Drupal Release: 4.7.0-rc-1
Pre Release
Tag Name: 4.7.0-rc-1
Release Date: 3/31/2006
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 4.7.0-rc-1 marks a significant milestone in the development cycle, moving from beta-6 to release candidate status. This update includes numerous bug fixes across core modules, security improvements, and Form API conversions. Key improvements focus on fixing critical issues in the book module, menu system, upload functionality, and user permissions. The release addresses several security vulnerabilities and improves overall stability as Drupal approaches its final 4.7.0 release.
Highlights of the Release
- Fixed critical security vulnerability that allowed any user to delete comments (#55622)
- Resolved multiple book module issues that were causing page editing problems (#11206, #53956, #55493)
- Fixed menu system issues including external URL support and permission bypassing (#53857, #45988)
- Improved Form API implementation across multiple core modules
- Enhanced upload module functionality and fixed permission issues (#54298, #54913)
Migration Guide
This release candidate is part of the path to Drupal 4.7.0 final release. When upgrading from 4.7.0-beta-6 to 4.7.0-rc-1:
- Back up your database and files before performing any upgrade operations.
- Form API Changes: Several modules have been converted to use the Form API. If you've created custom modules that interact with these forms, you may need to update your code:
  - Profile module
  - Locale module
  - Menu module
  - Search module
  - Taxonomy module
- Menu System Changes: The menu builder has been completely overhauled (#42388). Custom modules that interact with the menu system may need updates.
- Theme Changes:
  - theme_placeholder() has been changed to theme('placeholder')
  - Check for any custom themes that might be affected by the comment module XHTML validation fixes (#56346)
- JavaScript Handling: If you've implemented custom JavaScript that relies on Drupal's error reporting behavior, be aware that the handling of cached JS files has been modified (#54002).
- Book Module: If you're using the book module extensively, test thoroughly as several critical bugs were fixed that might change behavior.
- Database Updates: Run the update script (update.php) after upgrading to apply any necessary database schema changes.
Upgrade Recommendations
Priority: Medium-High
This release candidate represents a significant step toward the stable 4.7.0 release and includes numerous bug fixes and security improvements.
- For production sites: If you're currently running 4.7.0-beta-6 and experiencing any of the issues fixed in this release, upgrading is recommended. However, as this is still a release candidate, proceed with caution and thoroughly test in a staging environment first.
- For development sites: Upgrading is strongly recommended to test your custom code against the latest changes, particularly if you interact with the Form API, menu system, or book module.
- For new installations: If you're setting up a new Drupal site and considering 4.7.x, this RC is preferable to the previous beta releases, but be aware that the final 4.7.0 release may still include additional changes.
Before upgrading:
- Create a complete backup of your site and database
- Review the full list of changes to identify any that might affect your custom code
- Test the upgrade on a staging/development environment first
- Run update.php after upgrading to apply any necessary database changes
Bug Fixes
Core System
- Fixed issue where forms with form tokens failed validation for anonymous users when caching was enabled (#51303)
- Fixed typo with page redirection upon login (#54687)
- Made site_name a required field (#54066)
- Fixed issue with string comparison on $_GET[q] by changing to arg() (#55640)
- Resolved issue with non-multiple form elements being set to array (#56143)
- Fixed XHTML validation errors in comment module links (#56346)
Book Module
- Fixed issue where editing a top-level book page inadvertently changed parent (#11206)
- Prevented moving away top-level book pages if they cannot be moved back (#53956)
- Fixed "book next link" breaking with PHP 5.1 (#50987)
- Fixed critical bug where editing an existing book page could crash Drupal (#55493)
- Resolved issue with book export where db_rewrite was breaking SQL queries (#53826)
Menu System
- Fixed external URL support for menus broken by security update SA-2006-001 (#53857)
- Complete overhaul of menu builder functionality (#42388)
- Fixed issue where nodes with menu items were bypassing the node permissions system (#45988)
Upload Module
- Fixed "Invalid argument supplied for foreach()" error in upload_save (#53666)
- Fixed issue where only user ID 1 could upload files (#54298)
- Resolved problem with checking filesize during uploading for users belonging to multiple roles (#54913)
- Fixed upload module not displaying previews when private files were enabled (#55520)
User Management
- Improved handling of deleted/blocked user accounts (#53348)
