Releases: visuaFUSION/drupal-7-modules
xmlsitemap-7.x-2026.01
webserver_auth-7.x-2026.03
Webserver Authentication Module - Release Notes
Version 7.x-2026.01
Overview
This release brings critical bug fixes and new compatibility features for the Webserver Authentication module, addressing issues from the drupal.org issue queue that were closed due to Drupal 7 EOL.
Bug Fixes
Admin Lockout Fix (drupal.org/node/2859747)
Problem: Administrators and existing users were locked out immediately after enabling the module. The "Match external names to existing Drupal users" option (enabled by default) had no effect.
Cause: The check for webserver_auth_create_user (disabled by default) returned early in _webserver_auth_route() before the existing user matching logic could execute.
Fix: Moved the create_user check to after the existing user matching logic, allowing the two options to work independently as intended.
Watchdog Placeholder Bug
Problem: Usernames were not displaying in log messages.
Cause: Incorrect array syntax in watchdog() calls - used comma instead of => for placeholder arrays: array('@authname', $authname) instead of array('@authname' => $authname).
Fix: Corrected placeholder syntax in all affected watchdog() calls.
New Features
mod_auth_gssapi / Kerberos Compatibility (drupal.org/node/2859664)
Problem: The module was incompatible with Apache mod_auth_gssapi (Kerberos/SPNEGO authentication) because it logged users out whenever REMOTE_USER was empty. With GSSAPI, REMOTE_USER may only be set on certain paths, causing users to be logged out on AJAX requests or when navigating between protected and unprotected pages.
Solution: Added new configuration option "Logout the current user if the authname is empty" with smart defaults:
| Server Environment | Default Value | Behavior |
|---|---|---|
| IIS Windows Auth | TRUE (secure) | Original behavior - logout on empty REMOTE_USER |
| Apache Basic Auth | TRUE (secure) | Original behavior - logout on empty REMOTE_USER |
| GSSAPI/Kerberos | FALSE (auto-detected) | Don't logout on empty REMOTE_USER |
Auto-detection: During module installation, the following indicators trigger GSSAPI mode:
- $_SERVER['GSS_NAME'] is set
- $_SERVER['KRB5CCNAME'] is set
- $_SERVER['AUTH_TYPE'] equals "NEGOTIATE"
Location: Admin → Configuration → People → Webserver authentication → Advanced settings
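The check order behind the admin lockout fix and the empty-REMOTE_USER default described above, as an added sketch that is not the module's own code. All function names, option keys, return strings and the sample server arrays are hypothetical, and the case-insensitive AUTH_TYPE comparison is an assumption.

```php
<?php
// Added illustration: names below are hypothetical, not the module's own code.

// GSSAPI indicators from the release notes. The case-insensitive
// AUTH_TYPE comparison is an assumption of this sketch.
function example_is_gssapi(array $server): bool {
  return isset($server['GSS_NAME'])
    || isset($server['KRB5CCNAME'])
    || strtoupper($server['AUTH_TYPE'] ?? '') === 'NEGOTIATE';
}

// Install-time default for "Logout the current user if the authname is empty".
function example_default_logout_on_empty(array $server): bool {
  return !example_is_gssapi($server);
}

// Per-request decision. $fixed = FALSE reproduces the pre-fix check order.
function example_route(string $authname, array $known_users, array $opt, bool $fixed = TRUE): string {
  if ($authname === '') {
    // Empty REMOTE_USER: end the session only when the option is TRUE.
    return $opt['logout_on_empty'] ? 'logout' : 'keep_session';
  }
  if (!$fixed && !$opt['create_user']) {
    // Pre-fix early return: the matching step below never ran.
    return 'no_login';
  }
  if ($opt['match_existing'] && in_array($authname, $known_users, TRUE)) {
    return 'login_existing';
  }
  return $opt['create_user'] ? 'create_user' : 'no_login';
}

// Constructed sample data.
$users = ['admin'];
$basic = ['AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'admin'];
$gss   = ['AUTH_TYPE' => 'Negotiate', 'GSS_NAME' => 'admin@EXAMPLE.ORG'];

$opt = ['match_existing' => TRUE, 'create_user' => FALSE,
        'logout_on_empty' => example_default_logout_on_empty($basic)];
echo example_route('admin', $users, $opt, FALSE), "\n"; // pre-fix order, module defaults
echo example_route('admin', $users, $opt), "\n";        // fixed order, module defaults
echo example_route('', $users, $opt), "\n";             // Basic auth, empty REMOTE_USER

$opt['logout_on_empty'] = example_default_logout_on_empty($gss);
echo example_route('', $users, $opt), "\n";             // GSSAPI, empty REMOTE_USER
```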
Cleanup
- Removed duplicate packaging script entries from .info file
- Updated version to 7.x-2026.01 format for Drupal 7 LTSR compatibility
Security Notes
This module has been reviewed for security. All database operations use Drupal's safe APIs, and XSS/CSRF protections are in place.
Note: The "User account modification" field (Advanced settings) allows arbitrary PHP execution. This is an intentional feature for customizing user creation, but should be left empty unless specifically needed. Only users with "administer site configuration" permission can modify this setting.
Upgrade Path
This is a drop-in replacement for version 7.x-1.6. No database updates required.
For existing installations: The new webserver_auth_logout_empty_remote_user variable will default to TRUE (secure behavior) if not explicitly set. This matches the original module behavior for IIS and standard Apache authentication setups.
Credits
Bug fixes backported from drupal.org issue queue:
timefield-7.x-2026.01
Timefield Module v7.x.2026.01 - Changes Summary
Commits
| # | Description |
|---|---|
| 1 | Improved jQuery Timepicker installation instructions - Updated requirements message with GitHub link and specific folder naming steps |
| 2 | Version update + Security fixes - Updated to 7.x.2026.01, fixed XSS in templates, updated deprecated ! to @ placeholders |
| 3 | Minute token zero-padding - Views tokens now properly zero-pad minutes (5 → 05) |
| 4 | Undefined index fixes - Added isset checks in Views handler, empty fallbacks, 24-hour zero-padding |
| 5 | Undefined $days variable - Fixed PHP notice when no days selected in Weekly Repeat |
| 6 | Field collection JS fix - Prevent duplicate JS settings causing errors with "add another item" |
| 7 | Missing timepicker library check - Gracefully handle when jQuery Timepicker isn't installed |
Security Fixes
- XSS: Added check_plain($label) in minical-box template
- XSS: Added check_plain($time['time']) in timefield template
- Escaping: Updated deprecated ! to @ t() placeholders for proper escaping
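Why the ! to @ change and the check_plain() calls matter, as an added example that is not Drupal core or Timefield code. example_format_string() and example_check_plain() are stand-ins written for this page that mirror the Drupal 7 placeholder prefixes, and the label value is constructed.

```php
<?php
// Added illustration: stand-ins for Drupal 7's check_plain() and
// format_string(), written for this page; not core or Timefield code.

function example_check_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function example_format_string(string $string, array $args): string {
  foreach ($args as $key => $value) {
    switch (substr((string) $key, 0, 1)) {
      case '@':
        // Escaped before substitution.
        $args[$key] = example_check_plain($value);
        break;

      case '%':
        // Escaped and wrapped in emphasis markup.
        $args[$key] = '<em class="placeholder">' . example_check_plain($value) . '</em>';
        break;

      case '!':
      default:
        // Inserted as-is: the caller must already have sanitized the value.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed field label that carries markup.
$label = '<script>alert("label")</script>';

// "!" placeholder: the markup reaches the page unchanged.
echo example_format_string('Hours for !label', ['!label' => $label]), "\n";

// "@" placeholder: the markup is rendered as inert text.
echo example_format_string('Hours for @label', ['@label' => $label]), "\n";

// Template output: escape at the point of printing, as the fix does with check_plain().
echo '<span class="label">', example_check_plain($label), "</span>\n";
```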
Referenced Issues (drupal.org)
- #2241693 - Undefined index: raw in Views handler
- #2132811 - Undefined variable: $days
- #2144257 - Non-idempotent JS settings in field collections
ldap-7.x-2026.04
Release Date: January 2026
Compatibility: Drupal 7 LTSR, PHP 8.0+, PHP 8.2+ compatible
PHP 8.2 Compatibility Fixes
PHP 8.2 deprecated the creation of dynamic properties (assigning to $this->property without declaring the property first). This release adds all missing property declarations to eliminate deprecation warnings.
| File | Properties Added |
|---|---|
| ldap_user/LdapUserConf.class.php | createLDAPAccounts, createLDAPAccountsAdminApproval |
| ldap_servers/LdapServer.class.php | _errorMsgText, type, export_type |
| ldap_query/LdapQuery.class.php | _errorMsgText, type, export_type |
Upgrade Notes
- Direct drop-in replacement for LDAP 7.x-2.6
- No database updates required
- No configuration changes needed
- All 11 submodules updated to 7.x-2026.04
Requirements
- PHP 7.4+ (PHP 8.0+ recommended, PHP 8.2+ fully compatible)
- PHP LDAP extension (php-ldap)
- Drupal 7 LTSR
ldap-7.x-2026.01
LDAP Module v7.x-2026.01 - Release Notes
PHP 8.0+ Compatibility
| Fix | Description |
|---|---|
| Pagination API | Replace removed ldap_control_paged_result() and ldap_control_paged_result_response() with LDAP controls API (LDAP_CONTROL_PAGEDRESULTS, ldap_parse_result()) |
| Function signatures | Fix required params after optional in 5 functions: LdapServer::search(), LdapServerTest::search(), LdapTestFunctions::drupalLdapUpdateUser(), LdapUserConf::provisionDrupalAccount(), _ldap_servers_get_simpletest_servers() |
| OpenSSL decrypt | Fix null $iv deprecation in _ldap_servers_decrypt() |
| debug_backtrace() | Move call before parameter modification in LdapTestCase::testId() |
Drupal 7.93+ Compatibility
- Fix PDOException query_string property access (dynamic property deprecation)
Security Fixes
- Credential exposure: Remove password from watchdog log messages in LdapServer::bind()
Bug Fixes
- Fix count() parenthesis errors in LdapTestCase::removeUserFromGroup() (count($arr - 1) → count($arr) - 1)
- Fix undefined $i variable in member count assignment
Files Modified
- ldap_servers/LdapServer.class.php
- ldap_servers/LdapServerAdmin.class.php
- ldap_servers/ldap_servers.module
- ldap_servers/ldap_servers.encryption.inc
- ldap_test/LdapTestCase.class.php
- ldap_test/LdapServerTest.class.php
- ldap_test/LdapTestFunctions.class.php
- ldap_user/LdapUserConf.class.php
- ldap_query/LdapQueryAdmin.class.php
- ldap_authorization/ldap_authorization.admin.test.inc
- All 11 submodule .info files (version update)
Referenced Issues (drupal.org)
- #3190852 - PHP 7.4/8.0 deprecation warnings
- #3461932 - Drupal 7.93 PDOException compatibility
- #3302242 - Required parameter after optional
ctools-7.x-2026.03
Changes in 7.x-2026.03
Bug Fixes
PHP 8.1 Compatibility — "Attempt to assign property on bool"
- File: includes/content.inc
- Issue: #3413093
- Fix: Added !is_object($content) check in ctools_content_render() to handle render callbacks that return non-object values
Undefined Index Fix — term.inc
- File: plugins/arguments/term.inc
- Issue: #3497028
- Fix: Added isset($conf['input_form']) check before accessing the configuration value
Security Hardening
Path Traversal Prevention — stylizer.inc
- File: includes/stylizer.inc
- Fix: Added input sanitization in ctools_stylizer_get_image_path() and ctools_stylizer_get_css_id() to prevent path traversal attacks via malformed style names
Not Applied
Modal accessibility patches are documented but not applied due to complexity. See MODAL_ACCESSIBILITY_PATCHES.md for details.
analytics-7.x-1.0-alpha2
7.x-1.0