# Drupal editor configuration normalization
# @see
# This is the top-most .editorconfig file; do not search in parent directories.
root = true
# All files.
end_of_line = LF
indent_style = space
indent_size = 2
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
# Ignore configuration files that may contain sensitive information.
# Ignore paths that contain user-generated content.
# Protect files and directories from prying eyes.
<Files ~ "(\.(inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$">
Order deny,allow
Deny from all
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
Order allow,deny
# Set some options.
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
Options +FollowSymLinks
# Customized error messages.
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Set the default handler.
DirectoryIndex index.php
# Override PHP settings. More exist in sites/default/settings.php, but
# the following cannot be changed at runtime. The first IfModule is
# for Apache 1.3, the second for Apache 2.
<IfModule mod_php4.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
DirectoryIndex index.php index.html index.htm
# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_environment_initialize() in
# includes/ for settings that can be changed at runtime.
<IfModule sapi_apache2.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
# Reduce the time dynamically generated pages are cache-able.
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
ExpiresByType text/html A1
# Enable expirations.
ExpiresActive On
# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600
<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
# Modify the RewriteBase if you are using Drupal in a subdirectory and
# the rewrite rules are not working properly.
#RewriteBase /drupal
# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
# Make sure Authorization HTTP header is available to PHP
# even when running as CGI or FastCGI.
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Rewrite old-style URLs of the form 'node.php?id=x'.
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{QUERY_STRING} ^id=([^&]+)$
#RewriteRule node.php index.php?q=node/view/%1 [L]
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "(^|/)\." - [F]
# Rewrite old-style URLs of the form 'module.php?mod=x'.
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{QUERY_STRING} ^mod=([^&]+)$
#RewriteRule module.php index.php?q=%1 [L]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
# To redirect all users to access the site WITH the 'www.' prefix,
# ( will be redirected to
# uncomment the following:
# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# ( will be redirected to
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Rewrite current-style URLs of the form 'index.php?q=x'.
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at uncomment and
# modify the following line:
# RewriteBase /drupal
# If your site is running in a VirtualDocumentRoot at,
# uncomment the following line:
# RewriteBase /
# Pass all requests not referring directly to files in the filesystem to
# index.php. Clean URLs are handled in drupal_environment_initialize().
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
# Add headers to all responses.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
All Drupal code is Copyright 2001 - 2013 by the original authors.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.
You should have received a copy of the GNU General Public License
along with this program as the file LICENSE.txt; if not, please see
Drupal is a registered trademark of Dries Buytaert.
Drupal includes works under other copyright notices and distributed
according to the terms of the GNU General Public License or a compatible
license, including:
Farbtastic - Copyright (c) 2010 Matt Farina
jQuery - Copyright (c) 2010 John Resig
jQuery BBQ - Copyright (c) 2010 "Cowboy" Ben Alman
jQuery Cookie - Copyright (c) 2006 Klaus Hartl
jQuery Form - Copyright (c) 2010 Mike Alsup
jQuery Once - Copyright (c) 2009 Konstantin K�fer
jQuery UI - Copyright (c) 2010 by the original authors
Sizzle.js - Copyright (c) 2010 The Dojo Foundation (
ArchiveTar - Copyright (c) 1997 - 2008 Vincent Blavet
This step is only necessary if you don't already have a database set up (e.g.,
by your host). In the following examples, 'username' is an example MySQL user
which has the CREATE and GRANT privileges. Use the appropriate user name for
your system.
First, you must create a new database for your Drupal site (here, 'databasename'
is the name of the new database):
mysqladmin -u username -p create databasename
MySQL will prompt for the 'username' database password and then create the
initial database files. Next you must log in and set the access database rights:
mysql -u username -p
Again, you will be asked for the 'username' database password. At the MySQL
prompt, enter the following command:
TO 'username'@'localhost' IDENTIFIED BY 'password';
'databasename' is the name of your database
'username' is the username of your MySQL account
'localhost' is the web server host where Drupal is installed
'password' is the password required for that username
Note: Unless the database user/host combination for your Drupal installation
has all of the privileges listed above (except possibly CREATE TEMPORARY TABLES,
which is currently only used by Drupal core automated tests and some
contributed modules), you will not be able to install or run Drupal.
If successful, MySQL will reply with:
Query OK, 0 rows affected
If the InnoDB storage engine is available, it will be used for all database
tables. InnoDB provides features over MyISAM such as transaction support,
row-level locks, and consistent non-locking reads.
Note that the database must be created with UTF-8 (Unicode) encoding.
This step is only necessary if you don't already have a user set up (e.g., by
your host), or want to create a new user for use with Drupal only. The
following command creates a new user named 'username' and asks for a password
for that user:
createuser --pwprompt --encrypted --no-createrole --no-createdb username
If there are no errors, then the command was successful.
This step is only necessary if you don't already have a database set up
(e.g., by your host) or want to create a new database for use with Drupal
only. The following command creates a new database named 'databasename',
which is owned by the previously created 'username':
createdb --encoding=UTF8 --owner=username databasename
If there are no errors, then the command was successful.
3. CREATE SCHEMA OR SCHEMAS (Optional advanced step)
Drupal will run across different schemas within your database if you so wish.
