Drupal Release: 7.0-unstable-3

TL;DR

Drupal 7.0-unstable-3 brings significant improvements to the codebase, focusing on database abstraction, security fixes, and code modernization. This release includes better error handling during testing, enhanced taxonomy API, improved password strength checking, and numerous bug fixes. It's a development snapshot moving towards a more robust and secure Drupal 7 platform.

Highlight of the Release

• Enhanced database abstraction layer with query logging per connection
• Better password strength checker implementation
• Improved error handling during testing, catching notices, warnings and fatal errors
• Automatic cron run after installation
• Theme preprocess functions can now exist without corresponding .tpl.php files
• Security fixes for file inclusion vulnerability and XSS vulnerability

Migration Guide

Database API Changes

Modules using direct SQL queries need to be updated to use the new database abstraction layer. The key changes include:

• Use db_select(), db_insert(), db_update(), and db_delete() instead of db_query()
• For dynamic queries, use the query builder methods like addField(), condition(), etc.
• Use placeholders with the new syntax (:name instead of %s)

Example:

// Old way
$result = db_query("SELECT nid, title FROM {node} WHERE type = '%s'", $type);

// New way
$result = db_select('node', 'n')
  ->fields('n', array('nid', 'title'))
  ->condition('type', $type)
  ->execute();

JavaScript and CSS API Changes

The drupal_add_js() and drupal_add_css() functions now accept array parameters with more options:

// Old way
drupal_add_js($path);

// New way
drupal_add_js($path, array(
  'weight' => 5,
  'scope' => 'header',
  // Other options...
));

Taxonomy API Changes

The taxonomy API has been standardized. Update your code to use the new hook names and function signatures:

• Use hook_taxonomy_term_insert(), hook_taxonomy_term_update(), etc.
• Check the updated function signatures for taxonomy functions

Theme System Changes

• Theme preprocess functions can now exist without corresponding .tpl.php files
• Update your theme to handle the new behavior detachment for AHAH/AJAX

Upgrade Recommendations

This is an unstable development release (7.0-unstable-3) and is not recommended for production sites. It's intended for developers who want to test and contribute to Drupal 7 development.

For Developers and Testers

• Install in a development environment only
• Test your custom modules and themes for compatibility
• Report any bugs you find to the Drupal issue queue
• Begin updating custom code to use the new APIs (database abstraction, JS/CSS handling, etc.)

For Production Sites

• Continue using Drupal 6.x for production sites
• Wait for a stable Drupal 7 release before upgrading
• Use this time to plan your migration strategy and begin updating custom code

Module Maintainers

• Start updating your modules to use the new database abstraction layer
• Test with this development release to identify compatibility issues
• Update your code to use the new taxonomy hooks if applicable

Bug Fixes

Menu and Path Handling

• Fixed bug with 'active-trail' class in Primary/Secondary links
• Fixed broken link to cron.php when clean URLs are disabled
• Fixed bug in drupal_lookup_path('wipe')
• Fixed wildcard loader names with numbers
• Fixed wildcard loader problem

Form and AJAX Issues

• Fixed AHAH not working for checkboxes
• Fixed undefined property in forms
• Fixed PHP notice on error page

Comment System

• Fixed problem with comment threading
• Added test for comment threading

File Handling

• Fixed file inclusion vulnerability (SA-2008-067)
• Improved conf_path() header injection checking
• Fixed SimpleTest copying/deletion issues

Database Related

• Fixed issue with PostgreSQL users not being able to delete blocks
• Fixed queryTemporary which was missing a required argument
• Fixed search query that had field aliased to column name

Other Bug Fixes

• Fixed XSS vulnerability in book administration page (SA-2008-067)
• Fixed incorrect regex causing some aggregated CSS to fail
• Fixed exceptions in XML-RPC library and its tests
• Fixed issue with max_allowed_packet size in simpletests
• Fixed bootstrap phase issue that broke installer
• Fixed PHP notices in various modules
• Fixed invalid XHTML being generated for forum topic listings

New Features

Database Abstraction Layer Improvements

• Added query logging per database connection
• Made it easier to add multiple fields in dynamic SELECT statements
• Improved support for PostgreSQL and other database drivers
• Converted several core modules to use the new database API

Taxonomy System Enhancements

• Improved taxonomy hook system
• Added proper taxonomy term hooks
• Standardized vocabulary and term APIs
• Added automatic trimming of taxonomy term names upon save

JavaScript and CSS Handling

• Reworked the parameters of drupal_add_js() to be more flexible
• Added weighting to drupal_add_js() for better control of script loading order
• Updated to use array format in drupal_add_css()
• Updated jQuery Form Plugin to latest version
• Added ability for behaviors to detach from AHAH/AJAX

Testing Framework Improvements

• Added capability to catch notices, warnings and fatal errors during testing
• Fixed the --php parameter in run-tests.sh
• Improved test case for file operations
• Keep running tests checked by default

Other New Features

• Better password strength checker implementation
• Automatic cron run after installation with improved notifications
• Theme preprocess functions can now exist without corresponding .tpl.php files

Security Updates

Critical Security Fixes

• Fixed file inclusion vulnerability (SA-2008-067, #324824)
• Fixed XSS vulnerability in book administration page (SA-2008-067, #324824)
• Improved conf_path() header injection checking

Security Enhancements

• Made drupal_set_title() use check_plain() by default to prevent XSS attacks
• Better password strength checker implementation
• Extended error handler to manage exceptions
• Don't set Reply-To header in emails unless necessary

Performance Improvements

Database Performance

• Added an index on uid to make deleting watchdog entries faster
• Fixed no-op queries during menu rebuild
• Improved search indexing performance by changing the search_dataset.sid_type unique key to an index

Cache Improvements

• Improved the cache registry lookups for better performance
• Made module_implements work regardless of bootstrap phase
• Properly reset user_access() cache

PHP Optimizations

• Optimized timer_start() and timer_read() functions by taking advantage of PHP5
• Removed many PHP4-isms and workarounds for PHP versions less than 5.2.x
• Code simplification in various areas including bootstrap process

Other Performance Enhancements

• Improved session handling
• Better handling of static variables in objects
• More efficient file operations

Impact Summary

Drupal 7.0-unstable-3 represents a significant step forward in the development of Drupal 7, with major improvements to the database abstraction layer, security enhancements, and modernization of the codebase.

The most impactful changes include:

1. Database Abstraction Layer: The continued conversion of core modules to the new database API provides better cross-database compatibility and query logging capabilities. This is a fundamental change that affects how all modules interact with the database.

2. Security Improvements: Security fixes for file inclusion and XSS vulnerabilities, along with the implementation of check_plain() by default in drupal_set_title() and a better password strength checker, enhance the overall security posture.

3. Testing Framework: Significant improvements to SimpleTest, including the ability to catch notices, warnings, and fatal errors during testing, make it easier to develop robust modules and themes.

4. API Modernization: Updates to JavaScript and CSS handling, taxonomy hooks, and file operations bring the codebase up to modern standards and prepare for future enhancements.

5. Performance Optimizations: Various performance improvements, including better cache handling, database query optimizations, and removal of PHP4-era code, contribute to a more efficient system.

While this is still an unstable development release, it shows the direction Drupal 7 is taking toward a more robust, secure, and developer-friendly platform. Module and theme developers should begin familiarizing themselves with these changes to prepare for the eventual stable release.