- Fixed issue where editing a node would change the author to the user editing it (#55550)
- Added notification for users with admin-created accounts (#42119)
- Fixed "User.module links for blocked/non-existent accounts" issue (#14591)
Comment System
- Fixed security vulnerability that allowed any user to delete comments (#55622)
- Fixed comment reply form anchor issues (#55666)
Forum & Taxonomy
- Fixed issue where forum and taxonomy term deletion worked only superficially (#54910)
- Fixed forum "last post" column showing oldest posts instead of most recent (#54098)
- Resolved issue where forum vocabulary wasn't handling standard vocabulary features correctly (#28625)
Search & Locale
- Fixed PO import not updating strings (#54008)
- Form API conversion for search functionality (#56457)
- Fixed search box display issues in certain themes (#56457)
JavaScript & AJAX
- Fixed cached JS files breaking Drupal's JavaScript error reporting behavior (#54002)
- Fixed upload module JavaScript broken on Firefox 1.0.x (#53314)
- Fixed autocomplete functionality broken by Prototype library (#47557)
Database
- Fixed MySQL database scripts where Replace blocks statements failed with latest MySQL (#39755)
- Added prefix to UPDATE & DROP TABLE IF EXISTS statements (#24749)
- Fixed watchdog not logging update errors (#54003)
BlogAPI
- Fixed blogapi failing to post with permission errors unless uid=1 (#56016)
- Fixed validation in blogapi (#53834)
Profile & Contact
- Form API conversion for profile module with minor fixes (#53628)
- Removed crufty code from contact module (#54151)
- Fixed author block not obeying settings (#55040)
- Made author block configure page only show public fields (#55788)
New Features
No significant new features were introduced in this release candidate as it focuses primarily on bug fixes and stability improvements. The main goal of this RC is to stabilize the codebase in preparation for the final 4.7.0 release.
Security Updates
- Fixed critical vulnerability that allowed any user to delete comments (#55622)
- Resolved issue where nodes with menu items were bypassing the node permissions system (#45988)
- Added protection for .install and .*sql files to prevent unauthorized access (#54784)
- Fixed issue where only user ID 1 could upload files, improving permission handling (#54298)
- Improved handling of deleted/blocked user accounts to prevent potential security issues (#53348)
- Enhanced form token validation for anonymous users when caching is enabled (#51303)
- Fixed external URL support for menus that was broken by security update SA-2006-001 (#53857)
Performance Improvements
Performance Enhancements
- Improved database query handling, particularly with MySQL compatibility issues (#39755)
- Enhanced caching behavior for JavaScript files (#54002)
- Optimized menu builder functionality through complete overhaul (#42388)
- Improved watchdog logging efficiency, especially when using non-default databases (#42000)
- Reduced code redundancy across multiple modules through Form API conversions
- Removed unnecessary database query arguments in search code
- General code cleanup and removal of deprecated functionality across multiple modules
Impact Summary
Drupal 4.7.0-rc-1 represents a significant milestone in the development cycle as it transitions from beta to release candidate status. This update focuses primarily on stability and bug fixes rather than introducing new features.
The most impactful changes address critical security vulnerabilities, particularly one that allowed any user to delete comments (#55622) and another where nodes with menu items were bypassing permission systems (#45988). These fixes substantially improve the security posture of Drupal sites.
Several modules received Form API conversions, including profile, locale, menu, and search modules. This standardization improves code quality and maintainability but may require updates to custom code that interacts with these forms.
The book module received significant attention, fixing multiple critical issues that were causing page editing problems and potential site crashes. The menu system also saw substantial improvements, including a complete overhaul of the menu builder.
Upload functionality issues were addressed, fixing problems with permissions, file size checking for users in multiple roles, and preview display with private files. These changes improve content management workflows for editors and administrators.
Database compatibility was enhanced, particularly for sites using newer MySQL versions, and watchdog logging was improved to better handle errors when using non-default databases.
Overall, this release candidate significantly improves stability, security, and reliability as Drupal approaches its final 4.7.0 release.
Statistics:
User Affected:
- Fixed security vulnerability that allowed any user to delete comments (#55622)
- Improved user account management with better handling of deleted/blocked accounts (#53348)
- Enhanced notification system for admin-created user accounts (#42119)
- Fixed issue where only user ID 1 could upload files (#54298)
