views 7.x-3.0-rc3

Hopefully this will be more or less the last big step before a release.

Not this release fixes a security problem, which can be seen as critical

The Views module is useful for creating lists of items in Drupal sites. Some filters incorrectly used Drupal's built-in database api, so they didn't escaped some arguments correctly. This vulnerability is mitigated by the fact that a site must have a view with this filter to be enabled in order to be exploited.

Changes since 7.x-3.0-rc1:

• by dereine: use the bug fix from the relationship-access issue
• Revert "Issue #1222324 by damz, agentrickard, bojanz, dereine: Find a proper way to have multiple access tags per view and support relationships."
• Revert "#1222324 follow up by damz: Use the alias so apply the tag to the right part of the query"
• #1222324 follow up by damz: Use the alias so apply the tag to the right part of the query
• #1222324 by damz, agentrickard, bojanz, dereine: Find a proper way to have multiple access tags per view and support relationships.
• #1176048 by filijonka, tim.plunkett, dereine: Let the remove button respect chaning of the override selector, yeah!
• #1331032 by dereine: Hide rewriting if the value of a field is actually empty by default. That's maybe causes some views but sure we are doomed anyway. Additional fix it let the custom block actually always display something
• #1257376 by dereine: Don't run the preview on page load, but adding a seperate request for it.\n\nThis will catch a lot of possible issues with sql errors and can improve the speed of the editing, if you have unchecked the automatic-preview checkbox
• rename image preset to image style
• #1234414 by quicksketch: Support images styles in the user: picture field
• by dereine, Crashtest: Add an api function to override the title
• Revert "#1331032 by abs: Change default of hide rewritten output if it's empty to True"
• #1331032 by abs: Change default of hide rewritten output if it's empty to True
• ##1072860 by Pol: Take sure to add the human_name field to the views_view table.
• #1270890 by fago: Provide a way to provide entity-related views fields
• #564106 by dereine, bdpanda, dagmar, pcambra, eclipsegc: Allow to point more to a custom url
• #1303398 by dereine: Fix big introduced in 1303398
• #1291088 by tim.plunkett: Recursively merge field views data.
• by dereine:Fix typo in all instances of available
• #1242892 by timplunkett, dereine: Fix the override/revert mechanism.
• #1175260 by jrust: Set the right path-key on the jump menu
• #1221560 by ericduran, dereine: Allow to override views css files from theme directory
• Revert "#1199328 by casey, bojanz: Add typehintings to every place which doesn't break the api. KUDOS"
• #1298418 by lliss: Class Definition Comments misplace variable hierarchy
• #1301790 by rfay, dereine: Use created instead of timestamp for user.created field, and add some move definition
• #1199328 by casey, bojanz: Add typehintings to every place which doesn't break the api. KUDOS
• #1316496 by TR: Cleanup tests a lot
• by dereine: Test style groupby functionality
• #1211264 by dereine, ezheidtmann: Set validated title for taxonomy validation case 'tid' as well.
• #1303398 by johnv: Some entities might have a certain field value just empty but it's set, which caused notices
• #1316932 by dereine: Reorder view execution and title generation, so the title can use the tokens from actual result values.
• #1316908 by tedfordgif: Don't change the handler of the fieldapi-delta column
• by dereine: Document view::base_database
• #1124298 by David_Rothstein: Respect access for rendering fieldapi sub-elements
• by dereine: Describe how to write an area handler
• #1307162 by cmurph: Check whether an argument is empty or not when loading the taxonomy term for the title
• #1303880 by serialjaywalker: Add js settings keyed by dom_id
• Revert "#1235994 by das-peter, scor: Allow to group by field value instead of field html. This allows to use rdf with fields"
• #1314306 by Hanno: Don't translate html-tags, because translators might get confused and the user should really see the original tag all the time.
