From c3011cef61345b1c9dfc9e399ae62f01e9628acb Mon Sep 17 00:00:00 2001
From: Bachir Soussi Chiadmi <bachir@g-u-i.net>
Date: Mon, 7 Jul 2014 18:53:44 +0200
Subject: [PATCH] drupal core updated to 7.28

---
 CHANGELOG.txt                                 |  116 +
 COPYRIGHT.txt                                 |    2 +-
 README.txt                                    |   12 +-
 includes/ajax.inc                             |   59 +-
 includes/bootstrap.inc                        |  120 +-
 includes/common.inc                           |   94 +-
 includes/database/database.inc                |   25 +-
 includes/database/mysql/database.inc          |    2 +-
 includes/database/mysql/query.inc             |    3 +-
 includes/database/pgsql/database.inc          |    2 +-
 includes/database/pgsql/query.inc             |    3 +-
 includes/database/query.inc                   |   87 +-
 includes/database/select.inc                  |    2 +-
 includes/database/sqlite/database.inc         |    2 +-
 includes/database/sqlite/query.inc            |    3 +-
 includes/entity.inc                           |   32 +-
 includes/entity.inc.orig                      | 1360 ------
 includes/errors.inc                           |    2 +-
 includes/file.inc                             |  127 +-
 includes/filetransfer/ftp.inc                 |    6 +-
 includes/form.inc                             |   91 +-
 includes/install.core.inc                     |   26 +-
 includes/install.inc                          |    1 -
 includes/iso.inc                              |    5 +-
 includes/language.inc                         |    5 +-
 includes/mail.inc                             |   13 +-
 includes/menu.inc                             |   24 +-
 includes/path.inc                             |    4 +-
 includes/registry.inc                         |    9 +-
 includes/session.inc                          |    8 +-
 includes/stream_wrappers.inc                  |   42 +-
 misc/ajax.js                                  |    7 +
 misc/states.js                                |    2 +-
 modules/aggregator/aggregator.info            |    6 +-
 modules/aggregator/aggregator.install         |   10 +
 modules/aggregator/aggregator.test            |   17 +-
 modules/aggregator/tests/aggregator_test.info |    6 +-
 .../tests/aggregator_test_title_entities.xml  |   14 +
 modules/block/block.api.php                   |   30 +-
 modules/block/block.info                      |    6 +-
 modules/block/block.module                    |   32 +-
 modules/block/block.test                      |  122 +-
 modules/block/tests/block_test.info           |    6 +-
 modules/block/tests/block_test.module         |   31 +
 .../block_test_theme/block_test_theme.info    |    6 +-
 modules/blog/blog.info                        |    6 +-
 modules/blog/blog.test                        |   40 +-
 modules/book/book.info                        |    6 +-
 modules/color/color.info                      |    6 +-
 modules/color/color.module                    |   49 +-
 modules/comment/comment.info                  |    6 +-
 modules/comment/comment.module                |    4 +-
 modules/comment/comment.test                  |   32 +-
 modules/contact/contact.info                  |    6 +-
 modules/contextual/contextual.info            |    6 +-
 modules/dashboard/dashboard.api.php           |    2 +-
 modules/dashboard/dashboard.info              |    6 +-
 modules/dashboard/dashboard.test              |   38 +-
 modules/dblog/dblog.info                      |    6 +-
 modules/dblog/dblog.test                      |    2 +-
 modules/field/field.api.php                   |   69 +-
 modules/field/field.attach.inc                |    6 +
 modules/field/field.info                      |    6 +-
 modules/field/field.module                    |    4 +-
 .../field_sql_storage/field_sql_storage.info  |    6 +-
 modules/field/modules/list/list.info          |    6 +-
 .../field/modules/list/tests/list_test.info   |    6 +-
 modules/field/modules/number/number.info      |    6 +-
 modules/field/modules/options/options.info    |    6 +-
 modules/field/modules/options/options.test    |    2 +-
 modules/field/modules/text/text.info          |    6 +-
 modules/field/tests/field_test.info           |    6 +-
 modules/field/tests/field_test.install        |    4 +-
 modules/field_ui/field_ui.admin.inc           |    4 +-
 modules/field_ui/field_ui.info                |    6 +-
 modules/field_ui/field_ui.module              |    2 +-
 modules/file/file.field.inc                   |   16 +-
 modules/file/file.info                        |    6 +-
 modules/file/file.js                          |    2 +-
 modules/file/file.module                      |    3 +-
 modules/file/tests/file_module_test.info      |    6 +-
 modules/filter/filter.info                    |    6 +-
 modules/filter/filter.module                  |    4 +-
 modules/forum/forum.info                      |    6 +-
 modules/help/help.info                        |    6 +-
 modules/image/image.admin.inc                 |   16 +-
 modules/image/image.field.inc                 |    2 +-
 modules/image/image.info                      |    6 +-
 modules/image/image.module                    |   12 +-
 modules/image/image.test                      |   16 +-
 modules/image/tests/image_module_test.info    |    6 +-
 modules/locale/locale.admin.inc               |    4 +-
 modules/locale/locale.info                    |    6 +-
 modules/locale/locale.test                    |    2 +-
 modules/locale/tests/locale_test.info         |    6 +-
 modules/menu/menu.admin.inc                   |    6 +-
 modules/menu/menu.info                        |    6 +-
 modules/node/content_types.inc                |    6 +-
 modules/node/node.admin.inc                   |    2 +
 modules/node/node.api.php                     |   36 +-
 modules/node/node.info                        |    6 +-
 modules/node/node.install                     |    8 +
 modules/node/node.module                      |   25 +-
 modules/node/node.pages.inc                   |    1 +
 modules/node/node.test                        |  122 +
 modules/node/node.tokens.inc                  |   23 +-
 modules/node/tests/node_access_test.info      |    6 +-
 modules/node/tests/node_test.info             |    6 +-
 modules/node/tests/node_test.module           |   18 +
 modules/node/tests/node_test_exception.info   |    6 +-
 modules/openid/openid.inc                     |   23 +-
 modules/openid/openid.info                    |    6 +-
 modules/openid/openid.install                 |   76 +-
 modules/openid/openid.module                  |    3 +-
 modules/openid/openid.test                    |    7 -
 modules/openid/tests/openid_test.info         |    6 +-
 modules/openid/tests/openid_test.install      |    2 +-
 modules/overlay/overlay.info                  |    6 +-
 modules/overlay/overlay.module                |    4 +
 modules/path/path.info                        |    6 +-
 modules/php/php.info                          |    6 +-
 modules/php/php.module                        |    2 +-
 modules/poll/poll.info                        |    6 +-
 modules/profile/profile.info                  |    6 +-
 modules/profile/profile.module                |    1 +
 modules/profile/profile.pages.inc             |   13 +-
 modules/profile/profile.test                  |   76 +-
 modules/rdf/rdf.info                          |    6 +-
 modules/rdf/rdf.module                        |    2 +-
 modules/rdf/rdf.test                          |   11 +-
 modules/rdf/tests/rdf_test.info               |    6 +-
 modules/search/search-result.tpl.php          |    2 +-
 modules/search/search.extender.inc            |   54 +-
 modules/search/search.info                    |    6 +-
 modules/search/search.test                    |   63 +-
 .../search/tests/search_embedded_form.info    |    6 +-
 modules/search/tests/search_extra_type.info   |    6 +-
 modules/shortcut/shortcut.admin.inc           |    2 +-
 modules/shortcut/shortcut.info                |    6 +-
 modules/simpletest/drupal_web_test_case.php   |   39 +-
 .../css_input_with_import.css.unoptimized.css |   10 +
 .../css_subfolder/css_input_with_import.css   |   29 +
 .../css_input_with_import.css.optimized.css   |    6 +
 .../css_input_with_import.css.unoptimized.css |   39 +
 modules/simpletest/simpletest.info            |    7 +-
 .../simpletest/tests/actions_loop_test.info   |    6 +-
 modules/simpletest/tests/ajax.test            |   79 +
 modules/simpletest/tests/ajax_forms_test.info |    6 +-
 modules/simpletest/tests/ajax_test.info       |    6 +-
 modules/simpletest/tests/batch_test.info      |    6 +-
 modules/simpletest/tests/bootstrap.test       |   12 +
 modules/simpletest/tests/common.test          |   78 +-
 modules/simpletest/tests/common_test.info     |    6 +-
 .../tests/common_test_cron_helper.info        |    6 +-
 modules/simpletest/tests/database_test.info   |    6 +-
 .../simpletest/tests/database_test.install    |    3 +
 modules/simpletest/tests/database_test.test   |   81 +-
 ...drupal_system_listing_compatible_test.info |    6 +-
 ...upal_system_listing_incompatible_test.info |    6 +-
 .../simpletest/tests/entity_cache_test.info   |    6 +-
 .../tests/entity_cache_test_dependency.info   |    6 +-
 modules/simpletest/tests/entity_crud.test     |   49 +
 .../tests/entity_crud_hook_test.info          |    6 +-
 .../tests/entity_query_access_test.info       |    6 +-
 modules/simpletest/tests/error_test.info      |    6 +-
 modules/simpletest/tests/file.test            |    4 +-
 modules/simpletest/tests/file_test.info       |    6 +-
 modules/simpletest/tests/filter_test.info     |    6 +-
 modules/simpletest/tests/form.test            |  223 +-
 modules/simpletest/tests/form_test.info       |    6 +-
 modules/simpletest/tests/form_test.module     |  101 +
 modules/simpletest/tests/image_test.info      |    6 +-
 modules/simpletest/tests/mail.test            |   25 +
 modules/simpletest/tests/menu.test            |    4 +-
 modules/simpletest/tests/menu_test.info       |    6 +-
 modules/simpletest/tests/module_test.info     |    6 +-
 modules/simpletest/tests/path_test.info       |    6 +-
 .../tests/psr_0_test/psr_0_test.info          |    6 +-
 .../simpletest/tests/requirements1_test.info  |    6 +-
 .../simpletest/tests/requirements2_test.info  |    6 +-
 modules/simpletest/tests/session.test         |    3 +-
 modules/simpletest/tests/session_test.info    |    6 +-
 .../tests/system_dependencies_test.info       |    6 +-
 ...atible_core_version_dependencies_test.info |    6 +-
 ...system_incompatible_core_version_test.info |    6 +-
 ...ible_module_version_dependencies_test.info |    6 +-
 ...stem_incompatible_module_version_test.info |    6 +-
 modules/simpletest/tests/system_test.info     |    6 +-
 modules/simpletest/tests/system_test.module   |   19 +-
 modules/simpletest/tests/taxonomy_test.info   |    6 +-
 modules/simpletest/tests/theme_test.info      |    6 +-
 .../themes/test_basetheme/test_basetheme.info |    6 +-
 .../themes/test_subtheme/test_subtheme.info   |    6 +-
 .../tests/themes/test_theme/test_theme.info   |    6 +-
 .../simpletest/tests/update_script_test.info  |    6 +-
 modules/simpletest/tests/update_test_1.info   |    6 +-
 modules/simpletest/tests/update_test_2.info   |    6 +-
 modules/simpletest/tests/update_test_3.info   |    6 +-
 .../tests/upgrade/upgrade.taxonomy.test       |    5 +
 modules/simpletest/tests/url_alter_test.info  |    6 +-
 modules/simpletest/tests/xmlrpc_test.info     |    6 +-
 modules/statistics/statistics.admin.inc       |   15 +-
 modules/statistics/statistics.info            |    6 +-
 modules/statistics/statistics.install         |    1 +
 modules/statistics/statistics.js              |   10 +
 modules/statistics/statistics.module          |   18 +-
 modules/statistics/statistics.pages.inc       |    8 +-
 modules/statistics/statistics.php             |   31 +
 modules/statistics/statistics.test            |   17 +-
 modules/syslog/syslog.info                    |    6 +-
 modules/system/form.api.php                   |  126 +
 modules/system/image.gd.inc                   |   11 +-
 modules/system/language.api.php               |   12 +-
 modules/system/system.admin.inc               |   25 +-
 modules/system/system.api.php                 |   38 +-
 modules/system/system.info                    |    6 +-
 modules/system/system.install                 |   60 +-
 modules/system/system.mail.inc                |    2 +-
 modules/system/system.module                  |   35 +-
 modules/system/system.test                    |   85 +
 modules/system/tests/cron_queue_test.info     |   12 +
 modules/system/tests/cron_queue_test.module   |   15 +
 modules/taxonomy/taxonomy.info                |    6 +-
 modules/taxonomy/taxonomy.install             |   62 +-
 modules/taxonomy/taxonomy.module              |    9 +-
 modules/taxonomy/taxonomy.test                |   11 +-
 modules/toolbar/toolbar.info                  |    6 +-
 modules/tracker/tracker.info                  |    6 +-
 modules/tracker/tracker.pages.inc             |    1 -
 .../translation/tests/translation_test.info   |    6 +-
 modules/translation/translation.info          |    6 +-
 modules/trigger/tests/trigger_test.info       |    6 +-
 modules/trigger/trigger.info                  |    6 +-
 modules/trigger/trigger.test                  |   42 +-
 modules/update/tests/aaa_update_test.info     |    6 +-
 modules/update/tests/bbb_update_test.info     |    6 +-
 modules/update/tests/ccc_update_test.info     |    6 +-
 .../update_test_basetheme.info                |    6 +-
 .../update_test_subtheme.info                 |    6 +-
 modules/update/tests/update_test.info         |    6 +-
 modules/update/update.fetch.inc               |    2 +-
 modules/update/update.info                    |    6 +-
 modules/update/update.module                  |    2 +-
 modules/user/tests/user_form_test.info        |    6 +-
 modules/user/user.info                        |    6 +-
 modules/user/user.module                      |  101 +-
 modules/user/user.module.orig                 | 4014 -----------------
 modules/user/user.pages.inc                   |   13 +-
 modules/user/user.test                        |   53 -
 modules/user/user.test.orig                   | 2368 ----------
 profiles/minimal/minimal.info                 |    6 +-
 profiles/standard/standard.info               |    6 +-
 profiles/standard/standard.install            |    6 +-
 ...drupal_system_listing_compatible_test.info |    6 +-
 ...upal_system_listing_incompatible_test.info |    6 +-
 profiles/testing/testing.info                 |    6 +-
 themes/bartik/bartik.info                     |    6 +-
 themes/bartik/css/style.css                   |    2 +-
 themes/garland/garland.info                   |    6 +-
 themes/seven/seven.info                       |    6 +-
 themes/seven/style.css                        |    6 +
 themes/stark/stark.info                       |    6 +-
 update.php                                    |    7 +-
 263 files changed, 3331 insertions(+), 8894 deletions(-)
 delete mode 100755 includes/entity.inc.orig
 create mode 100644 modules/aggregator/tests/aggregator_test_title_entities.xml
 create mode 100644 modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css
 create mode 100644 modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.optimized.css
 create mode 100644 modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.unoptimized.css
 create mode 100644 modules/simpletest/tests/entity_crud.test
 create mode 100644 modules/statistics/statistics.js
 create mode 100644 modules/statistics/statistics.php
 create mode 100644 modules/system/form.api.php
 create mode 100644 modules/system/tests/cron_queue_test.info
 create mode 100644 modules/system/tests/cron_queue_test.module
 delete mode 100755 modules/user/user.module.orig
 delete mode 100755 modules/user/user.test.orig

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 464f5efb..ed734316 100755
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,120 @@
 
+Drupal 7.28, 2014-05-08
+-----------------------
+- Fixed a regression introduced in Drupal 7.27 that caused JavaScript to break
+  on older browsers (such as Internet Explorer 8 and earlier) when Ajax was
+  used.
+- Increased the timeout used by the Update Manager module when it fetches data
+  from drupal.org (from 5 seconds to 30 seconds), to work around a problem
+  which causes incomplete information about security updates to be presented to
+  site administrators. This fix may lead to a performance slowdown on the
+  Update Manager administration pages, when installing Drupal distributions,
+  and (for sites that use the automated cron feature) on occasional page loads
+  by site visitors.
+- Fixed the behavior of the token system's "[node:summary]" token when the body
+  field does not have a manual summary.
+- Changed the behavior of db_query_temporary() so that it works on SELECT
+  queries even when they have leading comments/whitespace. A side effect of
+  this fix is that db_query_temporary() will now fail with an error if it is
+  ever used on non-SELECT queries.
+- Added a "node_admin_filter" tag to the database query used to build the list
+  of nodes on the content administration page, to make it easier to alter.
+- Made the cron queue system log any exceptions that are thrown while an item
+  in the queue is being processed, rather than stopping the entire PHP request.
+- Improved screen reader support by adding an aria-live HTML attribute to file
+  upload fields when there is an error uploading the file (minor markup
+  change).
+- Made the pager on the Tracker module listing pages show the same number of
+  items as other pagers throughout Drupal core (minor UI change).
+- Fixed a bug which caused caches not to be properly cleared when a file entity
+  was saved or deleted.
+- Added several missing countries to the default list returned by
+  country_get_list() (string change).
+- Replaced the term "weight" with "influence" in the content ranking settings
+  for search, and added help text for administrators (string change).
+- Fixed untranslatable text strings in the administrative interface for the
+  "Crop" effect provided by the Image module (minor string change).
+- Fixed a bug in the Taxonomy module update function introduced in Drupal 7.26
+  that caused memory and CPU problems on sites with very large numbers of
+  unpublished nodes.
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.27, 2014-04-16
+----------------------
+- Fixed security issues (information disclosure). See SA-CORE-2014-002.
+
+Drupal 7.26, 2014-01-15
+----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-001.
+
+Drupal 7.25, 2014-01-02
+-----------------------
+- Fixed a bug in node_save() which prevented the saved node from being updated
+  in hook_node_insert() and other similar hooks.
+- Added a meta tag to install.php to prevent it from being indexed by search
+  engines even when Drupal is installed in a subfolder (minor markup change).
+- Fixed a bug in the database API that caused frequent deadlock errors when
+  running merge queries on some servers.
+- Performance improvement: Prevented block rehashing from writing blocks to the
+  database on every cache clear and cron run when the blocks have not changed.
+  This fix results in an extra 'saved' key which is added and set to TRUE for
+  each block returned by _block_rehash() that actually is saved to the database
+  (data structure change).
+- Added an optional 'skip on cron' parameter to hook_cron_queue_info() to allow
+  queues to avoid being automatically processed on cron runs (API addition).
+- Fixed a bug which caused hook_block_view_MODULE_DELTA_alter() to never be
+  invoked if the block delta had a hyphen in it. To implement the hook when the
+  block delta has a hyphen, modules should now replace hyphens with underscores
+  when constructing the function name for the hook implementation.
+- Fixed a bug which caused cached pages to sometimes be sent to the browser
+  with incorrect compression. The fix adds a new 'page_compressed' key to the
+  $cache->data array returned by drupal_page_get_cache() (minor data structure
+  change).
+- Fixed broken tests on PHP 5.5.
+- Made the File and Image modules more robust when saving entities that have
+  deleted files attached. The code in file_field_presave() will now remove the
+  record of the deleted file from the entity before saving (minor data
+  structure change).
+- Standardized menu callback functions throughout Drupal core to return
+  MENU_NOT_FOUND and MENU_ACCESS_DENIED rather than printing their own "page
+  not found" or "access denied" pages (minor API change in the return value of
+  these functions under some circumstances).
+- Fixed a bug in which caches were not properly cleared when a node was deleted
+  via the administrative interface.
+- Changed the Bartik theme to render content contained in <pre>, <code> and
+  similar tags in a larger font size, so it is easier to read.
+- Fixed a bug in the Search module that caused exceptions to be thrown during
+  searches if the server was not configured to represent decimal points as a
+  period.
+- Fixed a regression in the Image module that made image_style_url() not work
+  when a relative path (rather than a complete file URI) was passed to it.
+- Added an optional feature to the Statistics module to allow node views to be
+  tracked by Ajax requests rather than during the server-side generation of the
+  page. This allows the node counter to work on sites that use external page
+  caches (string change and new administrative option:
+  https://drupal.org/node/2164069).
+- Added a link to the drupal.org documentation page for cron to the Cron
+  settings page (string change).
+- Added a 'drupal_anonymous_user_object' variable to allow the anonymous user
+  object returned by drupal_anonymous_user() to be overridden with a classed
+  object (API addition).
+- Changed the database API to allow inserts based on a SELECT * query to work
+  correctly.
+- Changed the database schema of the {file_managed} table to allow Drupal to
+  manage files larger than 4 GB.
+- Changed the File module's hook_field_load() implementation to prevent file
+  entity properties which have the same name as file or image field properties
+  from overwriting the field properties (minor API change).
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.24, 2013-11-20
+----------------------
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-003.
+
 Drupal 7.23, 2013-08-07
 -----------------------
 - Fixed a fatal error on PostgreSQL databases when updating the Taxonomy module
diff --git a/COPYRIGHT.txt b/COPYRIGHT.txt
index a2a6511c..dc8a855f 100755
--- a/COPYRIGHT.txt
+++ b/COPYRIGHT.txt
@@ -1,4 +1,4 @@
-All Drupal code is Copyright 2001 - 2012 by the original authors.
+All Drupal code is Copyright 2001 - 2013 by the original authors.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/README.txt b/README.txt
index f4c2f643..60d3da59 100755
--- a/README.txt
+++ b/README.txt
@@ -71,12 +71,12 @@ profiles/your_site_profile/themes respectively to restrict their usage to only
 sites that were installed with that specific profile.
 
 More about installation profiles and distributions:
-* Read about the difference between installation profiles and distributions:
-  http://drupal.org/node/1089736
-* Download contributed installation profiles and distributions:
-  http://drupal.org/project/distributions
-* Develop your own installation profile or distribution:
-  http://drupal.org/developing/distributions
+ * Read about the difference between installation profiles and distributions:
+   http://drupal.org/node/1089736
+ * Download contributed installation profiles and distributions:
+   http://drupal.org/project/distributions
+ * Develop your own installation profile or distribution:
+   http://drupal.org/developing/distributions
 
 APPEARANCE
 ----------
diff --git a/includes/ajax.inc b/includes/ajax.inc
index ab0111ce..8446bf89 100755
--- a/includes/ajax.inc
+++ b/includes/ajax.inc
@@ -308,10 +308,11 @@ function ajax_render($commands = array()) {
  * pulls the form info from $_POST.
  *
  * @return
- *   An array containing the $form and $form_state. Use the list() function
- *   to break these apart:
+ *   An array containing the $form, $form_state, $form_id, $form_build_id and an
+ *   initial list of Ajax $commands. Use the list() function to break these
+ *   apart:
  *   @code
- *     list($form, $form_state, $form_id, $form_build_id) = ajax_get_form();
+ *     list($form, $form_state, $form_id, $form_build_id, $commands) = ajax_get_form();
  *   @endcode
  */
 function ajax_get_form() {
@@ -331,6 +332,17 @@ function ajax_get_form() {
     drupal_exit();
   }
 
+  // When a page level cache is enabled, the form-build id might have been
+  // replaced from within form_get_cache. If this is the case, it is also
+  // necessary to update it in the browser by issuing an appropriate Ajax
+  // command.
+  $commands = array();
+  if (isset($form['#build_id_old']) && $form['#build_id_old'] != $form['#build_id']) {
+    // If the form build ID has changed, issue an Ajax command to update it.
+    $commands[] = ajax_command_update_build_id($form);
+    $form_build_id = $form['#build_id'];
+  }
+
   // Since some of the submit handlers are run, redirects need to be disabled.
   $form_state['no_redirect'] = TRUE;
 
@@ -345,7 +357,7 @@ function ajax_get_form() {
   $form_state['input'] = $_POST;
   $form_id = $form['#form_id'];
 
-  return array($form, $form_state, $form_id, $form_build_id);
+  return array($form, $form_state, $form_id, $form_build_id, $commands);
 }
 
 /**
@@ -366,7 +378,7 @@ function ajax_get_form() {
  * @see system_menu()
  */
 function ajax_form_callback() {
-  list($form, $form_state) = ajax_get_form();
+  list($form, $form_state, $form_id, $form_build_id, $commands) = ajax_get_form();
   drupal_process_form($form['#form_id'], $form, $form_state);
 
   // We need to return the part of the form (or some other content) that needs
@@ -379,7 +391,19 @@ function ajax_form_callback() {
     $callback = $form_state['triggering_element']['#ajax']['callback'];
   }
   if (!empty($callback) && function_exists($callback)) {
-    return $callback($form, $form_state);
+    $result = $callback($form, $form_state);
+
+    if (!(is_array($result) && isset($result['#type']) && $result['#type'] == 'ajax')) {
+      // Turn the response into a #type=ajax array if it isn't one already.
+      $result = array(
+        '#type' => 'ajax',
+        '#commands' => ajax_prepare_response($result),
+      );
+    }
+
+    $result['#commands'] = array_merge($commands, $result['#commands']);
+
+    return $result;
   }
 }
 
@@ -1210,3 +1234,26 @@ function ajax_command_restripe($selector) {
     'selector' => $selector,
   );
 }
+
+/**
+ * Creates a Drupal Ajax 'update_build_id' command.
+ *
+ * This command updates the value of a hidden form_build_id input element on a
+ * form. It requires the form passed in to have keys for both the old build ID
+ * in #build_id_old and the new build ID in #build_id.
+ *
+ * The primary use case for this Ajax command is to serve a new build ID to a
+ * form served from the cache to an anonymous user, preventing one anonymous
+ * user from accessing the form state of another anonymous users on Ajax enabled
+ * forms.
+ *
+ * @param $form
+ *   The form array representing the form whose build ID should be updated.
+ */
+function ajax_command_update_build_id($form) {
+  return array(
+    'command' => 'updateBuildId',
+    'old' => $form['#build_id_old'],
+    'new' => $form['#build_id'],
+  );
+}
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index d27f8d14..09c2044b 100755
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.23');
+define('VERSION', '7.28');
 
 /**
  * Core API compatibility.
@@ -244,7 +244,7 @@ define('REGISTRY_WRITE_LOOKUP_CACHE', 2);
 /**
  * Regular expression to match PHP function names.
  *
- * @see http://php.net/manual/en/language.functions.php
+ * @see http://php.net/manual/language.functions.php
  */
 define('DRUPAL_PHP_FUNCTION_PATTERN', '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*');
 
@@ -278,7 +278,7 @@ define('DRUPAL_PHP_FUNCTION_PATTERN', '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'
  * error, and $var will be populated with the contents of $object['foo'], but
  * that data will be passed by value, not reference. For more information on
  * the PHP limitation, see the note in the official PHP documentation at·
- * http://php.net/manual/en/arrayaccess.offsetget.php on
+ * http://php.net/manual/arrayaccess.offsetget.php on
  * ArrayAccess::offsetGet().
  *
  * By default, the class accounts for caches where calling functions might
@@ -683,7 +683,8 @@ function drupal_environment_initialize() {
   ini_set('session.use_only_cookies', '1');
   ini_set('session.use_trans_sid', '0');
   // Don't send HTTP headers using PHP's session handler.
-  ini_set('session.cache_limiter', 'none');
+  // An empty string is used here to disable the cache limiter.
+  ini_set('session.cache_limiter', '');
   // Use httponly session cookies.
   ini_set('session.cookie_httponly', '1');
 
@@ -1278,7 +1279,7 @@ function drupal_page_header() {
  */
 function drupal_serve_page_from_cache(stdClass $cache) {
   // Negotiate whether to use compression.
-  $page_compression = variable_get('page_compression', TRUE) && extension_loaded('zlib');
+  $page_compression = !empty($cache->data['page_compressed']);
   $return_compressed = $page_compression && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && strpos($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') !== FALSE;
 
   // Get headers set in hook_boot(). Keys are lower-case.
@@ -1932,6 +1933,33 @@ function drupal_block_denied($ip) {
   }
 }
 
+/**
+ * Returns a URL-safe, base64 encoded string of highly randomized bytes (over the full 8-bit range).
+ *
+ * @param $byte_count
+ *   The number of random bytes to fetch and base64 encode.
+ *
+ * @return string
+ *   The base64 encoded result will have a length of up to 4 * $byte_count.
+ */
+function drupal_random_key($byte_count = 32) {
+  return drupal_base64_encode(drupal_random_bytes($byte_count));
+}
+
+/**
+ * Returns a URL-safe, base64 encoded version of the supplied string.
+ *
+ * @param $string
+ *   The string to convert to base64.
+ *
+ * @return string
+ */
+function drupal_base64_encode($string) {
+  $data = base64_encode($string);
+  // Modify the output so it's safe to use in URLs.
+  return strtr($data, array('+' => '-', '/' => '_', '=' => ''));
+}
+
 /**
  * Returns a string of highly randomized bytes (over the full 8-bit range).
  *
@@ -1945,38 +1973,34 @@ function drupal_block_denied($ip) {
  */
 function drupal_random_bytes($count)  {
   // $random_state does not use drupal_static as it stores random bytes.
-  static $random_state, $bytes, $php_compatible;
-  // Initialize on the first call. The contents of $_SERVER includes a mix of
-  // user-specific and system information that varies a little with each page.
-  if (!isset($random_state)) {
-    $random_state = print_r($_SERVER, TRUE);
-    if (function_exists('getmypid')) {
-      // Further initialize with the somewhat random PHP process ID.
-      $random_state .= getmypid();
-    }
-    $bytes = '';
-  }
-  if (strlen($bytes) < $count) {
+  static $random_state, $bytes, $has_openssl;
+
+  $missing_bytes = $count - strlen($bytes);
+
+  if ($missing_bytes > 0) {
     // PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes()
     // locking on Windows and rendered it unusable.
-    if (!isset($php_compatible)) {
-      $php_compatible = version_compare(PHP_VERSION, '5.3.4', '>=');
+    if (!isset($has_openssl)) {
+      $has_openssl = version_compare(PHP_VERSION, '5.3.4', '>=') && function_exists('openssl_random_pseudo_bytes');
     }
-    // /dev/urandom is available on many *nix systems and is considered the
-    // best commonly available pseudo-random source.
-    if ($fh = @fopen('/dev/urandom', 'rb')) {
+
+    // openssl_random_pseudo_bytes() will find entropy in a system-dependent
+    // way.
+    if ($has_openssl) {
+      $bytes .= openssl_random_pseudo_bytes($missing_bytes);
+    }
+
+    // Else, read directly from /dev/urandom, which is available on many *nix
+    // systems and is considered cryptographically secure.
+    elseif ($fh = @fopen('/dev/urandom', 'rb')) {
       // PHP only performs buffered reads, so in reality it will always read
       // at least 4096 bytes. Thus, it costs nothing extra to read and store
       // that much so as to speed any additional invocations.
-      $bytes .= fread($fh, max(4096, $count));
+      $bytes .= fread($fh, max(4096, $missing_bytes));
       fclose($fh);
     }
-    // openssl_random_pseudo_bytes() will find entropy in a system-dependent
-    // way.
-    elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) {
-      $bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
-    }
-    // If /dev/urandom is not available or returns no bytes, this loop will
+
+    // If we couldn't get enough entropy, this simple hash-based PRNG will
     // generate a good set of pseudo-random bytes on any system.
     // Note that it may be important that our $random_state is passed
     // through hash() prior to being rolled into $output, that the two hash()
@@ -1984,9 +2008,23 @@ function drupal_random_bytes($count)  {
     // the microtime() - is prepended rather than appended. This is to avoid
     // directly leaking $random_state via the $output stream, which could
     // allow for trivial prediction of further "random" numbers.
-    while (strlen($bytes) < $count) {
-      $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
-      $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
+    if (strlen($bytes) < $count) {
+      // Initialize on the first call. The contents of $_SERVER includes a mix of
+      // user-specific and system information that varies a little with each page.
+      if (!isset($random_state)) {
+        $random_state = print_r($_SERVER, TRUE);
+        if (function_exists('getmypid')) {
+          // Further initialize with the somewhat random PHP process ID.
+          $random_state .= getmypid();
+        }
+        $bytes = '';
+      }
+
+      do {
+        $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
+        $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
+      }
+      while (strlen($bytes) < $count);
     }
   }
   $output = substr($bytes, 0, $count);
@@ -1997,17 +2035,21 @@ function drupal_random_bytes($count)  {
 /**
  * Calculates a base-64 encoded, URL-safe sha-256 hmac.
  *
- * @param $data
+ * @param string $data
  *   String to be validated with the hmac.
- * @param $key
+ * @param string $key
  *   A secret string key.
  *
- * @return
+ * @return string
  *   A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
  *   any = padding characters removed.
  */
 function drupal_hmac_base64($data, $key) {
-  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
+  // Casting $data and $key to strings here is necessary to avoid empty string
+  // results of the hash function if they are not scalar values. As this
+  // function is used in security-critical contexts like token validation it is
+  // important that it never returns an empty string.
+  $hmac = base64_encode(hash_hmac('sha256', (string) $data, (string) $key, TRUE));
   // Modify the hmac so it's safe to use in URLs.
   return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
 }
@@ -2108,7 +2150,7 @@ function drupal_array_merge_deep_array($arrays) {
  * @return Object - the user object.
  */
 function drupal_anonymous_user() {
-  $user = new stdClass();
+  $user = variable_get('drupal_anonymous_user_object', new stdClass);
   $user->uid = 0;
   $user->hostname = ip_address();
   $user->roles = array();
@@ -3253,8 +3295,8 @@ function registry_update() {
  * However, the above line of code does not work, because PHP only allows static
  * variables to be initializied by literal values, and does not allow static
  * variables to be assigned to references.
- * - http://php.net/manual/en/language.variables.scope.php#language.variables.scope.static
- * - http://php.net/manual/en/language.variables.scope.php#language.variables.scope.references
+ * - http://php.net/manual/language.variables.scope.php#language.variables.scope.static
+ * - http://php.net/manual/language.variables.scope.php#language.variables.scope.references
  * The example below shows the syntax needed to work around both limitations.
  * For benchmarks and more information, see http://drupal.org/node/619666.
  *
diff --git a/includes/common.inc b/includes/common.inc
index 262e1c57..e1a1673d 100755
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -458,7 +458,7 @@ function drupal_get_query_array($query) {
   $result = array();
   if (!empty($query)) {
     foreach (explode('&', $query) as $param) {
-      $param = explode('=', $param);
+      $param = explode('=', $param, 2);
       $result[$param[0]] = isset($param[1]) ? rawurldecode($param[1]) : '';
     }
   }
@@ -929,7 +929,7 @@ function drupal_http_request($url, array $options = array()) {
 
   // If the server URL has a user then attempt to use basic authentication.
   if (isset($uri['user'])) {
-    $options['headers']['Authorization'] = 'Basic ' . base64_encode($uri['user'] . (isset($uri['pass']) ? ':' . $uri['pass'] : ''));
+    $options['headers']['Authorization'] = 'Basic ' . base64_encode($uri['user'] . (isset($uri['pass']) ? ':' . $uri['pass'] : ':'));
   }
 
   // If the database prefix is being used by SimpleTest to run the tests in a copied
@@ -1134,7 +1134,7 @@ function _fix_gpc_magic(&$item) {
  * @param $key
  *   The key for the item within $_FILES.
  *
- * @see http://php.net/manual/en/features.file-upload.php#42280
+ * @see http://php.net/manual/features.file-upload.php#42280
  */
 function _fix_gpc_magic_files(&$item, $key) {
   if ($key != 'tmp_name') {
@@ -1426,7 +1426,6 @@ function filter_xss_admin($string) {
  *   valid UTF-8.
  *
  * @see drupal_validate_utf8()
- * @ingroup sanitization
  */
 function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
   // Only operate on valid UTF-8 strings. This is necessary to prevent cross
@@ -1950,7 +1949,7 @@ function format_interval($interval, $granularity = 2, $langcode = NULL) {
  *   get interpreted as date format characters.
  * @param $timezone
  *   (optional) Time zone identifier, as described at
- *   http://php.net/manual/en/timezones.php Defaults to the time zone used to
+ *   http://php.net/manual/timezones.php Defaults to the time zone used to
  *   display the page.
  * @param $langcode
  *   (optional) Language code to translate to. Defaults to the language used to
@@ -3673,17 +3672,23 @@ function drupal_load_stylesheet($file, $optimize = NULL, $reset_basepath = TRUE)
   if ($basepath && !file_uri_scheme($file)) {
     $file = $basepath . '/' . $file;
   }
+  // Store the parent base path to restore it later.
+  $parent_base_path = $basepath;
+  // Set the current base path to process possible child imports.
   $basepath = dirname($file);
 
   // Load the CSS stylesheet. We suppress errors because themes may specify
   // stylesheets in their .info file that don't exist in the theme's path,
   // but are merely there to disable certain module CSS files.
+  $content = '';
   if ($contents = @file_get_contents($file)) {
     // Return the processed stylesheet.
-    return drupal_load_stylesheet_content($contents, $_optimize);
+    $content = drupal_load_stylesheet_content($contents, $_optimize);
   }
 
-  return '';
+  // Restore the parent base path as the file and its childen are processed.
+  $basepath = $parent_base_path;
+  return $content;
 }
 
 /**
@@ -3700,7 +3705,7 @@ function drupal_load_stylesheet($file, $optimize = NULL, $reset_basepath = TRUE)
  */
 function drupal_load_stylesheet_content($contents, $optimize = FALSE) {
   // Remove multiple charset declarations for standards compliance (and fixing Safari problems).
-  $contents = preg_replace('/^@charset\s+[\'"](\S*)\b[\'"];/i', '', $contents);
+  $contents = preg_replace('/^@charset\s+[\'"](\S*?)\b[\'"];/i', '', $contents);
 
   if ($optimize) {
     // Perform some safe CSS optimizations.
@@ -3719,7 +3724,7 @@ function drupal_load_stylesheet_content($contents, $optimize = FALSE) {
     // Remove certain whitespace.
     // There are different conditions for removing leading and trailing
     // whitespace.
-    // @see http://php.net/manual/en/regexp.reference.subpatterns.php
+    // @see http://php.net/manual/regexp.reference.subpatterns.php
     $contents = preg_replace('<
       # Strip leading and trailing whitespace.
         \s*([@{};,])\s*
@@ -3833,7 +3838,14 @@ function drupal_clean_css_identifier($identifier, $filter = array(' ' => '-', '_
  *   The cleaned class name.
  */
 function drupal_html_class($class) {
-  return drupal_clean_css_identifier(drupal_strtolower($class));
+  // The output of this function will never change, so this uses a normal
+  // static instead of drupal_static().
+  static $classes = array();
+
+  if (!isset($classes[$class])) {
+    $classes[$class] = drupal_clean_css_identifier(drupal_strtolower($class));
+  }
+  return $classes[$class];
 }
 
 /**
@@ -4097,7 +4109,7 @@ function drupal_region_class($region) {
  *       else being the same, JavaScript added by a call to drupal_add_js() that
  *       happened later in the page request gets added to the page after one for
  *       which drupal_add_js() happened earlier in the page request.
- *   - defer: If set to TRUE, the defer attribute is set on the &lt;script&gt;
+ *   - defer: If set to TRUE, the defer attribute is set on the <script>
  *     tag. Defaults to FALSE.
  *   - cache: If set to FALSE, the JavaScript file is loaded anew on every page
  *     call; in other words, it is not cached. Used only when 'type' references
@@ -5042,7 +5054,7 @@ function drupal_json_output($var = NULL) {
  */
 function drupal_get_private_key() {
   if (!($key = variable_get('drupal_private_key', 0))) {
-    $key = drupal_hash_base64(drupal_random_bytes(55));
+    $key = drupal_random_key();
     variable_set('drupal_private_key', $key);
   }
   return $key;
@@ -5054,6 +5066,11 @@ function drupal_get_private_key() {
  * @param $value
  *   An additional value to base the token on.
  *
+ * The generated token is based on the session ID of the current user. Normally,
+ * anonymous users do not have a session, so the generated token will be
+ * different on every page request. To generate a token for users without a
+ * session, manually start a session prior to calling this function.
+ *
  * @return string
  *   A 43-character URL-safe token for validation, based on the user session ID,
  *   the hash salt provided from drupal_get_hash_salt(), and the
@@ -5081,7 +5098,7 @@ function drupal_get_token($value = '') {
  */
 function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
   global $user;
-  return (($skip_anonymous && $user->uid == 0) || ($token == drupal_get_token($value)));
+  return (($skip_anonymous && $user->uid == 0) || ($token === drupal_get_token($value)));
 }
 
 function _drupal_bootstrap_full() {
@@ -5114,6 +5131,10 @@ function _drupal_bootstrap_full() {
   module_load_all();
   // Make sure all stream wrappers are registered.
   file_get_stream_wrappers();
+  // Ensure mt_rand is reseeded, to prevent random values from one page load
+  // being exploited to predict random values in subsequent page loads.
+  $seed = unpack("L", drupal_random_bytes(4));
+  mt_srand($seed[1]);
 
   $test_info = &$GLOBALS['drupal_test_info'];
   if (!empty($test_info['in_child_site'])) {
@@ -5151,7 +5172,7 @@ function _drupal_bootstrap_full() {
  * client without gzip support.
  *
  * Page compression requires the PHP zlib extension
- * (http://php.net/manual/en/ref.zlib.php).
+ * (http://php.net/manual/ref.zlib.php).
  *
  * @see drupal_page_header()
  */
@@ -5159,6 +5180,10 @@ function drupal_page_set_cache() {
   global $base_root;
 
   if (drupal_page_is_cacheable()) {
+
+    // Check whether the current page might be compressed.
+    $page_compressed = variable_get('page_compression', TRUE) && extension_loaded('zlib');
+
     $cache = (object) array(
       'cid' => $base_root . request_uri(),
       'data' => array(
@@ -5166,6 +5191,9 @@ function drupal_page_set_cache() {
         'body' => ob_get_clean(),
         'title' => drupal_get_title(),
         'headers' => array(),
+        // We need to store whether page was compressed or not,
+        // because by the time it is read, the configuration might change.
+        'page_compressed' => $page_compressed,
       ),
       'expire' => CACHE_TEMPORARY,
       'created' => REQUEST_TIME,
@@ -5183,7 +5211,7 @@ function drupal_page_set_cache() {
     }
 
     if ($cache->data['body']) {
-      if (variable_get('page_compression', TRUE) && extension_loaded('zlib')) {
+      if ($page_compressed) {
         $cache->data['body'] = gzencode($cache->data['body'], 9, FORCE_GZIP);
       }
       cache_set($cache->cid, $cache->data, 'cache_page', $cache->expire);
@@ -5258,12 +5286,23 @@ function drupal_cron_run() {
   }
 
   foreach ($queues as $queue_name => $info) {
+    if (!empty($info['skip on cron'])) {
+      // Do not run if queue wants to skip.
+      continue;
+    }
     $function = $info['worker callback'];
     $end = time() + (isset($info['time']) ? $info['time'] : 15);
     $queue = DrupalQueue::get($queue_name);
     while (time() < $end && ($item = $queue->claimItem())) {
-      $function($item->data);
-      $queue->deleteItem($item);
+      try {
+        $function($item->data);
+        $queue->deleteItem($item);
+      }
+      catch (Exception $e) {
+        // In case of exception log it and leave the item in the queue
+        // to be processed again later.
+        watchdog_exception('cron', $e);
+      }
     }
   }
   // Restore the user.
@@ -5918,14 +5957,16 @@ function drupal_render(&$elements) {
 /**
  * Renders children of an element and concatenates them.
  *
- * This renders all children of an element using drupal_render() and then
- * joins them together into a single string.
- *
- * @param $element
+ * @param array $element
  *   The structured array whose children shall be rendered.
- * @param $children_keys
- *   If the keys of the element's children are already known, they can be passed
- *   in to save another run of element_children().
+ * @param array $children_keys
+ *   (optional) If the keys of the element's children are already known, they
+ *   can be passed in to save another run of element_children().
+ *
+ * @return string
+ *   The rendered HTML of all children of the element.
+
+ * @see drupal_render()
  */
 function drupal_render_children(&$element, $children_keys = NULL) {
   if ($children_keys === NULL) {
@@ -7799,7 +7840,10 @@ function entity_load_unchanged($entity_type, $id) {
 }
 
 /**
- * Get the entity controller class for an entity type.
+ * Gets the entity controller for an entity type.
+ *
+ * @return DrupalEntityControllerInterface
+ *   The entity controller object for the specified entity type.
  */
 function entity_get_controller($entity_type) {
   $controllers = &drupal_static(__FUNCTION__, array());
diff --git a/includes/database/database.inc b/includes/database/database.inc
index 339c9b03..ad78ac0b 100755
--- a/includes/database/database.inc
+++ b/includes/database/database.inc
@@ -28,18 +28,21 @@
  * Most Drupal database SELECT queries are performed by a call to db_query() or
  * db_query_range(). Module authors should also consider using the PagerDefault
  * Extender for queries that return results that need to be presented on
- * multiple pages, and the Tablesort Extender for generating appropriate queries
- * for sortable tables.
+ * multiple pages (see https://drupal.org/node/508796), and the TableSort
+ * Extender for generating appropriate queries for sortable tables
+ * (see https://drupal.org/node/1848372).
  *
  * For example, one might wish to return a list of the most recent 10 nodes
  * authored by a given user. Instead of directly issuing the SQL query
  * @code
- * SELECT n.nid, n.title, n.created FROM node n WHERE n.uid = $uid LIMIT 0, 10;
+ * SELECT n.nid, n.title, n.created FROM node n WHERE n.uid = $uid
+ *   ORDER BY n.created DESC LIMIT 0, 10;
  * @endcode
  * one would instead call the Drupal functions:
  * @code
  * $result = db_query_range('SELECT n.nid, n.title, n.created
- *   FROM {node} n WHERE n.uid = :uid', 0, 10, array(':uid' => $uid));
+ *   FROM {node} n WHERE n.uid = :uid
+ *   ORDER BY n.created DESC', 0, 10, array(':uid' => $uid));
  * foreach ($result as $record) {
  *   // Perform operations on $record->title, etc. here.
  * }
@@ -179,7 +182,7 @@
  * concrete implementation of it to support special handling required by that
  * database.
  *
- * @see http://php.net/manual/en/book.pdo.php
+ * @see http://php.net/manual/book.pdo.php
  */
 abstract class DatabaseConnection extends PDO {
 
@@ -1986,7 +1989,7 @@ interface DatabaseStatementInterface extends Traversable {
   /**
    * Sets the default fetch mode for this statement.
    *
-   * See http://php.net/manual/en/pdo.constants.php for the definition of the
+   * See http://php.net/manual/pdo.constants.php for the definition of the
    * constants used.
    *
    * @param $mode
@@ -2005,7 +2008,7 @@ interface DatabaseStatementInterface extends Traversable {
   /**
    * Fetches the next row from a result set.
    *
-   * See http://php.net/manual/en/pdo.constants.php for the definition of the
+   * See http://php.net/manual/pdo.constants.php for the definition of the
    * constants used.
    *
    * @param $mode
@@ -2380,14 +2383,14 @@ function db_query_range($query, $from, $count, array $args = array(), array $opt
 }
 
 /**
- * Executes a query string and saves the result set to a temporary table.
+ * Executes a SELECT query string and saves the result set to a temporary table.
  *
  * The execution of the query string happens against the active database.
  *
  * @param $query
- *   The prepared statement query to run. Although it will accept both named and
- *   unnamed placeholders, named placeholders are strongly preferred as they are
- *   more self-documenting.
+ *   The prepared SELECT statement query to run. Although it will accept both
+ *   named and unnamed placeholders, named placeholders are strongly preferred
+ *   as they are more self-documenting.
  * @param $args
  *   An array of values to substitute into the query. If the query uses named
  *   placeholders, this is an associative array in any order. If the query uses
diff --git a/includes/database/mysql/database.inc b/includes/database/mysql/database.inc
index 00d81f47..4907a39d 100755
--- a/includes/database/mysql/database.inc
+++ b/includes/database/mysql/database.inc
@@ -90,7 +90,7 @@ class DatabaseConnection_mysql extends DatabaseConnection {
 
   public function queryTemporary($query, array $args = array(), array $options = array()) {
     $tablename = $this->generateTemporaryTableName();
-    $this->query(preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE {' . $tablename . '} Engine=MEMORY SELECT', $query), $args, $options);
+    $this->query('CREATE TEMPORARY TABLE {' . $tablename . '} Engine=MEMORY ' . $query, $args, $options);
     return $tablename;
   }
 
diff --git a/includes/database/mysql/query.inc b/includes/database/mysql/query.inc
index fa698d90..d3d2d9ee 100755
--- a/includes/database/mysql/query.inc
+++ b/includes/database/mysql/query.inc
@@ -51,7 +51,8 @@ class InsertQuery_mysql extends InsertQuery {
     // If we're selecting from a SelectQuery, finish building the query and
     // pass it back, as any remaining options are irrelevant.
     if (!empty($this->fromQuery)) {
-      return $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $insert_fields) . ') ' . $this->fromQuery;
+      $insert_fields_string = $insert_fields ? ' (' . implode(', ', $insert_fields) . ') ' : ' ';
+      return $comments . 'INSERT INTO {' . $this->table . '}' . $insert_fields_string . $this->fromQuery;
     }
 
     $query = $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $insert_fields) . ') VALUES ';
diff --git a/includes/database/pgsql/database.inc b/includes/database/pgsql/database.inc
index 00ed7990..67b49fed 100755
--- a/includes/database/pgsql/database.inc
+++ b/includes/database/pgsql/database.inc
@@ -146,7 +146,7 @@ class DatabaseConnection_pgsql extends DatabaseConnection {
 
   public function queryTemporary($query, array $args = array(), array $options = array()) {
     $tablename = $this->generateTemporaryTableName();
-    $this->query(preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE {' . $tablename . '} AS SELECT', $query), $args, $options);
+    $this->query('CREATE TEMPORARY TABLE {' . $tablename . '} AS ' . $query, $args, $options);
     return $tablename;
   }
 
diff --git a/includes/database/pgsql/query.inc b/includes/database/pgsql/query.inc
index f3783a9c..9902b164 100755
--- a/includes/database/pgsql/query.inc
+++ b/includes/database/pgsql/query.inc
@@ -112,7 +112,8 @@ class InsertQuery_pgsql extends InsertQuery {
     // If we're selecting from a SelectQuery, finish building the query and
     // pass it back, as any remaining options are irrelevant.
     if (!empty($this->fromQuery)) {
-      return $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $insert_fields) . ') ' . $this->fromQuery;
+      $insert_fields_string = $insert_fields ? ' (' . implode(', ', $insert_fields) . ') ' : ' ';
+      return $comments . 'INSERT INTO {' . $this->table . '}' . $insert_fields_string . $this->fromQuery;
     }
 
     $query = $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $insert_fields) . ') VALUES ';
diff --git a/includes/database/query.inc b/includes/database/query.inc
index 66495273..8af91c2d 100755
--- a/includes/database/query.inc
+++ b/includes/database/query.inc
@@ -710,10 +710,11 @@ class InsertQuery extends Query {
       // first call to fields() does have an effect.
       $this->fields(array_merge(array_keys($this->fromQuery->getFields()), array_keys($this->fromQuery->getExpressions())));
     }
-
-    // Don't execute query without fields.
-    if (count($this->insertFields) + count($this->defaultFields) == 0) {
-      throw new NoFieldsException('There are no fields available to insert with.');
+    else {
+      // Don't execute query without fields.
+      if (count($this->insertFields) + count($this->defaultFields) == 0) {
+        throw new NoFieldsException('There are no fields available to insert with.');
+      }
     }
 
     // If no values have been added, silently ignore this query. This can happen
@@ -1605,55 +1606,43 @@ class MergeQuery extends Query implements QueryConditionInterface {
   }
 
   public function execute() {
-    // Wrap multiple queries in a transaction, if the database supports it.
-    $transaction = $this->connection->startTransaction();
-    try {
-      if (!count($this->condition)) {
-        throw new InvalidMergeQueryException(t('Invalid merge query: no conditions'));
+    if (!count($this->condition)) {
+      throw new InvalidMergeQueryException(t('Invalid merge query: no conditions'));
+    }
+    $select = $this->connection->select($this->conditionTable)
+      ->condition($this->condition);
+    $select->addExpression('1');
+    if (!$select->execute()->fetchField()) {
+      try {
+        $insert = $this->connection->insert($this->table)->fields($this->insertFields);
+        if ($this->defaultFields) {
+          $insert->useDefaults($this->defaultFields);
+        }
+        $insert->execute();
+        return self::STATUS_INSERT;
       }
-      $select = $this->connection->select($this->conditionTable)
-        ->condition($this->condition)
-        ->forUpdate();
-      $select->addExpression('1');
-      if (!$select->execute()->fetchField()) {
-        try {
-          $insert = $this->connection->insert($this->table)->fields($this->insertFields);
-          if ($this->defaultFields) {
-            $insert->useDefaults($this->defaultFields);
-          }
-          $insert->execute();
-          return MergeQuery::STATUS_INSERT;
+      catch (Exception $e) {
+        // The insert query failed, maybe it's because a racing insert query
+        // beat us in inserting the same row. Retry the select query, if it
+        // returns a row, ignore the error and continue with the update
+        // query below.
+        if (!$select->execute()->fetchField()) {
+          throw $e;
         }
-        catch (Exception $e) {
-          // The insert query failed, maybe it's because a racing insert query
-          // beat us in inserting the same row. Retry the select query, if it
-          // returns a row, ignore the error and continue with the update
-          // query below.
-          if (!$select->execute()->fetchField()) {
-            throw $e;
-          }
-        }
-      }
-      if ($this->needsUpdate) {
-        $update = $this->connection->update($this->table)
-          ->fields($this->updateFields)
-          ->condition($this->condition);
-        if ($this->expressionFields) {
-          foreach ($this->expressionFields as $field => $data) {
-            $update->expression($field, $data['expression'], $data['arguments']);
-          }
-        }
-        $update->execute();
-        return MergeQuery::STATUS_UPDATE;
       }
     }
-    catch (Exception $e) {
-      // Something really wrong happened here, bubble up the exception to the
-      // caller.
-      $transaction->rollback();
-      throw $e;
-    }
-    // Transaction commits here where $transaction looses scope.
+    if ($this->needsUpdate) {
+      $update = $this->connection->update($this->table)
+        ->fields($this->updateFields)
+        ->condition($this->condition);
+      if ($this->expressionFields) {
+        foreach ($this->expressionFields as $field => $data) {
+          $update->expression($field, $data['expression'], $data['arguments']);
+        }
+      }
+      $update->execute();
+      return self::STATUS_UPDATE;
+     }
   }
 }
 
diff --git a/includes/database/select.inc b/includes/database/select.inc
index e036904b..70c03a28 100755
--- a/includes/database/select.inc
+++ b/includes/database/select.inc
@@ -596,7 +596,7 @@ class SelectQueryExtender implements SelectQueryInterface {
 
   public function hasAnyTag() {
     $args = func_get_args();
-    return call_user_func_array(array($this->query, 'hasAnyTags'), $args);
+    return call_user_func_array(array($this->query, 'hasAnyTag'), $args);
   }
 
   public function addMetaData($key, $object) {
diff --git a/includes/database/sqlite/database.inc b/includes/database/sqlite/database.inc
index b302b3e3..8a5ba8c9 100755
--- a/includes/database/sqlite/database.inc
+++ b/includes/database/sqlite/database.inc
@@ -250,7 +250,7 @@ class DatabaseConnection_sqlite extends DatabaseConnection {
     $prefixes[$tablename] = '';
     $this->setPrefix($prefixes);
 
-    $this->query(preg_replace('/^SELECT/i', 'CREATE TEMPORARY TABLE ' . $tablename . ' AS SELECT', $query), $args, $options);
+    $this->query('CREATE TEMPORARY TABLE ' . $tablename . ' AS ' . $query, $args, $options);
     return $tablename;
   }
 
diff --git a/includes/database/sqlite/query.inc b/includes/database/sqlite/query.inc
index 1bf609db..1c6289bd 100755
--- a/includes/database/sqlite/query.inc
+++ b/includes/database/sqlite/query.inc
@@ -41,7 +41,8 @@ class InsertQuery_sqlite extends InsertQuery {
     // If we're selecting from a SelectQuery, finish building the query and
     // pass it back, as any remaining options are irrelevant.
     if (!empty($this->fromQuery)) {
-      return $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $this->insertFields) . ') ' . $this->fromQuery;
+      $insert_fields_string = $this->insertFields ? ' (' . implode(', ', $this->insertFields) . ') ' : ' ';
+      return $comments . 'INSERT INTO {' . $this->table . '}' . $insert_fields_string . $this->fromQuery;
     }
 
     return $comments . 'INSERT INTO {' . $this->table . '} (' . implode(', ', $this->insertFields) . ') VALUES (' . implode(', ', $placeholders) . ')';
diff --git a/includes/entity.inc b/includes/entity.inc
index 8ae4831a..dc43e730 100644
--- a/includes/entity.inc
+++ b/includes/entity.inc
@@ -154,18 +154,6 @@ class DrupalDefaultEntityController implements DrupalEntityControllerInterface {
    */
   public function load($ids = array(), $conditions = array()) {
     $entities = array();
-    
-    # PATCH http://drupal.org/node/1003788#comment-5195682
-    // Clean the $ids array to remove non-integer values that can be passed
-    // in from various sources, including menu callbacks.
-    if (is_array($ids)) {
-      foreach ($ids as $key => $id) {
-        if (empty($id) || ((string) $id !== (string) (int) $id)) {
-          unset($ids[$key]);
-        }
-      }
-    }
-    # endpatch
 
