The new 7.x-3.0 release has been troublesome for many (see the related issues below). What is the possibility of getting a fix to this security issue right on the 7.x-1.x branch instead of requiring us to make the jump to 7.x-3.x?
Comments
Comment #2
mulderjoe commented: Updating 7.x-1.x branch would be ideal. I have found that the Scheduler for Workbench no longer works, either, and that is mission critical to my site. Thank you.
Comment #3
Begun commented: +1
Comment #4
dbielke1986 commented: +1
Comment #5
dbielke1986 commented
Comment #6
sylus commented: I too am a bit concerned about this change and that it might require significant development work to update to the latest stable for the security release thanks to the addition of Drafty. While I am greatly for Drafty since it removes the "double save" issue and does fix the other issues related to the security fix such as disclosure, it is indeed a significant refactor that can break quite a bit of existing workflows.
For instance a current workflow leveraging Entity Translation + Title module might have issues thanks to:
#2487013: Make Drafty work with the Title module patch from issue #2267251
While I haven't tested this I am also wondering about Deploy + UUID for content staging of entities which does work as expected with Workbench Moderation in 1.x line but I do know it has specific logic to deal with the double save.
Comment #7
Matroschker commented: It would be very helpful to get the security fix for the version 7.x-1.4 too.
Thx. And thank you for the new version 7.x-3.0 to make revisions a little bit more to a standard.
Comment #8
davewilly as a volunteer commented: +1 for security branch fix.
Having a lot of issues updating from 7.x-1.x to 7.x-3.x.
Comment #9
sylus commented: I'm updating the priority and the more I think about this I think it is a bug and not a feature request but won't be so bold.
Comment #10
spotzero at Coldfront Labs Inc. commented: Due to the huge architectural changes between 1.x and 3.x, many use cases can't just upgrade. So I agree that this is a bug, and it's related to a security issue, I've increased the priority again.
In all honesty though, the security issue is pretty built into the architecture of 1.x, which is bad news for a fix to this branch. Everyone stuck on 1.x will likely have to mitigate the security issue in other ways :S
The maintainers should clarify the plans for 1.x (is it abandoned?), since it unfortunately looks like a lot of sites are going to be stuck there for a while.
Comment #11
das-peter at Cando commented: Unfortunately spotzero is right, the security flaw is based within the architecture of the 1.x branch. Another fix there is very very unlikely.
The same architectural flaw was present in at least one other module, dealing with revisions in a similar way, and it had to switch to drafty too.
Why drafty you might ask: Well because it's handling exactly the critical case of the revision storage and it's an API module. Having a centralized API for this makes it more likely to get reliable handling by having more stakeholders and a narrower scope.
Regarding the branching, rest assured there was quite some discussion ongoing between maintainers and the security team about how to best handle this case.
Unfortunately, because of the complexity of the changes and the issue being the actual architecture, there weren't many options besides going with a new branch.
Having a new branch allows us to provide the 1.x state as is - including the security issue - so that users that have problems with the new 3.x have a safe harbour while we continue to work on 3.x to sort all issues out.
As of now I'd consider 1.x minimally maintained.
3.x is the branch you should go with - whenever possible.
If you experience problems with 3.x let us know! We need detailed feedback to fix outstanding issues and so does Drafty.
Remark: "Officially" I'm not the maintainer for 1.x / 3.x but the 2.x branch which integrates with State Machine. However, I'll try to do my best to push things for 3.x.
Comment #12
mstrelan commented: There is now a warning on the Drafty project page:
That makes this issue even more critical.
Comment #13
will_c commented: I believe that's the same warning that is on all non-stable modules. They've just been toying with it to make it more prominent over the last X months.
Comment #14
Liam Morland commented: We have customization based on 1.x and cannot easily move to 3.x. The fact that 3.x depends on a module that does not have security support makes that doubly a concern for us. We would really like a 1.x fix. Me not knowing anything about the Workbench Moderation code, what is it that makes it so hard?