• Merge branch '7.x-3.x' of git.drupal.org:project/views into 7.x-3.x
• #750172 by Hydra: Allow to disable the linking to user pictures
• Merge branches '7.x-3.x' and '7.x-3.x' of git.drupal.org:project/views into 7.x-3.x
• #1317500 by dereine: Add output format to node.promoted
• #1090098 by dereine, chx: Convert database views which were defaulted in d6.2 and exported to views3. Sadly this only works for exported
• #1301960 by nagiek: Support dynamic access plugin arguments for default tabs as well
• #1294636 by dereine: objective ajax-view.js
• #1296060 by dereine, diegot: Support sqlite in the date functions
• small code identation fix for last commit
• #1235994 by das-peter, scor: Allow to group by field value instead of field html. This allows to use rdf with fields
• #1309082 by bojanz: Support base_tables foreach plugin type in views
• #1309518 by das-peter: Change signature of execute_hook_menu to allow altering
• #1090098 revert to previous behaviour
• Issue #1090098 by chx, dereine: Fix the pager conversion.
• by dereine: Two more instances of instead of
• #1302494 by defr: Don't alter the value_options directly for flatten the options in in_operator filter
• #1301904 by primsi: Translate the ellipsis like truncate_utf8
• by agentrickard, dereine: Provide a helpful message if there is a missing wizard
• #1279438 by dereine: Refactor views_debug to support proper translated strings/placeholders
• use instead of
• #1299276 follow up by dereine: Let display::options_validate always use form[]
• #1299276 by dereine: Move the right form value to display::options_validte
• by dereine: Use availible sorts in the wizard not only if a created column exist
• #1109108 by szantog: Handler translation keys should use the id instead of the field to have a unique key for multiple fields
• Fix jump menu test
• by dereine: Validate dates if the value is not exposed
• fix argument default test case
• Fix exposed form test case
• #1193742 by bojanz: Replace too hard css rule with a special check for the views-remove-checkbox class
• by dereine: Use an override select instead of the old override button in the pager test
• #1212916 by dereine: Display-ids should be validated for lower case
• #1212848 by kmcnamee: Allow to use a pure anchor link in output as link
• #1023582 by dereine: save_block_cache should handle md5-deltas as well
• by dereine: Small help improvement of taxonomy terms
• by dereine: Move was_defaulted/is_defauled into another function
• #1283808 by somanyfish, dereine: Remove leftover vid from filter_term_node_tid
• #1222762 by dereine: Show contextual links on exposed_form-blocks
• #1193284 by LinL: Glossary should show every character in the summary
• #1251052 follow up by andypost: Duplicated help for comment.uid
• #1294826 by reevo> Summary jump menu ignored base_path, because of old d6 like code
• by dereine: Improve help text of uid field
• #1291658 by jackalope: Convert views_plugin_argument_default_taxonomy_tid to new return value of views_get_page_view
• #1227302 by droplet: Make jump menu work with drupal install in a subdir
• #1264438 by dereine: Add a field for the vocabulary vid
• #1279202 by dereine: Allow display extenders to force to be enabled.
• #1271540 by dereine: Don't limit feed description to 128 chars
• #1251052 by dereine: Add automatic conversions of joins to relationships for users_roles and role. Additional clean up comment/node author relationship
• #1261812 by webflo: Implements user permissions as field and filter.
