web2py
Developer(s) | web2py developers |
---|---|
Stable release | 1.74.11 / February 3, 2010 |
Written in | Python |
Operating system | Cross-platform |
Type | Web application framework |
License | GNU GPL v2.0 (with exception) |
Website | homepage mailing list |
Web2py is an open source web application framework. Its primary goal is to support agile development of fast, scalable, secure and portable database-driven web-based applications. Web2py is written in the Python language and is programmable in Python. Since web2py was originally designed as a teaching tool with emphasis on ease of use and deployment, it does not have any project-level configuration files.
Web2py was inspired by the Ruby on Rails (RoR) framework and, like RoR, it focuses on rapid development, favors the convention-over-configuration approach and follows the Model-View-Controller (MVC) architectural pattern. Unlike RoR, web2py is based on Python, provides a comprehensive web-based administrative interface, includes libraries to handle more protocols, and can run on the Google App Engine.
Web2py was also inspired by the Django framework and, like Django, it has the ability to generate forms from database tables and includes an extensive set of validators.
Thanks to Python, web2py is less verbose than Java-based frameworks, and its syntax tends to be cleaner than that of PHP-based frameworks. This makes applications simpler to develop and easier to read and maintain.
Overview
Web2py is a full-stack framework in that it has built-in components for all major functions, including:
- HTTP requests, HTTP responses, cookies, sessions;
- multiple protocols[1]: HTML/XML, REST, ATOM and RSS, RTF and CSV, JSON, JSON-RPC and XML-RPC, AMF-RPC (Flash/Flex), and SOAP[2];
- CRUD API;
- multiple authentication mechanisms and role-based access control;
- database abstraction layer (DAL) that dynamically generates SQL and runs on multiple compatible database backends;
- RAM, disk, and memcached-based caching for scalability;
- internationalization support;
- jQuery for Ajax and UI effects;
- automatic logging of errors with context.
Web2py encourages sound software engineering practices such as
- the Model-View-Controller (MVC) pattern;
- self-submission[3] of web forms;
- server-side sessions;
- safe handling of uploaded files.
Web2py has a focus on security by providing safe default mechanisms, preventing the most common vulnerabilities.
Originally designed as a teaching tool at DePaul University, web2py has a very shallow learning curve. It requires little or no installation or configuration, and provides a fully web-based development environment.
Web2py uses the WSGI protocol, the Python-oriented protocol for communication between web server and web applications. It also provides handlers for CGI and the FastCGI protocols, and it includes the multi-threaded, SSL-enabled CherryPy wsgiserver.
Web2py has frequent releases and is easy to update. Despite frequent releases, web2py's developers have not broken backward compatibility since v1.0 in 2007, and have pledged not to break it in the future.
Distinctive features
Web-based integrated development environment (IDE)
All development, debugging, testing, maintenance and remote database administration can (optionally) be performed without third party tools, via a web interface, itself a web2py application. Internationalization (adding languages and writing translations) can also be performed from this IDE. Each application has an automatically generated database administrative interface, similar to Django. The web IDE also includes web-based testing and a web-based shell.
Applications can also be created from the command line or developed with other IDEs[4]. Further debugging options[5]:
- Wing IDE allows graphical debugging of web2py applications[6]: as you interact with the application from your web browser, you can inspect and modify variables, make function calls, etc.
- Eclipse/PyDev — Eclipse with the Aptana PyDev plugin — supports web2py as well[7][8].
- The extensible pdb debugger is a module of Python's standard library.
- With the platform-independent open-source Winpdb debugger, you can perform remote debugging[9] over TCP/IP, through an encrypted connection[10].
Flexible views
The Hello World program with web2py in its simplest form (simple web page[11] with no template) looks like:
```python
def hello():
    return 'Hello World'
```
Web2py includes a fast, pure Python-based template language, with no indentation requirements and a server-side Document Object Model (DOM). The template system works without web2py[12]. Joomla 1.x templates can be converted to web2py layouts[13].
A controller without a view automatically uses a generic view that renders the variables returned by the controller, enabling the development of an application's business logic before writing HTML. The "Hello World" example using a default template:
```python
def hello():
    return dict(greeting='Hello World')
```
Strong security
Web2py has a focus on security; it has never had a security issue reported. The top ten security issues according to OWASP[14] and web2py's approach to them:[15]
- Cross-site scripting (XSS): web2py, by default, escapes all variables rendered in the view, thus preventing XSS.
- Injection Flaws: web2py includes a database abstraction layer that makes SQL injections impossible.
- Malicious File Execution: web2py allows only exposed controllers to be executed and thus prohibits malicious file execution.
- Insecure Direct Object Reference: web2py does not expose any internal objects; moreover, web2py validates all URLs, thus preventing directory traversal attacks.
- Cross-site request forgery (CSRF): web2py only uses session cookies and prevents double submission of forms.
- Information Leakage and Improper Error Handling: web2py provides a built-in ticketing system.
- Broken Authentication and Session Management: web2py has a built-in mechanism for session management, using a cookie to store the session id.
- Insecure Cryptographic Storage: web2py uses the SHA512 HMAC algorithm to hash passwords. MD5 is also supported.
- Insecure Communications: web2py works with Apache and mod_ssl to provide strong encryption of communications.
- Failure to Restrict URL Access: web2py maps URLs into function calls, and provides a mechanism for declaring which functions are public and which require authentication/authorization.
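A small model of the URL-to-function mapping described in the list above, as an added example written for Python 3 and not web2py's own dispatcher: only registered functions are reachable, every path segment is validated before lookup, and each function declares whether it is public or requires login. The `expose` decorator, `REGISTRY` and the session dictionary are hypothetical names for this sketch.

```python
import re

# Assumption of this sketch: URLs have the form /<controller>/<function> and
# every segment must be a plain identifier, so "..", "%2e" or extra slashes
# are rejected before any lookup happens.
SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
PUBLIC, LOGIN = "public", "login"
REGISTRY = {}  # (controller, function name) -> (access level, callable)


def expose(controller, access):
    """Hypothetical decorator: make a function reachable by URL."""
    def wrap(func):
        REGISTRY[(controller, func.__name__)] = (access, func)
        return func
    return wrap


@expose("default", PUBLIC)
def index(session):
    return "welcome"


@expose("default", LOGIN)
def account(session):
    return "account of %s" % session["user"]


def load_settings(session):
    # Not registered: no URL can reach it, whatever the path says.
    return "internal"


def dispatch(path, session):
    """Map a request path to a registered function; return (status, body)."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or not all(SEGMENT.fullmatch(p) for p in parts):
        return 400, "invalid request"
    entry = REGISTRY.get((parts[0], parts[1]))
    if entry is None:
        return 404, "not found"
    access, func = entry
    if access == LOGIN and "user" not in session:
        return 401, "login required"
    return 200, func(session)
```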
Ticketing system
Each web2py application comes with a ticketing system:
- If an error occurs, it is logged and a ticket is issued to the user. That allows error tracking.
- Errors and source code are accessible only to the administrator, who can search and retrieve errors by date or client-IP. No error can result in code being exposed to the users.
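The ticketing behaviour described above, sketched as WSGI middleware in Python 3. This is an added example, not web2py's implementation: the class name, the in-memory `store` and the constructed failing application are assumptions. The user receives only a ticket id, while the traceback, timestamp and client IP stay in the administrator's store.

```python
import sys
import time
import traceback
import uuid


class TicketingMiddleware:
    """WSGI wrapper: log the error server-side, show the user only a ticket id."""

    def __init__(self, app, store):
        self.app = app
        self.store = store  # hypothetical admin-only store: ticket id -> record

    def __call__(self, environ, start_response):
        try:
            # Consume the body here so errors raised during iteration are caught.
            return list(self.app(environ, start_response))
        except Exception:
            ticket = uuid.uuid4().hex
            self.store[ticket] = {
                "time": time.time(),
                "client": environ.get("REMOTE_ADDR", "unknown"),
                "traceback": traceback.format_exc(),
            }
            body = ("Internal error. Ticket issued: %s" % ticket).encode("ascii")
            headers = [("Content-Type", "text/plain"),
                       ("Content-Length", str(len(body)))]
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]


def tickets_for_client(store, client_ip):
    """Administrator-side lookup of tickets by client IP."""
    return [t for t, rec in store.items() if rec["client"] == client_ip]


def broken_app(environ, start_response):
    # Constructed failing application; the secret is a made-up value.
    raise RuntimeError("db login failed for password constructed-secret")


def run_request(app, client_ip):
    """Drive a WSGI app once without a server; return (status, body text)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": client_ip}
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode("ascii")
```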
Portable cron
Cron is a mechanism for creating and running recurrent tasks in the background. It looks for an application-specific crontab file, which is in standard crontab format. Three modes of operation are available:
- Soft cron: cron routines are checked after web page content has been served, so execution precision is not guaranteed. For unprivileged Apache CGI/WSGI installs.
- Hard cron: a cron thread gets started on web2py startup. For Windows and CherryPy/standalone web2py installs.
- System cron: cron functions get force-called from the command line, usually from the system crontab. For Unix/Linux systems and places where the cron triggers need to be executed even if web2py is not running at the moment. Also good for CGI/WSGI installs if you have access to the system crontab.
Source code protection
Web2py can compile web applications, and you can distribute them in bytecode-compiled form, without source code. This helps but does not guarantee source code protection, due to the existence of disassemblers and decompilers for Python bytecode (*.pyc and *.pyo files):
- The dis module[16] of the Python standard library allows you to disassemble, but not decompile, Python bytecode.
- The open source Decompyle Python disassembler and decompiler converts Python bytecode back into equivalent Python source. It accepts bytecode from any Python version between 1.5 and 2.3 inclusive. It doesn't support versions above 2.3 and is hard to use.
- A commercial decompyle service originates from Decompyle. It decompiles Python versions 1.5 up to 2.6, with some minor limitations.
- The open source UnPyc is a tool for disassembling, analyzing and decompiling Python bytecode, with varying success. UnPyc supports Python v2.5 and v2.6.
However, it is quite easy[17][18][19] to extend Python with C or C++, to achieve:
- more efficient code;
- adequate safety of intellectual property;
- reduced security exposure of private information in the code, such as usernames and passwords.
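Why bytecode-only distribution does not hide private information in the code, shown as a pre-release audit in Python 3. This is an added example, not part of web2py: the sample source, its credential values and the marker list are constructed. String literals survive compilation unchanged, so they can be listed from the code object's constants without any decompiler.

```python
import marshal
import types

# Constructed sample source; the credentials and host are made-up values.
SAMPLE_SOURCE = '''
DB_URI = "postgres://appuser:constructed-Passw0rd@db.example/app"

def admin_login(supplied):
    return supplied == "constructed-admin-secret"
'''


def compile_to_bytecode(source, filename="sample_module.py"):
    """Return the marshalled code object: the payload of a .pyc file,
    which on disk is preceded by a short header (magic number, metadata)."""
    return marshal.dumps(compile(source, filename, "exec"))


def embedded_strings(bytecode):
    """Return every string constant stored in the bytecode, including those
    inside nested functions and constant tuples."""
    found = set()
    stack = [marshal.loads(bytecode)]
    while stack:
        item = stack.pop()
        if isinstance(item, types.CodeType):
            stack.extend(item.co_consts)
        elif isinstance(item, (tuple, frozenset)):
            stack.extend(item)
        elif isinstance(item, str):
            found.add(item)
    return found


def find_secrets(bytecode, markers=("passw", "secret", "://")):
    """Flag constants that look like credentials or connection strings."""
    return sorted(s for s in embedded_strings(bytecode)
                  if any(m in s.lower() for m in markers))
```

Running `find_secrets` over a compiled application before shipping it shows which literals should move out of the code and into configuration or a secret store.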
Supported environments
Operating systems, Python versions & implementations, virtual machines, hardware
Web2py runs on Windows, Windows CE phones, Mac, Unix/Linux, Google App Engine, Amazon EC2, and almost any web hosting via Python 2.4[20]/2.5/2.6.
Web2py is targeted at Python 2.5, but is compatible with 2.4 and 2.6.
Since v1.64.0, web2py runs unmodified on Java with Jython 2.5, without any known limitation[21].
Web2py code runs with IronPython on .NET[22]. Limitations:
- no csv module (so no database I/O);
- no third party database drivers (not even SQLite, so no databases at all);
- no built-in web server (unless you cripple it by removing signals and logging).
A VMWare appliance is planned[23].
The web2py binary will[24] run from a USB drive or a portable hard drive without dependencies, like Portable Python.
Web servers
Web2py can service requests via HTTP and HTTPS with its built-in CherryPy server[25], with Apache[26], Lighttpd[27], Cherokee[28], Nginx and almost any other web server through CGI, FastCGI, WSGI, mod_proxy[29][30][31], and/or mod_python.
IDEs and debuggers
Web2py has a built-in web-based IDE, and is generally compatible with third-party Python development tools.
Database handling
The database abstraction layer (DAL) of web2py dynamically and transparently generates SQL queries and runs on multiple compatible database backends without the need for database-specific SQL commands (though SQL commands can be issued explicitly).
SQLite is included in Python and is the default web2py database. A connection string change allows connection to Firebird, IBM DB2, Informix, Ingres, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, and Google App Engine (GAE) with some caveats. Notable features:
- Multiple database connections.
- Automatic table creation and alteration.
- Automatic transactions.
- Distributed transactions:
  - Since web2py v1.17 with PostgreSQL v8.2 and later[32][33], because it provides an API for two-phase commits.
  - Since web2py v1.70.1 with Firebird and MySQL (experimental).
- GAE is not a relational store, but web2py emulates certain operations.
The DAL is fast, at least comparable with SQLAlchemy and Storm[34].
Web2py implements a DAL, not an ORM. An ORM maps database tables into classes and records into instances of those classes. The DAL instead maps database tables into instances of a class and records into instances of another class. It has very similar syntax to an ORM but it is faster, and can map almost any SQL expressions into DAL expressions. The DAL can be used without web2py[35].
Automatic database migrations
Web2py supports database migrations—change the definition of a table and web2py ALTERs the table accordingly. Migrations are automatic, but can be disabled for any table. Migrations and migration attempts are logged, documenting the changes.
Limitations:
- SQLite does not understand migrations well. In particular, it can't alter a table to change a column type; it simply stores new values according to the new type.
- GAE has no concept of alter-table, so migrations are limited.
Applications
Ready to use applications with source code
Many free, ready-to-use web2py plugins and applications are available with full source code, ready to customize, under various licenses.
Most are on the list at the web2py homepage; some of them:
- Ajax SpreadSheet: an embeddable spreadsheet.
- Chat: Ajax web chat supports multiple users and rooms.
- Cookbook: a simple appliance that allows users to post cookbook recipes. Plus a step-by-step tutorial about creating it.
- Blogs:
  - KennethDamianBlog: an easily customizable blog.
  - WordPressClone: a blog that looks identical to Wordpress.
- GrooverWiki: a wiki.
- KPAX CMS: a full CMS. Does web pages, wikis, blogs, chats, news, groups, permissions, RSS feeds.
- Podcasts: this program lets you receive, watch and listen to podcasts from various sources.
- Reddish: a Reddit clone for the Google App Engine.
- QrOne CSS Designer: application to build CSS layouts.
- DamianLogAnalizer: log analyzer application that does charting.
- IsUp: you list a bunch of URLs and it probes them every 30 seconds. It maintains a database of when the URLs were down.
Three of them elsewhere:
- PyForum, a full-fledged message board system.
- T2, a web2py plugin that implements web development patterns (registration, login, logout, groups, access, attachments, comments, previews, etc.), with extensive documentation.
- T3, a wiki application that runs everywhere, including on Google App Engine. Super-powered: it allows admin to define database tables (using DAL syntax) and to embed Python code into the source code of wiki pages.
A quick reference to the high-level web2py functionality that was added in T2 and T3: T2/T3 cheat sheet.
Web sites and applications using web2py
Licenses
Web2py code is released under GNU GPL v2.0 with commercial exception[36]. Various third-party packages distributed with web2py have their own licenses, generally MIT or BSD-type licenses. Applications built with web2py are not covered by the GPL license.
Web2py is copyrighted by Massimo DiPierro. The web2py trademark is owned by Massimo DiPierro.
Publications
- Online documentation on its homepage, with cookbook, videos, interactive examples, interactive API reference, epydocs (complete library reference), FAQ, cheat sheet, online tools etc.
- Web2py wiki — it's actually built using web2py.
- Web2py slides.
Videos
- web2py Enterprise Web Framework Tutorial.
- web2py "Shootout" video tutorial.
- web2py on the Google appengine.
- More video tutorials on Vimeo.
Printed
- Web programming with web2py; Python Magazine; Marco Tabini & Associates, Inc.; June 2008
- The official web2py manual, written by Massimo DiPierro:
  - 1st Edition: out of print. Wiley; September 16, 2008; 256 pages; ISBN 978-0-470-43232-7.
  - 2nd Edition: web2py Manual. Wiley; August 26, 2009; 341 pages; ISBN 978-0-470-59235-9. Read it online. Errata for the book.
Background
Support
Community support is available through the web2py knowledge base, the web2py mailing list at Google Groups, and the #web2py channel on IRC[37]. As of 2009-10-02, commercial web2py support is provided by fifteen companies worldwide.[38]
Developers
Lead developer: Massimo DiPierro (Associate Professor of Computer Science at DePaul University in Chicago). As of 2010-01-20, the web2py homepage lists 52 "main contributors".[39]
Development source code
The web2py development source code is available from two repositories:
Third-party software included in web2py
- Python-based components:
  - a fast[40][41], HTTP/1.1-compliant, multi-threaded, SSL-enabled and streaming-capable WSGI server from CherryPy;
  - fcgi.py: a FastCGI/WSGI gateway;
  - simplejson: a simple, fast, complete, correct and extensible JSON encoder and decoder;
  - markdown2: a Markdown processor, so you can write using this easy-to-read, easy-to-write plain text format, then on the fly convert it to structurally valid XHTML (or HTML);
  - PyRTF: an RTF document generator;
  - a syntax highlighter;
  - PyRSS2Gen: an RSS generator;
  - feedparser: to parse RSS and Atom feeds.
- JavaScript-based components:
  - jQuery: a lightweight JavaScript library;
  - EditArea: a free editor for source code;
  - nicEdit: a lightweight, cross platform, inline content editor.
- C-based components:
  - SQLite: a relational database;
  - memcached: a general-purpose distributed memory caching system.
History and naming
The source code for the first public version of web2py was released under GNU GPL v2.0 on 2007-09-27 by Massimo DiPierro as the Enterprise Web Framework (EWF). The name was changed twice due to name conflicts:
- EWF v1.7 was followed by Gluon v1.0.
- Gluon v1.15 was followed by web2py v1.16.
Web.py has a similar name, but they are unrelated.
Notes
1. Web2py speaks multiple protocols since v1.63
2. Using SOAP with web2py
3. Writing Smart Web-based Forms
4. Web2py online IDE with It's All Text! Firefox addon and Ulipad (open source Python IDE)
5. How to debug Web2py applications?
6. Wing IDE supports debugging for web2py
7. Eclipse/PyDev supports debugging for web2py
8. Using web2py on Eclipse
9. With Winpdb you can do remote debugging over TCP/IP
10. Encrypted communication in Winpdb
11. Simplest web page with web2py: "Hello World" example
12. How to use web2py templates without web2py
13. Using Joomla templates with web2py
14. Top 10 security issues according to OWASP in 2007
15. Top 10 security issues according to OWASP and what web2py does about them
16. Disassembler for Python bytecode
17. Extending Python with C or C++
18. Cython simplifies the writing of C extension modules for Python.
19. Pyrex developed to aid in creating Python modules, its syntax is very close to Python.
20. How to run web2py with Python 2.4
21. Web2py runs fully on Java and J2EE using Jython
22. Web2py runs with IronPython on .NET, with limitations
23. Web2py VMWare appliance coming soon
24. MySQL with web2py Windows binary on a USB thumb-drive
25. How to run the built-in SSL server
26. Web2py with Apache and mod_ssl
27. Web2py with Lighttpd and FastCGI
28. Web2py with Cherokee
29. Apache Module mod_proxy
30. Web2py with mod_proxy
31. Web2py with mod_proxy and mod_proxy_html
32. Distributed transactions with PostgreSQL
33. Distributed transactions with PostgreSQL — further details
34. ORM Benchmark
35. How to use web2py DAL without web2py
36. web2py License Agreement
37. IRC #web2py channel
38. Commercial support for web2py
39. List of main contributors to web2py
40. CherryPy v3 WSGI server benchmark results
41. How fast is CherryPy?