drupal 6.0-rc2

For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc2

This release candidate fixes security vulnerabilities. Those running the previous release candidate are urged to upgrade immediately. For more details, please see the security announcement:

• SA-2008-005 - Drupal core - Cross site request forgery
• SA-2008-006 - Drupal core - Cross site scripting (UTF8)
• SA-2008-007 - Drupal core - Cross site scripting (register_globals)

In addition to this security vulnerability, the following bugs have been fixed since the first release candidate:

• #199241 by bjaspan, Heine: fix documentation on how confirm forms are constructed; port of Drupal 5 fix
• #202925 report by beholder, patch by myself: (notice fix) only consider languages with a host set when comparing with the current host in domain language negotiation
• #202895 by cwgordon7, theborg: fix node revision view page load argumnets
• #194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
• #200921 by Pancho: code consistency change, renaming an internal variable in drupal_get_schema() for better developer docs
• #202997 by JirkaRybka: more specific CSS selector for draggable links
• #202967 by catch: kill notice on forum page
• #181195 by hunmonk and Pasqualle: node type related variables were not properly renamed, when node type names changed
• #203274 by Pasqualle: remove excessive witespace from our code (minor)
• #195176 by chx: form_set_error doxygen was misleading
• #194310 by JirkaRybka: t() was misused in update.php (we should not use t() in the update process)
• #194946 by dmitrig01, Pasqualle: christmas cleanup (some code style issues fixed)
• #198234 by bjaspan: fix improper type maps for numeric and char values in schema API
• #154517 follow up by Desbeers: path_form_alter() was not path alias language aware
• #203482 by Desbeers: block module HTML typo in help (outside t())
• #203316 by douggreen: schema docs for the search_node_links table
• #173656 by qucksketch: fix upload form ordering and delete buttons on preview, among smaller issues
• #203660 by keith.smith: missing 'a' tag name in 'a href='
• - Patch #174226 by keith.smith, pwolanin et al al -- and greatly simplified by me: added a copyright notice.
• #197722 by catch, hwsong3i: remove 4.7 to 5.x updates; we only support direct updates from 5.x to 6.x
• - Patch #203509 by pwolanin, chx, cwgordon7 et al: fixed menu inheritenace.
• - Patch #176748 by pwolanin, Rob Loach: fixed broken breadcrumbs.
• #191914 by chx: admin check was missing from menu user_register_access()
• #204081 by chx: check menu arguments by type, so type casting will not cause problems
• #203794 by douggreen: nonexistent dependencies should not be considered on the dependency checker
• #176748 follow up by pwolanin: fix bad breadcrumbs and missing/wrong titles
• Reported at http://groups.drupal.org/node/7843 : language direction was not translated in the overview (it is in the form, so no new string for translators)
• Reported at http://groups.drupal.org/node/7843 by kkaefer: t() was used in install.php in place of st()
• #152497 by bjaspan, with more docs from myself: user_external_login() was not updated to latest login process
• #194369 by lots of contributors: move default files directory to sites/default/files which can be created automatically on install, so no need to bug the user about it, making the install process easier
• - Patch #204083 by pwolanin: PHPdoc improvement.
• - Patch #194369 by webernet: fixed the default files directory on multi-site setups.
• - Patch #203316 by mooffie and douggreen: improved schema documentation.
• - Patch #204221 by webernet: code style fixes.
• #203941 reported and tested by Takafumi, patch by myself: trigger assocations should be removed when deleting an advanced action
• #204420 by webernet: do not show messages about status problems to those who will not be able to click and go to the reports
• - Patch #204456 by Keith: mentioned drag and drop support in the CHANGELOG.txt.
• - Patch #204488 by Desbeers: Garland was still using deprected CSS class names: watchdog -> dblog.
• - Patch #204955 by chx: fixed E_ALL warning.
• - Patch #204996 by chx: fixed access check and warning in poll module.
• - Patch #204900 by webernet: code style fixes. Likely my last patch of the year. Fiew. Thanks all, and see you on the other side. :)