• #1283606 by dereine: Provide a sane default sort for the groupwise_max relationship subquery
• #1242286 by rickmanelius: Update default views examples to sync with views templates code
• #1176458 by webflo, dereine: Check for url aliases for example generated by i18n in summary url generation code
• #1277900 by dereine: Handle pager options correctly on the wizard
• #1279182 by dereine: Don't wsod on missing display extender, but throw a views debug message
• #1290916 by vflirt: Use the right handler type when exporting translatables areas
• #1278640 by dereine: Grid columns should be required
• #1275942 by dereine: Adapt signature of render_link
• small code improvement
• #960648 by dereine: Add a valid url for comments in all cases
• by dereine: Replace criterion with criteria
• #1283002 by joachim: small improvements to API docs
• #1280382 by Alan Evans: Reset for the views listing
• #1167752 by dereine: Add a comment approve link field
• #1115588 by fubhy: Allow to select the used theme on the views ui
• #1277660 by dereine: Allow to search for the description as well
• #1279276 by wimleers: Don't add ui.dialog on every page
• #1278694 by fangel: Allow to autocompelte terms with comma seperated
• #1278566 by davereid: Reset some variables after the views ui preview
• by dereine: use dpm instead of dsm
• remove id tags from doc files
• by dereine: Add some views_join comments to the query functions
• reported by andypost: Remove dsm
• #1275736 by dereine: If clone a display mark the new display as changed
• #1182634 by Adam_S, dereine: Save block cache only if the block table exists
• #1243220 by davereid, haffmans: Cleanup RSS content building and handling
• #1147326 by dereine: Follow up: Fix missing variable vocabularies
• #1261844 by webflow: Make filter_in_operator work with optgroups
• #1245032 by sma-ka, dereine: Fix notices in quite some argument plugin submit/validations
• #1259778 by dereine: Remove term synonyms as they not longer exist in d7
• #1016792 by dereine: Check whether the human name is already in the database
• Remove old code which defaulted exclude to FALSE on field handlers
• #1222494 by dereine: Respect the output of set_display on some other places, there might be other ones as well
• #1238488 by dereine: The actual default order of a single field in a table didn't worked as expected
• by dereine: Converted views.install quite some more
• #1261528 by rlhawk: Allow to display only the first and last value on a fieldapi field
• by dereine: remove old ctools_dependent_process additions
• #1273806 by dereine: Allow to export date specific default plugins on the date argument handler
• #1274834 by dub4u: Use JS_DEFAULT insted of JS_THEME for jqueru-ui-patch js so people can override the behaviour in the theme
• #1248454 by dereine: Relationship handlers should respect real field
• #1270982 by drunken monkey, dereine: Allow to specify entity type on non-base-tables, which allows some fancy views integrations like a generic entity views integration
• #1268466 by droplet, jessebeach: Repaired .views-display-top after changes to the Seven secondary menu unordered list styling jarred the layout. Cleaned out some crufty CSS.
• #1272350 by tunic: Fix content translation filter function, which still used the old add_where instead of add_where_expression
• #1270934 by dereine, Michelle: Better tags support on several areas
• disable the default views again
• #1267916 by CrashTest: Change the empty textfield to a textarea and add a better description
• #1263680 by dereine: Add more helpful error messages for filter_in_operator
• #881060 by benoit.borrel: Fix incorrect code sample on views_join documentation.
• Add argument_dates_various to defgroup views_argument_handlers
• #887768 by merlinofchaos: Fix notice with joins
• by dereine: small comment fix for views_language_list
• #1130760 by neoglez: Check for variables in tokens generation of terms
• #1261468 by dereine: Fix notices when relationship label is not defined and strict error on views_handler_field_accesslog_path
• #1135002 by dereine, bojanz: Add feature to hide table column if each field is empty
• #1257568 by recrit, dereine: Make views_handler_area_view check access as well
• Conflicts:
• #1098326 by Agileware: Stop validating terms if there is no term
• by dereine: Add template path to the hook_views_api example
• by dereine: Add todo for row search plugin
• Preload multiple nodes on comment row.
