Let me preface this by saying that I really enjoy web2py, and that it's a testament to the great efforts that Massimo puts into maintaining backwards compatibility that made this change such a painful surprise...
1.96.1 includes a security fix that breaks existing applications by disabling generic views. *[release notes included at the end of this post].

The fix was made for good reasons (because saying "Don't do that" isn't a good security solution), but it really does break existing applications - see http://web2py.com/examples/default/examples 3rd example, click the hello3.json and hello3.xml links - "invalid view (simple_examples/hello3.xml)". Multiple other examples on that page are also broken. By definition, these examples are the way users learn to write web2py apps - and they're broken.

Application-breaking changes really MUST be highlighted more than just mentioning a security fix with a "slight change of behavior for new app" in the release notes. I would like to have been warned on every startup until I acknowledged the changes:

    "You have upgraded web2py from version X to version Y. The following changes have been made that change the behavior of your applications: 1.96.1 - generic views are now disabled by default. This may cause invalid view errors, ..."

Furthermore, the localhost exemption hides the breakage - letting you exhaustively test the application locally, where it works fine, then deploy it where it breaks for your users. (Guess I need a non-local staging location...) I believe this exemption should be removed (it is easy enough to add explicitly in db.py if developers want a localhost exemption).

Finally, the error message "invalid view (simple_examples/hello3.xml)" ( http://web2py.com/examples/simple_examples/hello3.xml ) is confusing to users and doesn't help the developer know what is wrong. Ideally, this situation would invoke the traceback mechanism with an error message including instructions for the developer:

    web2py generic views are disabled by default because they could expose more fields of objects returned from your controller methods than you intended to expose in your custom view. To enable generic views in spite of this security risk, add the following line to your db.py:

        response.generic_patterns = ['*']

kb

* The security problem occurs if you return sensitive data from your controller methods and attempt to hide it in your custom view, the hiding can be circumvented with the generic views.

Security description in the release notes for 1.96.1 doesn't indicate this release is not backwards compatible:

"""
usage of generic.* views is - by default - restricted to localhost for security. This can be changed in a granular way with: response.generic_patterns=['*']. This is a slight change of behavior for new app but a major security fix.
"""
http://www.web2py.com/examples/default/changelog

Massimo's announcement of the problem in the mailing list is informative: https://groups.google.com/d/msg/web2py/26g9XA_0ZXE/4yiIHs5FivkJ
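The localhost exemption and the "granular" alternative discussed in the post above can be compared with a small stand-alone model. This is an added example, not part of the original post and not web2py's own code: it assumes generic_patterns entries are glob patterns matched against "controller/function.extension", and the function names and the explicit policy are hypothetical.

```python
import fnmatch

def generic_view_allowed(patterns, controller, function, extension):
    """Model of the check (assumption: glob match on 'controller/function.extension')."""
    action = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def localhost_exempt_policy(is_local):
    # The behaviour the post complains about: everything on localhost, nothing elsewhere.
    return ['*'] if is_local else []

def explicit_policy(is_local):
    # Hypothetical granular policy: one reviewed action, same for every client.
    return ['simple_examples/hello3.json']

def hidden_breakage(actions, policy):
    """Actions that render on localhost but give 'invalid view' to remote clients."""
    broken = []
    for controller, function, extension in actions:
        local = generic_view_allowed(policy(True), controller, function, extension)
        remote = generic_view_allowed(policy(False), controller, function, extension)
        if local and not remote:
            broken.append("%s/%s.%s" % (controller, function, extension))
    return broken

# Constructed sample: the two links named in the post; both are assumed to
# have no custom view, so they depend entirely on the generic views.
ACTIONS = [
    ('simple_examples', 'hello3', 'json'),
    ('simple_examples', 'hello3', 'xml'),
]

if __name__ == '__main__':
    print("localhost exemption hides:", hidden_breakage(ACTIONS, localhost_exempt_policy))
    print("explicit policy hides:    ", hidden_breakage(ACTIONS, explicit_policy))
    for c, f, e in ACTIONS:
        served = generic_view_allowed(explicit_policy(False), c, f, e)
        print("%s/%s.%s served remotely: %s" % (c, f, e, served))
```

With a policy that does not depend on the client address, local testing and deployment agree, and only the actions whose full return value has been reviewed are exposed through a generic view.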

