers`` for details.  This fixes #296.

- Added new document on how to customize the edit interface.
  See ``docs/development/advanced/add-to-edit-interface``.

- Make it easier to customize default actions by separating them to a new
  ``kotti.resources.default_actions`` variable. Before, to customize them,
  you'd have to change ``Content.type_info.edit_links[3].children``, now you
  can mutate ``default_actions`` directly. See
  ``docs/development/advanced/add-to-edit-interface`` for details.

- Upgrade ``WebOb``, ``html2text``, ``pyramid`` and ``xlwt`` to their latest
  stable versions.

1.1.0-alpha.1 - 2015-03-19
--------------------------

- Allow moving ``File`` and ``Image`` blob data from the database to
  configurable storages. To achieve this we use `filedepot`_, a third-party
  library with several plugin storages already built in. See
  docs/developing/advanced/blobs.rst for details on what this brings. Upgrading
  from any version older then 1.1.0 requires you to run a migration script on
  your database.  To run the migration, call::

    $ bin/kotti-migrate <myconfig.ini> upgrade

  Please note that, before running the migration, you should take the time to
  read the documentation and configure your desired storage scheme.

.. _filedepot: https://pypi.python.org/pypi/filedepot/

- Allow storing blob data in the database using ``DBStoredFile`` and
  ``DBFileStorage``, a database centered storage plugin for ``filedepot``. This
  storage is the default storage for blob data, unless configured otherwise.

- Added a script to migrate blob data between depot storages. See
  docs/developing/advanced/blobs.rst for details on how to use it.

- Simplify serving blob data by using ``kotti.views.file.UploadedFileResponse``,
  which also streams data.  Please note that the default ``DBStoredFile`` still
  needs to load its entire data in memory, to benefit from this feature you
  should configure another default depot storage.

- Added three new test fixtures: ``mock_filedepot``, to be used in simple unit
  tests with no dependency on a database session, ``filedepot``, which
  integrates with the ``dbsession`` fixture and ``no_filedepot``, a fixture
  that can be used in developing tests for new file depot plugins - by
  preserving the depot configuration before and after running the test. NOTE:
  in order to test edit views with uploaded data in the request, you need to
  mixin the ``filedepot`` fixture.

- Initialize pyramid.paster.logging for custom commands defined via
  ``kotti.util.command``, to allow log message output for kotti sessions
  started via custom commands.

- Remove unused ``kotti.js``.

- Remove deprecated ``kotti.views.slots.local_navigation`` and
  ``kotti.views.slots.includeme_local_navigation``.  Use
  ``kotti.views.navigation.local_navigation`` and
  ``kotti.views.navigation.includeme_local_navigation`` instead.

- Upgrade ``plone.scale`` and ``SQLAlchemy`` to their latest stable versions.

- Change ``height`` property on ``body``'s widget (``RichTextField``) for
  improved usability. See #403.

1.0.0 - 2015-01-20
------------------

- No changes.

1.0.0-alpha.4 - 2015-01-29
--------------------------

- Added experimental Docker support. See #374.

- Allow restricting *add views* to specific contexts. This allows third party
  developers to register new content types that are addable in specific
  type of contexts, by specifying ``context=SomeContentType`` in their
  *add view* registration and having ``type_info.addable=['SomeContentType']``
  in the type info.

- For documents with duplicate titles that end in a number, append a counter
  instead of incrementing their number. Fixes #245

- Update all requirements (except alembic) to their latest respective versions.

1.0.0-alpha.3 - 2015-01-13
--------------------------

- Explicitly implement ``pyramid.interfaces.IRequest`` for
  ``kotti.request.Request``.  This allows add-on packages to use
  ``config.add_request_method`` (with reify) and
  ``config.add_request_property`` without breaking the interfaces provided by
  the request. Fixes #369

1.0.0-alpha.2 - 2015-01-01
--------------------------

- Require ``kotti_tinymce==0.5.1``.  This fixes #365.

1.0.0-alpha - 2014-12-20
------------------------

- Add a new scaffold based on Pyramid's ``pcreate``.  To run the tests for the
  scaffold, you must invoke ``py.test`` with the ``--runslow`` option.  This
  is enabled by default on Travis.

- ``kotti._resolve_dotted`` now return a resolved copy of the settings
  (instead of in place resolving as before).

- Factor out DBMS specific patches and make them available to the test fixtures.

