GitLab

- Patch #252013 by Eaton, pwolanin, Susurrus et al: drupal_render() now printes #markup, not #value.

- Patch #259463 by dmitrig01: notification e-mail for pending user registrations had blank subject line.

- Patch #73874 by pwolanin: normalize the permissions table and wrote simpletests for the (new) permission handling.  At last.

  et al.  Can you say 'registry'?  Drupal now maintains an internal registry of
  all functions or classes in the system, allowing it to lazy-load code files as
  needed (reducing the amount of code that must be parsed on each request). The
  list of included files is cached per menu callback for subsequent loading by
  the menu router. This way, a given page request will have all the code it needs
  but little else, minimizing time spent parsing unneeded code.

- Patch #245115 by kkaefer, John Morahan, JohnAlbin et al: after a long discussion we've decided to make the concatenation operator consistent with the other operators.

- Patch #216072 by recidive, David Rothstein, ptalindstrom et al: switched from numeric block IDs to string IDs.

  The short explanation is that Drupal uses a lot of numeric deltas in the block system; blocks are identified by the 'module' and the 'delta'. In early Drupal, delta was numeric, but somewhere along the line it was changed to be possibly a string. In modern Drupal, block overrides are easily done via block-MODULE-DELTA.tpl.php.  The primary motivation to switch to string IDs everywhere is to make these deltas friendlier to themers:

    block-user-0.tpl.php --> block-user-navigation.tpl.php
    block-user-1.tpl.php --> block-user-login.tpl.php

  You get the picture.

- Patch #244597 by drumm: remove login form text as this can now be accomplished using hook form_alter.

  The access rules capability of user module has been stripped down to a
  simple method for blocking IP addresses. E-mail and username restrictions
  are now available in a contributed module. IP address range blocking is
  no longer supported and should be done at the server level.

  This patch is partly motiviated by the fact that at the usability testing,
  it frequently came up that users went to "access rules" when trying to
  configure their site settings.

  This is a big and important patch for Drupal's security.  We are switching
  to much stronger password hashes that are also compatible with the Portable
  PHP password hashing framework.

  The new password hashes defeat a number of attacks, including:

  - The ability to try candidate passwords against multiple hashes at once.
  - The ability to use pre-hashed lists of candidate passwords.
  - The ability to determine whether two users have the same (or different)
    password without actually having to guess one of the passwords.

  Also implemented a pluggable password hashing API (similar to how an alternate
  cache mechanism can be used) to allow developers to readily substitute an
  alternative hashing and authentication scheme.

  Thanks all!

- Patch #30984 by webchick, keith.smith, kkaefer, Crell et al: provide descriptions for permissions on the permission administration page.

- Patch #181578 by Moshe: removed distributed authentication code from user_save().  Factored the relevant code out to a separate function.

#119038 by ximo, Pancho: user role editing usability: include disabled checkbox for authenticated role

#210211 by chx, theborg: removing the broken admin user search, which would provide the same as the public facing user search anyway

#18954 by kkaefer, Pancho: built-in role names were not translated and some user_roles() call cleanups

#152497 by bjaspan, with more docs from myself: user_external_login() was not updated to latest login process

#172993 by drewish, Lynn: remove old user picture even when the newly uploaded one uses a different format