From 1f99d5dd20cb8d422a96bc028e5a6e51c696e162 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Wed, 15 Apr 2026 16:11:54 -0700 Subject: [PATCH] Release 1.0a27 Refs #1936, #2678, #2681, #2682, #2683, #2684, #2688, #2689 --- datasette/version.py | 2 +- docs/changelog.rst | 29 ++++++++++++++++++++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/datasette/version.py b/datasette/version.py index add192f6..e2c80e50 100644 --- a/datasette/version.py +++ b/datasette/version.py @@ -1,2 +1,2 @@ -__version__ = "1.0a26" +__version__ = "1.0a27" __version_info__ = tuple(__version__.split(".")) diff --git a/docs/changelog.rst b/docs/changelog.rst index cff580da..9cd7a7d6 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -3,12 +3,35 @@ ========= Changelog ========= -.. dev: -dev ---- +.. _v1_0_a27: +1.0a27 (2026-04-15) +------------------- + +CSRF protection no longer uses CSRF tokens +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Datasette's token-based CSRF protection has been replaced with a mechanism based on the ``Sec-Fetch-Site`` and ``Origin`` request headers, which are `supported by all modern browsers `__. See `this article by Filippo Valsorda `__ for more details of this approach. This removes the need for CSRF tokens in forms and AJAX requests. (:pr:`2689`) + +``RenameTableEvent`` when a table is renamed +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Renaming a table within Datasette will now fire a new :class:`~datasette.events.RenameTableEvent`, which plugins can use to react by updating ACL records or re-assigning comments or other associated records to the new table name. (:issue:`2681`) + +This event will not be fired if the table is renamed by SQL running in some other process. + +The ``datasette.track_event()`` method can now be called from within a write operation (using :ref:`database.execute_write() ` and related methods) and the event will be fired after the write transaction has successfully committed. (:pr:`2682`) + +Other changes +~~~~~~~~~~~~~ + +- New :ref:`actor= parameter ` for ``datasette.client`` methods, allowing internal requests to be made as a specific actor. This is particularly useful for writing automated tests. (:pr:`2688`) +- New ``Database(is_temp_disk=True)`` option, used internally for the internal database. This helps resolve intermittent database locked errors caused by the internal database being in-memory as opposed to on-disk. (:issue:`2683`) (:pr:`2684`) +- The ``///-/upsert`` API (:ref:`docs `) now rejects rows with ``null`` primary key values. (:issue:`1936`) +- Improved example in the API explorer for the ``/-/upsert`` endpoint (:ref:`docs `). (:issue:`1936`) - The ``/.json`` endpoint now includes an ``"ok": true`` key, for consistency with other JSON API responses. +- :ref:`call_with_supported_arguments() ` is now documented as a supported public API. (:pr:`2678`) .. _v1_0_a26: