Drupal Release: 8.0.0-beta9

TL;DR

Drupal 8.0.0-beta9 brings significant improvements to caching, performance, and security. This release focuses on refining the architecture with better cache contexts and tags, fixing security vulnerabilities, improving PostgreSQL support, and preparing for PHP 7 compatibility. Key highlights include enhanced multilingual capabilities, improved Views functionality, and numerous bug fixes across core modules. This beta represents continued progress toward a stable Drupal 8 release with important architectural improvements that will benefit both developers and site builders.

Highlight of the Release

• Significant improvements to caching architecture with hierarchical cache contexts and better cache tags
• Security fixes including protection against CSRF vulnerabilities and open redirects
• Enhanced PostgreSQL support with numerous database-specific fixes
• Preparation for PHP 7 compatibility by renaming classes that use reserved words
• Improved multilingual capabilities with better language handling and translation UI
• Enhanced Views functionality with better field handling and caching
• Simplified permissions page and improved role management

Migration Guide

PHP 7 Compatibility Changes

If you're developing custom modules or themes, be aware that several core classes have been renamed to support PHP 7 compatibility:

• Utility\String class has been split and renamed (String is a reserved word in PHP 7)
• Various Typed Data classes have been renamed
• Views plugin classes have been renamed

Update any references to these classes in your custom code.

Deprecated Functions Removed

The following functions have been removed. Update your code to use their replacements:

• drupal_bootstrap and drupal_get_bootstrap_phase → Use the service container instead
• language_load(), language_list() and language_default() → Use the language manager service
• _update_fetch_data → Use the update manager service
• drupal_html_id() → Use \Drupal\Component\Utility\Html::getUniqueId()
• drupal_theme_access() → Use the theme access service
• request_uri() → Use the Request object
• valid_email_address() → Use \Drupal\Component\Utility\EmailValidator
• system_rebuild_theme_data() → Use the theme handler service

API Changes

• Url::__toString() has been removed. Use Url::toString() instead.
• The html => TRUE option from l() and link generator has been removed. Use proper render arrays instead.
• TypedConfigInterface::set() has been removed.
• User signatures have been removed and moved to contrib.
• LazyPluginCollection no longer implements \Iterator.

Cache API Changes

• Cache contexts are now hierarchical (e.g., 'user' is more specific than 'user.roles')
• #cache[expire] has been removed in favor of #cache[max-age]
• Added #cache[max-age] to disable caching and bubble the max-age

Entity API Changes

• Entity storage now loads field values before instantiating entity objects
• Config entities are now created in the negotiated language unless otherwise specified
• ContentEntityBase::set() now respects its interface

Views API Changes

• Views base tables and entity types can now define additional cache contexts
• Views now sets cache tags on its render arrays

Theme Changes

• Admin templates have been removed from Classy
• Several CSS components have been refactored to align with CSS standards

Upgrade Recommendations

This release (8.0.0-beta9) represents a significant step forward in Drupal 8's development with important architectural improvements, security fixes, and performance enhancements. As this is still a beta release, it is not recommended for production sites.

For Developers and Site Builders Testing Drupal 8:

• Upgrading to this beta is highly recommended if you're already using a previous Drupal 8 beta version.
• The security fixes alone (CSRF protection, open redirect fixes) make this update important.
• The improved caching architecture and PostgreSQL support provide substantial benefits.

For Production Sites:

• Continue using Drupal 7 for production sites until Drupal 8 reaches a stable release.
• Use this beta only for development, testing, and preparing for the eventual migration to Drupal 8.

For Module Developers:

• Update your custom code to account for the API changes detailed in the migration guide.
• Pay special attention to the renamed classes for PHP 7 compatibility and the removed deprecated functions.
• Test your modules thoroughly with this beta to ensure compatibility with the improved caching system.

Preparation Steps:

1. Create a complete backup of your site before upgrading
2. Update any custom code to use the new APIs
3. Test thoroughly in a development environment before considering any production use

This beta release brings Drupal 8 closer to a stable release with important architectural improvements that will benefit both developers and site builders in the long term.

Bug Fixes

Security Fixes

• Fixed Cron CSRF vulnerability (Issue #2431283)
• Implemented fixes from SA-CORE-2015-001 for password reset URL access bypass (Issue #2455079)
• Added protection against open redirects (Issue #2455083)
• Fixed issue where block content titles were not escaped on new block form (Issue #2446995)

PostgreSQL Support

• Fixed numerous PostgreSQL-specific tests and functionality:
  • Fixed node translation UI test (Issue #2443669)
  • Fixed condition form test (Issue #2443653)
  • Fixed entity query test (Issue #2443657)
  • Fixed field SQL storage test (Issue #2443659)
  • Optimized tableExists method for PostgreSQL (Issue #2370593)
  • Fixed issue with changing field types to serial, bigserial, or numeric (Issue #1668644)

Views Issues

• Fixed Views exposed filter form causing enormous form state cache entries (Issue #2252763)
• Fixed "Add another item" button placement for grouped filters (Issue #2394693)
• Fixed issue where disabling feed view display did not remove feed header (Issue #2409417)
• Fixed JavaScript error after using jQuery UI Dialog close button in Views UI (Issue #2413709)

Entity and Field Issues

• Fixed files with spaces in URIs failing entity TypedData validation (Issue #2278073)
• Fixed duplicate index on entity_id column in dedicated field tables (Issue #2428297)
• Fixed issue where taxonomy terms in Entity Reference field were not sorted (Issue #2412553)
• Fixed Boolean field formatter showing default choice twice in list (Issue #2428087)