     // Revisions are not statically cached, and require a different query to
     // other conditions, so separate the revision id into its own variable.
@@ -372,9 +360,23 @@ class DrupalDefaultEntityController implements DrupalEntityControllerInterface {
     // This ensures the same behavior whether loading from memory or database.
     if ($conditions) {
       foreach ($entities as $entity) {
-        $entity_values = (array) $entity;
-        if (array_diff_assoc($conditions, $entity_values)) {
-          unset($entities[$entity->{$this->idKey}]);
+        // Iterate over all conditions and compare them to the entity
+        // properties. We cannot use array_diff_assoc() here since the
+        // conditions can be nested arrays, too.
+        foreach ($conditions as $property_name => $condition) {
+          if (is_array($condition)) {
+            // Multiple condition values for one property are treated as OR
+            // operation: only if the value is not at all in the condition array
+            // we remove the entity.
+            if (!in_array($entity->{$property_name}, $condition)) {
+              unset($entities[$entity->{$this->idKey}]);
+              continue 2;
+            }
+          }
+          elseif ($condition != $entity->{$property_name}) {
+            unset($entities[$entity->{$this->idKey}]);
+            continue 2;
+          }
         }
       }
     }
diff --git a/includes/entity.inc.orig b/includes/entity.inc.orig
deleted file mode 100755
index 25f75846..00000000
--- a/includes/entity.inc.orig
+++ /dev/null
@@ -1,1360 +0,0 @@
-<?php
-
-/**
- * Interface for entity controller classes.
- *
- * All entity controller classes specified via the 'controller class' key
- * returned by hook_entity_info() or hook_entity_info_alter() have to implement
- * this interface.
- *
- * Most simple, SQL-based entity controllers will do better by extending
- * DrupalDefaultEntityController instead of implementing this interface
- * directly.
- */
-interface DrupalEntityControllerInterface {
-
-  /**
-   * Resets the internal, static entity cache.
-   *
-   * @param $ids
-   *   (optional) If specified, the cache is reset for the entities with the
-   *   given ids only.
-   */
-  public function resetCache(array $ids = NULL);
-
-  /**
-   * Loads one or more entities.
-   *
-   * @param $ids
-   *   An array of entity IDs, or FALSE to load all entities.
-   * @param $conditions
-   *   An array of conditions in the form 'field' => $value.
-   *
-   * @return
-   *   An array of entity objects indexed by their ids. When no results are
-   *   found, an empty array is returned.
-   */
-  public function load($ids = array(), $conditions = array());
-}
-
-/**
- * Default implementation of DrupalEntityControllerInterface.
- *
- * This class can be used as-is by most simple entity types. Entity types
- * requiring special handling can extend the class.
- */
-class DrupalDefaultEntityController implements DrupalEntityControllerInterface {
-
-  /**
-   * Static cache of entities.
-   *
-   * @var array
-   */
-  protected $entityCache;
-
-  /**
-   * Entity type for this controller instance.
-   *
-   * @var string
-   */
-  protected $entityType;
-
-  /**
-   * Array of information about the entity.
-   *
-   * @var array
-   *
-   * @see entity_get_info()
-   */
-  protected $entityInfo;
-
-  /**
-   * Additional arguments to pass to hook_TYPE_load().
-   *
-   * Set before calling DrupalDefaultEntityController::attachLoad().
-   *
-   * @var array
-   */
-  protected $hookLoadArguments;
-
-  /**
-   * Name of the entity's ID field in the entity database table.
-   *
-   * @var string
-   */
-  protected $idKey;
-
-  /**
-   * Name of entity's revision database table field, if it supports revisions.
-   *
-   * Has the value FALSE if this entity does not use revisions.
-   *
-   * @var string
-   */
-  protected $revisionKey;
-
-  /**
-   * The table that stores revisions, if the entity supports revisions.
-   *
-   * @var string
-   */
-  protected $revisionTable;
-
-  /**
-   * Whether this entity type should use the static cache.
-   *
-   * Set by entity info.
-   *
-   * @var boolean
-   */
-  protected $cache;
-
-  /**
-   * Constructor: sets basic variables.
-   *
-   * @param $entityType
-   *   The entity type for which the instance is created.
-   */
-  public function __construct($entityType) {
-    $this->entityType = $entityType;
-    $this->entityInfo = entity_get_info($entityType);
-    $this->entityCache = array();
-    $this->hookLoadArguments = array();
-    $this->idKey = $this->entityInfo['entity keys']['id'];
-
-    // Check if the entity type supports revisions.
-    if (!empty($this->entityInfo['entity keys']['revision'])) {
-      $this->revisionKey = $this->entityInfo['entity keys']['revision'];
-      $this->revisionTable = $this->entityInfo['revision table'];
-    }
-    else {
-      $this->revisionKey = FALSE;
-    }
-
-    // Check if the entity type supports static caching of loaded entities.
-    $this->cache = !empty($this->entityInfo['static cache']);
-  }
-
-  /**
-   * Implements DrupalEntityControllerInterface::resetCache().
-   */
-  public function resetCache(array $ids = NULL) {
-    if (isset($ids)) {
-      foreach ($ids as $id) {
-        unset($this->entityCache[$id]);
-      }
-    }
-    else {
-      $this->entityCache = array();
-    }
-  }
-
-  /**
-   * Implements DrupalEntityControllerInterface::load().
-   */
-  public function load($ids = array(), $conditions = array()) {
-    $entities = array();
-
-    // Revisions are not statically cached, and require a different query to
-    // other conditions, so separate the revision id into its own variable.
-    if ($this->revisionKey && isset($conditions[$this->revisionKey])) {
-      $revision_id = $conditions[$this->revisionKey];
-      unset($conditions[$this->revisionKey]);
-    }
-    else {
-      $revision_id = FALSE;
-    }
-
-    // Create a new variable which is either a prepared version of the $ids
-    // array for later comparison with the entity cache, or FALSE if no $ids
-    // were passed. The $ids array is reduced as items are loaded from cache,
-    // and we need to know if it's empty for this reason to avoid querying the
-    // database when all requested entities are loaded from cache.
-    $passed_ids = !empty($ids) ? array_flip($ids) : FALSE;
-    // Try to load entities from the static cache, if the entity type supports
-    // static caching.
-    if ($this->cache && !$revision_id) {
-      $entities += $this->cacheGet($ids, $conditions);
-      // If any entities were loaded, remove them from the ids still to load.
-      if ($passed_ids) {
-        $ids = array_keys(array_diff_key($passed_ids, $entities));
-      }
-    }
-
-    // Load any remaining entities from the database. This is the case if $ids
-    // is set to FALSE (so we load all entities), if there are any ids left to
-    // load, if loading a revision, or if $conditions was passed without $ids.
-    if ($ids === FALSE || $ids || $revision_id || ($conditions && !$passed_ids)) {
-      // Build the query.
-      $query = $this->buildQuery($ids, $conditions, $revision_id);
-      $queried_entities = $query
-        ->execute()
-        ->fetchAllAssoc($this->idKey);
-    }
-
-    // Pass all entities loaded from the database through $this->attachLoad(),
-    // which attaches fields (if supported by the entity type) and calls the
-    // entity type specific load callback, for example hook_node_load().
-    if (!empty($queried_entities)) {
-      $this->attachLoad($queried_entities, $revision_id);
-      $entities += $queried_entities;
-    }
-
-    if ($this->cache) {
-      // Add entities to the cache if we are not loading a revision.
-      if (!empty($queried_entities) && !$revision_id) {
-        $this->cacheSet($queried_entities);
-      }
-    }
-
-    // Ensure that the returned array is ordered the same as the original
-    // $ids array if this was passed in and remove any invalid ids.
-    if ($passed_ids) {
-      // Remove any invalid ids from the array.
-      $passed_ids = array_intersect_key($passed_ids, $entities);
-      foreach ($entities as $entity) {
-        $passed_ids[$entity->{$this->idKey}] = $entity;
-      }
-      $entities = $passed_ids;
-    }
-
-    return $entities;
-  }
-
-  /**
-   * Builds the query to load the entity.
-   *
-   * This has full revision support. For entities requiring special queries,
-   * the class can be extended, and the default query can be constructed by
-   * calling parent::buildQuery(). This is usually necessary when the object
-   * being loaded needs to be augmented with additional data from another
-   * table, such as loading node type into comments or vocabulary machine name
-   * into terms, however it can also support $conditions on different tables.
-   * See CommentController::buildQuery() or TaxonomyTermController::buildQuery()
-   * for examples.
-   *
-   * @param $ids
-   *   An array of entity IDs, or FALSE to load all entities.
-   * @param $conditions
-   *   An array of conditions in the form 'field' => $value.
-   * @param $revision_id
-   *   The ID of the revision to load, or FALSE if this query is asking for the
-   *   most current revision(s).
-   *
-   * @return SelectQuery
-   *   A SelectQuery object for loading the entity.
-   */
-  protected function buildQuery($ids, $conditions = array(), $revision_id = FALSE) {
-    $query = db_select($this->entityInfo['base table'], 'base');
-
-    $query->addTag($this->entityType . '_load_multiple');
-
-    if ($revision_id) {
-      $query->join($this->revisionTable, 'revision', "revision.{$this->idKey} = base.{$this->idKey} AND revision.{$this->revisionKey} = :revisionId", array(':revisionId' => $revision_id));
-    }
-    elseif ($this->revisionKey) {
-      $query->join($this->revisionTable, 'revision', "revision.{$this->revisionKey} = base.{$this->revisionKey}");
-    }
-
-    // Add fields from the {entity} table.
-    $entity_fields = $this->entityInfo['schema_fields_sql']['base table'];
-
-    if ($this->revisionKey) {
-      // Add all fields from the {entity_revision} table.
-      $entity_revision_fields = drupal_map_assoc($this->entityInfo['schema_fields_sql']['revision table']);
-      // The id field is provided by entity, so remove it.
-      unset($entity_revision_fields[$this->idKey]);
-
-      // Remove all fields from the base table that are also fields by the same
-      // name in the revision table.
-      $entity_field_keys = array_flip($entity_fields);
-      foreach ($entity_revision_fields as $key => $name) {
-        if (isset($entity_field_keys[$name])) {
-          unset($entity_fields[$entity_field_keys[$name]]);
-        }
-      }
-      $query->fields('revision', $entity_revision_fields);
-    }
-
-    $query->fields('base', $entity_fields);
-
-    if ($ids) {
-      $query->condition("base.{$this->idKey}", $ids, 'IN');
-    }
-    if ($conditions) {
-      foreach ($conditions as $field => $value) {
-        $query->condition('base.' . $field, $value);
-      }
-    }
-    return $query;
-  }
-
-  /**
-   * Attaches data to entities upon loading.
-   *
-   * This will attach fields, if the entity is fieldable. It calls
-   * hook_entity_load() for modules which need to add data to all entities.
-   * It also calls hook_TYPE_load() on the loaded entities. For example
-   * hook_node_load() or hook_user_load(). If your hook_TYPE_load()
-   * expects special parameters apart from the queried entities, you can set
-   * $this->hookLoadArguments prior to calling the method.
-   * See NodeController::attachLoad() for an example.
-   *
-   * @param $queried_entities
-   *   Associative array of query results, keyed on the entity ID.
-   * @param $revision_id
-   *   ID of the revision that was loaded, or FALSE if the most current revision
-   *   was loaded.
-   */
-  protected function attachLoad(&$queried_entities, $revision_id = FALSE) {
-    // Attach fields.
-    if ($this->entityInfo['fieldable']) {
-      if ($revision_id) {
-        field_attach_load_revision($this->entityType, $queried_entities);
-      }
-      else {
-        field_attach_load($this->entityType, $queried_entities);
-      }
-    }
-
-    // Call hook_entity_load().
-    foreach (module_implements('entity_load') as $module) {
-      $function = $module . '_entity_load';
-      $function($queried_entities, $this->entityType);
-    }
-    // Call hook_TYPE_load(). The first argument for hook_TYPE_load() are
-    // always the queried entities, followed by additional arguments set in
-    // $this->hookLoadArguments.
-    $args = array_merge(array($queried_entities), $this->hookLoadArguments);
-    foreach (module_implements($this->entityInfo['load hook']) as $module) {
-      call_user_func_array($module . '_' . $this->entityInfo['load hook'], $args);
-    }
-  }
-
-  /**
-   * Gets entities from the static cache.
-   *
-   * @param $ids
-   *   If not empty, return entities that match these IDs.
-   * @param $conditions
-   *   If set, return entities that match all of these conditions.
-   *
-   * @return
-   *   Array of entities from the entity cache.
-   */
-  protected function cacheGet($ids, $conditions = array()) {
-    $entities = array();
-    // Load any available entities from the internal cache.
-    if (!empty($this->entityCache)) {
-      if ($ids) {
-        $entities += array_intersect_key($this->entityCache, array_flip($ids));
-      }
-      // If loading entities only by conditions, fetch all available entities
-      // from the cache. Entities which don't match are removed later.
-      elseif ($conditions) {
-        $entities = $this->entityCache;
-      }
-    }
-
-    // Exclude any entities loaded from cache if they don't match $conditions.
-    // This ensures the same behavior whether loading from memory or database.
-    if ($conditions) {
-      foreach ($entities as $entity) {
-        $entity_values = (array) $entity;
-        if (array_diff_assoc($conditions, $entity_values)) {
-          unset($entities[$entity->{$this->idKey}]);
-        }
-      }
-    }
-    return $entities;
-  }
-
-  /**
-   * Stores entities in the static entity cache.
-   *
-   * @param $entities
-   *   Entities to store in the cache.
-   */
-  protected function cacheSet($entities) {
-    $this->entityCache += $entities;
-  }
-}
-
-/**
- * Exception thrown by EntityFieldQuery() on unsupported query syntax.
- *
- * Some storage modules might not support the full range of the syntax for
- * conditions, and will raise an EntityFieldQueryException when an unsupported
- * condition was specified.
- */
-class EntityFieldQueryException extends Exception {}
-
-/**
- * Retrieves entities matching a given set of conditions.
- *
- * This class allows finding entities based on entity properties (for example,
- * node->changed), field values, and generic entity meta data (bundle,
- * entity type, entity id, and revision ID). It is not possible to query across
- * multiple entity types. For example, there is no facility to find published
- * nodes written by users created in the last hour, as this would require
- * querying both node->status and user->created.
- *
- * Normally we would not want to have public properties on the object, as that
- * allows the object's state to become inconsistent too easily. However, this
- * class's standard use case involves primarily code that does need to have
- * direct access to the collected properties in order to handle alternate
- * execution routines. We therefore use public properties for simplicity. Note
- * that code that is simply creating and running a field query should still use
- * the appropriate methods to add conditions on the query.
- *
- * Storage engines are not required to support every type of query. By default,
- * an EntityFieldQueryException will be raised if an unsupported condition is
- * specified or if the query has field conditions or sorts that are stored in
- * different field storage engines. However, this logic can be overridden in
- * hook_entity_query_alter().
- *
- * Also note that this query does not automatically respect entity access
- * restrictions. Node access control is performed by the SQL storage engine but
- * other storage engines might not do this.
- */
-class EntityFieldQuery {
-
-  /**
-   * Indicates that both deleted and non-deleted fields should be returned.
-   *
-   * @see EntityFieldQuery::deleted()
-   */
-  const RETURN_ALL = NULL;
-
-  /**
-   * TRUE if the query has already been altered, FALSE if it hasn't.
-   *
-   * Used in alter hooks to check for cloned queries that have already been
-   * altered prior to the clone (for example, the pager count query).
-   *
-   * @var boolean
-   */
-  public $altered = FALSE;
-
-  /**
-   * Associative array of entity-generic metadata conditions.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::entityCondition()
-   */
-  public $entityConditions = array();
-
-  /**
-   * List of field conditions.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::fieldCondition()
-   */
-  public $fieldConditions = array();
-
-  /**
-   * List of field meta conditions (language and delta).
-   *
-   * Field conditions operate on columns specified by hook_field_schema(),
-   * the meta conditions operate on columns added by the system: delta
-   * and language. These can not be mixed with the field conditions because
-   * field columns can have any name including delta and language.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::fieldLanguageCondition()
-   * @see EntityFieldQuery::fieldDeltaCondition()
-   */
-  public $fieldMetaConditions = array();
-
-  /**
-   * List of property conditions.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::propertyCondition()
-   */
-  public $propertyConditions = array();
-
-  /**
-   * List of order clauses.
-   *
-   * @var array
-   */
-  public $order = array();
-
-  /**
-   * The query range.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::range()
-   */
-  public $range = array();
-
-  /**
-   * The query pager data.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::pager()
-   */
-  public $pager = array();
-
-  /**
-   * Query behavior for deleted data.
-   *
-   * TRUE to return only deleted data, FALSE to return only non-deleted data,
-   * EntityFieldQuery::RETURN_ALL to return everything.
-   *
-   * @see EntityFieldQuery::deleted()
-   */
-  public $deleted = FALSE;
-
-  /**
-   * A list of field arrays used.
-   *
-   * Field names passed to EntityFieldQuery::fieldCondition() and
-   * EntityFieldQuery::fieldOrderBy() are run through field_info_field() before
-   * stored in this array. This way, the elements of this array are field
-   * arrays.
-   *
-   * @var array
-   */
-  public $fields = array();
-
-  /**
-   * TRUE if this is a count query, FALSE if it isn't.
-   *
-   * @var boolean
-   */
-  public $count = FALSE;
-
-  /**
-   * Flag indicating whether this is querying current or all revisions.
-   *
-   * @var int
-   *
-   * @see EntityFieldQuery::age()
-   */
-  public $age = FIELD_LOAD_CURRENT;
-
-  /**
-   * A list of the tags added to this query.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::addTag()
-   */
-  public $tags = array();
-
-  /**
-   * A list of metadata added to this query.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::addMetaData()
-   */
-  public $metaData = array();
-
-  /**
-   * The ordered results.
-   *
-   * @var array
-   *
-   * @see EntityFieldQuery::execute().
-   */
-  public $orderedResults = array();
-
-  /**
-   * The method executing the query, if it is overriding the default.
-   *
-   * @var string
-   *
-   * @see EntityFieldQuery::execute().
-   */
-  public $executeCallback = '';
-
-  /**
-   * Adds a condition on entity-generic metadata.
-   *
-   * If the overall query contains only entity conditions or ordering, or if
-   * there are property conditions, then specifying the entity type is
-   * mandatory. If there are field conditions or ordering but no property
-   * conditions or ordering, then specifying an entity type is optional. While
-   * the field storage engine might support field conditions on more than one
-   * entity type, there is no way to query across multiple entity base tables by
-   * default. To specify the entity type, pass in 'entity_type' for $name,
-   * the type as a string for $value, and no $operator (it's disregarded).
-   *
-   * 'bundle', 'revision_id' and 'entity_id' have no such restrictions.
-   *
-   * Note: The "comment" entity type does not support bundle conditions.
-   *
-   * @param $name
-   *   'entity_type', 'bundle', 'revision_id' or 'entity_id'.
-   * @param $value
-   *   The value for $name. In most cases, this is a scalar. For more complex
-   *   options, it is an array. The meaning of each element in the array is
-   *   dependent on $operator.
-   * @param $operator
-   *   Possible values:
-   *   - '=', '<>', '>', '>=', '<', '<=', 'STARTS_WITH', 'CONTAINS': These
-   *     operators expect $value to be a literal of the same type as the
-   *     column.
-   *   - 'IN', 'NOT IN': These operators expect $value to be an array of
-   *     literals of the same type as the column.
-   *   - 'BETWEEN': This operator expects $value to be an array of two literals
-   *     of the same type as the column.
-   *   The operator can be omitted, and will default to 'IN' if the value is an
-   *   array, or to '=' otherwise.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function entityCondition($name, $value, $operator = NULL) {
-    // The '!=' operator is deprecated in favour of the '<>' operator since the
-    // latter is ANSI SQL compatible.
-    if ($operator == '!=') {
-      $operator = '<>';
-    }
-    $this->entityConditions[$name] = array(
-      'value' => $value,
-      'operator' => $operator,
-    );
-    return $this;
-  }
-
-  /**
-   * Adds a condition on field values.
-   *
-   * Note that entities with empty field values will be excluded from the
-   * EntityFieldQuery results when using this method.
-   *
-   * @param $field
-   *   Either a field name or a field array.
-   * @param $column
-   *   The column that should hold the value to be matched.
-   * @param $value
-   *   The value to test the column value against.
-   * @param $operator
-   *   The operator to be used to test the given value.
-   * @param $delta_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $delta_group.
-   * @param $language_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $language_group.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   *
-   * @see EntityFieldQuery::addFieldCondition
-   * @see EntityFieldQuery::deleted
-   */
-  public function fieldCondition($field, $column = NULL, $value = NULL, $operator = NULL, $delta_group = NULL, $language_group = NULL) {
-    return $this->addFieldCondition($this->fieldConditions, $field, $column, $value, $operator, $delta_group, $language_group);
-  }
-
-  /**
-   * Adds a condition on the field language column.
-   *
-   * @param $field
-   *   Either a field name or a field array.
-   * @param $value
-   *   The value to test the column value against.
-   * @param $operator
-   *   The operator to be used to test the given value.
-   * @param $delta_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $delta_group.
-   * @param $language_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $language_group.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   *
-   * @see EntityFieldQuery::addFieldCondition
-   * @see EntityFieldQuery::deleted
-   */
-  public function fieldLanguageCondition($field, $value = NULL, $operator = NULL, $delta_group = NULL, $language_group = NULL) {
-    return $this->addFieldCondition($this->fieldMetaConditions, $field, 'language', $value, $operator, $delta_group, $language_group);
-  }
-
-  /**
-   * Adds a condition on the field delta column.
-   *
-   * @param $field
-   *   Either a field name or a field array.
-   * @param $value
-   *   The value to test the column value against.
-   * @param $operator
-   *   The operator to be used to test the given value.
-   * @param $delta_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $delta_group.
-   * @param $language_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $language_group.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   *
-   * @see EntityFieldQuery::addFieldCondition
-   * @see EntityFieldQuery::deleted
-   */
-  public function fieldDeltaCondition($field, $value = NULL, $operator = NULL, $delta_group = NULL, $language_group = NULL) {
-    return $this->addFieldCondition($this->fieldMetaConditions, $field, 'delta', $value, $operator, $delta_group, $language_group);
-  }
-
-  /**
-   * Adds the given condition to the proper condition array.
-   *
-   * @param $conditions
-   *   A reference to an array of conditions.
-   * @param $field
-   *   Either a field name or a field array.
-   * @param $column
-   *   A column defined in the hook_field_schema() of this field. If this is
-   *   omitted then the query will find only entities that have data in this
-   *   field, using the entity and property conditions if there are any.
-   * @param $value
-   *   The value to test the column value against. In most cases, this is a
-   *   scalar. For more complex options, it is an array. The meaning of each
-   *   element in the array is dependent on $operator.
-   * @param $operator
-   *   Possible values:
-   *   - '=', '<>', '>', '>=', '<', '<=', 'STARTS_WITH', 'CONTAINS': These
-   *     operators expect $value to be a literal of the same type as the
-   *     column.
-   *   - 'IN', 'NOT IN': These operators expect $value to be an array of
-   *     literals of the same type as the column.
-   *   - 'BETWEEN': This operator expects $value to be an array of two literals
-   *     of the same type as the column.
-   *   The operator can be omitted, and will default to 'IN' if the value is an
-   *   array, or to '=' otherwise.
-   * @param $delta_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $delta_group. For example, let's presume a multivalue field which has
-   *   two columns, 'color' and 'shape', and for entity id 1, there are two
-   *   values: red/square and blue/circle. Entity ID 1 does not have values
-   *   corresponding to 'red circle', however if you pass 'red' and 'circle' as
-   *   conditions, it will appear in the  results - by default queries will run
-   *   against any combination of deltas. By passing the conditions with the
-   *   same $delta_group it will ensure that only values attached to the same
-   *   delta are matched, and entity 1 would then be excluded from the results.
-   * @param $language_group
-   *   An arbitrary identifier: conditions in the same group must have the same
-   *   $language_group.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  protected function addFieldCondition(&$conditions, $field, $column = NULL, $value = NULL, $operator = NULL, $delta_group = NULL, $language_group = NULL) {
-    // The '!=' operator is deprecated in favour of the '<>' operator since the
-    // latter is ANSI SQL compatible.
-    if ($operator == '!=') {
-      $operator = '<>';
-    }
-    if (is_scalar($field)) {
-      $field_definition = field_info_field($field);
-      if (empty($field_definition)) {
-        throw new EntityFieldQueryException(t('Unknown field: @field_name', array('@field_name' => $field)));
-      }
-      $field = $field_definition;
-    }
-    // Ensure the same index is used for field conditions as for fields.
-    $index = count($this->fields);
-    $this->fields[$index] = $field;
-    if (isset($column)) {
-      $conditions[$index] = array(
-        'field' => $field,
-        'column' => $column,
-        'value' => $value,
-        'operator' => $operator,
-        'delta_group' => $delta_group,
-        'language_group' => $language_group,
-      );
-    }
-    return $this;
-  }
-
-  /**
-   * Adds a condition on an entity-specific property.
-   *
-   * An $entity_type must be specified by calling
-   * EntityFieldCondition::entityCondition('entity_type', $entity_type) before
-   * executing the query. Also, by default only entities stored in SQL are
-   * supported; however, EntityFieldQuery::executeCallback can be set to handle
-   * different entity storage.
-   *
-   * @param $column
-   *   A column defined in the hook_schema() of the base table of the entity.
-   * @param $value
-   *   The value to test the field against. In most cases, this is a scalar. For
-   *   more complex options, it is an array. The meaning of each element in the
-   *   array is dependent on $operator.
-   * @param $operator
-   *   Possible values:
-   *   - '=', '<>', '>', '>=', '<', '<=', 'STARTS_WITH', 'CONTAINS': These
-   *     operators expect $value to be a literal of the same type as the
-   *     column.
-   *   - 'IN', 'NOT IN': These operators expect $value to be an array of
-   *     literals of the same type as the column.
-   *   - 'BETWEEN': This operator expects $value to be an array of two literals
-   *     of the same type as the column.
-   *   The operator can be omitted, and will default to 'IN' if the value is an
-   *   array, or to '=' otherwise.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function propertyCondition($column, $value, $operator = NULL) {
-    // The '!=' operator is deprecated in favour of the '<>' operator since the
-    // latter is ANSI SQL compatible.
-    if ($operator == '!=') {
-      $operator = '<>';
-    }
-    $this->propertyConditions[] = array(
-      'column' => $column,
-      'value' => $value,
-      'operator' => $operator,
-    );
-    return $this;
-  }
-
-  /**
-   * Orders the result set by entity-generic metadata.
-   *
-   * If called multiple times, the query will order by each specified column in
-   * the order this method is called.
-   *
-   * Note: The "comment" and "taxonomy_term" entity types don't support ordering
-   * by bundle. For "taxonomy_term", propertyOrderBy('vid') can be used instead.
-   *
-   * @param $name
-   *   'entity_type', 'bundle', 'revision_id' or 'entity_id'.
-   * @param $direction
-   *   The direction to sort. Legal values are "ASC" and "DESC".
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function entityOrderBy($name, $direction = 'ASC') {
-    $this->order[] = array(
-      'type' => 'entity',
-      'specifier' => $name,
-      'direction' => $direction,
-    );
-    return $this;
-  }
-
-  /**
-   * Orders the result set by a given field column.
-   *
-   * If called multiple times, the query will order by each specified column in
-   * the order this method is called. Note that entities with empty field
-   * values will be excluded from the EntityFieldQuery results when using this
-   * method.
-   *
-   * @param $field
-   *   Either a field name or a field array.
-   * @param $column
-   *   A column defined in the hook_field_schema() of this field. entity_id and
-   *   bundle can also be used.
-   * @param $direction
-   *   The direction to sort. Legal values are "ASC" and "DESC".
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function fieldOrderBy($field, $column, $direction = 'ASC') {
-    if (is_scalar($field)) {
-      $field_definition = field_info_field($field);
-      if (empty($field_definition)) {
-        throw new EntityFieldQueryException(t('Unknown field: @field_name', array('@field_name' => $field)));
-      }
-      $field = $field_definition;
-    }
-    // Save the index used for the new field, for later use in field storage.
-    $index = count($this->fields);
-    $this->fields[$index] = $field;
-    $this->order[] = array(
-      'type' => 'field',
-      'specifier' => array(
-        'field' => $field,
-        'index' => $index,
-        'column' => $column,
-      ),
-      'direction' => $direction,
-    );
-    return $this;
-  }
-
-  /**
-   * Orders the result set by an entity-specific property.
-   *
-   * An $entity_type must be specified by calling
-   * EntityFieldCondition::entityCondition('entity_type', $entity_type) before
-   * executing the query.
-   *
-   * If called multiple times, the query will order by each specified column in
-   * the order this method is called.
-   *
-   * @param $column
-   *   The column on which to order.
-   * @param $direction
-   *   The direction to sort. Legal values are "ASC" and "DESC".
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function propertyOrderBy($column, $direction = 'ASC') {
-    $this->order[] = array(
-      'type' => 'property',
-      'specifier' => $column,
-      'direction' => $direction,
-    );
-    return $this;
-  }
-
-  /**
-   * Sets the query to be a count query only.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function count() {
-    $this->count = TRUE;
-    return $this;
-  }
-
-  /**
-   * Restricts a query to a given range in the result set.
-   *
-   * @param $start
-   *   The first entity from the result set to return. If NULL, removes any
-   *   range directives that are set.
-   * @param $length
-   *   The number of entities to return from the result set.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function range($start = NULL, $length = NULL) {
-    $this->range = array(
-      'start' => $start,
-      'length' => $length,
-    );
-    return $this;
-  }
-
-  /**
-   * Enables a pager for the query.
-   *
-   * @param $limit
-   *   An integer specifying the number of elements per page.  If passed a false
-   *   value (FALSE, 0, NULL), the pager is disabled.
-   * @param $element
-   *   An optional integer to distinguish between multiple pagers on one page.
-   *   If not provided, one is automatically calculated.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function pager($limit = 10, $element = NULL) {
-    if (!isset($element)) {
-      $element = PagerDefault::$maxElement++;
-    }
-    elseif ($element >= PagerDefault::$maxElement) {
-      PagerDefault::$maxElement = $element + 1;
-    }
-
-    $this->pager = array(
-      'limit' => $limit,
-      'element' => $element,
-    );
-    return $this;
-  }
-
-  /**
-   * Enables sortable tables for this query.
-   *
-   * @param $headers
-   *   An EFQ Header array based on which the order clause is added to the
-   *   query.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function tableSort(&$headers) {
-    // If 'field' is not initialized, the header columns aren't clickable
-    foreach ($headers as $key =>$header) {
-      if (is_array($header) && isset($header['specifier'])) {
-        $headers[$key]['field'] = '';
-      }
-    }
-
-    $order = tablesort_get_order($headers);
-    $direction = tablesort_get_sort($headers);
-    foreach ($headers as $header) {
-      if (is_array($header) && ($header['data'] == $order['name'])) {
-        if ($header['type'] == 'field') {
-          $this->fieldOrderBy($header['specifier']['field'], $header['specifier']['column'], $direction);
-        }
-        else {
-          $header['direction'] = $direction;
-          $this->order[] = $header;
-        }
-      }
-    }
-
-    return $this;
-  }
-
-  /**
-   * Filters on the data being deleted.
-   *
-   * @param $deleted
-   *   TRUE to only return deleted data, FALSE to return non-deleted data,
-   *   EntityFieldQuery::RETURN_ALL to return everything. Defaults to FALSE.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function deleted($deleted = TRUE) {
-    $this->deleted = $deleted;
-    return $this;
-  }
-
-  /**
-   * Queries the current or every revision.
-   *
-   * Note that this only affects field conditions. Property conditions always
-   * apply to the current revision.
-   * @TODO: Once revision tables have been cleaned up, revisit this.
-   *
-   * @param $age
-   *   - FIELD_LOAD_CURRENT (default): Query the most recent revisions for all
-   *     entities. The results will be keyed by entity type and entity ID.
-   *   - FIELD_LOAD_REVISION: Query all revisions. The results will be keyed by
-   *     entity type and entity revision ID.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function age($age) {
-    $this->age = $age;
-    return $this;
-  }
-
-  /**
-   * Adds a tag to the query.
-   *
-   * Tags are strings that mark a query so that hook_query_alter() and
-   * hook_query_TAG_alter() implementations may decide if they wish to alter
-   * the query. A query may have any number of tags, and they must be valid PHP
-   * identifiers (composed of letters, numbers, and underscores). For example,
-   * queries involving nodes that will be displayed for a user need to add the
-   * tag 'node_access', so that the node module can add access restrictions to
-   * the query.
-   *
-   * If an entity field query has tags, it must also have an entity type
-   * specified, because the alter hook will need the entity base table.
-   *
-   * @param string $tag
-   *   The tag to add.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function addTag($tag) {
-    $this->tags[$tag] = $tag;
-    return $this;
-  }
-
-  /**
-   * Adds additional metadata to the query.
-   *
-   * Sometimes a query may need to provide additional contextual data for the
-   * alter hook. The alter hook implementations may then use that information
-   * to decide if and how to take action.
-   *
-   * @param $key
-   *   The unique identifier for this piece of metadata. Must be a string that
-   *   follows the same rules as any other PHP identifier.
-   * @param $object
-   *   The additional data to add to the query. May be any valid PHP variable.
-   *
-   * @return EntityFieldQuery
-   *   The called object.
-   */
-  public function addMetaData($key, $object) {
-    $this->metaData[$key] = $object;
-    return $this;
-  }
-
-  /**
-   * Executes the query.
-   *
-   * After executing the query, $this->orderedResults will contain a list of
-   * the same stub entities in the order returned by the query. This is only
-   * relevant if there are multiple entity types in the returned value and
-   * a field ordering was requested. In every other case, the returned value
-   * contains everything necessary for processing.
-   *
-   * @return
-   *   Either a number if count() was called or an array of associative arrays
-   *   of stub entities. The outer array keys are entity types, and the inner
-   *   array keys are the relevant ID. (In most cases this will be the entity
-   *   ID. The only exception is when age=FIELD_LOAD_REVISION is used and field
-   *   conditions or sorts are present -- in this case, the key will be the
-   *   revision ID.) The entity type will only exist in the outer array if
-   *   results were found. The inner array values are always stub entities, as
-   *   returned by entity_create_stub_entity(). To traverse the returned array:
-   *   @code
-   *     foreach ($query->execute() as $entity_type => $entities) {
-   *       foreach ($entities as $entity_id => $entity) {
-   *   @endcode
-   *   Note if the entity type is known, then the following snippet will load
-   *   the entities found:
-   *   @code
-   *     $result = $query->execute();
-   *     if (!empty($result[$my_type])) {
-   *       $entities = entity_load($my_type, array_keys($result[$my_type]));
-   *     }
-   *   @endcode
-   */
-  public function execute() {
-    // Give a chance to other modules to alter the query.
-    drupal_alter('entity_query', $this);
-    $this->altered = TRUE;
-
-    // Initialize the pager.
-    $this->initializePager();
-
-    // Execute the query using the correct callback.
-    $result = call_user_func($this->queryCallback(), $this);
-
-    return $result;
-  }
-
-  /**
-   * Determines the query callback to use for this entity query.
-   *
-   * @return
-   *   A callback that can be used with call_user_func().
-   */
-  public function queryCallback() {
-    // Use the override from $this->executeCallback. It can be set either
-    // while building the query, or using hook_entity_query_alter().
-    if (function_exists($this->executeCallback)) {
-      return $this->executeCallback;
-    }
-    // If there are no field conditions and sorts, and no execute callback
-    // then we default to querying entity tables in SQL.
-    if (empty($this->fields)) {
-      return array($this, 'propertyQuery');
-    }
-    // If no override, find the storage engine to be used.
-    foreach ($this->fields as $field) {
-      if (!isset($storage)) {
-        $storage = $field['storage']['module'];
-      }
-      elseif ($storage != $field['storage']['module']) {
-        throw new EntityFieldQueryException(t("Can't handle more than one field storage engine"));
-      }
-    }
-    if ($storage) {
-      // Use hook_field_storage_query() from the field storage.
-      return $storage . '_field_storage_query';
-    }
-    else {
-      throw new EntityFieldQueryException(t("Field storage engine not found."));
-    }
-  }
-
-  /**
-   * Queries entity tables in SQL for property conditions and sorts.
-   *
-   * This method is only used if there are no field conditions and sorts.
-   *
-   * @return
-   *   See EntityFieldQuery::execute().
-   */
-  protected function propertyQuery() {
-    if (empty($this->entityConditions['entity_type'])) {
-      throw new EntityFieldQueryException(t('For this query an entity type must be specified.'));
-    }
-    $entity_type = $this->entityConditions['entity_type']['value'];
-    $entity_info = entity_get_info($entity_type);
-    if (empty($entity_info['base table'])) {
-      throw new EntityFieldQueryException(t('Entity %entity has no base table.', array('%entity' => $entity_type)));
-    }
-    $base_table = $entity_info['base table'];
-    $base_table_schema = drupal_get_schema($base_table);
-    $select_query = db_select($base_table);
-    $select_query->addExpression(':entity_type', 'entity_type', array(':entity_type' => $entity_type));
-    // Process the property conditions.
-    foreach ($this->propertyConditions as $property_condition) {
-      $this->addCondition($select_query, $base_table . '.' . $property_condition['column'], $property_condition);
-    }
-    // Process the four possible entity condition.
-    // The id field is always present in entity keys.
-    $sql_field = $entity_info['entity keys']['id'];
-    $id_map['entity_id'] = $sql_field;
-    $select_query->addField($base_table, $sql_field, 'entity_id');
-    if (isset($this->entityConditions['entity_id'])) {
-      $this->addCondition($select_query, $base_table . '.' . $sql_field, $this->entityConditions['entity_id']);
-    }
-
-    // If there is a revision key defined, use it.
-    if (!empty($entity_info['entity keys']['revision'])) {
-      $sql_field = $entity_info['entity keys']['revision'];
-      $select_query->addField($base_table, $sql_field, 'revision_id');
-      if (isset($this->entityConditions['revision_id'])) {
-        $this->addCondition($select_query, $base_table . '.' . $sql_field, $this->entityConditions['revision_id']);
-      }
-    }
-    else {
-      $sql_field = 'revision_id';
-      $select_query->addExpression('NULL', 'revision_id');
-    }
-    $id_map['revision_id'] = $sql_field;
-
-    // Handle bundles.
-    if (!empty($entity_info['entity keys']['bundle'])) {
-      $sql_field = $entity_info['entity keys']['bundle'];
-      $having = FALSE;
-
-      if (!empty($base_table_schema['fields'][$sql_field])) {
-        $select_query->addField($base_table, $sql_field, 'bundle');
-      }
-    }
-    else {
-      $sql_field = 'bundle';
-      $select_query->addExpression(':bundle', 'bundle', array(':bundle' => $entity_type));
-      $having = TRUE;
-    }
-    $id_map['bundle'] = $sql_field;
-    if (isset($this->entityConditions['bundle'])) {
-      if (!empty($entity_info['entity keys']['bundle'])) {
-        $this->addCondition($select_query, $base_table . '.' . $sql_field, $this->entityConditions['bundle'], $having);
-      }
-      else {
-        // This entity has no bundle, so invalidate the query.
-        $select_query->where('1 = 0');
-      }
-    }
-
-    // Order the query.
-    foreach ($this->order as $order) {
-      if ($order['type'] == 'entity') {
-        $key = $order['specifier'];
-        if (!isset($id_map[$key])) {
-          throw new EntityFieldQueryException(t('Do not know how to order on @key for @entity_type', array('@key' => $key, '@entity_type' => $entity_type)));
-        }
-        $select_query->orderBy($id_map[$key], $order['direction']);
-      }
-      elseif ($order['type'] == 'property') {
-        $select_query->orderBy($base_table . '.' . $order['specifier'], $order['direction']);
-      }
-    }
-
-    return $this->finishQuery($select_query);
-  }
-
-  /**
-   * Gets the total number of results and initializes a pager for the query.
-   *
-   * The pager can be disabled by either setting the pager limit to 0, or by
-   * setting this query to be a count query.
-   */
-  function initializePager() {
-    if ($this->pager && !empty($this->pager['limit']) && !$this->count) {
-      $page = pager_find_page($this->pager['element']);
-      $count_query = clone $this;
-      $this->pager['total'] = $count_query->count()->execute();
-      $this->pager['start'] = $page * $this->pager['limit'];
-      pager_default_initialize($this->pager['total'], $this->pager['limit'], $this->pager['element']);
-      $this->range($this->pager['start'], $this->pager['limit']);
-    }
-  }
-
-  /**
-   * Finishes the query.
-   *
-   * Adds tags, metaData, range and returns the requested list or count.
-   *
-   * @param SelectQuery $select_query
-   *   A SelectQuery which has entity_type, entity_id, revision_id and bundle
-   *   fields added.
-   * @param $id_key
-   *   Which field's values to use as the returned array keys.
-   *
-   * @return
-   *   See EntityFieldQuery::execute().
-   */
-  function finishQuery($select_query, $id_key = 'entity_id') {
-    foreach ($this->tags as $tag) {
-      $select_query->addTag($tag);
-    }
-    foreach ($this->metaData as $key => $object) {
-      $select_query->addMetaData($key, $object);
-    }
-    $select_query->addMetaData('entity_field_query', $this);
-    if ($this->range) {
-      $select_query->range($this->range['start'], $this->range['length']);
-    }
-    if ($this->count) {
-      return $select_query->countQuery()->execute()->fetchField();
-    }
-    $return = array();
-    foreach ($select_query->execute() as $partial_entity) {
-      $bundle = isset($partial_entity->bundle) ? $partial_entity->bundle : NULL;
-      $entity = entity_create_stub_entity($partial_entity->entity_type, array($partial_entity->entity_id, $partial_entity->revision_id, $bundle));
-      $return[$partial_entity->entity_type][$partial_entity->$id_key] = $entity;
-      $this->ordered_results[] = $partial_entity;
-    }
-    return $return;
-  }
-
-  /**
-   * Adds a condition to an already built SelectQuery (internal function).
-   *
-   * This is a helper for hook_entity_query() and hook_field_storage_query().
-   *
-   * @param SelectQuery $select_query
-   *   A SelectQuery object.
-   * @param $sql_field
-   *   The name of the field.
-   * @param $condition
-   *   A condition as described in EntityFieldQuery::fieldCondition() and
-   *   EntityFieldQuery::entityCondition().
-   * @param $having
-   *   HAVING or WHERE. This is necessary because SQL can't handle WHERE
-   *   conditions on aliased columns.
-   */
-  public function addCondition(SelectQuery $select_query, $sql_field, $condition, $having = FALSE) {
-    $method = $having ? 'havingCondition' : 'condition';
-    $like_prefix = '';
-    switch ($condition['operator']) {
-      case 'CONTAINS':
-        $like_prefix = '%';
-      case 'STARTS_WITH':
-        $select_query->$method($sql_field, $like_prefix . db_like($condition['value']) . '%', 'LIKE');
-        break;
-      default:
-        $select_query->$method($sql_field, $condition['value'], $condition['operator']);
-    }
-  }
-
-}
-
-/**
- * Defines an exception thrown when a malformed entity is passed.
- */
-class EntityMalformedException extends Exception { }
diff --git a/includes/errors.inc b/includes/errors.inc
index fcf9ca85..a9b7b5bd 100755
--- a/includes/errors.inc
+++ b/includes/errors.inc
@@ -9,7 +9,7 @@
  * Maps PHP error constants to watchdog severity levels.
  *
  * The error constants are documented at
- * http://php.net/manual/en/errorfunc.constants.php
+ * http://php.net/manual/errorfunc.constants.php
  *
  * @ingroup logging_severity_levels
  */
diff --git a/includes/file.inc b/includes/file.inc
index 06657cfb..834699f1 100755
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -470,8 +470,11 @@ function file_ensure_htaccess() {
  * @param $private
  *   FALSE indicates that $directory should be an open and public directory.
  *   The default is TRUE which indicates a private and protected directory.
+ * @param $force_overwrite
+ *   Set to TRUE to attempt to overwrite the existing .htaccess file if one is
+ *   already present. Defaults to FALSE.
  */
-function file_create_htaccess($directory, $private = TRUE) {
+function file_create_htaccess($directory, $private = TRUE, $force_overwrite = FALSE) {
   if (file_uri_scheme($directory)) {
     $directory = file_stream_wrapper_uri_normalize($directory);
   }
@@ -480,19 +483,12 @@ function file_create_htaccess($directory, $private = TRUE) {
   }
   $htaccess_path =  $directory . '/.htaccess';
 
-  if (file_exists($htaccess_path)) {
+  if (file_exists($htaccess_path) && !$force_overwrite) {
     // Short circuit if the .htaccess file already exists.
     return;
   }
 
-  if ($private) {
-    // Private .htaccess file.
-    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks";
-  }
-  else {
-    // Public .htaccess file.
-    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
-  }
+  $htaccess_lines = file_htaccess_lines($private);
 
   // Write the .htaccess file.
   if (file_put_contents($htaccess_path, $htaccess_lines)) {
@@ -504,6 +500,45 @@ function file_create_htaccess($directory, $private = TRUE) {
   }
 }
 
+/**
+ * Returns the standard .htaccess lines that Drupal writes to file directories.
+ *
+ * @param $private
+ *   (Optional) Set to FALSE to return the .htaccess lines for an open and
+ *   public directory. The default is TRUE, which returns the .htaccess lines
+ *   for a private and protected directory.
+ *
+ * @return
+ *   A string representing the desired contents of the .htaccess file.
+ *
+ * @see file_create_htaccess()
+ */
+function file_htaccess_lines($private = TRUE) {
+  $lines = <<<EOF
+# Turn off all options we don't need.
+Options None
+Options +FollowSymLinks
+
+# Set the catch-all handler to prevent scripts from being executed.
+SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+<Files *>
+  # Override the handler again if we're run later in the evaluation list.
+  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
+</Files>
+
+# If we know how to do it safely, disable the PHP engine entirely.
+<IfModule mod_php5.c>
+  php_flag engine off
+</IfModule>
+EOF;
+
+  if ($private) {
+    $lines = "Deny from all\n\n" . $lines;
+  }
+
+  return $lines;
+}
+
 /**
  * Loads file objects from the database.
  *
@@ -586,7 +621,11 @@ function file_save(stdClass $file) {
     module_invoke_all('entity_update', $file, 'file');
   }
 
+  // Clear internal properties.
   unset($file->original);
+  // Clear the static loading cache.
+  entity_get_controller('file')->resetCache(array($file->fid));
+
   return $file;
 }
 
@@ -719,10 +758,11 @@ function file_usage_delete(stdClass $file, $module, $type = NULL, $id = NULL, $c
  * stored in the database. This is a powerful function that in many ways
  * performs like an advanced version of copy().
  * - Checks if $source and $destination are valid and readable/writable.
- * - Checks that $source is not equal to $destination; if they are an error
- *   is reported.
  * - If file already exists in $destination either the call will error out,
  *   replace the file or rename the file based on the $replace parameter.
+ * - If the $source and $destination are equal, the behavior depends on the
+ *   $replace parameter. FILE_EXISTS_REPLACE will error out. FILE_EXISTS_RENAME
+ *   will rename the file until the $destination is unique.
  * - Adds the new file to the files database. If the source file is a
  *   temporary file, the resulting file will also be a temporary file. See
  *   file_save_upload() for details on temporary files.
@@ -817,10 +857,11 @@ function file_valid_uri($uri) {
  * This is a powerful function that in many ways performs like an advanced
  * version of copy().
  * - Checks if $source and $destination are valid and readable/writable.
- * - Checks that $source is not equal to $destination; if they are an error
- *   is reported.
  * - If file already exists in $destination either the call will error out,
  *   replace the file or rename the file based on the $replace parameter.
+ * - If the $source and $destination are equal, the behavior depends on the
+ *   $replace parameter. FILE_EXISTS_REPLACE will error out. FILE_EXISTS_RENAME
+ *   will rename the file until the $destination is unique.
  * - Provides a fallback using realpaths if the move fails using stream
  *   wrappers. This can occur because PHP's copy() function does not properly
  *   support streams if safe_mode or open_basedir are enabled. See
@@ -1108,7 +1149,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 
   // Allow potentially insecure uploads for very savvy users and admin
   if (!variable_get('allow_insecure_uploads', 0)) {
-    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
+    // Remove any null bytes. See http://php.net/manual/security.filesystem.nullbytes.php
     $filename = str_replace(chr(0), '', $filename);
 
     $whitelist = array_unique(explode(' ', trim($extensions)));
@@ -1256,6 +1297,7 @@ function file_delete(stdClass $file, $force = FALSE) {
   if (file_unmanaged_delete($file->uri)) {
     db_delete('file_managed')->condition('fid', $file->fid)->execute();
     db_delete('file_usage')->condition('fid', $file->fid)->execute();
+    entity_get_controller('file')->resetCache();
     return TRUE;
   }
   return FALSE;
@@ -1365,8 +1407,9 @@ function file_space_used($uid = NULL, $status = FILE_STATUS_PERMANENT) {
  * Temporary files are periodically cleaned. To make the file a permanent file,
  * assign the status and use file_save() to save the changes.
  *
- * @param $source
- *   A string specifying the filepath or URI of the uploaded file to save.
+ * @param $form_field_name
+ *   A string that is the associative array key of the upload form element in
+ *   the form array.
  * @param $validators
  *   An optional, associative array of callback functions used to validate the
  *   file. See file_validate() for a full discussion of the array format.
@@ -1377,9 +1420,9 @@ function file_space_used($uid = NULL, $status = FILE_STATUS_PERMANENT) {
  *   (Beware: this is not safe and should only be allowed for trusted users, if
  *   at all).
  * @param $destination
- *   A string containing the URI $source should be copied to.
- *   This must be a stream wrapper URI. If this value is omitted, Drupal's
- *   temporary files scheme will be used ("temporary://").
+ *   A string containing the URI that the file should be copied to. This must
+ *   be a stream wrapper URI. If this value is omitted, Drupal's temporary
+ *   files scheme will be used ("temporary://").
  * @param $replace
  *   Replace behavior when the destination file already exists:
  *   - FILE_EXISTS_REPLACE: Replace the existing file.
@@ -1397,45 +1440,45 @@ function file_space_used($uid = NULL, $status = FILE_STATUS_PERMANENT) {
  *   - source: Path to the file before it is moved.
  *   - destination: Path to the file after it is moved (same as 'uri').
  */
-function file_save_upload($source, $validators = array(), $destination = FALSE, $replace = FILE_EXISTS_RENAME) {
+function file_save_upload($form_field_name, $validators = array(), $destination = FALSE, $replace = FILE_EXISTS_RENAME) {
   global $user;
   static $upload_cache;
 
   // Return cached objects without processing since the file will have
   // already been processed and the paths in _FILES will be invalid.
-  if (isset($upload_cache[$source])) {
-    return $upload_cache[$source];
+  if (isset($upload_cache[$form_field_name])) {
+    return $upload_cache[$form_field_name];
   }
 
   // Make sure there's an upload to process.
-  if (empty($_FILES['files']['name'][$source])) {
+  if (empty($_FILES['files']['name'][$form_field_name])) {
     return NULL;
   }
 
   // Check for file upload errors and return FALSE if a lower level system
   // error occurred. For a complete list of errors:
-  // See http://php.net/manual/en/features.file-upload.errors.php.
-  switch ($_FILES['files']['error'][$source]) {
+  // See http://php.net/manual/features.file-upload.errors.php.
+  switch ($_FILES['files']['error'][$form_field_name]) {
     case UPLOAD_ERR_INI_SIZE:
     case UPLOAD_ERR_FORM_SIZE:
-      drupal_set_message(t('The file %file could not be saved, because it exceeds %maxsize, the maximum allowed size for uploads.', array('%file' => $_FILES['files']['name'][$source], '%maxsize' => format_size(file_upload_max_size()))), 'error');
+      drupal_set_message(t('The file %file could not be saved, because it exceeds %maxsize, the maximum allowed size for uploads.', array('%file' => $_FILES['files']['name'][$form_field_name], '%maxsize' => format_size(file_upload_max_size()))), 'error');
       return FALSE;
 
     case UPLOAD_ERR_PARTIAL:
     case UPLOAD_ERR_NO_FILE:
-      drupal_set_message(t('The file %file could not be saved, because the upload did not complete.', array('%file' => $_FILES['files']['name'][$source])), 'error');
+      drupal_set_message(t('The file %file could not be saved, because the upload did not complete.', array('%file' => $_FILES['files']['name'][$form_field_name])), 'error');
       return FALSE;
 
     case UPLOAD_ERR_OK:
       // Final check that this is a valid upload, if it isn't, use the
       // default error handler.
-      if (is_uploaded_file($_FILES['files']['tmp_name'][$source])) {
+      if (is_uploaded_file($_FILES['files']['tmp_name'][$form_field_name])) {
         break;
       }
 
     // Unknown error
     default:
-      drupal_set_message(t('The file %file could not be saved. An unknown error has occurred.', array('%file' => $_FILES['files']['name'][$source])), 'error');
+      drupal_set_message(t('The file %file could not be saved. An unknown error has occurred.', array('%file' => $_FILES['files']['name'][$form_field_name])), 'error');
       return FALSE;
   }
 
@@ -1443,10 +1486,10 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
   $file = new stdClass();
   $file->uid      = $user->uid;
   $file->status   = 0;
-  $file->filename = trim(drupal_basename($_FILES['files']['name'][$source]), '.');
-  $file->uri      = $_FILES['files']['tmp_name'][$source];
+  $file->filename = trim(drupal_basename($_FILES['files']['name'][$form_field_name]), '.');
+  $file->uri      = $_FILES['files']['tmp_name'][$form_field_name];
   $file->filemime = file_get_mimetype($file->filename);
-  $file->filesize = $_FILES['files']['size'][$source];
+  $file->filesize = $_FILES['files']['size'][$form_field_name];
 
   $extensions = '';
   if (isset($validators['file_validate_extensions'])) {
@@ -1503,7 +1546,7 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
     return FALSE;
   }
 
-  $file->source = $source;
+  $file->source = $form_field_name;
   // A URI may already have a trailing slash or look like "public://".
   if (substr($destination, -1) != '/') {
     $destination .= '/';
@@ -1512,7 +1555,7 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
   // If file_destination() returns FALSE then $replace == FILE_EXISTS_ERROR and
   // there's an existing file so we need to bail.
   if ($file->destination === FALSE) {
-    drupal_set_message(t('The file %source could not be uploaded because a file by that name already exists in the destination %directory.', array('%source' => $source, '%directory' => $destination)), 'error');
+    drupal_set_message(t('The file %source could not be uploaded because a file by that name already exists in the destination %directory.', array('%source' => $form_field_name, '%directory' => $destination)), 'error');
     return FALSE;
   }
 
@@ -1531,7 +1574,7 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
     else {
       $message .= ' ' . array_pop($errors);
     }
-    form_set_error($source, $message);
+    form_set_error($form_field_name, $message);
     return FALSE;
   }
 
@@ -1539,8 +1582,8 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
   // directory. This overcomes open_basedir restrictions for future file
   // operations.
   $file->uri = $file->destination;
-  if (!drupal_move_uploaded_file($_FILES['files']['tmp_name'][$source], $file->uri)) {
-    form_set_error($source, t('File upload error. Could not move uploaded file.'));
+  if (!drupal_move_uploaded_file($_FILES['files']['tmp_name'][$form_field_name], $file->uri)) {
+    form_set_error($form_field_name, t('File upload error. Could not move uploaded file.'));
     watchdog('file', 'Upload error. Could not move uploaded file %file to destination %destination.', array('%file' => $file->filename, '%destination' => $file->uri));
     return FALSE;
   }
@@ -1560,7 +1603,7 @@ function file_save_upload($source, $validators = array(), $destination = FALSE,
   // If we made it this far it's safe to record this file in the database.
   if ($file = file_save($file)) {
     // Add file to the cache.
-    $upload_cache[$source] = $file;
+    $upload_cache[$form_field_name] = $file;
     return $file;
   }
   return FALSE;
@@ -2177,7 +2220,7 @@ function drupal_chmod($uri, $mode = NULL) {
  * @param $uri
  *   A URI or pathname.
  * @param $context
- *   Refer to http://php.net/manual/en/ref.stream.php
+ *   Refer to http://php.net/manual/ref.stream.php
  *
  * @return
  *   Boolean TRUE on success, or FALSE on failure.
@@ -2310,7 +2353,7 @@ function drupal_basename($uri, $suffix = NULL) {
  * @param $recursive
  *   Default to FALSE.
  * @param $context
- *   Refer to http://php.net/manual/en/ref.stream.php
+ *   Refer to http://php.net/manual/ref.stream.php
  *
  * @return
  *   Boolean TRUE on success, or FALSE on failure.
@@ -2341,7 +2384,7 @@ function drupal_mkdir($uri, $mode = NULL, $recursive = FALSE, $context = NULL) {
  * @param $uri
  *   A URI or pathname.
  * @param $context
- *   Refer to http://php.net/manual/en/ref.stream.php
+ *   Refer to http://php.net/manual/ref.stream.php
  *
  * @return
  *   Boolean TRUE on success, or FALSE on failure.
diff --git a/includes/filetransfer/ftp.inc b/includes/filetransfer/ftp.inc
index 838dc7c1..a85831d1 100755
--- a/includes/filetransfer/ftp.inc
+++ b/includes/filetransfer/ftp.inc
@@ -82,11 +82,11 @@ class FileTransferFTPExtension extends FileTransferFTP implements FileTransferCh
     if (!$list) {
       $list = array();
     }
-    foreach ($list as $item){
+    foreach ($list as $item) {
       if ($item == '.' || $item == '..') {
         continue;
       }
-      if (@ftp_chdir($this->connection, $item)){
+      if (@ftp_chdir($this->connection, $item)) {
         ftp_cdup($this->connection);
         $this->removeDirectory(ftp_pwd($this->connection) . '/' . $item);
       }
@@ -122,7 +122,7 @@ class FileTransferFTPExtension extends FileTransferFTP implements FileTransferCh
 
   function chmodJailed($path, $mode, $recursive) {
     if (!ftp_chmod($this->connection, $mode, $path)) {
-      throw new FileTransferException("Unable to set permissions on %file", NULL, array ('%file' => $path));
+      throw new FileTransferException("Unable to set permissions on %file", NULL, array('%file' => $path));
     }
     if ($this->isDirectory($path) && $recursive) {
       $filelist = @ftp_nlist($this->connection, $path);
diff --git a/includes/form.inc b/includes/form.inc
index 8ca048a9..846bcb51 100755
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -15,10 +15,9 @@
  * reference the form builder function using \@see. For examples, of this see
  * system_modules_uninstall() or user_pass(), the latter of which has the
  * following in its doxygen documentation:
- *
- * \@ingroup forms
- * \@see user_pass_validate().
- * \@see user_pass_submit().
+ * - \@ingroup forms
+ * - \@see user_pass_validate()
+ * - \@see user_pass_submit()
  *
  * @}
  */
@@ -168,6 +167,12 @@ function drupal_get_form($form_id) {
  *       processed.
  *     - base_form_id: Identification for a base form, as declared in a
  *       hook_forms() implementation.
+ *     - immutable: If this flag is set to TRUE, a new form build id is
+ *       generated when the form is loaded from the cache. If it is subsequently
+ *       saved to the cache again, it will have another cache id and therefore
+ *       the original form and form-state will remain unaltered. This is
+ *       important when page caching is enabled in order to prevent form state
+ *       from leaking between anonymous users.
  *   - rebuild_info: Internal. Similar to 'build_info', but pertaining to
  *     drupal_rebuild_form().
  *   - rebuild: Normally, after the entire form processing is completed and
@@ -235,6 +240,12 @@ function drupal_get_form($form_id) {
  *     likely to occur during Ajax operations.
  *   - programmed: If TRUE, the form was submitted programmatically, usually
  *     invoked via drupal_form_submit(). Defaults to FALSE.
+ *   - programmed_bypass_access_check: If TRUE, programmatic form submissions
+ *     are processed without taking #access into account. Set this to FALSE
+ *     when submitting a form programmatically with values that may have been
+ *     input by the user executing the current request; this will cause #access
+ *     to be respected as it would on a normal form submission. Defaults to
+ *     TRUE.
  *   - process_input: Boolean flag. TRUE signifies correct form submission.
  *     This is always TRUE for programmed forms coming from drupal_form_submit()
  *     (see 'programmed' key), or if the form_id coming from the $_POST data is
@@ -402,6 +413,7 @@ function form_state_defaults() {
     'submitted' => FALSE,
     'executed' => FALSE,
     'programmed' => FALSE,
+    'programmed_bypass_access_check' => TRUE,
     'cache'=> FALSE,
     'method' => 'post',
     'groups' => array(),
@@ -452,17 +464,25 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
   $form = drupal_retrieve_form($form_id, $form_state);
 
   // If only parts of the form will be returned to the browser (e.g., Ajax or
-  // RIA clients), re-use the old #build_id to not require client-side code to
-  // manually update the hidden 'build_id' input element.
+  // RIA clients), or if the form already had a new build ID regenerated when it
+  // was retrieved from the form cache, reuse the existing #build_id.
   // Otherwise, a new #build_id is generated, to not clobber the previous
   // build's data in the form cache; also allowing the user to go back to an
   // earlier build, make changes, and re-submit.
   // @see drupal_prepare_form()
-  if (isset($old_form['#build_id']) && !empty($form_state['rebuild_info']['copy']['#build_id'])) {
+  $enforce_old_build_id = isset($old_form['#build_id']) && !empty($form_state['rebuild_info']['copy']['#build_id']);
+  $old_form_is_mutable_copy = isset($old_form['#build_id_old']);
+  if ($enforce_old_build_id || $old_form_is_mutable_copy) {
     $form['#build_id'] = $old_form['#build_id'];
+    if ($old_form_is_mutable_copy) {
+      $form['#build_id_old'] = $old_form['#build_id_old'];
+    }
   }
   else {
-    $form['#build_id'] = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
+    if (isset($old_form['#build_id'])) {
+      $form['#build_id_old'] = $old_form['#build_id'];
+    }
+    $form['#build_id'] = 'form-' . drupal_random_key();
   }
 
   // #action defaults to request_uri(), but in case of Ajax and other partial
@@ -516,6 +536,15 @@ function form_get_cache($form_build_id, &$form_state) {
           }
         }
       }
+      // Generate a new #build_id if the cached form was rendered on a cacheable
+      // page.
+      if (!empty($form_state['build_info']['immutable'])) {
+        $form['#build_id_old'] = $form['#build_id'];
+        $form['#build_id'] = 'form-' . drupal_random_key();
+        $form['form_build_id']['#value'] = $form['#build_id'];
+        $form['form_build_id']['#id'] = $form['#build_id'];
+        unset($form_state['build_info']['immutable']);
+      }
       return $form;
     }
   }
@@ -528,15 +557,28 @@ function form_set_cache($form_build_id, $form, $form_state) {
   // 6 hours cache life time for forms should be plenty.
   $expire = 21600;
 
+  // Ensure that the form build_id embedded in the form structure is the same as
+  // the one passed in as a parameter. This is an additional safety measure to
+  // prevent legacy code operating directly with form_get_cache and
+  // form_set_cache from accidentally overwriting immutable form state.
+  if ($form['#build_id'] != $form_build_id) {
+    watchdog('form', 'Form build-id mismatch detected while attempting to store a form in the cache.', array(), WATCHDOG_ERROR);
+    return;
+  }
+
   // Cache form structure.
   if (isset($form)) {
     if ($GLOBALS['user']->uid) {
       $form['#cache_token'] = drupal_get_token();
     }
+    unset($form['#build_id_old']);
     cache_set('form_' . $form_build_id, $form, 'cache_form', REQUEST_TIME + $expire);
   }
 
   // Cache form state.
+  if (variable_get('cache', 0) && drupal_page_is_cacheable()) {
+    $form_state['build_info']['immutable'] = TRUE;
+  }
   if ($data = array_diff_key($form_state, array_flip(form_state_keys_no_cache()))) {
     cache_set('form_state_' . $form_build_id, $data, 'cache_form', REQUEST_TIME + $expire);
   }
@@ -977,7 +1019,7 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
   // @see drupal_build_form()
   // @see drupal_rebuild_form()
   if (!isset($form['#build_id'])) {
-    $form['#build_id'] = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
+    $form['#build_id'] = 'form-' . drupal_random_key();
   }
   $form['form_build_id'] = array(
     '#type' => 'hidden',
@@ -1129,6 +1171,12 @@ function drupal_validate_form($form_id, &$form, &$form_state) {
 
       // Setting this error will cause the form to fail validation.
       form_set_error('form_token', t('The form has become outdated. Copy any unsaved work in the form below and then <a href="@link">reload this page</a>.', array('@link' => $url)));
+
+      // Stop here and don't run any further validation handlers, because they
+      // could invoke non-safe operations which opens the door for CSRF
+      // vulnerabilities.
+      $validated_forms[$form_id] = TRUE;
+      return;
     }
   }
 
@@ -1979,7 +2027,7 @@ function _form_builder_handle_input_element($form_id, &$element, &$form_state) {
   // #access=FALSE on an element usually allow access for some users, so forms
   // submitted with drupal_form_submit() may bypass access restriction and be
   // treated as high-privilege users instead.
-  $process_input = empty($element['#disabled']) && ($form_state['programmed'] || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
+  $process_input = empty($element['#disabled']) && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
 
   // Set the element's #value property.
   if (!isset($element['#value']) && !array_key_exists('#value', $element)) {
@@ -3052,8 +3100,7 @@ function form_process_radios($element) {
  * @param $variables
  *   An associative array containing:
  *   - element: An associative array containing the properties of the element.
- *     Properties used: #title, #value, #return_value, #description, #required,
- *     #attributes, #checked.
+ *     Properties used: #id, #name, #attributes, #checked, #return_value.
  *
  * @ingroup themeable
  */
@@ -4245,7 +4292,7 @@ function element_validate_number($element, &$form_state) {
  * returns any user input in the 'results' or 'message' keys of $context,
  * it must also sanitize them first.
  *
- * Sample batch operations:
+ * Sample callback_batch_operation():
  * @code
  * // Simple and artificial: load a node of a given type for a given user
  * function my_function_1($uid, $type, &$context) {
@@ -4297,7 +4344,7 @@ function element_validate_number($element, &$form_state) {
  * }
  * @endcode
  *
- * Sample 'finished' callback:
+ * Sample callback_batch_finished():
  * @code
  * function batch_test_finished($success, $results, $operations) {
  *   // The 'success' parameter means no fatal PHP errors were detected. All
@@ -4336,12 +4383,14 @@ function element_validate_number($element, &$form_state) {
  * @param $batch_definition
  *   An associative array defining the batch, with the following elements (all
  *   are optional except as noted):
- *   - operations: (required) Array of function calls to be performed.
+ *   - operations: (required) Array of operations to be performed, where each
+ *     item is an array consisting of the name of an implementation of
+ *     callback_batch_operation() and an array of parameter.
  *     Example:
  *     @code
  *     array(
- *       array('my_function_1', array($arg1)),
- *       array('my_function_2', array($arg2_1, $arg2_2)),
+ *       array('callback_batch_operation_1', array($arg1)),
+ *       array('callback_batch_operation_2', array($arg2_1, $arg2_2)),
  *     )
  *     @endcode
  *   - title: A safe, translated string to use as the title for the progress
@@ -4353,10 +4402,10 @@ function element_validate_number($element, &$form_state) {
  *     @elapsed. Defaults to t('Completed @current of @total.').
  *   - error_message: Message displayed if an error occurred while processing
  *     the batch. Defaults to t('An error has occurred.').
- *   - finished: Name of a function to be executed after the batch has
- *     completed. This should be used to perform any result massaging that may
- *     be needed, and possibly save data in $_SESSION for display after final
- *     page redirection.
+ *   - finished: Name of an implementation of callback_batch_finished(). This is
+ *     executed after the batch has completed. This should be used to perform
+ *     any result massaging that may be needed, and possibly save data in
+ *     $_SESSION for display after final page redirection.
  *   - file: Path to the file containing the definitions of the 'operations' and
  *     'finished' functions, for instance if they don't reside in the main
  *     .module file. The path should be relative to base_path(), and thus should
diff --git a/includes/install.core.inc b/includes/install.core.inc
index 7a694e9b..38ad7248 100755
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -692,6 +692,21 @@ function install_full_redirect_url($install_state) {
  */
 function install_display_output($output, $install_state) {
   drupal_page_header();
+
+  // Prevent install.php from being indexed when installed in a sub folder.
+  // robots.txt rules are not read if the site is within domain.com/subfolder
+  // resulting in /subfolder/install.php being found through search engines.
+  // When settings.php is writeable this can be used via an external database
+  // leading a malicious user to gain php access to the server.
+  $noindex_meta_tag = array(
+    '#tag' => 'meta',
+    '#attributes' => array(
+      'name' => 'robots',
+      'content' => 'noindex, nofollow',
+    ),
+  );
+  drupal_add_html_head($noindex_meta_tag, 'install_meta_robots');
+
   // Only show the task list if there is an active task; otherwise, the page
   // request has ended before tasks have even been started, so there is nothing
   // meaningful to show.
@@ -766,6 +781,15 @@ function install_system_module(&$install_state) {
   // Install system.module.
   drupal_install_system();
 
+  // Call file_ensure_htaccess() to ensure that all of Drupal's standard
+  // directories (e.g., the public and private files directories) have
+  // appropriate .htaccess files. These directories will have already been
+  // created by this point in the installer, since Drupal creates them during
+  // the install_verify_requirements() task. Note that we cannot call
+  // file_ensure_htaccess() any earlier than this, since it relies on
+  // system.module in order to work.
+  file_ensure_htaccess();
+
   // Enable the user module so that sessions can be recorded during the
   // upcoming bootstrap step.
   module_enable(array('user'), FALSE);
@@ -981,7 +1005,7 @@ function install_settings_form_submit($form, &$form_state) {
     'required' => TRUE,
   );
   $settings['drupal_hash_salt'] = array(
-    'value'    => drupal_hash_base64(drupal_random_bytes(55)),
+    'value'    => drupal_random_key(),
     'required' => TRUE,
   );
   drupal_rewrite_settings($settings);
diff --git a/includes/install.inc b/includes/install.inc
index 3631c36e..71de3e6c 100755
--- a/includes/install.inc
+++ b/includes/install.inc
@@ -1134,7 +1134,6 @@ function st($string, array $args = array(), array $options = array()) {
     }
   }
 
-  require_once DRUPAL_ROOT . '/includes/theme.inc';
   // Transform arguments before inserting them
   foreach ($args as $key => $value) {
     switch ($key[0]) {
diff --git a/includes/iso.inc b/includes/iso.inc
index 6c66c569..5cad329d 100755
--- a/includes/iso.inc
+++ b/includes/iso.inc
@@ -53,6 +53,7 @@ function _country_get_predefined_list() {
     'BM' => $t('Bermuda'),
     'BN' => $t('Brunei'),
     'BO' => $t('Bolivia'),
+    'BQ' => $t('Caribbean Netherlands'),
     'BR' => $t('Brazil'),
     'BS' => $t('Bahamas'),
     'BT' => $t('Bhutan'),
@@ -74,8 +75,8 @@ function _country_get_predefined_list() {
     'CO' => $t('Colombia'),
     'CR' => $t('Costa Rica'),
     'CU' => $t('Cuba'),
-    'CW' => $t('Curaçao'),
     'CV' => $t('Cape Verde'),
+    'CW' => $t('Curaçao'),
     'CX' => $t('Christmas Island'),
     'CY' => $t('Cyprus'),
     'CZ' => $t('Czech Republic'),
@@ -230,8 +231,10 @@ function _country_get_predefined_list() {
     'SN' => $t('Senegal'),
     'SO' => $t('Somalia'),
     'SR' => $t('Suriname'),
+    'SS' => $t('South Sudan'),
     'ST' => $t('Sao Tome and Principe'),
     'SV' => $t('El Salvador'),
+    'SX' => $t('Sint Maarten'),
     'SY' => $t('Syria'),
     'SZ' => $t('Swaziland'),
     'TC' => $t('Turks and Caicos Islands'),
diff --git a/includes/language.inc b/includes/language.inc
index ea63948d..803a6304 100755
--- a/includes/language.inc
+++ b/includes/language.inc
@@ -78,7 +78,7 @@ define('LANGUAGE_NEGOTIATION_DEFAULT', 'language-default');
  * function mymodule_language_negotiation_info_alter(&$negotiation_info) {
  *   // Replace the core function with our own function.
  *   module_load_include('language', 'inc', 'language.negotiation');
- *   $negotiation_info[LANGUAGE_NEGOTIATION_URL]['callbacks']['negotiation'] = 'mymodule_from_url';
+ *   $negotiation_info[LANGUAGE_NEGOTIATION_URL]['callbacks']['language'] = 'mymodule_from_url';
  *   $negotiation_info[LANGUAGE_NEGOTIATION_URL]['file'] = drupal_get_path('module', 'mymodule') . '/mymodule.module';
  * }
  *
@@ -94,7 +94,6 @@ define('LANGUAGE_NEGOTIATION_DEFAULT', 'language-default');
  *   }
  *   return $langcode;
  * }
- * ?>
  * @endcode
  *
  * For more information, see
@@ -314,7 +313,7 @@ function language_negotiation_get_switch_links($type, $path) {
 }
 
 /**
- * Removes any unused language negotation providers from the configuration.
+ * Removes any unused language negotiation providers from the configuration.
  */
 function language_negotiation_purge() {
   // Ensure that we are getting the defined language negotiation information. An
diff --git a/includes/mail.inc b/includes/mail.inc
index bbb55357..7a1d29ed 100755
--- a/includes/mail.inc
+++ b/includes/mail.inc
@@ -339,13 +339,13 @@ interface MailSystemInterface {
  *
  * We deliberately use LF rather than CRLF, see drupal_mail().
  *
- * @param $text
+ * @param string $text
  *   The plain text to process.
- * @param $indent (optional)
+ * @param string $indent (optional)
  *   A string to indent the text with. Only '>' characters are repeated on
  *   subsequent wrapped lines. Others are replaced by spaces.
  *
- * @return
+ * @return string
  *   The content of the email as a string with formatting applied.
  */
 function drupal_wrap_mail($text, $indent = '') {
@@ -356,8 +356,9 @@ function drupal_wrap_mail($text, $indent = '') {
   $soft = strpos($clean_indent, ' ') === FALSE;
   // Check if the string has line breaks.
   if (strpos($text, "\n") !== FALSE) {
-    // Remove trailing spaces to make existing breaks hard.
-    $text = preg_replace('/ +\n/m', "\n", $text);
+    // Remove trailing spaces to make existing breaks hard, but leave signature
+    // marker untouched (RFC 3676, Section 4.3).
+    $text = preg_replace('/(?(?<!^--) +\n|  +\n)/m', "\n", $text);
     // Wrap each line at the needed width.
     $lines = explode("\n", $text);
     array_walk($lines, '_drupal_wrap_mail_line', array('soft' => $soft, 'length' => strlen($indent)));
@@ -563,7 +564,7 @@ function drupal_html_to_text($string, $allowed_tags = NULL) {
  */
 function _drupal_wrap_mail_line(&$line, $key, $values) {
   // Use soft-breaks only for purely quoted or unindented text.
-  $line = wordwrap($line, 77 - $values['length'], $values['soft'] ? "  \n" : "\n");
+  $line = wordwrap($line, 77 - $values['length'], $values['soft'] ? " \n" : "\n");
   // Break really long words at the maximum width allowed.
   $line = wordwrap($line, 996 - $values['length'], $values['soft'] ? " \n" : "\n");
 }
diff --git a/includes/menu.inc b/includes/menu.inc
index a93ddad6..fa5a71e7 100755
--- a/includes/menu.inc
+++ b/includes/menu.inc
@@ -1000,7 +1000,7 @@ function menu_tree($menu_name) {
 }
 
 /**
- * Returns a rendered menu tree.
+ * Returns an output structure for rendering a menu tree.
  *
  * The menu item's LI element is given one of the following classes:
  * - expanded: The menu item is showing its submenu.
@@ -1926,13 +1926,21 @@ function menu_local_tasks($level = 0) {
     }
 
     // Get all tabs (also known as local tasks) and the root page.
-    $result = db_select('menu_router', NULL, array('fetch' => PDO::FETCH_ASSOC))
-      ->fields('menu_router')
-      ->condition('tab_root', $router_item['tab_root'])
-      ->condition('context', MENU_CONTEXT_INLINE, '<>')
-      ->orderBy('weight')
-      ->orderBy('title')
-      ->execute();
+    $cid = 'local_tasks:' . $router_item['tab_root'];
+    if ($cache = cache_get($cid, 'cache_menu')) {
+      $result = $cache->data;
+    }
+    else {
+      $result = db_select('menu_router', NULL, array('fetch' => PDO::FETCH_ASSOC))
+        ->fields('menu_router')
+        ->condition('tab_root', $router_item['tab_root'])
+        ->condition('context', MENU_CONTEXT_INLINE, '<>')
+        ->orderBy('weight')
+        ->orderBy('title')
+        ->execute()
+        ->fetchAll();
+      cache_set($cid, $result, 'cache_menu');
+    }
     $map = $router_item['original_map'];
     $children = array();
     $tasks = array();
diff --git a/includes/path.inc b/includes/path.inc
index 234430ea..2e357111 100755
--- a/includes/path.inc
+++ b/includes/path.inc
@@ -560,8 +560,8 @@ function drupal_valid_path($path, $dynamic_allowed = FALSE) {
   elseif ($dynamic_allowed && preg_match('/\/\%/', $path)) {
     // Path is dynamic (ie 'user/%'), so check directly against menu_router table.
     if ($item = db_query("SELECT * FROM {menu_router} where path = :path", array(':path' => $path))->fetchAssoc()) {
-      $item['link_path']  = $form_item['link_path'];
-      $item['link_title'] = $form_item['link_title'];
+      $item['link_path']  = $item['path'];
+      $item['link_title'] = $item['title'];
       $item['external']   = FALSE;
       $item['options'] = '';
       _menu_link_translate($item);
diff --git a/includes/registry.inc b/includes/registry.inc
index f6c81eb1..5fc76748 100755
--- a/includes/registry.inc
+++ b/includes/registry.inc
@@ -10,7 +10,7 @@
  * @{
  * The code registry engine.
  *
- * Drupal maintains an internal registry of all functions or classes in the
+ * Drupal maintains an internal registry of all interfaces or classes in the
  * system, allowing it to lazy-load code files as needed (reducing the amount
  * of code that must be parsed on each request).
  */
@@ -120,7 +120,10 @@ function registry_get_parsed_files() {
 }
 
 /**
- * Parse all files that have changed since the registry was last built, and save their function and class listings.
+ * Parse all changed files and save their interface and class listings.
+ *
+ * Parse all files that have changed since the registry was last built, and save
+ * their interface and class listings.
  *
  * @param $files
  *  The list of files to check and parse.
@@ -149,7 +152,7 @@ function _registry_parse_files($files) {
 }
 
 /**
- * Parse a file and save its function and class listings.
+ * Parse a file and save its interface and class listings.
  *
  * @param $filename
  *   Name of the file we are going to parse.
diff --git a/includes/session.inc b/includes/session.inc
index 16727df6..9589e06f 100755
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -263,10 +263,10 @@ function drupal_session_initialize() {
     // Less random sessions (which are much faster to generate) are used for
     // anonymous users than are generated in drupal_session_regenerate() when
     // a user becomes authenticated.
-    session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
+    session_id(drupal_random_key());
     if ($is_https && variable_get('https', FALSE)) {
       $insecure_session_name = substr(session_name(), 1);
-      $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
+      $session_id = drupal_random_key();
       $_COOKIE[$insecure_session_name] = $session_id;
     }
   }
@@ -360,7 +360,7 @@ function drupal_session_regenerate() {
       $old_insecure_session_id = $_COOKIE[$insecure_session_name];
     }
     $params = session_get_cookie_params();
-    $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
+    $session_id = drupal_random_key();
     // If a session cookie lifetime is set, the session will expire
     // $params['lifetime'] seconds from the current request. If it is not set,
     // it will expire when the browser is closed.
@@ -372,7 +372,7 @@ function drupal_session_regenerate() {
   if (drupal_session_started()) {
     $old_session_id = session_id();
   }
-  session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)));
+  session_id(drupal_random_key());
 
   if (isset($old_session_id)) {
     $params = session_get_cookie_params();
diff --git a/includes/stream_wrappers.inc b/includes/stream_wrappers.inc
index fa401c6b..48829388 100755
--- a/includes/stream_wrappers.inc
+++ b/includes/stream_wrappers.inc
@@ -93,7 +93,7 @@ define('STREAM_WRAPPERS_LOCAL_NORMAL', STREAM_WRAPPERS_LOCAL | STREAM_WRAPPERS_N
 /**
  * Generic PHP stream wrapper interface.
  *
- * @see http://www.php.net/manual/en/class.streamwrapper.php
+ * @see http://www.php.net/manual/class.streamwrapper.php
  */
 interface StreamWrapperInterface {
   public function stream_open($uri, $mode, $options, &$opened_url);
@@ -401,7 +401,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   Returns TRUE if file was opened successfully.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-open.php
+   * @see http://php.net/manual/streamwrapper.stream-open.php
    */
   public function stream_open($uri, $mode, $options, &$opened_path) {
     $this->uri = $uri;
@@ -429,7 +429,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   Always returns TRUE at the present time.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-lock.php
+   * @see http://php.net/manual/streamwrapper.stream-lock.php
    */
   public function stream_lock($operation) {
     if (in_array($operation, array(LOCK_SH, LOCK_EX, LOCK_UN, LOCK_NB))) {
@@ -448,7 +448,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   The string that was read, or FALSE in case of an error.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-read.php
+   * @see http://php.net/manual/streamwrapper.stream-read.php
    */
   public function stream_read($count) {
     return fread($this->handle, $count);
@@ -463,7 +463,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   The number of bytes written (integer).
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-write.php
+   * @see http://php.net/manual/streamwrapper.stream-write.php
    */
   public function stream_write($data) {
     return fwrite($this->handle, $data);
@@ -475,7 +475,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if end-of-file has been reached.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-eof.php
+   * @see http://php.net/manual/streamwrapper.stream-eof.php
    */
   public function stream_eof() {
     return feof($this->handle);
@@ -492,7 +492,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE on success.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-seek.php
+   * @see http://php.net/manual/streamwrapper.stream-seek.php
    */
   public function stream_seek($offset, $whence) {
     // fseek returns 0 on success and -1 on a failure.
@@ -506,7 +506,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if data was successfully stored (or there was no data to store).
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-flush.php
+   * @see http://php.net/manual/streamwrapper.stream-flush.php
    */
   public function stream_flush() {
     return fflush($this->handle);
@@ -518,7 +518,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   The current offset in bytes from the beginning of file.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-tell.php
+   * @see http://php.net/manual/streamwrapper.stream-tell.php
    */
   public function stream_tell() {
     return ftell($this->handle);
@@ -531,7 +531,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    *   An array with file status, or FALSE in case of an error - see fstat()
    *   for a description of this array.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-stat.php
+   * @see http://php.net/manual/streamwrapper.stream-stat.php
    */
   public function stream_stat() {
     return fstat($this->handle);
@@ -543,7 +543,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if stream was successfully closed.
    *
-   * @see http://php.net/manual/en/streamwrapper.stream-close.php
+   * @see http://php.net/manual/streamwrapper.stream-close.php
    */
   public function stream_close() {
     return fclose($this->handle);
@@ -558,7 +558,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if resource was successfully deleted.
    *
-   * @see http://php.net/manual/en/streamwrapper.unlink.php
+   * @see http://php.net/manual/streamwrapper.unlink.php
    */
   public function unlink($uri) {
     $this->uri = $uri;
@@ -576,7 +576,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if file was successfully renamed.
    *
-   * @see http://php.net/manual/en/streamwrapper.rename.php
+   * @see http://php.net/manual/streamwrapper.rename.php
    */
   public function rename($from_uri, $to_uri) {
     return rename($this->getLocalPath($from_uri), $this->getLocalPath($to_uri));
@@ -622,7 +622,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if directory was successfully created.
    *
-   * @see http://php.net/manual/en/streamwrapper.mkdir.php
+   * @see http://php.net/manual/streamwrapper.mkdir.php
    */
   public function mkdir($uri, $mode, $options) {
     $this->uri = $uri;
@@ -654,7 +654,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE if directory was successfully removed.
    *
-   * @see http://php.net/manual/en/streamwrapper.rmdir.php
+   * @see http://php.net/manual/streamwrapper.rmdir.php
    */
   public function rmdir($uri, $options) {
     $this->uri = $uri;
@@ -678,7 +678,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    *   An array with file status, or FALSE in case of an error - see fstat()
    *   for a description of this array.
    *
-   * @see http://php.net/manual/en/streamwrapper.url-stat.php
+   * @see http://php.net/manual/streamwrapper.url-stat.php
    */
   public function url_stat($uri, $flags) {
     $this->uri = $uri;
@@ -704,7 +704,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE on success.
    *
-   * @see http://php.net/manual/en/streamwrapper.dir-opendir.php
+   * @see http://php.net/manual/streamwrapper.dir-opendir.php
    */
   public function dir_opendir($uri, $options) {
     $this->uri = $uri;
@@ -719,7 +719,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   The next filename, or FALSE if there are no more files in the directory.
    *
-   * @see http://php.net/manual/en/streamwrapper.dir-readdir.php
+   * @see http://php.net/manual/streamwrapper.dir-readdir.php
    */
   public function dir_readdir() {
     return readdir($this->handle);
@@ -731,7 +731,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE on success.
    *
-   * @see http://php.net/manual/en/streamwrapper.dir-rewinddir.php
+   * @see http://php.net/manual/streamwrapper.dir-rewinddir.php
    */
   public function dir_rewinddir() {
     rewinddir($this->handle);
@@ -747,7 +747,7 @@ abstract class DrupalLocalStreamWrapper implements DrupalStreamWrapperInterface
    * @return
    *   TRUE on success.
    *
-   * @see http://php.net/manual/en/streamwrapper.dir-closedir.php
+   * @see http://php.net/manual/streamwrapper.dir-closedir.php
    */
   public function dir_closedir() {
     closedir($this->handle);
@@ -788,8 +788,6 @@ class DrupalPublicStreamWrapper extends DrupalLocalStreamWrapper {
  *
  * Provides support for storing privately accessible files with the Drupal file
  * interface.
- *
- * Extends DrupalPublicStreamWrapper.
  */
 class DrupalPrivateStreamWrapper extends DrupalLocalStreamWrapper {
   /**
diff --git a/misc/ajax.js b/misc/ajax.js
index 90c3bb8b..29483b49 100755
--- a/misc/ajax.js
+++ b/misc/ajax.js
@@ -616,6 +616,13 @@ Drupal.ajax.prototype.commands = {
       .removeClass('odd even')
       .filter(':even').addClass('odd').end()
       .filter(':odd').addClass('even');
+  },
+
+  /**
+   * Command to update a form's build ID.
+   */
+  updateBuildId: function(ajax, response, status) {
+    $('input[name="form_build_id"][value="' + response['old'] + '"]').val(response['new']);
   }
 };
 
diff --git a/misc/states.js b/misc/states.js
index 4b4f1d51..6d98da81 100755
--- a/misc/states.js
+++ b/misc/states.js
@@ -373,7 +373,7 @@ states.Trigger.states = {
 
   checked: {
     'change': function () {
-      return this.attr('checked');
+      return this.is(':checked');
     }
   },
 
diff --git a/modules/aggregator/aggregator.info b/modules/aggregator/aggregator.info
index 1bc261b6..57ae3139 100755
--- a/modules/aggregator/aggregator.info
+++ b/modules/aggregator/aggregator.info
@@ -7,8 +7,8 @@ files[] = aggregator.test
 configure = admin/config/services/aggregator/settings
 stylesheets[all][] = aggregator.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/aggregator/aggregator.install b/modules/aggregator/aggregator.install
index b84556a9..d6cc0392 100755
--- a/modules/aggregator/aggregator.install
+++ b/modules/aggregator/aggregator.install
@@ -260,6 +260,7 @@ function aggregator_schema() {
     'primary key' => array('iid'),
     'indexes' => array(
       'fid' => array('fid'),
+      'timestamp' => array('timestamp'),
     ),
     'foreign keys' => array(
       'aggregator_feed' => array(
@@ -325,6 +326,15 @@ function aggregator_update_7003() {
   db_add_index('aggregator_feed', 'url', array(array('url', 255)));
 }
 
