Drupal Release: 7.0-unstable-10

TL;DR

Drupal 7.0-unstable-10 represents a significant evolution from 7.0-unstable-1 with major architectural improvements and new features. This release introduces RDFa support, a plugin manager for module installation through the UI, contextual editing capabilities, AJAX framework improvements, and a new Field API with multilingual support. It also includes important performance optimizations, security enhancements, and accessibility improvements. This unstable release lays the groundwork for what will become Drupal 7's stable release, with a focus on developer APIs, user experience, and modern web standards.

Highlight of the Release

• Introduction of RDFa support for semantic web integration
• New Plugin Manager for module installation and updates through the UI
• Contextual editing capabilities for in-place content management
• Field API improvements with multilingual support
• AJAX framework enhancements and JavaScript States system
• New sequences API to replace incrementing ID tables
• Improved accessibility across multiple interfaces
• Enhanced theme system with alter hooks for themes
• Archiver interface for handling multiple archive formats
• Performance optimizations in core systems

Migration Guide

Theme Function Changes

If you've implemented custom theme functions, be aware that hook_theme() has changed to allow theme functions to take one argument without any hacks. Review your theme implementations to ensure compatibility.

// Old style:
function hook_theme() {
  return array(
    'my_theme_function' => array(
      'arguments' => array('arg1' => NULL),
    ),
  );
}

// New style:
function hook_theme() {
  return array(
    'my_theme_function' => array(
      'variables' => array('arg1' => NULL),
    ),
  );
}

URL Rewriting Changes

The custom_url_rewrite_inbound() and custom_url_rewrite_outbound() functions have been converted to hooks. If you were using these functions, update your code:

// Old style:
function custom_url_rewrite_inbound(&$path, $original_path, $path_language) {
  // Custom code
}

// New style:
function hook_url_inbound_alter(&$path, $original_path, $path_language) {
  // Custom code
}

Field API Changes

If you've built custom field types or widgets, review the Field API changes, particularly:

• Namespacing for bundle names has been improved
• Entity handling has been moved out of Field API
• Widget implementation has been simplified

AJAX Framework Changes

The AJAX framework has been significantly improved. If you're using AJAX in your modules:

• Review the unified page, AJAX 'path', and AJAX 'callback' callbacks
• Update your code to use the new AJAX command structure
• Ensure your JavaScript implements Drupal.detachBehaviors()

Database API Changes

If you're using custom database queries:

• Review the new sequences API if you're using auto-increment tables
• Check for lowercase comparison operators support in DBTNG
• Update any code that relies on specific database behaviors

Path API Changes

If you're manipulating URLs or paths:

• Update to use the new Path API
• Replace custom_url_rewrite_* function calls with hook implementations

Upgrade Recommendations

This is an unstable development release (7.0-unstable-10) and is not recommended for production sites. It contains significant API changes and new features that are still being refined for the stable Drupal 7 release.

For developers working with Drupal 7 development:

• Test your modules thoroughly against this release to identify compatibility issues
• Review the API changes, particularly in Field API, AJAX framework, and theme system
• Update custom code to use the new hooks and APIs
• Contribute any issues or bugs you find to the Drupal issue queue

For site owners:

• Continue using Drupal 6.x for production sites until Drupal 7.0 stable is released
• Consider setting up a development environment with this release to test your site's compatibility
• Begin planning migration strategies for custom modules and themes

When upgrading from previous unstable releases:

1. Back up your database and files
2. Replace all core files and directories
3. Run update.php immediately
4. Clear all caches
5. Test thoroughly, especially custom code and contributed modules

Note that the upgrade path from Drupal 6 to Drupal 7 is still being refined in these unstable releases.

Bug Fixes

Theme System Fixes

• Fixed theme_get_setting() to properly handle custom theme settings
• Resolved issue where theme system would not report when a theme key is not found
• Fixed aggressive reset.css in Seven theme that broke RTL language and some forms

AJAX and Form Handling

• Fixed hook_exit() and other cleanup for AJAX requests
• Resolved issues with AJAX command 'settings'
• Fixed form validation for node filter page to ensure rows were selected
• Corrected confirm_form() to respect query string destination

Database and Performance

• Fixed bug in the default queue implementation
• Resolved PDOException issues
• Fixed database query issues in taxonomy term reordering
• Corrected schema not being available in hook_install()/hook_enable()

Content Management

• Fixed node multiple delete fatal error
• Resolved issues with image styles not being usable as formatters
• Fixed broken CLI installs
• Corrected problem with creating images

User Management

• Fixed user pictures not working with private files
• Resolved impersonation attack vulnerability when an https session exists
• Fixed flood control window inconsistency (6 hours vs. 1 hour)

Taxonomy

• Fixed bug with taxonomy term reordering
• Resolved re-ordering bug when taxonomy overview form is saved
• Fixed notice when multilingual body display set to hidden

Field API

• Fixed namespacing for bundle names to prevent users from rendering their site unusable
• Resolved problem with list field static caching in field_update_field()
• Fixed incomplete initialization in _field_info_collate_fields()

Other Fixes

• Fixed timer_read() returning NULL after timer_stop()
• Corrected wrong variable used in file_build_uri()
• Fixed "Clean environment" button not flushing all caches
• Resolved issues with compressed pages

New Features

RDFa Support

Added comprehensive RDFa support to Drupal core, enabling semantic web integration and improved machine-readable content. This feature allows Drupal sites to expose structured data that can be consumed by search engines and other services.