• #204996 by chx: poll bar theme gets NULL as default, so use that here as well
• #204344 by marcingy: path aliases were not alled as default home page
• #203846 by pwolanin and jvandyk: PHP 4 does not allow omitting an object when it is passed by reference, so we need to live with dummy object passing with actions for object-less actions to support PHP 4
• White space problem found while gathering background info for #204420
• #199373 report by avskip, patch by myself, testing by keith.smith: forum node type was not re-added to the forum vocabulary when the module is re-enabled (after being disabled)
• #204420 follow up by webernet: fix bad permission check introduced for update module message
• #205199 by David_Rothstein: leftover links were not removed in the reindexing process properly (search module)
• #203582 by David_Rothstein: some core hook_access() implementations are not using the passed in account
• #205134 by damz: fix not translatable use of t() in update module
• #205138 by pwolanin: require node types in forums vocab, fix help text parameter name (outside t())
• #205075 report by ktabuer, patch by myself, testing by ktauber and Lynn: book block throws notice when used on non-book-node page (with a little bit of code cleanup)
• #205334 by hass: if more then 5 languages are available, use a dropdown not a radio button list (usability)
• #181125 follow up by beginner: book.js should have been removed earlier in #181125, was a commit mistake
• #135329 follow up: rolling back some of the user password request form changes, so user names in email address format (eg. site_network module) will still work
• #204872 report by hass, patch by myself: Mode radio button in locale import had bad default value
• #50901 by chx: do not allow user login under maintenance mode, if the logged in user has no site config permission
• #201017 by chx: AHAH callbacks were not working for regular buttons
• #168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
• #205334 follow up by myself: options were improperly counted in language list (minor)
• #205795 by douggreen: search result normalization used a wrong calculation
• #205843 report by asimmonds, patch by chx: menu_valid_path() was used as an API function, but was located in menu.module, move to menu.inc
• #202955 by chx: menu_rebuild() needs to be called after maintenance mode, because stale data might end up in menu tables in maintenance mode
• - Patch #202078 by chx: fixed poll AHAH problem with caching.
• #198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
• #195161 by mcarbone with some modifications: only show 'login to post comments' if logging in actually lets you post comments
• #201141 by yched: instead of 'HTTP error 200' messages when a PHP error occurs, actually display the PHP error message
• #206272 report by yojoe, patch by myself: user provided data in menu titles should be check_plain()-ed not t()-ed
• #195161 follow up by keith.smith: fix typo in code comment
• #206232 by chx with a bit of cleanup: add in-memory reset clearing to locale() to help it interact with simpletests, which are not reloading the Drupal instance on form submits
• #206281 by keith.smith: document that people should look into the new system requirements when they upgrade
• #206232 follow up by chx: set locale() cache to NULL when resetting
• #197720 by nedjo, scor, keith.smith, catch: inform installing users about PHP memory requirements of Drupal 6
• #199809 by theborg: comment templates were not checking status properly (fix notice, allows themes to theme in-preview comments differently)
• - Patch #206512 by jvandyk: fixed grammar mistake in status message.
• - Patch #206470 by David_Rothstein: fix book permission upgrade.
• - Patch #206434 by meba: added missing doc in string.
• - Patch #199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
• - Patch #206418 by meba: fixed typo - 'sever' should be 'server'.
• - Patch #205465 by jvandyk: add missing index on comment table.
• #205602 by theborg: disabled languages were included in the language lookup logic
• #206510 by pwolanin, chx: menu title arguments were not properly stored when they were empty
• - Patch #203222 by Pascalle: added missing message type to watchdog call.
• #206820 by catch, keith.smith: forum delete confirm form was saying it deleted posts, but it does not