By default, Drupal runs inside the 'public' schema but you can use $db_prefix
inside settings.php to define a schema for Drupal to run inside of, or
specify tables that are shared inside of a separate schema. Drupal will not
create schemas for you. In fact, the user that Drupal runs as should not be
allowed to do this. You'll need to execute the SQL below as a superuser,
replace 'username' with the username that Drupal uses to connect to
PostgreSQL, and replace 'schema_name' with a schema name you wish to use,
such as 'shared':
Do this for as many schemas as you need. See default.settings.php for
instructions on how to set which tables use which schemas.
To use SQLite with your Drupal installation, the following requirements must be
met: Server has PHP 5.2 or later with PDO, and the PDO SQLite driver must be
The Drupal installer will create the SQLite database for you. The only
requirement is that the installer must have write permissions to the directory
where the database file resides. This directory (not just the database file) also
has to remain writeable by the web server going forward for SQLite to continue to
be able to operate.
On the "Database configuration" form in the "Database file" field, you must
supply the exact path to where you wish your database file to reside. It is
strongly suggested that you choose a path that is outside of the webroot, yet
ensure that the directory is writeable by the web server.
If you must place your database file in your webroot, you could try using the
following in your "Database file" field:
Note: The .ht in the name will tell Apache to prevent the database from being
downloaded. Please check that the file is, indeed, protected by your webserver.
If not, please consult the documentation of your webserver on how to protect a
file from downloading.
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
List of maintainers
- M: the maintainer
- S: status:
"supported" : someone is actually paid to look after this.
"maintained" : someone actually looks after it.
"fixes/patches" : it has a maintainer but they don't have time to
do much other than throw the odd patch in.
"orphan" : no current maintainer, but maybe you could take
the role as you write new code?
- W: website with status or information
M: James Walker <>
S: maintained
M: Alexander Schwartz <>
S: maintained
M: Moshe Weitzman <>
S: maintained
M: Steven Wittens <>
S: maintained
M: Gabor Hojtsy <>
S: maintained
M: Jonathan Chaffer <>
S: maintained
M: Matt Westgate <>
S: maintained
M: Adrian Rossouw <>
S: maintained
M: Jeremy Andrews <>
S: maintained
M: Hilko Bengen <>
S: maintained
M: Dries <>
Drupal core is built and maintained by the Drupal project community. Everyone is
encouraged to submit issues and changes (patches) to improve Drupal, and to
contribute in other ways -- see to find out
Branch maintainers
The Drupal Core branch maintainers oversee the development of Drupal as a whole.
The branch maintainers for Drupal 7 are:
- Dries Buytaert 'dries'
- Angela Byron 'webchick'
- Fabian Franz 'Fabianx'
- David Rothstein 'David_Rothstein'
- Stefan Ruijsenaars 'stefan.r'
Component maintainers
The Drupal Core component maintainers oversee the development of Drupal
subsystems. See for more
information on their responsibilities, and to find out how to become a component
maintainer. Current component maintainers for Drupal 7:
Ajax system
- Alex Bronstein 'effulgentsia'
- Earl Miles 'merlinofchaos'
Base system
- Damien Tournoud 'DamZ'
- Moshe Weitzman 'moshe weitzman'
Batch system
- Yves Chedemois 'yched'
Cache system
- Damien Tournoud 'DamZ'
- Nathaniel Catchpole 'catch'
Cron system
- Derek Wright 'dww'
Database system
- Larry Garfield 'Crell'
- MySQL driver
- Larry Garfield 'Crell'
- David Strauss 'David Strauss'
- PostgreSQL driver
- Damien Tournoud 'DamZ'
- Josh Waihi 'fiasco'
- Sqlite driver
- Damien Tournoud 'DamZ'
Database update system
- Ashok Modi 'BTMash'
Entity system
- Wolfgang Ziegler 'fago'
- Nathaniel Catchpole 'catch'
- Franz Heinzmann 'Frando'
File system
- Andrew Morton 'drewish'
- Aaron Winborn 'aaron'
Form system
- Alex Bronstein 'effulgentsia'
- Wolfgang Ziegler 'fago'
- Daniel F. Kudwien 'sun'
- Franz Heinzmann 'Frando'
Image system
- Andrew Morton 'drewish'
- Nathan Haug 'quicksketch'
Install system
- David Rothstein 'David_Rothstein'
- Théodore Biadala 'nod_'
- Steve De Jonghe 'seutje'
Language system
- Francesco Placella 'plach'
- Daniel F. Kudwien 'sun'
Lock system
- Damien Tournoud 'DamZ'
Mail system
- ?
- Jacine Luisi 'Jacine'
- Daniel F. Kudwien 'sun'
Menu system
- Peter Wolanin 'pwolanin'
Path system
- Dave Reid 'davereid'
- Nathaniel Catchpole 'catch'
Render system
- Moshe Weitzman 'moshe weitzman'
- Alex Bronstein 'effulgentsia'
- Franz Heinzmann 'Frando'
Theme system
- Earl Miles 'merlinofchaos'
- Alex Bronstein 'effulgentsia'
- Joon Park 'dvessel'
- John Albin Wilkins 'JohnAlbin'
Token system
- Dave Reid 'davereid'
XML-RPC system
- Frederic G. Marand 'fgm'
Topic coordinators
- Everett Zufelt 'Everett Zufelt'
- Brandon Bowersox-Johnson 'bowersox'
- Jennifer Hodgdon 'jhodgdon'
- Gerhard Killesreiter 'killes'
User experience and usability
- Roy Scholten 'yoroy'
- Bojhan Somers 'Bojhan'
Node Access
- Moshe Weitzman 'moshe weitzman'
- Ken Rickard 'agentrickard'
Security team
To report a security issue, see:
The Drupal security team provides Security Advisories for vulnerabilities,
assists developers in resolving security issues, and provides security
documentation. See for more information.
The security team lead is:
- Michael Hess 'mlhess'
Module maintainers
Aggregator module
- ?
Block module
- John Albin Wilkins 'JohnAlbin'
Blog module
- ?
Book module
- Peter Wolanin 'pwolanin'
Color module
- ?
Comment module
- Nathaniel Catchpole 'catch'
Contact module
- Dave Reid 'davereid'
Contextual module
- Daniel F. Kudwien 'sun'
Dashboard module
- ?
Database logging module
- Khalid Baheyeldin 'kbahey'
Field module
- Yves Chedemois 'yched'
- Barry Jaspan 'bjaspan'
Field UI module
- Yves Chedemois 'yched'
File module
- Aaron Winborn 'aaron'
Filter module
- Daniel F. Kudwien 'sun'
Forum module
- Lee Rowlands 'larowlan'
Help module
- ?
Image module
- Nathan Haug 'quicksketch'
Locale module
- Gábor Hojtsy 'Gábor Hojtsy'ábor-hojtsy
Menu module
- ?
Node module
- Moshe Weitzman 'moshe weitzman'
- David Strauss 'David Strauss'
OpenID module
- Vojtech Kusy 'wojtha'
- Christian Schmidt 'c960657'
- Damien Tournoud 'DamZ'
Overlay module
- Katherine Senzee 'ksenzee'
Path module
- Dave Reid 'davereid'
PHP module
- ?
Poll module
- Andrei Mateescu 'amateescu'
Profile module
- ?
RDF module
- Stéphane Corlosquet 'scor'
Search module
- Doug Green 'douggreen'
Shortcut module
- David Rothstein 'David_Rothstein'
Simpletest module
- Jimmy Berry 'boombatower'
Statistics module
- Tim Millwood 'timmillwood'
Syslog module
- Khalid Baheyeldin 'kbahey'
System module
- ?
Taxonomy module
- Nathaniel Catchpole 'catch'
- Benjamin Doherty 'bangpound'
Toolbar module
- ?
Tracker module
- David Strauss 'David Strauss'
Translation module
- Francesco Placella 'plach'
Trigger module
- ?
Update module
- Derek Wright 'dww'
User module
- Moshe Weitzman 'moshe weitzman'
- David Strauss 'David Strauss'
Theme maintainers
Bartik theme
- Jen Simmons 'jensimmons'
- Jeff Burns 'Jeff Burnz'
Garland theme
- John Albin Wilkins 'JohnAlbin'
Seven theme
- Jeff Burns 'Jeff Burnz'
Stark theme
- John Albin Wilkins 'JohnAlbin'
* About Drupal
* Configuration and features
* Installation profiles
* Appearance
* Developing for Drupal
Drupal is an open source content management platform supporting a variety of
websites ranging from personal weblogs to large community-driven websites. For
more information, see the Drupal website at, and join the
Drupal community at
Legal information about Drupal:
* Know your rights when using Drupal:
See LICENSE.txt in the same directory as this document.
* Learn about the Drupal trademark and logo policy:
Drupal core (what you get when you download and extract a drupal-x.y.tar.gz or file from has what you need to
get started with your website. It includes several modules (extensions that add
functionality) for common website features, such as managing content, user
accounts, image uploading, and search. Core comes with many options that allow
site-specific configuration. In addition to the core modules, there are
thousands of contributed modules (for functionality not included with Drupal
core) available for download.
More about configuration:
* Install, upgrade, and maintain Drupal:
See INSTALL.txt and UPGRADE.txt in the same directory as this document.
* Learn about how to use Drupal to create your site:
* Download contributed modules to sites/all/modules to extend Drupal's
* See also: "Developing for Drupal" for writing your own modules, below.
Installation profiles define additional steps (such as enabling modules,
defining content types, etc.) that run after the base installation provided
by core when Drupal is first installed. There are two basic installation
profiles provided with Drupal core.
Installation profiles from the Drupal community modify the installation process
to provide a website for a specific use case, such as a CMS for media
publishers, a web-based project tracking tool, or a full-fledged CRM for
non-profit organizations raising money and accepting donations. They can be
distributed as bare installation profiles or as "distributions". Distributions
include Drupal core, the installation profile, and all other required
extensions, such as contributed and custom modules, themes, and third-party
libraries. Bare installation profiles require you to download Drupal Core and
the required extensions separately; place the downloaded profile in the
/profiles directory before you start the installation process. Note that the
contents of this directory may be overwritten during updates of Drupal core;
it is advised to keep code backups or use a version control system.
Additionally, modules and themes may be placed inside subdirectories in a
specific installation profile such as profiles/your_site_profile/modules and
profiles/your_site_profile/themes respectively to restrict their usage to only
sites that were installed with that specific profile.
More about installation profiles and distributions:
* Read about the difference between installation profiles and distributions:
* Download contributed installation profiles and distributions:
* Develop your own installation profile or distribution:
In Drupal, the appearance of your site is set by the theme (themes are
extensions that set fonts, colors, and layout). Drupal core comes with several
themes. More themes are available for download, and you can also create your own
custom theme.
More about themes:
* Download contributed themes to sites/all/themes to modify Drupal's
* Develop your own theme:
Drupal contains an extensive API that allows you to add to and modify the
functionality of your site. The API consists of "hooks", which allow modules to
react to system events and customize Drupal's behavior, and functions that
standardize common operations such as database queries and form generation. The
flexible hook architecture means that you should never need to directly modify
the files that come with Drupal core to achieve the functionality you want;
instead, functionality modifications take the form of modules.
When you need new functionality for your Drupal site, search for existing
contributed modules. If you find a module that matches except for a bug or an
additional needed feature, change the module and contribute your improvements
back to the project in the form of a "patch". Create new custom modules only
when nothing existing comes close to what you need.
More about developing:
* Search for existing contributed modules:
* Contribute a patch:
* Develop your own module:
* Follow best practices:
* Refer to the API documentation:
This document describes how to:
* Update your Drupal site from one minor 7.x version to another minor 7.x
version; for example, from 7.8 to 7.9, or from 7.6 to 7.10.
* Upgrade your Drupal site's major version from 6.x to 7.x.
First steps and definitions:
* If you are upgrading to Drupal version x.y, then x is known as the major
version number, and y is known as the minor version number. The download
file will be named drupal-x.y.tar.gz (or
* All directories mentioned in this document are relative to the directory of
your Drupal installation.
* Make a full backup of all files, directories, and your database(s) before
starting, and save it outside your Drupal installation directory.
Instructions may be found at
* It is wise to try an update or upgrade on a test copy of your site before
applying it to your live site. Even minor updates can cause your site's
behavior to change.
* Each new release of Drupal has release notes, which explain the changes made
since the previous version and any special instructions needed to update or
upgrade to the new version. You can find a link to the release notes for the
version you are upgrading or updating to on the Drupal project page
If you encounter errors during this process,
* Note any error messages you see.
* Restore your site to its previous state, using the file and database backups
you created before you started the upgrade process. Do not attempt to do
further upgrades on a site that had update problems.
* Consult one of the support options listed on
More in-depth information on upgrading can be found at
To update from one minor 7.x version of Drupal to any later 7.x version, after
following the instructions in the INTRODUCTION section at the top of this file:
1. Log in as a user with the permission "Administer software updates".
2. Go to Administration > Configuration > Development > Maintenance mode.
Enable the "Put site into maintenance mode" checkbox and save the
3. Remove all old core files and directories, except for the 'sites' directory
and any custom files you added elsewhere.
If you made modifications to files like .htaccess or robots.txt, you will
need to re-apply them from your backup, after the new files are in place.
Sometimes an update includes changes to default.settings.php (this will be
noted in the release notes). If that's the case, follow these steps:
- Locate your settings.php file in the /sites/* directory. (Typically
- Make a backup copy of your settings.php file, with a different file name.
- Make a copy of the new default.settings.php file, and name the copy
settings.php (overwriting your previous settings.php file).
- Copy the custom and site-specific entries from the backup you made into the
new settings.php file. You will definitely need the lines giving the
database information, and you will also want to copy in any other
customizations you have added.
You can find the release notes for your version at At bottom of the project page under
"Downloads" use the link for your version of Drupal to view the release
notes. If your version is not listed, use the 'View all releases' link. From
this page you can scroll down or use the filter to find your version and its
release notes.
4. Download the latest Drupal 7.x release from to a
directory outside of your web root. Extract the archive and copy the files
into your Drupal directory.
On a typical Unix/Linux command line, use the following commands to download
and extract:
tar -zxvf drupal-x.y.tar.gz
This creates a new directory drupal-x.y/ containing all Drupal files and
directories. Copy the files into your Drupal installation directory:
cp -R drupal-x.y/* drupal-x.y/.htaccess /path/to/your/installation
If you do not have command line access to your server, download the archive
from using your web browser, extract it, and then use an
FTP client to upload the files to your web root.
5. Re-apply any modifications to files such as .htaccess or robots.txt.
6. Run update.php by visiting (replace with your domain name). This will update the core database
If you are unable to access update.php do the following:
- Open settings.php with a text editor.
- Find the line that says:
$update_free_access = FALSE;
- Change it into:
$update_free_access = TRUE;
- Once the upgrade is done, $update_free_access must be reverted to FALSE.
7. Go to Administration > Reports > Status report. Verify that everything is
working as expected.
8. Ensure that $update_free_access is FALSE in settings.php.
9. Go to Administration > Configuration > Development > Maintenance mode.
Disable the "Put site into maintenance mode" checkbox and save the
To upgrade from a previous major version of Drupal to Drupal 7.x, after
following the instructions in the INTRODUCTION section at the top of this file:
1. Check on the Drupal 7 status of your contributed and custom modules and
themes. See for information on upgrading
contributed modules and themes. See for a list
of modules that have been moved into core for Drupal 7, and instructions on
how to update them. See for information on
how to update your custom modules, and for
custom themes.
You may decide at this point that you cannot upgrade your site, because
needed modules or themes are not ready for Drupal 7.
2. Update to the latest available version of Drupal 6.x (if your current version
is Drupal 5.x, you have to upgrade to 6.x first). If you need to update,
download Drupal 6.x and follow the instructions in its UPGRADE.txt. This
document only applies for upgrades from 6.x to 7.x.
3. In addition to updating to the latest available version of Drupal 6.x core,
you must also upgrade all of your contributed modules for Drupal to their
latest Drupal 6.x versions.
4. Log in as user ID 1 (the site maintenance user).
5. Go to Administer > Site configuration > Site maintenance. Select
"Off-line" and save the configuration.
6. Go to Administer > Site building > Themes. Enable "Garland" and select it as
the default theme.
7. Go to Administer > Site building > Modules. Disable all modules that are not
listed under "Core - required" or "Core - optional". It is possible that some
modules cannot be disabled, because others depend on them. Repeat this step
until all non-core modules are disabled.
If you know that you will not re-enable some modules for Drupal 7.x and you
no longer need their data, then you can uninstall them under the Uninstall
tab after disabling them.
8. On the command line or in your FTP client, remove the file
9. Remove all old core files and directories, except for the 'sites' directory
and any custom files you added elsewhere.
If you made modifications to files like .htaccess or robots.txt, you will
need to re-apply them from your backup, after the new files are in place.
10. If you uninstalled any modules, remove them from the sites/all/modules and
other sites/*/modules directories. Leave other modules in place, even though
they are incompatible with Drupal 7.x.
11. Download the latest Drupal 7.x release from to a
directory outside of your web root. Extract the archive and copy the files
into your Drupal directory.
On a typical Unix/Linux command line, use the following commands to download
and extract:
tar -zxvf drupal-x.y.tar.gz
This creates a new directory drupal-x.y/ containing all Drupal files and
directories. Copy the files into your Drupal installation directory:
cp -R drupal-x.y/* drupal-x.y/.htaccess /path/to/your/installation
If you do not have command line access to your server, download the archive
from using your web browser, extract it, and then use an
FTP client to upload the files to your web root.
12. Re-apply any modifications to files such as .htaccess or robots.txt.
13. Make your settings.php file writeable, so that the update process can
convert it to the format of Drupal 7.x. settings.php is usually located in
14. Run update.php by visiting (replace with your domain name). This will update the core database
If you are unable to access update.php do the following:
- Open settings.php with a text editor.
- Find the line that says:
$update_free_access = FALSE;
- Change it into:
$update_free_access = TRUE;
- Once the upgrade is done, $update_free_access must be reverted to FALSE.
15. Backup your database after the core upgrade has run.
16. Replace and update your non-core modules and themes, following the
procedures at
17. Go to Administration > Reports > Status report. Verify that everything is
working as expected.
18. Ensure that $update_free_access is FALSE in settings.php.
19. Go to Administration > Configuration > Development > Maintenance mode.
Disable the "Put site into maintenance mode" checkbox and save the
To get started with Drupal 7 administration, visit
* @file
* Administrative script for running authorized file operations.
* Using this script, the site owner (the user actually owning the files on the
* webserver) can authorize certain file-related operations to proceed with
* elevated privileges, for example to deploy and upgrade modules or themes.
* Users should not visit this page directly, but instead use an administrative
* user interface which knows how to redirect the user to this script as part of
* a multistep process. This script actually performs the selected operations
* without loading all of Drupal, to be able to more gracefully recover from
* errors. Access to the script is controlled by a global killswitch in
* settings.php ('allow_authorize_operations') and via the 'administer software
* updates' permission.
* There are helper functions for setting up an operation to run via this
* system in modules/system/system.module. For more information, see:
* @link authorize Authorized operation helper functions @endlink
* Defines the root directory of the Drupal installation.
define('DRUPAL_ROOT', getcwd());
* Global flag to identify update.php and authorize.php runs.
* Identifies update.php and authorize.php runs, avoiding unwanted operations
* such as hook_init() and hook_exit() invokes, css/js preprocessing and
* translation, and solves some theming issues. The flag is checked in other
* places in Drupal code (not just authorize.php).
define('MAINTENANCE_MODE', 'update');
* Renders a 403 access denied page for authorize.php.
function authorize_access_denied_page() {
drupal_add_http_header('Status', '403 Forbidden');
watchdog('access denied', 'authorize.php', NULL, WATCHDOG_WARNING);
drupal_set_title('Access denied');
return t('You are not allowed to access this page.');
* Determines if the current user is allowed to run authorize.php.
* The killswitch in settings.php overrides all else, otherwise, the user must
* have access to the 'administer software updates' permission.
* @return
* TRUE if the current user can run authorize.php, and FALSE if not.
function authorize_access_allowed() {
return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates');
// *** Real work of the script begins here. ***
require_once DRUPAL_ROOT . '/includes/';
require_once DRUPAL_ROOT . '/includes/';
require_once DRUPAL_ROOT . '/includes/';
require_once DRUPAL_ROOT . '/includes/';
require_once DRUPAL_ROOT . '/includes/';
// We prepare only a minimal bootstrap. This includes the database and
// variables, however, so we have access to the class autoloader registry.
// This must go after drupal_bootstrap(), which unsets globals!
global $conf;
// We have to enable the user and system modules, even to check access and
// display errors via the maintenance theme.
$module_list['system']['filename'] = 'modules/system/system.module';
$module_list['user']['filename'] = 'modules/user/user.module';
module_list(TRUE, FALSE, FALSE, $module_list);
drupal_load('module', 'system');
drupal_load('module', 'user');
// We also want to have the language system available, but we do *NOT* want to
// actually call drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE), since that would
// also force us through the DRUPAL_BOOTSTRAP_PAGE_HEADER phase, which loads
// all the modules, and that's exactly what we're trying to avoid.
// Initialize the maintenance theme for this administrative script.
$output = '';
$show_messages = TRUE;
if (authorize_access_allowed()) {
// Load both the Form API and Batch API.
require_once DRUPAL_ROOT . '/includes/';
require_once DRUPAL_ROOT . '/includes/';
// Load the code that drives the authorize process.
require_once DRUPAL_ROOT . '/includes/';
// For the sake of Batch API and a few other low-level functions, we need to
// initialize the URL path into $_GET['q']. However, we do not want to raise
// our bootstrap level, nor do we want to call drupal_initialize_path(),
// since that is assuming that modules are loaded and invoking hooks.
// However, all we really care is if we're in the middle of a batch, in which
// case $_GET['q'] will already be set, we just initialize it to an empty
// string if it's not already defined.
if (!isset($_GET['q'])) {
$_GET['q'] = '';
if (isset($_SESSION['authorize_operation']['page_title'])) {
else {
drupal_set_title(t('Authorize file system changes'));
// See if we've run the operation and need to display a report.
if (isset($_SESSION['authorize_results']) && $results = $_SESSION['authorize_results']) {
// Clear the session out.
if (!empty($results['page_title'])) {
if (!empty($results['page_message'])) {
drupal_set_message($results['page_message']['message'], $results['page_message']['type']);
$output = theme('authorize_report', array('messages' => $results['messages']));
$links = array();
if (is_array($results['tasks'])) {
$links += $results['tasks'];
else {
$links = array_merge($links, array(
l(t('Administration pages'), 'admin'),
l(t('Front page'), '<front>'),
$output .= theme('item_list', array('items' => $links, 'title' => t('Next steps')));
// If a batch is running, let it run.
elseif (isset($_GET['batch'])) {
$output = _batch_page();
else {
if (empty($_SESSION['authorize_operation']) || empty($_SESSION['authorize_filetransfer_info'])) {
$output = t('It appears you have reached this page in error.');
elseif (!$batch = batch_get()) {
// We have a batch to process, show the filetransfer form.
$elements = drupal_get_form('authorize_filetransfer_form');
$output = drupal_render($elements);
// We defer the display of messages until all operations are done.
$show_messages = !(($batch = batch_get()) && isset($batch['running']));
else {
$output = authorize_access_denied_page();
if (!empty($output)) {
print theme('update_page', array('content' => $output, 'show_messages' => $show_messages));
* @file
* Handles incoming requests to fire off regularly-scheduled tasks (cron jobs).
include_once 'includes/';
* Root directory of Drupal installation.
define('DRUPAL_ROOT', getcwd());
include_once DRUPAL_ROOT . '/includes/';
// If not in 'safe mode', increase the maximum execution time:
if (!ini_get('safe_mode')) {
if (!isset($_GET['cron_key']) || variable_get('cron_key', 'drupal') != $_GET['cron_key']) {
watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE);
// Check if the last cron run completed
if (variable_get('cron_busy', false)) {
watchdog('cron', t('Last cron run did not complete.'), WATCHDOG_WARNING);
elseif (variable_get('maintenance_mode', 0)) {
watchdog('cron', 'Cron could not run because the site is in maintenance mode.', array(), WATCHDOG_NOTICE);
else {
variable_set('cron_busy', true);
// Iterate through the modules calling their cron handlers (if any):
// Clean up
variable_set('cron_busy', false);
watchdog('cron', t('Cron run completed'));
* @file
* This is the actions engine for executing stored actions.
* @defgroup actions Actions
* @{
* Functions that perform an action on a certain system object.
* Action functions are declared by modules by implementing hook_action_info().
* Modules can cause action functions to run by calling actions_do(), and
* trigger.module provides a user interface that lets administrators define
* events that cause action functions to run.
* Each action function takes two to four arguments:
* - $entity: The object that the action acts on, such as a node, comment, or
* user.
* - $context: Array of additional information about what triggered the action.
* - $a1, $a2: Optional additional information, which can be passed into
* actions_do() and will be passed along to the action function.