Theme and Template Issues

• Fixed not found templates being displayed literally instead of throwing an Exception (Issue #2369981)
• Fixed Bartik maintenance CSS referenced incorrectly in libraries.yml (Issue #2442749)
• Fixed footer container contents being wider than other page elements in Bartik (Issue #1273052)
• Fixed themes being unable to implement hook_element_info_alter() and hook_theme_registry_alter() (Issues #2448843, #2448847)

New Features

Enhanced Caching Architecture

• Added hierarchical cache contexts (e.g., 'user' is more specific than 'user.roles')
• Implemented bubble cache contexts for better cache handling
• Added X-Drupal-Cache-Contexts header to aid in debugging and testing
• Improved Views caching with better cache tags and contexts

Improved Multilingual Support

• Added multilingual tour for language section
• Made config entities created in the negotiated language unless otherwise specified
• Fixed translation settings for nodes in standard profile
• Improved language handling for Views base fields

Better Field Management

• Added preconfigured field options concept in Field UI
• Categorized field type plugins for better organization
• Improved entity reference fields with better selection handling
• Made alt attribute required for Image fields by default

Enhanced Views Functionality

• Fixed Views preview for REST display
• Improved Views exposed filter form to reduce form state cache entries
• Added support for using data table as views base table when available
• Fixed issues with Views UI dialogs and filter handling

Simplified Role Management

• Implemented admin role as a flag on the role storage
• Simplified permissions page
• Removed user_modules_installed function

Security Updates

Critical Security Fixes

• Fixed Cron CSRF vulnerability (Issue #2431283)

  • This vulnerability could allow attackers to trigger cron runs without proper authorization

• Implemented password reset URL access bypass fixes from SA-CORE-2015-001 (Issue #2455079)

  • Ported security fixes from Drupal 7 to prevent unauthorized access to password reset URLs

• Added protection against open redirect vulnerabilities from SA-CORE-2015-001 (Issue #2455083)

  • Fixed issues that could allow attackers to redirect users to malicious sites

• Fixed issue where block content titles were not escaped on new block form (Issue #2446995)

  • This could potentially allow XSS attacks through unescaped block titles

Authentication and Access Control

• Fixed BasicAuth challenge never being sent to browser (Issue #2432657)

  • This improves the security of basic authentication implementation

• Fixed issue where ShortcutsBlock did not respect the 'access shortcuts' permission (Issue #2449633)

  • Ensures proper access control for shortcuts functionality

• Implemented Contact module's AccessControlHandler (Issue #2427713)

  • Improves access control for the Contact module

Other Security Improvements

• Removed trusted host verification incompatibility with URIs using the "internal" scheme (Issue #2417075)

  • Ensures proper host verification for better security

• Fixed maintenance mode message ending up in page cache and being served endlessly (Issue #2453351)

  • Prevents caching issues that could expose maintenance mode messages inappropriately

Performance Improvements

Route Handling Optimization

• Optimized the route rebuilding process to rebuild on write rather than on read (Issue #356399)
• This significantly improves performance by avoiding unnecessary route rebuilds

Entity Loading Improvements

• Refactored entity storage to load field values before instantiating entity objects (Issue #2137801)
• Added a way for entity manager to get fresh entity and field definitions without invalidating all caches (Issue #2443409)

Cache Optimization

• Removed extension:views cache tag and implemented other views-related cache improvements (Issue #2443485)
• Removed default block_plugin cache tags that were deemed useless (Issue #2449069)
• Improved caching for Views with better handling of cache contexts and tags (Issue #2381217)

Database Optimizations

• Optimized PostgreSQL tableExists method for better performance (Issue #2370593)
• Fixed duplicate index on entity_id column in dedicated field tables (Issue #2428297)
• Fixed issue where Views exposed filter form caused enormous form state cache entries (Issue #2252763)

Service Improvements

• Made several services lazy-loaded to improve performance (Issue #2454287)
• Removed CachedStorage::listAll() caching for better reliability (Issue #2442041)
• Used MemoryBackend in StorageComparer to avoid rereading data from disk or database (Issue #2411689)

Impact Summary

Drupal 8.0.0-beta9 represents a significant milestone in Drupal 8's development journey, focusing on architectural refinements, security hardening, and performance optimizations. This release brings substantial improvements to the caching system with hierarchical cache contexts and better cache tags, which will result in more efficient caching and better performance. Security has been enhanced with fixes for CSRF vulnerabilities and open redirects, making this an important update for anyone testing Drupal 8.

For developers, the most notable changes include preparation for PHP 7 compatibility by renaming classes that use reserved words, improved PostgreSQL support with numerous database-specific fixes, and modernized code with removal of deprecated functions. The entity API has been refined with better field handling and improved entity reference functionality.

Site builders will benefit from enhanced Views functionality, improved multilingual capabilities, and a more consistent field UI with preconfigured field options. The block system has been improved with better caching and visibility options.

Content editors will appreciate the improved accessibility with required alt attributes for image fields, better handling of multilingual content, and fixed issues with text formatting guidelines in textareas.

Administrators will find security improvements, better performance with optimized route rebuilding, improved maintenance mode handling, and enhanced role management with a simplified permissions page.

While this is still a beta release not recommended for production sites, it represents significant progress toward a stable Drupal 8 release with important architectural improvements that will benefit the Drupal ecosystem in the long term.