- Add new fixtures that can also be used in add on tests:

  - ``custom_settings`` does nothing and is meant to be overridden in add on
    test suites.  It allows injection of arbitrary key / values into the
    settings dict used in tests.

  - ``unresolved_settings`` is guaranteed to only contain unresolved string
    values (or lists therof).

  - ``settings`` is now guaranteed to be fully resolved.

  - ``webtest`` returns a ``webtest.TestApp`` instance with support for the
    ``@user`` marker.  This should be used instead of browser doctests for
    functional tests.

- Use RTD theme for documentation.

- Use latest versions of all requirements.  The only upgrade with notable
  differences is ``lingua`` (from 1.4 to 3.6.1).  This completely changes
  lingua's API.  See docs/developing/basic/translations.rst for details on
  the greatly simplified new usage.

- Remove code (incl. tests) that has been marked as deprecated since (at least)
  Kotti 0.8.

- Revise UI to make better use of Bootstrap 3.

- Allow parameters for move-child-position views to either be in
  ``request.POST`` or ``request.json_body``.

- Don't use Pyramid code that is marked as deprecated:

  - replace ``pyramid.security.authenticated_userid`` with
    ``request.authenticated_userid``.

- Deprecate ``kotti.security.has_permission`` to be consistent with the
  corresponding deprecation in Pyramid 1.5.  You should now use
  ``request.has_permission`` instead.

- Make all values in ``Node.path`` end in ``/``.  This makes it consistent over
  all nodes (*including* root) and correspond to the values of
  ``request.resource_url``.  As a side effect querying becomes easier.
  However, this might need adjustments in your code if you were expecting the
  old path values before.  A migration step for DB upgrades is included.

0.10b1 - 2014-07-11
-------------------

- Add a ``__json__`` method to MutationList and MutationDict.

  This is to allow Pyramid's serializer to just work.

0.10a4 - 2014-06-19
-------------------

- Upgrade Pyramid to version 1.5.1.

0.10a3 - 2014-06-11
-------------------

- Upgrade SQLAlchemy and alembic dependencies from 0.8.2 and 0.5.0 to
  0.9.4 and 0.6.5 respectively.

- Do not flush within ``Node.path`` event handlers.  We would
  otherwise trigger object handlers with funny object states.

- Fix bug with ``Node.path`` where we attach a Node instance to a
  parent that has been loaded from the database, but its parents have
  not been loaded yet.

- Fix deprecation warnings with regard to Pyramid's
  ``custom_view_predicates`` and ``set_request_property``.  Also
  deprecate ``kotti.views.util.is_root``.

0.10a2 - 2014-06-05
-------------------

- Add ``Node.path`` column.  This allows queries based on path, so
  it's much easier just to find all children, grandchildren etc. of a
  given node::

    DBSession.query(Node).filter(Node.path.startswith(mynode.path))

- Adds ``session`` attribute to the request attributes to copy to the slot view request.

