Drupal Release: 7.0-unstable-5

TL;DR

Drupal 7.0-unstable-5: Major Field API Introduction and Performance Improvements

This release introduces the initial Field API patch, a cornerstone feature for Drupal 7 that enables attaching fields to various entities. Additionally, significant performance improvements have been made to session handling, drupal_render(), and database queries. The release also includes numerous bug fixes, improved accessibility for form elements, enhanced multilingual capabilities, and a new minimalist "Stark" theme. Several modules can now be uninstalled cleanly, and the UI has undergone terminology improvements based on usability studies.

Highlight of the Release

• Introduction of the initial Field API patch, allowing fields to be attached to entities
• Performance improvement: anonymous sessions are no longer written unless necessary
• New 'Stark' theme added to demonstrate Drupal's default markup
• Improved accessibility for radio buttons and checkboxes
• Renamed 'input format' to 'text format' based on usability studies
• Several modules (taxonomy, comment) can now be uninstalled cleanly
• New hook_page_alter() for modifying page output
• Vastly improved translation string search and editing interface
• Better transaction support in database layer

Migration Guide

Terminology Changes

• 'Input format' has been renamed to 'text format' based on usability studies (#244904)
• 'Main page' is now referred to as 'Front page' in update.php for consistency (#349327)
• Operation in Input Formats changed from 'Configure' to 'View Configuration' (#219584)

API Changes

• drupal_add_css/js parameter changed to use 'type' instead of $scope to clean up calling code (#345973)
• variable_get()'s default parameter now defaults to NULL so NULLs don't need to be specified (#88264)
• Menu title callback property can now bypass t() (#348627)
• Added means of getting all instances of a field (#370037)
• hook_menu_alter() documentation updated to use 'items' rather than 'callbacks' to match hook_menu() (#357429)

Module Changes

• Block module is now optional (#367380)
• Comment module can now be uninstalled (#360106)
• Taxonomy module can now be uninstalled (#360104)
• Locale module no longer auto-installs with custom install profiles (#310863)

File Management

• User pictures are now managed files (#357403)
• Added function to delete unmanaged files recursively (#373502)

Database Layer

• Removed db_and() and db_or() calls from database files (#360113)
• More robust example of how to use transaction support in D7 (#360887)
• Added timestamp to {poll_votes} table (#360785)

Upgrade Recommendations

This is an unstable development release (7.0-unstable-5) and is not recommended for production sites. It contains significant API changes, particularly with the introduction of the Field API, which is still under active development.

Developers working on Drupal 7 modules should update their development environments to test compatibility with these changes, especially:

1. The new Field API implementation
2. Changes to the rendering system
3. Database layer improvements
4. Module uninstallation capabilities

Site builders and module developers should be aware that APIs may continue to change between unstable releases. This release is primarily for those who want to test and contribute to Drupal 7's development.

When upgrading from 7.0-unstable-4 to 7.0-unstable-5, be sure to run update.php to apply database schema changes, particularly for the URL alias table structure.

Bug Fixes

Database and Query Fixes

• Fixed InsertQuery functionality (#301049)
• Fixed inconsistent behavior with transaction support and insert queries (#355225)
• Fixed a typo in SQLite transaction detection code (#360982)
• Fixed a bug in node_access() that posed a possible SQL injection risk (#278675)
• Fixed a bug in the URL alias table structure for better performance (#363262)

UI and Form Fixes

• Fixed PHP notice on preview with body-less nodes (#320395)
• Fixed naming conflict with 'file' preprocess variable (#297952)
• Fixed disabled checkboxes functionality (#314283)
• Fixed bug with updating feed categories (#360605)
• Fixed deletion of terms (#346156)
• Fixed count returned by taxonomy_term_count_nodes() with multi-select vocabularies (#144969)
• Fixed node_feed() silently discarding content (#365183)
• Fixed query in recent comment block that resulted in fatal error (#349823)
• Fixed user picture rendering (#371327)
• Fixed 'delete' link on block administration screen (#372400)
• Fixed drupal_write_record() bug with multi-field primary keys (#369423)