• by dereine: Fix groupby tests and move some things around
• by dereine: Remove two old debugging lines
• #1222324 by dereine: Apply access tags of relationships to the query
• #1195944 by adamdicarlo: Fix fatal error if no field does exist
• update groupby test view
• small comment fix
• #1259056 by stevector: Add view to views-more.tpl.php and document the availible variables
• #1194396 by dereine: Reexport all views provided
• #1243436 by travist: Setup items per page for none pager plugin to 0
• #1235814 by recrit: Allow to use in the global text area
• add test file for jump menu duplicates2
• #1175260 by mrfelton: Duplicate paths shouldn't result in grouped items on a jump menu
• #1258756 by berdir: Make css cache restoring work again
• fix notice in field_custom and field_math_expression test
• #1172970 by fago, drunken_monkey: Provide a unified way to retrieve result entities
• by dereine: Fix analyze tests
• #1102852 by ralf: Add enabled-disabled boolean display format
• #1124130 by djebbz: Mislabeled option description about wrapping field output with default HTML
• by dereine: Allow to work a wizard on a base table without a sortable field
• #1151032 by dereine: Update block hashes plausible and take sure of broken examples
• #1225228 by dalin: Allow to hide links from node rss
• #1205376 by dereine: Add a way to prevent plugins from register theme
• #1208440 by dereine: Disable pager as default case for blocks on the wizard
• #1188132 by David Hernández: Remove from plugin_exposed_form
• by dereine: Move rendering of a views form into a process function so people can alter things if wanted
• #1191928 by bojanz: Support views form on ajax
• #1252538 by crell: Use format_username to render a user name
• #1117512 by dereine: Support to use non-default bundle handlers in the wizard
• #1241476 by jdleonard: Check for time hence for custom date formats as well
• #1221980 by temaruk: Fixed wired diverits, when using autosubmit ajax exposed filters. Multiple additional divs are created
• #1202048 by dereine: Make edit view contextual links work with default display
• #1231692 by dereine: Also validate on uid = 1 and set the validated_title
• #1170804 by merco, smk-ka: Fix undefined error in views mini pager
• #1255994 by bwpanda: Correct doc for variable in table template
• by dereine: Bring back drush cc views
• #1101506 by djebbz, dereine: Provide a admin/reports/views-fields which list all fieldapi fields used in different views
• #1253106 by Sborsody: Correct urls to comment edit/delete links
• #1249742 by kla2t: Fix wrong dbtng argument name in argument_node_tnid handler
• Add note about non-UID1 users being able to import
• by dereine: Rename arguments to variables in views_theme as is it's fits a bit better with the api
• by dereine: Add theme argument suggestions pager and exposed_form
• Add return documentation for views_get_page_view
• #1133924: Force aliases into lower case to avoid problems when DBTNG does it for you.
• #1242424 by bevan: Document the grouping of contextual filter issue
• #1213516 by oddsim, dereine: Allow to sort via search_score on arguments as well
• #1127422 by dereine: Add rearrange to the filter rearrange link
• #1245558 by Aron Novak: Do not tokenize always in area text handler
• #1245020 by smk: Provide title for some taxonomy term arguments
• #1244876 by dereine: Let views_handler_argument_vocabulary_vid utilize the features of views_handler_argument_numeric
• #1243998 by dereine: Port another views_get_page_view to d7 behaviour
• #1242658 by djebbz: Fixed small typo in comments of views_form()
• by dereine: Don't assuem that each query plugin has a base field, for example something like xml_views doesn't
• by dereine: Set a sane default for the sort column
• #1240934 by becw, dereine: Use depedency for style_summary->items_per_page
• #1203794 by paranojik: Use sort weight with exposed sorts
• #1215602 by derhasi: Provide a views_get_views_as_options which allows to list all views availible for form elements
• by dereine: document plugin_type in views_plugin
• #1239580 by dereine: Allow area handlers to alter the query
• #1239526 by hydra: Don't show path/external form elements on field_node_link
• #1236226 by balagan: Fix type in relationship handler
• fix type in doc
• #1216288 by hunziker: Mailto field values is overridden by the parent form
• by dereine: Remove unused numeric definition option in filter_in_operator
• Revert "#1222324 by dereine: Add access not only on base table, but also on relationships"
• #1220498 by ericduran: Added Missing hook_ajax_data_alter()
• #1157716 by dereine: Fix notice on add_item_form for header/footer
• #1230306 by aaron.r.carlton, dereine: User and taxonomy default plugin updated to new behaviour of views_get_page_view
• by dereine: Add a comment access query tag
• #1222324 by dereine: Add access not only on base table, but also on relationships
• #1185914 by dereine: Fix missing quotes in preview generation
• #1222724 by RdeBoer: Fix revision delete link
• #1220216 by akoepke: Operators without values shouldn't try to validate it's values
• #1234246 by dereine: display_handler is not defined on the field handler but on the view
• #1233274 by dereine: Fix notice in views_taxonomy_set_breadcrumb
• #1089876: Move field language setting to display settings.