Migrations
~~~~~~~~~~

- Upgrading from 0.9.2 to 0.10 requires you to run a migration script
  on your database.  To run the migration, call::

    $ bin/kotti-migrate <myconfig.ini> upgrade

  Make sure you **backup** your database before running the migration!

0.10a1 - 2014-05-19
-------------------

- Kotti is now based on Bootstrap 3 (and therefore Deform 2).

  THIS IS A BACKWARD INCOMPATIBLE CHANGE W.R.T. MOST TEMPLATES,
  INCLUDING FORM TEMPLATES!  IF YOUR PROJECT EITHER HAS TEMPLATE
  CUSTOMIZATIONS OR DEPENDS ON ADD-ONS THINGS WILL LOOK BROKEN!

  If you **only** use Kotti's default UI, chances are good that your
  application will continue to work well unchanged.  Kotti's API is
  mostly unchanged and fully backward compatible though.

- Rework implementation of 'kotti.util.Link' ('ViewLink') to be more
  flexible.

  There's now proper support for nesting 'edit_links', so that the
  special 'action_links' list is no longer necessary.  Links now also
  make better use of templates for rendering, and are probably easier
  to customize overall.

- Added compatiblity for and now require Pyramid>=1.5.  #273

- In tests, turned `settings` and `setup_app` into fixtures to ease
  overriding.

- Add ``kotti_context_url`` JS global variable.  For more details on why this
  is needed see:

    - https://github.com/Kotti/kotti_tinymce/issues/19
    - https://github.com/Kotti/Kotti/issues/219
    - https://github.com/Kotti/kotti_newsitem/issues/2
    - https://github.com/Kotti/kotti_calendar/issues/4

- Adds ``delete`` permission needed for 'delete' and 'delete_nodes'
  views. The default workflow was updated in consequence. It allows to
  elaborate more fine grained workflows : for instance, create a role
  which can edit a content but not delete it.

  To make existent Kotti's instances using default workflow
  compatibles and avoid users that have 'editor' role (and so far,
  whom have the possibility to edit and delete the content) to not be
  able to delete contents, it's needed to reset workflow with
  "kotti-reset-workflow <application ini file>" command.

- Fix #308: Unique name constraint issue during paste of a cut node.

0.9.2 - 2013-10-15
------------------

- Fix #268: Convert None to colander.null in get_appstruct so that
  serialization doesn't fail (needed due to recent changes in colander).

0.9.1 - 2013-09-25
------------------

- Allow user admins to modify user passwords.

- Require newer kotti_tinymce (source code editing was broken in 0.4).

0.9 - 2013-09-17
----------------

- Add multi file content upload.  You can now select several files from your
  local storage that you want to upload and chose what content nodes shall be
  created in your Kotti site.  Currently files with MIME types of ``image/*``
  can be uploaded and be created as either ``Image`` or ``File`` nodes, all
  other MIME types will be created as ``File``.  In future releases (or add-on
  products) this can be extended with additional converters allowing for example
  to upload HTML files and create ``Document`` nodes with the content of the
  ``title`` tag becoming the node's title, the content of the ``body`` tag
  becoming the node's body and so on.

- Fix #253: Many translations weren't included in the last release.

  '--use-fuzzy' translations when running 'compile_catalog' adds back
  translations that were recently marked as fuzzy.  (All translations
  that were marked as fuzzy in German were still accurate.)

- Fix #252: Wrap templates where extract_messages failed with <tal:block>

- Fix #249: TinyMCE translations work again.

0.9b2 - 2013-08-20
------------------

- Fix #251: Broken comparison of NestedMutationDict and NestedMutationList.

- Update kotti_tinymce to version 4.0.2.

- Fix bug in `kotti.views.content.FileEditForm` to preserve file
  content while editing it.

0.9b1 - 2013-06-26
------------------

- Add ``kotti.util.ViewLink.visible`` method for better control over
  whether a view link should be visible or not.  This allows us to
  move formerly hardcoded action links defined in
  ``kotti.views.edit.actions`` into ``TypeInfo.action_links`` and thus
  make them configurable either globally or per content type.

- ``kotti.security.view_permitted`` will now check for
  ``pyramid.security.view_execution_permitted`` with a request method
  set to 'GET' by default.  It used to check for a view that matches
  the current request's method.

  This fixes an issue where ``kotti.util.ViewLink.permitted`` would by
  mistake check for a 'POST' view when the current request was 'POST'.

- Add ``INavigationRoot`` interface and ``TemplateAPI.navigation_root``
  property.  The latter returns the first content node in the lineage that
  implements ``INavigationRoot`` or the root node if ``INavigationRoot`` is not
  implemented by any node in the lineage.  Make the ``nav.pt`` template use
  ``api.navigation_root`` instead of ``api.root``.  This allows third party
  add-ons to define content types that can reside somewhere in the content tree
  while still being the root for the navigation.

- Move navigation related view code to new module ``kotti.views.navigation``.
  Deprecate imports from the old locations.

- Remove *some* code that has been deprecated in 0.6 or 0.7.

- A view assigned to a slot can access the slot name where its rendered.

- Add missing `transaction.commit()` in `kotti-reset-workflow`.

- Fix bug in `kotti.views.util.render_view` where local roles weren't
  respected correctly.

- Add helper method `kotti.message.send_email` for sending general
  emails. These emails must follow a particular structure. Look at
  `kotti:templates/email-set-password.pt` as an example.

0.9a2 - 2013-05-04
------------------

- Fix #222: Use SQLAlchemy's `before_flush` event for object events.

  We were using the wrong events previously.  The problem with
  `before_insert`, `before_update`, and `before_delete` was that event
  handlers could not reliably call `Session.add`, `Session.delete`,
  and change mapped relationships.  But only SQLAlchemy 0.8 started
