Merge pull request #274 from jsocol/release/v4

Release v4

CHANGELOG

@@ -5,31 +5,41 @@ Change Log
 UNRELEASED
 ==========
 
+v4.0
+====
+
 Breaking changes:
 -----------------
 
 - Renamed the package from ratelimit to django_ratelimit (#226)
+- Changed the default value of the decorator's block kwarg to True (#271)
+- Dropped support for Django versions < 3.2 (#263)
+- Dropped support for Python versions < 3.7 (#263, #254, #266)
 
 Additions:
 ----------
 
 - Add RATELIMIT_IP_META_KEY setting (#218)
+- Add RATELIMIT_EXCEPTION_CLASS setting (#247)
+- Add a system check for cache configuration (#268)
 
 Minor changes:
 --------------
 
 - Factor up _get_ip() logic into a single place (#218)
 - Exception on empty REMOTE_ADDR is clearer (#220)
+- Moved CI process to GitHub Actions (#219, #225)
+- Automated release process (#273)
 
-3.0.1
-=====
+v3.0.1
+======
 
 Bug fixes
 ---------
 
 - Fix import path values for rate= argument (#206)
 
-3.0
+v3.0
 ====
 
 Breaking changes:

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2014, James Socol
+Copyright (c) 2022, James Socol
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

docs/conf.py

@@ -41,16 +41,16 @@
 
 # General information about the project.
 project = u'Django Ratelimit'
-copyright = u'2020, James Socol'
+copyright = u'2022, James Socol'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = '3.0'
+version = '4.0'
 # The full version, including alpha/beta/rc tags.
-release = '3.0.1'
+release = '4.0.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/upgrading.rst

@@ -16,6 +16,62 @@ From 3.x to 4.0
 Quickly:
 
 - Rename imports from ``from ratelimit`` to ``from django_ratelimit``
+- Check all uses of the ``@ratelimit`` decorator. If the ``block`` argument is
+  not set, add ``block=False`` to retain the current behavior. ``block=True``
+  may optionally be removed.
+- Django versions below 3.2 and Python versions below 3.7 are no longer
+  supported.
+
+Package name changed
+--------------------
+
+To disambiguate with other ratelimit packages on PyPI and resolve distro
+packaging issues, the package name has been changed from ``ratelimit`` to
+``django_ratelimit``. See `issue 214`_ for more information on this change.
+
+When upgrading, import paths need to change to use the new package name.
+
+Old:
+
+.. code-block:: python
+
+    from ratelimit.decorators import ratelimit
+    from ratelimit import ALL, UNSAFE
+
+New:
+
+.. code-block:: python
+
+    from django_ratelimit.decorators import ratelimit
+    from django_ratelimit import ALL, UNSAFE
+
+.. _issue 214: https://github.com/jsocol/django-ratelimit/issues/214
+
+
+Default decorator behavior changed
+----------------------------------
+
+In previous versions, the ``@ratelimit`` decorator did not block traffic that
+exceeded the rate limits by default. This has been reversed, and now the
+default behavior *is* to block requests once a rate limit has been exceeded.
+The old behavior of annotating the request object with a ``.limited`` property
+can be restored by explicitly setting ``block=False`` on the decorator.
+
+Historically, the first use cases Django Ratelimit was built to support were
+HTML views like login and password-reset pages, rather than APIs. In these
+cases, rate limiting is often done based on user input like the username or
+email address. Instead of blocking requests, which could lead to a
+denial-of-service (DOS) attack against particular users, it is common to
+trigger some additional security measures to prevent brute-force attacks, like
+a CAPTCHA, temporary account lock, or even notify those users via email.
+
+However, it has become obvious that the majority of views using the
+``@ratelimit`` decorator tend to be either specific pages or API endpoints that
+do not present a DOS attack vector against other users, and that a more
+intuitive default behavior is to block requests that exceed the limits. Since
+there tend to only be a couple of pages or routes for uses like authentication,
+it makes more sense to opt those uses *out* of blocking, than opt all the
+others *in*.
 
 
 .. _upgrading-3.0:

docs/usage.rst

@@ -10,6 +10,8 @@ Using Django Ratelimit
 Use as a decorator
 ==================
 
+.. versionchanged:: 4.0
+
 Import:
 
 .. code-block:: python