+/**
+ * Add index on timestamp.
+ */
+function aggregator_update_7004() {
+  if (!db_index_exists('aggregator_item', 'timestamp')) {
+    db_add_index('aggregator_item', 'timestamp', array('timestamp'));
+  }
+}
+
 /**
  * @} End of "addtogroup updates-7.x-extra"
  */
diff --git a/modules/aggregator/aggregator.test b/modules/aggregator/aggregator.test
index 8b95d6e3..d84ee785 100755
--- a/modules/aggregator/aggregator.test
+++ b/modules/aggregator/aggregator.test
@@ -288,6 +288,10 @@ EOF;
     return $GLOBALS['base_url'] . '/' . drupal_get_path('module', 'aggregator') . '/tests/aggregator_test_atom.xml';
   }
 
+  function getHtmlEntitiesSample() {
+    return $GLOBALS['base_url'] . '/' . drupal_get_path('module', 'aggregator') . '/tests/aggregator_test_title_entities.xml';
+  }
+
   /**
    * Creates sample article nodes.
    *
@@ -931,7 +935,7 @@ class AggregatorRenderingTestCase extends AggregatorTestCase {
     // up.
     $feed->block = 0;
     aggregator_save_feed((array) $feed);
-    // It is nescessary to flush the cache after saving the number of items.
+    // It is necessary to flush the cache after saving the number of items.
     drupal_flush_all_caches();
     // Check that the block is no longer displayed.
     $this->drupalGet('node');
@@ -1016,4 +1020,15 @@ class FeedParserTestCase extends AggregatorTestCase {
     $this->assertText('Some text.');
     $this->assertEqual('urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a', db_query('SELECT guid FROM {aggregator_item} WHERE link = :link', array(':link' => 'http://example.org/2003/12/13/atom03'))->fetchField(), 'Atom entry id element is parsed correctly.');
   }
+
+  /**
+   * Tests a feed that uses HTML entities in item titles.
+   */
+  function testHtmlEntitiesSample() {
+    $feed = $this->createFeed($this->getHtmlEntitiesSample());
+    aggregator_refresh($feed);
+    $this->drupalGet('aggregator/sources/' . $feed->fid);
+    $this->assertResponse(200, format_string('Feed %name exists.', array('%name' => $feed->title)));
+    $this->assertRaw("Quote&quot; Amp&amp;");
+  }
 }
diff --git a/modules/aggregator/tests/aggregator_test.info b/modules/aggregator/tests/aggregator_test.info
index 40a97034..53c583c7 100755
--- a/modules/aggregator/tests/aggregator_test.info
+++ b/modules/aggregator/tests/aggregator_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/aggregator/tests/aggregator_test_title_entities.xml b/modules/aggregator/tests/aggregator_test_title_entities.xml
new file mode 100644
index 00000000..e526e441
--- /dev/null
+++ b/modules/aggregator/tests/aggregator_test_title_entities.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<rss version="0.91">
+  <channel>
+    <title>Example with Entities</title>
+    <link>http://example.com</link>
+    <description>Example RSS Feed With HTML Entities in Title</description>
+    <language>en-us</language>
+    <item>
+      <title>Quote&quot; Amp&amp;</title>
+      <link>http://example.com/example-turns-one</link>
+      <description>Some text.</description>
+    </item>
+  </channel>
+</rss>
diff --git a/modules/block/block.api.php b/modules/block/block.api.php
index 312eb11f..d7453b24 100755
--- a/modules/block/block.api.php
+++ b/modules/block/block.api.php
@@ -87,13 +87,13 @@
  *     and any value provided can be modified by a user on the block
  *     configuration screen.
  *   - pages: (optional) See 'visibility' above. A string that contains one or
- *     more page paths separated by '\n', '\r', or '\r\n' when 'visibility' is
- *     set to BLOCK_VISIBILITY_NOTLISTED or BLOCK_VISIBILITY_LISTED, or custom
- *     PHP code when 'visibility' is set to BLOCK_VISIBILITY_PHP. Paths may use
- *     '*' as a wildcard (matching any number of characters); '<front>'
- *     designates the site's front page. For BLOCK_VISIBILITY_PHP, the PHP
- *     code's return value should be TRUE if the block is to be made visible or
- *     FALSE if the block should not be visible.
+ *     more page paths separated by "\n", "\r", or "\r\n" when 'visibility' is
+ *     set to BLOCK_VISIBILITY_NOTLISTED or BLOCK_VISIBILITY_LISTED (example:
+ *     "<front>\nnode/1"), or custom PHP code when 'visibility' is set to
+ *     BLOCK_VISIBILITY_PHP. Paths may use '*' as a wildcard (matching any
+ *     number of characters); '<front>' designates the site's front page. For
+ *     BLOCK_VISIBILITY_PHP, the PHP code's return value should be TRUE if the
+ *     block is to be made visible or FALSE if the block should not be visible.
  *
  * For a detailed usage example, see block_example.module.
  *
@@ -200,11 +200,13 @@ function hook_block_save($delta = '', $edit = array()) {
  *   within the module, defined in hook_block_info().
  *
  * @return
- *   An array containing the following elements:
+ *   Either an empty array so the block will not be shown or an array containing
+ *   the following elements:
  *   - subject: The default localized title of the block. If the block does not
  *     have a default title, this should be set to NULL.
  *   - content: The content of the block's body. This may be a renderable array
- *     (preferable) or a string containing rendered HTML content.
+ *     (preferable) or a string containing rendered HTML content. If the content
+ *     is empty the block will not be shown.
  *
  * For a detailed usage example, see block_example.module.
  *
@@ -253,8 +255,9 @@ function hook_block_view($delta = '') {
  * specific block.
  *
  * @param $data
- *   An array of data, as returned from the hook_block_view() implementation of
- *   the module that defined the block:
+ *   The data as returned from the hook_block_view() implementation of the
+ *   module that defined the block. This could be an empty array or NULL value
+ *   (if the block is empty) or an array containing:
  *   - subject: The default localized title of the block.
  *   - content: Either a string or a renderable array representing the content
  *     of the block. You should check that the content is an array before trying
@@ -287,8 +290,9 @@ function hook_block_view_alter(&$data, $block) {
  * specific block, rather than implementing hook_block_view_alter().
  *
  * @param $data
- *   An array of data, as returned from the hook_block_view() implementation of
- *   the module that defined the block:
+ *   The data as returned from the hook_block_view() implementation of the
+ *   module that defined the block. This could be an empty array or NULL value
+ *   (if the block is empty) or an array containing:
  *   - subject: The localized title of the block.
  *   - content: Either a string or a renderable array representing the content
  *     of the block. You should check that the content is an array before trying
diff --git a/modules/block/block.info b/modules/block/block.info
index 08f7165b..571b335a 100755
--- a/modules/block/block.info
+++ b/modules/block/block.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = block.test
 configure = admin/structure/block
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/block/block.module b/modules/block/block.module
index 3a988de2..2977ca88 100755
--- a/modules/block/block.module
+++ b/modules/block/block.module
@@ -401,23 +401,27 @@ function _block_rehash($theme = NULL) {
   }
   // Save the blocks defined in code for alter context.
   $code_blocks = $current_blocks;
-  $database_blocks = db_select('block', 'b')
+  $database_blocks = db_select('block', 'b', array('fetch' => PDO::FETCH_ASSOC))
     ->fields('b')
     ->condition($or)
     ->condition('theme', $theme)
     ->execute();
+  $original_database_blocks = array();
   foreach ($database_blocks as $block) {
-    // Preserve info which is not in the database.
-    $block->info = $current_blocks[$block->module][$block->delta]['info'];
+    $module = $block['module'];
+    $delta = $block['delta'];
+    $original_database_blocks[$module][$delta] = $block;
     // The cache mode can only by set from hook_block_info(), so that has
     // precedence over the database's value.
-    if (isset($current_blocks[$block->module][$block->delta]['cache'])) {
-      $block->cache = $current_blocks[$block->module][$block->delta]['cache'];
+    if (isset($current_blocks[$module][$delta]['cache'])) {
+      $block['cache'] = $current_blocks[$module][$delta]['cache'];
     }
+    // Preserve info which is not in the database.
+    $block['info'] = $current_blocks[$module][$delta]['info'];
     // Blocks stored in the database override the blocks defined in code.
-    $current_blocks[$block->module][$block->delta] = get_object_vars($block);
+    $current_blocks[$module][$delta] = $block;
     // Preserve this block.
-    $bids[$block->bid] = $block->bid;
+    $bids[$block['bid']] = $block['bid'];
   }
   drupal_alter('block_info', $current_blocks, $theme, $code_blocks);
   foreach ($current_blocks as $module => $module_blocks) {
@@ -456,7 +460,15 @@ function _block_rehash($theme = NULL) {
       else {
         $primary_keys = array();
       }
-      drupal_write_record('block', $block, $primary_keys);
+      // If the block is new or differs from the original database block, save
+      // it. To determine whether there was a change it is enough to examine
+      // the values for the keys in the original database record as that
+      // contained every database field.
+      if (!$primary_keys || array_diff_assoc($original_database_blocks[$module][$delta], $block)) {
+        drupal_write_record('block', $block, $primary_keys);
+        // Make it possible to test this.
+        $block['saved'] = TRUE;
+      }
       // Add to the list of blocks we return.
       $blocks[] = $block;
     }
@@ -880,9 +892,11 @@ function _block_render_blocks($region_blocks) {
       else {
         $array = module_invoke($block->module, 'block_view', $block->delta);
 
+        // Valid PHP function names cannot contain hyphens.
+        $delta = str_replace('-', '_', $block->delta);
         // Allow modules to modify the block before it is viewed, via either
         // hook_block_view_alter() or hook_block_view_MODULE_DELTA_alter().
-        drupal_alter(array('block_view', "block_view_{$block->module}_{$block->delta}"), $array, $block);
+        drupal_alter(array('block_view', "block_view_{$block->module}_{$delta}"), $array, $block);
 
         if (isset($cid)) {
           cache_set($cid, $array, 'cache_block', CACHE_TEMPORARY);
diff --git a/modules/block/block.test b/modules/block/block.test
index 11d07099..99c81dc6 100755
--- a/modules/block/block.test
+++ b/modules/block/block.test
@@ -193,7 +193,7 @@ class BlockTestCase extends DrupalWebTestCase {
   }
 
   /**
-   * Test block visibility when using "pages" restriction but leaving 
+   * Test block visibility when using "pages" restriction but leaving
    * "pages" textarea empty
    */
   function testBlockVisibilityListedEmpty() {
@@ -752,6 +752,48 @@ class BlockTemplateSuggestionsUnitTest extends DrupalUnitTestCase {
   }
 }
 
+/**
+ * Tests for hook_block_view_MODULE_DELTA_alter().
+ */
+class BlockViewModuleDeltaAlterWebTest extends DrupalWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Block view module delta alter',
+      'description' => 'Test the hook_block_view_MODULE_DELTA_alter() hook.',
+      'group' => 'Block',
+    );
+  }
+
+  public function setUp() {
+    parent::setUp(array('block_test'));
+  }
+
+  /**
+   * Tests that the alter hook is called, even if the delta contains a hyphen.
+   */
+  public function testBlockViewModuleDeltaAlter() {
+    $block = new stdClass;
+    $block->module = 'block_test';
+    $block->delta = 'test_underscore';
+    $block->title = '';
+    $render_array = _block_render_blocks(array('region' => $block));
+    $render = array_pop($render_array);
+    $test_underscore = $render->content['#markup'];
+    $this->assertEqual($test_underscore, 'hook_block_view_MODULE_DELTA_alter', 'Found expected altered block content for delta with underscore');
+
+    $block = new stdClass;
+    $block->module = 'block_test';
+    $block->delta = 'test-hyphen';
+    $block->title = '';
+    $render_array = _block_render_blocks(array('region' => $block));
+    $render = array_pop($render_array);
+    $test_hyphen = $render->content['#markup'];
+    $this->assertEqual($test_hyphen, 'hook_block_view_MODULE_DELTA_alter', 'Hyphens (-) in block delta were replaced by underscore (_)');
+  }
+
+}
+
 /**
  * Tests that hidden regions do not inherit blocks when a theme is enabled.
  */
@@ -857,3 +899,81 @@ class BlockInvalidRegionTestCase extends DrupalWebTestCase {
     $this->assertNoRaw($warning_message, 'Disabled block in the invalid region will not trigger the warning.');
   }
 }
+
+/**
+ * Tests that block rehashing works correctly.
+ */
+class BlockHashTestCase extends DrupalWebTestCase {
+  public static function getInfo() {
+    return array(
+      'name' => 'Block rehash',
+      'description' => 'Checks _block_rehash() functionality.',
+      'group' => 'Block',
+    );
+  }
+
+  function setUp() {
+    parent::setUp(array('block'));
+  }
+
+  /**
+   * Tests that block rehashing does not write to the database too often.
+   */
+  function testBlockRehash() {
+    // No hook_block_info_alter(), no save.
+    $this->doRehash();
+    module_enable(array('block_test'), FALSE);
+    // Save the new blocks, check that the new blocks exist by checking weight.
+    _block_rehash();
+    $this->assertWeight(0);
+    // Now hook_block_info_alter() exists but no blocks are saved on a second
+    // rehash.
+    $this->doRehash();
+    $this->assertWeight(0);
+    // Now hook_block_info_alter() exists and is changing one block which
+    // should be saved.
+    $GLOBALS['conf']['block_test_info_alter'] = 1;
+    $this->doRehash(TRUE);
+    $this->assertWeight(10000);
+    // Now hook_block_info_alter() exists but already changed the block's
+    // weight before, so it should not be saved again.
+    $this->doRehash();
+    $this->assertWeight(10000);
+  }
+
+  /**
+   * Performs a block rehash and checks several related assertions.
+   *
+   * @param $alter_active
+   *   Set to TRUE if the block_test module's hook_block_info_alter()
+   *   implementation is expected to make a change that results in an existing
+   *   block needing to be resaved to the database. Defaults to FALSE.
+   */
+  function doRehash($alter_active = FALSE) {
+    $saves = 0;
+    foreach (_block_rehash() as $block) {
+      $module = $block['module'];
+      $delta = $block['delta'];
+      if ($alter_active && $module == 'block_test' && $delta == 'test_html_id') {
+        $this->assertFalse(empty($block['saved']), "$module $delta saved");
+        $saves++;
+      }
+      else {
+        $this->assertTrue(empty($block['saved']), "$module $delta not saved");
+      }
+    }
+    $this->assertEqual($alter_active, $saves);
+  }
+
+  /**
+   * Asserts that the block_test module's block has a given weight.
+   *
+   * @param $weight
+   *   The expected weight.
+   */
+  function assertWeight($weight) {
+    $db_weight = db_query('SELECT weight FROM {block} WHERE module = :module AND delta = :delta', array(':module' => 'block_test', ':delta' => 'test_html_id'))->fetchField();
+    // By casting to string the assert fails on FALSE.
+    $this->assertIdentical((string) $db_weight, (string) $weight);
+  }
+}
diff --git a/modules/block/tests/block_test.info b/modules/block/tests/block_test.info
index ec20b09a..759ecbe9 100755
--- a/modules/block/tests/block_test.info
+++ b/modules/block/tests/block_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/block/tests/block_test.module b/modules/block/tests/block_test.module
index 5e06d5cf..e7ed09b2 100755
--- a/modules/block/tests/block_test.module
+++ b/modules/block/tests/block_test.module
@@ -22,6 +22,14 @@ function block_test_block_info() {
     'cache' => variable_get('block_test_caching', DRUPAL_CACHE_PER_ROLE),
   );
 
+  $blocks['test_underscore'] = array(
+    'info' => t('Test underscore'),
+  );
+
+  $blocks['test-hyphen'] = array(
+    'info' => t('Test hyphen'),
+  );
+
   $blocks['test_html_id'] = array(
     'info' => t('Test block html id'),
   );
@@ -34,3 +42,26 @@ function block_test_block_info() {
 function block_test_block_view($delta = 0) {
   return array('content' => variable_get('block_test_content', ''));
 }
+
+/**
+ * Implements hook_block_view_MODULE_DELTA_alter().
+ */
+function block_test_block_view_block_test_test_underscore_alter(&$data, $block) {
+  $data['content'] = 'hook_block_view_MODULE_DELTA_alter';
+}
+
+/**
+ * Implements hook_block_view_MODULE_DELTA_alter().
+ */
+function block_test_block_view_block_test_test_hyphen_alter(&$data, $block) {
+  $data['content'] = 'hook_block_view_MODULE_DELTA_alter';
+}
+
+/**
+ * Implements hook_block_info_alter().
+ */
+function block_test_block_info_alter(&$blocks) {
+  if (variable_get('block_test_info_alter')) {
+    $blocks['block_test']['test_html_id']['weight'] = 10000;
+  }
+}
diff --git a/modules/block/tests/themes/block_test_theme/block_test_theme.info b/modules/block/tests/themes/block_test_theme/block_test_theme.info
index 3a754800..36a43c21 100755
--- a/modules/block/tests/themes/block_test_theme/block_test_theme.info
+++ b/modules/block/tests/themes/block_test_theme/block_test_theme.info
@@ -13,8 +13,8 @@ regions[footer] = Footer
 regions[highlighted] = Highlighted
 regions[help] = Help
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/blog/blog.info b/modules/blog/blog.info
index 6ef427a1..ae262016 100755
--- a/modules/blog/blog.info
+++ b/modules/blog/blog.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = blog.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/blog/blog.test b/modules/blog/blog.test
index 6ff66a2a..b9172945 100755
--- a/modules/blog/blog.test
+++ b/modules/blog/blog.test
@@ -42,8 +42,8 @@ class BlogTestCase extends DrupalWebTestCase {
 
     $this->drupalGet('blog/' . $this->big_user->uid);
     $this->assertResponse(200);
-    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->big_user))) . ' | Drupal', t('Blog title was displayed'));
-    $this->assertText(t('You are not allowed to post a new blog entry.'), t('No new entries can be posted without the right permission'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->big_user))) . ' | Drupal', 'Blog title was displayed');
+    $this->assertText(t('You are not allowed to post a new blog entry.'), 'No new entries can be posted without the right permission');
   }
 
   /**
@@ -54,8 +54,8 @@ class BlogTestCase extends DrupalWebTestCase {
 
     $this->drupalGet('blog/' . $this->own_user->uid);
     $this->assertResponse(200);
-    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->own_user))) . ' | Drupal', t('Blog title was displayed'));
-    $this->assertText(t('@author has not created any blog entries.', array('@author' => format_username($this->own_user))), t('Users blog displayed with no entries'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($this->own_user))) . ' | Drupal', 'Blog title was displayed');
+    $this->assertText(t('@author has not created any blog entries.', array('@author' => format_username($this->own_user))), 'Users blog displayed with no entries');
   }
 
   /**
@@ -73,7 +73,7 @@ class BlogTestCase extends DrupalWebTestCase {
     $edit = array();
     $edit['blog_block_count'] = 5;
     $this->drupalPost('admin/structure/block/manage/blog/recent/configure', $edit, t('Save block'));
-    $this->assertEqual(variable_get('blog_block_count', 10), 5, t('Number of recent blog posts changed.'));
+    $this->assertEqual(variable_get('blog_block_count', 10), 5, 'Number of recent blog posts changed.');
 
     // Do basic tests for each user.
     $this->doBasicTests($this->any_user, TRUE);
@@ -132,31 +132,31 @@ class BlogTestCase extends DrupalWebTestCase {
     $this->drupalGet('admin/help/blog');
     $this->assertResponse($response2);
     if ($response2 == 200) {
-      $this->assertTitle(t('Blog | Drupal'), t('Blog help node was displayed'));
-      $this->assertText(t('Blog'), t('Blog help node was displayed'));
+      $this->assertTitle(t('Blog | Drupal'), 'Blog help node was displayed');
+      $this->assertText(t('Blog'), 'Blog help node was displayed');
     }
 
     // Verify the blog block was displayed.
     $this->drupalGet('');
     $this->assertResponse(200);
-    $this->assertText(t('Recent blog posts'), t('Blog block was displayed'));
+    $this->assertText(t('Recent blog posts'), 'Blog block was displayed');
 
     // View blog node.
     $this->drupalGet('node/' . $node->nid);
     $this->assertResponse(200);
-    $this->assertTitle($node->title . ' | Drupal', t('Blog node was displayed'));
+    $this->assertTitle($node->title . ' | Drupal', 'Blog node was displayed');
     $breadcrumb = array(
       l(t('Home'), NULL),
       l(t('Blogs'), 'blog'),
       l(t("!name's blog", array('!name' => format_username($node_user))), 'blog/' . $node_user->uid),
     );
-    $this->assertRaw(theme('breadcrumb', array('breadcrumb' => $breadcrumb)), t('Breadcrumbs were displayed'));
+    $this->assertRaw(theme('breadcrumb', array('breadcrumb' => $breadcrumb)), 'Breadcrumbs were displayed');
 
     // View blog edit node.
     $this->drupalGet('node/' . $node->nid . '/edit');
     $this->assertResponse($response);
     if ($response == 200) {
-      $this->assertTitle('Edit Blog entry ' . $node->title . ' | Drupal', t('Blog edit node was displayed'));
+      $this->assertTitle('Edit Blog entry ' . $node->title . ' | Drupal', 'Blog edit node was displayed');
     }
 
     if ($response == 200) {
@@ -166,12 +166,12 @@ class BlogTestCase extends DrupalWebTestCase {
       $edit["title"] = 'node/' . $node->nid;
       $edit["body[$langcode][0][value]"] = $this->randomName(256);
       $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
-      $this->assertRaw(t('Blog entry %title has been updated.', array('%title' => $edit["title"])), t('Blog node was edited'));
+      $this->assertRaw(t('Blog entry %title has been updated.', array('%title' => $edit["title"])), 'Blog node was edited');
 
       // Delete blog node.
       $this->drupalPost('node/' . $node->nid . '/delete', array(), t('Delete'));
       $this->assertResponse($response);
-      $this->assertRaw(t('Blog entry %title has been deleted.', array('%title' => $edit["title"])), t('Blog node was deleted'));
+      $this->assertRaw(t('Blog entry %title has been deleted.', array('%title' => $edit["title"])), 'Blog node was deleted');
     }
   }
 
@@ -185,29 +185,29 @@ class BlogTestCase extends DrupalWebTestCase {
     // Confirm blog entries link exists on the user page.
     $this->drupalGet('user/' . $user->uid);
     $this->assertResponse(200);
-    $this->assertText(t('View recent blog entries'), t('View recent blog entries link was displayed'));
+    $this->assertText(t('View recent blog entries'), 'View recent blog entries link was displayed');
 
     // Confirm the recent blog entries link goes to the user's blog page.
     $this->clickLink('View recent blog entries');
-    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), t('View recent blog entries link target was correct'));
+    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), 'View recent blog entries link target was correct');
 
     // Confirm a blog page was displayed.
     $this->drupalGet('blog');
     $this->assertResponse(200);
-    $this->assertTitle('Blogs | Drupal', t('Blog page was displayed'));
-    $this->assertText(t('Home'), t('Breadcrumbs were displayed'));
+    $this->assertTitle('Blogs | Drupal', 'Blog page was displayed');
+    $this->assertText(t('Home'), 'Breadcrumbs were displayed');
     $this->assertLink(t('Create new blog entry'));
 
     // Confirm a blog page was displayed per user.
     $this->drupalGet('blog/' . $user->uid);
-    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), t('User blog node was displayed'));
+    $this->assertTitle(t("@name's blog | Drupal", array('@name' => format_username($user))), 'User blog node was displayed');
 
     // Confirm a blog feed was displayed.
     $this->drupalGet('blog/feed');
-    $this->assertTitle(t('Drupal blogs'), t('Blog feed was displayed'));
+    $this->assertTitle(t('Drupal blogs'), 'Blog feed was displayed');
 
     // Confirm a blog feed was displayed per user.
     $this->drupalGet('blog/' . $user->uid . '/feed');
-    $this->assertTitle(t("@name's blog", array('@name' => format_username($user))), t('User blog feed was displayed'));
+    $this->assertTitle(t("@name's blog", array('@name' => format_username($user))), 'User blog feed was displayed');
   }
 }
diff --git a/modules/book/book.info b/modules/book/book.info
index 45e3b2a3..297366b7 100755
--- a/modules/book/book.info
+++ b/modules/book/book.info
@@ -7,8 +7,8 @@ files[] = book.test
 configure = admin/content/book/settings
 stylesheets[all][] = book.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/color/color.info b/modules/color/color.info
index 6b393ea5..0c35d986 100755
--- a/modules/color/color.info
+++ b/modules/color/color.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = color.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/color/color.module b/modules/color/color.module
index 53c54fbf..5b441aab 100755
--- a/modules/color/color.module
+++ b/modules/color/color.module
@@ -240,6 +240,7 @@ function color_scheme_form($complete_form, &$form_state, $theme) {
       $form['palette'][$name] = array(
         '#type' => 'textfield',
         '#title' => check_plain($names[$name]),
+        '#value_callback' => 'color_palette_color_value',
         '#default_value' => $value,
         '#size' => 8,
       );
@@ -294,6 +295,52 @@ function theme_color_scheme_form($variables) {
   return $output;
 }
 
+/**
+ * Determines the value for a palette color field.
+ *
+ * @param $element
+ *   The form element whose value is being populated.
+ * @param $input
+ *   The incoming input to populate the form element. If this is FALSE,
+ *   the element's default value should be returned.
+ * @param $form_state
+ *   A keyed array containing the current state of the form.
+ *
+ * @return
+ *   The data that will appear in the $form_state['values'] collection for this
+ *   element. Return nothing to use the default.
+ */
+function color_palette_color_value($element, $input = FALSE, $form_state = array()) {
+  // If we suspect a possible cross-site request forgery attack, only accept
+  // hexadecimal CSS color strings from user input, to avoid problems when this
+  // value is used in the JavaScript preview.
+  if ($input !== FALSE) {
+    // Start with the provided value for this textfield, and validate that if
+    // necessary, falling back on the default value.
+    $value = form_type_textfield_value($element, $input, $form_state);
+    if (!$value || !isset($form_state['complete form']['#token']) || color_valid_hexadecimal_string($value) || drupal_valid_token($form_state['values']['form_token'], $form_state['complete form']['#token'])) {
+      return $value;
+    }
+    else {
+      return $element['#default_value'];
+    }
+  }
+}
+
+/**
+ * Determines if a hexadecimal CSS color string is valid.
+ *
+ * @param $color
+ *   The string to check.
+ *
+ * @return
+ *   TRUE if the string is a valid hexadecimal CSS color string, or FALSE if it
+ *   isn't.
+ */
+function color_valid_hexadecimal_string($color) {
+  return preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color);
+}
+
 /**
  * Form validation handler for color_scheme_form().
  *
@@ -302,7 +349,7 @@ function theme_color_scheme_form($variables) {
 function color_scheme_form_validate($form, &$form_state) {
   // Only accept hexadecimal CSS color strings to avoid XSS upon use.
   foreach ($form_state['values']['palette'] as $key => $color) {
-    if (!preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $color)) {
+    if (!color_valid_hexadecimal_string($color)) {
       form_set_error('palette][' . $key, t('%name must be a valid hexadecimal CSS color value.', array('%name' => $form['color']['palette'][$key]['#title'])));
     }
   }
diff --git a/modules/comment/comment.info b/modules/comment/comment.info
index 09aff8ac..7c344ac0 100755
--- a/modules/comment/comment.info
+++ b/modules/comment/comment.info
@@ -9,8 +9,8 @@ files[] = comment.test
 configure = admin/content/comment
 stylesheets[all][] = comment.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index a83069f6..3c942002 100755
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -490,7 +490,7 @@ function comment_permalink($cid) {
     // Return the node view, this will show the correct comment in context.
     return menu_execute_active_handler('node/' . $node->nid, FALSE);
   }
-  drupal_not_found();
+  return MENU_NOT_FOUND;
 }
 
 /**
@@ -2304,7 +2304,7 @@ function template_preprocess_comment(&$variables) {
   $variables['signature'] = $comment->signature;
 
   $uri = entity_uri('comment', $comment);
-  $uri['options'] += array('attributes' => array('class' => 'permalink', 'rel' => 'bookmark'));
+  $uri['options'] += array('attributes' => array('class' => array('permalink'), 'rel' => 'bookmark'));
 
   $variables['title']     = l($comment->subject, $uri['path'], $uri['options']);
   $variables['permalink'] = l(t('Permalink'), $uri['path'], $uri['options']);
diff --git a/modules/comment/comment.test b/modules/comment/comment.test
index 30bff714..9e69ba62 100755
--- a/modules/comment/comment.test
+++ b/modules/comment/comment.test
@@ -155,7 +155,7 @@ class CommentHelperCase extends DrupalWebTestCase {
         $mode_text = 'required';
         break;
     }
-    $this->setCommentSettings('comment_preview', $mode, 'Comment preview ' . $mode_text . '.');
+    $this->setCommentSettings('comment_preview', $mode, format_string('Comment preview @mode_text.', array('@mode_text' => $mode_text)));
   }
 
   /**
@@ -175,7 +175,7 @@ class CommentHelperCase extends DrupalWebTestCase {
    *   Anonymous level.
    */
   function setCommentAnonymous($level) {
-    $this->setCommentSettings('comment_anonymous', $level, 'Anonymous commenting set to level ' . $level . '.');
+    $this->setCommentSettings('comment_anonymous', $level, format_string('Anonymous commenting set to level @level.', array('@level' => $level)));
   }
 
   /**
@@ -185,7 +185,7 @@ class CommentHelperCase extends DrupalWebTestCase {
    *   Comments per page value.
    */
   function setCommentsPerPage($number) {
-    $this->setCommentSettings('comment_default_per_page', $number, 'Number of comments per page set to ' . $number . '.');
+    $this->setCommentSettings('comment_default_per_page', $number, format_string('Number of comments per page set to @number.', array('@number' => $number)));
   }
 
   /**
@@ -201,7 +201,7 @@ class CommentHelperCase extends DrupalWebTestCase {
   function setCommentSettings($name, $value, $message) {
     variable_set($name . '_article', $value);
     // Display status message.
-    $this->assertTrue(TRUE, $message);
+    $this->pass($message);
   }
 
   /**
@@ -273,7 +273,7 @@ class CommentInterfaceTest extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_DISABLED);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(FALSE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
     $this->drupalLogout();
 
     // Post comment #1 without subject or preview.
@@ -583,7 +583,7 @@ class CommentInterfaceTest extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_DISABLED);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(FALSE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
     $this->drupalLogout();
 
     // Creates a second user to post comments.
@@ -954,7 +954,7 @@ class CommentPreviewTest extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_OPTIONAL);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(TRUE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
     $this->drupalLogout();
 
     // Login as web user and add a signature and a user picture.
@@ -1000,7 +1000,7 @@ class CommentPreviewTest extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_OPTIONAL);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(TRUE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
 
     $edit = array();
     $edit['subject'] = $this->randomName(8);
@@ -1238,7 +1238,7 @@ class CommentPagerTest extends CommentHelperCase {
     $comments[] = $this->postComment($node, $this->randomName(), $this->randomName(), TRUE);
     $comments[] = $this->postComment($node, $this->randomName(), $this->randomName(), TRUE);
 
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, 'Comment paging changed.');
 
     // Set comments to one per page so that we are able to test paging without
     // needing to insert large numbers of comments.
@@ -1279,7 +1279,7 @@ class CommentPagerTest extends CommentHelperCase {
     // If we switch to threaded mode, the replies on the oldest comment
     // should be bumped to the first page and comment 6 should be bumped
     // to the second page.
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Switched to threaded mode.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Switched to threaded mode.');
     $this->drupalGet('node/' . $node->nid, array('query' => array('page' => 0)));
     $this->assertTrue($this->commentExists($reply, TRUE), 'In threaded mode, reply appears on page 1.');
     $this->assertFalse($this->commentExists($comments[1]), 'In threaded mode, comment 2 has been bumped off of page 1.');
@@ -1339,7 +1339,7 @@ class CommentPagerTest extends CommentHelperCase {
     // - 2
     //   - 5
 
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, 'Comment paging changed.');
 
     $expected_order = array(
       0,
@@ -1353,7 +1353,7 @@ class CommentPagerTest extends CommentHelperCase {
     $this->drupalGet('node/' . $node->nid);
     $this->assertCommentOrder($comments, $expected_order);
 
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Switched to threaded mode.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Switched to threaded mode.');
 
     $expected_order = array(
       0,
@@ -1435,7 +1435,7 @@ class CommentPagerTest extends CommentHelperCase {
     // - 2
     //   - 5
 
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_FLAT, 'Comment paging changed.');
 
     $expected_pages = array(
       1 => 5, // Page of comment 5
@@ -1453,7 +1453,7 @@ class CommentPagerTest extends CommentHelperCase {
       $this->assertIdentical($expected_page, $returned_page, format_string('Flat mode, @new replies: expected page @expected, returned page @returned.', array('@new' => $new_replies, '@expected' => $expected_page, '@returned' => $returned_page)));
     }
 
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Switched to threaded mode.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Switched to threaded mode.');
 
     $expected_pages = array(
       1 => 5, // Page of comment 5
@@ -1509,7 +1509,7 @@ class CommentNodeAccessTest extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_DISABLED);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(TRUE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
     $this->drupalLogout();
 
     // Post comment.
@@ -2126,7 +2126,7 @@ class CommentThreadingTestCase extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_DISABLED);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(TRUE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
     $this->drupalLogout();
 
     // Create a node.
diff --git a/modules/contact/contact.info b/modules/contact/contact.info
index 2f7b3dbf..875ec0ba 100755
--- a/modules/contact/contact.info
+++ b/modules/contact/contact.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = contact.test
 configure = admin/structure/contact
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/contextual/contextual.info b/modules/contextual/contextual.info
index e9cf706d..617ad68c 100755
--- a/modules/contextual/contextual.info
+++ b/modules/contextual/contextual.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = contextual.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/dashboard/dashboard.api.php b/modules/dashboard/dashboard.api.php
index 623dd30a..a36a8ea0 100755
--- a/modules/dashboard/dashboard.api.php
+++ b/modules/dashboard/dashboard.api.php
@@ -32,7 +32,7 @@ function hook_dashboard_regions() {
  *   An array containing all dashboard regions, in the format provided by
  *   hook_dashboard_regions().
  */
-function hook_dashboard_regions_alter($regions) {
+function hook_dashboard_regions_alter(&$regions) {
   // Remove the sidebar region defined by the core dashboard module.
   unset($regions['dashboard_sidebar']);
 }
diff --git a/modules/dashboard/dashboard.info b/modules/dashboard/dashboard.info
index c2a04a74..12f890a4 100755
--- a/modules/dashboard/dashboard.info
+++ b/modules/dashboard/dashboard.info
@@ -7,8 +7,8 @@ files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/dashboard/dashboard.test b/modules/dashboard/dashboard.test
index 56bdb132..06344fc9 100755
--- a/modules/dashboard/dashboard.test
+++ b/modules/dashboard/dashboard.test
@@ -49,15 +49,15 @@ class DashboardBlocksTestCase extends DrupalWebTestCase {
 
     // Ensure admin access.
     $this->drupalGet('admin/dashboard');
-    $this->assertResponse(200, t('Admin has access to the dashboard.'));
-    $this->assertRaw($custom_block['title'], t('Admin has access to a dashboard block.'));
+    $this->assertResponse(200, 'Admin has access to the dashboard.');
+    $this->assertRaw($custom_block['title'], 'Admin has access to a dashboard block.');
 
     // Ensure non-admin access is denied.
     $normal_user = $this->drupalCreateUser();
     $this->drupalLogin($normal_user);
     $this->drupalGet('admin/dashboard');
-    $this->assertResponse(403, t('Non-admin has no access to the dashboard.'));
-    $this->assertNoText($custom_block['title'], t('Non-admin has no access to a dashboard block.'));
+    $this->assertResponse(403, 'Non-admin has no access to the dashboard.');
+    $this->assertNoText($custom_block['title'], 'Non-admin has no access to a dashboard block.');
   }
 
   /**
@@ -70,7 +70,7 @@ class DashboardBlocksTestCase extends DrupalWebTestCase {
     $this->drupalGet('admin/dashboard/configure');
     foreach ($dashboard_regions as $region => $description) {
       $elements = $this->xpath('//option[@value=:region]', array(':region' => $region));
-      $this->assertTrue(!empty($elements), t('%region is an available choice on the dashboard block configuration page.', array('%region' => $region)));
+      $this->assertTrue(!empty($elements), format_string('%region is an available choice on the dashboard block configuration page.', array('%region' => $region)));
     }
 
     // Ensure blocks cannot be placed in dashboard regions on the standard
@@ -78,7 +78,7 @@ class DashboardBlocksTestCase extends DrupalWebTestCase {
     $this->drupalGet('admin/structure/block');
     foreach ($dashboard_regions as $region => $description) {
       $elements = $this->xpath('//option[@value=:region]', array(':region' => $region));
-      $this->assertTrue(empty($elements), t('%region is not an available choice on the block configuration page.', array('%region' => $region)));
+      $this->assertTrue(empty($elements), format_string('%region is not an available choice on the block configuration page.', array('%region' => $region)));
     }
   }
 
@@ -94,24 +94,24 @@ class DashboardBlocksTestCase extends DrupalWebTestCase {
     $custom_block['regions[stark]'] = 'dashboard_main';
     $this->drupalPost('admin/structure/block/add', $custom_block, t('Save block'));
     $this->drupalGet('admin/dashboard');
-    $this->assertRaw($custom_block['title'], t('Block appears on the dashboard.'));
+    $this->assertRaw($custom_block['title'], 'Block appears on the dashboard.');
 
     $edit = array();
     $edit['modules[Core][dashboard][enable]'] = FALSE;
     $this->drupalPost('admin/modules', $edit, t('Save configuration'));
-    $this->assertText(t('The configuration options have been saved.'), t('Modules status has been updated.'));
-    $this->assertNoRaw('assigned to the invalid region', t('Dashboard blocks gracefully disabled.'));
+    $this->assertText(t('The configuration options have been saved.'), 'Modules status has been updated.');
+    $this->assertNoRaw('assigned to the invalid region', 'Dashboard blocks gracefully disabled.');
     module_list(TRUE);
-    $this->assertFalse(module_exists('dashboard'), t('Dashboard disabled.'));
+    $this->assertFalse(module_exists('dashboard'), 'Dashboard disabled.');
 
     $edit['modules[Core][dashboard][enable]'] = 'dashboard';
     $this->drupalPost('admin/modules', $edit, t('Save configuration'));
-    $this->assertText(t('The configuration options have been saved.'), t('Modules status has been updated.'));
+    $this->assertText(t('The configuration options have been saved.'), 'Modules status has been updated.');
     module_list(TRUE);
-    $this->assertTrue(module_exists('dashboard'), t('Dashboard enabled.'));
+    $this->assertTrue(module_exists('dashboard'), 'Dashboard enabled.');
 
     $this->drupalGet('admin/dashboard');
-    $this->assertRaw($custom_block['title'], t('Block still appears on the dashboard.'));
+    $this->assertRaw($custom_block['title'], 'Block still appears on the dashboard.');
   }
 
   /**
@@ -121,21 +121,21 @@ class DashboardBlocksTestCase extends DrupalWebTestCase {
     // Test "Recent comments", which should be available (defined as
     // "administrative") but not enabled.
     $this->drupalGet('admin/dashboard');
-    $this->assertNoText(t('Recent comments'), t('"Recent comments" not on dashboard.'));
+    $this->assertNoText(t('Recent comments'), '"Recent comments" not on dashboard.');
     $this->drupalGet('admin/dashboard/drawer');
-    $this->assertText(t('Recent comments'), t('Drawer of disabled blocks includes a block defined as "administrative".'));
-    $this->assertNoText(t('Syndicate'), t('Drawer of disabled blocks excludes a block not defined as "administrative".'));
+    $this->assertText(t('Recent comments'), 'Drawer of disabled blocks includes a block defined as "administrative".');
+    $this->assertNoText(t('Syndicate'), 'Drawer of disabled blocks excludes a block not defined as "administrative".');
     $this->drupalGet('admin/dashboard/configure');
     $elements = $this->xpath('//select[@id=:id]//option[@selected="selected"]', array(':id' => 'edit-blocks-comment-recent-region'));
-    $this->assertTrue($elements[0]['value'] == 'dashboard_inactive', t('A block defined as "administrative" defaults to dashboard_inactive.'));
+    $this->assertTrue($elements[0]['value'] == 'dashboard_inactive', 'A block defined as "administrative" defaults to dashboard_inactive.');
 
     // Now enable the block on the dashboard.
     $values = array();
     $values['blocks[comment_recent][region]'] = 'dashboard_main';
     $this->drupalPost('admin/dashboard/configure', $values, t('Save blocks'));
     $this->drupalGet('admin/dashboard');
-    $this->assertText(t('Recent comments'), t('"Recent comments" was placed on dashboard.'));
+    $this->assertText(t('Recent comments'), '"Recent comments" was placed on dashboard.');
     $this->drupalGet('admin/dashboard/drawer');
-    $this->assertNoText(t('Recent comments'), t('Drawer of disabled blocks excludes enabled blocks.'));
+    $this->assertNoText(t('Recent comments'), 'Drawer of disabled blocks excludes enabled blocks.');
   }
 }
diff --git a/modules/dblog/dblog.info b/modules/dblog/dblog.info
index 760af5bd..09d28969 100755
--- a/modules/dblog/dblog.info
+++ b/modules/dblog/dblog.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = dblog.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/dblog/dblog.test b/modules/dblog/dblog.test
index f1d1034d..bf409c94 100755
--- a/modules/dblog/dblog.test
+++ b/modules/dblog/dblog.test
@@ -11,7 +11,7 @@
 class DBLogTestCase extends DrupalWebTestCase {
 
   /**
-   * A user with some relevent administrative permissions.
+   * A user with some relevant administrative permissions.
    *
    * @var object
    */
diff --git a/modules/field/field.api.php b/modules/field/field.api.php
index 463da551..365fc404 100755
--- a/modules/field/field.api.php
+++ b/modules/field/field.api.php
@@ -1,4 +1,8 @@
 <?php
+/**
+ * @file
+ * Hooks provided by the Field module.
+ */
 
 /**
  * @addtogroup hooks
@@ -37,6 +41,8 @@
  *   - delete: (optional) String containing markup (normally a link) used as the
  *     element's 'delete' operation in the administration interface. Only for
  *     'form' context.
+ *
+ * @ingroup field_types
  */
 function hook_field_extra_fields() {
   $extra['node']['poll'] = array(
@@ -76,6 +82,8 @@ function hook_field_extra_fields() {
  *   The associative array of 'pseudo-field' components.
  *
  * @see hook_field_extra_fields()
+ *
+ * @ingroup field_types
  */
 function hook_field_extra_fields_alter(&$info) {
   // Force node title to always be at the top of the list by default.
@@ -113,6 +121,9 @@ function hook_field_extra_fields_alter(&$info) {
 /**
  * Define Field API field types.
  *
+ * Along with this hook, you also need to implement other hooks. See
+ * @link field_types Field Types API @endlink for more information.
+ *
  * @return
  *   An array whose keys are field type names and whose values are arrays
  *   describing the field type, with the following key/value pairs:
@@ -199,8 +210,11 @@ function hook_field_info_alter(&$info) {
 /**
  * Define the Field API schema for a field structure.
  *
- * This hook MUST be defined in .install for it to be detected during
- * installation and upgrade.
+ * This is invoked when a field is created, in order to obtain the database
+ * schema from the module that defines the field's type.
+ *
+ * This hook must be defined in the module's .install file for it to be detected
+ * during installation and upgrade.
  *
  * @param $field
  *   A field structure.
@@ -650,6 +664,8 @@ function hook_field_delete_revision($entity_type, $entity, $field, $instance, $l
  *   The source entity from which field values are being copied.
  * @param $source_langcode
  *   The source language from which field values are being copied.
+ *
+ * @ingroup field_language
  */
 function hook_field_prepare_translation($entity_type, $entity, $field, $instance, $langcode, &$items, $source_entity, $source_langcode) {
   // If the translating user is not permitted to use the assigned text format,
@@ -1244,7 +1260,7 @@ function hook_field_formatter_view($entity_type, $entity, $field, $instance, $la
  */
 
 /**
- * @ingroup field_attach
+ * @addtogroup field_attach
  * @{
  */
 
@@ -1306,6 +1322,13 @@ function hook_field_attach_load($entity_type, $entities, $age, $options) {
  * This hook is invoked after the field module has performed the operation.
  *
  * See field_attach_validate() for details and arguments.
+ *
+ * @param $entity_type
+ *   The type of $entity; e.g., 'node' or 'user'.
+ * @param $entity
+ *   The entity with fields to validate.
+ * @param array $errors
+ *   An associative array of errors keyed by field_name, language, delta.
  */
 function hook_field_attach_validate($entity_type, $entity, &$errors) {
   // @todo Needs function body.
@@ -1510,6 +1533,8 @@ function hook_field_attach_prepare_translation_alter(&$entity, $context) {
  *   - entity_type: The type of the entity to be displayed.
  *   - entity: The entity with fields to render.
  *   - langcode: The language code $entity has to be displayed in.
+ *
+ * @ingroup field_language
  */
 function hook_field_language_alter(&$display_language, $context) {
   // Do not apply core language fallback rules if they are disabled or if Locale
@@ -1531,6 +1556,8 @@ function hook_field_language_alter(&$display_language, $context) {
  *   An associative array containing:
  *   - entity_type: The type of the entity the field is attached to.
  *   - field: A field data structure.
+ *
+ * @ingroup field_language
  */
 function hook_field_available_languages_alter(&$languages, $context) {
   // Add an unavailable language.
@@ -1581,7 +1608,7 @@ function hook_field_attach_rename_bundle($entity_type, $bundle_old, $bundle_new)
  * @param $entity_type
  *   The type of entity; for example, 'node' or 'user'.
  * @param $bundle
- *   The bundle that was just deleted.
+ *   The name of the bundle that was just deleted.
  * @param $instances
  *   An array of all instances that existed for the bundle before it was
  *   deleted.
@@ -1596,7 +1623,7 @@ function hook_field_attach_delete_bundle($entity_type, $bundle, $instances) {
 }
 
 /**
- * @} End of "defgroup field_attach".
+ * @} End of "addtogroup field_attach".
  */
 
 /**
@@ -2256,6 +2283,10 @@ function hook_field_storage_pre_update($entity_type, $entity, &$skip_fields) {
   }
 }
 
+/**
+ * @} End of "addtogroup field_storage
+ */
+
 /**
  * Returns the maximum weight for the entity components handled by the module.
  *
@@ -2269,9 +2300,12 @@ function hook_field_storage_pre_update($entity_type, $entity, &$skip_fields) {
  * @param $context
  *   The context for which the maximum weight is requested. Either 'form', or
  *   the name of a view mode.
+ *
  * @return
  *   The maximum weight of the entity's components, or NULL if no components
  *   were found.
+ *
+ * @ingroup field_info
  */
 function hook_field_info_max_weight($entity_type, $bundle, $context) {
   $weights = array();
@@ -2283,6 +2317,11 @@ function hook_field_info_max_weight($entity_type, $bundle, $context) {
   return $weights ? max($weights) : NULL;
 }
 
+/**
+ * @addtogroup field_types
+ * @{
+ */
+
 /**
  * Alters the display settings of a field before it gets displayed.
  *
@@ -2349,6 +2388,10 @@ function hook_field_display_ENTITY_TYPE_alter(&$display, $context) {
   }
 }
 
+/**
+ * @} End of "addtogroup field_types
+ */
+
 /**
  * Alters the display settings of pseudo-fields before an entity is displayed.
  *
@@ -2364,6 +2407,8 @@ function hook_field_display_ENTITY_TYPE_alter(&$display, $context) {
  *   - entity_type: The entity type; e.g., 'node' or 'user'.
  *   - bundle: The bundle name.
  *   - view_mode: The view mode, e.g. 'full', 'teaser'...
+ *
+ * @ingroup field_types
  */
 function hook_field_extra_fields_display_alter(&$displays, $context) {
   if ($context['entity_type'] == 'taxonomy_term' && $context['view_mode'] == 'full') {
@@ -2393,6 +2438,8 @@ function hook_field_extra_fields_display_alter(&$displays, $context) {
  *   - instance: The instance of the field.
  *
  * @see hook_field_widget_properties_alter()
+ *
+ * @ingroup field_widget
  */
 function hook_field_widget_properties_ENTITY_TYPE_alter(&$widget, $context) {
   // Change a widget's type according to the time of day.
@@ -2403,10 +2450,6 @@ function hook_field_widget_properties_ENTITY_TYPE_alter(&$widget, $context) {
   }
 }
 
-/**
- * @} End of "addtogroup field_storage".
- */
-
 /**
  * @addtogroup field_crud
  * @{
@@ -2602,6 +2645,8 @@ function hook_field_purge_instance($instance) {
  *
  * @param $field
  *   The field being purged.
+ *
+ * @ingroup field_storage
  */
 function hook_field_storage_purge_field($field) {
   $table_name = _field_sql_storage_tablename($field);
@@ -2619,6 +2664,8 @@ function hook_field_storage_purge_field($field) {
  *
  * @param $instance
  *   The instance being purged.
+ *
+ * @ingroup field_storage
  */
 function hook_field_storage_purge_field_instance($instance) {
   db_delete('my_module_field_instance_info')
@@ -2640,6 +2687,8 @@ function hook_field_storage_purge_field_instance($instance) {
  *   The (possibly deleted) field whose data is being purged.
  * @param $instance
  *   The deleted field instance whose data is being purged.
+ *
+ * @ingroup field_storage
  */
 function hook_field_storage_purge($entity_type, $entity, $field, $instance) {
   list($id, $vid, $bundle) = entity_extract_ids($entity_type, $entity);
@@ -2679,6 +2728,8 @@ function hook_field_storage_purge($entity_type, $entity, $field, $instance) {
  *
  * @return
  *   TRUE if the operation is allowed, and FALSE if the operation is denied.
+ *
+ * @ingroup field_types
  */
 function hook_field_access($op, $field, $entity_type, $entity, $account) {
   if ($field['field_name'] == 'field_of_interest' && $op == 'edit') {
diff --git a/modules/field/field.attach.inc b/modules/field/field.attach.inc
index 30a12d00..4a90961d 100755
--- a/modules/field/field.attach.inc
+++ b/modules/field/field.attach.inc
@@ -976,6 +976,12 @@ function field_attach_insert($entity_type, $entity) {
 /**
  * Save field data for an existing entity.
  *
+ * When calling this function outside an entity save operation be sure to
+ * clear caches for the entity:
+ * @code
+ * entity_get_controller($entity_type)->resetCache(array($entity_id))
+ * @endcode
+ *
  * @param $entity_type
  *   The type of $entity; e.g. 'node' or 'user'.
  * @param $entity
diff --git a/modules/field/field.info b/modules/field/field.info
index fc9c3191..72ee3bd4 100755
--- a/modules/field/field.info
+++ b/modules/field/field.info
@@ -11,8 +11,8 @@ dependencies[] = field_sql_storage
 required = TRUE
 stylesheets[all][] = theme/field.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/field.module b/modules/field/field.module
index 4331cdf4..52faf354 100755
--- a/modules/field/field.module
+++ b/modules/field/field.module
@@ -819,9 +819,9 @@ function field_view_value($entity_type, $entity, $field_name, $item, $display =
  *
  * This function can be used by third-party modules that need to output an
  * isolated field.
- * - Do not use inside node (or other entities) templates, use
+ * - Do not use inside node (or any other entity) templates; use
  *   render($content[FIELD_NAME]) instead.
- * - Do not use to display all fields in an entity, use
+ * - Do not use to display all fields in an entity; use
  *   field_attach_prepare_view() and field_attach_view() instead.
  * - The field_view_value() function can be used to output a single formatted
  *   field value, without label or wrapping field markup.
diff --git a/modules/field/modules/field_sql_storage/field_sql_storage.info b/modules/field/modules/field_sql_storage/field_sql_storage.info
index 3f73a1b7..2cd799ac 100755
--- a/modules/field/modules/field_sql_storage/field_sql_storage.info
+++ b/modules/field/modules/field_sql_storage/field_sql_storage.info
@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = field_sql_storage.test
 required = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/modules/list/list.info b/modules/field/modules/list/list.info
index 24dfc987..14226b9e 100755
--- a/modules/field/modules/list/list.info
+++ b/modules/field/modules/list/list.info
@@ -7,8 +7,8 @@ dependencies[] = field
 dependencies[] = options
 files[] = tests/list.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/modules/list/tests/list_test.info b/modules/field/modules/list/tests/list_test.info
index ff08ef95..6089a469 100755
--- a/modules/field/modules/list/tests/list_test.info
+++ b/modules/field/modules/list/tests/list_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/modules/number/number.info b/modules/field/modules/number/number.info
index 69fd1ac3..d4eeafe2 100755
--- a/modules/field/modules/number/number.info
+++ b/modules/field/modules/number/number.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = number.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/modules/options/options.info b/modules/field/modules/options/options.info
index 5afe004c..0dd78c24 100755
--- a/modules/field/modules/options/options.info
+++ b/modules/field/modules/options/options.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = options.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/modules/options/options.test b/modules/field/modules/options/options.test
index 44b3caf2..7183311b 100755
--- a/modules/field/modules/options/options.test
+++ b/modules/field/modules/options/options.test
@@ -359,7 +359,7 @@ class OptionsWidgetsTestCase extends FieldTestCase {
 
     // Test the 'None' option.
 
-    // Check that the 'none' option has no efect if actual options are selected
+    // Check that the 'none' option has no effect if actual options are selected
     // as well.
     $edit = array("card_2[$langcode][]" => array('_none' => '_none', 0 => 0));
     $this->drupalPost('test-entity/manage/' . $entity->ftid . '/edit', $edit, t('Save'));
diff --git a/modules/field/modules/text/text.info b/modules/field/modules/text/text.info
index f3a6ae6f..ce42e0a1 100755
--- a/modules/field/modules/text/text.info
+++ b/modules/field/modules/text/text.info
@@ -7,8 +7,8 @@ dependencies[] = field
 files[] = text.test
 required = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/tests/field_test.info b/modules/field/tests/field_test.info
index 385a0534..7a17d30a 100755
--- a/modules/field/tests/field_test.info
+++ b/modules/field/tests/field_test.info
@@ -6,8 +6,8 @@ files[] = field_test.entity.inc
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field/tests/field_test.install b/modules/field/tests/field_test.install
index a224520b..eaf13902 100755
--- a/modules/field/tests/field_test.install
+++ b/modules/field/tests/field_test.install
@@ -60,7 +60,7 @@ function field_test_schema() {
     'description' => 'The base table for test entities with a bundle key.',
     'fields' => array(
       'ftid' => array(
-        'description' => 'The primary indentifier for a test_entity_bundle_key.',
+        'description' => 'The primary identifier for a test_entity_bundle_key.',
         'type' => 'int',
         'unsigned' => TRUE,
         'not null' => TRUE,
@@ -79,7 +79,7 @@ function field_test_schema() {
     'description' => 'The base table for test entities with a bundle.',
     'fields' => array(
       'ftid' => array(
-        'description' => 'The primary indentifier for a test_entity_bundle.',
+        'description' => 'The primary identifier for a test_entity_bundle.',
         'type' => 'int',
         'unsigned' => TRUE,
         'not null' => TRUE,
diff --git a/modules/field_ui/field_ui.admin.inc b/modules/field_ui/field_ui.admin.inc
index 5c6f5299..5d74a5ca 100755
--- a/modules/field_ui/field_ui.admin.inc
+++ b/modules/field_ui/field_ui.admin.inc
@@ -936,7 +936,7 @@ function field_ui_display_overview_form($form, &$form_state, $entity_type, $bund
   $field_label_options = array(
     'above' => t('Above'),
     'inline' => t('Inline'),
-    'hidden' => t('<Hidden>'),
+    'hidden' => '<' . t('Hidden') . '>',
   );
   $extra_visibility_options = array(
     'visible' => t('Visible'),
@@ -992,7 +992,7 @@ function field_ui_display_overview_form($form, &$form_state, $entity_type, $bund
     );
 
     $formatter_options = field_ui_formatter_options($field['type']);
-    $formatter_options['hidden'] = t('<Hidden>');
+    $formatter_options['hidden'] = '<' . t('Hidden') . '>';
     $table[$name]['format'] = array(
       'type' => array(
         '#type' => 'select',
diff --git a/modules/field_ui/field_ui.info b/modules/field_ui/field_ui.info
index 0b32314b..f00cc4fb 100755
--- a/modules/field_ui/field_ui.info
+++ b/modules/field_ui/field_ui.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = field_ui.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/field_ui/field_ui.module b/modules/field_ui/field_ui.module
index 5f8bc45e..ed833feb 100755
--- a/modules/field_ui/field_ui.module
+++ b/modules/field_ui/field_ui.module
@@ -318,7 +318,7 @@ function field_ui_field_attach_create_bundle($entity_type, $bundle) {
 }
 
 /**
- * Determines the adminstration path for a bundle.
+ * Determines the administration path for a bundle.
  */
 function _field_ui_bundle_admin_path($entity_type, $bundle_name) {
   $bundles = field_info_bundles($entity_type);
diff --git a/modules/file/file.field.inc b/modules/file/file.field.inc
index 319cd584..59b547a7 100755
--- a/modules/file/file.field.inc
+++ b/modules/file/file.field.inc
@@ -186,7 +186,7 @@ function file_field_load($entity_type, $entities, $field, $instances, $langcode,
         $items[$id][$delta] = NULL;
       }
       else {
-        $items[$id][$delta] = array_merge($item, (array) $files[$item['fid']]);
+        $items[$id][$delta] = array_merge((array) $files[$item['fid']], $item);
       }
     }
   }
@@ -215,8 +215,16 @@ function file_field_presave($entity_type, $entity, $field, $instance, $langcode,
   // Make sure that each file which will be saved with this object has a
   // permanent status, so that it will not be removed when temporary files are
   // cleaned up.
-  foreach ($items as $item) {
+  foreach ($items as $delta => $item) {
+    if (empty($item['fid'])) {
+      unset($items[$delta]);
+      continue;
+    }
     $file = file_load($item['fid']);
+    if (empty($file)) {
+      unset($items[$delta]);
+      continue;
+    }
     if (!$file->status) {
       $file->status = FILE_STATUS_PERMANENT;
       file_save($file);
@@ -760,7 +768,7 @@ function file_field_widget_submit($form, &$form_state) {
   $langcode = $element['#language'];
   $parents = $element['#field_parents'];
 
-  $submitted_values = drupal_array_get_nested_value($form_state['values'], array_slice($button['#array_parents'], 0, -2));
+  $submitted_values = drupal_array_get_nested_value($form_state['values'], array_slice($button['#parents'], 0, -2));
   foreach ($submitted_values as $delta => $submitted_value) {
     if (!$submitted_value['fid']) {
       unset($submitted_values[$delta]);
@@ -771,7 +779,7 @@ function file_field_widget_submit($form, &$form_state) {
   $submitted_values = array_values($submitted_values);
 
   // Update form_state values.
-  drupal_array_set_nested_value($form_state['values'], array_slice($button['#array_parents'], 0, -2), $submitted_values);
+  drupal_array_set_nested_value($form_state['values'], array_slice($button['#parents'], 0, -2), $submitted_values);
 
   // Update items.
   $field_state = field_form_get_state($parents, $field_name, $langcode, $form_state);
diff --git a/modules/file/file.info b/modules/file/file.info
index 972c15dd..418b3843 100755
--- a/modules/file/file.info
+++ b/modules/file/file.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = field
 files[] = tests/file.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/file/file.js b/modules/file/file.js
index 0135a3b2..fffec6b7 100755
--- a/modules/file/file.js
+++ b/modules/file/file.js
@@ -83,7 +83,7 @@ Drupal.file = Drupal.file || {
           '%filename': this.value.replace('C:\\fakepath\\', ''),
           '%extensions': extensionPattern.replace(/\|/g, ', ')
         });
-        $(this).closest('div.form-managed-file').prepend('<div class="messages error file-upload-js-error">' + error + '</div>');
+        $(this).closest('div.form-managed-file').prepend('<div class="messages error file-upload-js-error" aria-live="polite">' + error + '</div>');
         this.value = '';
         return false;
       }
diff --git a/modules/file/file.module b/modules/file/file.module
index 3d351fa2..5a635fd7 100755
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -246,7 +246,7 @@ function file_ajax_upload() {
     return array('#type' => 'ajax', '#commands' => $commands);
   }
 
-  list($form, $form_state) = ajax_get_form();
+  list($form, $form_state, $form_id, $form_build_id, $commands) = ajax_get_form();
 
   if (!$form) {
     // Invalid form_build_id.
@@ -284,7 +284,6 @@ function file_ajax_upload() {
   $js = drupal_add_js();
   $settings = call_user_func_array('array_merge_recursive', $js['settings']['data']);
 
-  $commands = array();
   $commands[] = ajax_command_replace(NULL, $output, $settings);
   return array('#type' => 'ajax', '#commands' => $commands);
 }
diff --git a/modules/file/tests/file_module_test.info b/modules/file/tests/file_module_test.info
index a13b627b..09418495 100755
--- a/modules/file/tests/file_module_test.info
+++ b/modules/file/tests/file_module_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/filter/filter.info b/modules/filter/filter.info
index c9390820..7d26d478 100755
--- a/modules/filter/filter.info
+++ b/modules/filter/filter.info
@@ -7,8 +7,8 @@ files[] = filter.test
 required = TRUE
 configure = admin/config/content/formats
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index 2afe901e..5c2b8c97 100755
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -739,8 +739,8 @@ function filter_list_format($format_id) {
  * @param $text
  *   The text to be filtered.
  * @param $format_id
- *   (optional) The format ID of the text to be filtered. If no format is
- *   assigned, the fallback format will be used. Defaults to NULL.
+ *   (optional) The machine name of the filter format to be used to filter the
+ *   text. Defaults to the fallback format. See filter_fallback_format().
  * @param $langcode
  *   (optional) The language code of the text to be filtered, e.g. 'en' for
  *   English. This allows filters to be language aware so language specific
diff --git a/modules/forum/forum.info b/modules/forum/forum.info
index 57ea9438..e28d10e1 100755
--- a/modules/forum/forum.info
+++ b/modules/forum/forum.info
@@ -9,8 +9,8 @@ files[] = forum.test
 configure = admin/structure/forum
 stylesheets[all][] = forum.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/help/help.info b/modules/help/help.info
index 2b51edc6..f882a440 100755
--- a/modules/help/help.info
+++ b/modules/help/help.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = help.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/image/image.admin.inc b/modules/image/image.admin.inc
index 7e626219..cebe8940 100755
--- a/modules/image/image.admin.inc
+++ b/modules/image/image.admin.inc
@@ -592,15 +592,15 @@ function image_crop_form($data) {
     '#type' => 'radios',
     '#title' => t('Anchor'),
     '#options' => array(
-      'left-top'      => t('Top') . ' ' . t('Left'),
-      'center-top'    => t('Top') . ' ' . t('Center'),
-      'right-top'     => t('Top') . ' ' . t('Right'),
-      'left-center'   => t('Center') . ' ' . t('Left'),
+      'left-top'      => t('Top left'),
+      'center-top'    => t('Top center'),
+      'right-top'     => t('Top right'),
+      'left-center'   => t('Center left'),
       'center-center' => t('Center'),
-      'right-center'  => t('Center') . ' ' . t('Right'),
-      'left-bottom'   => t('Bottom') . ' ' . t('Left'),
-      'center-bottom' => t('Bottom') . ' ' . t('Center'),
-      'right-bottom'  => t('Bottom') . ' ' . t('Right'),
+      'right-center'  => t('Center right'),
+      'left-bottom'   => t('Bottom left'),
+      'center-bottom' => t('Bottom center'),
+      'right-bottom'  => t('Bottom right'),
     ),
     '#theme' => 'image_anchor',
     '#default_value' => $data['anchor'],
diff --git a/modules/image/image.field.inc b/modules/image/image.field.inc
index 23547385..6d1867cb 100755
--- a/modules/image/image.field.inc
+++ b/modules/image/image.field.inc
@@ -351,7 +351,7 @@ function image_field_widget_form(&$form, &$form_state, $field, $instance, $langc
   if ($field['cardinality'] == 1) {
     // If there's only one field, return it as delta 0.
     if (empty($elements[0]['#default_value']['fid'])) {
-      $elements[0]['#description'] = theme('file_upload_help', array('description' => $instance['description'], 'upload_validators' => $elements[0]['#upload_validators']));
+      $elements[0]['#description'] = theme('file_upload_help', array('description' => field_filter_xss($instance['description']), 'upload_validators' => $elements[0]['#upload_validators']));
     }
   }
   else {
diff --git a/modules/image/image.info b/modules/image/image.info
index 9a45ade8..a1adc322 100755
--- a/modules/image/image.info
+++ b/modules/image/image.info
@@ -7,8 +7,8 @@ dependencies[] = file
 files[] = image.test
 configure = admin/config/media/image-styles
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/image/image.module b/modules/image/image.module
index b3ba7c44..c6a23f25 100755
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -835,7 +835,7 @@ function image_style_deliver($style, $scheme) {
     else {
       $headers = module_invoke_all('file_download', $image_uri);
       if (in_array(-1, $headers) || empty($headers)) {
-        return drupal_access_denied();
+        return MENU_ACCESS_DENIED;
       }
       if (count($headers)) {
         foreach ($headers as $name => $value) {
@@ -972,7 +972,9 @@ function image_style_flush($style) {
   // Delete the style directory in each registered wrapper.
   $wrappers = file_get_stream_wrappers(STREAM_WRAPPERS_WRITE_VISIBLE);
   foreach ($wrappers as $wrapper => $wrapper_data) {
-    file_unmanaged_delete_recursive($wrapper . '://styles/' . $style['name']);
+    if (file_exists($directory = $wrapper . '://styles/' . $style['name'])) {
+      file_unmanaged_delete_recursive($directory);
+    }
   }
 
   // Let other modules update as necessary on flush.
@@ -1010,10 +1012,14 @@ function image_style_flush($style) {
  */
 function image_style_url($style_name, $path) {
   $uri = image_style_path($style_name, $path);
+
+  // The passed-in $path variable can be either a relative path or a full URI.
+  $original_uri = file_uri_scheme($path) ? file_stream_wrapper_uri_normalize($path) : file_build_uri($path);
+
   // The token query is added even if the 'image_allow_insecure_derivatives'
   // variable is TRUE, so that the emitted links remain valid if it is changed
   // back to the default FALSE.
-  $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
+  $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, $original_uri));
 
   // If not using clean URLs, the image derivative callback is only available
   // with the query string. If the file does not exist, use url() to ensure
diff --git a/modules/image/image.test b/modules/image/image.test
index 7db68e6c..4a4aab05 100755
--- a/modules/image/image.test
+++ b/modules/image/image.test
@@ -216,10 +216,20 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
     }
     // Add some extra chars to the token.
     $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url));
-    $this->assertResponse(403, 'Image was inaccessible at the URL wih an invalid token.');
+    $this->assertResponse(403, 'Image was inaccessible at the URL with an invalid token.');
     // Change the parameter name so the token is missing.
     $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $generate_url));
-    $this->assertResponse(403, 'Image was inaccessible at the URL wih a missing token.');
+    $this->assertResponse(403, 'Image was inaccessible at the URL with a missing token.');
+
+    // Check that the generated URL is the same when we pass in a relative path
+    // rather than a URI. We need to temporarily switch the default scheme to
+    // match the desired scheme before testing this, then switch it back to the
+    // "temporary" scheme used throughout this test afterwards.
+    variable_set('file_default_scheme', $scheme);
+    $relative_path = file_uri_target($original_uri);
+    $generate_url_from_relative_path = image_style_url($this->style_name, $relative_path);
+    $this->assertEqual($generate_url, $generate_url_from_relative_path, 'Generated URL is the same regardless of whether it came from a relative path or a file URI.');
+    variable_set('file_default_scheme', 'temporary');
 
     // Fetch the URL that generates the file.
     $this->drupalGet($generate_url);
@@ -268,7 +278,7 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
     elseif ($clean_url) {
       // Add some extra chars to the token.
       $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url));
-      $this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.');
+      $this->assertResponse(200, 'Existing image was accessible at the URL with an invalid token.');
     }
 
     // Allow insecure image derivatives to be created for the remainder of this
diff --git a/modules/image/tests/image_module_test.info b/modules/image/tests/image_module_test.info
index 16166783..21dfb92c 100755
--- a/modules/image/tests/image_module_test.info
+++ b/modules/image/tests/image_module_test.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = image_module_test.module
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/locale/locale.admin.inc b/modules/locale/locale.admin.inc
index f1a71ddf..b736f79b 100755
--- a/modules/locale/locale.admin.inc
+++ b/modules/locale/locale.admin.inc
@@ -1242,9 +1242,7 @@ function locale_translate_delete_page($lid) {
   if ($source = db_query('SELECT lid, source FROM {locales_source} WHERE lid = :lid', array(':lid' => $lid))->fetchObject()) {
     return drupal_get_form('locale_translate_delete_form', $source);
   }
-  else {
-    return drupal_not_found();
-  }
+  return MENU_NOT_FOUND;
 }
 
 /**
diff --git a/modules/locale/locale.info b/modules/locale/locale.info
index bc59c28e..b9868f3d 100755
--- a/modules/locale/locale.info
+++ b/modules/locale/locale.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = locale.test
 configure = admin/config/regional/language
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/locale/locale.test b/modules/locale/locale.test
index edf72e4d..9ffec9f1 100755
--- a/modules/locale/locale.test
+++ b/modules/locale/locale.test
@@ -1685,7 +1685,7 @@ class LocaleBrowserDetectionTest extends DrupalUnitTestCase {
     );
 
     $test_cases = array(
-      // Equal qvalue for each language, choose the site prefered one.
+      // Equal qvalue for each language, choose the site preferred one.
       'en,en-US,fr-CA,fr,es-MX' => 'en',
       'en-US,en,fr-CA,fr,es-MX' => 'en',
       'fr,en' => 'en',
diff --git a/modules/locale/tests/locale_test.info b/modules/locale/tests/locale_test.info
index 21ce383a..868b6831 100755
--- a/modules/locale/tests/locale_test.info
+++ b/modules/locale/tests/locale_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/menu/menu.admin.inc b/modules/menu/menu.admin.inc
index 68d8e12d..66bd6f3b 100755
--- a/modules/menu/menu.admin.inc
+++ b/modules/menu/menu.admin.inc
@@ -512,8 +512,7 @@ function menu_delete_menu_page($menu) {
   // System-defined menus may not be deleted.
   $system_menus = menu_list_system_menus();
   if (isset($system_menus[$menu['menu_name']])) {
-    drupal_access_denied();
-    return;
+    return MENU_ACCESS_DENIED;
   }
   return drupal_get_form('menu_delete_menu_confirm', $menu);
 }
@@ -622,8 +621,7 @@ function menu_item_delete_page($item) {
   // Links defined via hook_menu may not be deleted. Updated items are an
   // exception, as they can be broken.
   if ($item['module'] == 'system' && !$item['updated']) {
-    drupal_access_denied();
-    return;
+    return MENU_ACCESS_DENIED;
   }
   return drupal_get_form('menu_item_delete_form', $item);
 }
diff --git a/modules/menu/menu.info b/modules/menu/menu.info
index d85c5e53..f941c232 100755
--- a/modules/menu/menu.info
+++ b/modules/menu/menu.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = menu.test
 configure = admin/structure/menu
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/node/content_types.inc b/modules/node/content_types.inc
index 4b722ee0..55af6670 100755
--- a/modules/node/content_types.inc
+++ b/modules/node/content_types.inc
@@ -255,11 +255,11 @@ function _node_characters($length) {
  */
 function node_type_form_validate($form, &$form_state) {
   $type = new stdClass();
-  $type->type = trim($form_state['values']['type']);
+  $type->type = $form_state['values']['type'];
   $type->name = trim($form_state['values']['name']);
 
   // Work out what the type was before the user submitted this form
-  $old_type = trim($form_state['values']['old_type']);
+  $old_type = $form_state['values']['old_type'];
 
   $types = node_type_get_names();
 
@@ -288,7 +288,7 @@ function node_type_form_submit($form, &$form_state) {
 
   $type = node_type_set_defaults();
 
-  $type->type = trim($form_state['values']['type']);
+  $type->type = $form_state['values']['type'];
   $type->name = trim($form_state['values']['name']);
   $type->orig_type = trim($form_state['values']['orig_type']);
   $type->old_type = isset($form_state['values']['old_type']) ? $form_state['values']['old_type'] : $type->type;
diff --git a/modules/node/node.admin.inc b/modules/node/node.admin.inc
index be09b37c..35f4c1d5 100755
--- a/modules/node/node.admin.inc
+++ b/modules/node/node.admin.inc
@@ -471,6 +471,7 @@ function node_admin_nodes() {
   $header['operations'] = array('data' => t('Operations'));
 
   $query = db_select('node', 'n')->extend('PagerDefault')->extend('TableSort');
+  $query->addTag('node_admin_filter');
   node_build_filter_query($query);
 
   if (!user_access('bypass node access')) {
@@ -695,6 +696,7 @@ function node_multiple_delete_confirm($form, &$form_state, $nodes) {
 function node_multiple_delete_confirm_submit($form, &$form_state) {
   if ($form_state['values']['confirm']) {
     node_delete_multiple(array_keys($form_state['values']['nodes']));
+    cache_clear_all();
     $count = count($form_state['values']['nodes']);
     watchdog('content', 'Deleted @count posts.', array('@count' => $count));
     drupal_set_message(format_plural($count, 'Deleted 1 post.', 'Deleted @count posts.'));
diff --git a/modules/node/node.api.php b/modules/node/node.api.php
index f8dcfdef..95026761 100755
--- a/modules/node/node.api.php
+++ b/modules/node/node.api.php
@@ -1033,9 +1033,17 @@ function hook_node_type_delete($info) {
  * This hook is invoked only on the module that defines the node's content type
  * (use hook_node_delete() to respond to all node deletions).
  *
- * This hook is invoked from node_delete_multiple() after the node has been
- * removed from the node table in the database, before hook_node_delete() is
- * invoked, and before field_attach_delete() is called.
+ * This hook is invoked from node_delete_multiple() before hook_node_delete()
+ * is invoked and before field_attach_delete() is called.
+ *
+ * Note that when this hook is invoked, the changes have not yet been written
+ * to the database, because a database transaction is still in progress. The
+ * transaction is not finalized until the delete operation is entirely
+ * completed and node_delete_multiple() goes out of scope. You should not rely
+ * on data in the database at this time as it is not updated yet. You should
+ * also note that any write/update database queries executed from this hook are
+ * also not committed immediately. Check node_delete_multiple() and
+ * db_transaction() for more info.
  *
  * @param $node
  *   The node that is being deleted.
@@ -1063,21 +1071,19 @@ function hook_delete($node) {
  * @ingroup node_api_hooks
  */
 function hook_prepare($node) {
-  if ($file = file_check_upload($field_name)) {
-    $file = file_save_upload($field_name, _image_filename($file->filename, NULL, TRUE));
-    if ($file) {
-      if (!image_get_info($file->uri)) {
-        form_set_error($field_name, t('Uploaded file is not a valid image'));
-        return;
-      }
-    }
-    else {
+  $file = file_save_upload($field_name, _image_filename($file->filename, NULL, TRUE));
+  if ($file) {
+    if (!image_get_info($file->uri)) {
+      form_set_error($field_name, t('Uploaded file is not a valid image'));
       return;
     }
-    $node->images['_original'] = $file->uri;
-    _image_build_derivatives($node, TRUE);
-    $node->new_file = TRUE;
   }
+  else {
+    return;
+  }
+  $node->images['_original'] = $file->uri;
+  _image_build_derivatives($node, TRUE);
+  $node->new_file = TRUE;
 }
 
 /**
diff --git a/modules/node/node.info b/modules/node/node.info
index fb92c29a..f0acbc5f 100755
--- a/modules/node/node.info
+++ b/modules/node/node.info
@@ -9,8 +9,8 @@ required = TRUE
 configure = admin/structure/types
 stylesheets[all][] = node.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/node/node.install b/modules/node/node.install
index 43bfd531..76c2aec2 100755
--- a/modules/node/node.install
+++ b/modules/node/node.install
@@ -114,6 +114,7 @@ function node_schema() {
       'uid'                 => array('uid'),
       'tnid'                => array('tnid'),
       'translate'           => array('translate'),
+      'language'            => array('language'),
     ),
     'unique keys' => array(
       'vid' => array('vid'),
@@ -925,6 +926,13 @@ function node_update_7013() {
   db_add_unique_key('node', 'vid', array('vid'));
 }
 
+/**
+ * Add an index on {node}.language.
+ */
+function node_update_7014() {
+  db_add_index('node', 'language', array('language'));
+}
+
 /**
  * @} End of "addtogroup updates-7.x-extra".
  */
diff --git a/modules/node/node.module b/modules/node/node.module
index 26807625..5a4e0194 100755
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1179,10 +1179,8 @@ function node_save($node) {
     module_invoke_all('node_' . $op, $node);
     module_invoke_all('entity_' . $op, $node, 'node');
 
-    // Update the node access table for this node. There's no need to delete
-    // existing records if the node is new.
-    $delete = $op == 'update';
-    node_access_acquire_grants($node, $delete);
+    // Update the node access table for this node.
+    node_access_acquire_grants($node);
 
     // Clear internal properties.
     unset($node->is_new);
@@ -1685,7 +1683,7 @@ function node_search_admin() {
   );
   $form['content_ranking']['#theme'] = 'node_search_admin';
   $form['content_ranking']['info'] = array(
-    '#value' => '<em>' . t('The following numbers control which properties the content search should favor when ordering the results. Higher numbers mean more influence, zero means the property is ignored. Changing these numbers does not require the search index to be rebuilt. Changes take effect immediately.') . '</em>'
+    '#markup' => '<p><em>' . t('Influence is a numeric multiplier used in ordering search results. A higher number means the corresponding factor has more influence on search results; zero means the factor is ignored. Changing these numbers does not require the search index to be rebuilt. Changes take effect immediately.') . '</em></p>'
   );
 
   // Note: reversed to reflect that higher number = higher ranking.
@@ -1872,7 +1870,7 @@ function theme_node_search_admin($variables) {
 
   $output = drupal_render($form['info']);
 
-  $header = array(t('Factor'), t('Weight'));
+  $header = array(t('Factor'), t('Influence'));
   foreach (element_children($form['factors']) as $key) {
     $row = array();
     $row[] = $form['factors'][$key]['#title'];
@@ -2224,8 +2222,8 @@ function node_last_changed($nid) {
 /**
  * Returns a list of all the existing revision numbers.
  *
- * @param Drupal\node\Node $node
- *   The node entity.
+ * @param $node
+ *   The node object.
  *
  * @return
  *   An associative array keyed by node revision number.
@@ -3292,6 +3290,17 @@ function node_query_entity_field_access_alter(QueryAlterableInterface $query) {
 /**
  * Helper for node access functions.
  *
+ * Queries tagged with 'node_access' that are not against the {node} table
+ * should add the base table as metadata. For example:
+ * @code
+ *   $query
+ *     ->addTag('node_access')
+ *     ->addMetaData('base_table', 'taxonomy_index');
+ * @endcode
+ * If the query is not against the {node} table, an attempt is made to guess
+ * the table, but is not recommended to rely on this as it is deprecated and not
+ * allowed in Drupal 8. It is always safer to provide the table.
+ *
  * @param $query
  *   The query to add conditions to.
  * @param $type
diff --git a/modules/node/node.pages.inc b/modules/node/node.pages.inc
index 75ed0ddb..62674636 100755
--- a/modules/node/node.pages.inc
+++ b/modules/node/node.pages.inc
@@ -542,6 +542,7 @@ function node_delete_confirm_submit($form, &$form_state) {
   if ($form_state['values']['confirm']) {
     $node = node_load($form_state['values']['nid']);
     node_delete($form_state['values']['nid']);
+    cache_clear_all();
     watchdog('content', '@type: deleted %title.', array('@type' => $node->type, '%title' => $node->title));
     drupal_set_message(t('@type %title has been deleted.', array('@type' => node_type_get_name($node), '%title' => $node->title)));
   }
diff --git a/modules/node/node.test b/modules/node/node.test
index b1d78fa1..0777e113 100755
--- a/modules/node/node.test
+++ b/modules/node/node.test
@@ -571,6 +571,8 @@ class NodeCreationTestCase extends DrupalWebTestCase {
     );
 
     try {
+      // An exception is generated by node_test_exception_node_insert() if the
+      // title is 'testing_transaction_exception'.
       node_save((object) $edit);
       $this->fail(t('Expected exception has not been thrown.'));
     }
@@ -1363,6 +1365,22 @@ class NodeSaveTestCase extends DrupalWebTestCase {
     $node = node_load($node->nid);
     $this->assertEqual($node->title, 'updated_presave', 'Static cache has been cleared.');
   }
+
+  /**
+   * Tests saving a node on node insert.
+   *
+   * This test ensures that a node has been fully saved when hook_node_insert()
+   * is invoked, so that the node can be saved again in a hook implementation
+   * without errors.
+   *
+   * @see node_test_node_insert()
+   */
+  function testNodeSaveOnInsert() {
+    // node_test_node_insert() triggers a save on insert if the title equals
+    // 'new'.
+    $node = $this->drupalCreateNode(array('title' => 'new'));
+    $this->assertEqual($node->title, 'Node ' . $node->nid, 'Node saved on node insert.');
+  }
 }
 
 /**
@@ -2426,6 +2444,35 @@ class NodeTokenReplaceTestCase extends DrupalWebTestCase {
       $output = token_replace($input, array('node' => $node), array('language' => $language, 'sanitize' => FALSE));
       $this->assertEqual($output, $expected, format_string('Unsanitized node token %token replaced.', array('%token' => $input)));
     }
+
+    // Repeat for a node without a summary.
+    $settings['body'] = array(LANGUAGE_NONE => array(array('value' => $this->randomName(32), 'summary' => '')));
+    $node = $this->drupalCreateNode($settings);
+
+    // Load node (without summary) so that the body and summary fields are
+    // structured properly.
+    $node = node_load($node->nid);
+    $instance = field_info_instance('node', 'body', $node->type);
+
+    // Generate and test sanitized token - use full body as expected value.
+    $tests = array();
+    $tests['[node:summary]'] = _text_sanitize($instance, $langcode, $node->body[$langcode][0], 'value');
+
+    // Test to make sure that we generated something for each token.
+    $this->assertFalse(in_array(0, array_map('strlen', $tests)), 'No empty tokens generated for node without a summary.');
+
+    foreach ($tests as $input => $expected) {
+      $output = token_replace($input, array('node' => $node), array('language' => $language));
+      $this->assertEqual($output, $expected, format_string('Sanitized node token %token replaced for node without a summary.', array('%token' => $input)));
+    }
+
+    // Generate and test unsanitized tokens.
+    $tests['[node:summary]'] = $node->body[$langcode][0]['value'];
+
+    foreach ($tests as $input => $expected) {
+      $output = token_replace($input, array('node' => $node), array('language' => $language, 'sanitize' => FALSE));
+      $this->assertEqual($output, $expected, format_string('Unsanitized node token %token replaced for node without a summary.', array('%token' => $input)));
+    }
   }
 }
 
@@ -2755,3 +2802,78 @@ class NodeEntityViewModeAlterTest extends NodeWebTestCase {
     $this->assertEqual($build['#view_mode'], 'teaser', 'The view mode has correctly been set to teaser.');
   }
 }
+
+/**
+ * Tests the cache invalidation of node operations.
+ */
+class NodePageCacheTest extends NodeWebTestCase {
+
+  /**
+   * An admin user with administrative permissions for nodes.
+   */
+  protected $admin_user;
+
+  public static function getInfo() {
+    return array(
+        'name' => 'Node page cache test',
+        'description' => 'Test cache invalidation of node operations.',
+        'group' => 'Node',
+    );
+  }
+
+  function setUp() {
+    parent::setUp();
+
+    variable_set('cache', 1);
+    variable_set('page_cache_maximum_age', 300);
+
+    $this->admin_user = $this->drupalCreateUser(array(
+        'bypass node access',
+        'access content overview',
+        'administer nodes',
+    ));
+  }
+
+  /**
+   * Tests deleting nodes clears page cache.
+   */
+  public function testNodeDelete() {
+    $node_path = 'node/' . $this->drupalCreateNode()->nid;
+
+    // Populate page cache.
+    $this->drupalGet($node_path);
+
+    // Login and delete the node.
+    $this->drupalLogin($this->admin_user);
+    $this->drupalPost($node_path . '/delete', array(), t('Delete'));
+
+    // Logout and check the node is not available.
+    $this->drupalLogout();
+    $this->drupalGet($node_path);
+    $this->assertResponse(404);
+
+    // Create two new nodes.
+    $nodes[0] = $this->drupalCreateNode();
+    $nodes[1] = $this->drupalCreateNode();
+    $node_path = 'node/' . $nodes[0]->nid;
+
+    // Populate page cache.
+    $this->drupalGet($node_path);
+
+    // Login and delete the nodes.
+    $this->drupalLogin($this->admin_user);
+    $this->drupalGet('admin/content');
+    $edit = array(
+        'operation' => 'delete',
+        'nodes[' . $nodes[0]->nid . ']' => TRUE,
+        'nodes[' . $nodes[1]->nid . ']' => TRUE,
+    );
+    $this->drupalPost(NULL, $edit, t('Update'));
+    $this->drupalPost(NULL, array(), t('Delete'));
+
+    // Logout and check the node is not available.
+    $this->drupalLogout();
+    $this->drupalGet($node_path);
+    $this->assertResponse(404);
+  }
+}
diff --git a/modules/node/node.tokens.inc b/modules/node/node.tokens.inc
index e43db5e7..e63c751d 100755
--- a/modules/node/node.tokens.inc
+++ b/modules/node/node.tokens.inc
@@ -136,10 +136,29 @@ function node_tokens($type, $tokens, array $data = array(), array $options = arr
         case 'body':
         case 'summary':
           if ($items = field_get_items('node', $node, 'body', $language_code)) {
-            $column = ($name == 'body') ? 'value' : 'summary';
             $instance = field_info_instance('node', 'body', $node->type);
             $field_langcode = field_language('node', $node, 'body', $language_code);
-            $replacements[$original] = $sanitize ? _text_sanitize($instance, $field_langcode, $items[0], $column) : $items[0][$column];
+            // If the summary was requested and is not empty, use it.
+            if ($name == 'summary' && !empty($items[0]['summary'])) {
+              $output = $sanitize ? _text_sanitize($instance, $field_langcode, $items[0], 'summary') : $items[0]['summary'];
+            }
+            // Attempt to provide a suitable version of the 'body' field.
+            else {
+              $output = $sanitize ? _text_sanitize($instance, $field_langcode, $items[0], 'value') : $items[0]['value'];
+              // A summary was requested.
+              if ($name == 'summary') {
+                if (isset($instance['display']['teaser']['settings']['trim_length'])) {
+                  $trim_length = $instance['display']['teaser']['settings']['trim_length'];
+                }
+                else {
+                  // Use default value.
+                  $trim_length = NULL;
+                }
+                // Generate an optionally trimmed summary of the body field.
+                $output = text_summary($output, $instance['settings']['text_processing'] ? $items[0]['format'] : NULL, $trim_length);
+              }
+            }
+            $replacements[$original] = $output;
           }
           break;
 
diff --git a/modules/node/tests/node_access_test.info b/modules/node/tests/node_access_test.info
index 371cb9f6..a2216141 100755
--- a/modules/node/tests/node_access_test.info
+++ b/modules/node/tests/node_access_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/node/tests/node_test.info b/modules/node/tests/node_test.info
index 043e28a7..5b28222d 100755
--- a/modules/node/tests/node_test.info
+++ b/modules/node/tests/node_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/node/tests/node_test.module b/modules/node/tests/node_test.module
index fb667852..edc175f1 100755
--- a/modules/node/tests/node_test.module
+++ b/modules/node/tests/node_test.module
@@ -161,3 +161,21 @@ function node_test_entity_view_mode_alter(&$view_mode, $context) {
     $view_mode = $change_view_mode;
   }
 }
+
+/**
+ * Implements hook_node_insert().
+ *
+ * This tests saving a node on node insert.
+ *
+ * @see NodeSaveTest::testNodeSaveOnInsert()
+ */
+function node_test_node_insert($node) {
+  // Set the node title to the node ID and save.
+  if ($node->title == 'new') {
+    $node->title = 'Node '. $node->nid;
+    // Remove the is_new flag, so that the node is updated and not inserted
+    // again.
+    unset($node->is_new);
+    node_save($node);
+  }
+}
diff --git a/modules/node/tests/node_test_exception.info b/modules/node/tests/node_test_exception.info
index 3d789ff2..92eba8fc 100755
--- a/modules/node/tests/node_test_exception.info
+++ b/modules/node/tests/node_test_exception.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/openid/openid.inc b/modules/openid/openid.inc
index 74a08d57..d7ef663b 100755
--- a/modules/openid/openid.inc
+++ b/modules/openid/openid.inc
@@ -380,6 +380,9 @@ function _openid_parse_message($message) {
 
 /**
  * Return a nonce value - formatted per OpenID spec.
+ *
+ * NOTE: This nonce is not cryptographically secure and only suitable for use
+ * by the test framework.
  */
 function _openid_nonce() {
   // YYYY-MM-DDThh:mm:ssZ, plus some optional extra unique characters.
@@ -549,7 +552,7 @@ function _openid_dh_rand($stop) {
   }
 
   do {
-    $bytes = "\x00" . _openid_get_bytes($nbytes);
+    $bytes = "\x00" . drupal_random_bytes($nbytes);
     $n = _openid_dh_binary_to_long($bytes);
     // Keep looping if this value is in the low duplicated range.
   } while (_openid_math_cmp($n, $duplicate) < 0);
@@ -558,23 +561,7 @@ function _openid_dh_rand($stop) {
 }
 
 function _openid_get_bytes($num_bytes) {
-  $f = &drupal_static(__FUNCTION__);
-  $bytes = '';
-  if (!isset($f)) {
-    $f = @fopen(OPENID_RAND_SOURCE, "r");
-  }
-  if (!$f) {
-    // pseudorandom used
-    $bytes = '';
-    for ($i = 0; $i < $num_bytes; $i += 4) {
-      $bytes .= pack('L', mt_rand());
-    }
-    $bytes = substr($bytes, 0, $num_bytes);
-  }
-  else {
-    $bytes = fread($f, $num_bytes);
-  }
-  return $bytes;
+  return drupal_random_bytes($num_bytes);
 }
 
 function _openid_response($str = NULL) {
diff --git a/modules/openid/openid.info b/modules/openid/openid.info
index a193e819..b92aacd1 100755
--- a/modules/openid/openid.info
+++ b/modules/openid/openid.info
@@ -5,8 +5,8 @@ package = Core
 core = 7.x
 files[] = openid.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/openid/openid.install b/modules/openid/openid.install
index 4b77b710..e382d869 100755
--- a/modules/openid/openid.install
+++ b/modules/openid/openid.install
@@ -15,13 +15,14 @@ function openid_schema() {
       'idp_endpoint_uri' => array(
         'type' => 'varchar',
         'length' => 255,
-        'description' => 'URI of the OpenID Provider endpoint.',
+        'not null' => TRUE,
+        'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
       ),
       'assoc_handle' => array(
         'type' => 'varchar',
         'length' => 255,
         'not null' => TRUE,
-        'description' => 'Primary Key: Used to refer to this association in subsequent messages.',
+        'description' => 'Used to refer to this association in subsequent messages.',
       ),
       'assoc_type' => array(
         'type' => 'varchar',
@@ -51,7 +52,10 @@ function openid_schema() {
         'description' => 'The lifetime, in seconds, of this association.',
       ),
     ),
-    'primary key' => array('assoc_handle'),
+    'primary key' => array('idp_endpoint_uri'),
+    'unique keys' => array(
+      'assoc_handle' => array('assoc_handle'),
+    ),
   );
 
   $schema['openid_nonce'] = array(
@@ -158,3 +162,69 @@ function openid_update_6000() {
 /**
  * @} End of "addtogroup updates-6.x-to-7.x".
  */
+
+/**
+ * @addtogroup updates-7.x-extra
+ * @{
+ */
+
+/**
+ * Bind associations to their providers.
+ */
+function openid_update_7000() {
+  db_drop_table('openid_association');
+
+  $schema = array(
+    'description' => 'Stores temporary shared key association information for OpenID authentication.',
+    'fields' => array(
+      'idp_endpoint_uri' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'not null' => TRUE,
+        'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
+      ),
+      'assoc_handle' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'not null' => TRUE,
+        'description' => 'Used to refer to this association in subsequent messages.',
+      ),
+      'assoc_type' => array(
+        'type' => 'varchar',
+        'length' => 32,
+        'description' => 'The signature algorithm used: one of HMAC-SHA1 or HMAC-SHA256.',
+      ),
+      'session_type' => array(
+        'type' => 'varchar',
+        'length' => 32,
+        'description' => 'Valid association session types: "no-encryption", "DH-SHA1", and "DH-SHA256".',
+      ),
+      'mac_key' => array(
+        'type' => 'varchar',
+        'length' => 255,
+        'description' => 'The MAC key (shared secret) for this association.',
+      ),
+      'created' => array(
+        'type' => 'int',
+        'not null' => TRUE,
+        'default' => 0,
+        'description' => 'UNIX timestamp for when the association was created.',
+      ),
+      'expires_in' => array(
+        'type' => 'int',
+        'not null' => TRUE,
+        'default' => 0,
+        'description' => 'The lifetime, in seconds, of this association.',
+      ),
+    ),
+    'primary key' => array('idp_endpoint_uri'),
+    'unique keys' => array(
+      'assoc_handle' => array('assoc_handle'),
+    ),
+  );
+  db_create_table('openid_association', $schema);
+}
+
+/**
+ * @} End of "addtogroup updates-7.x-extra".
+ */
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 1f764e04..a28f452a 100755
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -839,7 +839,7 @@ function openid_verify_assertion($service, $response) {
   // direct verification: ignore the openid.assoc_handle, even if present.
   // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.1
   if (!empty($response['openid.assoc_handle']) && empty($response['openid.invalidate_handle'])) {
-    $association = db_query("SELECT * FROM {openid_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
+    $association = db_query("SELECT * FROM {openid_association} WHERE idp_endpoint_uri = :endpoint AND assoc_handle = :assoc_handle", array(':endpoint' => $service['uri'], ':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
   }
 
   if ($association && isset($association->session_type)) {
@@ -871,6 +871,7 @@ function openid_verify_assertion($service, $response) {
           // database to avoid reusing it again on a subsequent authentication request.
           // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.2
           db_delete('openid_association')
+            ->condition('idp_endpoint_uri', $service['uri'])
             ->condition('assoc_handle', $response['invalidate_handle'])
             ->execute();
         }
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index 292c5317..41af3f82 100755
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
@@ -694,13 +694,6 @@ class OpenIDTestCase extends DrupalWebTestCase {
     $this->assertEqual(_openid_dh_xorsecret('123456790123456790123456790', "abc123ABC\x00\xFF"), "\xa4'\x06\xbe\xf1.\x00y\xff\xc2\xc1", '_openid_dh_xorsecret() returned expected result.');
   }
 
-  /**
-   * Test _openid_get_bytes().
-   */
-  function testOpenidGetBytes() {
-    $this->assertEqual(strlen(_openid_get_bytes(20)), 20, '_openid_get_bytes() returned expected result.');
-  }
-
   /**
    * Test _openid_signature().
    */
diff --git a/modules/openid/tests/openid_test.info b/modules/openid/tests/openid_test.info
index a55e2b9e..b17175e3 100755
--- a/modules/openid/tests/openid_test.info
+++ b/modules/openid/tests/openid_test.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = openid
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/openid/tests/openid_test.install b/modules/openid/tests/openid_test.install
index 3bd4978f..d30e2dc4 100755
--- a/modules/openid/tests/openid_test.install
+++ b/modules/openid/tests/openid_test.install
@@ -13,5 +13,5 @@ function openid_test_install() {
   // Generate a MAC key (Message Authentication Code) used for signing messages.
   // The variable is base64-encoded, because variables cannot contain non-UTF-8
   // data.
-  variable_set('openid_test_mac_key', base64_encode(_openid_get_bytes(20)));
+  variable_set('openid_test_mac_key', drupal_random_key(20));
 }
diff --git a/modules/overlay/overlay.info b/modules/overlay/overlay.info
index e5459e7a..e559572a 100755
--- a/modules/overlay/overlay.info
+++ b/modules/overlay/overlay.info
@@ -4,8 +4,8 @@ package = Core
 version = VERSION
 core = 7.x
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/overlay/overlay.module b/modules/overlay/overlay.module
index 72819868..7b2fc939 100755
--- a/modules/overlay/overlay.module
+++ b/modules/overlay/overlay.module
@@ -146,6 +146,10 @@ function overlay_init() {
       // If this page shouldn't be rendered inside the overlay, redirect to the
       // parent.
       elseif (!path_is_admin($current_path)) {
+        // Prevent open redirects by ensuring the current path is not an absolute URL.
+        if (url_is_external($current_path)) {
+          $current_path = '<front>';
+        }
         overlay_close_dialog($current_path, array('query' => drupal_get_query_parameters(NULL, array('q', 'render'))));
       }
 
diff --git a/modules/path/path.info b/modules/path/path.info
index 7007fdf8..d4f5b55f 100755
--- a/modules/path/path.info
+++ b/modules/path/path.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = path.test
 configure = admin/config/search/path
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/php/php.info b/modules/php/php.info
index 39de081f..aa5f7633 100755
--- a/modules/php/php.info
+++ b/modules/php/php.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = php.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/php/php.module b/modules/php/php.module
index da9d01db..67616f6b 100755
--- a/modules/php/php.module
+++ b/modules/php/php.module
@@ -17,7 +17,7 @@ function php_help($path, $arg) {
       $output .= '<h3>' . t('Uses') . '</h3>';
       $output .= '<dl>';
       $output .= '<dt>' . t('Enabling execution of PHP in text fields') . '</dt>';
-      $output .= '<dd>' . t('The PHP filter module allows users with the proper permissions to include custom PHP code that will get executed when pages of your site are processed. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious or inexperienced user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use. <a href="@php-snippets">Example PHP snippets</a> can be found on Drupal.org.', array('@php-snippets' => url('http://http://drupal.org/documentation/customization/php-snippets'))) . '</dd>';
+      $output .= '<dd>' . t('The PHP filter module allows users with the proper permissions to include custom PHP code that will get executed when pages of your site are processed. While this is a powerful and flexible feature if used by a trusted user with PHP experience, it is a significant and dangerous security risk in the hands of a malicious or inexperienced user. Even a trusted user may accidentally compromise the site by entering malformed or incorrect PHP code. Only the most trusted users should be granted permission to use the PHP filter, and all PHP code added through the PHP filter should be carefully examined before use. <a href="@php-snippets">Example PHP snippets</a> can be found on Drupal.org.', array('@php-snippets' => url('http://drupal.org/documentation/customization/php-snippets'))) . '</dd>';
       $output .= '</dl>';
       return $output;
   }
diff --git a/modules/poll/poll.info b/modules/poll/poll.info
index 2087de06..fe99797f 100755
--- a/modules/poll/poll.info
+++ b/modules/poll/poll.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = poll.test
 stylesheets[all][] = poll.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/profile/profile.info b/modules/profile/profile.info
index 5ee4deb8..68a5f07f 100755
--- a/modules/profile/profile.info
+++ b/modules/profile/profile.info
@@ -11,8 +11,8 @@ configure = admin/config/people/profile
 ; See user_system_info_alter().
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index d76d08ac..39cf030a 100755
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -571,6 +571,7 @@ function template_preprocess_profile_listing(&$variables) {
   // Supply filtered version of $fields that have values.
   foreach ($variables['fields'] as $field) {
     if ($field->value) {
+      $variables['profile'][$field->name] = new stdClass();
       $variables['profile'][$field->name]->title = $field->title;
       $variables['profile'][$field->name]->value = $field->value;
       $variables['profile'][$field->name]->type = $field->type;
diff --git a/modules/profile/profile.pages.inc b/modules/profile/profile.pages.inc
index 06f96323..056015a3 100755
--- a/modules/profile/profile.pages.inc
+++ b/modules/profile/profile.pages.inc
@@ -17,17 +17,15 @@ function profile_browse() {
   if ($name && $field->fid) {
     // Only allow browsing of fields that have a page title set.
     if (empty($field->page)) {
-      drupal_not_found();
-      return;
+      return MENU_NOT_FOUND;
     }
     // Do not allow browsing of private and hidden fields by non-admins.
     if (!user_access('administer users') && ($field->visibility == PROFILE_PRIVATE || $field->visibility == PROFILE_HIDDEN)) {
-      drupal_access_denied();
-      return;
+      return MENU_ACCESS_DENIED;
     }
 
     // Compile a list of fields to show.
-    $fields = db_query('SELECT name, title, type, weight, page FROM {profile_field} WHERE fid <> :fid AND visibility = :visibility ORDER BY weight', array(
+    $fields = db_query('SELECT name, title, type, weight, page, visibility FROM {profile_field} WHERE fid <> :fid AND visibility = :visibility ORDER BY weight', array(
       ':fid' => $field->fid,
       ':visibility' => PROFILE_PUBLIC_LISTINGS,
     ))->fetchAll();
@@ -54,8 +52,7 @@ function profile_browse() {
         $query->condition('v.value', '%' . db_like($value) . '%', 'LIKE');
         break;
       default:
-        drupal_not_found();
-        return;
+        return MENU_NOT_FOUND;
     }
 
     $uids = $query
@@ -85,7 +82,7 @@ function profile_browse() {
     return $output;
   }
   elseif ($name && !$field->fid) {
-    drupal_not_found();
+    return MENU_NOT_FOUND;
   }
   else {
     // Compile a list of fields to show.
diff --git a/modules/profile/profile.test b/modules/profile/profile.test
index 87fca4a3..42a1a42d 100755
--- a/modules/profile/profile.test
+++ b/modules/profile/profile.test
@@ -42,25 +42,25 @@ class ProfileTestCase extends DrupalWebTestCase {
 
     $this->drupalPost('admin/config/people/profile/add/' . $type, $edit, t('Save field'));
     $fid = db_query("SELECT fid FROM {profile_field} WHERE title = :title", array(':title' => $title))->fetchField();
-    $this->assertTrue($fid, t('New Profile field has been entered in the database'));
+    $this->assertTrue($fid, 'New Profile field has been entered in the database');
 
     // Check that the new field is appearing on the user edit form.
     $this->drupalGet('user/' . $this->admin_user->uid . '/edit/' . $category);
 
     // Checking field.
     if ($type == 'date') {
-      $this->assertField($form_name . '[month]', t('Found month selection field'));
-      $this->assertField($form_name . '[day]', t('Found day selection field'));
-      $this->assertField($form_name . '[year]', t('Found day selection field'));
+      $this->assertField($form_name . '[month]', 'Found month selection field');
+      $this->assertField($form_name . '[day]', 'Found day selection field');
+      $this->assertField($form_name . '[year]', 'Found day selection field');
     }
     else {
-      $this->assertField($form_name , t('Found form named @name', array('@name' => $form_name)));
+      $this->assertField($form_name , format_string('Found form named @name', array('@name' => $form_name)));
     }
 
     // Checking name.
-    $this->assertText($title, t('Checking title for field %title', array('%title' => $title)));
+    $this->assertText($title, format_string('Checking title for field %title', array('%title' => $title)));
     // Checking explanation.
-    $this->assertText($edit['explanation'], t('Checking explanation for field %title', array('%title' => $title)));
+    $this->assertText($edit['explanation'], format_string('Checking explanation for field %title', array('%title' => $title)));
 
     return array(
       'fid' => $fid,
@@ -96,18 +96,18 @@ class ProfileTestCase extends DrupalWebTestCase {
 
     // Checking field.
     if ($type == 'date') {
-      $this->assertField($form_name . '[month]', t('Found month selection field'));
-      $this->assertField($form_name . '[day]', t('Found day selection field'));
-      $this->assertField($form_name . '[year]', t('Found day selection field'));
+      $this->assertField($form_name . '[month]', 'Found month selection field');
+      $this->assertField($form_name . '[day]', 'Found day selection field');
+      $this->assertField($form_name . '[year]', 'Found day selection field');
     }
     else {
-      $this->assertField($form_name , t('Found form named @name', array('@name' => $form_name)));
+      $this->assertField($form_name , format_string('Found form named @name', array('@name' => $form_name)));
     }
 
     // Checking name.
-    $this->assertText($title, t('Checking title for field %title', array('%title' => $title)));
+    $this->assertText($title, format_string('Checking title for field %title', array('%title' => $title)));
     // Checking explanation.
-    $this->assertText($edit['explanation'], t('Checking explanation for field %title', array('%title' => $title)));
+    $this->assertText($edit['explanation'], format_string('Checking explanation for field %title', array('%title' => $title)));
 
     return array(
       'fid' => $fid,
@@ -141,11 +141,11 @@ class ProfileTestCase extends DrupalWebTestCase {
 
     // Check profile page.
     $content = $this->drupalGet('user/' . $this->normal_user->uid);
-    $this->assertText($field['title'], t('Found profile field with title %title', array('%title' => $field['title'])));
+    $this->assertText($field['title'], format_string('Found profile field with title %title', array('%title' => $field['title'])));
 
     if ($field['type'] != 'checkbox') {
       // $value must be cast to a string in order to be found by assertText.
-      $this->assertText("$value", t('Found profile field with value %value', array('%value' => $value)));
+      $this->assertText("$value", format_string('Found profile field with value %value', array('%value' => $value)));
     }
 
     return $value;
@@ -160,7 +160,7 @@ class ProfileTestCase extends DrupalWebTestCase {
   function deleteProfileField($field) {
     $this->drupalPost('admin/config/people/profile/delete/' . $field['fid'], array(), t('Delete'));
     $this->drupalGet('admin/config/people/profile');
-    $this->assertNoText($field['title'], t('Checking deleted field %title', array('%title' => $field['title'])));
+    $this->assertNoText($field['title'], format_string('Checking deleted field %title', array('%title' => $field['title'])));
   }
 }
 
@@ -270,9 +270,9 @@ class ProfileTestDate extends ProfileTestCase {
 
     // Check profile page.
     $this->drupalGet('user/' . $this->normal_user->uid);
-    $this->assertText($field['title'], t('Found profile field with title %title', array('%title' => $field['title'])));
+    $this->assertText($field['title'], format_string('Found profile field with title %title', array('%title' => $field['title'])));
 
-    $this->assertText('01/09/1983', t('Found date profile field.'));
+    $this->assertText('01/09/1983', 'Found date profile field.');
 
     $edit = array(
       'name' => $field['form_name'],
@@ -305,10 +305,10 @@ class ProfileTestWeights extends ProfileTestCase {
     $this->setProfileField($field2, $this->randomName(8));
 
     $profile_edit = $this->drupalGet('user/' . $this->normal_user->uid . '/edit/' . $category);
-    $this->assertTrue(strpos($profile_edit, $field1['title']) > strpos($profile_edit, $field2['title']), t('Profile field weights are respected on the user edit form.'));
+    $this->assertTrue(strpos($profile_edit, $field1['title']) > strpos($profile_edit, $field2['title']), 'Profile field weights are respected on the user edit form.');
 
     $profile_page = $this->drupalGet('user/' . $this->normal_user->uid);
-    $this->assertTrue(strpos($profile_page, $field1['title']) > strpos($profile_page, $field2['title']), t('Profile field weights are respected on the user profile page.'));
+    $this->assertTrue(strpos($profile_page, $field1['title']) > strpos($profile_page, $field2['title']), 'Profile field weights are respected on the user profile page.');
   }
 }
 
@@ -344,15 +344,15 @@ class ProfileTestAutocomplete extends ProfileTestCase {
 
     // Check that autocompletion html is found on the user's profile edit page.
     $this->drupalGet('user/' . $this->admin_user->uid . '/edit/' . $category);
-    $this->assertRaw($autocomplete_html, t('Autocomplete found.'));
-    $this->assertRaw('misc/autocomplete.js', t('Autocomplete JavaScript found.'));
-    $this->assertRaw('class="form-text form-autocomplete"', t('Autocomplete form element class found.'));
+    $this->assertRaw($autocomplete_html, 'Autocomplete found.');
+    $this->assertRaw('misc/autocomplete.js', 'Autocomplete JavaScript found.');
+    $this->assertRaw('class="form-text form-autocomplete"', 'Autocomplete form element class found.');
 
     // Check the autocompletion path using the first letter of our user's profile
     // field value to make sure access is allowed and a valid result if found.
     $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
-    $this->assertResponse(200, t('Autocomplete path allowed to user with permission.'));
-    $this->assertRaw($field['value'], t('Autocomplete value found.'));
+    $this->assertResponse(200, 'Autocomplete path allowed to user with permission.');
+    $this->assertRaw($field['value'], 'Autocomplete value found.');
 
     // Logout and login with a user without the 'access user profiles' permission.
     $this->drupalLogout();
@@ -360,11 +360,11 @@ class ProfileTestAutocomplete extends ProfileTestCase {
 
     // Check that autocompletion html is not found on the user's profile edit page.
     $this->drupalGet('user/' . $this->normal_user->uid . '/edit/' . $category);
-    $this->assertNoRaw($autocomplete_html, t('Autocomplete not found.'));
+    $this->assertNoRaw($autocomplete_html, 'Autocomplete not found.');
 
     // User should be denied access to the profile autocomplete path.
     $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
-    $this->assertResponse(403, t('Autocomplete path denied to user without permission.'));
+    $this->assertResponse(403, 'Autocomplete path denied to user without permission.');
   }
 }
 
@@ -403,48 +403,48 @@ class ProfileBlockTestCase extends ProfileTestCase {
     $edit = array();
     $edit['blocks[profile_author-information][region]'] = 'footer';
     $this->drupalPost('admin/structure/block', $edit, t('Save blocks'));
-    $this->assertText(t('The block settings have been updated.'), t('Block successfully move to footer region.'));
+    $this->assertText(t('The block settings have been updated.'), 'Block successfully move to footer region.');
 
     // Enable field 1.
     $this->drupalPost('admin/structure/block/manage/profile/author-information/configure', array(
       'profile_block_author_fields[' . $this->field1['form_name'] . ']' => TRUE,
     ), t('Save block'));
-    $this->assertText(t('The block configuration has been saved.'), t('Block configuration set.'));
+    $this->assertText(t('The block configuration has been saved.'), 'Block configuration set.');
 
     // Visit the node and confirm that the field is displayed.
     $this->drupalGet('node/' . $this->node->nid);
-    $this->assertRaw($this->value1, t('Field 1 is displayed'));
-    $this->assertNoRaw($this->value2, t('Field 2 is not displayed'));
+    $this->assertRaw($this->value1, 'Field 1 is displayed');
+    $this->assertNoRaw($this->value2, 'Field 2 is not displayed');
 
     // Enable only field 2.
     $this->drupalPost('admin/structure/block/manage/profile/author-information/configure', array(
       'profile_block_author_fields[' . $this->field1['form_name'] . ']' => FALSE,
       'profile_block_author_fields[' . $this->field2['form_name'] . ']' => TRUE,
     ), t('Save block'));
-    $this->assertText(t('The block configuration has been saved.'), t('Block configuration set.'));
+    $this->assertText(t('The block configuration has been saved.'), 'Block configuration set.');
 
     // Visit the node and confirm that the field is displayed.
     $this->drupalGet('node/' . $this->node->nid);
-    $this->assertNoRaw($this->value1, t('Field 1 is not displayed'));
-    $this->assertRaw($this->value2, t('Field 2 is displayed'));
+    $this->assertNoRaw($this->value1, 'Field 1 is not displayed');
+    $this->assertRaw($this->value2, 'Field 2 is displayed');
 
     // Enable both fields.
     $this->drupalPost('admin/structure/block/manage/profile/author-information/configure', array(
       'profile_block_author_fields[' . $this->field1['form_name'] . ']' => TRUE,
       'profile_block_author_fields[' . $this->field2['form_name'] . ']' => TRUE,
     ), t('Save block'));
-    $this->assertText(t('The block configuration has been saved.'), t('Block configuration set.'));
+    $this->assertText(t('The block configuration has been saved.'), 'Block configuration set.');
 
     // Visit the node and confirm that the field is displayed.
     $this->drupalGet('node/' . $this->node->nid);
-    $this->assertRaw($this->value1, t('Field 1 is displayed'));
-    $this->assertRaw($this->value2, t('Field 2 is displayed'));
+    $this->assertRaw($this->value1, 'Field 1 is displayed');
+    $this->assertRaw($this->value2, 'Field 2 is displayed');
 
     // Enable the link to the user profile.
     $this->drupalPost('admin/structure/block/manage/profile/author-information/configure', array(
       'profile_block_author_fields[user_profile]' => TRUE,
     ), t('Save block'));
-    $this->assertText(t('The block configuration has been saved.'), t('Block configuration set.'));
+    $this->assertText(t('The block configuration has been saved.'), 'Block configuration set.');
 
     // Visit the node and confirm that the user profile link is displayed.
     $this->drupalGet('node/' . $this->node->nid);
diff --git a/modules/rdf/rdf.info b/modules/rdf/rdf.info
index 595a622a..dba2b8e3 100755
--- a/modules/rdf/rdf.info
+++ b/modules/rdf/rdf.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 files[] = rdf.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/rdf/rdf.module b/modules/rdf/rdf.module
index e22d5a93..877b598c 100755
--- a/modules/rdf/rdf.module
+++ b/modules/rdf/rdf.module
@@ -484,7 +484,7 @@ function rdf_preprocess_node(&$variables) {
     $element = array(
       '#tag' => 'meta',
       '#attributes' => array(
-        'content' => $variables['title'],
+        'content' => $variables['node']->title,
         'about' => $variables['node_url'],
       ),
     );
diff --git a/modules/rdf/rdf.test b/modules/rdf/rdf.test
index 4d73377f..370dbb25 100755
--- a/modules/rdf/rdf.test
+++ b/modules/rdf/rdf.test
@@ -313,13 +313,18 @@ class RdfMappingDefinitionTestCase extends TaxonomyWebTestCase {
    */
   function testAttributesInMarkup2() {
     $type = $this->drupalCreateContentType(array('type' => 'test_bundle_hook_install'));
-    $node = $this->drupalCreateNode(array('type' => 'test_bundle_hook_install'));
+    // Create node with single quotation mark title to ensure it does not get
+    // escaped more than once.
+    $node = $this->drupalCreateNode(array(
+      'type' => 'test_bundle_hook_install',
+      'title' => $this->randomName(8) . "'",
+    ));
     $isoDate = date('c', $node->changed);
     $url = url('node/' . $node->nid);
     $this->drupalGet('node/' . $node->nid);
 
     // Ensure the mapping defined in rdf_module.test is used.
-    $test_bundle_title = $this->xpath("//meta[@property='dc:title' and @content='$node->title']");
+    $test_bundle_title = $this->xpath('//meta[@property="dc:title" and @content="' . $node->title . '"]');
     $test_bundle_meta = $this->xpath("//div[(@about='$url') and contains(@typeof, 'foo:mapping_install1') and contains(@typeof, 'bar:mapping_install2')]//span[contains(@property, 'dc:date') and contains(@property, 'dc:created') and @datatype='xsd:dateTime' and @content='$isoDate']");
     $this->assertTrue(!empty($test_bundle_title), 'Property dc:title is present in meta tag.');
     $this->assertTrue(!empty($test_bundle_meta), 'RDF type is present on post. Properties dc:date and dc:created are present on post date.');
@@ -436,7 +441,7 @@ class RdfCommentAttributesTestCase extends CommentHelperCase {
     $this->setCommentPreview(DRUPAL_OPTIONAL);
     $this->setCommentForm(TRUE);
     $this->setCommentSubject(TRUE);
-    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, t('Comment paging changed.'));
+    $this->setCommentSettings('comment_default_mode', COMMENT_MODE_THREADED, 'Comment paging changed.');
 
     // Creates the nodes on which the test comments will be posted.
     $this->drupalLogin($this->web_user);
diff --git a/modules/rdf/tests/rdf_test.info b/modules/rdf/tests/rdf_test.info
index 25951787..286b5cce 100755
--- a/modules/rdf/tests/rdf_test.info
+++ b/modules/rdf/tests/rdf_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/search/search-result.tpl.php b/modules/search/search-result.tpl.php
index 47e89ef8..5f2e8bd2 100755
--- a/modules/search/search-result.tpl.php
+++ b/modules/search/search-result.tpl.php
@@ -25,7 +25,7 @@
  *   the template.
  *
  * Default keys within $info_split:
- * - $info_split['type']: Node type (or item type string supplied by module).
+ * - $info_split['module']: The module that implemented the search query.
  * - $info_split['user']: Author of the node linked to users profile. Depends
  *   on permission.
  * - $info_split['date']: Last update of the node. Short formatted.
diff --git a/modules/search/search.extender.inc b/modules/search/search.extender.inc
index ad4b86e8..67094666 100755
--- a/modules/search/search.extender.inc
+++ b/modules/search/search.extender.inc
@@ -105,6 +105,8 @@ class SearchQuery extends SelectQueryExtender {
    * Stores score expressions.
    *
    * @var array
+   *
+   * @see addScore()
    */
   protected $scores = array();
 
@@ -116,7 +118,7 @@ class SearchQuery extends SelectQueryExtender {
   protected $scoresArguments = array();
 
   /**
-   * Total value of all the multipliers.
+   * Stores multipliers for score expressions.
    *
    * @var array
    */
@@ -391,21 +393,39 @@ class SearchQuery extends SelectQueryExtender {
   /**
    * Adds a custom score expression to the search query.
    *
-   * Each score expression can optionally use a multiplier, and multiple
-   * expressions are combined.
+   * Score expressions are used to order search results. If no calls to
+   * addScore() have taken place, a default keyword relevance score will be
+   * used. However, if at least one call to addScore() has taken place, the
+   * keyword relevance score is not automatically added.
+   *
+   * Also note that if you call orderBy() directly on the query, search scores
+   * will not automatically be used to order search results. Your orderBy()
+   * expression can reference 'calculated_score', which will be the total
+   * calculated score value.
    *
    * @param $score
-   *   The score expression.
+   *   The score expression, which should evaluate to a number between 0 and 1.
+   *   The string 'i.relevance' in a score expression will be replaced by a
+   *   measure of keyword relevance between 0 and 1.
    * @param $arguments
-   *   Custom query arguments for that expression.
+   *   Query arguments needed to provide values to the score expression.
    * @param $multiply
-   *   If set, the score is multiplied with that value. Search query ensures
-   *   that the search scores are still normalized.
+   *   If set, the score is multiplied with this value. However, all scores
+   *   with multipliers are then divided by the total of all multipliers, so
+   *   that overall, the normalization is maintained.
+   *
+   * @return object
+   *   The updated query object.
    */
   public function addScore($score, $arguments = array(), $multiply = FALSE) {
     if ($multiply) {
       $i = count($this->multiply);
+      // Modify the score expression so it is multiplied by the multiplier,
+      // with a divisor to renormalize.
       $score = "CAST(:multiply_$i AS DECIMAL) * COALESCE(( " . $score . "), 0) / CAST(:total_$i AS DECIMAL)";
+      // Add an argument for the multiplier. The :total_$i argument is taken
+      // care of in the execute() method, which is when the total divisor is
+      // calculated.
       $arguments[':multiply_' . $i] = $multiply;
       $this->multiply[] = $multiply;
     }
@@ -446,8 +466,9 @@ class SearchQuery extends SelectQueryExtender {
     }
 
     if (count($this->multiply)) {
-      // Add the total multiplicator as many times as requested to maintain
-      // normalization as far as possible.
+      // Re-normalize scores with multipliers by dividing by the total of all
+      // multipliers. The expressions were altered in addScore(), so here just
+      // add the arguments for the total.
       $i = 0;
       $sum = array_sum($this->multiply);
       foreach ($this->multiply as $total) {
@@ -456,13 +477,20 @@ class SearchQuery extends SelectQueryExtender {
       }
     }
 
-    // Replace i.relevance pseudo-field with the actual, normalized value.
-    $this->scores = str_replace('i.relevance', '(' . (1.0 / $this->normalize) . ' * i.score * t.count)', $this->scores);
-    // Convert scores to an expression.
+    // Replace the pseudo-expression 'i.relevance' with a measure of keyword
+    // relevance in all score expressions, using string replacement. Careful
+    // though! If you just print out a float, some locales use ',' as the
+    // decimal separator in PHP, while SQL always uses '.'. So, make sure to
+    // set the number format correctly.
+    $relevance = number_format((1.0 / $this->normalize), 10, '.', '');
+    $this->scores = str_replace('i.relevance', '(' . $relevance . ' * i.score * t.count)', $this->scores);
+
+    // Add all scores together to form a query field.
     $this->addExpression('SUM(' . implode(' + ', $this->scores) . ')', 'calculated_score', $this->scoresArguments);
 
+    // If an order has not yet been set for this query, add a default order
+    // that sorts by the calculated sum of scores.
     if (count($this->getOrderBy()) == 0) {
-      // Add default order after adding the expression.
       $this->orderBy('calculated_score', 'DESC');
     }
 
diff --git a/modules/search/search.info b/modules/search/search.info
index 85412867..cdf9b209 100755
--- a/modules/search/search.info
+++ b/modules/search/search.info
@@ -8,8 +8,8 @@ files[] = search.test
 configure = admin/config/search/settings
 stylesheets[all][] = search.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/search/search.test b/modules/search/search.test
index 28926002..19f4e551 100755
--- a/modules/search/search.test
+++ b/modules/search/search.test
@@ -11,6 +11,9 @@ define('SEARCH_TYPE', '_test_');
 define('SEARCH_TYPE_2', '_test2_');
 define('SEARCH_TYPE_JPN', '_test3_');
 
+/**
+ * Indexes content and queries it.
+ */
 class SearchMatchTestCase extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
@@ -307,6 +310,9 @@ class SearchPageText extends DrupalWebTestCase {
   }
 }
 
+/**
+ * Indexes content and tests the advanced search form.
+ */
 class SearchAdvancedSearchForm extends DrupalWebTestCase {
   protected $node;
 
@@ -370,6 +376,9 @@ class SearchAdvancedSearchForm extends DrupalWebTestCase {
   }
 }
 
+/**
+ * Indexes content and tests ranking factors.
+ */
 class SearchRankingTestCase extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
@@ -580,6 +589,9 @@ class SearchRankingTestCase extends DrupalWebTestCase {
   }
 }
 
+/**
+ * Tests the rendering of the search block.
+ */
 class SearchBlockTestCase extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
@@ -727,7 +739,7 @@ class SearchCommentTestCase extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
       'name' => 'Comment Search tests',
-      'description' => 'Verify text formats and filters used elsewhere.',
+      'description' => 'Test integration searching comments.',
       'group' => 'Search',
     );
   }
@@ -1567,7 +1579,7 @@ class SearchConfigSettingsForm extends DrupalWebTestCase {
 /**
  * Tests the search_excerpt() function.
  */
-class SearchExcerptTestCase extends DrupalUnitTestCase {
+class SearchExcerptTestCase extends DrupalWebTestCase {
   public static function getInfo() {
     return array(
       'name' => 'Search excerpt extraction',
@@ -1577,8 +1589,7 @@ class SearchExcerptTestCase extends DrupalUnitTestCase {
   }
 
   function setUp() {
-    drupal_load('module', 'search');
-    parent::setUp();
+    parent::setUp('search');
   }
 
   /**
@@ -1603,7 +1614,7 @@ class SearchExcerptTestCase extends DrupalUnitTestCase {
     $this->assertEqual($result, 'The quick brown <strong>fox</strong> &amp; jumps over the lazy dog ...', 'Found keyword is highlighted');
 
     $longtext = str_repeat($text . ' ', 10);
-    $result = preg_replace('| +|', ' ', search_excerpt('nothing', $text));
+    $result = preg_replace('| +|', ' ', search_excerpt('nothing', $longtext));
     $this->assertTrue(strpos($result, $expected) === 0, 'When keyword is not found in long string, return value starts as expected');
 
     $entities = str_repeat('k&eacute;sz&iacute;t&eacute;se ', 20);
@@ -2036,3 +2047,45 @@ class SearchNodeAccessTest extends DrupalWebTestCase {
     $this->assertText($node->title);
   }
 }
+
+/**
+ * Tests searching with locale values set.
+ */
+class SearchSetLocaleTest extends DrupalWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Search with numeric locale set',
+      'description' => 'Check that search works with numeric locale settings',
+      'group' => 'Search',
+    );
+  }
+
+  function setUp() {
+    parent::setUp('search');
+
+    // Create a simple node so something will be put in the index.
+    $info = array(
+      'body' => array(LANGUAGE_NONE => array(array('value' => 'Tapir'))),
+    );
+    $this->drupalCreateNode($info);
+
+    // Run cron to index.
+    $this->cronRun();
+  }
+
+  /**
+   * Verify that search works with a numeric locale set.
+   */
+  public function testSearchWithNumericLocale() {
+    // French decimal point is comma.
+    setlocale(LC_NUMERIC, 'fr_FR');
+
+    // An exception will be thrown if a float in the wrong format occurs in the
+    // query to the database, so an assertion is not necessary here.
+    db_select('search_index', 'i')
+      ->extend('searchquery')
+      ->searchexpression('tapir', 'node')
+      ->execute();
+  }
+}
diff --git a/modules/search/tests/search_embedded_form.info b/modules/search/tests/search_embedded_form.info
index c74d1527..9f3d6532 100755
--- a/modules/search/tests/search_embedded_form.info
+++ b/modules/search/tests/search_embedded_form.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/search/tests/search_extra_type.info b/modules/search/tests/search_extra_type.info
index 84502bac..c96e6eef 100755
--- a/modules/search/tests/search_extra_type.info
+++ b/modules/search/tests/search_extra_type.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/shortcut/shortcut.admin.inc b/modules/shortcut/shortcut.admin.inc
index c592a318..2e8ddb43 100755
--- a/modules/shortcut/shortcut.admin.inc
+++ b/modules/shortcut/shortcut.admin.inc
@@ -784,5 +784,5 @@ function shortcut_link_add_inline($shortcut_set) {
     drupal_goto();
   }
 
-  return drupal_access_denied();
+  return MENU_ACCESS_DENIED;
 }
diff --git a/modules/shortcut/shortcut.info b/modules/shortcut/shortcut.info
index bea4570f..1ef44041 100755
--- a/modules/shortcut/shortcut.info
+++ b/modules/shortcut/shortcut.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = shortcut.test
 configure = admin/config/user-interface/shortcut
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/drupal_web_test_case.php b/modules/simpletest/drupal_web_test_case.php
index 0853c7d9..414a3778 100755
--- a/modules/simpletest/drupal_web_test_case.php
+++ b/modules/simpletest/drupal_web_test_case.php
@@ -541,6 +541,15 @@ abstract class DrupalTestCase {
         E_RECOVERABLE_ERROR => 'Recoverable error',
       );
 
+      // PHP 5.3 adds new error logging constants. Add these conditionally for
+      // backwards compatibility with PHP 5.2.
+      if (defined('E_DEPRECATED')) {
+        $error_map += array(
+          E_DEPRECATED => 'Deprecated',
+          E_USER_DEPRECATED => 'User deprecated',
+        );
+      }
+
       $backtrace = debug_backtrace();
       $this->error($message, $error_map[$severity], _drupal_get_last_caller($backtrace));
     }
@@ -730,6 +739,10 @@ class DrupalUnitTestCase extends DrupalTestCase {
     // subsequently will fail as the database is not accessible.
     $module_list = module_list();
     if (isset($module_list['locale'])) {
+      // Transform the list into the format expected as input to module_list().
+      foreach ($module_list as &$module) {
+        $module = array('filename' => drupal_get_filename('module', $module));
+      }
       $this->originalModuleList = $module_list;
       unset($module_list['locale']);
       module_list(TRUE, FALSE, FALSE, $module_list);
@@ -1132,7 +1145,7 @@ class DrupalWebTestCase extends DrupalTestCase {
   }
 
   /**
-   * Internal helper function; Create a role with specified permissions.
+   * Creates a role with specified permissions.
    *
    * @param $permissions
    *   Array of permission names to assign to role.
@@ -2042,7 +2055,14 @@ class DrupalWebTestCase extends DrupalTestCase {
             foreach ($upload as $key => $file) {
               $file = drupal_realpath($file);
               if ($file && is_file($file)) {
-                $post[$key] = '@' . $file;
+                // Use the new CurlFile class for file uploads when using PHP
+                // 5.5 or higher.
+                if (class_exists('CurlFile')) {
+                  $post[$key] = curl_file_create($file);
+                }
+                else {
+                  $post[$key] = '@' . $file;
+                }
               }
             }
           }
@@ -2249,6 +2269,13 @@ class DrupalWebTestCase extends DrupalTestCase {
             }
             break;
 
+          case 'updateBuildId':
+            $buildId = $xpath->query('//input[@name="form_build_id" and @value="' . $command['old'] . '"]')->item(0);
+            if ($buildId) {
+              $buildId->setAttribute('value', $command['new']);
+            }
+            break;
+
           // @todo Add suitable implementations for these commands in order to
           //   have full test coverage of what ajax.js can do.
           case 'remove':
@@ -2267,6 +2294,14 @@ class DrupalWebTestCase extends DrupalTestCase {
     }
     $this->drupalSetContent($content);
     $this->drupalSetSettings($drupal_settings);
+
+    $verbose = 'AJAX POST request to: ' . $path;
+    $verbose .= '<br />AJAX callback path: ' . $ajax_path;
+    $verbose .= '<hr />Ending URL: ' . $this->getUrl();
+    $verbose .= '<hr />' . $this->content;
+
+    $this->verbose($verbose);
+
     return $return;
   }
 
diff --git a/modules/simpletest/files/css_test_files/css_input_with_import.css.unoptimized.css b/modules/simpletest/files/css_test_files/css_input_with_import.css.unoptimized.css
index 4c905f56..19323c12 100755
--- a/modules/simpletest/files/css_test_files/css_input_with_import.css.unoptimized.css
+++ b/modules/simpletest/files/css_test_files/css_input_with_import.css.unoptimized.css
@@ -1,6 +1,16 @@
 
 
 
+ul, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
+.ui-icon{background-image: url(images/icon.png);}
+
+p, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
 
 
 body {
diff --git a/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css
new file mode 100644
index 00000000..d90ecbcb
--- /dev/null
+++ b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css
@@ -0,0 +1,29 @@
+
+
+@import "../import1.css";
+@import "../import2.css";
+
+body {
+  margin: 0;
+  padding: 0;
+  background: #edf5fa;
+  font: 76%/170% Verdana, sans-serif;
+  color: #494949;
+}
+
+.this .is .a .test {
+  font: 1em/100% Verdana, sans-serif;
+  color: #494949;
+}
+.this
+.is
+.a
+.test {
+font: 1em/100% Verdana, sans-serif;
+color: #494949;
+}
+
+textarea, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
diff --git a/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.optimized.css b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.optimized.css
new file mode 100644
index 00000000..aba3b210
--- /dev/null
+++ b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.optimized.css
@@ -0,0 +1,6 @@
+ul,select{font:1em/160% Verdana,sans-serif;color:#494949;}.ui-icon{background-image:url(../images/icon.png);}
+p,select{font:1em/160% Verdana,sans-serif;color:#494949;}
+body{margin:0;padding:0;background:#edf5fa;font:76%/170% Verdana,sans-serif;color:#494949;}.this .is .a .test{font:1em/100% Verdana,sans-serif;color:#494949;}.this
+.is
+.a
+.test{font:1em/100% Verdana,sans-serif;color:#494949;}textarea,select{font:1em/160% Verdana,sans-serif;color:#494949;}
diff --git a/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.unoptimized.css b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.unoptimized.css
new file mode 100644
index 00000000..710d8f14
--- /dev/null
+++ b/modules/simpletest/files/css_test_files/css_subfolder/css_input_with_import.css.unoptimized.css
@@ -0,0 +1,39 @@
+
+
+
+ul, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
+.ui-icon{background-image: url(../images/icon.png);}
+
+p, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
+
+
+body {
+  margin: 0;
+  padding: 0;
+  background: #edf5fa;
+  font: 76%/170% Verdana, sans-serif;
+  color: #494949;
+}
+
+.this .is .a .test {
+  font: 1em/100% Verdana, sans-serif;
+  color: #494949;
+}
+.this
+.is
+.a
+.test {
+font: 1em/100% Verdana, sans-serif;
+color: #494949;
+}
+
+textarea, select {
+  font: 1em/160% Verdana, sans-serif;
+  color: #494949;
+}
diff --git a/modules/simpletest/simpletest.info b/modules/simpletest/simpletest.info
index a57d47ba..8c71aabe 100755
--- a/modules/simpletest/simpletest.info
+++ b/modules/simpletest/simpletest.info
@@ -15,6 +15,7 @@ files[] = tests/bootstrap.test
 files[] = tests/cache.test
 files[] = tests/common.test
 files[] = tests/database_test.test
+files[] = tests/entity_crud.test
 files[] = tests/entity_crud_hook_test.test
 files[] = tests/entity_query.test
 files[] = tests/error.test
@@ -55,8 +56,8 @@ files[] = tests/upgrade/update.trigger.test
 files[] = tests/upgrade/update.field.test
 files[] = tests/upgrade/update.user.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/actions_loop_test.info b/modules/simpletest/tests/actions_loop_test.info
index 7e5a14ea..a202dff6 100755
--- a/modules/simpletest/tests/actions_loop_test.info
+++ b/modules/simpletest/tests/actions_loop_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/ajax.test b/modules/simpletest/tests/ajax.test
index 664d5204..a0c7be8a 100755
--- a/modules/simpletest/tests/ajax.test
+++ b/modules/simpletest/tests/ajax.test
@@ -497,6 +497,85 @@ class AJAXMultiFormTestCase extends AJAXTestCase {
   }
 }
 
+/**
+ * Test Ajax forms when page caching for anonymous users is turned on.
+ */
+class AJAXFormPageCacheTestCase extends AJAXTestCase {
+  protected $profile = 'testing';
+
+  public static function getInfo() {
+    return array(
+      'name' => 'AJAX forms on cached pages',
+      'description' => 'Tests that AJAX forms work properly for anonymous users on cached pages.',
+      'group' => 'AJAX',
+    );
+  }
+
+  public function setUp() {
+    parent::setUp();
+
+    variable_set('cache', TRUE);
+  }
+
+  /**
+   * Return the build id of the current form.
+   */
+  protected function getFormBuildId() {
+    $build_id_fields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($build_id_fields), 1, 'One form build id field on the page');
+    return (string) $build_id_fields[0]['value'];
+  }
+
+  /**
+   * Create a simple form, then POST to system/ajax to change to it.
+   */
+  public function testSimpleAJAXFormValue() {
+    $this->drupalGet('ajax_forms_test_get_form');
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS', 'Page was not cached.');
+    $build_id_initial = $this->getFormBuildId();
+
+    $edit = array('select' => 'green');
+    $commands = $this->drupalPostAJAX(NULL, $edit, 'select');
+    $build_id_first_ajax = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_initial, $build_id_first_ajax, 'Build id is changed in the simpletest-DOM on first AJAX submission');
+    $expected = array(
+      'command' => 'updateBuildId',
+      'old' => $build_id_initial,
+      'new' => $build_id_first_ajax,
+    );
+    $this->assertCommand($commands, $expected, 'Build id change command issued on first AJAX submission');
+
+    $edit = array('select' => 'red');
+    $commands = $this->drupalPostAJAX(NULL, $edit, 'select');
+    $build_id_second_ajax = $this->getFormBuildId();
+    $this->assertEqual($build_id_first_ajax, $build_id_second_ajax, 'Build id remains the same on subsequent AJAX submissions');
+
+    // Repeat the test sequence but this time with a page loaded from the cache.
+    $this->drupalGet('ajax_forms_test_get_form');
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.');
+    $build_id_from_cache_initial = $this->getFormBuildId();
+    $this->assertEqual($build_id_initial, $build_id_from_cache_initial, 'Build id is the same as on the first request');
+
+    $edit = array('select' => 'green');
+    $commands = $this->drupalPostAJAX(NULL, $edit, 'select');
+    $build_id_from_cache_first_ajax = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_from_cache_initial, $build_id_from_cache_first_ajax, 'Build id is changed in the simpletest-DOM on first AJAX submission');
+    $this->assertNotEqual($build_id_first_ajax, $build_id_from_cache_first_ajax, 'Build id from first user is not reused');
+    $expected = array(
+      'command' => 'updateBuildId',
+      'old' => $build_id_from_cache_initial,
+      'new' => $build_id_from_cache_first_ajax,
+    );
+    $this->assertCommand($commands, $expected, 'Build id change command issued on first AJAX submission');
+
+    $edit = array('select' => 'red');
+    $commands = $this->drupalPostAJAX(NULL, $edit, 'select');
+    $build_id_from_cache_second_ajax = $this->getFormBuildId();
+    $this->assertEqual($build_id_from_cache_first_ajax, $build_id_from_cache_second_ajax, 'Build id remains the same on subsequent AJAX submissions');
+  }
+}
+
+
 /**
  * Miscellaneous Ajax tests using ajax_test module.
  */
diff --git a/modules/simpletest/tests/ajax_forms_test.info b/modules/simpletest/tests/ajax_forms_test.info
index 5c0dfcf1..b0e0b331 100755
--- a/modules/simpletest/tests/ajax_forms_test.info
+++ b/modules/simpletest/tests/ajax_forms_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/ajax_test.info b/modules/simpletest/tests/ajax_test.info
index 696fb20b..f464c091 100755
--- a/modules/simpletest/tests/ajax_test.info
+++ b/modules/simpletest/tests/ajax_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/batch_test.info b/modules/simpletest/tests/batch_test.info
index 1e468479..4c004910 100755
--- a/modules/simpletest/tests/batch_test.info
+++ b/modules/simpletest/tests/batch_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/bootstrap.test b/modules/simpletest/tests/bootstrap.test
index 87b59608..4fda15c8 100755
--- a/modules/simpletest/tests/bootstrap.test
+++ b/modules/simpletest/tests/bootstrap.test
@@ -219,6 +219,18 @@ class BootstrapPageCacheTestCase extends DrupalWebTestCase {
     $this->assertFalse($this->drupalGetHeader('Content-Encoding'), 'A Content-Encoding header was not sent.');
     $this->assertTitle(t('Welcome to @site-name | @site-name', array('@site-name' => variable_get('site_name', 'Drupal'))), 'Site title matches.');
     $this->assertRaw('</html>', 'Page was not compressed.');
+
+    // Disable compression mode.
+    variable_set('page_compression', FALSE);
+
+    // Verify if cached page is still available for a client with compression support.
+    $this->drupalGet('', array(), array('Accept-Encoding: gzip,deflate'));
+    $this->drupalSetContent(gzinflate(substr($this->drupalGetContent(), 10, -8)));
+    $this->assertRaw('</html>', 'Page was delivered after compression mode is changed (compression support enabled).');
+
+    // Verify if cached page is still available for a client without compression support.
+    $this->drupalGet('');
+    $this->assertRaw('</html>', 'Page was delivered after compression mode is changed (compression support disabled).');
   }
 }
 