  emitting a warning when that was done.

  Also deprecated `ObjectAfterDelete` because I don't think it's useful.

- Remove the html5shim from the master templates and use the fanstatic
  package js.html5shiv instead.

- A temporary fix for #187.  Basically suppresses DetachedInstanceError.

- Add ``kotti.events.subscribe`` decorator.  See the also updated docs on that
  topic / module for details.

0.9a1 - 2013-03-12
------------------

- Fix ordering on how ``include_me`` functions are loaded. This puts
  Kotti's own and Kotti add-on search paths in front of
  deform_bootstrap's.

- Add image thumbs with preview popovers to @@contents view.

- Add drag'n'drop ordering support to @@contents view.

- Add "toggle all" checkbox to @@contents view.

- Add contents path bar to @@contents view.

0.8 - 2013-03-12
----------------

- No changes.

0.8b2 - 2013-02-08
------------------

- Fix Kotti's tests to no longer trigger deprecation warnings.
  Kotti's funcargs need to be better documented still, see #141.

- Add a fanstatic.Group 'tagit' and need() it in the defered widget. This is
  needed to make the tags widget render correctly with a theme package enabled
  until the defered widget is replaced by a widget class that declares its
  requirements in the usual deform style.

- Transform ``setup_users``, ``setup_user`` and ``prefs`` views into
  class-based views. Add a little text at subsection ``Security`` on
  developer manual mentioning those views.

0.8b1 - 2012-12-30
------------------

- No changes

0.8a2 - 2012-12-15
------------------

- Remove test related dependencies on requirements.txt.
  So now we need to run `python setup.py dev` to get testing
  dependencies.

- Update packages versions on requirements.txt for latest working
  versions.

- Added a tags display in views for documents, files, folders, and images,
  where they show up as a horizontal list between description and body.

- Modified general search to include simple tags searching. The default
  search in Kotti works on a simple search term matching basis. Tags
  searching is added here in a simple fashion also, such that you can only
  search for one tag at a time, but partial matches work: searching for 'foo'
  finds content tagged 'foo bar'.  You can also search on single tags by
  clicking an individual tag in the tags display of an item. More
  sophisticated tags searching, just as for general search, is left to
  dedicated add-ons.

0.8a1 - 2012-11-13
------------------

- Make language-dependent URL normalization the default.  (How to do
  this used to be a cookbook entry.)

- Cleanup node edit actions and use decorated view classes.

- Add contents view with actions for multiple items.

- Add children_with_permission method to ContainerMixin.

- Add UI for default_view selection.

- Deprecate 'kotti.views.edit.generic_add' and 'generic_edit'.  Just
  use class-based forms instead.

0.7.2 - 2012-10-02
------------------

- Improve installation instructions.  Now uses tagged requirements.txt
  file.

- Added event request POST vars to the request for the slot viewlet.

- Added IFile and IImage interfaces to allow for file and image
  subclasses to reuse the same view (registrations).

0.7.1 - 2012-08-30
------------------

- Add deletion of users to the users management.

- Fix tag support for files and images.

- Upgrade to Twitter Bootstrap 2.1

  - remove lots of CSS that is no longer needed

  - fix responsive layout that was broken on some phone size
    screen resolutions

- Add "Site Setup" submenu / remove @@setup view.

0.7 - 2012-08-16
----------------

- Fix critical issue with migrations where version number would not be
  persisted in the Alembic versions table.

0.7rc1 - 2012-08-14
-------------------

- No changes.

0.7a6 - 2012-08-07
------------------

- Fix a bug with connections in the migration script.  This would
  previously cause Postgres to deadlock when calling
  ``kotti-migrate``.

0.7a5 - 2012-08-07
------------------

- Add workflow support based on ``repoze.workflow``.  A simple
  workflow is included in ``workflow.zcml`` and is active by default.
  Use ``kotti.use_workflow = 0`` to deactivate.  The workflow support
  adds a drop-down that allows users with ``state_change`` permission
  to modify the workflow state.

- Change the default layout

  Kotti's new default look is now even closer to the Bootstrap
  documentation, with the main nav bar at the very top and the
  edit bar right below.

  Upgrade note: if you have a customized main_template and want to
  use the recent changes in that template, you need to swap
  positions of ``nav.pt`` and ``editor-bar.pt`` ``api.render_template``
  calls and remove the ``search.pt`` call from the main_template
  (it's now called from within ``nav.pt``).
  Everything else is completely optional.

- Add migrations via Alembic.  A new script ``kotti-migrate`` helps
  with managing database upgrades of Kotti and Kotti add-ons.  Run
  ``kotti-migrate <your.ini> upgrade`` to upgrade the Kotti database
  to the latest version.

  Add-on authors should see the ``kotti.migrate`` module's docstring
  for more details.

- Make ``Document.body`` searchable (and therefore the search feature
  actually useful for the first time).

- Add a "minify" command to compress CSS and JS resources.

  To use it run::

    python setup.py dev
    python setup.py minify

  The ``minify`` command assumes, that all resources are in
  ``kotti/static/``. ``YUI compressor`` is used for compression
  and will be automatically installed when running
  ``python setup.py dev``. However, you still need a JVM on
  your development machine to be able to use the ``minify``
  command.

- Fix settings: only values for kotti* keys should be converted to
  unicode strings.

- Fix #89: Validate email address for uniqueness when user changes it.

- Fix #91: Styling of search box.

- Fix #104: Make fanstatic resources completely overridable.

- Enabled deferred loading on File.data column.

Migrations
~~~~~~~~~~