* @}
* Performs a given list of actions by executing their callback functions.
* Given the IDs of actions to perform, this function finds out what the
* callback functions for the actions are by querying the database. Then
* it calls each callback using the function call $function($object, $context,
* $a1, $a2), passing the input arguments of this function (see below) to the
* action function.
* @param $action_ids
* The IDs of the actions to perform. Can be a single action ID or an array
* of IDs. IDs of configurable actions must be given as numeric action IDs;
* IDs of non-configurable actions may be given as action function names.
* @param $object
* The object that the action will act on: a node, user, or comment object.
* @param $context
* Associative array containing extra information about what triggered
* the action call, with $context['hook'] giving the name of the hook
* that resulted in this call to actions_do().
* @param $a1
* Passed along to the callback.
* @param $a2
* Passed along to the callback.
* @return
* An associative array containing the results of the functions that
* perform the actions, keyed on action ID.
* @ingroup actions
function actions_do($action_ids, $object = NULL, $context = NULL, $a1 = NULL, $a2 = NULL) {
// $stack tracks the number of recursive calls.
static $stack;
if ($stack > variable_get('actions_max_stack', 35)) {
watchdog('actions', 'Stack overflow: too many calls to actions_do(). Aborting to prevent infinite recursion.', array(), WATCHDOG_ERROR);
$actions = array();
$available_actions = actions_list();
$actions_result = array();
if (is_array($action_ids)) {
$conditions = array();
foreach ($action_ids as $action_id) {
if (is_numeric($action_id)) {
$conditions[] = $action_id;
elseif (isset($available_actions[$action_id])) {
$actions[$action_id] = $available_actions[$action_id];
// When we have action instances we must go to the database to retrieve
// instance data.
if (!empty($conditions)) {
$query = db_select('actions');
$query->addField('actions', 'aid');
$query->addField('actions', 'type');
$query->addField('actions', 'callback');
$query->addField('actions', 'parameters');
$query->condition('aid', $conditions, 'IN');
$result = $query->execute();
foreach ($result as $action) {
$actions[$action->aid] = $action->parameters ? unserialize($action->parameters) : array();
$actions[$action->aid]['callback'] = $action->callback;
$actions[$action->aid]['type'] = $action->type;
// Fire actions, in no particular order.
foreach ($actions as $action_id => $params) {
// Configurable actions need parameters.
if (is_numeric($action_id)) {
$function = $params['callback'];
if (function_exists($function)) {
$context = array_merge($context, $params);
$actions_result[$action_id] = $function($object, $context, $a1, $a2);
else {
$actions_result[$action_id] = FALSE;
// Singleton action; $action_id is the function name.
else {
$actions_result[$action_id] = $action_id($object, $context, $a1, $a2);
// Optimized execution of a single action.
else {
// If it's a configurable action, retrieve stored parameters.
if (is_numeric($action_ids)) {
$action = db_query("SELECT callback, parameters FROM {actions} WHERE aid = :aid", array(':aid' => $action_ids))->fetchObject();
$function = $action->callback;
if (function_exists($function)) {
$context = array_merge($context, unserialize($action->parameters));
$actions_result[$action_ids] = $function($object, $context, $a1, $a2);
else {
$actions_result[$action_ids] = FALSE;
// Singleton action; $action_ids is the function name.
else {
if (function_exists($action_ids)) {
$actions_result[$action_ids] = $action_ids($object, $context, $a1, $a2);
else {
// Set to avoid undefined index error messages later.
$actions_result[$action_ids] = FALSE;
return $actions_result;
* Discovers all available actions by invoking hook_action_info().
* This function contrasts with actions_get_all_actions(); see the
* documentation of actions_get_all_actions() for an explanation.
* @param $reset
* Reset the action info static cache.
* @return
* An associative array keyed on action function name, with the same format
* as the return value of hook_action_info(), containing all
* modules' hook_action_info() return values as modified by any
* hook_action_info_alter() implementations.
* @see hook_action_info()
function actions_list($reset = FALSE) {
$actions = &drupal_static(__FUNCTION__);
if (!isset($actions) || $reset) {
$actions = module_invoke_all('action_info');
drupal_alter('action_info', $actions);
// See module_implements() for an explanation of this cast.
return (array) $actions;
* Retrieves all action instances from the database.
* This function differs from the actions_list() function, which gathers
* actions by invoking hook_action_info(). The actions returned by this
* function and the actions returned by actions_list() are partially
* synchronized. Non-configurable actions from hook_action_info()
* implementations are put into the database when actions_synchronize() is
* called, which happens when admin/config/system/actions is visited.
* Configurable actions are not added to the database until they are configured
* in the user interface, in which case a database row is created for each
* configuration of each action.
* @return
* Associative array keyed by numeric action ID. Each value is an associative
* array with keys 'callback', 'label', 'type' and 'configurable'.
function actions_get_all_actions() {
$actions = db_query("SELECT aid, type, callback, parameters, label FROM {actions}")->fetchAllAssoc('aid', PDO::FETCH_ASSOC);
foreach ($actions as &$action) {
$action['configurable'] = (bool) $action['parameters'];
return $actions;
* Creates an associative array keyed by hashes of function names or IDs.
