Drupal Release: 7.0-unstable-7

TL;DR

This Drupal 7.0-unstable-7 release brings significant improvements to the database abstraction layer, field API, and caching mechanisms. It introduces a new queue system for asynchronous processing, enhances the SimpleTest framework, and includes numerous code style cleanups and documentation improvements. Security fixes address potential cross-site scripting vulnerabilities, while performance optimizations focus on reducing unnecessary database queries. The release also features UI improvements like vertical tabs for user settings and better organization of administrative pages.

Highlight of the Release

• Introduction of a queue system API for asynchronous task processing
• Major conversion of core modules to the new database abstraction layer
• Default to InnoDB in MySQL for better data integrity and performance
• Improved block system with mission statement and footer message as blocks
• Revamped user settings page with vertical tabs and better organization
• Enhanced SimpleTest framework with new assertion methods and interface improvements
• Security fixes for potential cross-site scripting vulnerabilities
• Performance optimizations in path handling and caching mechanisms

Migration Guide

Function Renames

• drupal_execute() has been renamed to drupal_submit_form(). Update all calls accordingly.
• Several other internal functions have been renamed for consistency. Check function deprecation notices.

Database API Changes

• Many core modules have been converted to the new database abstraction layer. If your module interacts with these modules' tables, you'll need to update your queries.
• Review your custom SQL queries and convert them to the new database abstraction layer.
• If using COUNT(*) queries just to check for existence, replace with SELECT 1 ... LIMIT 1 pattern.

Block System Changes

• The mission statement and footer message are now blocks. If your theme relied on these variables, update to use the block system instead.
• Main page content is now a real block. Update your theme if you were handling this specially.

Field API Changes

• hook_field_load() is now multiple like field_attach_load(). Update your implementations.
• Field display settings now run prefixes and suffixes through field_filter_xss() rather than check_plain().
• Default values are now saved on insert. Review your field implementations.

Theme Changes

• box.tpl.php has been removed. Update any themes that use this template.
• theme_xml_icon() has been removed. Use theme_feed_icon() instead.
• $breadcrumb and $mission variables have been moved out of the content div.

PHP Requirements

• The code now requires the PHP tokenizer extension. Ensure this is installed on your server.

Upgrade Recommendations

This is an unstable development release (7.0-unstable-7) and is not recommended for production sites. It contains significant API changes and is intended for developers to test and provide feedback.

If you are a module developer, this is a good time to start updating your modules to work with Drupal 7's new APIs, particularly:

• The database abstraction layer
• Field API changes
• Queue system API
• Static caching API

Site builders should wait for a more stable release before upgrading production sites. However, testing this release in a development environment is encouraged to identify compatibility issues with contributed modules.

When upgrading a development site:

1. Back up your database and files
2. Update your codebase
3. Run update.php
4. Test thoroughly, especially if you use contributed modules

Pay special attention to the database layer changes and field API modifications, as these are the areas with the most significant changes in this release.

Bug Fixes

Critical Bug Fixes

• Fixed typo preventing edit and delete links on translation page from working (#368064)
• Fixed broken book breadcrumbs with added tests (#444920)
• Fixed problem with private files (#147310)
• Fixed form cache not being cleared on submit when page cache is activated (#343415)
• Fixed broken anchor tags on permissions page (#392582)
• Fixed fatal error when submitting aggregator block (#423886)
• Fixed glitch in comment paging (#353328)
• Fixed batch API rounding issues (#267333)

Database-Related Fixes

• Fixed PostgreSQL installation issues (#472646)
• Fixed handling of NULL serial columns in drupal_write_record() (#445214)
• Fixed failing tests in SQLite/PostgreSQL due to NULL values for ftid and ftvid (#445094)
• Fixed SQLite abstraction layer to accept arrays of placeholder values (#464878)

Other Fixes

• Fixed drupal_http_request() to properly handle redirects (#457788)
• Fixed node_body_field to check ->has_body (#223771)
• Fixed automatic enctype on adding a file field (#137932)
• Fixed teaser splitting JavaScript code (#193577)
• Fixed favicon mime-type handling (#415710)
• Fixed menu machine-name validation error (#292790)

New Features

Queue System API

A new queue system has been introduced that allows placing items in a queue and processing them later. The system ensures that only one consumer can process an item at a time. This provides a standardized way to handle asynchronous processing tasks across the system.

Block System Improvements

• Mission statement is now a block, providing more flexibility for placement
• Footer message is now a block, allowing for better customization
• Main page content is now a real block, improving layout flexibility

User Interface Enhancements

• User settings page has been revamped with vertical tabs and better organization
• Title/body fieldset is now expanded by default for better visibility
• 'Workflow settings' renamed to 'publishing options' for clarity

Aggregator Module Improvements

• Added option to suspend feeds
• Added option to never discard feed items
• Improved handling of feed item keys

Database Improvements

• Default to InnoDB in MySQL for better data integrity
• Added db_truncate_table() function to the database layer
• Allow non-default database connections in installation profiles

Security Updates

Cross-Site Scripting Protection

• SA-CORE-2009-005 #2 (#449142) - Fixed potential cross-site scripting vulnerability
• SA-CORE-2009-006 (#462428) - Fixed cross-site scripting vulnerability (forward-port)
• Removed header injection check that is now redundant thanks to PHP 5.1.2 and beyond (#444154)
• Added check_plain() call to prevent potential XSS issue (#465190)

Input Validation

• Improved security for AHAH callbacks (#360128)
• Added type checking for passwords to prevent potential security issues (#398902)
• Email addresses are now trimmed before validation/submission to prevent validation bypass (#61856)

Other Security Improvements

• Prefixed aggregated CSS and JS files to prevent certain firewalls from blocking them if they start with "ad*" (#452704)
• Removed 'q' from possible letters that can be appended to aggregated css/js string to prevent confusion with ['q'] parameter (#454992)

Performance Improvements

Database Optimizations

• Replaced COUNT(*) queries with SELECT 1 ... LIMIT 1 queries when only checking for row existence
• Added better caching to drupal_lookup_path() for improved path handling performance
• Removed unnecessary queries in search module
• Added indexes for field storage to improve field-related queries

Caching Improvements

• Converted menu.inc to the new static caching API
• Converted drupal_add_js/css to static caching API
• Update module now always uses the database for caching project data
• Only cache field data for current revision to reduce cache size
• Improved form cache handling

Other Performance Enhancements

• Added node_delete_multiple() for more efficient deletion of lots of nodes
• Removed unnecessary module_rebuild_cache() calls
• Optimized SimpleTest bootstrap process by bringing unit tests back to life
• Improved handling of aggregated CSS and JS files

Impact Summary

This Drupal 7.0-unstable-7 release represents a significant step forward in Drupal 7's development with major architectural improvements. The new database abstraction layer enhances cross-database compatibility, while the queue system API provides a robust foundation for asynchronous processing. Field API refinements improve both developer experience and end-user content management.

Performance optimizations in caching and database queries will result in faster page loads and better scalability. Security fixes address potential vulnerabilities, making the platform more secure even in this development stage.

For developers, this release requires significant adaptation to new APIs and patterns, particularly around database handling, form submission, and field management. The renamed functions and new approaches to common tasks will require updates to custom code.

Site builders will benefit from improved block flexibility, better user interface organization, and enhanced testing capabilities. The move to InnoDB as the default MySQL storage engine improves data integrity and performance.

While this is an unstable release not recommended for production, it provides a clear view of Drupal 7's direction and gives developers an opportunity to begin adapting their code to the new architecture.