- Upgrading from 0.6 to 0.7 requires you to run a migration script on
  your database.  To run the migration, call::

    $ bin/kotti-migrate <myconfig.ini> upgrade

  Make sure you **backup** your database before running the migration!

- Upgrading to 0.7 will initialize workfow state and permissions for
  all your content objects, unless you've overwritten
  ``kotti-use_workflow`` to not use a workflow (use ``0``) or a custom
  one.

  It is **important** that sites that have custom permissions,
  e.g. custom modifications to SITE_ACL, turn off workflow support
  prior to running the upgrade script.

0.7a4 - 2012-06-25
------------------

- Add minified versions JS/CSS files.

- Fix #88: logging in with email.

- Update translations.

0.7a3 - 2012-06-15
------------------

- Include ``kotti.tinymce`` which adds plug-ins for image and file
  upload and content linking to the TinyMCE rich text editor.

- Slot renderers have been replaced by normal views (or viewlets).
  ``kotti.views.slots.register`` has been deprecated in favour of
  ``kotti.views.slots.assign_slot``, which works similarly, but takes
  a view name of a registered view instead of a function for
  registration.

- Switch to fanstatic for static resource management.

  Upgrade note: This requires changes to existing `*.ini` application
  configuration files.  Concretely, you'll need to add a
  ``filter:fanstatic`` section and a ``pipeline:main`` section and
  rename an existing ``app:main`` section to ``app:Kotti`` or the
  like.  Take a look at Kotti's own ``development.ini`` for an
  example.

- Retire the undocumented ``kotti.resources.Setting`` class and table.
  ``kotti.get_settings`` will now return ``registry.settings``
  straight, without looking for persistent overrides in the database.

- Drop support for Pyramid<1.3, since we use
  ``pyramid.response.FileResponse``, and kotti_tinymce uses
  ``pyramid.view.view_defaults``.

- Fix encoding error with non-ascii passwords.

0.7a2 - 2012-06-07
------------------

- Do not allow inactive users to reset their password.


0.7a1 - 2012-06-01
------------------

Features
~~~~~~~~

- Add a new 'Image' content type and image scaling, originally from
  the kotti_image_gallery add-on.  See ``kotti.image_scales.*``
  settings.

- Add search and related setting ``kotti.search_content``.

- Add subscriber to set cache headers based on caching rules.  See
  also related setting ``kotti.caching_policy_chooser``.

- Remove TinyMCE from the core.

- Move email templates into page templates in
  ``kotti:templates/email-set-password.pt`` and
  ``kotti:templates/email-reset-password.pt``.  This is to make them
  easier to translate and customize.  This deprecates
  ``kotti.message.send_set_password``.

- Add a 'edit_inhead' slot for stuff that goes into the edit
  interface's head.  'inhead' is no longer be used in
  'edit/master.pt'.

- For more details, see also
  http://danielnouri.org/notes/2012/05/28/kotti-werkpalast-sprint-wrap-up/

Bugs
~~~~

- Fix bug with group edit views.
  See https://github.com/Pylons/Kotti/pull/61

- Fix bug where ``user.last_login_date`` was not set during automic
  login after the set password screen.