* Hashes are used to prevent actual function names from going out into HTML
* forms and coming back.
* @param $actions
* An associative array with function names or action IDs as keys
* and associative arrays with keys 'label', 'type', etc. as values.
* This is usually the output of actions_list() or actions_get_all_actions().
* @return
* An associative array whose keys are hashes of the input array keys, and
* whose corresponding values are associative arrays with components
* 'callback', 'label', 'type', and 'configurable' from the input array.
function actions_actions_map($actions) {
$actions_map = array();
foreach ($actions as $callback => $array) {
$key = drupal_hash_base64($callback);
$actions_map[$key]['callback'] = isset($array['callback']) ? $array['callback'] : $callback;
$actions_map[$key]['label'] = $array['label'];
$actions_map[$key]['type'] = $array['type'];
$actions_map[$key]['configurable'] = $array['configurable'];
return $actions_map;
* Returns an action array key (function or ID), given its hash.
* Faster than actions_actions_map() when you only need the function name or ID.
* @param $hash
* Hash of a function name or action ID array key. The array key
* is a key into the return value of actions_list() (array key is the action
* function name) or actions_get_all_actions() (array key is the action ID).
* @return
* The corresponding array key, or FALSE if no match is found.
function actions_function_lookup($hash) {
// Check for a function name match.
$actions_list = actions_list();
foreach ($actions_list as $function => $array) {
if (drupal_hash_base64($function) == $hash) {
return $function;
$aid = FALSE;
// Must be a configurable action; check database.
$result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC);
foreach ($result as $row) {
if (drupal_hash_base64($row['aid']) == $hash) {
$aid = $row['aid'];
return $aid;
* Synchronizes actions that are provided by modules in hook_action_info().
* Actions provided by modules in hook_action_info() implementations are
* synchronized with actions that are stored in the actions database table.
* This is necessary so that actions that do not require configuration can
* receive action IDs.
* @param $delete_orphans
* If TRUE, any actions that exist in the database but are no longer
* found in the code (for example, because the module that provides them has
* been disabled) will be deleted.
function actions_synchronize($delete_orphans = FALSE) {
$actions_in_code = actions_list(TRUE);
$actions_in_db = db_query("SELECT aid, callback, label FROM {actions} WHERE parameters = ''")->fetchAllAssoc('callback', PDO::FETCH_ASSOC);
// Go through all the actions provided by modules.
foreach ($actions_in_code as $callback => $array) {
// Ignore configurable actions since their instances get put in when the
// user adds the action.
if (!$array['configurable']) {
// If we already have an action ID for this action, no need to assign aid.
if (isset($actions_in_db[$callback])) {
else {
// This is a new singleton that we don't have an aid for; assign one.
'aid' => $callback,
'type' => $array['type'],
'callback' => $callback,
'parameters' => '',
'label' => $array['label'],
watchdog('actions', "Action '%action' added.", array('%action' => $array['label']));
// Any actions that we have left in $actions_in_db are orphaned.
if ($actions_in_db) {
$orphaned = array_keys($actions_in_db);
if ($delete_orphans) {
$actions = db_query('SELECT aid, label FROM {actions} WHERE callback IN (:orphaned)', array(':orphaned' => $orphaned))->fetchAll();
foreach ($actions as $action) {
watchdog('actions', "Removed orphaned action '%action' from database.", array('%action' => $action->label));
else {
$link = l(t('Remove orphaned actions'), 'admin/config/system/actions/orphan');
$count = count($actions_in_db);
$orphans = implode(', ', $orphaned);
watchdog('actions', '@count orphaned actions (%orphans) exist in the actions table. !link', array('@count' => $count, '%orphans' => $orphans, '!link' => $link), WATCHDOG_INFO);
* Saves an action and its user-supplied parameter values to the database.
* @param $function
* The name of the function to be called when this action is performed.
* @param $type
* The type of action, to describe grouping and/or context, e.g., 'node',
* 'user', 'comment', or 'system'.
* @param $params
* An associative array with parameter names as keys and parameter values as
* values.
* @param $label
* A user-supplied label of this particular action, e.g., 'Send e-mail
* to Jim'.
* @param $aid
* The ID of this action. If omitted, a new action is created.
* @return
* The ID of the action.
function actions_save($function, $type, $params, $label, $aid = NULL) {
// aid is the callback for singleton actions so we need to keep a separate
// table for numeric aids.
if (!$aid) {
$aid = db_next_id();
->key(array('aid' => $aid))
'callback' => $function,
'type' => $type,
'parameters' => serialize($params),
'label' => $label,
watchdog('actions', 'Action %action saved.', array('%action' => $label));
return $aid;
* Retrieves a single action from the database.
* @param $aid
* The ID of the action to retrieve.
* @return
* The appropriate action row from the database as an object.
function actions_load($aid) {
return db_query("SELECT aid, type, callback, parameters, label FROM {actions} WHERE aid = :aid", array(':aid' => $aid))->fetchObject();
* Deletes a single action from the database.
* @param $aid
* The ID of the action to delete.
function actions_delete($aid) {
->condition('aid', $aid)
module_invoke_all('actions_delete', $aid);
This diff is collapsed.