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index 8694ff32..f6e03b00 100755
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -686,6 +686,31 @@ class CascadingStylesheetsTestCase extends DrupalWebTestCase {
     $this->assertEqual(trim($styles), $css_preprocessed, 'Rendering preprocessed inline CSS adds it to the page.');
   }
 
+  /**
+   * Tests removing charset when rendering stylesheets with preprocessing on.
+   */
+  function testRenderRemoveCharsetPreprocess() {
+    $cases = array(
+      array(
+        'asset' => '@charset "UTF-8";html{font-family:"sans-serif";}',
+        'expected' => 'html{font-family:"sans-serif";}',
+      ),
+      // This asset contains extra \n character.
+      array(
+        'asset' => "@charset 'UTF-8';\nhtml{font-family:'sans-serif';}",
+        'expected' => "\nhtml{font-family:'sans-serif';}",
+      ),
+    );
+
+    foreach ($cases as $case) {
+      $this->assertEqual(
+        $case['expected'],
+        drupal_load_stylesheet_content($case['asset']),
+        'CSS optimizing correctly removes the charset declaration.'
+      );
+    }
+  }
+
   /**
    * Tests rendering inline stylesheets with preprocessing off.
    */
@@ -901,26 +926,30 @@ class CascadingStylesheetsUnitTest extends DrupalUnitTestCase {
     $testfiles = array(
       'css_input_without_import.css',
       'css_input_with_import.css',
+      'css_subfolder/css_input_with_import.css',
       'comment_hacks.css'
     );
     $path = drupal_get_path('module', 'simpletest') . '/files/css_test_files';
     foreach ($testfiles as $file) {
-      $expected = file_get_contents("$path/$file.unoptimized.css");
-      $unoptimized_output = drupal_load_stylesheet("$path/$file.unoptimized.css", FALSE);
+      $file_path = $path . '/' . $file;
+      $file_url = $GLOBALS['base_url'] . '/' . $file_path;
+
+      $expected = file_get_contents($file_path . '.unoptimized.css');
+      $unoptimized_output = drupal_load_stylesheet($file_path, FALSE);
       $this->assertEqual($unoptimized_output, $expected, format_string('Unoptimized CSS file has expected contents (@file)', array('@file' => $file)));
 
-      $expected = file_get_contents("$path/$file.optimized.css");
-      $optimized_output = drupal_load_stylesheet("$path/$file", TRUE);
+      $expected = file_get_contents($file_path . '.optimized.css');
+      $optimized_output = drupal_load_stylesheet($file_path, TRUE);
       $this->assertEqual($optimized_output, $expected, format_string('Optimized CSS file has expected contents (@file)', array('@file' => $file)));
 
       // Repeat the tests by accessing the stylesheets by URL.
-      $expected = file_get_contents("$path/$file.unoptimized.css");
-      $unoptimized_output_url = drupal_load_stylesheet($GLOBALS['base_url'] . "/$path/$file.unoptimized.css", FALSE);
-      $this->assertEqual($unoptimized_output, $expected, format_string('Unoptimized CSS file (loaded from an URL) has expected contents (@file)', array('@file' => $file)));
+      $expected = file_get_contents($file_path . '.unoptimized.css');
+      $unoptimized_output_url = drupal_load_stylesheet($file_url, FALSE);
+      $this->assertEqual($unoptimized_output_url, $expected, format_string('Unoptimized CSS file (loaded from an URL) has expected contents (@file)', array('@file' => $file)));
 
-      $expected = file_get_contents("$path/$file.optimized.css");
-      $optimized_output = drupal_load_stylesheet($GLOBALS['base_url'] . "/$path/$file", TRUE);
-      $this->assertEqual($optimized_output, $expected, format_string('Optimized CSS file (loaded from an URL) has expected contents (@file)', array('@file' => $file)));
+      $expected = file_get_contents($file_path . '.optimized.css');
+      $optimized_output_url = drupal_load_stylesheet($file_url, TRUE);
+      $this->assertEqual($optimized_output_url, $expected, format_string('Optimized CSS file (loaded from an URL) has expected contents (@file)', array('@file' => $file)));
     }
   }
 }
@@ -993,8 +1022,8 @@ class DrupalHTTPRequestTestCase extends DrupalWebTestCase {
     $result = drupal_http_request($auth);
 
     $this->drupalSetContent($result->data);
-    $this->assertRaw($username, '$_SERVER["PHP_AUTH_USER"] is passed correctly.');
-    $this->assertRaw($password, '$_SERVER["PHP_AUTH_PW"] is passed correctly.');
+    $this->assertRaw($username, 'Username is passed correctly.');
+    $this->assertRaw($password, 'Password is passed correctly.');
   }
 
   function testDrupalHTTPRequestRedirect() {
@@ -2756,3 +2785,28 @@ class ArrayDiffUnitTest extends DrupalUnitTestCase {
     $this->assertIdentical(drupal_array_diff_assoc_recursive($this->array1, $this->array2), $expected);
   }
 }
+
+/**
+ * Tests the functionality of drupal_get_query_array().
+ */
+class DrupalGetQueryArrayTestCase extends DrupalWebTestCase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Query parsing using drupal_get_query_array()',
+      'description' => 'Tests that drupal_get_query_array() correctly parses query parameters.',
+      'group' => 'System',
+    );
+  }
+
+  /**
+   * Tests that drupal_get_query_array() correctly explodes query parameters.
+   */
+  public function testDrupalGetQueryArray() {
+    $url = "http://my.site.com/somepath?foo=/content/folder[@name='foo']/folder[@name='bar']";
+    $parsed = parse_url($url);
+    $result = drupal_get_query_array($parsed['query']);
+    $this->assertEqual($result['foo'], "/content/folder[@name='foo']/folder[@name='bar']", 'drupal_get_query_array() should only explode parameters on the first equals sign.');
+  }
+
+}
diff --git a/modules/simpletest/tests/common_test.info b/modules/simpletest/tests/common_test.info
index b851cf03..51bd7713 100755
--- a/modules/simpletest/tests/common_test.info
+++ b/modules/simpletest/tests/common_test.info
@@ -7,8 +7,8 @@ stylesheets[all][] = common_test.css
 stylesheets[print][] = common_test.print.css
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/common_test_cron_helper.info b/modules/simpletest/tests/common_test_cron_helper.info
index 231942a0..7869526e 100755
--- a/modules/simpletest/tests/common_test_cron_helper.info
+++ b/modules/simpletest/tests/common_test_cron_helper.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/database_test.info b/modules/simpletest/tests/database_test.info
index 1e94047b..62b59335 100755
--- a/modules/simpletest/tests/database_test.info
+++ b/modules/simpletest/tests/database_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/database_test.install b/modules/simpletest/tests/database_test.install
index 867d8132..11361151 100755
--- a/modules/simpletest/tests/database_test.install
+++ b/modules/simpletest/tests/database_test.install
@@ -87,6 +87,9 @@ function database_test_schema() {
     ),
   );
 
+  $schema['test_people_copy'] = $schema['test_people'];
+  $schema['test_people_copy']['description'] = 'A duplicate version of the test_people table, used for additional tests.';
+
   $schema['test_one_blob'] = array(
     'description' => 'A simple table including a BLOB field for testing BLOB behavior.',
     'fields' => array(
diff --git a/modules/simpletest/tests/database_test.test b/modules/simpletest/tests/database_test.test
index b58578e9..dba04b27 100755
--- a/modules/simpletest/tests/database_test.test
+++ b/modules/simpletest/tests/database_test.test
@@ -23,6 +23,7 @@ class DatabaseTestCase extends DrupalWebTestCase {
 
     $schema['test'] = drupal_get_schema('test');
     $schema['test_people'] = drupal_get_schema('test_people');
+    $schema['test_people_copy'] = drupal_get_schema('test_people_copy');
     $schema['test_one_blob'] = drupal_get_schema('test_one_blob');
     $schema['test_two_blobs'] = drupal_get_schema('test_two_blobs');
     $schema['test_task'] = drupal_get_schema('test_task');
@@ -603,9 +604,9 @@ class DatabaseInsertTestCase extends DatabaseTestCase {
   }
 
   /**
-   * Test that the INSERT INTO ... SELECT ... syntax works.
+   * Test that the INSERT INTO ... SELECT (fields) ... syntax works.
    */
-  function testInsertSelect() {
+  function testInsertSelectFields() {
     $query = db_select('test_people', 'tp');
     // The query builder will always append expressions after fields.
     // Add the expression first to test that the insert fields are correctly
@@ -627,6 +628,27 @@ class DatabaseInsertTestCase extends DatabaseTestCase {
     $saved_age = db_query('SELECT age FROM {test} WHERE name = :name', array(':name' => 'Meredith'))->fetchField();
     $this->assertIdentical($saved_age, '30', 'Can retrieve after inserting.');
   }
+
+  /**
+   * Tests that the INSERT INTO ... SELECT * ... syntax works.
+   */
+  function testInsertSelectAll() {
+    $query = db_select('test_people', 'tp')
+      ->fields('tp')
+      ->condition('tp.name', 'Meredith');
+
+    // The resulting query should be equivalent to:
+    // INSERT INTO test_people_copy
+    // SELECT *
+    // FROM test_people tp
+    // WHERE tp.name = 'Meredith'
+    db_insert('test_people_copy')
+      ->from($query)
+      ->execute();
+
+    $saved_age = db_query('SELECT age FROM {test_people_copy} WHERE name = :name', array(':name' => 'Meredith'))->fetchField();
+    $this->assertIdentical($saved_age, '30', 'Can retrieve after inserting.');
+  }
 }
 
 /**
@@ -2599,6 +2621,52 @@ class DatabaseTaggingTestCase extends DatabaseTestCase {
     $this->assertFalse($query->hasAnyTag('other', 'stuff'), 'hasAnyTag() returned false.');
   }
 
+  /**
+   * Confirm that an extended query has a "tag" added to it.
+   */
+  function testExtenderHasTag() {
+    $query = db_select('test')
+      ->extend('SelectQueryExtender');
+    $query->addField('test', 'name');
+    $query->addField('test', 'age', 'age');
+
+    $query->addTag('test');
+
+    $this->assertTrue($query->hasTag('test'), 'hasTag() returned true.');
+    $this->assertFalse($query->hasTag('other'), 'hasTag() returned false.');
+  }
+
+  /**
+   * Test extended query tagging "has all of these tags" functionality.
+   */
+  function testExtenderHasAllTags() {
+    $query = db_select('test')
+      ->extend('SelectQueryExtender');
+    $query->addField('test', 'name');
+    $query->addField('test', 'age', 'age');
+
+    $query->addTag('test');
+    $query->addTag('other');
+
+    $this->assertTrue($query->hasAllTags('test', 'other'), 'hasAllTags() returned true.');
+    $this->assertFalse($query->hasAllTags('test', 'stuff'), 'hasAllTags() returned false.');
+  }
+
+  /**
+   * Test extended query tagging "has at least one of these tags" functionality.
+   */
+  function testExtenderHasAnyTag() {
+    $query = db_select('test')
+      ->extend('SelectQueryExtender');
+    $query->addField('test', 'name');
+    $query->addField('test', 'age', 'age');
+
+    $query->addTag('test');
+
+    $this->assertTrue($query->hasAnyTag('test', 'other'), 'hasAnyTag() returned true.');
+    $this->assertFalse($query->hasAnyTag('other', 'stuff'), 'hasAnyTag() returned false.');
+  }
+
   /**
    * Test that we can attach meta data to a query object.
    *
@@ -3069,6 +3137,15 @@ class DatabaseTemporaryQueryTestCase extends DrupalWebTestCase {
 
     $this->assertEqual($this->countTableRows($table_name_system), $this->countTableRows("system"), 'A temporary table was created successfully in this request.');
     $this->assertEqual($this->countTableRows($table_name_users), $this->countTableRows("users"), 'A second temporary table was created successfully in this request.');
+
+    // Check that leading whitespace and comments do not cause problems
+    // in the modified query.
+    $sql = "
+      -- Let's select some rows into a temporary table
+      SELECT name FROM {test}
+    ";
+    $table_name_test = db_query_temporary($sql, array());
+    $this->assertEqual($this->countTableRows($table_name_test), $this->countTableRows('test'), 'Leading white space and comments do not interfere with temporary table creation.');
   }
 }
 
diff --git a/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info b/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
index b1073dea..39fd955c 100755
--- a/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
+++ b/modules/simpletest/tests/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info b/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
index 918f4d73..87ed7d44 100755
--- a/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
+++ b/modules/simpletest/tests/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/entity_cache_test.info b/modules/simpletest/tests/entity_cache_test.info
index baa9ddaa..d9ecc8ba 100755
--- a/modules/simpletest/tests/entity_cache_test.info
+++ b/modules/simpletest/tests/entity_cache_test.info
@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = entity_cache_test_dependency
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/entity_cache_test_dependency.info b/modules/simpletest/tests/entity_cache_test_dependency.info
index fac49ea4..0751b37e 100755
--- a/modules/simpletest/tests/entity_cache_test_dependency.info
+++ b/modules/simpletest/tests/entity_cache_test_dependency.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/entity_crud.test b/modules/simpletest/tests/entity_crud.test
new file mode 100644
index 00000000..be159779
--- /dev/null
+++ b/modules/simpletest/tests/entity_crud.test
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * @file
+ * Tests for the Entity CRUD API.
+ */
+
+/**
+ * Tests the entity_load() function.
+ */
+class EntityLoadTestCase extends DrupalWebTestCase {
+  protected $profile = 'testing';
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Entity loading',
+      'description' => 'Tests the entity_load() function.',
+      'group' => 'Entity API',
+    );
+  }
+
+  /**
+   * Tests the functionality for loading entities matching certain conditions.
+   */
+  public function testEntityLoadConditions() {
+    // Create a few nodes. One of them is given an edge-case title of "Array",
+    // because loading entities by an array of conditions is subject to PHP
+    // array-to-string conversion issues and we want to test those.
+    $node_1 = $this->drupalCreateNode(array('title' => 'Array'));
+    $node_2 = $this->drupalCreateNode(array('title' => 'Node 2'));
+    $node_3 = $this->drupalCreateNode(array('title' => 'Node 3'));
+
+    // Load all entities so that they are statically cached.
+    $all_nodes = entity_load('node', FALSE);
+
+    // Check that the first node can be loaded by title.
+    $nodes_loaded = entity_load('node', FALSE, array('title' => 'Array'));
+    $this->assertEqual(array_keys($nodes_loaded), array($node_1->nid));
+
+    // Check that the second and third nodes can be loaded by title using an
+    // array of conditions, and that the first node is not loaded from the
+    // cache along with them.
+    $nodes_loaded = entity_load('node', FALSE, array('title' => array('Node 2', 'Node 3')));
+    ksort($nodes_loaded);
+    $this->assertEqual(array_keys($nodes_loaded), array($node_2->nid, $node_3->nid));
+    $this->assertIdentical($nodes_loaded[$node_2->nid], $all_nodes[$node_2->nid], 'Loaded node 2 is identical to cached node.');
+    $this->assertIdentical($nodes_loaded[$node_3->nid], $all_nodes[$node_3->nid], 'Loaded node 3 is identical to cached node.');
+  }
+}
diff --git a/modules/simpletest/tests/entity_crud_hook_test.info b/modules/simpletest/tests/entity_crud_hook_test.info
index f4aed27d..c2b90c78 100755
--- a/modules/simpletest/tests/entity_crud_hook_test.info
+++ b/modules/simpletest/tests/entity_crud_hook_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/entity_query_access_test.info b/modules/simpletest/tests/entity_query_access_test.info
index 0e4316a4..7039eea5 100755
--- a/modules/simpletest/tests/entity_query_access_test.info
+++ b/modules/simpletest/tests/entity_query_access_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/error_test.info b/modules/simpletest/tests/error_test.info
index 86fb3675..c42bc9ef 100755
--- a/modules/simpletest/tests/error_test.info
+++ b/modules/simpletest/tests/error_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/file.test b/modules/simpletest/tests/file.test
index 0f2cdb64..20dd2737 100755
--- a/modules/simpletest/tests/file.test
+++ b/modules/simpletest/tests/file.test
@@ -952,7 +952,7 @@ class FileDirectoryTest extends FileTestCase {
     $this->assertTrue(is_file(file_default_scheme() . '://.htaccess'), 'Successfully re-created the .htaccess file in the files directory.', 'File');
     // Verify contents of .htaccess file.
     $file = file_get_contents(file_default_scheme() . '://.htaccess');
-    $this->assertEqual($file, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks", 'The .htaccess file contains the proper content.', 'File');
+    $this->assertEqual($file, file_htaccess_lines(FALSE), 'The .htaccess file contains the proper content.', 'File');
   }
 
   /**
@@ -2388,7 +2388,7 @@ class FileDownloadTest extends FileTestCase {
     $this->assertEqual($headers['x-foo'], 'Bar', 'Found header set by file_test module on private download.');
     $this->assertResponse(200, 'Correctly allowed access to a file when file_test provides headers.');
 
-    // Test that the file transfered correctly.
+    // Test that the file transferred correctly.
     $this->assertEqual($contents, $this->content, 'Contents of the file are correct.');
 
     // Deny access to all downloads via a -1 header.
diff --git a/modules/simpletest/tests/file_test.info b/modules/simpletest/tests/file_test.info
index 50bc9dbe..771b3ca0 100755
--- a/modules/simpletest/tests/file_test.info
+++ b/modules/simpletest/tests/file_test.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = file_test.module
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/filter_test.info b/modules/simpletest/tests/filter_test.info
index ff3aaafd..21110a3a 100755
--- a/modules/simpletest/tests/filter_test.info
+++ b/modules/simpletest/tests/filter_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/form.test b/modules/simpletest/tests/form.test
index a1506ccd..f90b854c 100755
--- a/modules/simpletest/tests/form.test
+++ b/modules/simpletest/tests/form.test
@@ -82,6 +82,10 @@ class FormsTestCase extends DrupalWebTestCase {
           $form_state['input'][$element] = $empty;
           $form_state['input']['form_id'] = $form_id;
           $form_state['method'] = 'post';
+
+          // The form token CSRF protection should not interfere with this test,
+          // so we bypass it by marking this test form as programmed.
+          $form_state['programmed'] = TRUE;
           drupal_prepare_form($form_id, $form, $form_state);
           drupal_process_form($form_id, $form, $form_state);
           $errors = form_get_errors();
@@ -614,6 +618,18 @@ class FormValidationTestCase extends DrupalWebTestCase {
     $this->drupalPost(NULL, array(), 'Save');
     $this->assertNoFieldByName('name', 'Form element was hidden.');
     $this->assertText('Name value: element_validate_access', 'Value for inaccessible form element exists.');
+
+    // Verify that #validate handlers don't run if the CSRF token is invalid.
+    $this->drupalLogin($this->drupalCreateUser());
+    $this->drupalGet('form-test/validate');
+    $edit = array(
+      'name' => 'validate',
+      'form_token' => 'invalid token'
+    );
+    $this->drupalPost(NULL, $edit, 'Save');
+    $this->assertNoFieldByName('name', '#value changed by #validate', 'Form element #value was not altered.');
+    $this->assertNoText('Name value: value changed by form_set_value() in #validate', 'Form element value in $form_state was not altered.');
+    $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
   }
 
   /**
@@ -941,6 +957,10 @@ class FormsElementsTableSelectFunctionalTest extends DrupalWebTestCase {
     $form_state['input'] = $edit;
     $form_state['input']['form_id'] = $form_id;
 
+    // The form token CSRF protection should not interfere with this test,
+    // so we bypass it by marking this test form as programmed.
+    $form_state['programmed'] = TRUE;
+
     drupal_prepare_form($form_id, $form, $form_state);
 
     drupal_process_form($form_id, $form, $form_state);
@@ -1136,6 +1156,182 @@ class FormsFormStorageTestCase extends DrupalWebTestCase {
       $this->assertText('State persisted.');
     }
   }
+
+  /**
+   * Verify that the form build-id remains the same when validation errors
+   * occur on a mutable form.
+   */
+  function testMutableForm() {
+    // Request the form with 'cache' query parameter to enable form caching.
+    $this->drupalGet('form_test/form-storage', array('query' => array('cache' => 1)));
+    $buildIdFields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($buildIdFields), 1, 'One form build id field on the page');
+    $buildId = (string) $buildIdFields[0]['value'];
+
+    // Trigger validation error by submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Continue submit');
+
+    // Verify that the build-id did not change.
+    $this->assertFieldByName('form_build_id', $buildId, 'Build id remains the same when form validation fails');
+  }
+
+  /**
+   * Verifies that form build-id is regenerated when loading an immutable form
+   * from the cache.
+   */
+  function testImmutableForm() {
+    // Request the form with 'cache' query parameter to enable form caching.
+    $this->drupalGet('form_test/form-storage', array('query' => array('cache' => 1, 'immutable' => 1)));
+    $buildIdFields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($buildIdFields), 1, 'One form build id field on the page');
+    $buildId = (string) $buildIdFields[0]['value'];
+
+    // Trigger validation error by submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Continue submit');
+
+    // Verify that the build-id did change.
+    $this->assertNoFieldByName('form_build_id', $buildId, 'Build id changes when form validation fails');
+
+    // Retrieve the new build-id.
+    $buildIdFields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($buildIdFields), 1, 'One form build id field on the page');
+    $buildId = (string) $buildIdFields[0]['value'];
+
+    // Trigger validation error by again submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Continue submit');
+
+    // Verify that the build-id does not change the second time.
+    $this->assertFieldByName('form_build_id', $buildId, 'Build id remains the same when form validation fails subsequently');
+  }
+
+  /**
+   * Verify that existing contrib code cannot overwrite immutable form state.
+   */
+  public function testImmutableFormLegacyProtection() {
+    $this->drupalGet('form_test/form-storage', array('query' => array('cache' => 1, 'immutable' => 1)));
+    $build_id_fields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($build_id_fields), 1, 'One form build id field on the page');
+    $build_id = (string) $build_id_fields[0]['value'];
+
+    // Try to poison the form cache.
+    $original = $this->drupalGetAJAX('form_test/form-storage-legacy/' . $build_id);
+    $this->assertEqual($original['form']['#build_id_old'], $build_id, 'Original build_id was recorded');
+    $this->assertNotEqual($original['form']['#build_id'], $build_id, 'New build_id was generated');
+
+    // Assert that a watchdog message was logged by form_set_cache.
+    $status = (bool) db_query_range('SELECT 1 FROM {watchdog} WHERE message = :message', 0, 1, array(':message' => 'Form build-id mismatch detected while attempting to store a form in the cache.'));
+    $this->assert($status, 'A watchdog message was logged by form_set_cache');
+
+    // Ensure that the form state was not poisoned by the preceeding call.
+    $original = $this->drupalGetAJAX('form_test/form-storage-legacy/' . $build_id);
+    $this->assertEqual($original['form']['#build_id_old'], $build_id, 'Original build_id was recorded');
+    $this->assertNotEqual($original['form']['#build_id'], $build_id, 'New build_id was generated');
+    $this->assert(empty($original['form']['#poisoned']), 'Original form structure was preserved');
+    $this->assert(empty($original['form_state']['poisoned']), 'Original form state was preserved');
+  }
+}
+
+/**
+ * Test the form storage when page caching for anonymous users is turned on.
+ */
+class FormsFormStoragePageCacheTestCase extends DrupalWebTestCase {
+  protected $profile = 'testing';
+
+  public static function getInfo() {
+    return array(
+      'name'  => 'Forms using form storage on cached pages',
+      'description'  => 'Tests a form using form storage and makes sure validation and caching works when page caching for anonymous users is turned on.',
+      'group' => 'Form API',
+    );
+  }
+
+  public function setUp() {
+    parent::setUp('form_test');
+
+    variable_set('cache', TRUE);
+  }
+
+  /**
+   * Return the build id of the current form.
+   */
+  protected function getFormBuildId() {
+    $build_id_fields = $this->xpath('//input[@name="form_build_id"]');
+    $this->assertEqual(count($build_id_fields), 1, 'One form build id field on the page');
+    return (string) $build_id_fields[0]['value'];
+  }
+
+  /**
+   * Build-id is regenerated when validating cached form.
+   */
+  public function testValidateFormStorageOnCachedPage() {
+    $this->drupalGet('form_test/form-storage-page-cache');
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS', 'Page was not cached.');
+    $this->assertText('No old build id', 'No old build id on the page');
+    $build_id_initial = $this->getFormBuildId();
+
+    // Trigger validation error by submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Save');
+    $this->assertText($build_id_initial, 'Old build id on the page');
+    $build_id_first_validation = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_initial, $build_id_first_validation, 'Build id changes when form validation fails');
+
+    // Trigger validation error by again submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Save');
+    $this->assertText('No old build id', 'No old build id on the page');
+    $build_id_second_validation = $this->getFormBuildId();
+    $this->assertEqual($build_id_first_validation, $build_id_second_validation, 'Build id remains the same when form validation fails subsequently');
+
+    // Repeat the test sequence but this time with a page loaded from the cache.
+    $this->drupalGet('form_test/form-storage-page-cache');
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT', 'Page was cached.');
+    $this->assertText('No old build id', 'No old build id on the page');
+    $build_id_from_cache_initial = $this->getFormBuildId();
+    $this->assertEqual($build_id_initial, $build_id_from_cache_initial, 'Build id is the same as on the first request');
+
+    // Trigger validation error by submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Save');
+    $this->assertText($build_id_initial, 'Old build id is initial build id');
+    $build_id_from_cache_first_validation = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_initial, $build_id_from_cache_first_validation, 'Build id changes when form validation fails');
+    $this->assertNotEqual($build_id_first_validation, $build_id_from_cache_first_validation, 'Build id from first user is not reused');
+
+    // Trigger validation error by again submitting an empty title.
+    $edit = array('title' => '');
+    $this->drupalPost(NULL, $edit, 'Save');
+    $this->assertText('No old build id', 'No old build id on the page');
+    $build_id_from_cache_second_validation = $this->getFormBuildId();
+    $this->assertEqual($build_id_from_cache_first_validation, $build_id_from_cache_second_validation, 'Build id remains the same when form validation fails subsequently');
+  }
+
+  /**
+   * Build-id is regenerated when rebuilding cached form.
+   */
+  public function testRebuildFormStorageOnCachedPage() {
+    $this->drupalGet('form_test/form-storage-page-cache');
+    $this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'MISS', 'Page was not cached.');
+    $this->assertText('No old build id', 'No old build id on the page');
+    $build_id_initial = $this->getFormBuildId();
+
+    // Trigger rebuild, should regenerate build id.
+    $edit = array('title' => 'something');
+    $this->drupalPost(NULL, $edit, 'Rebuild');
+    $this->assertText($build_id_initial, 'Initial build id as old build id on the page');
+    $build_id_first_rebuild = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_initial, $build_id_first_rebuild, 'Build id changes on first rebuild.');
+
+    // Trigger subsequent rebuild, should regenerate the build id again.
+    $edit = array('title' => 'something');
+    $this->drupalPost(NULL, $edit, 'Rebuild');
+    $this->assertText($build_id_first_rebuild, 'First build id as old build id on the page');
+    $build_id_second_rebuild = $this->getFormBuildId();
+    $this->assertNotEqual($build_id_first_rebuild, $build_id_second_rebuild, 'Build id changes on second rebuild.');
+  }
 }
 
 /**
@@ -1466,6 +1662,16 @@ class FormsProgrammaticTestCase extends DrupalWebTestCase {
     $this->submitForm(array('textfield' => 'dummy value', 'checkboxes' => array(1 => NULL, 2 => 2)), TRUE);
     $this->submitForm(array('textfield' => 'dummy value', 'checkboxes' => array(1 => NULL, 2 => NULL)), TRUE);
 
+    // Test that a programmatic form submission can successfully submit values
+    // even for fields where the #access property is FALSE.
+    $this->submitForm(array('textfield' => 'dummy value', 'textfield_no_access' => 'test value'), TRUE);
+    // Test that #access is respected for programmatic form submissions when
+    // requested to do so.
+    $submitted_values = array('textfield' => 'dummy value', 'textfield_no_access' => 'test value');
+    $expected_values = array('textfield' => 'dummy value', 'textfield_no_access' => 'default value');
+    $form_state = array('programmed_bypass_access_check' => FALSE);
+    $this->submitForm($submitted_values, TRUE, $expected_values, $form_state);
+
     // Test that a programmatic form submission can correctly click a button
     // that limits validation errors based on user input. Since we do not
     // submit any values for "textfield" here and the textfield is required, we
@@ -1488,10 +1694,18 @@ class FormsProgrammaticTestCase extends DrupalWebTestCase {
    * @param $valid_input
    *   A boolean indicating whether or not the form submission is expected to
    *   be valid.
+   * @param $expected_values
+   *   (Optional) An array of field values that are expected to be stored by
+   *   the form submit handler. If not set, the submitted $values are assumed
+   *   to also be the expected stored values.
+   * @param $form_state
+   *   (Optional) A keyed array containing the state of the form, to be sent in
+   *   the call to drupal_form_submit(). The $values parameter is added to
+   *   $form_state['values'] by default, if it is not already set.
    */
-  private function submitForm($values, $valid_input) {
+  private function submitForm($values, $valid_input, $expected_values = NULL, $form_state = array()) {
     // Programmatically submit the given values.
-    $form_state = array('values' => $values);
+    $form_state += array('values' => $values);
     drupal_form_submit('form_test_programmatic_form', $form_state);
 
     // Check that the form returns an error when expected, and vice versa.
@@ -1508,7 +1722,10 @@ class FormsProgrammaticTestCase extends DrupalWebTestCase {
       // By fetching the values from $form_state['storage'] we ensure that the
       // submission handler was properly executed.
       $stored_values = $form_state['storage']['programmatic_form_submit'];
-      foreach ($values as $key => $value) {
+      if (!isset($expected_values)) {
+        $expected_values = $values;
+      }
+      foreach ($expected_values as $key => $value) {
         $this->assertTrue(isset($stored_values[$key]) && $stored_values[$key] == $value, format_string('Submission handler correctly executed: %stored_key is %stored_value', array('%stored_key' => $key, '%stored_value' => print_r($value, TRUE))));
       }
     }
diff --git a/modules/simpletest/tests/form_test.info b/modules/simpletest/tests/form_test.info
index 2cc60367..b0303de4 100755
--- a/modules/simpletest/tests/form_test.info
+++ b/modules/simpletest/tests/form_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/form_test.module b/modules/simpletest/tests/form_test.module
index b4d2f549..602b4090 100755
--- a/modules/simpletest/tests/form_test.module
+++ b/modules/simpletest/tests/form_test.module
@@ -90,6 +90,21 @@ function form_test_menu() {
     'type' => MENU_CALLBACK,
   );
 
+  $items['form_test/form-storage-legacy'] = array(
+    'title' => 'Emulate legacy AHAH-style ajax callback',
+    'page callback' => 'form_test_storage_legacy_handler',
+    'access arguments' => array('access content'),
+    'type' => MENU_CALLBACK,
+  );
+
+  $items['form_test/form-storage-page-cache'] = array(
+    'title' => 'Form storage with page cache test',
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('form_test_storage_page_cache_form'),
+    'access arguments' => array('access content'),
+    'type' => MENU_CALLBACK,
+  );
+
   $items['form_test/wrapper-callback'] = array(
     'title' => 'Form wrapper callback test',
     'page callback' => 'form_test_wrapper_callback',
@@ -746,9 +761,36 @@ function form_test_storage_form($form, &$form_state) {
     $form_state['cache'] = TRUE;
   }
 
+  if (isset($_REQUEST['immutable'])) {
+    $form_state['build_info']['immutable'] = TRUE;
+  }
+
   return $form;
 }
 
+/**
+ * Emulate legacy AHAH-style ajax callback.
+ *
+ * Drupal 6 AHAH callbacks used to operate directly on forms retrieved using
+ * form_get_cache and stored using form_set_cache after manipulation. This
+ * callback helps testing whether form_set_cache prevents resaving of immutable
+ * forms.
+ */
+function form_test_storage_legacy_handler($form_build_id) {
+  $form_state = array();
+  $form = form_get_cache($form_build_id, $form_state);
+
+  drupal_json_output(array(
+    'form' => $form,
+    'form_state' => $form_state,
+  ));
+
+  $form['#poisoned'] = TRUE;
+  $form_state['poisoned'] = TRUE;
+
+  form_set_cache($form_build_id, $form, $form_state);
+}
+
 /**
  * Form element validation handler for 'value' element in form_test_storage_form().
  *
@@ -785,6 +827,56 @@ function form_test_storage_form_submit($form, &$form_state) {
   $form_state['redirect'] = 'node';
 }
 
+/**
+ * A simple form for testing form storage when page caching is enabled.
+ */
+function form_test_storage_page_cache_form($form, &$form_state) {
+  $form['title'] = array(
+    '#type' => 'textfield',
+    '#title' => 'Title',
+    '#required' => TRUE,
+  );
+
+  $form['test_build_id_old'] = array(
+    '#type' => 'item',
+    '#title' => 'Old build id',
+    '#markup' => 'No old build id',
+  );
+
+  $form['submit'] = array(
+    '#type' => 'submit',
+    '#value' => 'Save',
+  );
+
+  $form['rebuild'] = array(
+    '#type' => 'submit',
+    '#value' => 'Rebuild',
+    '#submit' => array('form_test_storage_page_cache_rebuild'),
+  );
+
+  $form['#after_build'] = array('form_test_storage_page_cache_old_build_id');
+  $form_state['cache'] = TRUE;
+
+  return $form;
+}
+
+/**
+ * Form element #after_build callback: output the old form build-id.
+ */
+function form_test_storage_page_cache_old_build_id($form) {
+  if (isset($form['#build_id_old'])) {
+    $form['test_build_id_old']['#markup'] = check_plain($form['#build_id_old']);
+  }
+  return $form;
+}
+
+/**
+ * Form submit callback: Rebuild the form and continue.
+ */
+function form_test_storage_page_cache_rebuild($form, &$form_state) {
+  $form_state['rebuild'] = TRUE;
+}
+
 /**
  * A form for testing form labels and required marks.
  */
@@ -1548,6 +1640,15 @@ function form_test_programmatic_form($form, &$form_state) {
     '#default_value' => array(1, 2),
   );
 
+  // This is used to test that programmatic form submissions can bypass #access
+  // restrictions.
+  $form['textfield_no_access'] = array(
+    '#type' => 'textfield',
+    '#title' => 'Textfield no access',
+    '#default_value' => 'default value',
+    '#access' => FALSE,
+  );
+
   $form['field_to_validate'] = array(
     '#type' => 'radios',
     '#title' => 'Field to validate (in the case of limited validation)',
diff --git a/modules/simpletest/tests/image_test.info b/modules/simpletest/tests/image_test.info
index 0ad875be..f46c00e6 100755
--- a/modules/simpletest/tests/image_test.info
+++ b/modules/simpletest/tests/image_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/mail.test b/modules/simpletest/tests/mail.test
index 8024010a..70a43cb4 100755
--- a/modules/simpletest/tests/mail.test
+++ b/modules/simpletest/tests/mail.test
@@ -267,6 +267,31 @@ class DrupalHtmlToTextTestCase extends DrupalWebTestCase {
     );
   }
 
+  /**
+   * Tests that drupal_wrap_mail() removes trailing whitespace before newlines.
+   */
+  function testDrupalHtmltoTextRemoveTrailingWhitespace() {
+    $text = "Hi there! \nHerp Derp";
+    $mail_lines = explode("\n", drupal_wrap_mail($text));
+    $this->assertNotEqual(" ", substr($mail_lines[0], -1), 'Trailing whitespace removed.');
+  }
+
+  /**
+   * Tests drupal_wrap_mail() retains whitespace from Usenet style signatures.
+   *
+   * RFC 3676 says, "This is a special case; an (optionally quoted or quoted and
+   * stuffed) line consisting of DASH DASH SP is neither fixed nor flowed."
+   */
+  function testDrupalHtmltoTextUsenetSignature() {
+    $text = "Hi there!\n-- \nHerp Derp";
+    $mail_lines = explode("\n", drupal_wrap_mail($text));
+    $this->assertEqual("-- ", $mail_lines[1], 'Trailing whitespace not removed for dash-dash-space signatures.');
+
+    $text = "Hi there!\n--  \nHerp Derp";
+    $mail_lines = explode("\n", drupal_wrap_mail($text));
+    $this->assertEqual("--", $mail_lines[1], 'Trailing whitespace removed for incorrect dash-dash-space signatures.');
+  }
+
   /**
    * Test that whitespace is collapsed.
    */
diff --git a/modules/simpletest/tests/menu.test b/modules/simpletest/tests/menu.test
index 52672c53..f5d7d290 100755
--- a/modules/simpletest/tests/menu.test
+++ b/modules/simpletest/tests/menu.test
@@ -1025,8 +1025,8 @@ class MenuTreeOutputTestCase extends DrupalWebTestCase {
     $output = menu_tree_output($this->tree_data);
 
     // Validate that the - in main-menu is changed into an underscore
-    $this->assertEqual( $output['1']['#theme'], 'menu_link__main_menu', 'Hyphen is changed to a dash on menu_link');
-    $this->assertEqual( $output['#theme_wrappers'][0], 'menu_tree__main_menu', 'Hyphen is changed to a dash on menu_tree wrapper');
+    $this->assertEqual($output['1']['#theme'], 'menu_link__main_menu', 'Hyphen is changed to an underscore on menu_link');
+    $this->assertEqual($output['#theme_wrappers'][0], 'menu_tree__main_menu', 'Hyphen is changed to an underscore on menu_tree wrapper');
     // Looking for child items in the data
     $this->assertEqual( $output['1']['#below']['2']['#href'], 'a/b', 'Checking the href on a child item');
     $this->assertTrue( in_array('active-trail',$output['1']['#below']['2']['#attributes']['class']) , 'Checking the active trail class');
diff --git a/modules/simpletest/tests/menu_test.info b/modules/simpletest/tests/menu_test.info
index 4ca24fa2..c656a1b2 100755
--- a/modules/simpletest/tests/menu_test.info
+++ b/modules/simpletest/tests/menu_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/module_test.info b/modules/simpletest/tests/module_test.info
index e1f16573..0d395252 100755
--- a/modules/simpletest/tests/module_test.info
+++ b/modules/simpletest/tests/module_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/path_test.info b/modules/simpletest/tests/path_test.info
index 71d20c3d..ecc90be6 100755
--- a/modules/simpletest/tests/path_test.info
+++ b/modules/simpletest/tests/path_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/psr_0_test/psr_0_test.info b/modules/simpletest/tests/psr_0_test/psr_0_test.info
index b9acbf37..187a2cc4 100755
--- a/modules/simpletest/tests/psr_0_test/psr_0_test.info
+++ b/modules/simpletest/tests/psr_0_test/psr_0_test.info
@@ -5,8 +5,8 @@ core = 7.x
 hidden = TRUE
 package = Testing
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/requirements1_test.info b/modules/simpletest/tests/requirements1_test.info
index 9a8929aa..509bddcf 100755
--- a/modules/simpletest/tests/requirements1_test.info
+++ b/modules/simpletest/tests/requirements1_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/requirements2_test.info b/modules/simpletest/tests/requirements2_test.info
index 3b3ecdd6..a79154fe 100755
--- a/modules/simpletest/tests/requirements2_test.info
+++ b/modules/simpletest/tests/requirements2_test.info
@@ -7,8 +7,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/session.test b/modules/simpletest/tests/session.test
index 0d9b6bd5..097503b6 100755
--- a/modules/simpletest/tests/session.test
+++ b/modules/simpletest/tests/session.test
@@ -68,8 +68,7 @@ class SessionTestCase extends DrupalWebTestCase {
   }
 
   /**
-   * Test data persistence via the session_test module callbacks. Also tests
-   * drupal_session_count() since session data is already generated here.
+   * Test data persistence via the session_test module callbacks.
    */
   function testDataPersistence() {
     $user = $this->drupalCreateUser(array('access content'));
diff --git a/modules/simpletest/tests/session_test.info b/modules/simpletest/tests/session_test.info
index d1985f9d..a4079fcb 100755
--- a/modules/simpletest/tests/session_test.info
+++ b/modules/simpletest/tests/session_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_dependencies_test.info b/modules/simpletest/tests/system_dependencies_test.info
index d50da29b..f43455e3 100755
--- a/modules/simpletest/tests/system_dependencies_test.info
+++ b/modules/simpletest/tests/system_dependencies_test.info
@@ -6,8 +6,8 @@ core = 7.x
 hidden = TRUE
 dependencies[] = _missing_dependency
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info b/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info
index 01d8b9d8..e8ffcf22 100755
--- a/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info
+++ b/modules/simpletest/tests/system_incompatible_core_version_dependencies_test.info
@@ -6,8 +6,8 @@ core = 7.x
 hidden = TRUE
 dependencies[] = system_incompatible_core_version_test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_incompatible_core_version_test.info b/modules/simpletest/tests/system_incompatible_core_version_test.info
index 2d6c5584..4df3730f 100755
--- a/modules/simpletest/tests/system_incompatible_core_version_test.info
+++ b/modules/simpletest/tests/system_incompatible_core_version_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 5.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info b/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info
index 64cde55a..7ec488bf 100755
--- a/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info
+++ b/modules/simpletest/tests/system_incompatible_module_version_dependencies_test.info
@@ -7,8 +7,8 @@ hidden = TRUE
 ; system_incompatible_module_version_test declares version 1.0
 dependencies[] = system_incompatible_module_version_test (>2.0)
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_incompatible_module_version_test.info b/modules/simpletest/tests/system_incompatible_module_version_test.info
index 785f7a2b..cc613241 100755
--- a/modules/simpletest/tests/system_incompatible_module_version_test.info
+++ b/modules/simpletest/tests/system_incompatible_module_version_test.info
@@ -5,8 +5,8 @@ version = 1.0
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_test.info b/modules/simpletest/tests/system_test.info
index 103c0122..f55a6890 100755
--- a/modules/simpletest/tests/system_test.info
+++ b/modules/simpletest/tests/system_test.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = system_test.module
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/system_test.module b/modules/simpletest/tests/system_test.module
index 8cb0e837..2eda351e 100755
--- a/modules/simpletest/tests/system_test.module
+++ b/modules/simpletest/tests/system_test.module
@@ -114,8 +114,23 @@ function system_test_sleep($seconds) {
 }
 
 function system_test_basic_auth_page() {
-  $output = t('$_SERVER[\'PHP_AUTH_USER\'] is @username.', array('@username' => $_SERVER['PHP_AUTH_USER']));
-  $output .= t('$_SERVER[\'PHP_AUTH_PW\'] is @password.', array('@password' => $_SERVER['PHP_AUTH_PW']));
+  // The Authorization HTTP header is forwarded via Drupal's .htaccess file even
+  // for PHP CGI SAPIs.
+  if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    $authorization_header = $_SERVER['HTTP_AUTHORIZATION'];
+  }
+  // If using CGI on Apache with mod_rewrite, the forwarded HTTP header appears
+  // in the redirected HTTP headers. See
+  // https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/ServerBag.php#L61
+  elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+    $authorization_header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+  }
+  // Resemble PHP_AUTH_USER and PHP_AUTH_PW for a Basic authentication from
+  // the HTTP_AUTHORIZATION header. See
+  // http://www.php.net/manual/features.http-auth.php
+  list($user, $pw) = explode(':', base64_decode(substr($authorization_header, 6)));
+  $output = t('Username is @username.', array('@username' => $user));
+  $output .= t('Password is @password.', array('@password' => $pw));
   return $output;
 }
 
diff --git a/modules/simpletest/tests/taxonomy_test.info b/modules/simpletest/tests/taxonomy_test.info
index 4e82d2e6..293cb1fb 100755
--- a/modules/simpletest/tests/taxonomy_test.info
+++ b/modules/simpletest/tests/taxonomy_test.info
@@ -6,8 +6,8 @@ core = 7.x
 hidden = TRUE
 dependencies[] = taxonomy
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/theme_test.info b/modules/simpletest/tests/theme_test.info
index cb2761f5..d23d6058 100755
--- a/modules/simpletest/tests/theme_test.info
+++ b/modules/simpletest/tests/theme_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info b/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info
index 34160a0e..6eb3e0eb 100755
--- a/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info
+++ b/modules/simpletest/tests/themes/test_basetheme/test_basetheme.info
@@ -6,8 +6,8 @@ hidden = TRUE
 settings[basetheme_only] = base theme value
 settings[subtheme_override] = base theme value
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info b/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info
index 307f5467..8163e62f 100755
--- a/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info
+++ b/modules/simpletest/tests/themes/test_subtheme/test_subtheme.info
@@ -6,8 +6,8 @@ hidden = TRUE
 
 settings[subtheme_override] = subtheme value
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/themes/test_theme/test_theme.info b/modules/simpletest/tests/themes/test_theme/test_theme.info
index 1a9cae4a..6edff7b2 100755
--- a/modules/simpletest/tests/themes/test_theme/test_theme.info
+++ b/modules/simpletest/tests/themes/test_theme/test_theme.info
@@ -17,8 +17,8 @@ stylesheets[all][] = system.base.css
 
 settings[theme_test_setting] = default value
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/update_script_test.info b/modules/simpletest/tests/update_script_test.info
index 3ba2c70c..49f5c908 100755
--- a/modules/simpletest/tests/update_script_test.info
+++ b/modules/simpletest/tests/update_script_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/update_test_1.info b/modules/simpletest/tests/update_test_1.info
index 978a07a8..d70f2152 100755
--- a/modules/simpletest/tests/update_test_1.info
+++ b/modules/simpletest/tests/update_test_1.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/update_test_2.info b/modules/simpletest/tests/update_test_2.info
index 978a07a8..d70f2152 100755
--- a/modules/simpletest/tests/update_test_2.info
+++ b/modules/simpletest/tests/update_test_2.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/update_test_3.info b/modules/simpletest/tests/update_test_3.info
index 978a07a8..d70f2152 100755
--- a/modules/simpletest/tests/update_test_3.info
+++ b/modules/simpletest/tests/update_test_3.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/upgrade/upgrade.taxonomy.test b/modules/simpletest/tests/upgrade/upgrade.taxonomy.test
index e0142f4b..58a4d5c1 100755
--- a/modules/simpletest/tests/upgrade/upgrade.taxonomy.test
+++ b/modules/simpletest/tests/upgrade/upgrade.taxonomy.test
@@ -56,6 +56,11 @@ class UpgradePathTaxonomyTestCase extends UpgradePathTestCase {
     $this->assertFalse(db_table_exists('taxonomy_vocabulary_node_type'), 'taxonomy_vocabulary_node_type has been removed.');
     $this->assertFalse(db_table_exists('taxonomy_term_node'), 'taxonomy_term_node has been removed.');
 
+    // Check that taxonomy_index has not stored nids of unpublished nodes.
+    $nids = db_query('SELECT nid from {node} WHERE status = :status', array(':status' => NODE_NOT_PUBLISHED))->fetchCol();
+    $indexed_nids = db_query('SELECT DISTINCT nid from {taxonomy_index}')->fetchCol();
+    $this->assertFalse(array_intersect($nids, $indexed_nids), 'No unpublished nid present in taxonomy_index');
+
     // Check that the node type 'page' has been associated to a taxonomy
     // reference field for each vocabulary.
     $voc_keys = array();
diff --git a/modules/simpletest/tests/url_alter_test.info b/modules/simpletest/tests/url_alter_test.info
index 78b12d66..f4611d40 100755
--- a/modules/simpletest/tests/url_alter_test.info
+++ b/modules/simpletest/tests/url_alter_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/simpletest/tests/xmlrpc_test.info b/modules/simpletest/tests/xmlrpc_test.info
index 5c749c73..3a641f4d 100755
--- a/modules/simpletest/tests/xmlrpc_test.info
+++ b/modules/simpletest/tests/xmlrpc_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/statistics/statistics.admin.inc b/modules/statistics/statistics.admin.inc
index 415fd005..71e64aa5 100755
--- a/modules/statistics/statistics.admin.inc
+++ b/modules/statistics/statistics.admin.inc
@@ -263,9 +263,7 @@ function statistics_access_log($aid) {
     );
     return $build;
   }
-  else {
-    drupal_not_found();
-  }
+  return MENU_NOT_FOUND;
 }
 
 /**
@@ -305,6 +303,17 @@ function statistics_settings_form() {
     '#default_value' => variable_get('statistics_count_content_views', 0),
     '#description' => t('Increment a counter each time content is viewed.'),
   );
+  $form['content']['statistics_count_content_views_ajax'] = array(
+    '#type' => 'checkbox',
+    '#title' => t('Use Ajax to increment the counter'),
+    '#default_value' => variable_get('statistics_count_content_views_ajax', 0),
+    '#description' => t('Perform the count asynchronously after page load rather than during page generation.'),
+    '#states' => array(
+      'disabled' => array(
+        ':input[name="statistics_count_content_views"]' => array('checked' => FALSE),
+      ),
+    ),
+  );
 
   return system_settings_form($form);
 }
diff --git a/modules/statistics/statistics.info b/modules/statistics/statistics.info
index b3ca7c0f..df51af26 100755
--- a/modules/statistics/statistics.info
+++ b/modules/statistics/statistics.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = statistics.test
 configure = admin/config/system/statistics
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/statistics/statistics.install b/modules/statistics/statistics.install
index b8574355..231c90ec 100755
--- a/modules/statistics/statistics.install
+++ b/modules/statistics/statistics.install
@@ -11,6 +11,7 @@
 function statistics_uninstall() {
   // Remove variables.
   variable_del('statistics_count_content_views');
+  variable_del('statistics_count_content_views_ajax');
   variable_del('statistics_enable_access_log');
   variable_del('statistics_flush_accesslog_timer');
   variable_del('statistics_day_timestamp');
diff --git a/modules/statistics/statistics.js b/modules/statistics/statistics.js
new file mode 100644
index 00000000..b7c56157
--- /dev/null
+++ b/modules/statistics/statistics.js
@@ -0,0 +1,10 @@
+(function ($) {
+  $(document).ready(function() {
+    $.ajax({
+      type: "POST",
+      cache: false,
+      url: Drupal.settings.statistics.url,
+      data: Drupal.settings.statistics.data
+    });
+  });
+})(jQuery);
diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module
index 81d24b75..f665a14f 100755
--- a/modules/statistics/statistics.module
+++ b/modules/statistics/statistics.module
@@ -57,7 +57,7 @@ function statistics_exit() {
   // in which case we need to bootstrap to the session phase anyway.
   drupal_bootstrap(DRUPAL_BOOTSTRAP_VARIABLES);
 
-  if (variable_get('statistics_count_content_views', 0)) {
+  if (variable_get('statistics_count_content_views', 0) && !variable_get('statistics_count_content_views_ajax', 0)) {
     // We are counting content views.
     if (arg(0) == 'node' && is_numeric(arg(1)) && arg(2) == NULL) {
       // A node has been viewed, so update the node's counters.
@@ -115,6 +115,22 @@ function statistics_permission() {
  * Implements hook_node_view().
  */
 function statistics_node_view($node, $view_mode) {
+  // Attach Ajax node count statistics if configured.
+  if (variable_get('statistics_count_content_views', 0) && variable_get('statistics_count_content_views_ajax', 0)) {
+    if (!empty($node->nid) && $view_mode == 'full' && node_is_page($node) && empty($node->in_preview)) {
+      $node->content['#attached']['js'] = array(
+        drupal_get_path('module', 'statistics') . '/statistics.js' => array(
+          'scope' => 'footer'
+        ),
+      );
+      $settings = array('data' => array('nid' => $node->nid), 'url' => url(drupal_get_path('module', 'statistics') . '/statistics.php'));
+      $node->content['#attached']['js'][] = array(
+        'data' => array('statistics' => $settings),
+        'type' => 'setting',
+      );
+    }
+  }
+
   if ($view_mode != 'rss') {
     if (user_access('view post access counter')) {
       $statistics = statistics_get($node->nid);
diff --git a/modules/statistics/statistics.pages.inc b/modules/statistics/statistics.pages.inc
index 8bd9712f..dd50aae3 100755
--- a/modules/statistics/statistics.pages.inc
+++ b/modules/statistics/statistics.pages.inc
@@ -54,9 +54,7 @@ function statistics_node_tracker() {
     $build['statistics_pager'] = array('#theme' => 'pager');
     return $build;
   }
-  else {
-    drupal_not_found();
-  }
+  return MENU_NOT_FOUND;
 }
 
 /**
@@ -99,7 +97,5 @@ function statistics_user_tracker() {
     $build['statistics_pager'] = array('#theme' => 'pager');
     return $build;
   }
-  else {
-    drupal_not_found();
-  }
+  return MENU_NOT_FOUND;
 }
diff --git a/modules/statistics/statistics.php b/modules/statistics/statistics.php
new file mode 100644
index 00000000..f00e0397
--- /dev/null
+++ b/modules/statistics/statistics.php
@@ -0,0 +1,31 @@
+<?php
+
+/**
+ * @file
+ * Handles counts of node views via Ajax with minimal bootstrap.
+ */
+
+/**
+* Root directory of Drupal installation.
+*/
+define('DRUPAL_ROOT', substr($_SERVER['SCRIPT_FILENAME'], 0, strpos($_SERVER['SCRIPT_FILENAME'], '/modules/statistics/statistics.php')));
+// Change the directory to the Drupal root.
+chdir(DRUPAL_ROOT);
+
+include_once DRUPAL_ROOT . '/includes/bootstrap.inc';
+drupal_bootstrap(DRUPAL_BOOTSTRAP_VARIABLES);
+if (variable_get('statistics_count_content_views', 0) && variable_get('statistics_count_content_views_ajax', 0)) {
+  $nid = $_POST['nid'];
+  if (is_numeric($nid)) {
+    db_merge('node_counter')
+      ->key(array('nid' => $nid))
+      ->fields(array(
+        'daycount' => 1,
+        'totalcount' => 1,
+        'timestamp' => REQUEST_TIME,
+      ))
+      ->expression('daycount', 'daycount + 1')
+      ->expression('totalcount', 'totalcount + 1')
+      ->execute();
+  }
+}
diff --git a/modules/statistics/statistics.test b/modules/statistics/statistics.test
index d2155da6..0498bb76 100755
--- a/modules/statistics/statistics.test
+++ b/modules/statistics/statistics.test
@@ -118,6 +118,22 @@ class StatisticsLoggingTestCase extends DrupalWebTestCase {
     $node_counter = statistics_get($this->node->nid);
     $this->assertIdentical($node_counter['totalcount'], '3');
 
+    // Test that Ajax logging doesn't occur when disabled.
+    $post = http_build_query(array('nid' => $this->node->nid));
+    $headers = array('Content-Type' => 'application/x-www-form-urlencoded');
+    global $base_url;
+    $stats_path = $base_url . '/' . drupal_get_path('module', 'statistics'). '/statistics.php';
+    drupal_http_request($stats_path, array('method' => 'POST', 'data' => $post, 'headers' => $headers, 'timeout' => 10000));
+    $node_counter = statistics_get($this->node->nid);
+    $this->assertIdentical($node_counter['totalcount'], '3', 'Page request was not counted via Ajax.');
+
+    // Test that Ajax logging occurs when enabled.
+    variable_set('statistics_count_content_views_ajax', 1);
+    drupal_http_request($stats_path, array('method' => 'POST', 'data' => $post, 'headers' => $headers, 'timeout' => 10000));
+    $node_counter = statistics_get($this->node->nid);
+    $this->assertIdentical($node_counter['totalcount'], '4', 'Page request was counted via Ajax.');
+    variable_set('statistics_count_content_views_ajax', 0);
+
     // Visit edit page to generate a title greater than 255.
     $path = 'node/' . $this->node->nid . '/edit';
     $expected = array(
@@ -142,7 +158,6 @@ class StatisticsLoggingTestCase extends DrupalWebTestCase {
     $log = db_query('SELECT * FROM {accesslog}')->fetchAll(PDO::FETCH_ASSOC);
     $this->assertTrue(is_array($log) && count($log) == 8, 'Page request was logged for a path over 255 characters.');
     $this->assertEqual($log[7]['path'], truncate_utf8($long_path, 255));
-
   }
 }
 
diff --git a/modules/syslog/syslog.info b/modules/syslog/syslog.info
index 542ec714..54c246bf 100755
--- a/modules/syslog/syslog.info
+++ b/modules/syslog/syslog.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = syslog.test
 configure = admin/config/development/logging
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/system/form.api.php b/modules/system/form.api.php
new file mode 100644
index 00000000..3cfec865
--- /dev/null
+++ b/modules/system/form.api.php
@@ -0,0 +1,126 @@
+<?php
+
+/**
+ * @file
+ * Callbacks provided by the form system.
+ */
+
+/**
+ * @addtogroup callbacks
+ * @{
+ */
+
+/**
+ * Perform a single batch operation.
+ *
+ * Callback for batch_set().
+ *
+ * @param $MULTIPLE_PARAMS
+ *   Additional parameters specific to the batch. These are specified in the
+ *   array passed to batch_set().
+ * @param $context
+ *   The batch context array, passed by reference. This contains the following
+ *   properties:
+ *   - 'finished': A float number between 0 and 1 informing the processing
+ *     engine of the completion level for the operation. 1 (or no value
+ *     explicitly set) means the operation is finished: the operation will not
+ *     be called again, and execution passes to the next operation or the
+ *     callback_batch_finished() implementation. Any other value causes this
+ *     operation to be called again; however it should be noted that the value
+ *     set here does not persist between executions of this callback: each time
+ *     it is set to 1 by default by the batch system.
+ *   - 'sandbox': This may be used by operations to persist data between
+ *     successive calls to the current operation. Any values set in
+ *     $context['sandbox'] will be there the next time this function is called
+ *     for the current operation. For example, an operation may wish to store a
+ *     pointer in a file or an offset for a large query. The 'sandbox' array key
+ *     is not initially set when this callback is first called, which makes it
+ *     useful for determining whether it is the first call of the callback or
+ *     not:
+ *     @code
+ *       if (empty($context['sandbox'])) {
+ *         // Perform set-up steps here.
+ *       }
+ *     @endcode
+ *     The values in the sandbox are stored and updated in the database between
+ *     http requests until the batch finishes processing. This avoids problems
+ *     if the user navigates away from the page before the batch finishes.
+ *   - 'message': A text message displayed in the progress page.
+ *   - 'results': The array of results gathered so far by the batch processing.
+ *     This array is highly useful for passing data between operations. After
+ *     all operations have finished, this is passed to callback_batch_finished()
+ *     where results may be referenced to display information to the end-user,
+ *     such as how many total items were processed.
+ */
+function callback_batch_operation($MULTIPLE_PARAMS, &$context) {
+  if (!isset($context['sandbox']['progress'])) {
+    $context['sandbox']['progress'] = 0;
+    $context['sandbox']['current_node'] = 0;
+    $context['sandbox']['max'] = db_query('SELECT COUNT(DISTINCT nid) FROM {node}')->fetchField();
+  }
+
+  // For this example, we decide that we can safely process
+  // 5 nodes at a time without a timeout.
+  $limit = 5;
+
+  // With each pass through the callback, retrieve the next group of nids.
+  $result = db_query_range("SELECT nid FROM {node} WHERE nid > %d ORDER BY nid ASC", $context['sandbox']['current_node'], 0, $limit);
+  while ($row = db_fetch_array($result)) {
+
+    // Here we actually perform our processing on the current node.
+    $node = node_load($row['nid'], NULL, TRUE);
+    $node->value1 = $options1;
+    $node->value2 = $options2;
+    node_save($node);
+
+    // Store some result for post-processing in the finished callback.
+    $context['results'][] = check_plain($node->title);
+
+    // Update our progress information.
+    $context['sandbox']['progress']++;
+    $context['sandbox']['current_node'] = $node->nid;
+    $context['message'] = t('Now processing %node', array('%node' => $node->title));
+  }
+
+  // Inform the batch engine that we are not finished,
+  // and provide an estimation of the completion level we reached.
+  if ($context['sandbox']['progress'] != $context['sandbox']['max']) {
+    $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max'];
+  }
+}
+
+/**
+ * Complete a batch process.
+ *
+ * Callback for batch_set().
+ *
+ * This callback may be specified in a batch to perform clean-up operations, or
+ * to analyze the results of the batch operations.
+ *
+ * @param $success
+ *   A boolean indicating whether the batch has completed successfully.
+ * @param $results
+ *   The value set in $context['results'] by callback_batch_operation().
+ * @param $operations
+ *   If $success is FALSE, contains the operations that remained unprocessed.
+ */
+function callback_batch_finished($success, $results, $operations) {
+  if ($success) {
+    // Here we do something meaningful with the results.
+    $message = t("!count items were processed.", array(
+      '!count' => count($results),
+      ));
+    $message .= theme('item_list', array('items' => $results));
+    drupal_set_message($message);
+  }
+  else {
+    // An error occurred.
+    // $operations contains the operations that remained unprocessed.
+    $error_operation = reset($operations);
+    $message = t('An error occurred while processing %error_operation with arguments: @arguments', array(
+      '%error_operation' => $error_operation[0],
+      '@arguments' => print_r($error_operation[1], TRUE)
+    ));
+    drupal_set_message($message, 'error');
+  }
+}
diff --git a/modules/system/image.gd.inc b/modules/system/image.gd.inc
index 91c0b05f..d9035e4c 100755
--- a/modules/system/image.gd.inc
+++ b/modules/system/image.gd.inc
@@ -56,13 +56,8 @@ function image_gd_settings_validate($form, &$form_state) {
  *   A boolean indicating if the GD toolkit is available on this machine.
  */
 function image_gd_check_settings() {
-  if ($check = get_extension_funcs('gd')) {
-    if (in_array('imagegd2', $check)) {
-      // GD2 support is available.
-      return TRUE;
-    }
-  }
-  return FALSE;
+  // GD2 support is available.
+  return function_exists('imagegd2');
 }
 
 /**
@@ -346,7 +341,7 @@ function image_gd_create_tmp(stdClass $image, $width, $height) {
  */
 function image_gd_get_info(stdClass $image) {
   $details = FALSE;
-  $data = getimagesize($image->source);
+  $data = @getimagesize($image->source);
 
   if (isset($data) && is_array($data)) {
     $extensions = array('1' => 'gif', '2' => 'jpg', '3' => 'png');
diff --git a/modules/system/language.api.php b/modules/system/language.api.php
index d868b6fe..40bb3f36 100755
--- a/modules/system/language.api.php
+++ b/modules/system/language.api.php
@@ -111,18 +111,18 @@ function hook_language_types_info_alter(array &$language_types) {
  *
  * @return
  *   An associative array of language negotiation provider definitions. The keys
- *   are provider identifiers, and the values are associative arrays definining
+ *   are provider identifiers, and the values are associative arrays defining
  *   each provider, with the following elements:
  *   - types: An array of allowed language types. If a language negotiation
  *     provider does not specify which language types it should be used with, it
  *     will be available for all the configurable language types.
  *   - callbacks: An associative array of functions that will be called to
  *     perform various tasks. Possible elements are:
- *     - negotiation: (required) Name of the callback function that determines
- *       the language value.
- *     - language_switch: (optional) Name of the callback function that
- *       determines links for a language switcher block associated with this
- *       provider. See language_switcher_url() for an example.
+ *     - language: (required) Name of the callback function that determines the
+ *       language value.
+ *     - switcher: (optional) Name of the callback function that determines
+ *       links for a language switcher block associated with this provider. See
+ *       language_switcher_url() for an example.
  *     - url_rewrite: (optional) Name of the callback function that provides URL
  *       rewriting, if needed by this provider.
  *   - file: The file where callback functions are defined (this file will be
diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc
index 05543be6..c1e81f0b 100755
--- a/modules/system/system.admin.inc
+++ b/modules/system/system.admin.inc
@@ -309,7 +309,7 @@ function system_theme_enable() {
     }
     drupal_goto('admin/appearance');
   }
-  return drupal_access_denied();
+  return MENU_ACCESS_DENIED;
 }
 
 /**
@@ -337,7 +337,7 @@ function system_theme_disable() {
     }
     drupal_goto('admin/appearance');
   }
-  return drupal_access_denied();
+  return MENU_ACCESS_DENIED;
 }
 
 /**
@@ -383,7 +383,7 @@ function system_theme_default() {
     }
     drupal_goto('admin/appearance');
   }
-  return drupal_access_denied();
+  return MENU_ACCESS_DENIED;
 }
 
 /**
@@ -995,22 +995,28 @@ function _system_modules_build_row($info, $extra) {
   $status_short = '';
   $status_long = '';
 
+  // Initialize empty arrays of long and short reasons explaining why the
+  // module is incompatible.
+  // Add each reason as a separate element in both the arrays.
+  $reasons_short = array();
+  $reasons_long = array();
+
   // Check the core compatibility.
   if (!isset($info['core']) || $info['core'] != DRUPAL_CORE_COMPATIBILITY) {
     $compatible = FALSE;
-    $status_short .= t('Incompatible with this version of Drupal core.');
-    $status_long .= t('This version is not compatible with Drupal !core_version and should be replaced.', array('!core_version' => DRUPAL_CORE_COMPATIBILITY));
+    $reasons_short[] = t('Incompatible with this version of Drupal core.');
+    $reasons_long[] = t('This version is not compatible with Drupal !core_version and should be replaced.', array('!core_version' => DRUPAL_CORE_COMPATIBILITY));
   }
 
   // Ensure this module is compatible with the currently installed version of PHP.
   if (version_compare(phpversion(), $info['php']) < 0) {
     $compatible = FALSE;
-    $status_short .= t('Incompatible with this version of PHP');
+    $reasons_short[] = t('Incompatible with this version of PHP');
     $php_required = $info['php'];
     if (substr_count($info['php'], '.') < 2) {
       $php_required .= '.*';
     }
-    $status_long .= t('This module requires PHP version @php_required and is incompatible with PHP version !php_version.', array('@php_required' => $php_required, '!php_version' => phpversion()));
+    $reasons_long[] = t('This module requires PHP version @php_required and is incompatible with PHP version !php_version.', array('@php_required' => $php_required, '!php_version' => phpversion()));
   }
 
   // If this module is compatible, present a checkbox indicating
@@ -1026,6 +1032,8 @@ function _system_modules_build_row($info, $extra) {
     }
   }
   else {
+    $status_short = implode(' ', $reasons_short);
+    $status_long = implode(' ', $reasons_long);
     $form['enable'] = array(
       '#markup' =>  theme('image', array('path' => 'misc/watchdog-error.png', 'alt' => $status_short, 'title' => $status_short)),
     );
@@ -1618,6 +1626,7 @@ function system_cron_settings() {
   $form['cron']['cron_safe_threshold'] = array(
     '#type' => 'select',
     '#title' => t('Run cron every'),
+    '#description' => t('More information about setting up scheduled tasks can be found by <a href="@url">reading the cron tutorial on drupal.org</a>.', array('@url' => url('http://drupal.org/cron'))),
     '#default_value' => variable_get('cron_safe_threshold', DRUPAL_CRON_DEFAULT_THRESHOLD),
     '#options' => array(0 => t('Never')) + drupal_map_assoc(array(3600, 10800, 21600, 43200, 86400, 604800), 'format_interval'),
   );
@@ -2575,7 +2584,7 @@ function theme_status_report($variables) {
 
   foreach ($requirements as $requirement) {
     if (empty($requirement['#type'])) {
-      $severity = $severities[isset($requirement['severity']) ? (int) $requirement['severity'] : 0];
+      $severity = $severities[isset($requirement['severity']) ? (int) $requirement['severity'] : REQUIREMENT_OK];
       $severity['icon'] = '<div title="' . $severity['title'] . '"><span class="element-invisible">' . $severity['title'] . '</span></div>';
 
       // Output table row(s)
diff --git a/modules/system/system.api.php b/modules/system/system.api.php
index 2c529d48..fbcb1734 100755
--- a/modules/system/system.api.php
+++ b/modules/system/system.api.php
@@ -607,10 +607,12 @@ function hook_cron() {
  *   An associative array where the key is the queue name and the value is
  *   again an associative array. Possible keys are:
  *   - 'worker callback': The name of the function to call. It will be called
- *     with one argument, the item created via DrupalQueue::createItem() in
- *     hook_cron().
+ *     with one argument, the item created via DrupalQueue::createItem().
  *   - 'time': (optional) How much time Drupal should spend on calling this
  *     worker in seconds. Defaults to 15.
+ *   - 'skip on cron': (optional) Set to TRUE to avoid being processed during
+ *     cron runs (for example, if you want to control all queue execution
+ *     manually).
  *
  * @see hook_cron()
  * @see hook_cron_queue_info_alter()
@@ -873,7 +875,7 @@ function hook_css_alter(&$css) {
  *
  * @see ajax_render()
  */
-function hook_ajax_render_alter($commands) {
+function hook_ajax_render_alter(&$commands) {
   // Inject any new status messages into the content area.
   $commands[] = ajax_command_prepend('#block-system-main .content', theme('status_messages'));
 }
@@ -3098,37 +3100,39 @@ function hook_requirements($phase) {
 /**
  * Define the current version of the database schema.
  *
- * A Drupal schema definition is an array structure representing one or
- * more tables and their related keys and indexes. A schema is defined by
+ * A Drupal schema definition is an array structure representing one or more
+ * tables and their related keys and indexes. A schema is defined by
  * hook_schema() which must live in your module's .install file.
  *
- * This hook is called at install and uninstall time, and in the latter
- * case, it cannot rely on the .module file being loaded or hooks being known.
- * If the .module file is needed, it may be loaded with drupal_load().
+ * This hook is called at install and uninstall time, and in the latter case, it
+ * cannot rely on the .module file being loaded or hooks being known. If the
+ * .module file is needed, it may be loaded with drupal_load().
  *
- * The tables declared by this hook will be automatically created when
- * the module is first enabled, and removed when the module is uninstalled.
- * This happens before hook_install() is invoked, and after hook_uninstall()
- * is invoked, respectively.
+ * The tables declared by this hook will be automatically created when the
+ * module is first enabled, and removed when the module is uninstalled. This
+ * happens before hook_install() is invoked, and after hook_uninstall() is
+ * invoked, respectively.
  *
  * By declaring the tables used by your module via an implementation of
  * hook_schema(), these tables will be available on all supported database
  * engines. You don't have to deal with the different SQL dialects for table
  * creation and alteration of the supported database engines.
  *
- * See the Schema API Handbook at http://drupal.org/node/146843 for
- * details on schema definition structures.
+ * See the Schema API Handbook at http://drupal.org/node/146843 for details on
+ * schema definition structures.
  *
- * @return
+ * @return array
  *   A schema definition structure array. For each element of the
  *   array, the key is a table name and the value is a table structure
  *   definition.
  *
+ * @see hook_schema_alter()
+ *
  * @ingroup schemaapi
  */
 function hook_schema() {
   $schema['node'] = array(
-    // example (partial) specification for table "node"
+    // Example (partial) specification for table "node".
     'description' => 'The base table for nodes.',
     'fields' => array(
       'nid' => array(
@@ -4095,7 +4099,7 @@ function hook_date_format_types_alter(&$types) {
  *     declared in an implementation of hook_date_format_types().
  *   - 'format': A PHP date format string to use when formatting dates. It
  *     can contain any of the formatting options described at
- *     http://php.net/manual/en/function.date.php
+ *     http://php.net/manual/function.date.php
  *   - 'locales': (optional) An array of 2 and 5 character locale codes,
  *     defining which locales this format applies to (for example, 'en',
  *     'en-us', etc.). If your date format is not language-specific, leave this
diff --git a/modules/system/system.info b/modules/system/system.info
index eb9b96c8..79b57d4b 100755
--- a/modules/system/system.info
+++ b/modules/system/system.info
@@ -12,8 +12,8 @@ files[] = system.test
 required = TRUE
 configure = admin/config/system
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/system/system.install b/modules/system/system.install
index a58e855a..43c7383a 100755
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -6,12 +6,7 @@
  */
 