0.6.3 - 2012-05-08
------------------

- Add tag support.  All content objects now have tags.  They can be
  added in the UI using the "jQuery UI Tag-it!" widget.
  See https://github.com/Pylons/Kotti/pull/55 .

- Fix a bug with file download performance.

0.6.2 - 2012-04-21
------------------

- Links in Navigation view lead to node view. Added edit links
  to view the node's edit form.

- Hitting 'Cancel' now returns to the context node for add/edit views

0.6.1 - 2012-03-30
------------------

- Added button to show/hide nodes from navigation in the order screen.

- The 'rename' action now strips slashes out of names.  Fixes #53.

- Add Dutch translation.

- Allow translation of TinyMCE's UI (starting with deform 0.9.5)

- Separated out testing dependencies.  Run ``bin/python setup.py dev``
  to install Kotti with extra dependencies for testing.

- Deprecate 'kotti.includes' setting.  Use the standard
  'pyramid.includes' instead.

- Setting 'Node.__acl__' to the empty list will now persist the empty
  list instead of setting 'None'.

- Let 'pyramid_deform' take care of configuring deform with
  translation dirs and search paths.

0.6.0 - 2012-03-22
------------------

- Add Japanese translation.

- Enforce lowercase user names and email with registration and login.

- Moved SQLAlchemy related stuff from kotti.util into kotti.sqla.

- You can also append to 'Node.__acl__' now in addition to setting the
  attribute.

0.6.0b3 - 2012-03-17
--------------------

- Have the automatic ``__tablename__`` and ``polymorphic_identity``
  for CamelCase class names use underscores, so a class
  'MyFancyDocument' gets a table name of 'my_fancy_documents' and a
  type of 'my_fancy_document'.

0.6.0b2 - 2012-03-16
--------------------

- Make the 'item_type' attribute of AddForm optional.  Fixes #41.

- ``kotti.util.title_to_name`` will now return a name with a maximum
  length of 40.  Fixes #31.

0.6.0b1 - 2012-03-15
--------------------

- Use declarative style instead of class mapper for SQLAlchemy resources.

  Unfortunately, this change is backwards incompatible with existing
  content types (not with existing databases however).  Updating your
  types to use Declarative is simple.  See kotti_calendar for an
  example:
  https://github.com/dnouri/kotti_calendar/commit/509d46bd596ff338e0a88f481339882de72e49e0#diff-1

0.5.2 - 2012-03-10
------------------

- A new 'Actions' menu makes copy, paste, delete and rename of items
  more accessible.

- Add German translation.

- Populators no longer need to call ``transaction.commit()``
  themselves.

0.5.1 - 2012-02-27
------------------

- Internationalize user interface.  Add Portuguese as the first
  translation.

- A new 'Add' menu in the editor toolbar allows for a more intuitive
  adding of items in the CMS.

- Refine ``Node.copy``.  No longer copy over local roles per default.

0.5.0 - 2012-02-15
------------------

- Move Kotti's default user interface to use Twitter Bootstrap 2.

- Add a new 'File' content type.

- Add CSRF protection to some forms.

- Remove Kotti's ``FormController`` in favor of using ``pyramid_deform``.

- Use plone.i18n to normalize titles to URL parts.

- Add a separate navigation screen that replaces the former
  intelligent breadcrumbs menu.

- Use ``pyramid_beaker`` as the default session factory.

- Make ``kotti.messages.send_set_password`` a bit more flexible.

0.4.5 - 2012-01-19
------------------

- Add 'kotti.security.has_permission' which may be used instead of
  'pyramid.security.has_permission'.

  The difference is that Kotti's version will set the "authorization
  context" to be the context that you pass to 'has_permission'.  The
  effect is that 'list_groups' will return a more correct list of
  local roles, i.e. the groups in the given context instead of
  'request.context'.

- Add a template ('forbidden.pt') for when user is logged in but still
  getting HTTPForbidden.

0.4.4 - 2012-01-05
------------------

- The "Forbidden View" will no longer redirect clients that don't
  accept 'text/html' to the login form.

- Fix bug with 'kotti.site_title' setting.

0.4.3 - 2011-12-22
------------------

- Add 'kotti.root_factory' setting which allows the override Kotti's
  default Pyramid *root factory*.  Also, make master templates more
  robust so that a minimal root with '__parent__' and '__name__' can
  be rendered.

