project 4.7.x-2.3

This release addresses an access bypass security issue, DRUPAL-SA-2007-020. Sites that try to restrict access to projects based on the 'access projects' or 'access own projects' permissions should upgrade immediately.

Other changes since 4.7.x-2.2:

• #111323: allow maintainers to see npublished release nodes (also related to #109181) [backport]
• #111658: module browsing pages ignores release publish status and 'enable releases' settings.
• #115756 by Arthaey (with minor cleanup by dww): project_release.install doesn't work for PostgreSQL (you can't create indexes inside CREATE TABLE statements on pgsql).
• #115625: browse-by-date has no pager when filtering by version. Thanks to merlinofchaos for helping to find the bug in the count_query SQL.
• #128718: faulter headers in merged .po files (we were missing the --use-first argument to msgcat).
• #149963 by dww and aclight: Projects overview page has bad links to taxonomy terms that don't belong to the "Projects" vocabulary, and the links don't include other goodness from taxonomy_link(), for example, mouse-over link titles for term descriptions, etc.
• #151490 by aclight: View CVS Messages should not be available if project has no repository set.
• #151923: Project-generated vocabulary should be called "Project types".
• #151772 by aclight: field length in project_release form is too short.
• #152918: Project browsing pages don't honor the "active compatibility terms" setting, nor the published bit on release nodes. The totals for each category are wrong on the "Browse by category" summary page, and projects are displayed that have no published release nodes.
• #58630 by aclight: Fixing project breadcrumbs on the "View CVS messages" and "Developers" pages, along with a better version of project_project_set_breadcrumb() to make it easier to get breadcrumbs right in other places in the project* codebase.
• #151923: Fixing help text at admin/project/project-settings to use the current name of the project vocabulary instead of hard-coding it.
• #155996 by hass and drewish: Removed MyISAM settings from MySQL statements.
• #145755 by aclight: Fixed array_merge() error in releases subtab of project edit tab by unnecessary definition of $form['#validate'].
• #151892 by aclight (backported by dww): Use per-project logic to determine handling of certain CVS-related things by introducing a project_use_cvs() function that checks both that cvs.module is enabled, _and_ that the particular project node you pass in is configured to point to a CVS repository. This will need to be refactored for versioncontrol_api in the near future, but this is an important bug fix in the mean time.
• #154280 by aclight and dww: Project edit access not revoked if user has cvs privilages disabled. Also, immediately revoke CVS access in this case instead of waiting for the passwd file to be regenerated.
• #151892: Fixing syntax error in backport (revision 1.75.2.16.2.26).
• #159321: "Automatically generated path..." on project edit form needs a div. Backporting isn't technically necessary, since the bug doesn't appear in 4.7.x, but the extra div can't hurt.
• #155727: "Go" button should be called "Filter" on the version filter form for the download browsing pages.
• Fixing code style for string concatenations.
• #155727 by dww: Fixing improper use of dynamic content inside t().
• #155727 by hass and dww: Fixing some minor t() and XHTML validation bugs.
• #105224 by aclight, bonzinip and dww: The download table is broken if a release has no file attached (bogus date, size, and download link).
• #58630 by aclight and dww (slightly modified version of patch 7): Fixing breadcrumbs on release nodes for the 'add' and 'edit' forms.
• #157769 by dww: Fixed critical bug from #151892 where the "Restrict project creation to users with CVS accounts" setting was being ignored due to over-zealous use of project_use_cvs() on a node that doesn't exist yet instead of simply testing module_exists('cvs').
• #161552 by dww: Fixed another bug from #151892 where people with CVS access couldn't add or edit release nodes for projects they didn't own.
• #163464 by hunmonk -- make project select query SQL compliant.
• #159334 by dww: Fixed translation bugs and improved help text about the project vocabulary on the settings page. The text is now displayed at admin/content/taxonomy if you view the "Project type" vocabulary.
• #57667 by dww: Removed the code trying to display help text about using the "Project type" vocabulary when adding or editing project nodes. The code didn't work, so it wasn't displaying anyway, and the UI has been so majorly improved (#64221) that the help isn't needed.
• #127875 by dww: Fixed SQL syntax error when viewing a release download table on a site with no active "Project release API compatibility" terms.
• #162531 by dww: Removed inappropriate implementation of hook_link(). It was buggy, too (there was no link) so there's no visible change.
• #164615: Fixed typo in project_release_project_edit_form()
• #119860 by swood, drewish, dww, CSCharabaruk, et al: Added an implementation of hook_file_download() so that files attached to release nodes can be downloaded on sites with private file handling.
• #163586 by dww: Fixed bug in the SQL queries that generate the project browsing pages were releases without a file were needlessly filtered out.
• Adding link to TODO list: http://groups.drupal.org/node/5489
• #168431 by aclight and dww: Projects that don't use CVS had misleading text on the "View all releases" page if there were no published releases. Now, the text makes sense whether or not CVS is being used.
• #114281 and #168760 (SA-2007-020) by dww: Fixed numerous access bugs.