 /**
- * Test and report Drupal installation requirements.
- *
- * @param $phase
- *   The current system installation phase.
- * @return
- *   An array of system requirements.
+ * Implements hook_requirements().
  */
 function system_requirements($phase) {
   global $base_url;
@@ -258,6 +253,39 @@ function system_requirements($phase) {
     $requirements['settings.php']['title'] = $t('Configuration file');
   }
 
+  // Test the contents of the .htaccess files.
+  if ($phase == 'runtime') {
+    // Try to write the .htaccess files first, to prevent false alarms in case
+    // (for example) the /tmp directory was wiped.
+    file_ensure_htaccess();
+    $htaccess_files['public://.htaccess'] = array(
+      'title' => $t('Public files directory'),
+      'directory' => variable_get('file_public_path', conf_path() . '/files'),
+    );
+    if ($private_files_directory = variable_get('file_private_path')) {
+      $htaccess_files['private://.htaccess'] = array(
+        'title' => $t('Private files directory'),
+        'directory' => $private_files_directory,
+      );
+    }
+    $htaccess_files['temporary://.htaccess'] = array(
+      'title' => $t('Temporary files directory'),
+      'directory' => variable_get('file_temporary_path', file_directory_temp()),
+    );
+    foreach ($htaccess_files as $htaccess_file => $info) {
+      // Check for the string which was added to the recommended .htaccess file
+      // in the latest security update.
+      if (!file_exists($htaccess_file) || !($contents = @file_get_contents($htaccess_file)) || strpos($contents, 'Drupal_Security_Do_Not_Remove_See_SA_2013_003') === FALSE) {
+        $requirements[$htaccess_file] = array(
+          'title' => $info['title'],
+          'value' => $t('Not fully protected'),
+          'severity' => REQUIREMENT_ERROR,
+          'description' => $t('See <a href="@url">@url</a> for information about the recommended .htaccess file which should be added to the %directory directory to help protect against arbitrary code execution.', array('@url' => 'http://drupal.org/SA-CORE-2013-003', '%directory' => $info['directory'])),
+        );
+      }
+    }
+  }
+
   // Report cron status.
   if ($phase == 'runtime') {
     // Cron warning threshold defaults to two days.
@@ -516,7 +544,7 @@ function system_install() {
     ->execute();
 
   // Populate the cron key variable.
-  $cron_key = drupal_hash_base64(drupal_random_bytes(55));
+  $cron_key = drupal_random_key();
   variable_set('cron_key', $cron_key);
 }
 
@@ -830,6 +858,7 @@ function system_schema() {
       'filesize' => array(
         'description' => 'The size of the file in bytes.',
         'type' => 'int',
+        'size' => 'big',
         'unsigned' => TRUE,
         'not null' => TRUE,
         'default' => 0,
@@ -1743,7 +1772,7 @@ function system_update_7000() {
  * Generate a cron key and save it in the variables table.
  */
 function system_update_7001() {
-  variable_set('cron_key', drupal_hash_base64(drupal_random_bytes(55)));
+  variable_set('cron_key', drupal_random_key());
 }
 
 /**
@@ -3106,6 +3135,21 @@ function system_update_7078() {
   ), array('unique keys' => array('formats' => array('format', 'type'))));
 }
 
+/**
+ * Convert the 'filesize' column in {file_managed} to a bigint.
+ */
+function system_update_7079() {
+  $spec = array(
+    'description' => 'The size of the file in bytes.',
+    'type' => 'int',
+    'size' => 'big',
+    'unsigned' => TRUE,
+    'not null' => TRUE,
+    'default' => 0,
+  );
+  db_change_field('file_managed', 'filesize', 'filesize', $spec);
+}
+
 /**
  * @} End of "defgroup updates-7.x-extra".
  * The next series of updates should start at 8000.
diff --git a/modules/system/system.mail.inc b/modules/system/system.mail.inc
index 4e754400..443e5740 100755
--- a/modules/system/system.mail.inc
+++ b/modules/system/system.mail.inc
@@ -31,7 +31,7 @@ class DefaultMailSystem implements MailSystemInterface {
   /**
    * Send an e-mail message, using Drupal variables and default settings.
    *
-   * @see http://php.net/manual/en/function.mail.php
+   * @see http://php.net/manual/function.mail.php
    * @see drupal_mail()
    *
    * @param $message
diff --git a/modules/system/system.module b/modules/system/system.module
index 2bbcd7fc..d4f3bc47 100755
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -2730,7 +2730,17 @@ function system_default_region($theme) {
 }
 
 /**
- * Add default buttons to a form and set its prefix.
+ * Sets up a form to save information automatically.
+ *
+ * This function adds a submit handler and a submit button to a form array. The
+ * submit function saves all the data in the form, using variable_set(), to
+ * variables named the same as the keys in the form array. Note that this means
+ * you should normally prefix your form array keys with your module name, so
+ * that they are unique when passed into variable_set().
+ *
+ * If you need to manipulate the data in a custom manner, you can either put
+ * your own submission handler in the form array before calling this function,
+ * or just use your own submission handler instead of calling this function.
  *
  * @param $form
  *   An associative array containing the structure of the form.
@@ -2739,6 +2749,7 @@ function system_default_region($theme) {
  *   The form structure.
  *
  * @see system_settings_form_submit()
+ *
  * @ingroup forms
  */
 function system_settings_form($form) {
@@ -2757,7 +2768,7 @@ function system_settings_form($form) {
 }
 
 /**
- * Execute the system_settings_form.
+ * Form submission handler for system_settings_form().
  *
  * If you want node type configure style handling of your checkboxes,
  * add an array_filter value to your form.
@@ -3411,30 +3422,32 @@ function system_image_toolkits() {
 /**
  * Attempts to get a file using drupal_http_request and to store it locally.
  *
- * @param $url
+ * @param string $url
  *   The URL of the file to grab.
- *
- * @param $destination
+ * @param string $destination
  *   Stream wrapper URI specifying where the file should be placed. If a
  *   directory path is provided, the file is saved into that directory under
  *   its original name. If the path contains a filename as well, that one will
  *   be used instead.
  *   If this value is omitted, the site's default files scheme will be used,
  *   usually "public://".
- *
- * @param $managed boolean
+ * @param bool $managed
  *   If this is set to TRUE, the file API hooks will be invoked and the file is
  *   registered in the database.
- *
- * @param $replace boolean
+ * @param int $replace
  *   Replace behavior when the destination file already exists:
  *   - FILE_EXISTS_REPLACE: Replace the existing file.
  *   - FILE_EXISTS_RENAME: Append _{incrementing number} until the filename is
  *     unique.
  *   - FILE_EXISTS_ERROR: Do nothing and return FALSE.
  *
- * @return
- *   On success the location the file was saved to, FALSE on failure.
+ * @return mixed
+ *   One of these possibilities:
+ *   - If it succeeds and $managed is FALSE, the location where the file was
+ *     saved.
+ *   - If it succeeds and $managed is TRUE, a \Drupal\file\FileInterface
+ *     object which describes the file.
+ *   - If it fails, FALSE.
  */
 function system_retrieve_file($url, $destination = NULL, $managed = FALSE, $replace = FILE_EXISTS_RENAME) {
   $parsed_url = parse_url($url);
diff --git a/modules/system/system.test b/modules/system/system.test
index 99e0cbe9..cae5cc78 100755
--- a/modules/system/system.test
+++ b/modules/system/system.test
@@ -867,6 +867,44 @@ class CronRunTestCase extends DrupalWebTestCase {
   }
 }
 
+/**
+ * Test execution of the cron queue.
+ */
+class CronQueueTestCase extends DrupalWebTestCase {
+  /**
+   * Implement getInfo().
+   */
+  public static function getInfo() {
+    return array(
+      'name' => 'Cron queue functionality',
+      'description' => 'Tests the cron queue runner.',
+      'group' => 'System'
+    );
+  }
+
+  function setUp() {
+    parent::setUp(array('common_test', 'common_test_cron_helper'));
+  }
+
+  /**
+   * Tests that exceptions thrown by workers are handled properly.
+   */
+  function testExceptions() {
+    $queue = DrupalQueue::get('cron_queue_test_exception');
+
+    // Enqueue an item for processing.
+    $queue->createItem(array($this->randomName() => $this->randomName()));
+
+    // Run cron; the worker for this queue should throw an exception and handle
+    // it.
+    $this->cronRun();
+
+    // The item should be left in the queue.
+    $this->assertEqual($queue->numberOfItems(), 1, 'Failing item still in the queue after throwing an exception.');
+  }
+
+}
+
 class AdminMetaTagTestCase extends DrupalWebTestCase {
   /**
    * Implement getInfo().
@@ -2712,3 +2750,50 @@ class TokenScanTest extends DrupalWebTestCase {
   }
 }
 
+/**
+ * Test case for drupal_valid_token().
+ */
+class SystemValidTokenTest extends DrupalUnitTestCase {
+
+  /**
+   * Flag to indicate whether PHP error reportings should be asserted.
+   *
+   * @var bool
+   */
+  protected $assertErrors = TRUE;
+
+  public static function getInfo() {
+    return array(
+      'name' => 'Token validation',
+      'description' => 'Test the security token validation.',
+      'group' => 'System',
+    );
+  }
+
+  /**
+   * Tests invalid invocations of drupal_valid_token() that must return FALSE.
+   */
+  public function testTokenValidation() {
+    // The following checks will throw PHP notices, so we disable error
+    // assertions.
+    $this->assertErrors = FALSE;
+    $this->assertFalse(drupal_valid_token(NULL, new stdClass()), 'Token NULL, value object returns FALSE.');
+    $this->assertFalse(drupal_valid_token(0, array()), 'Token 0, value array returns FALSE.');
+    $this->assertFalse(drupal_valid_token('', array()), "Token '', value array returns FALSE.");
+    $this->assertFalse('' === drupal_get_token(array()), 'Token generation does not return an empty string on invalid parameters.');
+    $this->assertErrors = TRUE;
+
+    $this->assertFalse(drupal_valid_token(TRUE, 'foo'), 'Token TRUE, value foo returns FALSE.');
+    $this->assertFalse(drupal_valid_token(0, 'foo'), 'Token 0, value foo returns FALSE.');
+  }
+
+  /**
+   * Overrides DrupalTestCase::errorHandler().
+   */
+  public function errorHandler($severity, $message, $file = NULL, $line = NULL) {
+    if ($this->assertErrors) {
+      return parent::errorHandler($severity, $message, $file, $line);
+    }
+    return TRUE;
+  }
+}
diff --git a/modules/system/tests/cron_queue_test.info b/modules/system/tests/cron_queue_test.info
new file mode 100644
index 00000000..da0984a1
--- /dev/null
+++ b/modules/system/tests/cron_queue_test.info
@@ -0,0 +1,12 @@
+name = Cron Queue test
+description = 'Support module for the cron queue runner.'
+package = Testing
+version = VERSION
+core = 7.x
+hidden = TRUE
+
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
+project = "drupal"
+datestamp = "1399522731"
+
diff --git a/modules/system/tests/cron_queue_test.module b/modules/system/tests/cron_queue_test.module
new file mode 100644
index 00000000..e95c6b6a
--- /dev/null
+++ b/modules/system/tests/cron_queue_test.module
@@ -0,0 +1,15 @@
+<?php
+
+/**
+ * Implements hook_cron_queue_info().
+ */
+function cron_queue_test_cron_queue_info() {
+  $queues['cron_queue_test_exception'] = array(
+    'worker callback' => 'cron_queue_test_exception',
+  );
+  return $queues;
+}
+
+function cron_queue_test_exception($item) {
+  throw new Exception('That is not supposed to happen.');
+}
diff --git a/modules/taxonomy/taxonomy.info b/modules/taxonomy/taxonomy.info
index 98c00eb4..d8dcd982 100755
--- a/modules/taxonomy/taxonomy.info
+++ b/modules/taxonomy/taxonomy.info
@@ -8,8 +8,8 @@ files[] = taxonomy.module
 files[] = taxonomy.test
 configure = admin/structure/taxonomy
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/taxonomy/taxonomy.install b/modules/taxonomy/taxonomy.install
index 2d44d3db..ebd0084a 100755
--- a/modules/taxonomy/taxonomy.install
+++ b/modules/taxonomy/taxonomy.install
@@ -638,6 +638,10 @@ function taxonomy_update_7005(&$sandbox) {
           'type' => 'int',
           'not null' => FALSE,
         ),
+        'status' => array(
+          'type' => 'int',
+          'not null' => FALSE,
+        ),
         'is_current' => array(
           'type' => 'int',
           'unsigned' => TRUE,
@@ -670,6 +674,7 @@ function taxonomy_update_7005(&$sandbox) {
     $query->addField('n', 'type');
     $query->addField('n2', 'created');
     $query->addField('n2', 'sticky');
+    $query->addField('n2', 'status');
     $query->addField('n2', 'nid', 'is_current');
     // This query must return a consistent ordering across multiple calls.
     // We need them ordered by node vid (since we use that to decide when
@@ -698,7 +703,7 @@ function taxonomy_update_7005(&$sandbox) {
     // We do each pass in batches of 1000.
     $batch = 1000;
 
-    $result = db_query_range('SELECT vocab_id, tid, nid, vid, type, created, sticky, is_current FROM {taxonomy_update_7005} ORDER BY n', $sandbox['last'], $batch);
+    $result = db_query_range('SELECT vocab_id, tid, nid, vid, type, created, sticky, status, is_current FROM {taxonomy_update_7005} ORDER BY n', $sandbox['last'], $batch);
     if (isset($sandbox['cursor'])) {
       $values = $sandbox['cursor']['values'];
       $deltas = $sandbox['cursor']['deltas'];
@@ -765,12 +770,14 @@ function taxonomy_update_7005(&$sandbox) {
       // is_current column is a node ID if this revision is also current.
       if ($record->is_current) {
         db_insert($table_name)->fields($columns)->values($values)->execute();
-
-        // Update the {taxonomy_index} table.
-        db_insert('taxonomy_index')
-          ->fields(array('nid', 'tid', 'sticky', 'created',))
-          ->values(array($record->nid, $record->tid, $record->sticky, $record->created))
-          ->execute();
+        // Only insert a record in the taxonomy index if the node is published.
+        if ($record->status) {
+          // Update the {taxonomy_index} table.
+          db_insert('taxonomy_index')
+            ->fields(array('nid', 'tid', 'sticky', 'created',))
+            ->values(array($record->nid, $record->tid, $record->sticky, $record->created))
+            ->execute();
+        }
       }
     }
 
@@ -888,3 +895,44 @@ function taxonomy_update_7010() {
   ));
 }
 
+/**
+ * @addtogroup updates-7.x-extra
+ * @{
+ */
+
+/**
+ * Drop unpublished nodes from the index.
+ */
+function taxonomy_update_7011(&$sandbox) {
+  // Initialize information needed by the batch update system.
+  if (!isset($sandbox['progress'])) {
+    $sandbox['progress'] = 0;
+    $sandbox['max'] = db_query('SELECT COUNT(DISTINCT n.nid) FROM {node} n INNER JOIN {taxonomy_index} t ON n.nid = t.nid WHERE n.status = :status', array(':status' => NODE_NOT_PUBLISHED))->fetchField();
+    // If there's no data, don't bother with the extra work.
+    if (empty($sandbox['max'])) {
+      return;
+    }
+  }
+
+  // Process records in groups of 5000.
+  $limit = 5000;
+  $nids = db_query_range('SELECT DISTINCT n.nid FROM {node} n INNER JOIN {taxonomy_index} t ON n.nid = t.nid WHERE n.status = :status', 0, $limit, array(':status' => NODE_NOT_PUBLISHED))->fetchCol();
+  if (!empty($nids)) {
+    db_delete('taxonomy_index')
+      ->condition('nid', $nids)
+      ->execute();
+  }
+
+  // Update our progress information for the batch update.
+  $sandbox['progress'] += $limit;
+
+  // Indicate our current progress to the batch update system, if the update is
+  // not yet complete.
+  if ($sandbox['progress'] < $sandbox['max']) {
+    $sandbox['#finished'] = $sandbox['progress'] / $sandbox['max'];
+  }
+}
+
+/**
+ * @} End of "addtogroup updates-7.x-extra".
+ */
diff --git a/modules/taxonomy/taxonomy.module b/modules/taxonomy/taxonomy.module
index 7ad28e9f..4191146a 100755
--- a/modules/taxonomy/taxonomy.module
+++ b/modules/taxonomy/taxonomy.module
@@ -457,7 +457,12 @@ function taxonomy_vocabulary_save($vocabulary) {
 }
 
 /**
- * Delete a vocabulary.
+ * Deletes a vocabulary.
+ *
+ * This will update all Taxonomy fields so that they don't reference the
+ * deleted vocabulary. It also will delete fields that have no remaining
+ * vocabulary references. All taxonomy terms of the deleted vocabulary
+ * will be deleted as well.
  *
  * @param $vid
  *   A vocabulary ID.
@@ -748,7 +753,7 @@ function taxonomy_term_delete($tid) {
  * @param term
  *   A taxonomy term object.
  * @return
- *   A $page element suitable for use by drupal_page_render().
+ *   A $page element suitable for use by drupal_render().
  */
 function taxonomy_term_show($term) {
   return taxonomy_term_view_multiple(array($term->tid => $term), 'full');
diff --git a/modules/taxonomy/taxonomy.test b/modules/taxonomy/taxonomy.test
index 665f9aeb..fdf354b7 100755
--- a/modules/taxonomy/taxonomy.test
+++ b/modules/taxonomy/taxonomy.test
@@ -690,15 +690,20 @@ class TaxonomyTermTestCase extends TaxonomyWebTestCase {
       $term_objects[$key] = reset($term_objects[$key]);
     }
 
+    // Test editing the node.
+    $node = $this->drupalGetNodeByTitle($edit["title"]);
+    $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
+    foreach ($terms as $term) {
+      $this->assertText($term, 'The term was retained after edit and still appears on the node page.');
+    }
+
     // Delete term 1.
     $this->drupalPost('taxonomy/term/' . $term_objects['term1']->tid . '/edit', array(), t('Delete'));
     $this->drupalPost(NULL, NULL, t('Delete'));
     $term_names = array($term_objects['term2']->name, $term_objects['term3']->name);
 
-    // Get the node.
-    $node = $this->drupalGetNodeByTitle($edit["title"]);
+    // Get the node and verify that the terms that should be there still are.
     $this->drupalGet('node/' . $node->nid);
-
     foreach ($term_names as $term_name) {
       $this->assertText($term_name, format_string('The term %name appears on the node page after one term %deleted was deleted', array('%name' => $term_name, '%deleted' => $term_objects['term1']->name)));
     }
diff --git a/modules/toolbar/toolbar.info b/modules/toolbar/toolbar.info
index 19d4ab78..7cf9fd02 100755
--- a/modules/toolbar/toolbar.info
+++ b/modules/toolbar/toolbar.info
@@ -4,8 +4,8 @@ core = 7.x
 package = Core
 version = VERSION
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/tracker/tracker.info b/modules/tracker/tracker.info
index 7ee7d6fc..85826146 100755
--- a/modules/tracker/tracker.info
+++ b/modules/tracker/tracker.info
@@ -6,8 +6,8 @@ version = VERSION
 core = 7.x
 files[] = tracker.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/tracker/tracker.pages.inc b/modules/tracker/tracker.pages.inc
index baa99866..fa16b657 100755
--- a/modules/tracker/tracker.pages.inc
+++ b/modules/tracker/tracker.pages.inc
@@ -120,7 +120,6 @@ function tracker_page($account = NULL, $set_title = FALSE) {
   );
   $page['pager'] = array(
     '#theme' => 'pager',
-    '#quantity' => 25,
     '#weight' => 10,
   );
   $page['#sorted'] = TRUE;
diff --git a/modules/translation/tests/translation_test.info b/modules/translation/tests/translation_test.info
index f6cf50be..c959a4cd 100755
--- a/modules/translation/tests/translation_test.info
+++ b/modules/translation/tests/translation_test.info
@@ -5,8 +5,8 @@ package = Testing
 version = VERSION
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/translation/translation.info b/modules/translation/translation.info
index f70c24f5..fa53de36 100755
--- a/modules/translation/translation.info
+++ b/modules/translation/translation.info
@@ -6,8 +6,8 @@ version = VERSION
 core = 7.x
 files[] = translation.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/trigger/tests/trigger_test.info b/modules/trigger/tests/trigger_test.info
index b3a13d2e..8a0a3458 100755
--- a/modules/trigger/tests/trigger_test.info
+++ b/modules/trigger/tests/trigger_test.info
@@ -4,8 +4,8 @@ package = Testing
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/trigger/trigger.info b/modules/trigger/trigger.info
index de8150ec..3ffb5f58 100755
--- a/modules/trigger/trigger.info
+++ b/modules/trigger/trigger.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = trigger.test
 configure = admin/structure/trigger
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/trigger/trigger.test b/modules/trigger/trigger.test
index 72e0f720..9e5f1142 100755
--- a/modules/trigger/trigger.test
+++ b/modules/trigger/trigger.test
@@ -82,10 +82,10 @@ class TriggerContentTestCase extends TriggerWebTestCase {
       $edit[$info['property']] = !$info['expected'];
       $this->drupalPost('node/add/page', $edit, t('Save'));
       // Make sure the text we want appears.
-      $this->assertRaw(t('!post %title has been created.', array('!post' => 'Basic page', '%title' => $edit["title"])), t('Make sure the Basic page has actually been created'));
+      $this->assertRaw(t('!post %title has been created.', array('!post' => 'Basic page', '%title' => $edit["title"])), 'Make sure the Basic page has actually been created');
       // Action should have been fired.
       $loaded_node = $this->drupalGetNodeByTitle($edit["title"]);
-      $this->assertTrue($loaded_node->$info['property'] == $info['expected'], t('Make sure the @action action fired.', array('@action' => $info['name'])));
+      $this->assertTrue($loaded_node->$info['property'] == $info['expected'], format_string('Make sure the @action action fired.', array('@action' => $info['name'])));
       // Leave action assigned for next test
 
       // There should be an error when the action is assigned to the trigger
@@ -94,13 +94,13 @@ class TriggerContentTestCase extends TriggerWebTestCase {
       // This action already assigned in this test.
       $edit = array('aid' => $hash);
       $this->drupalPost('admin/structure/trigger/node', $edit, t('Assign'), array(), array(), 'trigger-node-presave-assign-form');
-      $this->assertRaw(t('The action you chose is already assigned to that trigger.'), t('Check to make sure an error occurs when assigning an action to a trigger twice.'));
+      $this->assertRaw(t('The action you chose is already assigned to that trigger.'), 'Check to make sure an error occurs when assigning an action to a trigger twice.');
 
       // The action should be able to be unassigned from a trigger.
       $this->drupalPost('admin/structure/trigger/unassign/node/node_presave/' . $hash, array(), t('Unassign'));
-      $this->assertRaw(t('Action %action has been unassigned.', array('%action' => ucfirst($info['name']))), t('Check to make sure the @action action can be unassigned from the trigger.', array('@action' => $info['name'])));
+      $this->assertRaw(t('Action %action has been unassigned.', array('%action' => ucfirst($info['name']))), format_string('Check to make sure the @action action can be unassigned from the trigger.', array('@action' => $info['name'])));
       $assigned = db_query("SELECT COUNT(*) FROM {trigger_assignments} WHERE aid IN (:keys)", array(':keys' => $content_actions))->fetchField();
-      $this->assertFalse($assigned, t('Check to make sure unassign worked properly at the database level.'));
+      $this->assertFalse($assigned, 'Check to make sure unassign worked properly at the database level.');
     }
   }
 
@@ -132,7 +132,7 @@ class TriggerContentTestCase extends TriggerWebTestCase {
     );
     $this->drupalPost('admin/content', $edit, t('Update'));
     $count = variable_get('trigger_test_generic_any_action', 0);
-    $this->assertTrue($count == 2, t('Action was triggered 2 times. Actual: %count', array('%count' => $count)));
+    $this->assertTrue($count == 2, format_string('Action was triggered 2 times. Actual: %count', array('%count' => $count)));
   }
 
   /**
@@ -242,11 +242,11 @@ class TriggerCronTestCase extends TriggerWebTestCase {
 
     // Make sure the non-configurable action has fired.
     $action_run = variable_get('trigger_test_system_cron_action', FALSE);
-    $this->assertTrue($action_run, t('Check that the cron run triggered the test action.'));
+    $this->assertTrue($action_run, 'Check that the cron run triggered the test action.');
 
     // Make sure that both configurable actions have fired.
     $action_run = variable_get('trigger_test_system_cron_conf_action', 0) == 2;
-    $this->assertTrue($action_run, t('Check that the cron run triggered both complex actions.'));
+    $this->assertTrue($action_run, 'Check that the cron run triggered both complex actions.');
   }
 }
 
@@ -321,7 +321,7 @@ class TriggerActionTestCase extends TriggerWebTestCase {
     $trigger_type = preg_replace('/_.*/', '', $trigger);
     $this->drupalPost("admin/structure/trigger/$trigger_type", $edit, t('Assign'), array(), array(), $form_html_id);
     $actions = trigger_get_assigned_actions($trigger);
-    $this->assertTrue(!empty($actions[$action]), t('Simple action @action assigned to trigger @trigger', array('@action' => $action, '@trigger' => $trigger)));
+    $this->assertTrue(!empty($actions[$action]), format_string('Simple action @action assigned to trigger @trigger', array('@action' => $action, '@trigger' => $trigger)));
   }
 
   /**
@@ -402,7 +402,7 @@ class TriggerActionTestCase extends TriggerWebTestCase {
   function assertSystemMessageTokenReplacement($trigger, $account) {
     $expected = $this->generateTokenExpandedComparison($trigger, $account);
     $this->assertText($expected,
-      t('Expected system message to contain token-replaced text "@expected" found in configured system message action', array('@expected' => $expected )) );
+      format_string('Expected system message to contain token-replaced text "@expected" found in configured system message action', array('@expected' => $expected )) );
   }
 
 
@@ -421,7 +421,7 @@ class TriggerActionTestCase extends TriggerWebTestCase {
     $expected = $this->generateTokenExpandedComparison($trigger, $account);
     $this->assertMailString('subject', $expected, $email_depth);
     $this->assertMailString('body', $expected, $email_depth);
-    $this->assertMail('to', $account->mail, t('Mail sent to correct destination'));
+    $this->assertMail('to', $account->mail, 'Mail sent to correct destination');
   }
 }
 
@@ -517,7 +517,7 @@ class TriggerUserActionTestCase extends TriggerActionTestCase {
     $this->drupalPost("node/{$node->nid}", array('comment_body[und][0][value]' => t("my comment"), 'subject' => t("my comment subject")), t('Save'));
     // Posting a comment should have blocked this user.
     $account = user_load($test_user->uid, TRUE);
-    $this->assertTrue($account->status == 0, t('Account is blocked'));
+    $this->assertTrue($account->status == 0, 'Account is blocked');
     $comment_author_uid = $account->uid;
     // Now rehabilitate the comment author so it can be be blocked again when
     // the comment is updated.
@@ -529,7 +529,7 @@ class TriggerUserActionTestCase extends TriggerActionTestCase {
     // Our original comment will have been comment 1.
     $this->drupalPost("comment/1/edit", array('comment_body[und][0][value]' => t("my comment, updated"), 'subject' => t("my comment subject")), t('Save'));
     $comment_author_account = user_load($comment_author_uid, TRUE);
-    $this->assertTrue($comment_author_account->status == 0, t('Comment author account (uid=@uid) is blocked after update to comment', array('@uid' => $comment_author_uid)));
+    $this->assertTrue($comment_author_account->status == 0, format_string('Comment author account (uid=@uid) is blocked after update to comment', array('@uid' => $comment_author_uid)));
 
     // Verify that the comment was updated.
     $test_user = $this->drupalCreateUser(array('administer actions', 'create article content', 'access comments', 'administer comments', 'skip comment approval', 'edit own comments'));
@@ -589,7 +589,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase {
     $this->drupalPost('admin/people/create', $edit, t('Create new account'));
 
     // Verify that the action variable has been set.
-    $this->assertTrue(variable_get($action_id, FALSE), t('Check that creating a user triggered the test action.'));
+    $this->assertTrue(variable_get($action_id, FALSE), 'Check that creating a user triggered the test action.');
 
     // Reset the action variable.
     variable_set($action_id, FALSE);
@@ -608,8 +608,8 @@ class TriggerOtherTestCase extends TriggerWebTestCase {
 
     // Verify that the action has been assigned to the correct hook.
     $actions = trigger_get_assigned_actions('user_login');
-    $this->assertEqual(1, count($actions), t('One Action assigned to the hook'));
-    $this->assertEqual($actions[$aid]['label'], $action_edit['actions_label'], t('Correct action label found.'));
+    $this->assertEqual(1, count($actions), 'One Action assigned to the hook');
+    $this->assertEqual($actions[$aid]['label'], $action_edit['actions_label'], 'Correct action label found.');
 
     // User should get the configured message at login.
     $contact_user = $this->drupalCreateUser(array('access site-wide contact form'));;
@@ -643,7 +643,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase {
     $this->drupalPost(NULL, $edit, t('Save'));
 
     // Verify that the action variable has been set.
-    $this->assertTrue(variable_get($action_id, FALSE), t('Check that creating a comment triggered the action.'));
+    $this->assertTrue(variable_get($action_id, FALSE), 'Check that creating a comment triggered the action.');
   }
 
   /**
@@ -679,7 +679,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase {
     taxonomy_term_save($term);
 
     // Verify that the action variable has been set.
-    $this->assertTrue(variable_get($action_id, FALSE), t('Check that creating a taxonomy term triggered the action.'));
+    $this->assertTrue(variable_get($action_id, FALSE), 'Check that creating a taxonomy term triggered the action.');
   }
 
 }
@@ -723,10 +723,10 @@ class TriggerOrphanedActionsTestCase extends DrupalWebTestCase {
     $edit["title"] = '!SimpleTest test node! ' . $this->randomName(10);
     $edit["body[$langcode][0][value]"] = '!SimpleTest test body! ' . $this->randomName(32) . ' ' . $this->randomName(32);
     $this->drupalPost('node/add/page', $edit, t('Save'));
-    $this->assertRaw(t('!post %title has been created.', array('!post' => 'Basic page', '%title' => $edit["title"])), t('Make sure the Basic page has actually been created'));
+    $this->assertRaw(t('!post %title has been created.', array('!post' => 'Basic page', '%title' => $edit["title"])), 'Make sure the Basic page has actually been created');
 
     // Action should have been fired.
-    $this->assertTrue(variable_get('trigger_test_generic_any_action', FALSE), t('Trigger test action successfully fired.'));
+    $this->assertTrue(variable_get('trigger_test_generic_any_action', FALSE), 'Trigger test action successfully fired.');
 
     // Disable the module that provides the action and make sure the trigger
     // doesn't white screen.
@@ -737,7 +737,7 @@ class TriggerOrphanedActionsTestCase extends DrupalWebTestCase {
 
     // If the node body was updated successfully we have dealt with the
     // unavailable action.
-    $this->assertRaw(t('!post %title has been updated.', array('!post' => 'Basic page', '%title' => $edit["title"])), t('Make sure the Basic page can be updated with the missing trigger function.'));
+    $this->assertRaw(t('!post %title has been updated.', array('!post' => 'Basic page', '%title' => $edit["title"])), 'Make sure the Basic page can be updated with the missing trigger function.');
   }
 }
 
diff --git a/modules/update/tests/aaa_update_test.info b/modules/update/tests/aaa_update_test.info
index 0b9171ca..f5c804f6 100755
--- a/modules/update/tests/aaa_update_test.info
+++ b/modules/update/tests/aaa_update_test.info
@@ -4,8 +4,8 @@ package = Testing
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/tests/bbb_update_test.info b/modules/update/tests/bbb_update_test.info
index 2adf08c1..9d1a30cc 100755
--- a/modules/update/tests/bbb_update_test.info
+++ b/modules/update/tests/bbb_update_test.info
@@ -4,8 +4,8 @@ package = Testing
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/tests/ccc_update_test.info b/modules/update/tests/ccc_update_test.info
index 810ac615..dbf63f6d 100755
--- a/modules/update/tests/ccc_update_test.info
+++ b/modules/update/tests/ccc_update_test.info
@@ -4,8 +4,8 @@ package = Testing
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/tests/themes/update_test_basetheme/update_test_basetheme.info b/modules/update/tests/themes/update_test_basetheme/update_test_basetheme.info
index 0401560e..faa6cdff 100755
--- a/modules/update/tests/themes/update_test_basetheme/update_test_basetheme.info
+++ b/modules/update/tests/themes/update_test_basetheme/update_test_basetheme.info
@@ -3,8 +3,8 @@ description = Test theme which acts as a base theme for other test subthemes.
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/tests/themes/update_test_subtheme/update_test_subtheme.info b/modules/update/tests/themes/update_test_subtheme/update_test_subtheme.info
index d6520f7a..dced67c6 100755
--- a/modules/update/tests/themes/update_test_subtheme/update_test_subtheme.info
+++ b/modules/update/tests/themes/update_test_subtheme/update_test_subtheme.info
@@ -4,8 +4,8 @@ core = 7.x
 base theme = update_test_basetheme
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/tests/update_test.info b/modules/update/tests/update_test.info
index d1fea4dc..af28f502 100755
--- a/modules/update/tests/update_test.info
+++ b/modules/update/tests/update_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/update.fetch.inc b/modules/update/update.fetch.inc
index bf0039f4..9dd2f0ba 100755
--- a/modules/update/update.fetch.inc
+++ b/modules/update/update.fetch.inc
@@ -289,7 +289,7 @@ function _update_build_fetch_url($project, $site_key = '') {
   $url = _update_get_fetch_url_base($project);
   $url .= '/' . $name . '/' . DRUPAL_CORE_COMPATIBILITY;
 
-  // Only append usage infomation if we have a site key and the project is
+  // Only append usage information if we have a site key and the project is
   // enabled. We do not want to record usage statistics for disabled projects.
   if (!empty($site_key) && (strpos($project['project_type'], 'disabled') === FALSE)) {
     // Append the site key.
diff --git a/modules/update/update.info b/modules/update/update.info
index 251e7cda..f416d5de 100755
--- a/modules/update/update.info
+++ b/modules/update/update.info
@@ -6,8 +6,8 @@ core = 7.x
 files[] = update.test
 configure = admin/reports/updates/settings
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/update/update.module b/modules/update/update.module
index d5728be3..d1f0d856 100755
--- a/modules/update/update.module
+++ b/modules/update/update.module
@@ -71,7 +71,7 @@ define('UPDATE_MAX_FETCH_ATTEMPTS', 2);
 /**
  * Maximum number of seconds to try fetching available update data at a time.
  */
-define('UPDATE_MAX_FETCH_TIME', 5);
+define('UPDATE_MAX_FETCH_TIME', 30);
 
 /**
  * Implements hook_help().
diff --git a/modules/user/tests/user_form_test.info b/modules/user/tests/user_form_test.info
index 87c91d06..2639cff1 100755
--- a/modules/user/tests/user_form_test.info
+++ b/modules/user/tests/user_form_test.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/user/user.info b/modules/user/user.info
index 806a44b2..c51b75b9 100755
--- a/modules/user/user.info
+++ b/modules/user/user.info
@@ -9,8 +9,8 @@ required = TRUE
 configure = admin/config/people
 stylesheets[all][] = user.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/modules/user/user.module b/modules/user/user.module
index 0af80601..b2397993 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -717,10 +717,14 @@ function user_password($length = 10) {
 
   // Loop the number of times specified by $length.
   for ($i = 0; $i < $length; $i++) {
+    do {
+      // Find a secure random number within the range needed.
+      $index = ord(drupal_random_bytes(1));
+    } while ($index > $len);
 
     // Each iteration, pick a random character from the
     // allowable string and append it to the password:
-    $pass .= $allowable_characters[mt_rand(0, $len)];
+    $pass .= $allowable_characters[$index];
   }
 
   return $pass;
@@ -733,8 +737,9 @@ function user_password($length = 10) {
  *   An array whose keys are the role IDs of interest, such as $user->roles.
  *
  * @return
- *   An array indexed by role ID. Each value is an array whose keys are the
- *   permission strings for the given role ID.
+ *   If $roles is a non-empty array, an array indexed by role ID is returned.
+ *   Each value is an array whose keys are the permission strings for the given
+ *   role ID. If $roles is empty nothing is returned.
  */
 function user_role_permissions($roles = array()) {
   $cache = &drupal_static(__FUNCTION__, array());
@@ -1728,14 +1733,14 @@ function user_menu() {
 
   // Administration pages.
   $items['admin/config/people'] = array(
-   'title' => 'People',
-   'description' => 'Configure user accounts.',
-   'position' => 'left',
-   'weight' => -20,
-   'page callback' => 'system_admin_menu_block_page',
-   'access arguments' => array('access administration pages'),
-   'file' => 'system.admin.inc',
-   'file path' => drupal_get_path('module', 'system'),
+    'title' => 'People',
+    'description' => 'Configure user accounts.',
+    'position' => 'left',
+    'weight' => -20,
+    'page callback' => 'system_admin_menu_block_page',
+    'access arguments' => array('access administration pages'),
+    'file' => 'system.admin.inc',
+    'file path' => drupal_get_path('module', 'system'),
   );
   $items['admin/config/people/accounts'] = array(
     'title' => 'Account settings',
@@ -2118,7 +2123,7 @@ function user_login_default_validators() {
  * A FAPI validate handler. Sets an error if supplied username has been blocked.
  */
 function user_login_name_validate($form, &$form_state) {
-  if (isset($form_state['values']['name']) && user_is_blocked($form_state['values']['name'])) {
+  if (!empty($form_state['values']['name']) && user_is_blocked($form_state['values']['name'])) {
     // Blocked in user administration.
     form_set_error('name', t('The username %name has not been activated or is blocked.', array('%name' => $form_state['values']['name'])));
   }
@@ -2314,27 +2319,18 @@ function user_external_login_register($name, $module) {
  * Generates a unique URL for a user to login and reset their password.
  *
  * @param object $account
- *   An object containing the user account.
- * @param array $options
- *   (optional) A keyed array of settings. Supported options are:
- *   - langcode: A language code to be used when generating locale-sensitive
- *    urls. If langcode is NULL the users preferred language is used.
+ *   An object containing the user account, which must contain at least the
+ *   following properties:
+ *   - uid: The user ID number.
+ *   - login: The UNIX timestamp of the user's last login.
  *
  * @return
  *   A unique URL that provides a one-time log in for the user, from which
  *   they can change their password.
  */
-function user_pass_reset_url($account, $options = array()) {
+function user_pass_reset_url($account) {
   $timestamp = REQUEST_TIME;
-  $url_options = array('absolute' => TRUE);
-  if (isset($options['langcode'])) {
-    $languages = language_list();
-    $url_options['language'] = $languages[$options['langcode']];
-  }
-  else {
-    $url_options['language'] = user_preferred_language($account);
-  }
-  return url("user/reset/$account->uid/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), $url_options);
+  return url("user/reset/$account->uid/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
 }
 
 /**
@@ -2343,13 +2339,9 @@ function user_pass_reset_url($account, $options = array()) {
  * @param object $account
  *   The user account object, which must contain at least the following
  *   properties:
- *   - uid: The user uid number.
+ *   - uid: The user ID number.
  *   - pass: The hashed user password string.
- *   - login: The user login name.
- * @param array $options
- *   (optional) A keyed array of settings. Supported options are:
- *   - langcode: A language code to be used when generating locale-sensitive
-  *    urls. If langcode is NULL the users preferred language is used.
+ *   - login: The UNIX timestamp of the user's last login.
  *
  * @return
  *   A unique URL that may be used to confirm the cancellation of the user
@@ -2358,17 +2350,9 @@ function user_pass_reset_url($account, $options = array()) {
  * @see user_mail_tokens()
  * @see user_cancel_confirm()
  */
-function user_cancel_url($account, $options = array()) {
+function user_cancel_url($account) {
   $timestamp = REQUEST_TIME;
-  $url_options = array('absolute' => TRUE);
-  if (isset($options['langcode'])) {
-    $languages = language_list();
-    $url_options['language'] = $languages[$options['langcode']];
-  }
-  else {
-    $url_options['language'] = user_preferred_language($account);
-  }
-  return url("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), $url_options);
+  return url("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
 }
 
 /**
@@ -2379,15 +2363,15 @@ function user_cancel_url($account, $options = array()) {
  * order to validate the URL, the same hash can be generated again, from the
  * same information, and compared to the hash value from the URL. The URL
  * normally contains both the time stamp and the numeric user ID. The login
- * name and hashed password are retrieved from the database as necessary. For a
- * usage example, see user_cancel_url() and user_cancel_confirm().
+ * timestamp and hashed password are retrieved from the database as necessary.
+ * For a usage example, see user_cancel_url() and user_cancel_confirm().
  *
- * @param $password
+ * @param string $password
  *   The hashed user account password value.
- * @param $timestamp
- *   A unix timestamp.
- * @param $login
- *   The user account login name.
+ * @param int $timestamp
+ *   A UNIX timestamp, typically REQUEST_TIME.
+ * @param int $login
+ *   The UNIX timestamp of the user's last login.
  *
  * @return
  *   A string that is safe for use in URLs and SQL statements.
@@ -2838,7 +2822,7 @@ Your account on [site:name] has been canceled.
   if ($replace) {
     // We do not sanitize the token replacement, since the output of this
     // replacement is intended for an e-mail message, not a web browser.
-    return token_replace($text, $variables, array('langcode' => $langcode, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
+    return token_replace($text, $variables, array('language' => $language, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
   }
 
   return $text;
@@ -2858,15 +2842,15 @@ Your account on [site:name] has been canceled.
  *   An associative array of token replacement values. If the 'user' element
  *   exists, it must contain a user account object with the following
  *   properties:
- *   - login: The account login name.
+ *   - login: The UNIX timestamp of the user's last login.
  *   - pass: The hashed account login password.
  * @param $options
  *   Unused parameter required by the token_replace() function.
  */
 function user_mail_tokens(&$replacements, $data, $options) {
   if (isset($data['user'])) {
-    $replacements['[user:one-time-login-url]'] = user_pass_reset_url($data['user'], $options);
-    $replacements['[user:cancel-url]'] = user_cancel_url($data['user'], $options);
+    $replacements['[user:one-time-login-url]'] = user_pass_reset_url($data['user']);
+    $replacements['[user:cancel-url]'] = user_cancel_url($data['user']);
   }
 }
 