- The 'kotti.tests' was factored out.  Tests should now import from
  'kotti.testing'.

0.4.2 - 2011-12-20
------------------

- More convenient overrides for add-on packages by better use of
  'config.commit()'.

0.4.1 - 2011-12-20
------------------

- Modularize Kotti's Paste App Factory 'kotti.main'.

- Allow explicit setting of tables that Kotti creates
  ('kotti.use_tables').

0.4.0 - 2011-12-14
------------------

- Remove configuration variables 'kotti.templates.*' in favour of
  'kotti.asset_overrides', which uses Pyramid asset specs and their
  overrides.

- Remove 'TemplateAPI.__getitem__' and instead add 'TemplateAPI.macro'
  which has a similar but less 'special' API.

- Factor snippets in 'kotti/templates/snippets.pt' out into their own
  templates.  Use 'api.render_template' to render them instead of
  macros.

0.3.1 - 2011-12-09
------------------

- Add 'keys' method to mutation dicts (see 0.3.0).

0.3.0 - 2011-11-30
-------------------

- Replace `Node.__annotations__` in favor of an extended `Node.annotations`.

  `Node.annotations` will attempt to not only recognize changes to
  subobjects of type dict, it will also handle list objects
  transparently.  That is, changing arbitrary JSON structures should
  just work with regard to calling `node.annotations.changed()` when
  the structure was changed.

0.2.10 - 2011-11-22
-------------------

- 'api.format_datetime' now also accepts a timestamp in addition to datetime.

0.2.9 - 2011-11-21
------------------

- Remove MANIFEST.in in favour of using 'setuptools-git'.

0.2.8 - 2011-11-21
------------------

- Remove 'PasteScript' dependency since that would result in spurious
  errors when installing Kotti. See
  http://jenkins.danielnouri.org/job/Kotti/42/TOXENV=py27/console

0.2.7 - 2011-11-20
------------------

- Add 'PasteScript' dependency.

- Fix #11 where 'python setup.py test' would look into a hard-coded
  'bin' directory.

- Structural analysis documentation. (Unfinished; in 'analysis' directory
  during development. Will be moved to main docs when finished.)

0.2.6 - 2011-11-17
------------------

- Add `Node.__annotations__` convenience attribute.

  `Node.__annotations__` will wrap the annotations dict in such a way
  that both item and attribute access are possible.  It'll also record
  changes to dicts inside dicts and mark the parent `__annotations__`
  attribute as dirty.

- Add a welcome page.
- Delete the demo added in version 0.2.4.

0.2.5 - 2011-11-14
------------------

- Add 'TemplateAPI.render_template'; allow templates to be rendered
  conveniently from templates.

0.2.4 - 2011-11-13
------------------

- Adjust for Pyramid 1.2: INI file, pyramid_tm, Wsgiref server, pcreate and
  pserve. (MO)

- Add Kotti Demo source and documentation.

0.2.3 - 2011-10-28
------------------

- ``Node.__getitem__`` will now also accept a tuple as key.

  ``folder['1', '2']`` is the same as ``folder['1']['2']``, just more
  efficient.

- Added a new cache decorator based on ``repoze.lru``.

0.2.2 - 2011-10-10
------------------

- Change the function signature of ``kotti.authn_policy_factory``,
  ``kotti.authz_policy_factory`` and ``kotti.session_factory`` to
  include all settings from the configuration file.

0.2.1 - 2011-09-29
------------------

- Minor changes to events setup code to ease usage in tests.

0.2 - 2011-09-16
----------------

- No changes.

0.2a2 - 2011-09-05
------------------

- Fix templates to be compatible with Chameleon 2.  Also, require
  Chameleon>=2.

- Require pyramid>=1.2.  Also, enable pyramid_debugtoolbar for
  ``development.ini`` profile.

0.2a1 - 2011-08-29
------------------

- Improve database schema for ``Nodes``.  Split ``Node`` class into
  ``Node`` and ``Content``.

  This change is backward incompatible in that existing content types
  in your code will need to subclass ``Content`` instead of ``Node``.
  The example in the docs has been updated.  Also, the underlying
  database schema has changed.

- Improve user database hashing and local roles storage.

- Compatibility fix for Pyramid 1.2.