• #1185572 by martinjbaker: Remove unnecessary description with typo.
• #1221946 by dereine: Invalid placeholders breaking min/max in exposed filters.
• #1180510 by dereine and mstrelan: Add case control options to links.
• #1020540 followup: Text improvement from kmcnamee
• #1221648 by Amaylia: Crush down the size of the sprites
• #1225322 by pcambra: Allow to submit/validate form elements placed in area handlers (header, footer, empty)
• by dereine: Fix error message when on validating filter_in_operator
• #1224630 by rvilar: Port filter by content translation to add_where_expression
• Add uses_exposed_form_in_block() method to the display so that CTools can specifically make content panes have exposed form in a block.
• by dereine: Remove ssh-agent which isn't used but can cause a fatal error
• #1213916 by stella, dereine: Make views search filter/argument work with more complicated searches
• #1208738 by dereine: Allow to add views from templates again
• by dereine: Use version_compare to detect whether an imported view is valid
• #1207680 by damz: Don't validate if there are no options set, the values are empty and required is not set
• Revert "#1191928 by dafeder, bojanz: Make views forms work with ajax"
• #1191928 by dafeder, bojanz: Make views forms work with ajax
• #1208824 by linclark: Add views_ui_pre_render_add_fieldset_markup to plugins forms as well
• by dereine: Add back some missing handlers
• #1213218 by dereine: Make file->user relationship explicit
• #1213218 by davereid: Add relationships for file/image fields + backward relationships
• Revert "#1213218 by davereid: Add relationships for file/image fields + backward relationships"
• #1207680 by dereine: Don't validate on term filters, because this causes views to not to save anymore. Added TODO
• by dereine: Set api version to 3.0
• #783514 - Use in views_break_phrase_string() in title() methode.
• #1209338 by chx: Fix help message to setting the validated argument title
• document variable handler_type
• #1207366 by dereine: Empty text should be displayed as well
• #1183294 by dereine: Fix language behaviour on not grouped fieldapi fields.
• by dereine: Don't assume that the display handler is valid in analyze code
• #1205450 by chx: Add a mass analyze drush command
• #1205570 by chx: Validate the values of the filter_in_operator settings
• #1194900 by dereine: Make aggregation of fieldapi fields work again
• #1193580 by dereine: Replace empty tokens
• #1201908 by dereine, dug out by Liam Mitchell: Temporary workaround for using subqueries in main query and in clone query
• #1190510 by andypost: Fix previous fix for aliases not an array
• #1198466 by arcaneadam: Fix output format for sticky field
• #1198454 by arcaneadam: Fix documentation for boolean output formats
• #1198166 by joachim: Fix notice for groupwise relationship options_submit
• #1174130 by pillarsdotnet: Check for empty join in views_many_to_one_helper().
• #1197030 by crell: Allow to use any tid/all tid on taxonomy default argument
• #1198156 by joachim: fix bad method call crash.
• #1192666 by dereine: Don't add historical data on entity types which don't support revisions
• #1194614 by Adam S: Allow to use hide() on node comments
• #1192690 by dereine: Fix field_prerender_list multiple get_value method
• #1120668 by dereine: Fix Fatal error when scanning templates
• by dereine: Provide default relationship for authmap table
• #1098480 by fubhy: Allow to set no pager in the wizard

Thanks for everyone who helped on this release! On contrast to rc2 this has the security patch commited as well.