@@ -3694,7 +3678,14 @@ function user_action_info() {
 }
 
 /**
- * Blocks the current user.
+ * Blocks a specific user or the current user, if one is not specified.
+ *
+ * @param $entity
+ *   (optional) An entity object; if it is provided and it has a uid property,
+ *   the user with that ID is blocked.
+ * @param $context
+ *   (optional) An associative array; if no user ID is found in $entity, the
+ *   'uid' element of this array determines the user to block.
  *
  * @ingroup actions
  */
diff --git a/modules/user/user.module.orig b/modules/user/user.module.orig
deleted file mode 100755
index 51242070..00000000
--- a/modules/user/user.module.orig
+++ /dev/null
@@ -1,4014 +0,0 @@
-<?php
-
-/**
- * @file
- * Enables the user registration and login system.
- */
-
-/**
- * Maximum length of username text field.
- */
-define('USERNAME_MAX_LENGTH', 60);
-
-/**
- * Maximum length of user e-mail text field.
- */
-define('EMAIL_MAX_LENGTH', 254);
-
-/**
- * Only administrators can create user accounts.
- */
-define('USER_REGISTER_ADMINISTRATORS_ONLY', 0);
-
-/**
- * Visitors can create their own accounts.
- */
-define('USER_REGISTER_VISITORS', 1);
-
-/**
- * Visitors can create accounts, but they don't become active without
- * administrative approval.
- */
-define('USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL', 2);
-
-/**
- * Implement hook_help().
- */
-function user_help($path, $arg) {
-  global $user;
-
-  switch ($path) {
-    case 'admin/help#user':
-      $output = '';
-      $output .= '<h3>' . t('About') . '</h3>';
-      $output .= '<p>' . t('The User module allows users to register, log in, and log out. It also allows users with proper permissions to manage user roles (used to classify users) and permissions associated with those roles. For more information, see the online handbook entry for <a href="@user">User module</a>.', array('@user' => 'http://drupal.org/documentation/modules/user')) . '</p>';
-      $output .= '<h3>' . t('Uses') . '</h3>';
-      $output .= '<dl>';
-      $output .= '<dt>' . t('Creating and managing users') . '</dt>';
-      $output .= '<dd>' . t('The User module allows users with the appropriate <a href="@permissions">permissions</a> to create user accounts through the <a href="@people">People administration page</a>, where they can also assign users to one or more roles, and block or delete user accounts. If allowed, users without accounts (anonymous users) can create their own accounts on the <a href="@register">Create new account</a> page.', array('@permissions' => url('admin/people/permissions', array('fragment' => 'module-user')), '@people' => url('admin/people'), '@register' => url('user/register'))) . '</dd>';
-      $output .= '<dt>' . t('User roles and permissions') . '</dt>';
-      $output .= '<dd>' . t('<em>Roles</em> are used to group and classify users; each user can be assigned one or more roles. By default there are two roles: <em>anonymous user</em> (users that are not logged in) and <em>authenticated user</em> (users that are registered and logged in). Depending on choices you made when you installed Drupal, the installation process may have defined more roles, and you can create additional custom roles on the <a href="@roles">Roles page</a>. After creating roles, you can set permissions for each role on the <a href="@permissions_user">Permissions page</a>. Granting a permission allows users who have been assigned a particular role to perform an action on the site, such as viewing a particular type of content, editing or creating content, administering settings for a particular module, or using a particular function of the site (such as search).', array('@permissions_user' => url('admin/people/permissions'), '@roles' => url('admin/people/permissions/roles'))) . '</dd>';
-      $output .= '<dt>' . t('Account settings') . '</dt>';
-      $output .= '<dd>' . t('The <a href="@accounts">Account settings page</a> allows you to manage settings for the displayed name of the anonymous user role, personal contact forms, user registration, and account cancellation. On this page you can also manage settings for account personalization (including signatures and user pictures), and adapt the text for the e-mail messages that are sent automatically during the user registration process.', array('@accounts'  => url('admin/config/people/accounts'))) . '</dd>';
-      $output .= '</dl>';
-      return $output;
-    case 'admin/people/create':
-      return '<p>' . t("This web page allows administrators to register new users. Users' e-mail addresses and usernames must be unique.") . '</p>';
-    case 'admin/people/permissions':
-      return '<p>' . t('Permissions let you control what users can do and see on your site. You can define a specific set of permissions for each role. (See the <a href="@role">Roles</a> page to create a role). Two important roles to consider are Authenticated Users and Administrators. Any permissions granted to the Authenticated Users role will be given to any user who can log into your site. You can make any role the Administrator role for the site, meaning this will be granted all new permissions automatically. You can do this on the <a href="@settings">User Settings</a> page. You should be careful to ensure that only trusted users are given this access and level of control of your site.', array('@role' => url('admin/people/permissions/roles'), '@settings' => url('admin/config/people/accounts'))) . '</p>';
-    case 'admin/people/permissions/roles':
-      $output = '<p>' . t('Roles allow you to fine tune the security and administration of Drupal. A role defines a group of users that have certain privileges as defined on the <a href="@permissions">permissions page</a>. Examples of roles include: anonymous user, authenticated user, moderator, administrator and so on. In this area you will define the names and order of the roles on your site. It is recommended to order your roles from least permissive (anonymous user) to most permissive (administrator). To delete a role choose "edit role".', array('@permissions' => url('admin/people/permissions'))) . '</p>';
-      $output .= '<p>' . t('By default, Drupal comes with two user roles:') . '</p>';
-      $output .= '<ul>';
-      $output .= '<li>' . t("Anonymous user: this role is used for users that don't have a user account or that are not authenticated.") . '</li>';
-      $output .= '<li>' . t('Authenticated user: this role is automatically granted to all logged in users.') . '</li>';
-      $output .= '</ul>';
-      return $output;
-    case 'admin/config/people/accounts/fields':
-      return '<p>' . t('This form lets administrators add, edit, and arrange fields for storing user data.') . '</p>';
-    case 'admin/config/people/accounts/display':
-      return '<p>' . t('This form lets administrators configure how fields should be displayed when rendering a user profile page.') . '</p>';
-    case 'admin/people/search':
-      return '<p>' . t('Enter a simple pattern ("*" may be used as a wildcard match) to search for a username or e-mail address. For example, one may search for "br" and Drupal might return "brian", "brad", and "brenda@example.com".') . '</p>';
-  }
-}
-
-/**
- * Invokes a user hook in every module.
- *
- * We cannot use module_invoke() for this, because the arguments need to
- * be passed by reference.
- *
- * @param $type
- *   A text string that controls which user hook to invoke.  Valid choices are:
- *   - cancel: Invokes hook_user_cancel().
- *   - insert: Invokes hook_user_insert().
- *   - login: Invokes hook_user_login().
- *   - presave: Invokes hook_user_presave().
- *   - update: Invokes hook_user_update().
- * @param $edit
- *   An associative array variable containing form values to be passed
- *   as the first parameter of the hook function.
- * @param $account
- *   The user account object to be passed as the second parameter of the hook
- *   function.
- * @param $category
- *   The category of user information being acted upon.
- */
-function user_module_invoke($type, &$edit, $account, $category = NULL) {
-  foreach (module_implements('user_' . $type) as $module) {
-    $function = $module . '_user_' . $type;
-    $function($edit, $account, $category);
-  }
-}
-
-/**
- * Implements hook_theme().
- */
-function user_theme() {
-  return array(
-    'user_picture' => array(
-      'variables' => array('account' => NULL),
-      'template' => 'user-picture',
-    ),
-    'user_profile' => array(
-      'render element' => 'elements',
-      'template' => 'user-profile',
-      'file' => 'user.pages.inc',
-    ),
-    'user_profile_category' => array(
-      'render element' => 'element',
-      'template' => 'user-profile-category',
-      'file' => 'user.pages.inc',
-    ),
-    'user_profile_item' => array(
-      'render element' => 'element',
-      'template' => 'user-profile-item',
-      'file' => 'user.pages.inc',
-    ),
-    'user_list' => array(
-      'variables' => array('users' => NULL, 'title' => NULL),
-    ),
-    'user_admin_permissions' => array(
-      'render element' => 'form',
-      'file' => 'user.admin.inc',
-    ),
-    'user_admin_roles' => array(
-      'render element' => 'form',
-      'file' => 'user.admin.inc',
-    ),
-    'user_permission_description' => array(
-      'variables' => array('permission_item' => NULL, 'hide' => NULL),
-      'file' => 'user.admin.inc',
-    ),
-    'user_signature' => array(
-      'variables' => array('signature' => NULL),
-    ),
-  );
-}
-
-/**
- * Implements hook_entity_info().
- */
-function user_entity_info() {
-  $return = array(
-    'user' => array(
-      'label' => t('User'),
-      'controller class' => 'UserController',
-      'base table' => 'users',
-      'uri callback' => 'user_uri',
-      'label callback' => 'format_username',
-      'fieldable' => TRUE,
-      // $user->language is only the preferred user language for the user
-      // interface textual elements. As it is not necessarily related to the
-      // language assigned to fields, we do not define it as the entity language
-      // key.
-      'entity keys' => array(
-        'id' => 'uid',
-      ),
-      'bundles' => array(
-        'user' => array(
-          'label' => t('User'),
-          'admin' => array(
-            'path' => 'admin/config/people/accounts',
-            'access arguments' => array('administer users'),
-          ),
-        ),
-      ),
-      'view modes' => array(
-        'full' => array(
-          'label' => t('User account'),
-          'custom settings' => FALSE,
-        ),
-      ),
-    ),
-  );
-  return $return;
-}
-
-/**
- * Implements callback_entity_info_uri().
- */
-function user_uri($user) {
-  return array(
-    'path' => 'user/' . $user->uid,
-  );
-}
-
-/**
- * Implements hook_field_info_alter().
- */
-function user_field_info_alter(&$info) {
-  // Add the 'user_register_form' instance setting to all field types.
-  foreach ($info as $field_type => &$field_type_info) {
-    $field_type_info += array('instance_settings' => array());
-    $field_type_info['instance_settings'] += array(
-      'user_register_form' => FALSE,
-    );
-  }
-}
-
-/**
- * Implements hook_field_extra_fields().
- */
-function user_field_extra_fields() {
-  $return['user']['user'] = array(
-    'form' => array(
-      'account' => array(
-        'label' => t('User name and password'),
-        'description' => t('User module account form elements.'),
-        'weight' => -10,
-      ),
-      'timezone' => array(
-        'label' => t('Timezone'),
-        'description' => t('User module timezone form element.'),
-        'weight' => 6,
-      ),
-    ),
-    'display' => array(
-      'summary' => array(
-        'label' => t('History'),
-        'description' => t('User module history view element.'),
-        'weight' => 5,
-      ),
-    ),
-  );
-
-  return $return;
-}
-
-/**
- * Fetches a user object based on an external authentication source.
- *
- * @param string $authname
- *   The external authentication username.
- *
- * @return
- *   A fully-loaded user object if the user is found or FALSE if not found.
- */
-function user_external_load($authname) {
-  $uid = db_query("SELECT uid FROM {authmap} WHERE authname = :authname", array(':authname' => $authname))->fetchField();
-
-  if ($uid) {
-    return user_load($uid);
-  }
-  else {
-    return FALSE;
-  }
-}
-
-/**
- * Load multiple users based on certain conditions.
- *
- * This function should be used whenever you need to load more than one user
- * from the database. Users are loaded into memory and will not require
- * database access if loaded again during the same page request.
- *
- * @param $uids
- *   An array of user IDs.
- * @param $conditions
- *   (deprecated) An associative array of conditions on the {users}
- *   table, where the keys are the database fields and the values are the
- *   values those fields must have. Instead, it is preferable to use
- *   EntityFieldQuery to retrieve a list of entity IDs loadable by
- *   this function.
- * @param $reset
- *   A boolean indicating that the internal cache should be reset. Use this if
- *   loading a user object which has been altered during the page request.
- *
- * @return
- *   An array of user objects, indexed by uid.
- *
- * @see entity_load()
- * @see user_load()
- * @see user_load_by_mail()
- * @see user_load_by_name()
- * @see EntityFieldQuery
- *
- * @todo Remove $conditions in Drupal 8.
- */
-function user_load_multiple($uids = array(), $conditions = array(), $reset = FALSE) {
-  return entity_load('user', $uids, $conditions, $reset);
-}
-
-/**
- * Controller class for users.
- *
- * This extends the DrupalDefaultEntityController class, adding required
- * special handling for user objects.
- */
-class UserController extends DrupalDefaultEntityController {
-
-  function attachLoad(&$queried_users, $revision_id = FALSE) {
-    // Build an array of user picture IDs so that these can be fetched later.
-    $picture_fids = array();
-    foreach ($queried_users as $key => $record) {
-      $picture_fids[] = $record->picture;
-      $queried_users[$key]->data = unserialize($record->data);
-      $queried_users[$key]->roles = array();
-      if ($record->uid) {
-        $queried_users[$record->uid]->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user';
-      }
-      else {
-        $queried_users[$record->uid]->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user';
-      }
-    }
-
-    // Add any additional roles from the database.
-    $result = db_query('SELECT r.rid, r.name, ur.uid FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid IN (:uids)', array(':uids' => array_keys($queried_users)));
-    foreach ($result as $record) {
-      $queried_users[$record->uid]->roles[$record->rid] = $record->name;
-    }
-
-    // Add the full file objects for user pictures if enabled.
-    if (!empty($picture_fids) && variable_get('user_pictures', 0)) {
-      $pictures = file_load_multiple($picture_fids);
-      foreach ($queried_users as $account) {
-        if (!empty($account->picture) && isset($pictures[$account->picture])) {
-          $account->picture = $pictures[$account->picture];
-        }
-        else {
-          $account->picture = NULL;
-        }
-      }
-    }
-    // Call the default attachLoad() method. This will add fields and call
-    // hook_user_load().
-    parent::attachLoad($queried_users, $revision_id);
-  }
-}
-
-/**
- * Loads a user object.
- *
- * Drupal has a global $user object, which represents the currently-logged-in
- * user. So to avoid confusion and to avoid clobbering the global $user object,
- * it is a good idea to assign the result of this function to a different local
- * variable, generally $account. If you actually do want to act as the user you
- * are loading, it is essential to call drupal_save_session(FALSE); first.
- * See
- * @link http://drupal.org/node/218104 Safely impersonating another user @endlink
- * for more information.
- *
- * @param $uid
- *   Integer specifying the user ID to load.
- * @param $reset
- *   TRUE to reset the internal cache and load from the database; FALSE
- *   (default) to load from the internal cache, if set.
- *
- * @return
- *   A fully-loaded user object upon successful user load, or FALSE if the user
- *   cannot be loaded.
- *
- * @see user_load_multiple()
- */
-function user_load($uid, $reset = FALSE) {
-  $users = user_load_multiple(array($uid), array(), $reset);
-  return reset($users);
-}
-
-/**
- * Fetch a user object by email address.
- *
- * @param $mail
- *   String with the account's e-mail address.
- * @return
- *   A fully-loaded $user object upon successful user load or FALSE if user
- *   cannot be loaded.
- *
- * @see user_load_multiple()
- */
-function user_load_by_mail($mail) {
-  $users = user_load_multiple(array(), array('mail' => $mail));
-  return reset($users);
-}
-
-/**
- * Fetch a user object by account name.
- *
- * @param $name
- *   String with the account's user name.
- * @return
- *   A fully-loaded $user object upon successful user load or FALSE if user
- *   cannot be loaded.
- *
- * @see user_load_multiple()
- */
-function user_load_by_name($name) {
-  $users = user_load_multiple(array(), array('name' => $name));
-  return reset($users);
-}
-
-/**
- * Save changes to a user account or add a new user.
- *
- * @param $account
- *   (optional) The user object to modify or add. If you want to modify
- *   an existing user account, you will need to ensure that (a) $account
- *   is an object, and (b) you have set $account->uid to the numeric
- *   user ID of the user account you wish to modify. If you
- *   want to create a new user account, you can set $account->is_new to
- *   TRUE or omit the $account->uid field.
- * @param $edit
- *   An array of fields and values to save. For example array('name'
- *   => 'My name'). Key / value pairs added to the $edit['data'] will be
- *   serialized and saved in the {users.data} column.
- * @param $category
- *   (optional) The category for storing profile information in.
- *
- * @return
- *   A fully-loaded $user object upon successful save or FALSE if the save failed.
- *
- * @todo D8: Drop $edit and fix user_save() to be consistent with others.
- */
-function user_save($account, $edit = array(), $category = 'account') {
-  $transaction = db_transaction();
-  try {
-    if (!empty($edit['pass'])) {
-      // Allow alternate password hashing schemes.
-      require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
-      $edit['pass'] = user_hash_password(trim($edit['pass']));
-      // Abort if the hashing failed and returned FALSE.
-      if (!$edit['pass']) {
-        return FALSE;
-      }
-    }
-    else {
-      // Avoid overwriting an existing password with a blank password.
-      unset($edit['pass']);
-    }
-    if (isset($edit['mail'])) {
-      $edit['mail'] = trim($edit['mail']);
-    }
-
-    // Load the stored entity, if any.
-    if (!empty($account->uid) && !isset($account->original)) {
-      $account->original = entity_load_unchanged('user', $account->uid);
-    }
-
-    if (empty($account)) {
-      $account = new stdClass();
-    }
-    if (!isset($account->is_new)) {
-      $account->is_new = empty($account->uid);
-    }
-    // Prepopulate $edit['data'] with the current value of $account->data.
-    // Modules can add to or remove from this array in hook_user_presave().
-    if (!empty($account->data)) {
-      $edit['data'] = !empty($edit['data']) ? array_merge($account->data, $edit['data']) : $account->data;
-    }
-
-    // Invoke hook_user_presave() for all modules.
-    user_module_invoke('presave', $edit, $account, $category);
-
-    // Invoke presave operations of Field Attach API and Entity API. Those APIs
-    // require a fully-fledged and updated entity object. Therefore, we need to
-    // copy any new property values of $edit into it.
-    foreach ($edit as $key => $value) {
-      $account->$key = $value;
-    }
-    field_attach_presave('user', $account);
-    module_invoke_all('entity_presave', $account, 'user');
-
-    if (is_object($account) && !$account->is_new) {
-      // Process picture uploads.
-      if (!empty($account->picture->fid) && (!isset($account->original->picture->fid) || $account->picture->fid != $account->original->picture->fid)) {
-        $picture = $account->picture;
-        // If the picture is a temporary file move it to its final location and
-        // make it permanent.
-        if (!$picture->status) {
-          $info = image_get_info($picture->uri);
-          $picture_directory =  file_default_scheme() . '://' . variable_get('user_picture_path', 'pictures');
-
-          // Prepare the pictures directory.
-          file_prepare_directory($picture_directory, FILE_CREATE_DIRECTORY);
-          $destination = file_stream_wrapper_uri_normalize($picture_directory . '/picture-' . $account->uid . '-' . REQUEST_TIME . '.' . $info['extension']);
-
-          // Move the temporary file into the final location.
-          if ($picture = file_move($picture, $destination, FILE_EXISTS_RENAME)) {
-            $picture->status = FILE_STATUS_PERMANENT;
-            $account->picture = file_save($picture);
-            file_usage_add($picture, 'user', 'user', $account->uid);
-          }
-        }
-        // Delete the previous picture if it was deleted or replaced.
-        if (!empty($account->original->picture->fid)) {
-          file_usage_delete($account->original->picture, 'user', 'user', $account->uid);
-          file_delete($account->original->picture);
-        }
-      }
-      elseif (isset($edit['picture_delete']) && $edit['picture_delete']) {
-        file_usage_delete($account->original->picture, 'user', 'user', $account->uid);
-        file_delete($account->original->picture);
-      }
-      $account->picture = empty($account->picture->fid) ? 0 : $account->picture->fid;
-
-      // Do not allow 'uid' to be changed.
-      $account->uid = $account->original->uid;
-      // Save changes to the user table.
-      $success = drupal_write_record('users', $account, 'uid');
-      if ($success === FALSE) {
-        // The query failed - better to abort the save than risk further
-        // data loss.
-        return FALSE;
-      }
-
-      // Reload user roles if provided.
-      if ($account->roles != $account->original->roles) {
-        db_delete('users_roles')
-          ->condition('uid', $account->uid)
-          ->execute();
-
-        $query = db_insert('users_roles')->fields(array('uid', 'rid'));
-        foreach (array_keys($account->roles) as $rid) {
-          if (!in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID))) {
-            $query->values(array(
-              'uid' => $account->uid,
-              'rid' => $rid,
-            ));
-          }
-        }
-        $query->execute();
-      }
-
-      // Delete a blocked user's sessions to kick them if they are online.
-      if ($account->original->status != $account->status && $account->status == 0) {
-        drupal_session_destroy_uid($account->uid);
-      }
-
-      // If the password changed, delete all open sessions and recreate
-      // the current one.
-      if ($account->pass != $account->original->pass) {
-        drupal_session_destroy_uid($account->uid);
-        if ($account->uid == $GLOBALS['user']->uid) {
-          drupal_session_regenerate();
-        }
-      }
-
-      // Save Field data.
-      field_attach_update('user', $account);
-
-      // Send emails after we have the new user object.
-      if ($account->status != $account->original->status) {
-        // The user's status is changing; conditionally send notification email.
-        $op = $account->status == 1 ? 'status_activated' : 'status_blocked';
-        _user_mail_notify($op, $account);
-      }
-
-      // Update $edit with any interim changes to $account.
-      foreach ($account as $key => $value) {
-        if (!property_exists($account->original, $key) || $value !== $account->original->$key) {
-          $edit[$key] = $value;
-        }
-      }
-      user_module_invoke('update', $edit, $account, $category);
-      module_invoke_all('entity_update', $account, 'user');
-    }
-    else {
-      // Allow 'uid' to be set by the caller. There is no danger of writing an
-      // existing user as drupal_write_record will do an INSERT.
-      if (empty($account->uid)) {
-        $account->uid = db_next_id(db_query('SELECT MAX(uid) FROM {users}')->fetchField());
-      }
-      // Allow 'created' to be set by the caller.
-      if (!isset($account->created)) {
-        $account->created = REQUEST_TIME;
-      }
-      $success = drupal_write_record('users', $account);
-      if ($success === FALSE) {
-        // On a failed INSERT some other existing user's uid may be returned.
-        // We must abort to avoid overwriting their account.
-        return FALSE;
-      }
-
-      // Make sure $account is properly initialized.
-      $account->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user';
-
-      field_attach_insert('user', $account);
-      $edit = (array) $account;
-      user_module_invoke('insert', $edit, $account, $category);
-      module_invoke_all('entity_insert', $account, 'user');
-
-      // Save user roles.
-      if (count($account->roles) > 1) {
-        $query = db_insert('users_roles')->fields(array('uid', 'rid'));
-        foreach (array_keys($account->roles) as $rid) {
-          if (!in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID))) {
-            $query->values(array(
-              'uid' => $account->uid,
-              'rid' => $rid,
-            ));
-          }
-        }
-        $query->execute();
-      }
-    }
-    // Clear internal properties.
-    unset($account->is_new);
-    unset($account->original);
-    // Clear the static loading cache.
-    entity_get_controller('user')->resetCache(array($account->uid));
-
-    return $account;
-  }
-  catch (Exception $e) {
-    $transaction->rollback();
-    watchdog_exception('user', $e);
-    throw $e;
-  }
-}
-
-/**
- * Verify the syntax of the given name.
- */
-function user_validate_name($name) {
-  if (!$name) {
-    return t('You must enter a username.');
-  }
-  if (substr($name, 0, 1) == ' ') {
-    return t('The username cannot begin with a space.');
-  }
-  if (substr($name, -1) == ' ') {
-    return t('The username cannot end with a space.');
-  }
-  if (strpos($name, '  ') !== FALSE) {
-    return t('The username cannot contain multiple spaces in a row.');
-  }
-  if (preg_match('/[^\x{80}-\x{F7} a-z0-9@_.\'-]/i', $name)) {
-    return t('The username contains an illegal character.');
-  }
-  if (preg_match('/[\x{80}-\x{A0}' .         // Non-printable ISO-8859-1 + NBSP
-                  '\x{AD}' .                // Soft-hyphen
-                  '\x{2000}-\x{200F}' .     // Various space characters
-                  '\x{2028}-\x{202F}' .     // Bidirectional text overrides
-                  '\x{205F}-\x{206F}' .     // Various text hinting characters
-                  '\x{FEFF}' .              // Byte order mark
-                  '\x{FF01}-\x{FF60}' .     // Full-width latin
-                  '\x{FFF9}-\x{FFFD}' .     // Replacement characters
-                  '\x{0}-\x{1F}]/u',        // NULL byte and control characters
-                  $name)) {
-    return t('The username contains an illegal character.');
-  }
-  if (drupal_strlen($name) > USERNAME_MAX_LENGTH) {
-    return t('The username %name is too long: it must be %max characters or less.', array('%name' => $name, '%max' => USERNAME_MAX_LENGTH));
-  }
-}
-
-/**
- * Validates a user's email address.
- *
- * Checks that a user's email address exists and follows all standard
- * validation rules. Returns error messages when the address is invalid.
- *
- * @param $mail
- *   A user's email address.
- *
- * @return
- *   If the address is invalid, a human-readable error message is returned.
- *   If the address is valid, nothing is returned.
- */
-function user_validate_mail($mail) {
-  if (!$mail) {
-    return t('You must enter an e-mail address.');
-  }
-  if (!valid_email_address($mail)) {
-    return t('The e-mail address %mail is not valid.', array('%mail' => $mail));
-  }
-}
-
-/**
- * Validates an image uploaded by a user.
- *
- * @see user_account_form()
- */
-function user_validate_picture(&$form, &$form_state) {
-  // If required, validate the uploaded picture.
-  $validators = array(
-    'file_validate_is_image' => array(),
-    'file_validate_image_resolution' => array(variable_get('user_picture_dimensions', '85x85')),
-    'file_validate_size' => array(variable_get('user_picture_file_size', '30') * 1024),
-  );
-
-  // Save the file as a temporary file.
-  $file = file_save_upload('picture_upload', $validators);
-  if ($file === FALSE) {
-    form_set_error('picture_upload', t("Failed to upload the picture image; the %directory directory doesn't exist or is not writable.", array('%directory' => variable_get('user_picture_path', 'pictures'))));
-  }
-  elseif ($file !== NULL) {
-    $form_state['values']['picture_upload'] = $file;
-  }
-}
-
-/**
- * Generate a random alphanumeric password.
- */
-function user_password($length = 10) {
-  // This variable contains the list of allowable characters for the
-  // password. Note that the number 0 and the letter 'O' have been
-  // removed to avoid confusion between the two. The same is true
-  // of 'I', 1, and 'l'.
-  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
-
-  // Zero-based count of characters in the allowable list:
-  $len = strlen($allowable_characters) - 1;
-
-  // Declare the password as a blank string.
-  $pass = '';
-
-  // Loop the number of times specified by $length.
-  for ($i = 0; $i < $length; $i++) {
-
-    // Each iteration, pick a random character from the
-    // allowable string and append it to the password:
-    $pass .= $allowable_characters[mt_rand(0, $len)];
-  }
-
-  return $pass;
-}
-
-/**
- * Determine the permissions for one or more roles.
- *
- * @param $roles
- *   An array whose keys are the role IDs of interest, such as $user->roles.
- *
- * @return
- *   An array indexed by role ID. Each value is an array whose keys are the
- *   permission strings for the given role ID.
- */
-function user_role_permissions($roles = array()) {
-  $cache = &drupal_static(__FUNCTION__, array());
-
-  $role_permissions = $fetch = array();
-
-  if ($roles) {
-    foreach ($roles as $rid => $name) {
-      if (isset($cache[$rid])) {
-        $role_permissions[$rid] = $cache[$rid];
-      }
-      else {
-        // Add this rid to the list of those needing to be fetched.
-        $fetch[] = $rid;
-        // Prepare in case no permissions are returned.
-        $cache[$rid] = array();
-      }
-    }
-
-    if ($fetch) {
-      // Get from the database permissions that were not in the static variable.
-      // Only role IDs with at least one permission assigned will return rows.
-      $result = db_query("SELECT rid, permission FROM {role_permission} WHERE rid IN (:fetch)", array(':fetch' => $fetch));
-
-      foreach ($result as $row) {
-        $cache[$row->rid][$row->permission] = TRUE;
-      }
-      foreach ($fetch as $rid) {
-        // For every rid, we know we at least assigned an empty array.
-        $role_permissions[$rid] = $cache[$rid];
-      }
-    }
-  }
-
-  return $role_permissions;
-}
-
-/**
- * Determine whether the user has a given privilege.
- *
- * @param $string
- *   The permission, such as "administer nodes", being checked for.
- * @param $account
- *   (optional) The account to check, if not given use currently logged in user.
- *
- * @return
- *   Boolean TRUE if the current user has the requested permission.
- *
- * All permission checks in Drupal should go through this function. This
- * way, we guarantee consistent behavior, and ensure that the superuser
- * can perform all actions.
- */
-function user_access($string, $account = NULL) {
-  global $user;
-
-  if (!isset($account)) {
-    $account = $user;
-  }
-
-  // User #1 has all privileges:
-  if ($account->uid == 1) {
-    return TRUE;
-  }
-
-  // To reduce the number of SQL queries, we cache the user's permissions
-  // in a static variable.
-  // Use the advanced drupal_static() pattern, since this is called very often.
-  static $drupal_static_fast;
-  if (!isset($drupal_static_fast)) {
-    $drupal_static_fast['perm'] = &drupal_static(__FUNCTION__);
-  }
-  $perm = &$drupal_static_fast['perm'];
-  if (!isset($perm[$account->uid])) {
-    $role_permissions = user_role_permissions($account->roles);
-
-    $perms = array();
-    foreach ($role_permissions as $one_role) {
-      $perms += $one_role;
-    }
-    $perm[$account->uid] = $perms;
-  }
-
-  return isset($perm[$account->uid][$string]);
-}
-
-/**
- * Checks for usernames blocked by user administration.
- *
- * @param $name
- *   A string containing a name of the user.
- *
- * @return
- *   Object with property 'name' (the user name), if the user is blocked;
- *   FALSE if the user is not blocked.
- */
-function user_is_blocked($name) {
-  return db_select('users')
-    ->fields('users', array('name'))
-    ->condition('name', db_like($name), 'LIKE')
-    ->condition('status', 0)
-    ->execute()->fetchObject();
-}
-
-/**
- * Implements hook_permission().
- */
-function user_permission() {
-  return array(
-    'administer permissions' =>  array(
-      'title' => t('Administer permissions'),
-      'restrict access' => TRUE,
-    ),
-    'administer users' => array(
-      'title' => t('Administer users'),
-      'restrict access' => TRUE,
-    ),
-    'access user profiles' => array(
-      'title' => t('View user profiles'),
-    ),
-    'change own username' => array(
-      'title' => t('Change own username'),
-    ),
-    'cancel account' => array(
-      'title' => t('Cancel own user account'),
-      'description' => t('Note: content may be kept, unpublished, deleted or transferred to the %anonymous-name user depending on the configured <a href="@user-settings-url">user settings</a>.', array('%anonymous-name' => variable_get('anonymous', t('Anonymous')), '@user-settings-url' => url('admin/config/people/accounts'))),
-    ),
-    'select account cancellation method' => array(
-      'title' => t('Select method for cancelling own account'),
-      'restrict access' => TRUE,
-    ),
-  );
-}
-
-/**
- * Implements hook_file_download().
- *
- * Ensure that user pictures (avatars) are always downloadable.
- */
-function user_file_download($uri) {
-  if (strpos(file_uri_target($uri), variable_get('user_picture_path', 'pictures') . '/picture-') === 0) {
-    $info = image_get_info($uri);
-    return array('Content-Type' => $info['mime_type']);
-  }
-}
-
-/**
- * Implements hook_file_move().
- */
-function user_file_move($file, $source) {
-  // If a user's picture is replaced with a new one, update the record in
-  // the users table.
-  if (isset($file->fid) && isset($source->fid) && $file->fid != $source->fid) {
-    db_update('users')
-      ->fields(array(
-        'picture' => $file->fid,
-      ))
-      ->condition('picture', $source->fid)
-      ->execute();
-  }
-}
-
-/**
- * Implements hook_file_delete().
- */
-function user_file_delete($file) {
-  // Remove any references to the file.
-  db_update('users')
-    ->fields(array('picture' => 0))
-    ->condition('picture', $file->fid)
-    ->execute();
-}
-
-/**
- * Implements hook_search_info().
- */
-function user_search_info() {
-  return array(
-    'title' => 'Users',
-  );
-}
-
-/**
- * Implements hook_search_access().
- */
-function user_search_access() {
-  return user_access('access user profiles');
-}
-
-/**
- * Implements hook_search_execute().
- */
-function user_search_execute($keys = NULL, $conditions = NULL) {
-  $find = array();
-  // Replace wildcards with MySQL/PostgreSQL wildcards.
-  $keys = preg_replace('!\*+!', '%', $keys);
-  $query = db_select('users')->extend('PagerDefault');
-  $query->fields('users', array('uid'));
-  if (user_access('administer users')) {
-    // Administrators can also search in the otherwise private email field,
-    // and they don't need to be restricted to only active users.
-    $query->fields('users', array('mail'));
-    $query->condition(db_or()->
-      condition('name', '%' . db_like($keys) . '%', 'LIKE')->
-      condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
-  }
-  else {
-    // Regular users can only search via usernames, and we do not show them
-    // blocked accounts.
-    $query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
-      ->condition('status', 1);
-  }
-  $uids = $query
-    ->limit(15)
-    ->execute()
-    ->fetchCol();
-  $accounts = user_load_multiple($uids);
-
-  $results = array();
-  foreach ($accounts as $account) {
-    $result = array(
-      'title' => format_username($account),
-      'link' => url('user/' . $account->uid, array('absolute' => TRUE)),
-    );
-    if (user_access('administer users')) {
-      $result['title'] .= ' (' . $account->mail . ')';
-    }
-    $results[] = $result;
-  }
-
-  return $results;
-}
-
-/**
- * Implements hook_element_info().
- */
-function user_element_info() {
-  $types['user_profile_category'] = array(
-    '#theme_wrappers' => array('user_profile_category'),
-  );
-  $types['user_profile_item'] = array(
-    '#theme' => 'user_profile_item',
-  );
-  return $types;
-}
-
-/**
- * Implements hook_user_view().
- */
-function user_user_view($account) {
-  $account->content['user_picture'] = array(
-    '#markup' => theme('user_picture', array('account' => $account)),
-    '#weight' => -10,
-  );
-  if (!isset($account->content['summary'])) {
-    $account->content['summary'] = array();
-  }
-  $account->content['summary'] += array(
-    '#type' => 'user_profile_category',
-    '#attributes' => array('class' => array('user-member')),
-    '#weight' => 5,
-    '#title' => t('History'),
-  );
-  $account->content['summary']['member_for'] = array(
-    '#type' => 'user_profile_item',
-    '#title' => t('Member for'),
-    '#markup' => format_interval(REQUEST_TIME - $account->created),
-  );
-}
-
-/**
- * Helper function to add default user account fields to user registration and edit form.
- *
- * @see user_account_form_validate()
- * @see user_validate_current_pass()
- * @see user_validate_picture()
- * @see user_validate_mail()
- */
-function user_account_form(&$form, &$form_state) {
-  global $user;
-
-  $account = $form['#user'];
-  $register = ($form['#user']->uid > 0 ? FALSE : TRUE);
-
-  $admin = user_access('administer users');
-
-  $form['#validate'][] = 'user_account_form_validate';
-
-  // Account information.
-  $form['account'] = array(
-    '#type'   => 'container',
-    '#weight' => -10,
-  );
-  // Only show name field on registration form or user can change own username.
-  $form['account']['name'] = array(
-    '#type' => 'textfield',
-    '#title' => t('Username'),
-    '#maxlength' => USERNAME_MAX_LENGTH,
-    '#description' => t('Spaces are allowed; punctuation is not allowed except for periods, hyphens, apostrophes, and underscores.'),
-    '#required' => TRUE,
-    '#attributes' => array('class' => array('username')),
-    '#default_value' => (!$register ? $account->name : ''),
-    '#access' => ($register || ($user->uid == $account->uid && user_access('change own username')) || $admin),
-    '#weight' => -10,
-  );
-
-  $form['account']['mail'] = array(
-    '#type' => 'textfield',
-    '#title' => t('E-mail address'),
-    '#maxlength' => EMAIL_MAX_LENGTH,
-    '#description' => t('A valid e-mail address. All e-mails from the system will be sent to this address. The e-mail address is not made public and will only be used if you wish to receive a new password or wish to receive certain news or notifications by e-mail.'),
-    '#required' => TRUE,
-    '#default_value' => (!$register ? $account->mail : ''),
-  );
-
-  // Display password field only for existing users or when user is allowed to
-  // assign a password during registration.
-  if (!$register) {
-    $form['account']['pass'] = array(
-      '#type' => 'password_confirm',
-      '#size' => 25,
-      '#description' => t('To change the current user password, enter the new password in both fields.'),
-    );
-    // To skip the current password field, the user must have logged in via a
-    // one-time link and have the token in the URL.
-    $pass_reset = isset($_SESSION['pass_reset_' . $account->uid]) && isset($_GET['pass-reset-token']) && ($_GET['pass-reset-token'] == $_SESSION['pass_reset_' . $account->uid]);
-    $protected_values = array();
-    $current_pass_description = '';
-    // The user may only change their own password without their current
-    // password if they logged in via a one-time login link.
-    if (!$pass_reset) {
-      $protected_values['mail'] = $form['account']['mail']['#title'];
-      $protected_values['pass'] = t('Password');
-      $request_new = l(t('Request new password'), 'user/password', array('attributes' => array('title' => t('Request new password via e-mail.'))));
-      $current_pass_description = t('Enter your current password to change the %mail or %pass. !request_new.', array('%mail' => $protected_values['mail'], '%pass' => $protected_values['pass'], '!request_new' => $request_new));
-    }
-    // The user must enter their current password to change to a new one.
-    if ($user->uid == $account->uid) {
-      $form['account']['current_pass_required_values'] = array(
-        '#type' => 'value',
-        '#value' => $protected_values,
-      );
-      $form['account']['current_pass'] = array(
-        '#type' => 'password',
-        '#title' => t('Current password'),
-        '#size' => 25,
-        '#access' => !empty($protected_values),
-        '#description' => $current_pass_description,
-        '#weight' => -5,
-        // Do not let web browsers remember this password, since we are trying
-        // to confirm that the person submitting the form actually knows the
-        // current one.
-        '#attributes' => array('autocomplete' => 'off'),
-      );
-      $form['#validate'][] = 'user_validate_current_pass';
-    }
-  }
-  elseif (!variable_get('user_email_verification', TRUE) || $admin) {
-    $form['account']['pass'] = array(
-      '#type' => 'password_confirm',
-      '#size' => 25,
-      '#description' => t('Provide a password for the new account in both fields.'),
-      '#required' => TRUE,
-    );
-  }
-
-  if ($admin) {
-    $status = isset($account->status) ? $account->status : 1;
-  }
-  else {
-    $status = $register ? variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS : $account->status;
-  }
-  $form['account']['status'] = array(
-    '#type' => 'radios',
-    '#title' => t('Status'),
-    '#default_value' => $status,
-    '#options' => array(t('Blocked'), t('Active')),
-    '#access' => $admin,
-  );
-
-  $roles = array_map('check_plain', user_roles(TRUE));
-  // The disabled checkbox subelement for the 'authenticated user' role
-  // must be generated separately and added to the checkboxes element,
-  // because of a limitation in Form API not supporting a single disabled
-  // checkbox within a set of checkboxes.
-  // @todo This should be solved more elegantly. See issue #119038.
-  $checkbox_authenticated = array(
-    '#type' => 'checkbox',
-    '#title' => $roles[DRUPAL_AUTHENTICATED_RID],
-    '#default_value' => TRUE,
-    '#disabled' => TRUE,
-  );
-  unset($roles[DRUPAL_AUTHENTICATED_RID]);
-  $form['account']['roles'] = array(
-    '#type' => 'checkboxes',
-    '#title' => t('Roles'),
-    '#default_value' => (!$register && isset($account->roles) ? array_keys($account->roles) : array()),
-    '#options' => $roles,
-    '#access' => $roles && user_access('administer permissions'),
-    DRUPAL_AUTHENTICATED_RID => $checkbox_authenticated,
-  );
-
-  $form['account']['notify'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Notify user of new account'),
-    '#access' => $register && $admin,
-  );
-
-  // Signature.
-  $form['signature_settings'] = array(
-    '#type' => 'fieldset',
-    '#title' => t('Signature settings'),
-    '#weight' => 1,
-    '#access' => (!$register && variable_get('user_signatures', 0)),
-  );
-
-  $form['signature_settings']['signature'] = array(
-    '#type' => 'text_format',
-    '#title' => t('Signature'),
-    '#default_value' => isset($account->signature) ? $account->signature : '',
-    '#description' => t('Your signature will be publicly displayed at the end of your comments.'),
-    '#format' => isset($account->signature_format) ? $account->signature_format : NULL,
-  );
-
-  // Picture/avatar.
-  $form['picture'] = array(
-    '#type' => 'fieldset',
-    '#title' => t('Picture'),
-    '#weight' => 1,
-    '#access' => (!$register && variable_get('user_pictures', 0)),
-  );
-  $form['picture']['picture'] = array(
-    '#type' => 'value',
-    '#value' => isset($account->picture) ? $account->picture : NULL,
-  );
-  $form['picture']['picture_current'] = array(
-    '#markup' => theme('user_picture', array('account' => $account)),
-  );
-  $form['picture']['picture_delete'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Delete picture'),
-    '#access' => !empty($account->picture->fid),
-    '#description' => t('Check this box to delete your current picture.'),
-  );
-  $form['picture']['picture_upload'] = array(
-    '#type' => 'file',
-    '#title' => t('Upload picture'),
-    '#size' => 48,
-    '#description' => t('Your virtual face or picture. Pictures larger than @dimensions pixels will be scaled down.', array('@dimensions' => variable_get('user_picture_dimensions', '85x85'))) . ' ' . filter_xss_admin(variable_get('user_picture_guidelines', '')),
-  );
-  $form['#validate'][] = 'user_validate_picture';
-}
-
-/**
- * Form validation handler for the current password on the user_account_form().
- *
- * @see user_account_form()
- */
-function user_validate_current_pass(&$form, &$form_state) {
-  $account = $form['#user'];
-  foreach ($form_state['values']['current_pass_required_values'] as $key => $name) {
-    // This validation only works for required textfields (like mail) or
-    // form values like password_confirm that have their own validation
-    // that prevent them from being empty if they are changed.
-    if ((strlen(trim($form_state['values'][$key])) > 0) && ($form_state['values'][$key] != $account->$key)) {
-      require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
-      $current_pass_failed = empty($form_state['values']['current_pass']) || !user_check_password($form_state['values']['current_pass'], $account);
-      if ($current_pass_failed) {
-        form_set_error('current_pass', t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => $name)));
-        form_set_error($key);
-      }
-      // We only need to check the password once.
-      break;
-    }
-  }
-}
-
-/**
- * Form validation handler for user_account_form().
- *
- * @see user_account_form()
- */
-function user_account_form_validate($form, &$form_state) {
-  if ($form['#user_category'] == 'account' || $form['#user_category'] == 'register') {
-    $account = $form['#user'];
-    // Validate new or changing username.
-    if (isset($form_state['values']['name'])) {
-      if ($error = user_validate_name($form_state['values']['name'])) {
-        form_set_error('name', $error);
-      }
-      elseif ((bool) db_select('users')->fields('users', array('uid'))->condition('uid', $account->uid, '<>')->condition('name', db_like($form_state['values']['name']), 'LIKE')->range(0, 1)->execute()->fetchField()) {
-        form_set_error('name', t('The name %name is already taken.', array('%name' => $form_state['values']['name'])));
-      }
-    }
-
-    // Trim whitespace from mail, to prevent confusing 'e-mail not valid'
-    // warnings often caused by cutting and pasting.
-    $mail = trim($form_state['values']['mail']);
-    form_set_value($form['account']['mail'], $mail, $form_state);
-
-    // Validate the e-mail address, and check if it is taken by an existing user.
-    if ($error = user_validate_mail($form_state['values']['mail'])) {
-      form_set_error('mail', $error);
-    }
-    elseif ((bool) db_select('users')->fields('users', array('uid'))->condition('uid', $account->uid, '<>')->condition('mail', db_like($form_state['values']['mail']), 'LIKE')->range(0, 1)->execute()->fetchField()) {
-      // Format error message dependent on whether the user is logged in or not.
-      if ($GLOBALS['user']->uid) {
-        form_set_error('mail', t('The e-mail address %email is already taken.', array('%email' => $form_state['values']['mail'])));
-      }
-      else {
-        form_set_error('mail', t('The e-mail address %email is already registered. <a href="@password">Have you forgotten your password?</a>', array('%email' => $form_state['values']['mail'], '@password' => url('user/password'))));
-      }
-    }
-
-    // Make sure the signature isn't longer than the size of the database field.
-    // Signatures are disabled by default, so make sure it exists first.
-    if (isset($form_state['values']['signature'])) {
-      // Move text format for user signature into 'signature_format'.
-      $form_state['values']['signature_format'] = $form_state['values']['signature']['format'];
-      // Move text value for user signature into 'signature'.
-      $form_state['values']['signature'] = $form_state['values']['signature']['value'];
-
-      $user_schema = drupal_get_schema('users');
-      if (drupal_strlen($form_state['values']['signature']) > $user_schema['fields']['signature']['length']) {
-        form_set_error('signature', t('The signature is too long: it must be %max characters or less.', array('%max' => $user_schema['fields']['signature']['length'])));
-      }
-    }
-  }
-}
-
-/**
- * Implements hook_user_presave().
- */
-function user_user_presave(&$edit, $account, $category) {
-  if ($category == 'account' || $category == 'register') {
-    if (!empty($edit['picture_upload'])) {
-      $edit['picture'] = $edit['picture_upload'];
-    }
-    // Delete picture if requested, and if no replacement picture was given.
-    elseif (!empty($edit['picture_delete'])) {
-      $edit['picture'] = NULL;
-    }
-    // Prepare user roles.
-    if (isset($edit['roles'])) {
-      $edit['roles'] = array_filter($edit['roles']);
-    }
-  }
-
-  // Move account cancellation information into $user->data.
-  foreach (array('user_cancel_method', 'user_cancel_notify') as $key) {
-    if (isset($edit[$key])) {
-      $edit['data'][$key] = $edit[$key];
-    }
-  }
-}
-
-/**
- * Implements hook_user_categories().
- */
-function user_user_categories() {
-  return array(array(
-    'name' => 'account',
-    'title' => t('Account settings'),
-    'weight' => 1,
-  ));
-}
-
-function user_login_block($form) {
-  $form['#action'] = url(current_path(), array('query' => drupal_get_destination(), 'external' => FALSE));
-  $form['#id'] = 'user-login-form';
-  $form['#validate'] = user_login_default_validators();
-  $form['#submit'][] = 'user_login_submit';
-  $form['name'] = array('#type' => 'textfield',
-    '#title' => t('Username'),
-    '#maxlength' => USERNAME_MAX_LENGTH,
-    '#size' => 15,
-    '#required' => TRUE,
-  );
-  $form['pass'] = array('#type' => 'password',
-    '#title' => t('Password'),
-    '#size' => 15,
-    '#required' => TRUE,
-  );
-  $form['actions'] = array('#type' => 'actions');
-  $form['actions']['submit'] = array('#type' => 'submit',
-    '#value' => t('Log in'),
-  );
-  $items = array();
-  if (variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL)) {
-    $items[] = l(t('Create new account'), 'user/register', array('attributes' => array('title' => t('Create a new user account.'))));
-  }
-  $items[] = l(t('Request new password'), 'user/password', array('attributes' => array('title' => t('Request new password via e-mail.'))));
-  $form['links'] = array('#markup' => theme('item_list', array('items' => $items)));
-  return $form;
-}
-
-/**
- * Implements hook_block_info().
- */
-function user_block_info() {
-  global $user;
-
-  $blocks['login']['info'] = t('User login');
-  // Not worth caching.
-  $blocks['login']['cache'] = DRUPAL_NO_CACHE;
-
-  $blocks['new']['info'] = t('Who\'s new');
-  $blocks['new']['properties']['administrative'] = TRUE;
-
-  // Too dynamic to cache.
-  $blocks['online']['info'] = t('Who\'s online');
-  $blocks['online']['cache'] = DRUPAL_NO_CACHE;
-  $blocks['online']['properties']['administrative'] = TRUE;
-
-  return $blocks;
-}
-
-/**
- * Implements hook_block_configure().
- */
-function user_block_configure($delta = '') {
-  global $user;
-
-  switch ($delta) {
-    case 'new':
-      $form['user_block_whois_new_count'] = array(
-        '#type' => 'select',
-        '#title' => t('Number of users to display'),
-        '#default_value' => variable_get('user_block_whois_new_count', 5),
-        '#options' => drupal_map_assoc(array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10)),
-      );
-      return $form;
-
-    case 'online':
-      $period = drupal_map_assoc(array(30, 60, 120, 180, 300, 600, 900, 1800, 2700, 3600, 5400, 7200, 10800, 21600, 43200, 86400), 'format_interval');
-      $form['user_block_seconds_online'] = array('#type' => 'select', '#title' => t('User activity'), '#default_value' => variable_get('user_block_seconds_online', 900), '#options' => $period, '#description' => t('A user is considered online for this long after they have last viewed a page.'));
-      $form['user_block_max_list_count'] = array('#type' => 'select', '#title' => t('User list length'), '#default_value' => variable_get('user_block_max_list_count', 10), '#options' => drupal_map_assoc(array(0, 5, 10, 15, 20, 25, 30, 40, 50, 75, 100)), '#description' => t('Maximum number of currently online users to display.'));
-      return $form;
-  }
-}
-
-/**
- * Implements hook_block_save().
- */
-function user_block_save($delta = '', $edit = array()) {
-  global $user;
-
-  switch ($delta) {
-    case 'new':
-      variable_set('user_block_whois_new_count', $edit['user_block_whois_new_count']);
-      break;
-
-    case 'online':
-      variable_set('user_block_seconds_online', $edit['user_block_seconds_online']);
-      variable_set('user_block_max_list_count', $edit['user_block_max_list_count']);
-      break;
-  }
-}
-
-/**
- * Implements hook_block_view().
- */
-function user_block_view($delta = '') {
-  global $user;
-
-  $block = array();
-
-  switch ($delta) {
-    case 'login':
-      // For usability's sake, avoid showing two login forms on one page.
-      if (!$user->uid && !(arg(0) == 'user' && !is_numeric(arg(1)))) {
-
-        $block['subject'] = t('User login');
-        $block['content'] = drupal_get_form('user_login_block');
-      }
-      return $block;
-
-    case 'new':
-      if (user_access('access content')) {
-        // Retrieve a list of new users who have subsequently accessed the site successfully.
-        $items = db_query_range('SELECT uid, name FROM {users} WHERE status <> 0 AND access <> 0 ORDER BY created DESC', 0, variable_get('user_block_whois_new_count', 5))->fetchAll();
-        $output = theme('user_list', array('users' => $items));
-
-        $block['subject'] = t('Who\'s new');
-        $block['content'] = $output;
-      }
-      return $block;
-
-    case 'online':
-      if (user_access('access content')) {
-        // Count users active within the defined period.
-        $interval = REQUEST_TIME - variable_get('user_block_seconds_online', 900);
-
-        // Perform database queries to gather online user lists. We use s.timestamp
-        // rather than u.access because it is much faster.
-        $authenticated_count = db_query("SELECT COUNT(DISTINCT s.uid) FROM {sessions} s WHERE s.timestamp >= :timestamp AND s.uid > 0", array(':timestamp' => $interval))->fetchField();
-
-        $output = '<p>' . format_plural($authenticated_count, 'There is currently 1 user online.', 'There are currently @count users online.') . '</p>';
-
-        // Display a list of currently online users.
-        $max_users = variable_get('user_block_max_list_count', 10);
-        if ($authenticated_count && $max_users) {
-          $items = db_query_range('SELECT u.uid, u.name, MAX(s.timestamp) AS max_timestamp FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.timestamp >= :interval AND s.uid > 0 GROUP BY u.uid, u.name ORDER BY max_timestamp DESC', 0, $max_users, array(':interval' => $interval))->fetchAll();
-          $output .= theme('user_list', array('users' => $items));
-        }
-
-        $block['subject'] = t('Who\'s online');
-        $block['content'] = $output;
-      }
-      return $block;
-  }
-}
-
-/**
- * Process variables for user-picture.tpl.php.
- *
- * The $variables array contains the following arguments:
- * - $account: A user, node or comment object with 'name', 'uid' and 'picture'
- *   fields.
- *
- * @see user-picture.tpl.php
- */
-function template_preprocess_user_picture(&$variables) {
-  $variables['user_picture'] = '';
-  if (variable_get('user_pictures', 0)) {
-    $account = $variables['account'];
-    if (!empty($account->picture)) {
-      // @TODO: Ideally this function would only be passed file objects, but
-      // since there's a lot of legacy code that JOINs the {users} table to
-      // {node} or {comments} and passes the results into this function if we
-      // a numeric value in the picture field we'll assume it's a file id
-      // and load it for them. Once we've got user_load_multiple() and
-      // comment_load_multiple() functions the user module will be able to load
-      // the picture files in mass during the object's load process.
-      if (is_numeric($account->picture)) {
-        $account->picture = file_load($account->picture);
-      }
-      if (!empty($account->picture->uri)) {
-        $filepath = $account->picture->uri;
-      }
-    }
-    elseif (variable_get('user_picture_default', '')) {
-      $filepath = variable_get('user_picture_default', '');
-    }
-    if (isset($filepath)) {
-      $alt = t("@user's picture", array('@user' => format_username($account)));
-      // If the image does not have a valid Drupal scheme (for eg. HTTP),
-      // don't load image styles.
-      if (module_exists('image') && file_valid_uri($filepath) && $style = variable_get('user_picture_style', '')) {
-        $variables['user_picture'] = theme('image_style', array('style_name' => $style, 'path' => $filepath, 'alt' => $alt, 'title' => $alt));
-      }
-      else {
-        $variables['user_picture'] = theme('image', array('path' => $filepath, 'alt' => $alt, 'title' => $alt));
-      }
-      if (!empty($account->uid) && user_access('access user profiles')) {
-        $attributes = array('attributes' => array('title' => t('View user profile.')), 'html' => TRUE);
-        $variables['user_picture'] = l($variables['user_picture'], "user/$account->uid", $attributes);
-      }
-    }
-  }
-}
-
-/**
- * Returns HTML for a list of users.
- *
- * @param $variables
- *   An associative array containing:
- *   - users: An array with user objects. Should contain at least the name and
- *     uid.
- *   - title: (optional) Title to pass on to theme_item_list().
- *
- * @ingroup themeable
- */
-function theme_user_list($variables) {
-  $users = $variables['users'];
-  $title = $variables['title'];
-  $items = array();
-
-  if (!empty($users)) {
-    foreach ($users as $user) {
-      $items[] = theme('username', array('account' => $user));
-    }
-  }
-  return theme('item_list', array('items' => $items, 'title' => $title));
-}
-
-/**
- * Determines if the current user is anonymous.
- *
- * @return bool
- *   TRUE if the user is anonymous, FALSE if the user is authenticated.
- */
-function user_is_anonymous() {
-  // Menu administrators can see items for anonymous when administering.
-  return !$GLOBALS['user']->uid || !empty($GLOBALS['menu_admin']);
-}
-
-/**
- * Determines if the current user is logged in.
- *
- * @return bool
- *   TRUE if the user is logged in, FALSE if the user is anonymous.
- */
-function user_is_logged_in() {
-  return (bool) $GLOBALS['user']->uid;
-}
-
-/**
- * Determines if the current user has access to the user registration page.
- *
- * @return bool
- *   TRUE if the user is not already logged in and can register for an account.
- */
-function user_register_access() {
-  return user_is_anonymous() && variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
-}
-
-/**
- * User view access callback.
- *
- * @param $account
- *   Can either be a full user object or a $uid.
- */
-function user_view_access($account) {
-  $uid = is_object($account) ? $account->uid : (int) $account;
-
-  // Never allow access to view the anonymous user account.
-  if ($uid) {
-    // Admins can view all, users can view own profiles at all times.
-    if ($GLOBALS['user']->uid == $uid || user_access('administer users')) {
-      return TRUE;
-    }
-    elseif (user_access('access user profiles')) {
-      // At this point, load the complete account object.
-      if (!is_object($account)) {
-        $account = user_load($uid);
-      }
-      return (is_object($account) && $account->status);
-    }
-  }
-  return FALSE;
-}
-
-/**
- * Access callback for user account editing.
- */
-function user_edit_access($account) {
-  return (($GLOBALS['user']->uid == $account->uid) || user_access('administer users')) && $account->uid > 0;
-}
-
-/**
- * Menu access callback; limit access to account cancellation pages.
- *
- * Limit access to users with the 'cancel account' permission or administrative
- * users, and prevent the anonymous user from cancelling the account.
- */
-function user_cancel_access($account) {
-  return ((($GLOBALS['user']->uid == $account->uid) && user_access('cancel account')) || user_access('administer users')) && $account->uid > 0;
-}
-
-/**
- * Implements hook_menu().
- */
-function user_menu() {
-  $items['user/autocomplete'] = array(
-    'title' => 'User autocomplete',
-    'page callback' => 'user_autocomplete',
-    'access callback' => 'user_access',
-    'access arguments' => array('access user profiles'),
-    'type' => MENU_CALLBACK,
-    'file' => 'user.pages.inc',
-  );
-
-  // Registration and login pages.
-  $items['user'] = array(
-    'title' => 'User account',
-    'title callback' => 'user_menu_title',
-    'page callback' => 'user_page',
-    'access callback' => TRUE,
-    'file' => 'user.pages.inc',
-    'weight' => -10,
-    'menu_name' => 'user-menu',
-  );
-
-  $items['user/login'] = array(
-    'title' => 'Log in',
-    'access callback' => 'user_is_anonymous',
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-  );
-
-  $items['user/register'] = array(
-    'title' => 'Create new account',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_register_form'),
-    'access callback' => 'user_register_access',
-    'type' => MENU_LOCAL_TASK,
-  );
-
-  $items['user/password'] = array(
-    'title' => 'Request new password',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_pass'),
-    'access callback' => TRUE,
-    'type' => MENU_LOCAL_TASK,
-    'file' => 'user.pages.inc',
-  );
-  $items['user/reset/%/%/%'] = array(
-    'title' => 'Reset password',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_pass_reset', 2, 3, 4),
-    'access callback' => TRUE,
-    'type' => MENU_CALLBACK,
-    'file' => 'user.pages.inc',
-  );
-
-  $items['user/logout'] = array(
-    'title' => 'Log out',
-    'access callback' => 'user_is_logged_in',
-    'page callback' => 'user_logout',
-    'weight' => 10,
-    'menu_name' => 'user-menu',
-    'file' => 'user.pages.inc',
-  );
-
-  // User listing pages.
-  $items['admin/people'] = array(
-    'title' => 'People',
-    'description' => 'Manage user accounts, roles, and permissions.',
-    'page callback' => 'user_admin',
-    'page arguments' => array('list'),
-    'access arguments' => array('administer users'),
-    'position' => 'left',
-    'weight' => -4,
-    'file' => 'user.admin.inc',
-  );
-  $items['admin/people/people'] = array(
-    'title' => 'List',
-    'description' => 'Find and manage people interacting with your site.',
-    'access arguments' => array('administer users'),
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-    'weight' => -10,
-    'file' => 'user.admin.inc',
-  );
-
-  // Permissions and role forms.
-  $items['admin/people/permissions'] = array(
-    'title' => 'Permissions',
-    'description' => 'Determine access to features by selecting permissions for roles.',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_admin_permissions'),
-    'access arguments' => array('administer permissions'),
-    'file' => 'user.admin.inc',
-    'type' => MENU_LOCAL_TASK,
-  );
-  $items['admin/people/permissions/list'] = array(
-    'title' => 'Permissions',
-    'description' => 'Determine access to features by selecting permissions for roles.',
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-    'weight' => -8,
-  );
-  $items['admin/people/permissions/roles'] = array(
-    'title' => 'Roles',
-    'description' => 'List, edit, or add user roles.',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_admin_roles'),
-    'access arguments' => array('administer permissions'),
-    'file' => 'user.admin.inc',
-    'type' => MENU_LOCAL_TASK,
-    'weight' => -5,
-  );
-  $items['admin/people/permissions/roles/edit/%user_role'] = array(
-    'title' => 'Edit role',
-    'page arguments' => array('user_admin_role', 5),
-    'access callback' => 'user_role_edit_access',
-    'access arguments' => array(5),
-  );
-  $items['admin/people/permissions/roles/delete/%user_role'] = array(
-    'title' => 'Delete role',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_admin_role_delete_confirm', 5),
-    'access callback' => 'user_role_edit_access',
-    'access arguments' => array(5),
-    'file' => 'user.admin.inc',
-  );
-
-  $items['admin/people/create'] = array(
-    'title' => 'Add user',
-    'page arguments' => array('create'),
-    'access arguments' => array('administer users'),
-    'type' => MENU_LOCAL_ACTION,
-  );
-
-  // Administration pages.
-  $items['admin/config/people'] = array(
-   'title' => 'People',
-   'description' => 'Configure user accounts.',
-   'position' => 'left',
-   'weight' => -20,
-   'page callback' => 'system_admin_menu_block_page',
-   'access arguments' => array('access administration pages'),
-   'file' => 'system.admin.inc',
-   'file path' => drupal_get_path('module', 'system'),
-  );
-  $items['admin/config/people/accounts'] = array(
-    'title' => 'Account settings',
-    'description' => 'Configure default behavior of users, including registration requirements, e-mails, fields, and user pictures.',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_admin_settings'),
-    'access arguments' => array('administer users'),
-    'file' => 'user.admin.inc',
-    'weight' => -10,
-  );
-  $items['admin/config/people/accounts/settings'] = array(
-    'title' => 'Settings',
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-    'weight' => -10,
-  );
-
-  $items['user/%user'] = array(
-    'title' => 'My account',
-    'title callback' => 'user_page_title',
-    'title arguments' => array(1),
-    'page callback' => 'user_view_page',
-    'page arguments' => array(1),
-    'access callback' => 'user_view_access',
-    'access arguments' => array(1),
-    // By assigning a different menu name, this item (and all registered child
-    // paths) are no longer considered as children of 'user'. When accessing the
-    // user account pages, the preferred menu link that is used to build the
-    // active trail (breadcrumb) will be found in this menu (unless there is
-    // more specific link), so the link to 'user' will not be in the breadcrumb.
-    'menu_name' => 'navigation',
-  );
-
-  $items['user/%user/view'] = array(
-    'title' => 'View',
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-    'weight' => -10,
-  );
-
-  $items['user/%user/cancel'] = array(
-    'title' => 'Cancel account',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_cancel_confirm_form', 1),
-    'access callback' => 'user_cancel_access',
-    'access arguments' => array(1),
-    'file' => 'user.pages.inc',
-  );
-
-  $items['user/%user/cancel/confirm/%/%'] = array(
-    'title' => 'Confirm account cancellation',
-    'page callback' => 'user_cancel_confirm',
-    'page arguments' => array(1, 4, 5),
-    'access callback' => 'user_cancel_access',
-    'access arguments' => array(1),
-    'file' => 'user.pages.inc',
-  );
-
-  $items['user/%user/edit'] = array(
-    'title' => 'Edit',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_profile_form', 1),
-    'access callback' => 'user_edit_access',
-    'access arguments' => array(1),
-    'type' => MENU_LOCAL_TASK,
-    'file' => 'user.pages.inc',
-  );
-
-  $items['user/%user_category/edit/account'] = array(
-    'title' => 'Account',
-    'type' => MENU_DEFAULT_LOCAL_TASK,
-    'load arguments' => array('%map', '%index'),
-  );
-
-  if (($categories = _user_categories()) && (count($categories) > 1)) {
-    foreach ($categories as $key => $category) {
-      // 'account' is already handled by the MENU_DEFAULT_LOCAL_TASK.
-      if ($category['name'] != 'account') {
-        $items['user/%user_category/edit/' . $category['name']] = array(
-          'title callback' => 'check_plain',
-          'title arguments' => array($category['title']),
-          'page callback' => 'drupal_get_form',
-          'page arguments' => array('user_profile_form', 1, 3),
-          'access callback' => isset($category['access callback']) ? $category['access callback'] : 'user_edit_access',
-          'access arguments' => isset($category['access arguments']) ? $category['access arguments'] : array(1),
-          'type' => MENU_LOCAL_TASK,
-          'weight' => $category['weight'],
-          'load arguments' => array('%map', '%index'),
-          'tab_parent' => 'user/%/edit',
-          'file' => 'user.pages.inc',
-        );
-      }
-    }
-  }
-  return $items;
-}
-
-/**
- * Implements hook_menu_site_status_alter().
- */
-function user_menu_site_status_alter(&$menu_site_status, $path) {
-  if ($menu_site_status == MENU_SITE_OFFLINE) {
-    // If the site is offline, log out unprivileged users.
-    if (user_is_logged_in() && !user_access('access site in maintenance mode')) {
-      module_load_include('pages.inc', 'user', 'user');
-      user_logout();
-    }
-
-    if (user_is_anonymous()) {
-      switch ($path) {
-        case 'user':
-          // Forward anonymous user to login page.
-          drupal_goto('user/login');
-        case 'user/login':
-        case 'user/password':
-          // Disable offline mode.
-          $menu_site_status = MENU_SITE_ONLINE;
-          break;
-        default:
-          if (strpos($path, 'user/reset/') === 0) {
-            // Disable offline mode.
-            $menu_site_status = MENU_SITE_ONLINE;
-          }
-          break;
-      }
-    }
-  }
-  if (user_is_logged_in()) {
-    if ($path == 'user/login') {
-      // If user is logged in, redirect to 'user' instead of giving 403.
-      drupal_goto('user');
-    }
-    if ($path == 'user/register') {
-      // Authenticated user should be redirected to user edit page.
-      drupal_goto('user/' . $GLOBALS['user']->uid . '/edit');
-    }
-  }
-}
-
-/**
- * Implements hook_menu_link_alter().
- */
-function user_menu_link_alter(&$link) {
-  // The path 'user' must be accessible for anonymous users, but only visible
-  // for authenticated users. Authenticated users should see "My account", but
-  // anonymous users should not see it at all. Therefore, invoke
-  // user_translated_menu_link_alter() to conditionally hide the link.
-  if ($link['link_path'] == 'user' && $link['module'] == 'system') {
-    $link['options']['alter'] = TRUE;
-  }
-
-  // Force the Logout link to appear on the top-level of 'user-menu' menu by
-  // default (i.e., unless it has been customized).
-  if ($link['link_path'] == 'user/logout' && $link['module'] == 'system' && empty($link['customized'])) {
-    $link['plid'] = 0;
-  }
-}
-
-/**
- * Implements hook_translated_menu_link_alter().
- */
-function user_translated_menu_link_alter(&$link) {
-  // Hide the "User account" link for anonymous users.
-  if ($link['link_path'] == 'user' && $link['module'] == 'system' && !$GLOBALS['user']->uid) {
-    $link['hidden'] = 1;
-  }
-}
-
-/**
- * Implements hook_admin_paths().
- */
-function user_admin_paths() {
-  $paths = array(
-    'user/*/cancel' => TRUE,
-    'user/*/edit' => TRUE,
-    'user/*/edit/*' => TRUE,
-  );
-  return $paths;
-}
-
-/**
- * Returns $arg or the user ID of the current user if $arg is '%' or empty.
- *
- * Deprecated. Use %user_uid_optional instead.
- *
- * @todo D8: Remove.
- */
-function user_uid_only_optional_to_arg($arg) {
-  return user_uid_optional_to_arg($arg);
-}
-
-/**
- * Load either a specified or the current user account.
- *
- * @param $uid
- *   An optional user ID of the user to load. If not provided, the current
- *   user's ID will be used.
- * @return
- *   A fully-loaded $user object upon successful user load, FALSE if user
- *   cannot be loaded.
- *
- * @see user_load()
- * @todo rethink the naming of this in Drupal 8.
- */
-function user_uid_optional_load($uid = NULL) {
-  if (!isset($uid)) {
-    $uid = $GLOBALS['user']->uid;
-  }
-  return user_load($uid);
-}
-
-/**
- * Return a user object after checking if any profile category in the path exists.
- */
-function user_category_load($uid, &$map, $index) {
-  static $user_categories, $accounts;
-
-  // Cache $account - this load function will get called for each profile tab.
-  if (!isset($accounts[$uid])) {
-    $accounts[$uid] = user_load($uid);
-  }
-  $valid = TRUE;
-  if ($account = $accounts[$uid]) {
-    // Since the path is like user/%/edit/category_name, the category name will
-    // be at a position 2 beyond the index corresponding to the % wildcard.
-    $category_index = $index + 2;
-    // Valid categories may contain slashes, and hence need to be imploded.
-    $category_path = implode('/', array_slice($map, $category_index));
-    if ($category_path) {
-      // Check that the requested category exists.
-      $valid = FALSE;
-      if (!isset($user_categories)) {
-        $user_categories = _user_categories();
-      }
-      foreach ($user_categories as $category) {
-        if ($category['name'] == $category_path) {
-          $valid = TRUE;
-          // Truncate the map array in case the category name had slashes.
-          $map = array_slice($map, 0, $category_index);
-          // Assign the imploded category name to the last map element.
-          $map[$category_index] = $category_path;
-          break;
-        }
-      }
-    }
-  }
-  return $valid ? $account : FALSE;
-}
-
-/**
- * Returns $arg or the user ID of the current user if $arg is '%' or empty.
- *
- * @todo rethink the naming of this in Drupal 8.
- */
-function user_uid_optional_to_arg($arg) {
-  // Give back the current user uid when called from eg. tracker, aka.
-  // with an empty arg. Also use the current user uid when called from
-  // the menu with a % for the current account link.
-  return empty($arg) || $arg == '%' ? $GLOBALS['user']->uid : $arg;
-}
-
-/**
- * Menu item title callback for the 'user' path.
- *
- * Anonymous users should see "User account", but authenticated users are
- * expected to see "My account".
- */
-function user_menu_title() {
-  return user_is_logged_in() ? t('My account') : t('User account');
-}
-
-/**
- * Menu item title callback - use the user name.
- */
-function user_page_title($account) {
-  return is_object($account) ? format_username($account) : '';
-}
-
-/**
- * Discover which external authentication module(s) authenticated a username.
- *
- * @param $authname
- *   A username used by an external authentication module.
- * @return
- *   An associative array with module as key and username as value.
- */
-function user_get_authmaps($authname = NULL) {
-  $authmaps = db_query("SELECT module, authname FROM {authmap} WHERE authname = :authname", array(':authname' => $authname))->fetchAllKeyed();
-  return count($authmaps) ? $authmaps : 0;
-}
-
-/**
- * Save mappings of which external authentication module(s) authenticated
- * a user. Maps external usernames to user ids in the users table.
- *
- * @param $account
- *   A user object.
- * @param $authmaps
- *   An associative array with a compound key and the username as the value.
- *   The key is made up of 'authname_' plus the name of the external authentication
- *   module.
- * @see user_external_login_register()
- */
-function user_set_authmaps($account, $authmaps) {
-  foreach ($authmaps as $key => $value) {
-    $module = explode('_', $key, 2);
-    if ($value) {
-      db_merge('authmap')
-        ->key(array(
-          'uid' => $account->uid,
-          'module' => $module[1],
-        ))
-        ->fields(array('authname' => $value))
-        ->execute();
-    }
-    else {
-      db_delete('authmap')
-        ->condition('uid', $account->uid)
-        ->condition('module', $module[1])
-        ->execute();
-    }
-  }
-}
-
-/**
- * Form builder; the main user login form.
- *
- * @ingroup forms
- */
-function user_login($form, &$form_state) {
-  global $user;
-
-  // If we are already logged on, go to the user page instead.
-  if ($user->uid) {
-    drupal_goto('user/' . $user->uid);
-  }
-
-  // Display login form:
-  $form['name'] = array('#type' => 'textfield',
-    '#title' => t('Username'),
-    '#size' => 60,
-    '#maxlength' => USERNAME_MAX_LENGTH,
-    '#required' => TRUE,
-  );
-
-  $form['name']['#description'] = t('Enter your @s username.', array('@s' => variable_get('site_name', 'Drupal')));
-  $form['pass'] = array('#type' => 'password',
-    '#title' => t('Password'),
-    '#description' => t('Enter the password that accompanies your username.'),
-    '#required' => TRUE,
-  );
-  $form['#validate'] = user_login_default_validators();
-  $form['actions'] = array('#type' => 'actions');
-  $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('Log in'));
-
-  return $form;
-}
-
-/**
- * Set up a series for validators which check for blocked users,
- * then authenticate against local database, then return an error if
- * authentication fails. Distributed authentication modules are welcome
- * to use hook_form_alter() to change this series in order to
- * authenticate against their user database instead of the local users
- * table. If a distributed authentication module is successful, it
- * should set $form_state['uid'] to a user ID.
- *
- * We use three validators instead of one since external authentication
- * modules usually only need to alter the second validator.
- *
- * @see user_login_name_validate()
- * @see user_login_authenticate_validate()
- * @see user_login_final_validate()
- * @return array
- *   A simple list of validate functions.
- */
-function user_login_default_validators() {
-  return array('user_login_name_validate', 'user_login_authenticate_validate', 'user_login_final_validate');
-}
-
-/**
- * A FAPI validate handler. Sets an error if supplied username has been blocked.
- */
-function user_login_name_validate($form, &$form_state) {
-  if (isset($form_state['values']['name']) && user_is_blocked($form_state['values']['name'])) {
-    // Blocked in user administration.
-    form_set_error('name', t('The username %name has not been activated or is blocked.', array('%name' => $form_state['values']['name'])));
-  }
-}
-
-/**
- * A validate handler on the login form. Check supplied username/password
- * against local users table. If successful, $form_state['uid']
- * is set to the matching user ID.
- */
-function user_login_authenticate_validate($form, &$form_state) {
-  $password = trim($form_state['values']['pass']);
-  if (!empty($form_state['values']['name']) && !empty($password)) {
-    // Do not allow any login from the current user's IP if the limit has been
-    // reached. Default is 50 failed attempts allowed in one hour. This is
-    // independent of the per-user limit to catch attempts from one IP to log
-    // in to many different user accounts.  We have a reasonably high limit
-    // since there may be only one apparent IP for all users at an institution.
-    if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {
-      $form_state['flood_control_triggered'] = 'ip';
-      return;
-    }
-    $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' => $form_state['values']['name']))->fetchObject();
-    if ($account) {
-      if (variable_get('user_failed_login_identifier_uid_only', FALSE)) {
-        // Register flood events based on the uid only, so they apply for any
-        // IP address. This is the most secure option.
-        $identifier = $account->uid;
-      }
-      else {
-        // The default identifier is a combination of uid and IP address. This
-        // is less secure but more resistant to denial-of-service attacks that
-        // could lock out all users with public user names.
-        $identifier = $account->uid . '-' . ip_address();
-      }
-      $form_state['flood_control_user_identifier'] = $identifier;
-
-      // Don't allow login if the limit for this user has been reached.
-      // Default is to allow 5 failed attempts every 6 hours.
-      if (!flood_is_allowed('failed_login_attempt_user', variable_get('user_failed_login_user_limit', 5), variable_get('user_failed_login_user_window', 21600), $identifier)) {
-        $form_state['flood_control_triggered'] = 'user';
-        return;
-      }
-    }
-    // We are not limited by flood control, so try to authenticate.
-    // Set $form_state['uid'] as a flag for user_login_final_validate().
-    $form_state['uid'] = user_authenticate($form_state['values']['name'], $password);
-  }
-}
-
-/**
- * The final validation handler on the login form.
- *
- * Sets a form error if user has not been authenticated, or if too many
- * logins have been attempted. This validation function should always
- * be the last one.
- */
-function user_login_final_validate($form, &$form_state) {
-  if (empty($form_state['uid'])) {
-    // Always register an IP-based failed login event.
-    flood_register_event('failed_login_attempt_ip', variable_get('user_failed_login_ip_window', 3600));
-    // Register a per-user failed login event.
-    if (isset($form_state['flood_control_user_identifier'])) {
-      flood_register_event('failed_login_attempt_user', variable_get('user_failed_login_user_window', 21600), $form_state['flood_control_user_identifier']);
-    }
-
-    if (isset($form_state['flood_control_triggered'])) {
-      if ($form_state['flood_control_triggered'] == 'user') {
-        form_set_error('name', format_plural(variable_get('user_failed_login_user_limit', 5), 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
-      }
-      else {
-        // We did not find a uid, so the limit is IP-based.
-        form_set_error('name', t('Sorry, too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
-      }
-    }
-    else {
-      form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
-      watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
-    }
-  }
-  elseif (isset($form_state['flood_control_user_identifier'])) {
-    // Clear past failures for this user so as not to block a user who might
-    // log in and out more than once in an hour.
-    flood_clear_event('failed_login_attempt_user', $form_state['flood_control_user_identifier']);
-  }
-}
-
-/**
- * Try to validate the user's login credentials locally.
- *
- * @param $name
- *   User name to authenticate.
- * @param $password
- *   A plain-text password, such as trimmed text from form values.
- * @return
- *   The user's uid on success, or FALSE on failure to authenticate.
- */
-function user_authenticate($name, $password) {
-  $uid = FALSE;
-  if (!empty($name) && !empty($password)) {
-    $account = user_load_by_name($name);
-    if ($account) {
-      // Allow alternate password hashing schemes.
-      require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
-      if (user_check_password($password, $account)) {
-        // Successful authentication.
-        $uid = $account->uid;
-
-        // Update user to new password scheme if needed.
-        if (user_needs_new_hash($account)) {
-          user_save($account, array('pass' => $password));
-        }
-      }
-    }
-  }
-  return $uid;
-}
-
-/**
- * Finalize the login process. Must be called when logging in a user.
- *
- * The function records a watchdog message about the new session, saves the
- * login timestamp, calls hook_user_login(), and generates a new session.
- *
- * @param array $edit
- *   The array of form values submitted by the user.
- *
- * @see hook_user_login()
- */
-function user_login_finalize(&$edit = array()) {
-  global $user;
-  watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
-  // Update the user table timestamp noting user has logged in.
-  // This is also used to invalidate one-time login links.
-  $user->login = REQUEST_TIME;
-  db_update('users')
-    ->fields(array('login' => $user->login))
-    ->condition('uid', $user->uid)
-    ->execute();
-
-  // Regenerate the session ID to prevent against session fixation attacks.
-  // This is called before hook_user in case one of those functions fails
-  // or incorrectly does a redirect which would leave the old session in place.
-  drupal_session_regenerate();
-
-  user_module_invoke('login', $edit, $user);
-}
-
-/**
- * Submit handler for the login form. Load $user object and perform standard login
- * tasks. The user is then redirected to the My Account page. Setting the
- * destination in the query string overrides the redirect.
- */
-function user_login_submit($form, &$form_state) {
-  global $user;
-  $user = user_load($form_state['uid']);
-  $form_state['redirect'] = 'user/' . $user->uid;
-
-  user_login_finalize($form_state);
-}
-
-/**
- * Helper function for authentication modules. Either logs in or registers
- * the current user, based on username. Either way, the global $user object is
- * populated and login tasks are performed.
- */
-function user_external_login_register($name, $module) {
-  $account = user_external_load($name);
-  if (!$account) {
-    // Register this new user.
-    $userinfo = array(
-      'name' => $name,
-      'pass' => user_password(),
-      'init' => $name,
-      'status' => 1,
-      'access' => REQUEST_TIME
-    );
-    $account = user_save(drupal_anonymous_user(), $userinfo);
-    // Terminate if an error occurred during user_save().
-    if (!$account) {
-      drupal_set_message(t("Error saving user account."), 'error');
-      return;
-    }
-    user_set_authmaps($account, array("authname_$module" => $name));
-  }
-
-  // Log user in.
-  $form_state['uid'] = $account->uid;
-  user_login_submit(array(), $form_state);
-}
-
-/**
- * Generates a unique URL for a user to login and reset their password.
- *
- * @param object $account
- *   An object containing the user account.
- *
- * @return
- *   A unique URL that provides a one-time log in for the user, from which
- *   they can change their password.
- */
-function user_pass_reset_url($account) {
-  $timestamp = REQUEST_TIME;
-  return url("user/reset/$account->uid/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
-}
-
-/**
- * Generates a URL to confirm an account cancellation request.
- *
- * @param object $account
- *   The user account object, which must contain at least the following
- *   properties:
- *   - uid: The user uid number.
- *   - pass: The hashed user password string.
- *   - login: The user login name.
- *
- * @return
- *   A unique URL that may be used to confirm the cancellation of the user
- *   account.
- *
- * @see user_mail_tokens()
- * @see user_cancel_confirm()
- */
-function user_cancel_url($account) {
-  $timestamp = REQUEST_TIME;
-  return url("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login), array('absolute' => TRUE));
-}
-
-/**
- * Creates a unique hash value for use in time-dependent per-user URLs.
- *
- * This hash is normally used to build a unique and secure URL that is sent to
- * the user by email for purposes such as resetting the user's password. In
- * order to validate the URL, the same hash can be generated again, from the
- * same information, and compared to the hash value from the URL. The URL
- * normally contains both the time stamp and the numeric user ID. The login
- * name and hashed password are retrieved from the database as necessary. For a
- * usage example, see user_cancel_url() and user_cancel_confirm().
- *
- * @param $password
- *   The hashed user account password value.
- * @param $timestamp
- *   A unix timestamp.
- * @param $login
- *   The user account login name.
- *
- * @return
- *   A string that is safe for use in URLs and SQL statements.
- */
-function user_pass_rehash($password, $timestamp, $login) {
-  return drupal_hmac_base64($timestamp . $login, drupal_get_hash_salt() . $password);
-}
-
-/**
- * Cancel a user account.
- *
- * Since the user cancellation process needs to be run in a batch, either
- * Form API will invoke it, or batch_process() needs to be invoked after calling
- * this function and should define the path to redirect to.
- *
- * @param $edit
- *   An array of submitted form values.
- * @param $uid
- *   The user ID of the user account to cancel.
- * @param $method
- *   The account cancellation method to use.
- *
- * @see _user_cancel()
- */
-function user_cancel($edit, $uid, $method) {
-  global $user;
-
-  $account = user_load($uid);
-
-  if (!$account) {
-    drupal_set_message(t('The user account %id does not exist.', array('%id' => $uid)), 'error');
-    watchdog('user', 'Attempted to cancel non-existing user account: %id.', array('%id' => $uid), WATCHDOG_ERROR);
-    return;
-  }
-
-  // Initialize batch (to set title).
-  $batch = array(
-    'title' => t('Cancelling account'),
-    'operations' => array(),
-  );
-  batch_set($batch);
-
-  // Modules use hook_user_delete() to respond to deletion.
-  if ($method != 'user_cancel_delete') {
-    // Allow modules to add further sets to this batch.
-    module_invoke_all('user_cancel', $edit, $account, $method);
-  }
-
-  // Finish the batch and actually cancel the account.
-  $batch = array(
-    'title' => t('Cancelling user account'),
-    'operations' => array(
-      array('_user_cancel', array($edit, $account, $method)),
-    ),
-  );
-
-  // After cancelling account, ensure that user is logged out.
-  if ($account->uid == $user->uid) {
-    // Batch API stores data in the session, so use the finished operation to
-    // manipulate the current user's session id.
-    $batch['finished'] = '_user_cancel_session_regenerate';
-  }
-
-  batch_set($batch);
-
-  // Batch processing is either handled via Form API or has to be invoked
-  // manually.
-}
-
-/**
- * Last batch processing step for cancelling a user account.
- *
- * Since batch and session API require a valid user account, the actual
- * cancellation of a user account needs to happen last.
- *
- * @see user_cancel()
- */
-function _user_cancel($edit, $account, $method) {
-  global $user;
-
-  switch ($method) {
-    case 'user_cancel_block':
-    case 'user_cancel_block_unpublish':
-    default:
-      // Send account blocked notification if option was checked.
-      if (!empty($edit['user_cancel_notify'])) {
-        _user_mail_notify('status_blocked', $account);
-      }
-      user_save($account, array('status' => 0));
-      drupal_set_message(t('%name has been disabled.', array('%name' => $account->name)));
-      watchdog('user', 'Blocked user: %name %email.', array('%name' => $account->name, '%email' => '<' . $account->mail . '>'), WATCHDOG_NOTICE);
-      break;
-
-    case 'user_cancel_reassign':
-    case 'user_cancel_delete':
-      // Send account canceled notification if option was checked.
-      if (!empty($edit['user_cancel_notify'])) {
-        _user_mail_notify('status_canceled', $account);
-      }
-      user_delete($account->uid);
-      drupal_set_message(t('%name has been deleted.', array('%name' => $account->name)));
-      watchdog('user', 'Deleted user: %name %email.', array('%name' => $account->name, '%email' => '<' . $account->mail . '>'), WATCHDOG_NOTICE);
-      break;
-  }
-
-  // After cancelling account, ensure that user is logged out. We can't destroy
-  // their session though, as we might have information in it, and we can't
-  // regenerate it because batch API uses the session ID, we will regenerate it
-  // in _user_cancel_session_regenerate().
-  if ($account->uid == $user->uid) {
-    $user = drupal_anonymous_user();
-  }
-
-  // Clear the cache for anonymous users.
-  cache_clear_all();
-}
-
-/**
- * Finished batch processing callback for cancelling a user account.
- *
- * @see user_cancel()
- */
-function _user_cancel_session_regenerate() {
-  // Regenerate the users session instead of calling session_destroy() as we
-  // want to preserve any messages that might have been set.
-  drupal_session_regenerate();
-}
-
-/**
- * Delete a user.
- *
- * @param $uid
- *   A user ID.
- */
-function user_delete($uid) {
-  user_delete_multiple(array($uid));
-}
-
-/**
- * Delete multiple user accounts.
- *
- * @param $uids
- *   An array of user IDs.
- */
-function user_delete_multiple(array $uids) {
-  if (!empty($uids)) {
-    $accounts = user_load_multiple($uids, array());
-
-    $transaction = db_transaction();
-    try {
-      foreach ($accounts as $uid => $account) {
-        module_invoke_all('user_delete', $account);
-        module_invoke_all('entity_delete', $account, 'user');
-        field_attach_delete('user', $account);
-        drupal_session_destroy_uid($account->uid);
-      }
-
-      db_delete('users')
-        ->condition('uid', $uids, 'IN')
-        ->execute();
-      db_delete('users_roles')
-        ->condition('uid', $uids, 'IN')
-        ->execute();
-      db_delete('authmap')
-        ->condition('uid', $uids, 'IN')
-        ->execute();
-    }
-    catch (Exception $e) {
-      $transaction->rollback();
-      watchdog_exception('user', $e);
-      throw $e;
-    }
-    entity_get_controller('user')->resetCache();
-  }
-}
-
-/**
- * Page callback wrapper for user_view().
- */
-function user_view_page($account) {
-  // An administrator may try to view a non-existent account,
-  // so we give them a 404 (versus a 403 for non-admins).
-  return is_object($account) ? user_view($account) : MENU_NOT_FOUND;
-}
-
-/**
- * Generate an array for rendering the given user.
- *
- * When viewing a user profile, the $page array contains:
- *
- * - $page['content']['Profile Category']:
- *   Profile categories keyed by their human-readable names.
- * - $page['content']['Profile Category']['profile_machine_name']:
- *   Profile fields keyed by their machine-readable names.
- * - $page['content']['user_picture']:
- *   User's rendered picture.
- * - $page['content']['summary']:
- *   Contains the default "History" profile data for a user.
- * - $page['content']['#account']:
- *   The user account of the profile being viewed.
- *
- * To theme user profiles, copy modules/user/user-profile.tpl.php
- * to your theme directory, and edit it as instructed in that file's comments.
- *
- * @param $account
- *   A user object.
- * @param $view_mode
- *   View mode, e.g. 'full'.
- * @param $langcode
- *   (optional) A language code to use for rendering. Defaults to the global
- *   content language of the current request.
- *
- * @return
- *   An array as expected by drupal_render().
- */
-function user_view($account, $view_mode = 'full', $langcode = NULL) {
-  if (!isset($langcode)) {
-    $langcode = $GLOBALS['language_content']->language;
-  }
-
-  // Retrieve all profile fields and attach to $account->content.
-  user_build_content($account, $view_mode, $langcode);
-
-  $build = $account->content;
-  // We don't need duplicate rendering info in account->content.
-  unset($account->content);
-
-  $build += array(
-    '#theme' => 'user_profile',
-    '#account' => $account,
-    '#view_mode' => $view_mode,
-    '#language' => $langcode,
-  );
-
-  // Allow modules to modify the structured user.
-  $type = 'user';
-  drupal_alter(array('user_view', 'entity_view'), $build, $type);
-
-  return $build;
-}
-
-/**
- * Builds a structured array representing the profile content.
- *
- * @param $account
- *   A user object.
- * @param $view_mode
- *   View mode, e.g. 'full'.
- * @param $langcode
- *   (optional) A language code to use for rendering. Defaults to the global
- *   content language of the current request.
- */
-function user_build_content($account, $view_mode = 'full', $langcode = NULL) {
-  if (!isset($langcode)) {
-    $langcode = $GLOBALS['language_content']->language;
-  }
-
-  // Remove previously built content, if exists.
-  $account->content = array();
-
-  // Allow modules to change the view mode.
-  $context = array(
-    'entity_type' => 'user',
-    'entity' => $account,
-    'langcode' => $langcode,
-  );
-  drupal_alter('entity_view_mode', $view_mode, $context);
-
-  // Build fields content.
-  field_attach_prepare_view('user', array($account->uid => $account), $view_mode, $langcode);
-  entity_prepare_view('user', array($account->uid => $account), $langcode);
-  $account->content += field_attach_view('user', $account, $view_mode, $langcode);
-
-  // Populate $account->content with a render() array.
-  module_invoke_all('user_view', $account, $view_mode, $langcode);
-  module_invoke_all('entity_view', $account, 'user', $view_mode, $langcode);
-
-  // Make sure the current view mode is stored if no module has already
-  // populated the related key.
-  $account->content += array('#view_mode' => $view_mode);
-}
-
-/**
- * Implements hook_mail().
- */
-function user_mail($key, &$message, $params) {
-  $language = $message['language'];
-  $variables = array('user' => $params['account']);
-  $message['subject'] .= _user_mail_text($key . '_subject', $language, $variables);
-  $message['body'][] = _user_mail_text($key . '_body', $language, $variables);
-}
-
-/**
- * Returns a mail string for a variable name.
- *
- * Used by user_mail() and the settings forms to retrieve strings.
- */
-function _user_mail_text($key, $language = NULL, $variables = array(), $replace = TRUE) {
-  $langcode = isset($language) ? $language->language : NULL;
-
-  if ($admin_setting = variable_get('user_mail_' . $key, FALSE)) {
-    // An admin setting overrides the default string.
-    $text = $admin_setting;
-  }
-  else {
-    // No override, return default string.
-    switch ($key) {
-      case 'register_no_approval_required_subject':
-        $text = t('Account details for [user:name] at [site:name]', array(), array('langcode' => $langcode));
-        break;
-      case 'register_no_approval_required_body':
-        $text = t("[user:name],
-
-Thank you for registering at [site:name]. You may now log in by clicking this link or copying and pasting it to your browser:
-
-[user:one-time-login-url]
-
-This link can only be used once to log in and will lead you to a page where you can set your password.
-
-After setting your password, you will be able to log in at [site:login-url] in the future using:
-
-username: [user:name]
-password: Your password
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'register_admin_created_subject':
-        $text = t('An administrator created an account for you at [site:name]', array(), array('langcode' => $langcode));
-        break;
-      case 'register_admin_created_body':
-        $text = t("[user:name],
-
-A site administrator at [site:name] has created an account for you. You may now log in by clicking this link or copying and pasting it to your browser:
-
-[user:one-time-login-url]
-
-This link can only be used once to log in and will lead you to a page where you can set your password.
-
-After setting your password, you will be able to log in at [site:login-url] in the future using:
-
-username: [user:name]
-password: Your password
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'register_pending_approval_subject':
-      case 'register_pending_approval_admin_subject':
-        $text = t('Account details for [user:name] at [site:name] (pending admin approval)', array(), array('langcode' => $langcode));
-        break;
-      case 'register_pending_approval_body':
-        $text = t("[user:name],
-
-Thank you for registering at [site:name]. Your application for an account is currently pending approval. Once it has been approved, you will receive another e-mail containing information about how to log in, set your password, and other details.
-
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-      case 'register_pending_approval_admin_body':
-        $text = t("[user:name] has applied for an account.
-
-[user:edit-url]", array(), array('langcode' => $langcode));
-        break;
-
-      case 'password_reset_subject':
-        $text = t('Replacement login information for [user:name] at [site:name]', array(), array('langcode' => $langcode));
-        break;
-      case 'password_reset_body':
-        $text = t("[user:name],
-
-A request to reset the password for your account has been made at [site:name].
-
-You may now log in by clicking this link or copying and pasting it to your browser:
-
-[user:one-time-login-url]
-
-This link can only be used once to log in and will lead you to a page where you can set your password. It expires after one day and nothing will happen if it's not used.
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'status_activated_subject':
-        $text = t('Account details for [user:name] at [site:name] (approved)', array(), array('langcode' => $langcode));
-        break;
-      case 'status_activated_body':
-        $text = t("[user:name],
-
-Your account at [site:name] has been activated.
-
-You may now log in by clicking this link or copying and pasting it into your browser:
-
-[user:one-time-login-url]
-
-This link can only be used once to log in and will lead you to a page where you can set your password.
-
-After setting your password, you will be able to log in at [site:login-url] in the future using:
-
-username: [user:name]
-password: Your password
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'status_blocked_subject':
-        $text = t('Account details for [user:name] at [site:name] (blocked)', array(), array('langcode' => $langcode));
-        break;
-      case 'status_blocked_body':
-        $text = t("[user:name],
-
-Your account on [site:name] has been blocked.
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'cancel_confirm_subject':
-        $text = t('Account cancellation request for [user:name] at [site:name]', array(), array('langcode' => $langcode));
-        break;
-      case 'cancel_confirm_body':
-        $text = t("[user:name],
-
-A request to cancel your account has been made at [site:name].
-
-You may now cancel your account on [site:url-brief] by clicking this link or copying and pasting it into your browser:
-
-[user:cancel-url]
-
-NOTE: The cancellation of your account is not reversible.
-
-This link expires in one day and nothing will happen if it is not used.
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-
-      case 'status_canceled_subject':
-        $text = t('Account details for [user:name] at [site:name] (canceled)', array(), array('langcode' => $langcode));
-        break;
-      case 'status_canceled_body':
-        $text = t("[user:name],
-
-Your account on [site:name] has been canceled.
-
---  [site:name] team", array(), array('langcode' => $langcode));
-        break;
-    }
-  }
-
-  if ($replace) {
-    // We do not sanitize the token replacement, since the output of this
-    // replacement is intended for an e-mail message, not a web browser.
-    return token_replace($text, $variables, array('language' => $language, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
-  }
-
-  return $text;
-}
-
-/**
- * Token callback to add unsafe tokens for user mails.
- *
- * This function is used by the token_replace() call at the end of
- * _user_mail_text() to set up some additional tokens that can be
- * used in email messages generated by user_mail().
- *
- * @param $replacements
- *   An associative array variable containing mappings from token names to
- *   values (for use with strtr()).
- * @param $data
- *   An associative array of token replacement values. If the 'user' element
- *   exists, it must contain a user account object with the following
- *   properties:
- *   - login: The account login name.
- *   - pass: The hashed account login password.
- * @param $options
- *   Unused parameter required by the token_replace() function.
- */
-function user_mail_tokens(&$replacements, $data, $options) {
-  if (isset($data['user'])) {
-    $replacements['[user:one-time-login-url]'] = user_pass_reset_url($data['user']);
-    $replacements['[user:cancel-url]'] = user_cancel_url($data['user']);
-  }
-}
-
-/*** Administrative features ***********************************************/
-
-/**
- * Retrieve an array of roles matching specified conditions.
- *
- * @param $membersonly
- *   Set this to TRUE to exclude the 'anonymous' role.
- * @param $permission
- *   A string containing a permission. If set, only roles containing that
- *   permission are returned.
- *
- * @return
- *   An associative array with the role id as the key and the role name as
- *   value.
- */
-function user_roles($membersonly = FALSE, $permission = NULL) {
-  $query = db_select('role', 'r');
-  $query->addTag('translatable');
-  $query->fields('r', array('rid', 'name'));
-  $query->orderBy('weight');
-  $query->orderBy('name');
-  if (!empty($permission)) {
-    $query->innerJoin('role_permission', 'p', 'r.rid = p.rid');
-    $query->condition('p.permission', $permission);
-  }
-  $result = $query->execute();
-
-  $roles = array();
-  foreach ($result as $role) {
-    switch ($role->rid) {
-      // We only translate the built in role names
-      case DRUPAL_ANONYMOUS_RID:
-        if (!$membersonly) {
-          $roles[$role->rid] = t($role->name);
-        }
-        break;
-      case DRUPAL_AUTHENTICATED_RID:
-        $roles[$role->rid] = t($role->name);
-        break;
-      default:
-        $roles[$role->rid] = $role->name;
-    }
-  }
-
-  return $roles;
-}
-
-/**
- * Fetches a user role by role ID.
- *
- * @param $rid
- *   An integer representing the role ID.
- *
- * @return
- *   A fully-loaded role object if a role with the given ID exists, or FALSE
- *   otherwise.
- *
- * @see user_role_load_by_name()
- */
-function user_role_load($rid) {
-  return db_select('role', 'r')
-    ->fields('r')
-    ->condition('rid', $rid)
-    ->execute()
-    ->fetchObject();
-}
-
-/**
- * Fetches a user role by role name.
- *
- * @param $role_name
- *   A string representing the role name.
- *
- * @return
- *   A fully-loaded role object if a role with the given name exists, or FALSE
- *   otherwise.
- *
- * @see user_role_load()
- */
-function user_role_load_by_name($role_name) {
-  return db_select('role', 'r')
-    ->fields('r')
-    ->condition('name', $role_name)
-    ->execute()
-    ->fetchObject();
-}
-
-/**
- * Save a user role to the database.
- *
- * @param $role
- *   A role object to modify or add. If $role->rid is not specified, a new
- *   role will be created.
- * @return
- *   Status constant indicating if role was created or updated.
- *   Failure to write the user role record will return FALSE. Otherwise.
- *   SAVED_NEW or SAVED_UPDATED is returned depending on the operation
- *   performed.
- */
-function user_role_save($role) {
-  if ($role->name) {
-    // Prevent leading and trailing spaces in role names.
-    $role->name = trim($role->name);
-  }
-  if (!isset($role->weight)) {
-    // Set a role weight to make this new role last.
-    $query = db_select('role');
-    $query->addExpression('MAX(weight)');
-    $role->weight = $query->execute()->fetchField() + 1;
-  }
-
-  // Let modules modify the user role before it is saved to the database.
-  module_invoke_all('user_role_presave', $role);
-
-  if (!empty($role->rid) && $role->name) {
-    $status = drupal_write_record('role', $role, 'rid');
-    module_invoke_all('user_role_update', $role);
-  }
-  else {
-    $status = drupal_write_record('role', $role);
-    module_invoke_all('user_role_insert', $role);
-  }
-
-  // Clear the user access cache.
-  drupal_static_reset('user_access');
-  drupal_static_reset('user_role_permissions');
-
-  return $status;
-}
-
-/**
- * Delete a user role from database.
- *
- * @param $role
- *   A string with the role name, or an integer with the role ID.
- */
-function user_role_delete($role) {
-  if (is_int($role)) {
-    $role = user_role_load($role);
-  }
-  else {
-    $role = user_role_load_by_name($role);
-  }
-
-  db_delete('role')
-    ->condition('rid', $role->rid)
-    ->execute();
-  db_delete('role_permission')
-    ->condition('rid', $role->rid)
-    ->execute();
-  // Update the users who have this role set:
-  db_delete('users_roles')
-    ->condition('rid', $role->rid)
-    ->execute();
-
-  module_invoke_all('user_role_delete', $role);
-
-  // Clear the user access cache.
-  drupal_static_reset('user_access');
-  drupal_static_reset('user_role_permissions');
-}
-
-/**
- * Menu access callback for user role editing.
- */
-function user_role_edit_access($role) {
-  // Prevent the system-defined roles from being altered or removed.
-  if ($role->rid == DRUPAL_ANONYMOUS_RID || $role->rid == DRUPAL_AUTHENTICATED_RID) {
-    return FALSE;
-  }
-
-  return user_access('administer permissions');
-}
-
-/**
- * Determine the modules that permissions belong to.
- *
- * @return
- *   An associative array in the format $permission => $module.
- */
-function user_permission_get_modules() {
-  $permissions = array();
-  foreach (module_implements('permission') as $module) {
-    $perms = module_invoke($module, 'permission');
-    foreach ($perms as $key => $value) {
-      $permissions[$key] = $module;
-    }
-  }
-  return $permissions;
-}
-
-/**
- * Change permissions for a user role.
- *
- * This function may be used to grant and revoke multiple permissions at once.
- * For example, when a form exposes checkboxes to configure permissions for a
- * role, the form submit handler may directly pass the submitted values for the
- * checkboxes form element to this function.
- *
- * @param $rid
- *   The ID of a user role to alter.
- * @param $permissions
- *   An associative array, where the key holds the permission name and the value
- *   determines whether to grant or revoke that permission. Any value that
- *   evaluates to TRUE will cause the permission to be granted. Any value that
- *   evaluates to FALSE will cause the permission to be revoked.
- *   @code
- *     array(
- *       'administer nodes' => 0,                // Revoke 'administer nodes'
- *       'administer blocks' => FALSE,           // Revoke 'administer blocks'
- *       'access user profiles' => 1,            // Grant 'access user profiles'
- *       'access content' => TRUE,               // Grant 'access content'
- *       'access comments' => 'access comments', // Grant 'access comments'
- *     )
- *   @endcode
- *   Existing permissions are not changed, unless specified in $permissions.
- *
- * @see user_role_grant_permissions()
- * @see user_role_revoke_permissions()
- */
-function user_role_change_permissions($rid, array $permissions = array()) {
-  // Grant new permissions for the role.
-  $grant = array_filter($permissions);
-  if (!empty($grant)) {
-    user_role_grant_permissions($rid, array_keys($grant));
-  }
-  // Revoke permissions for the role.
-  $revoke = array_diff_assoc($permissions, $grant);
-  if (!empty($revoke)) {
-    user_role_revoke_permissions($rid, array_keys($revoke));
-  }
-}
-
-/**
- * Grant permissions to a user role.
- *
- * @param $rid
- *   The ID of a user role to alter.
- * @param $permissions
- *   A list of permission names to grant.
- *
- * @see user_role_change_permissions()
- * @see user_role_revoke_permissions()
- */
-function user_role_grant_permissions($rid, array $permissions = array()) {
-  $modules = user_permission_get_modules();
-  // Grant new permissions for the role.
-  foreach ($permissions as $name) {
-    db_merge('role_permission')
-      ->key(array(
-        'rid' => $rid,
-        'permission' => $name,
-      ))
-      ->fields(array(
-        'module' => $modules[$name],
-      ))
-      ->execute();
-  }
-
-  // Clear the user access cache.
-  drupal_static_reset('user_access');
-  drupal_static_reset('user_role_permissions');
-}
-
-/**
- * Revoke permissions from a user role.
- *
- * @param $rid
- *   The ID of a user role to alter.
- * @param $permissions
- *   A list of permission names to revoke.
- *
- * @see user_role_change_permissions()
- * @see user_role_grant_permissions()
- */
-function user_role_revoke_permissions($rid, array $permissions = array()) {
-  // Revoke permissions for the role.
-  db_delete('role_permission')
-    ->condition('rid', $rid)
-    ->condition('permission', $permissions, 'IN')
-    ->execute();
-
-  // Clear the user access cache.
-  drupal_static_reset('user_access');
-  drupal_static_reset('user_role_permissions');
-}
-
-/**
- * Implements hook_user_operations().
- */
-function user_user_operations($form = array(), $form_state = array()) {
-  $operations = array(
-    'unblock' => array(
-      'label' => t('Unblock the selected users'),
-      'callback' => 'user_user_operations_unblock',
-    ),
-    'block' => array(
-      'label' => t('Block the selected users'),
-      'callback' => 'user_user_operations_block',
-    ),
-    'cancel' => array(
-      'label' => t('Cancel the selected user accounts'),
-    ),
-  );
-
-  if (user_access('administer permissions')) {
-    $roles = user_roles(TRUE);
-    unset($roles[DRUPAL_AUTHENTICATED_RID]);  // Can't edit authenticated role.
-
-    $add_roles = array();
-    foreach ($roles as $key => $value) {
-      $add_roles['add_role-' . $key] = $value;
-    }
-
-    $remove_roles = array();
-    foreach ($roles as $key => $value) {
-      $remove_roles['remove_role-' . $key] = $value;
-    }
-
-    if (count($roles)) {
-      $role_operations = array(
-        t('Add a role to the selected users') => array(
-          'label' => $add_roles,
-        ),
-        t('Remove a role from the selected users') => array(
-          'label' => $remove_roles,
-        ),
-      );
-
-      $operations += $role_operations;
-    }
-  }
-
-  // If the form has been posted, we need to insert the proper data for
-  // role editing if necessary.
-  if (!empty($form_state['submitted'])) {
-    $operation_rid = explode('-', $form_state['values']['operation']);
-    $operation = $operation_rid[0];
-    if ($operation == 'add_role' || $operation == 'remove_role') {
-      $rid = $operation_rid[1];
-      if (user_access('administer permissions')) {
-        $operations[$form_state['values']['operation']] = array(
-          'callback' => 'user_multiple_role_edit',
-          'callback arguments' => array($operation, $rid),
-        );
-      }
-      else {
-        watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);
-        return;
-      }
-    }
-  }
-
-  return $operations;
-}
-
-/**
- * Callback function for admin mass unblocking users.
- */
-function user_user_operations_unblock($accounts) {
-  $accounts = user_load_multiple($accounts);
-  foreach ($accounts as $account) {
-    // Skip unblocking user if they are already unblocked.
-    if ($account !== FALSE && $account->status == 0) {
-      user_save($account, array('status' => 1));
-    }
-  }
-}
-
-/**
- * Callback function for admin mass blocking users.
- */
-function user_user_operations_block($accounts) {
-  $accounts = user_load_multiple($accounts);
-  foreach ($accounts as $account) {
-    // Skip blocking user if they are already blocked.
-    if ($account !== FALSE && $account->status == 1) {
-      // For efficiency manually save the original account before applying any
-      // changes.
-      $account->original = clone $account;
-      user_save($account, array('status' => 0));
-    }
-  }
-}
-
-/**
- * Callback function for admin mass adding/deleting a user role.
- */
-function user_multiple_role_edit($accounts, $operation, $rid) {
-  // The role name is not necessary as user_save() will reload the user
-  // object, but some modules' hook_user() may look at this first.
-  $role_name = db_query('SELECT name FROM {role} WHERE rid = :rid', array(':rid' => $rid))->fetchField();
-
-  switch ($operation) {
-    case 'add_role':
-      $accounts = user_load_multiple($accounts);
-      foreach ($accounts as $account) {
-        // Skip adding the role to the user if they already have it.
-        if ($account !== FALSE && !isset($account->roles[$rid])) {
-          $roles = $account->roles + array($rid => $role_name);
-          // For efficiency manually save the original account before applying
-          // any changes.
-          $account->original = clone $account;
-          user_save($account, array('roles' => $roles));
-        }
-      }
-      break;
-    case 'remove_role':
-      $accounts = user_load_multiple($accounts);
-      foreach ($accounts as $account) {
-        // Skip removing the role from the user if they already don't have it.
-        if ($account !== FALSE && isset($account->roles[$rid])) {
-          $roles = array_diff($account->roles, array($rid => $role_name));
-          // For efficiency manually save the original account before applying
-          // any changes.
-          $account->original = clone $account;
-          user_save($account, array('roles' => $roles));
-        }
-      }
-      break;
-  }
-}
-
-function user_multiple_cancel_confirm($form, &$form_state) {
-  $edit = $form_state['input'];
-
-  $form['accounts'] = array('#prefix' => '<ul>', '#suffix' => '</ul>', '#tree' => TRUE);
-  $accounts = user_load_multiple(array_keys(array_filter($edit['accounts'])));
-  foreach ($accounts as $uid => $account) {
-    // Prevent user 1 from being canceled.
-    if ($uid <= 1) {
-      continue;
-    }
-    $form['accounts'][$uid] = array(
-      '#type' => 'hidden',
-      '#value' => $uid,
-      '#prefix' => '<li>',
-      '#suffix' => check_plain($account->name) . "</li>\n",
-    );
-  }
-
-  // Output a notice that user 1 cannot be canceled.
-  if (isset($accounts[1])) {
-    $redirect = (count($accounts) == 1);
-    $message = t('The user account %name cannot be cancelled.', array('%name' => $accounts[1]->name));
-    drupal_set_message($message, $redirect ? 'error' : 'warning');
-    // If only user 1 was selected, redirect to the overview.
-    if ($redirect) {
-      drupal_goto('admin/people');
-    }
-  }
-
-  $form['operation'] = array('#type' => 'hidden', '#value' => 'cancel');
-
-  module_load_include('inc', 'user', 'user.pages');
-  $form['user_cancel_method'] = array(
-    '#type' => 'item',
-    '#title' => t('When cancelling these accounts'),
-  );
-  $form['user_cancel_method'] += user_cancel_methods();
-  // Remove method descriptions.
-  foreach (element_children($form['user_cancel_method']) as $element) {
-    unset($form['user_cancel_method'][$element]['#description']);
-  }
-
-  // Allow to send the account cancellation confirmation mail.
-  $form['user_cancel_confirm'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Require e-mail confirmation to cancel account.'),
-    '#default_value' => FALSE,
-    '#description' => t('When enabled, the user must confirm the account cancellation via e-mail.'),
-  );
-  // Also allow to send account canceled notification mail, if enabled.
-  $form['user_cancel_notify'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Notify user when account is canceled.'),
-    '#default_value' => FALSE,
-    '#access' => variable_get('user_mail_status_canceled_notify', FALSE),
-    '#description' => t('When enabled, the user will receive an e-mail notification after the account has been cancelled.'),
-  );
-
-  return confirm_form($form,
-                      t('Are you sure you want to cancel these user accounts?'),
-                      'admin/people', t('This action cannot be undone.'),
-                      t('Cancel accounts'), t('Cancel'));
-}
-
-/**
- * Submit handler for mass-account cancellation form.
- *
- * @see user_multiple_cancel_confirm()
- * @see user_cancel_confirm_form_submit()
- */
-function user_multiple_cancel_confirm_submit($form, &$form_state) {
-  global $user;
-
-  if ($form_state['values']['confirm']) {
-    foreach ($form_state['values']['accounts'] as $uid => $value) {
-      // Prevent programmatic form submissions from cancelling user 1.
-      if ($uid <= 1) {
-        continue;
-      }
-      // Prevent user administrators from deleting themselves without confirmation.
-      if ($uid == $user->uid) {
-        $admin_form_state = $form_state;
-        unset($admin_form_state['values']['user_cancel_confirm']);
-        $admin_form_state['values']['_account'] = $user;
-        user_cancel_confirm_form_submit(array(), $admin_form_state);
-      }
-      else {
-        user_cancel($form_state['values'], $uid, $form_state['values']['user_cancel_method']);
-      }
-    }
-  }
-  $form_state['redirect'] = 'admin/people';
-}
-
-/**
- * Retrieve a list of all user setting/information categories and sort them by weight.
- */
-function _user_categories() {
-  $categories = module_invoke_all('user_categories');
-  usort($categories, '_user_sort');
-
-  return $categories;
-}
-
-function _user_sort($a, $b) {
-  $a = (array) $a + array('weight' => 0, 'title' => '');
-  $b = (array) $b + array('weight' => 0, 'title' => '');
-  return $a['weight'] < $b['weight'] ? -1 : ($a['weight'] > $b['weight'] ? 1 : ($a['title'] < $b['title'] ? -1 : 1));
-}
-
-/**
- * List user administration filters that can be applied.
- */
-function user_filters() {
-  // Regular filters
-  $filters = array();
-  $roles = user_roles(TRUE);
-  unset($roles[DRUPAL_AUTHENTICATED_RID]); // Don't list authorized role.
-  if (count($roles)) {
-    $filters['role'] = array(
-      'title' => t('role'),
-      'field' => 'ur.rid',
-      'options' => array(
-        '[any]' => t('any'),
-      ) + $roles,
-    );
-  }
-
-  $options = array();
-  foreach (module_implements('permission') as $module) {
-    $function = $module . '_permission';
-    if ($permissions = $function()) {
-      asort($permissions);
-      foreach ($permissions as $permission => $description) {
-        $options[t('@module module', array('@module' => $module))][$permission] = t($permission);
-      }
-    }
-  }
-  ksort($options);
-  $filters['permission'] = array(
-    'title' => t('permission'),
-    'options' => array(
-      '[any]' => t('any'),
-    ) + $options,
-  );
-
-  $filters['status'] = array(
-    'title' => t('status'),
-    'field' => 'u.status',
-    'options' => array(
-      '[any]' => t('any'),
-      1 => t('active'),
-      0 => t('blocked'),
-    ),
-  );
-  return $filters;
-}
-
-/**
- * Extends a query object for user administration filters based on session.
- *
- * @param $query
- *   Query object that should be filtered.
- */
-function user_build_filter_query(SelectQuery $query) {
-  $filters = user_filters();
-  // Extend Query with filter conditions.
-  foreach (isset($_SESSION['user_overview_filter']) ? $_SESSION['user_overview_filter'] : array() as $filter) {
-    list($key, $value) = $filter;
-    // This checks to see if this permission filter is an enabled permission for
-    // the authenticated role. If so, then all users would be listed, and we can
-    // skip adding it to the filter query.
-    if ($key == 'permission') {
-      $account = new stdClass();
-      $account->uid = 'user_filter';
-      $account->roles = array(DRUPAL_AUTHENTICATED_RID => 1);
-      if (user_access($value, $account)) {
-        continue;
-      }
-      $users_roles_alias = $query->join('users_roles', 'ur', '%alias.uid = u.uid');
-      $permission_alias = $query->join('role_permission', 'p', $users_roles_alias . '.rid = %alias.rid');
-      $query->condition($permission_alias . '.permission', $value);
-    }
-    elseif ($key == 'role') {
-      $users_roles_alias = $query->join('users_roles', 'ur', '%alias.uid = u.uid');
-      $query->condition($users_roles_alias . '.rid' , $value);
-    }
-    else {
-      $query->condition($filters[$key]['field'], $value);
-    }
-  }
-}
-
-/**
- * Implements hook_comment_view().
- */
-function user_comment_view($comment) {
-  if (variable_get('user_signatures', 0) && !empty($comment->signature)) {
-    // @todo This alters and replaces the original object value, so a
-    //   hypothetical process of loading, viewing, and saving will hijack the
-    //   stored data. Consider renaming to $comment->signature_safe or similar
-    //   here and elsewhere in Drupal 8.
-    $comment->signature = check_markup($comment->signature, $comment->signature_format, '', TRUE);
-  }
-  else {
-    $comment->signature = '';
-  }
-}
-
-/**
- * Returns HTML for a user signature.
- *
- * @param $variables
- *   An associative array containing:
- *   - signature: The user's signature.
- *
- * @ingroup themeable
- */
-function theme_user_signature($variables) {
-  $signature = $variables['signature'];
-  $output = '';
-
-  if ($signature) {
-    $output .= '<div class="clear">';
-    $output .= '<div>—</div>';
-    $output .= $signature;
-    $output .= '</div>';
-  }
-
-  return $output;
-}
-
-/**
- * Get the language object preferred by the user. This user preference can
- * be set on the user account editing page, and is only available if there
- * are more than one languages enabled on the site. If the user did not
- * choose a preferred language, or is the anonymous user, the $default
- * value, or if it is not set, the site default language will be returned.
- *
- * @param $account
- *   User account to look up language for.
- * @param $default
- *   Optional default language object to return if the account
- *   has no valid language.
- */
-function user_preferred_language($account, $default = NULL) {
-  $language_list = language_list();
-  if (!empty($account->language) && isset($language_list[$account->language])) {
-    return $language_list[$account->language];
-  }
-  else {
-    return $default ? $default : language_default();
-  }
-}
-
-/**
- * Conditionally create and send a notification email when a certain
- * operation happens on the given user account.
- *
- * @see user_mail_tokens()
- * @see drupal_mail()
- *
- * @param $op
- *   The operation being performed on the account. Possible values:
- *   - 'register_admin_created': Welcome message for user created by the admin.
- *   - 'register_no_approval_required': Welcome message when user
- *     self-registers.
- *   - 'register_pending_approval': Welcome message, user pending admin
- *     approval.
- *   - 'password_reset': Password recovery request.
- *   - 'status_activated': Account activated.
- *   - 'status_blocked': Account blocked.
- *   - 'cancel_confirm': Account cancellation request.
- *   - 'status_canceled': Account canceled.
- *
- * @param $account
- *   The user object of the account being notified. Must contain at
- *   least the fields 'uid', 'name', and 'mail'.
- * @param $language
- *   Optional language to use for the notification, overriding account language.
- *
- * @return
- *   The return value from drupal_mail_system()->mail(), if ends up being
- *   called.
- */
-function _user_mail_notify($op, $account, $language = NULL) {
-  // By default, we always notify except for canceled and blocked.
-  $default_notify = ($op != 'status_canceled' && $op != 'status_blocked');
-  $notify = variable_get('user_mail_' . $op . '_notify', $default_notify);
-  if ($notify) {
-    $params['account'] = $account;
-    $language = $language ? $language : user_preferred_language($account);
-    $mail = drupal_mail('user', $op, $account->mail, $language, $params);
-    if ($op == 'register_pending_approval') {
-      // If a user registered requiring admin approval, notify the admin, too.
-      // We use the site default language for this.
-      drupal_mail('user', 'register_pending_approval_admin', variable_get('site_mail', ini_get('sendmail_from')), language_default(), $params);
-    }
-  }
-  return empty($mail) ? NULL : $mail['result'];
-}
-
-/**
- * Form element process handler for client-side password validation.
- *
- * This #process handler is automatically invoked for 'password_confirm' form
- * elements to add the JavaScript and string translations for dynamic password
- * validation.
- *
- * @see system_element_info()
- */
-function user_form_process_password_confirm($element) {
-  global $user;
-
-  $js_settings = array(
-    'password' => array(
-      'strengthTitle' => t('Password strength:'),
-      'hasWeaknesses' => t('To make your password stronger:'),
-      'tooShort' => t('Make it at least 6 characters'),
-      'addLowerCase' => t('Add lowercase letters'),
-      'addUpperCase' => t('Add uppercase letters'),
-      'addNumbers' => t('Add numbers'),
-      'addPunctuation' => t('Add punctuation'),
-      'sameAsUsername' => t('Make it different from your username'),
-      'confirmSuccess' => t('yes'),
-      'confirmFailure' => t('no'),
-      'weak' => t('Weak'),
-      'fair' => t('Fair'),
-      'good' => t('Good'),
-      'strong' => t('Strong'),
-      'confirmTitle' => t('Passwords match:'),
-      'username' => (isset($user->name) ? $user->name : ''),
-    ),
-  );
-
-  $element['#attached']['js'][] = drupal_get_path('module', 'user') . '/user.js';
-  // Ensure settings are only added once per page.
-  static $already_added = FALSE;
-  if (!$already_added) {
-    $already_added = TRUE;
-    $element['#attached']['js'][] = array('data' => $js_settings, 'type' => 'setting');
-  }
-
-  return $element;
-}
-
-/**
- * Implements hook_node_load().
- */
-function user_node_load($nodes, $types) {
-  // Build an array of all uids for node authors, keyed by nid.
-  $uids = array();
-  foreach ($nodes as $nid => $node) {
-    $uids[$nid] = $node->uid;
-  }
-
-  // Fetch name, picture, and data for these users.
-  $user_fields = db_query("SELECT uid, name, picture, data FROM {users} WHERE uid IN (:uids)", array(':uids' => $uids))->fetchAllAssoc('uid');
-
-  // Add these values back into the node objects.
-  foreach ($uids as $nid => $uid) {
-    $nodes[$nid]->name = $user_fields[$uid]->name;
-    $nodes[$nid]->picture = $user_fields[$uid]->picture;
-    $nodes[$nid]->data = $user_fields[$uid]->data;
-  }
-}
-
-/**
- * Implements hook_image_style_delete().
- */
-function user_image_style_delete($style) {
-  // If a style is deleted, update the variables.
-  // Administrators choose a replacement style when deleting.
-  user_image_style_save($style);
-}
-
-/**
- * Implements hook_image_style_save().
- */
-function user_image_style_save($style) {
-  // If a style is renamed, update the variables that use it.
-  if (isset($style['old_name']) && $style['old_name'] == variable_get('user_picture_style', '')) {
-    variable_set('user_picture_style', $style['name']);
-  }
-}
-
-/**
- * Implements hook_action_info().
- */
-function user_action_info() {
-  return array(
-    'user_block_user_action' => array(
-      'label' => t('Block current user'),
-      'type' => 'user',
-      'configurable' => FALSE,
-      'triggers' => array('any'),
-    ),
-  );
-}
-
-/**
- * Blocks the current user.
- *
- * @ingroup actions
- */
-function user_block_user_action(&$entity, $context = array()) {
-  // First priority: If there is a $entity->uid, block that user.
-  // This is most likely a user object or the author if a node or comment.
-  if (isset($entity->uid)) {
-    $uid = $entity->uid;
-  }
-  elseif (isset($context['uid'])) {
-    $uid = $context['uid'];
-  }
-  // If neither of those are valid, then block the current user.
-  else {
-    $uid = $GLOBALS['user']->uid;
-  }
-  $account = user_load($uid);
-  $account = user_save($account, array('status' => 0));
-  watchdog('action', 'Blocked user %name.', array('%name' => $account->name));
-}
-
-/**
- * Implements hook_form_FORM_ID_alter().
- *
- * Add a checkbox for the 'user_register_form' instance settings on the 'Edit
- * field instance' form.
- */
-function user_form_field_ui_field_edit_form_alter(&$form, &$form_state, $form_id) {
-  $instance = $form['#instance'];
-
-  if ($instance['entity_type'] == 'user' && !$form['#field']['locked']) {
-    $form['instance']['settings']['user_register_form'] = array(
-      '#type' => 'checkbox',
-      '#title' => t('Display on user registration form.'),
-      '#description' => t("This is compulsory for 'required' fields."),
-      // Field instances created in D7 beta releases before the setting was
-      // introduced might be set as 'required' and 'not shown on user_register
-      // form'. We make sure the checkbox comes as 'checked' for those.
-      '#default_value' => $instance['settings']['user_register_form'] || $instance['required'],
-      // Display just below the 'required' checkbox.
-      '#weight' => $form['instance']['required']['#weight'] + .1,
-      // Disabled when the 'required' checkbox is checked.
-      '#states' => array(
-        'enabled' => array('input[name="instance[required]"]' => array('checked' => FALSE)),
-      ),
-      // Checked when the 'required' checkbox is checked. This is done through
-      // a custom behavior, since the #states system would also synchronize on
-      // uncheck.
-      '#attached' => array(
-        'js' => array(drupal_get_path('module', 'user') . '/user.js'),
-      ),
-    );
-
-    array_unshift($form['#submit'], 'user_form_field_ui_field_edit_form_submit');
-  }
-}
-
-/**
- * Additional submit handler for the 'Edit field instance' form.
- *
- * Make sure the 'user_register_form' setting is set for required fields.
- */
-function user_form_field_ui_field_edit_form_submit($form, &$form_state) {
-  $instance = $form_state['values']['instance'];
-
-  if (!empty($instance['required'])) {
-    form_set_value($form['instance']['settings']['user_register_form'], 1, $form_state);
-  }
-}
-
-/**
- * Form builder; the user registration form.
- *
- * @ingroup forms
- * @see user_account_form()
- * @see user_account_form_validate()
- * @see user_register_submit()
- */
-function user_register_form($form, &$form_state) {
-  global $user;
-
-  $admin = user_access('administer users');
-
-  // Pass access information to the submit handler. Running an access check
-  // inside the submit function interferes with form processing and breaks
-  // hook_form_alter().
-  $form['administer_users'] = array(
-     '#type' => 'value',
-     '#value' => $admin,
-  );
-
-  // If we aren't admin but already logged on, go to the user page instead.
-  if (!$admin && $user->uid) {
-    drupal_goto('user/' . $user->uid);
-  }
-
-  $form['#user'] = drupal_anonymous_user();
-  $form['#user_category'] = 'register';
-
-  $form['#attached']['library'][] = array('system', 'jquery.cookie');
-  $form['#attributes']['class'][] = 'user-info-from-cookie';
-
-  // Start with the default user account fields.
-  user_account_form($form, $form_state);
-
-  // Attach field widgets, and hide the ones where the 'user_register_form'
-  // setting is not on.
-  $langcode = entity_language('user', $form['#user']);
-  field_attach_form('user', $form['#user'], $form, $form_state, $langcode);
-  foreach (field_info_instances('user', 'user') as $field_name => $instance) {
-    if (empty($instance['settings']['user_register_form'])) {
-      $form[$field_name]['#access'] = FALSE;
-    }
-  }
-
-  if ($admin) {
-    // Redirect back to page which initiated the create request;
-    // usually admin/people/create.
-    $form_state['redirect'] = $_GET['q'];
-  }
-
-  $form['actions'] = array('#type' => 'actions');
-  $form['actions']['submit'] = array(
-    '#type' => 'submit',
-    '#value' => t('Create new account'),
-  );
-
-  $form['#validate'][] = 'user_register_validate';
-  // Add the final user registration form submit handler.
-  $form['#submit'][] = 'user_register_submit';
-
-  return $form;
-}
-
-/**
- * Validation function for the user registration form.
- */
-function user_register_validate($form, &$form_state) {
-  entity_form_field_validate('user', $form, $form_state);
-}
-
-/**
- * Submit handler for the user registration form.
- *
- * This function is shared by the installation form and the normal registration form,
- * which is why it can't be in the user.pages.inc file.
- *
- * @see user_register_form()
- */
-function user_register_submit($form, &$form_state) {
-  $admin = $form_state['values']['administer_users'];
-
-  if (!variable_get('user_email_verification', TRUE) || $admin) {
-    $pass = $form_state['values']['pass'];
-  }
-  else {
-    $pass = user_password();
-  }
-  $notify = !empty($form_state['values']['notify']);
-
-  // Remove unneeded values.
-  form_state_values_clean($form_state);
-
-  $form_state['values']['pass'] = $pass;
-  $form_state['values']['init'] = $form_state['values']['mail'];
-
-  $account = $form['#user'];
-
-  entity_form_submit_build_entity('user', $account, $form, $form_state);
-
-  // Populate $edit with the properties of $account, which have been edited on
-  // this form by taking over all values, which appear in the form values too.
-  $edit = array_intersect_key((array) $account, $form_state['values']);
-  $account = user_save($account, $edit);
-
-  // Terminate if an error occurred during user_save().
-  if (!$account) {
-    drupal_set_message(t("Error saving user account."), 'error');
-    $form_state['redirect'] = '';
-    return;
-  }
-  $form_state['user'] = $account;
-  $form_state['values']['uid'] = $account->uid;
-
-  watchdog('user', 'New user: %name (%email).', array('%name' => $form_state['values']['name'], '%email' => $form_state['values']['mail']), WATCHDOG_NOTICE, l(t('edit'), 'user/' . $account->uid . '/edit'));
-
-  // Add plain text password into user account to generate mail tokens.
-  $account->password = $pass;
-
-  // New administrative account without notification.
-  $uri = entity_uri('user', $account);
-  if ($admin && !$notify) {
-    drupal_set_message(t('Created a new user account for <a href="@url">%name</a>. No e-mail has been sent.', array('@url' => url($uri['path'], $uri['options']), '%name' => $account->name)));
-  }
-  // No e-mail verification required; log in user immediately.
-  elseif (!$admin && !variable_get('user_email_verification', TRUE) && $account->status) {
-    _user_mail_notify('register_no_approval_required', $account);
-    $form_state['uid'] = $account->uid;
-    user_login_submit(array(), $form_state);
-    drupal_set_message(t('Registration successful. You are now logged in.'));
-    $form_state['redirect'] = '';
-  }
-  // No administrator approval required.
-  elseif ($account->status || $notify) {
-    $op = $notify ? 'register_admin_created' : 'register_no_approval_required';
-    _user_mail_notify($op, $account);
-    if ($notify) {
-      drupal_set_message(t('A welcome message with further instructions has been e-mailed to the new user <a href="@url">%name</a>.', array('@url' => url($uri['path'], $uri['options']), '%name' => $account->name)));
-    }
-    else {
-      drupal_set_message(t('A welcome message with further instructions has been sent to your e-mail address.'));
-      $form_state['redirect'] = '';
-    }
-  }
-  // Administrator approval required.
-  else {
-    _user_mail_notify('register_pending_approval', $account);
-    drupal_set_message(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.<br />In the meantime, a welcome message with further instructions has been sent to your e-mail address.'));
-    $form_state['redirect'] = '';
-  }
-}
-
-/**
- * Implements hook_modules_installed().
- */
-function user_modules_installed($modules) {
-  // Assign all available permissions to the administrator role.
-  $rid = variable_get('user_admin_role', 0);
-  if ($rid) {
-    $permissions = array();
-    foreach ($modules as $module) {
-      if ($module_permissions = module_invoke($module, 'permission')) {
-        $permissions = array_merge($permissions, array_keys($module_permissions));
-      }
-    }
-    if (!empty($permissions)) {
-      user_role_grant_permissions($rid, $permissions);
-    }
-  }
-}
-
-/**
- * Implements hook_modules_uninstalled().
- */
-function user_modules_uninstalled($modules) {
-   db_delete('role_permission')
-     ->condition('module', $modules, 'IN')
-     ->execute();
-}
-
-/**
- * Helper function to rewrite the destination to avoid redirecting to login page after login.
- *
- * Third-party authentication modules may use this function to determine the
- * proper destination after a user has been properly logged in.
- */
-function user_login_destination() {
-  $destination = drupal_get_destination();
-  if ($destination['destination'] == 'user/login') {
-    $destination['destination'] = 'user';
-  }
-  return $destination;
-}
-
-/**
- * Saves visitor information as a cookie so it can be reused.
- *
- * @param $values
- *   An array of key/value pairs to be saved into a cookie.
- */
-function user_cookie_save(array $values) {
-  foreach ($values as $field => $value) {
-    // Set cookie for 365 days.
-    setrawcookie('Drupal.visitor.' . $field, rawurlencode($value), REQUEST_TIME + 31536000, '/');
-  }
-}
-
-/**
- * Delete a visitor information cookie.
- *
- * @param $cookie_name
- *   A cookie name such as 'homepage'.
- */
-function user_cookie_delete($cookie_name) {
-  setrawcookie('Drupal.visitor.' . $cookie_name, '', REQUEST_TIME - 3600, '/');
-}
-
-/**
- * Implements hook_rdf_mapping().
- */
-function user_rdf_mapping() {
-  return array(
-    array(
-      'type' => 'user',
-      'bundle' => RDF_DEFAULT_BUNDLE,
-      'mapping' => array(
-        'rdftype' => array('sioc:UserAccount'),
-        'name' => array(
-          'predicates' => array('foaf:name'),
-        ),
-        'homepage' => array(
-          'predicates' => array('foaf:page'),
-          'type' => 'rel',
-        ),
-      ),
-    ),
-  );
-}
-
-/**
- * Implements hook_file_download_access().
- */
-function user_file_download_access($field, $entity_type, $entity) {
-  if ($entity_type == 'user') {
-    return user_view_access($entity);
-  }
-}
-
-/**
- * Implements hook_system_info_alter().
- *
- * Drupal 7 ships with two methods to add additional fields to users: Profile
- * module, a legacy module dating back from 2002, and Field API integration
- * with users. While Field API support for users currently provides less end
- * user features, the inefficient data storage mechanism of Profile module, as
- * well as its lack of consistency with the rest of the entity / field based
- * systems in Drupal 7, make this a sub-optimal solution to those who were not
- * using it in previous releases of Drupal.
- *
- * To prevent new Drupal 7 sites from installing Profile module, and
- * unwittingly ending up with two completely different and incompatible methods
- * of extending users, only make the Profile module available if the profile_*
- * tables are present.
- *
- * @todo: Remove in D8, pending upgrade path.
- */
-function user_system_info_alter(&$info, $file, $type) {
-  if ($type == 'module' && $file->name == 'profile' && db_table_exists('profile_field')) {
-    $info['hidden'] = FALSE;
-  }
-}
diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index 4cdbc40f..7d40663e 100755
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -137,7 +137,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
           watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
           drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
           // Let the user's password be changed without the current password check.
-          $token = drupal_hash_base64(drupal_random_bytes(55));
+          $token = drupal_random_key();
           $_SESSION['pass_reset_' . $user->uid] = $token;
           drupal_goto('user/' . $user->uid . '/edit', array('query' => array('pass-reset-token' => $token)));
         }
@@ -159,6 +159,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
       // Deny access, no more clues.
       // Everything will be in the watchdog's URL for the administrator to check.
       drupal_access_denied();
+      drupal_exit();
     }
   }
 }
@@ -534,14 +535,20 @@ function user_cancel_confirm($account, $timestamp = 0, $hashed_pass = '') {
       drupal_goto("user/$account->uid/cancel");
     }
   }
-  drupal_access_denied();
+  return MENU_ACCESS_DENIED;
 }
 