• #205920 by douggreen: short term searches were returning wrong results
• #206670 by keith.smith and myself: node type names have their underscores converted to hyphens in node/add links
• #202821 by marco.robotangel: display messages above help in all core themes for consistent user feedback (usability)
• #200777 by JirkaRybka: theme settings form relied on _POST[] and stored irrelevant formapi keys as theme settings
• #197720 follow up by keith.smith, scor: include php.ini path in memory limit messages
• #207170 by hswong3i slightly modified: drupal_write_record() did not return FALSE on query failure and had bad documentation on the returned values
• #199946 by JirkaRybka: append a short query string to CSS and JS files, changing on upgrades, so on core/module/theme upgrades, browser caches will 'flush'
• #204946 by theborg, keith.smith: only tell users their language setting will be used for interface presentation, when this actually happens
• #164532 follow up by pwolanin, David Strauss, catch and myself, testing also by hswong3i: some indexes added before Drupal 6 RC1 were too unique, and our code did not back them, so we should not add those indexes
• #207569 by ScoutBaker (minor code style): clean up @see usage in phpdoc blocks
• #205792 by yched: fix contradictory messages after node access rebuild
• #195091 by Rowanw: (usability) swap enabled and expanded checkbox in menu admin and allow setting elements without children to be expanded
• #207372 by Pancho, pwolanin, chx: remove duplicate query from menu_enable()
• #151910 by chx: support subqueries in db_rewrite_sql() - now that we use subqueries even in core, this was critical
• #204756 by dvessel: textarea.js assumed #disabled fields are to be hidden
• #197720 follow up by myself: cleaning up the memory_limit requirement check, use dollar t
• #207731 by Pancho: adding brackets to some default form values, for consistency
• #153998 by David_Rothstein and myself: clean up permissions in book, blog, blogapi, forum and locale modules
• #194590 by scor, JirkaRybka, attiks, dvessel; with heavy testing by catch: fix a dozen issues with sticky table headers
• #207931 by ScoutBaker: some links in update.module were pointing to 'logs' instead of 'reports'
• #207868 by cwgordon7, webernet and myself: SQL status page was using wrong property names
• #207947 by Rok Zlender: whitespace missing between error messages in file.inc
• #206021 by dropcube and myself: language content type settings were not properly namespaced
• #201667 by theborg, quicksketch, gpk, catch: fix bugs with teaser splitter in JS and no-JS mode
• #207982 by domasj: Lithuanian native language name was incorrect
• #207779 report by meba, patch by myself: missing plural formatting in forum module, and a counter display fix as well
• #201667 follow up by keith.smith: typo in code comment
• #207991 by Rok Zlender: xmlrpc_date did not parse dates well
• #206778 by dvessel: prevent themes from using their sub-theme's templates, when not intended
• #197186 by dww, testing by catch, webernet, greggles: (critical security functionality) update.module did not inform users when their current release became revoked/not supported
• #207990 by soxofaan: fix notice on node/add page for anonymous users
• #206021 follow up by keith.smith, dropcube: better code comments in locale update
• #204705 by pwolanin: abort user_save on SQL errors, to avoid data corruption
• #201667 follow up by gpk: minor code comment and whitespace cleanup
• #206078 by Pancho, traxer: order roles with system roles first (usability)
• #194590 follow up by theborg, catch: avoid cloning the sticky table headers with the same id value
• #202997 follow up by quicksketch: the table drag CSS selector was not specific enough in the RTL sheet
• #208492 report and testing by KarenS, patch by myself: book upgrade should not use the book API
• #207908 by chx, docs by jvandyk: menu title custom translation was not invoked properly
• #208262 by jvandyk: better name for variable signing a menu rebuild requirement
• #18954 by kkaefer, Pancho: built-in role names were not translated and some user_roles() call cleanups
• #18954 follow up by myself: restore user role name editing
• #208542 by KarenS, webernet: save old actions table when upgrading from Drupal 5 with a previous actions install