I've just released a minor update, Pylons 0.9.6.1. The most important fix prompting this release was that private functions (those starting with _) were actually exposed under 0.9.6, this update remedies that security hole. Thanks Tomasz Nazar for the bug catch.

For those using nosetests, Pylons now has a nose plugin extension that ensures the Pylons app is loaded *before* doc tests are run. This means that you can have and run model doc tests. You'll need a [nosetests] block in your setup.cfg as the Pylons Unit test docs note, and add this section: with-pylons=test.ini

Or you can add the --with-pylons option to the command line if you run nosetests directly.

Full Changelog: 0.9.6.1 (September 27th, 2007) * Fixed validate decorator to resume pre-0.9.6 behavior of only validating POST requests by default. Added option to validate during GET as well and a recursion avoidance check to prevent validate from running more than once. * WARNING: Fixed a security hole allowing private controller methods (those beginning with an underscore) to be accessed from the outside. Found by Tomasz Nazar. * Added nose plugin '--with-pylons=test.ini' option to load the Pylons app before scanning for unit tests. This enables Pylons apps to be unit tested with doc tests. * PylonsBaseWSGIApp now caches controller lookup and the effective logging level for a little better performance.

Cheers, Ben