Plugin Manager

Introduced a functioning Plugin Manager that enables module installation and updates through the UI. This eliminates the need for FTP access to install new modules and makes site maintenance significantly easier.

Contextual Editing

Added contextual editing capabilities that allow users to edit content directly from the page view. This provides quick access to editing functions without having to navigate through the administrative interface.

Update Manager

Implemented an Update Manager that simplifies keeping Drupal core and modules up-to-date through the UI, with support for secure connections and proper error handling.

Customizable Shortcuts

Added customizable shortcuts to the toolbar, allowing users to create personalized quick access links to frequently used administrative pages.

JavaScript States System

Introduced a FAPI JavaScript States system that enables dynamic form behavior based on the state of other form elements, without requiring custom JavaScript.

Archiver Interface

Created a common interface for archive operations to handle multiple formats like .zip and .tar.gz, making it easier to work with compressed files.

Multilingual Field Handling

Implemented integration between Field API and locale module for translatable fields, including node bodies and other content.

Sequences API

Added a sequences API to replace tables that only contain incrementing IDs, fixing database import problems and improving performance.

Path API

Introduced a comprehensive API for path.module and converted custom_url_rewrite functions into proper hooks for better URL handling.

Security Updates

User Authentication and Sessions

• Fixed impersonation attack vulnerability when an https session exists
• Ensured user's raw login name is never output directly to prevent XSS attacks
• Improved HTTPS support and implemented HTTPS for authorize.php when available

Form Handling

• Added better validation and error messages when installing new code via update manager
• Fixed security issues with form submissions and validation

Access Control

• Added edit/delete terms permission per vocabulary for more granular access control
• Improved permission checks throughout the system

Input Sanitization

• Added missing check_plain() in theme_field_formatter_taxonomy_term_plain()
• Enhanced input sanitization across various modules
• Added input format capability to taxonomy term descriptions

Other Security Improvements

• Improved error handling in the archiver interface
• Added warning to 'Administer users' permission to highlight its security implications
• Fixed issues with certain configurations of compressed pages that could expose security vulnerabilities

Performance Improvements

Caching and Static Storage

• Optimized drupal_get_filename() and drupal_load() to not use drupal_static(), improving performance
• Reduced {system} database hits on every page request
• Added index to avoid filesort in filter_formats()
• Streamlined drupal_bootstrap() and exposed the flow to code profilers

Conditional Processing

• Optimized check_plain() function for better performance
• Improved performance by not invoking hook_url_outbound_alter() when there's nothing to invoke
• Added permission to decrease performance impact of contextual links
• Optimized toolbar to only build if it will be displayed

Database Operations

• Implemented use of slave servers for statistics, tracker, and search modules
• Allowed lowercase comparison operators in DBTNG for more efficient queries
• Removed schema rebuild from field_cache_clear() to improve performance

Code Optimization

• Removed drupal_render_children() from drupal_render() by inlining it
• Reduced performance overhead of drupal_alter()
• Improved menu router handling for better performance
• Used require instead of require_once() in _registry_check_code() for better performance

Impact Summary

This unstable release represents a significant milestone in Drupal 7's development, introducing fundamental architectural improvements and new features that will shape the final Drupal 7.0 release. The addition of RDFa support positions Drupal at the forefront of semantic web integration, while the new Plugin Manager and Update Manager dramatically improve the site administration experience by enabling module installation and updates through the UI.

For developers, this release provides powerful new APIs including the Field API with multilingual support, a sequences API, and improved path handling. The AJAX framework enhancements and JavaScript States system offer more sophisticated front-end capabilities with less custom code. Theme developers benefit from improved theme function handling, alter hooks for themes, and better error reporting.

Content editors and site administrators will appreciate the contextual editing capabilities, customizable shortcuts, and improved content management interfaces. The focus on accessibility improvements makes Drupal more inclusive, while performance optimizations ensure the system remains efficient despite its growing feature set.

This release demonstrates Drupal's evolution toward a more user-friendly, developer-friendly, and standards-compliant content management framework. While still unstable and not recommended for production use, it provides a clear view of what Drupal 7 will offer when finalized.