Multilingual Fixes

• Fixed error during multilingual installation due to NULL value on required field (#368729)
• Fixed bug in language switcher block that made all languages active (#220559)
• Fixed Locale uninstall (#347288)

Other Fixes

• Fixed CSRF vulnerability on update.php (#361699)
• Fixed menu translation returning FALSE before to_arg is available (#298722)
• Fixed _menu_translate returning FALSE before to_arg is available (#298722)
• Fixed error message about upload when not uploading a file (#30520)
• Fixed HTTP_HOST handling (#346285)

New Features

Field API Introduction

The most significant addition in this release is the initial Field API patch (#361683). This foundational feature allows fields to be attached to various entities in Drupal, providing a flexible content architecture system. While more work remains to be done, this represents a major milestone for Drupal 7's development.

New Stark Theme

A new minimalist "Stark" theme (#364777) has been added to core to demonstrate Drupal's default markup without styling. This provides a clean baseline for theme developers to understand Drupal's HTML structure.

Hook Page Alter

A new hook_page_alter() (#351235) has been introduced, allowing modules to modify page output before it's rendered, providing greater flexibility for page manipulation.

Centralized AHAH Callback

A centralized AHAH callback (#360128) has been created to reduce duplicate code across the system, making Ajax functionality more consistent and maintainable.

Improved Translation Interface

The translation string search and editing interface (#52990) has been vastly improved, making it easier to find and translate strings.

Default Directory Structure

Drupal now ships with default sites/all/modules and sites/all/themes directories (#360415), making the recommended directory structure clearer for new users.

Tablesort Form API Element

A new 'tablesort' Form API element (#242962) has been added to unify various places where tables with JavaScript-enabled checkboxes are used.

Security Updates

CSRF Protection

• Added CSRF protection to update.php (#361699), preventing cross-site request forgery attacks on this sensitive administrative page.

SQL Injection Prevention

• Fixed a possible SQL injection risk in node_access() (#278675), which was already part of Drupal 6 but now forward-ported to Drupal 7.

Session Security

• Improved HTTP_HOST handling (#346285) to prevent potential security issues related to HTTP host header manipulation.

Performance Improvements

Session Handling Optimization

A significant performance improvement (#201122) prevents writing anonymous sessions unless something has been written to $_SESSION, reducing database load for anonymous users.

Rendering Performance

Multiple improvements to drupal_render() have been implemented:

• Avoiding sorting elements twice (#353632)
• Further improving performance of sorting in the rendering process (#370846)
• Refactoring the theming system (#355236)

Database Performance

• Replaced the 'src' index on the {url_alias} table with 'src, language' for better performance (#363262)
• Avoiding pager query if there are no comments on a node (#352337)

Protocol Filtering Optimization

The filter_xss_bad_protocol function, which was being called hundreds of times on some pages, has been optimized (#354812)

Code Simplification

• Simplified DBTNG code flow (#363687)
• Shortened drupal_map_assoc() for better performance (#367711, later reverted)

Impact Summary

This release represents a significant milestone in Drupal 7's development with the introduction of the Field API, a cornerstone feature that will enable much of Drupal 7's content architecture flexibility. The Field API allows fields to be attached to various entities, providing a powerful foundation for structured content.

Performance has received considerable attention with improvements to session handling (not writing anonymous sessions unnecessarily), rendering optimization, and database query enhancements. These changes should result in better scalability and faster page loads, particularly for anonymous users.

Usability improvements based on research studies have led to terminology changes (like renaming "input format" to "text format") and interface enhancements. The new minimalist "Stark" theme provides a clean demonstration of Drupal's default markup, which will be valuable for theme developers.

The system is becoming more modular, with several previously required modules now being optional or cleanly uninstallable. This gives site builders more flexibility in configuring exactly what functionality they need.

Multilingual capabilities have been enhanced with a vastly improved translation interface and better handling of language-specific features, making Drupal 7 more accessible to international audiences.

Security has been strengthened with CSRF protection for update.php and fixes for potential SQL injection vulnerabilities, maintaining Drupal's commitment to security.

Overall, this unstable release shows Drupal 7 taking shape with major architectural improvements while addressing performance, usability, and security concerns.