 /**
- * Access callback for path /user.
+ * Page callback: Displays the user page.
  *
  * Displays user profile if user is logged in, or login form for anonymous
  * users.
+ *
+ * @return
+ *   A render array for either a user profile or a login form.
+ *
+ * @see user_view_page()
+ * @see user_login()
  */
 function user_page() {
   global $user;
diff --git a/modules/user/user.test b/modules/user/user.test
index 0fa0345b..e2086d4f 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -2066,26 +2066,6 @@ class UserTokenReplaceTestCase extends DrupalWebTestCase {
     );
   }
 
-  public function setUp() {
-    parent::setUp('locale');
-
-    $account = $this->drupalCreateUser(array('access administration pages', 'administer languages'));
-    $this->drupalLogin($account);
-
-    // Add language.
-    $edit = array('langcode' => 'de');
-    $this->drupalPost('admin/config/regional/language/add', $edit, t('Add language'));
-
-    // Enable URL language detection and selection.
-    $edit = array('language[enabled][locale-url]' => 1);
-    $this->drupalPost('admin/config/regional/language/configure', $edit, t('Save settings'));
-
-    // Reset static caching.
-    drupal_static_reset('language_list');
-    drupal_static_reset('locale_url_outbound_alter');
-    drupal_static_reset('locale_language_url_rewrite_url');
-  }
-
   /**
    * Creates a user, then tests the tokens generated from it.
    */
@@ -2136,39 +2116,6 @@ class UserTokenReplaceTestCase extends DrupalWebTestCase {
       $output = token_replace($input, array('user' => $account), array('language' => $language, 'sanitize' => FALSE));
       $this->assertEqual($output, $expected, format_string('Unsanitized user token %token replaced.', array('%token' => $input)));
     }
-
-    $languages = language_list();
-
-    // Generate login and cancel link.
-    $tests = array();
-    $tests['[user:one-time-login-url]'] = user_pass_reset_url($account);
-    $tests['[user:cancel-url]'] = user_cancel_url($account);
-
-    // Generate tokens with interface language.
-    $link = url('user', array('absolute' => TRUE));
-    foreach ($tests as $input => $expected) {
-      $output = token_replace($input, array('user' => $account), array('langcode' => $language->language, 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
-      $this->assertTrue(strpos($output, $link) === 0, 'Generated URL is in interface language.');
-    }
-
-    // Generate tokens with the user's preferred language.
-    $edit['language'] = 'de';
-    $account = user_save($account, $edit);
-    $link = url('user', array('language' => $languages[$account->language], 'absolute' => TRUE));
-    foreach ($tests as $input => $expected) {
-      $output = token_replace($input, array('user' => $account), array('callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
-      $this->assertTrue(strpos($output, $link) === 0, "Generated URL is in the user's preferred language.");
-    }
-
-    // Generate tokens with one specific language.
-    $link = url('user', array('language' => $languages['de'], 'absolute' => TRUE));
-    foreach ($tests as $input => $expected) {
-      foreach (array($user1, $user2) as $account) {
-        $output = token_replace($input, array('user' => $account), array('langcode' => 'de', 'callback' => 'user_mail_tokens', 'sanitize' => FALSE, 'clear' => TRUE));
-        $this->assertTrue(strpos($output, $link) === 0, "Generated URL in in the requested language.");
-      }
-    }
-
   }
 }
 
diff --git a/modules/user/user.test.orig b/modules/user/user.test.orig
deleted file mode 100755
index e2086d4f..00000000
--- a/modules/user/user.test.orig
+++ /dev/null
@@ -1,2368 +0,0 @@
-<?php
-
-/**
- * @file
- * Tests for user.module.
- */
-
-class UserRegistrationTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User registration',
-      'description' => 'Test registration of user under different configurations.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp('field_test');
-  }
-
-  function testRegistrationWithEmailVerification() {
-    // Require e-mail verification.
-    variable_set('user_email_verification', TRUE);
-
-    // Set registration to administrator only.
-    variable_set('user_register', USER_REGISTER_ADMINISTRATORS_ONLY);
-    $this->drupalGet('user/register');
-    $this->assertResponse(403, 'Registration page is inaccessible when only administrators can create accounts.');
-
-    // Allow registration by site visitors without administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS);
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $this->assertText(t('A welcome message with further instructions has been sent to your e-mail address.'), 'User registered successfully.');
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $this->assertTrue($new_user->status, 'New account is active after registration.');
-
-    // Allow registration by site visitors, but require administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $this->assertFalse($new_user->status, 'New account is blocked until approved by an administrator.');
-  }
-
-  function testRegistrationWithoutEmailVerification() {
-    // Don't require e-mail verification.
-    variable_set('user_email_verification', FALSE);
-
-    // Allow registration by site visitors without administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS);
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-
-    // Try entering a mismatching password.
-    $edit['pass[pass1]'] = '99999.0';
-    $edit['pass[pass2]'] = '99999';
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $this->assertText(t('The specified passwords do not match.'), 'Typing mismatched passwords displays an error message.');
-
-    // Enter a correct password.
-    $edit['pass[pass1]'] = $new_pass = $this->randomName();
-    $edit['pass[pass2]'] = $new_pass;
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $this->assertText(t('Registration successful. You are now logged in.'), 'Users are logged in after registering.');
-    $this->drupalLogout();
-
-    // Allow registration by site visitors, but require administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-    $edit['pass[pass1]'] = $pass = $this->randomName();
-    $edit['pass[pass2]'] = $pass;
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $this->assertText(t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'), 'Users are notified of pending approval');
-
-    // Try to login before administrator approval.
-    $auth = array(
-      'name' => $name,
-      'pass' => $pass,
-    );
-    $this->drupalPost('user/login', $auth, t('Log in'));
-    $this->assertText(t('The username @name has not been activated or is blocked.', array('@name' => $name)), 'User cannot login yet.');
-
-    // Activate the new account.
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $admin_user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($admin_user);
-    $edit = array(
-      'status' => 1,
-    );
-    $this->drupalPost('user/' . $new_user->uid . '/edit', $edit, t('Save'));
-    $this->drupalLogout();
-
-    // Login after administrator approval.
-    $this->drupalPost('user/login', $auth, t('Log in'));
-    $this->assertText(t('Member for'), 'User can log in after administrator approval.');
-  }
-
-  function testRegistrationEmailDuplicates() {
-    // Don't require e-mail verification.
-    variable_set('user_email_verification', FALSE);
-
-    // Allow registration by site visitors without administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS);
-
-    // Set up a user to check for duplicates.
-    $duplicate_user = $this->drupalCreateUser();
-
-    $edit = array();
-    $edit['name'] = $this->randomName();
-    $edit['mail'] = $duplicate_user->mail;
-
-    // Attempt to create a new account using an existing e-mail address.
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $this->assertText(t('The e-mail address @email is already registered.', array('@email' => $duplicate_user->mail)), 'Supplying an exact duplicate email address displays an error message');
-
-    // Attempt to bypass duplicate email registration validation by adding spaces.
-    $edit['mail'] = '   ' . $duplicate_user->mail . '   ';
-
-    $this->drupalPost('user/register', $edit, t('Create new account'));
-    $this->assertText(t('The e-mail address @email is already registered.', array('@email' => $duplicate_user->mail)), 'Supplying a duplicate email address with added whitespace displays an error message');
-  }
-
-  function testRegistrationDefaultValues() {
-    // Allow registration by site visitors without administrator approval.
-    variable_set('user_register', USER_REGISTER_VISITORS);
-
-    // Don't require e-mail verification.
-    variable_set('user_email_verification', FALSE);
-
-    // Set the default timezone to Brussels.
-    variable_set('configurable_timezones', 1);
-    variable_set('date_default_timezone', 'Europe/Brussels');
-
-    // Check that the account information fieldset's options are not displayed
-    // is a fieldset if there is not more than one fieldset in the form.
-    $this->drupalGet('user/register');
-    $this->assertNoRaw('<fieldset id="edit-account"><legend>Account information</legend>', 'Account settings fieldset was hidden.');
-
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-    $edit['pass[pass1]'] = $new_pass = $this->randomName();
-    $edit['pass[pass2]'] = $new_pass;
-    $this->drupalPost(NULL, $edit, t('Create new account'));
-
-    // Check user fields.
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $this->assertEqual($new_user->name, $name, 'Username matches.');
-    $this->assertEqual($new_user->mail, $mail, 'E-mail address matches.');
-    $this->assertEqual($new_user->theme, '', 'Correct theme field.');
-    $this->assertEqual($new_user->signature, '', 'Correct signature field.');
-    $this->assertTrue(($new_user->created > REQUEST_TIME - 20 ), 'Correct creation time.');
-    $this->assertEqual($new_user->status, variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS ? 1 : 0, 'Correct status field.');
-    $this->assertEqual($new_user->timezone, variable_get('date_default_timezone'), 'Correct time zone field.');
-    $this->assertEqual($new_user->language, '', 'Correct language field.');
-    $this->assertEqual($new_user->picture, '', 'Correct picture field.');
-    $this->assertEqual($new_user->init, $mail, 'Correct init field.');
-  }
-
-  /**
-   * Tests Field API fields on user registration forms.
-   */
-  function testRegistrationWithUserFields() {
-    // Create a field, and an instance on 'user' entity type.
-    $field = array(
-      'type' => 'test_field',
-      'field_name' => 'test_user_field',
-      'cardinality' => 1,
-    );
-    field_create_field($field);
-    $instance = array(
-      'field_name' => 'test_user_field',
-      'entity_type' => 'user',
-      'label' => 'Some user field',
-      'bundle' => 'user',
-      'required' => TRUE,
-      'settings' => array('user_register_form' => FALSE),
-    );
-    field_create_instance($instance);
-
-    // Check that the field does not appear on the registration form.
-    $this->drupalGet('user/register');
-    $this->assertNoText($instance['label'], 'The field does not appear on user registration form');
-
-    // Have the field appear on the registration form.
-    $instance['settings']['user_register_form'] = TRUE;
-    field_update_instance($instance);
-    $this->drupalGet('user/register');
-    $this->assertText($instance['label'], 'The field appears on user registration form');
-
-    // Check that validation errors are correctly reported.
-    $edit = array();
-    $edit['name'] = $name = $this->randomName();
-    $edit['mail'] = $mail = $edit['name'] . '@example.com';
-    // Missing input in required field.
-    $edit['test_user_field[und][0][value]'] = '';
-    $this->drupalPost(NULL, $edit, t('Create new account'));
-    $this->assertRaw(t('@name field is required.', array('@name' => $instance['label'])), 'Field validation error was correctly reported.');
-    // Invalid input.
-    $edit['test_user_field[und][0][value]'] = '-1';
-    $this->drupalPost(NULL, $edit, t('Create new account'));
-    $this->assertRaw(t('%name does not accept the value -1.', array('%name' => $instance['label'])), 'Field validation error was correctly reported.');
-
-    // Submit with valid data.
-    $value = rand(1, 255);
-    $edit['test_user_field[und][0][value]'] = $value;
-    $this->drupalPost(NULL, $edit, t('Create new account'));
-    // Check user fields.
-    $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-    $new_user = reset($accounts);
-    $this->assertEqual($new_user->test_user_field[LANGUAGE_NONE][0]['value'], $value, 'The field value was correctly saved.');
-
-    // Check that the 'add more' button works.
-    $field['cardinality'] = FIELD_CARDINALITY_UNLIMITED;
-    field_update_field($field);
-    foreach (array('js', 'nojs') as $js) {
-      $this->drupalGet('user/register');
-      // Add two inputs.
-      $value = rand(1, 255);
-      $edit = array();
-      $edit['test_user_field[und][0][value]'] = $value;
-      if ($js == 'js') {
-        $this->drupalPostAJAX(NULL, $edit, 'test_user_field_add_more');
-        $this->drupalPostAJAX(NULL, $edit, 'test_user_field_add_more');
-      }
-      else {
-        $this->drupalPost(NULL, $edit, t('Add another item'));
-        $this->drupalPost(NULL, $edit, t('Add another item'));
-      }
-      // Submit with three values.
-      $edit['test_user_field[und][1][value]'] = $value + 1;
-      $edit['test_user_field[und][2][value]'] = $value + 2;
-      $edit['name'] = $name = $this->randomName();
-      $edit['mail'] = $mail = $edit['name'] . '@example.com';
-      $this->drupalPost(NULL, $edit, t('Create new account'));
-      // Check user fields.
-      $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail));
-      $new_user = reset($accounts);
-      $this->assertEqual($new_user->test_user_field[LANGUAGE_NONE][0]['value'], $value, format_string('@js : The field value was correclty saved.', array('@js' => $js)));
-      $this->assertEqual($new_user->test_user_field[LANGUAGE_NONE][1]['value'], $value + 1, format_string('@js : The field value was correclty saved.', array('@js' => $js)));
-      $this->assertEqual($new_user->test_user_field[LANGUAGE_NONE][2]['value'], $value + 2, format_string('@js : The field value was correclty saved.', array('@js' => $js)));
-    }
-  }
-}
-
-class UserValidationTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'Username/e-mail validation',
-      'description' => 'Verify that username/email validity checks behave as designed.',
-      'group' => 'User'
-    );
-  }
-
-  // Username validation.
-  function testUsernames() {
-    $test_cases = array( // '<username>' => array('<description>', 'assert<testName>'),
-      'foo'                    => array('Valid username', 'assertNull'),
-      'FOO'                    => array('Valid username', 'assertNull'),
-      'Foo O\'Bar'             => array('Valid username', 'assertNull'),
-      'foo@bar'                => array('Valid username', 'assertNull'),
-      'foo@example.com'        => array('Valid username', 'assertNull'),
-      'foo@-example.com'       => array('Valid username', 'assertNull'), // invalid domains are allowed in usernames
-      'þòøÇߪř€'               => array('Valid username', 'assertNull'),
-      'ᚠᛇᚻ᛫ᛒᛦᚦ'                => array('Valid UTF8 username', 'assertNull'), // runes
-      ' foo'                   => array('Invalid username that starts with a space', 'assertNotNull'),
-      'foo '                   => array('Invalid username that ends with a space', 'assertNotNull'),
-      'foo  bar'               => array('Invalid username that contains 2 spaces \'&nbsp;&nbsp;\'', 'assertNotNull'),
-      ''                       => array('Invalid empty username', 'assertNotNull'),
-      'foo/'                   => array('Invalid username containing invalid chars', 'assertNotNull'),
-      'foo' . chr(0) . 'bar'   => array('Invalid username containing chr(0)', 'assertNotNull'), // NULL
-      'foo' . chr(13) . 'bar'  => array('Invalid username containing chr(13)', 'assertNotNull'), // CR
-      str_repeat('x', USERNAME_MAX_LENGTH + 1) => array('Invalid excessively long username', 'assertNotNull'),
-    );
-    foreach ($test_cases as $name => $test_case) {
-      list($description, $test) = $test_case;
-      $result = user_validate_name($name);
-      $this->$test($result, $description . ' (' . $name . ')');
-    }
-  }
-
-  // Mail validation. More extensive tests can be found at common.test
-  function testMailAddresses() {
-    $test_cases = array( // '<username>' => array('<description>', 'assert<testName>'),
-      ''                => array('Empty mail address', 'assertNotNull'),
-      'foo'             => array('Invalid mail address', 'assertNotNull'),
-      'foo@example.com' => array('Valid mail address', 'assertNull'),
-    );
-    foreach ($test_cases as $name => $test_case) {
-      list($description, $test) = $test_case;
-      $result = user_validate_mail($name);
-      $this->$test($result, $description . ' (' . $name . ')');
-    }
-  }
-}
-
-/**
- * Functional tests for user logins, including rate limiting of login attempts.
- */
-class UserLoginTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User login',
-      'description' => 'Ensure that login works as expected.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Test the global login flood control.
-   */
-  function testGlobalLoginFloodControl() {
-    // Set the global login limit.
-    variable_set('user_failed_login_ip_limit', 10);
-    // Set a high per-user limit out so that it is not relevant in the test.
-    variable_set('user_failed_login_user_limit', 4000);
-
-    $user1 = $this->drupalCreateUser(array());
-    $incorrect_user1 = clone $user1;
-    $incorrect_user1->pass_raw .= 'incorrect';
-
-    // Try 2 failed logins.
-    for ($i = 0; $i < 2; $i++) {
-      $this->assertFailedLogin($incorrect_user1);
-    }
-
-    // A successful login will not reset the IP-based flood control count.
-    $this->drupalLogin($user1);
-    $this->drupalLogout();
-
-    // Try 8 more failed logins, they should not trigger the flood control
-    // mechanism.
-    for ($i = 0; $i < 8; $i++) {
-      $this->assertFailedLogin($incorrect_user1);
-    }
-
-    // The next login trial should result in an IP-based flood error message.
-    $this->assertFailedLogin($incorrect_user1, 'ip');
-
-    // A login with the correct password should also result in a flood error
-    // message.
-    $this->assertFailedLogin($user1, 'ip');
-  }
-
-  /**
-   * Test the per-user login flood control.
-   */
-  function testPerUserLoginFloodControl() {
-    // Set a high global limit out so that it is not relevant in the test.
-    variable_set('user_failed_login_ip_limit', 4000);
-    // Set the per-user login limit.
-    variable_set('user_failed_login_user_limit', 3);
-
-    $user1 = $this->drupalCreateUser(array());
-    $incorrect_user1 = clone $user1;
-    $incorrect_user1->pass_raw .= 'incorrect';
-
-    $user2 = $this->drupalCreateUser(array());
-
-    // Try 2 failed logins.
-    for ($i = 0; $i < 2; $i++) {
-      $this->assertFailedLogin($incorrect_user1);
-    }
-
-    // A successful login will reset the per-user flood control count.
-    $this->drupalLogin($user1);
-    $this->drupalLogout();
-
-    // Try 3 failed logins for user 1, they will not trigger flood control.
-    for ($i = 0; $i < 3; $i++) {
-      $this->assertFailedLogin($incorrect_user1);
-    }
-
-    // Try one successful attempt for user 2, it should not trigger any
-    // flood control.
-    $this->drupalLogin($user2);
-    $this->drupalLogout();
-
-    // Try one more attempt for user 1, it should be rejected, even if the
-    // correct password has been used.
-    $this->assertFailedLogin($user1, 'user');
-  }
-
-  /**
-   * Test that user password is re-hashed upon login after changing $count_log2.
-   */
-  function testPasswordRehashOnLogin() {
-    // Load password hashing API.
-    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
-    // Set initial $count_log2 to the default, DRUPAL_HASH_COUNT.
-    variable_set('password_count_log2', DRUPAL_HASH_COUNT);
-    // Create a new user and authenticate.
-    $account = $this->drupalCreateUser(array());
-    $password = $account->pass_raw;
-    $this->drupalLogin($account);
-    $this->drupalLogout();
-    // Load the stored user. The password hash should reflect $count_log2.
-    $account = user_load($account->uid);
-    $this->assertIdentical(_password_get_count_log2($account->pass), DRUPAL_HASH_COUNT);
-    // Change $count_log2 and log in again.
-    variable_set('password_count_log2', DRUPAL_HASH_COUNT + 1);
-    $account->pass_raw = $password;
-    $this->drupalLogin($account);
-    // Load the stored user, which should have a different password hash now.
-    $account = user_load($account->uid, TRUE);
-    $this->assertIdentical(_password_get_count_log2($account->pass), DRUPAL_HASH_COUNT + 1);
-  }
-
-  /**
-   * Make an unsuccessful login attempt.
-   *
-   * @param $account
-   *   A user object with name and pass_raw attributes for the login attempt.
-   * @param $flood_trigger
-   *   Whether or not to expect that the flood control mechanism will be
-   *   triggered.
-   */
-  function assertFailedLogin($account, $flood_trigger = NULL) {
-    $edit = array(
-      'name' => $account->name,
-      'pass' => $account->pass_raw,
-    );
-    $this->drupalPost('user', $edit, t('Log in'));
-    $this->assertNoFieldByXPath("//input[@name='pass' and @value!='']", NULL, 'Password value attribute is blank.');
-    if (isset($flood_trigger)) {
-      if ($flood_trigger == 'user') {
-        $this->assertRaw(format_plural(variable_get('user_failed_login_user_limit', 5), 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
-      }
-      else {
-        // No uid, so the limit is IP-based.
-        $this->assertRaw(t('Sorry, too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
-      }
-    }
-    else {
-      $this->assertText(t('Sorry, unrecognized username or password. Have you forgotten your password?'));
-    }
-  }
-}
-
-/**
- * Tests resetting a user password.
- */
-class UserPasswordResetTestCase extends DrupalWebTestCase {
-  protected $profile = 'standard';
-
-  public static function getInfo() {
-    return array(
-      'name' => 'Reset password',
-      'description' => 'Ensure that password reset methods work as expected.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Tests password reset functionality.
-   */
-  function testUserPasswordReset() {
-    // Create a user.
-    $account = $this->drupalCreateUser();
-    $this->drupalLogin($account);
-    $this->drupalLogout();
-    // Attempt to reset password.
-    $edit = array('name' => $account->name);
-    $this->drupalPost('user/password', $edit, t('E-mail new password'));
-    // Confirm the password reset.
-    $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message displayed.');
-  }
-
-  /**
-   * Attempts login using an expired password reset link.
-   */
-  function testUserPasswordResetExpired() {
-    // Set password reset timeout variable to 43200 seconds = 12 hours.
-    $timeout = 43200;
-    variable_set('user_password_reset_timeout', $timeout);
-
-    // Create a user.
-    $account = $this->drupalCreateUser();
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-    $this->drupalLogout();
-
-    // To attempt an expired password reset, create a password reset link as if
-    // its request time was 60 seconds older than the allowed limit of timeout.
-    $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
-    $this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
-    $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
-  }
-
-  /**
-   * Prefill the text box on incorrect login via link to password reset page.
-   */
-  function testUserPasswordTextboxFilled() {
-    $this->drupalGet('user/login');
-    $edit = array(
-      'name' => $this->randomName(),
-      'pass' => $this->randomName(),
-    );
-    $this->drupalPost('user', $edit, t('Log in'));
-    $this->assertRaw(t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>',
-      array('@password' => url('user/password', array('query' => array('name' => $edit['name']))))));
-    unset($edit['pass']);
-    $this->drupalGet('user/password', array('query' => array('name' => $edit['name'])));
-    $this->assertFieldByName('name', $edit['name'], 'User name found.');
-  }
-
-}
-
-/**
- * Test cancelling a user.
- */
-class UserCancelTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'Cancel account',
-      'description' => 'Ensure that account cancellation methods work as expected.',
-      'group' => 'User',
-    );
-  }
-
-  function setUp() {
-    parent::setUp('comment');
-  }
-
-  /**
-   * Attempt to cancel account without permission.
-   */
-  function testUserCancelWithoutPermission() {
-    variable_set('user_cancel_method', 'user_cancel_reassign');
-
-    // Create a user.
-    $account = $this->drupalCreateUser(array());
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-
-    // Create a node.
-    $node = $this->drupalCreateNode(array('uid' => $account->uid));
-
-    // Attempt to cancel account.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->assertNoRaw(t('Cancel account'), 'No cancel account button displayed.');
-
-    // Attempt bogus account cancellation request confirmation.
-    $timestamp = $account->login;
-    $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $this->assertResponse(403, 'Bogus cancelling request rejected.');
-    $account = user_load($account->uid);
-    $this->assertTrue($account->status == 1, 'User account was not canceled.');
-
-    // Confirm user's content has not been altered.
-    $test_node = node_load($node->nid, NULL, TRUE);
-    $this->assertTrue(($test_node->uid == $account->uid && $test_node->status == 1), 'Node of the user has not been altered.');
-  }
-
-  /**
-   * Tests that user account for uid 1 cannot be cancelled.
-   *
-   * This should never be possible, or the site owner would become unable to
-   * administer the site.
-   */
-  function testUserCancelUid1() {
-    // Update uid 1's name and password to we know it.
-    $password = user_password();
-    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
-    $account = array(
-      'name' => 'user1',
-      'pass' => user_hash_password(trim($password)),
-    );
-    // We cannot use user_save() here or the password would be hashed again.
-    db_update('users')
-      ->fields($account)
-      ->condition('uid', 1)
-      ->execute();
-
-    // Reload and log in uid 1.
-    $user1 = user_load(1, TRUE);
-    $user1->pass_raw = $password;
-
-    // Try to cancel uid 1's account with a different user.
-    $this->admin_user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($this->admin_user);
-    $edit = array(
-      'operation' => 'cancel',
-      'accounts[1]' => TRUE,
-    );
-    $this->drupalPost('admin/people', $edit, t('Update'));
-
-    // Verify that uid 1's account was not cancelled.
-    $user1 = user_load(1, TRUE);
-    $this->assertEqual($user1->status, 1, 'User #1 still exists and is not blocked.');
-  }
-
-  /**
-   * Attempt invalid account cancellations.
-   */
-  function testUserCancelInvalid() {
-    variable_set('user_cancel_method', 'user_cancel_reassign');
-
-    // Create a user.
-    $account = $this->drupalCreateUser(array('cancel account'));
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-
-    // Create a node.
-    $node = $this->drupalCreateNode(array('uid' => $account->uid));
-
-    // Attempt to cancel account.
-    $this->drupalPost('user/' . $account->uid . '/edit', NULL, t('Cancel account'));
-
-    // Confirm account cancellation.
-    $timestamp = time();
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-
-    // Attempt bogus account cancellation request confirmation.
-    $bogus_timestamp = $timestamp + 60;
-    $this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
-    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Bogus cancelling request rejected.');
-    $account = user_load($account->uid);
-    $this->assertTrue($account->status == 1, 'User account was not canceled.');
-
-    // Attempt expired account cancellation request confirmation.
-    $bogus_timestamp = $timestamp - 86400 - 60;
-    $this->drupalGet("user/$account->uid/cancel/confirm/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
-    $this->assertText(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'Expired cancel account request rejected.');
-    $accounts = user_load_multiple(array($account->uid), array('status' => 1));
-    $this->assertTrue(reset($accounts), 'User account was not canceled.');
-
-    // Confirm user's content has not been altered.
-    $test_node = node_load($node->nid, NULL, TRUE);
-    $this->assertTrue(($test_node->uid == $account->uid && $test_node->status == 1), 'Node of the user has not been altered.');
-  }
-
-  /**
-   * Disable account and keep all content.
-   */
-  function testUserBlock() {
-    variable_set('user_cancel_method', 'user_cancel_block');
-
-    // Create a user.
-    $web_user = $this->drupalCreateUser(array('cancel account'));
-    $this->drupalLogin($web_user);
-
-    // Load real user object.
-    $account = user_load($web_user->uid, TRUE);
-
-    // Attempt to cancel account.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
-    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will remain attributed to your user name.'), 'Informs that all content will be remain as is.');
-    $this->assertNoText(t('Select the method to cancel the account above.'), 'Does not allow user to select account cancellation method.');
-
-    // Confirm account cancellation.
-    $timestamp = time();
-
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-
-    // Confirm account cancellation request.
-    $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $account = user_load($account->uid, TRUE);
-    $this->assertTrue($account->status == 0, 'User has been blocked.');
-
-    // Confirm that the confirmation message made it through to the end user.
-    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->name)), "Confirmation message displayed to user.");
-  }
-
-  /**
-   * Disable account and unpublish all content.
-   */
-  function testUserBlockUnpublish() {
-    variable_set('user_cancel_method', 'user_cancel_block_unpublish');
-
-    // Create a user.
-    $account = $this->drupalCreateUser(array('cancel account'));
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-
-    // Create a node with two revisions.
-    $node = $this->drupalCreateNode(array('uid' => $account->uid));
-    $settings = get_object_vars($node);
-    $settings['revision'] = 1;
-    $node = $this->drupalCreateNode($settings);
-
-    // Attempt to cancel account.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
-    $this->assertText(t('Your account will be blocked and you will no longer be able to log in. All of your content will be hidden from everyone but administrators.'), 'Informs that all content will be unpublished.');
-
-    // Confirm account cancellation.
-    $timestamp = time();
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-
-    // Confirm account cancellation request.
-    $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $account = user_load($account->uid, TRUE);
-    $this->assertTrue($account->status == 0, 'User has been blocked.');
-
-    // Confirm user's content has been unpublished.
-    $test_node = node_load($node->nid, NULL, TRUE);
-    $this->assertTrue($test_node->status == 0, 'Node of the user has been unpublished.');
-    $test_node = node_load($node->nid, $node->vid, TRUE);
-    $this->assertTrue($test_node->status == 0, 'Node revision of the user has been unpublished.');
-
-    // Confirm that the confirmation message made it through to the end user.
-    $this->assertRaw(t('%name has been disabled.', array('%name' => $account->name)), "Confirmation message displayed to user.");
-  }
-
-  /**
-   * Delete account and anonymize all content.
-   */
-  function testUserAnonymize() {
-    variable_set('user_cancel_method', 'user_cancel_reassign');
-
-    // Create a user.
-    $account = $this->drupalCreateUser(array('cancel account'));
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-
-    // Create a simple node.
-    $node = $this->drupalCreateNode(array('uid' => $account->uid));
-
-    // Create a node with two revisions, the initial one belonging to the
-    // cancelling user.
-    $revision_node = $this->drupalCreateNode(array('uid' => $account->uid));
-    $revision = $revision_node->vid;
-    $settings = get_object_vars($revision_node);
-    $settings['revision'] = 1;
-    $settings['uid'] = 1; // Set new/current revision to someone else.
-    $revision_node = $this->drupalCreateNode($settings);
-
-    // Attempt to cancel account.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
-    $this->assertRaw(t('Your account will be removed and all account information deleted. All of your content will be assigned to the %anonymous-name user.', array('%anonymous-name' => variable_get('anonymous', t('Anonymous')))), 'Informs that all content will be attributed to anonymous account.');
-
-    // Confirm account cancellation.
-    $timestamp = time();
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-
-    // Confirm account cancellation request.
-    $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.');
-
-    // Confirm that user's content has been attributed to anonymous user.
-    $test_node = node_load($node->nid, NULL, TRUE);
-    $this->assertTrue(($test_node->uid == 0 && $test_node->status == 1), 'Node of the user has been attributed to anonymous user.');
-    $test_node = node_load($revision_node->nid, $revision, TRUE);
-    $this->assertTrue(($test_node->revision_uid == 0 && $test_node->status == 1), 'Node revision of the user has been attributed to anonymous user.');
-    $test_node = node_load($revision_node->nid, NULL, TRUE);
-    $this->assertTrue(($test_node->uid != 0 && $test_node->status == 1), "Current revision of the user's node was not attributed to anonymous user.");
-
-    // Confirm that the confirmation message made it through to the end user.
-    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->name)), "Confirmation message displayed to user.");
-  }
-
-  /**
-   * Delete account and remove all content.
-   */
-  function testUserDelete() {
-    variable_set('user_cancel_method', 'user_cancel_delete');
-
-    // Create a user.
-    $account = $this->drupalCreateUser(array('cancel account', 'post comments', 'skip comment approval'));
-    $this->drupalLogin($account);
-    // Load real user object.
-    $account = user_load($account->uid, TRUE);
-
-    // Create a simple node.
-    $node = $this->drupalCreateNode(array('uid' => $account->uid));
-
-    // Create comment.
-    $langcode = LANGUAGE_NONE;
-    $edit = array();
-    $edit['subject'] = $this->randomName(8);
-    $edit['comment_body[' . $langcode . '][0][value]'] = $this->randomName(16);
-
-    $this->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));
-    $this->drupalPost(NULL, array(), t('Save'));
-    $this->assertText(t('Your comment has been posted.'));
-    $comments = comment_load_multiple(array(), array('subject' => $edit['subject']));
-    $comment = reset($comments);
-    $this->assertTrue($comment->cid, 'Comment found.');
-
-    // Create a node with two revisions, the initial one belonging to the
-    // cancelling user.
-    $revision_node = $this->drupalCreateNode(array('uid' => $account->uid));
-    $revision = $revision_node->vid;
-    $settings = get_object_vars($revision_node);
-    $settings['revision'] = 1;
-    $settings['uid'] = 1; // Set new/current revision to someone else.
-    $revision_node = $this->drupalCreateNode($settings);
-
-    // Attempt to cancel account.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('Are you sure you want to cancel your account?'), 'Confirmation form to cancel account displayed.');
-    $this->assertText(t('Your account will be removed and all account information deleted. All of your content will also be deleted.'), 'Informs that all content will be deleted.');
-
-    // Confirm account cancellation.
-    $timestamp = time();
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-
-    // Confirm account cancellation request.
-    $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $this->assertFalse(user_load($account->uid, TRUE), 'User is not found in the database.');
-
-    // Confirm that user's content has been deleted.
-    $this->assertFalse(node_load($node->nid, NULL, TRUE), 'Node of the user has been deleted.');
-    $this->assertFalse(node_load($node->nid, $revision, TRUE), 'Node revision of the user has been deleted.');
-    $this->assertTrue(node_load($revision_node->nid, NULL, TRUE), "Current revision of the user's node was not deleted.");
-    $this->assertFalse(comment_load($comment->cid), 'Comment of the user has been deleted.');
-
-    // Confirm that the confirmation message made it through to the end user.
-    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->name)), "Confirmation message displayed to user.");
-  }
-
-  /**
-   * Create an administrative user and delete another user.
-   */
-  function testUserCancelByAdmin() {
-    variable_set('user_cancel_method', 'user_cancel_reassign');
-
-    // Create a regular user.
-    $account = $this->drupalCreateUser(array());
-
-    // Create administrative user.
-    $admin_user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($admin_user);
-
-    // Delete regular user.
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertRaw(t('Are you sure you want to cancel the account %name?', array('%name' => $account->name)), 'Confirmation form to cancel account displayed.');
-    $this->assertText(t('Select the method to cancel the account above.'), 'Allows to select account cancellation method.');
-
-    // Confirm deletion.
-    $this->drupalPost(NULL, NULL, t('Cancel account'));
-    $this->assertRaw(t('%name has been deleted.', array('%name' => $account->name)), 'User deleted.');
-    $this->assertFalse(user_load($account->uid), 'User is not found in the database.');
-  }
-
-  /**
-   * Create an administrative user and mass-delete other users.
-   */
-  function testMassUserCancelByAdmin() {
-    variable_set('user_cancel_method', 'user_cancel_reassign');
-    // Enable account cancellation notification.
-    variable_set('user_mail_status_canceled_notify', TRUE);
-
-    // Create administrative user.
-    $admin_user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($admin_user);
-
-    // Create some users.
-    $users = array();
-    for ($i = 0; $i < 3; $i++) {
-      $account = $this->drupalCreateUser(array());
-      $users[$account->uid] = $account;
-    }
-
-    // Cancel user accounts, including own one.
-    $edit = array();
-    $edit['operation'] = 'cancel';
-    foreach ($users as $uid => $account) {
-      $edit['accounts[' . $uid . ']'] = TRUE;
-    }
-    $edit['accounts[' . $admin_user->uid . ']'] = TRUE;
-    // Also try to cancel uid 1.
-    $edit['accounts[1]'] = TRUE;
-    $this->drupalPost('admin/people', $edit, t('Update'));
-    $this->assertText(t('Are you sure you want to cancel these user accounts?'), 'Confirmation form to cancel accounts displayed.');
-    $this->assertText(t('When cancelling these accounts'), 'Allows to select account cancellation method.');
-    $this->assertText(t('Require e-mail confirmation to cancel account.'), 'Allows to send confirmation mail.');
-    $this->assertText(t('Notify user when account is canceled.'), 'Allows to send notification mail.');
-
-    // Confirm deletion.
-    $this->drupalPost(NULL, NULL, t('Cancel accounts'));
-    $status = TRUE;
-    foreach ($users as $account) {
-      $status = $status && (strpos($this->content, t('%name has been deleted.', array('%name' => $account->name))) !== FALSE);
-      $status = $status && !user_load($account->uid, TRUE);
-    }
-    $this->assertTrue($status, 'Users deleted and not found in the database.');
-
-    // Ensure that admin account was not cancelled.
-    $this->assertText(t('A confirmation request to cancel your account has been sent to your e-mail address.'), 'Account cancellation request mailed message displayed.');
-    $admin_user = user_load($admin_user->uid);
-    $this->assertTrue($admin_user->status == 1, 'Administrative user is found in the database and enabled.');
-
-    // Verify that uid 1's account was not cancelled.
-    $user1 = user_load(1, TRUE);
-    $this->assertEqual($user1->status, 1, 'User #1 still exists and is not blocked.');
-  }
-}
-
-class UserPictureTestCase extends DrupalWebTestCase {
-  protected $user;
-  protected $_directory_test;
-
-  public static function getInfo() {
-    return array(
-      'name' => 'Upload user picture',
-      'description' => 'Assure that dimension check, extension check and image scaling work as designed.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp();
-    // Enable user pictures.
-    variable_set('user_pictures', 1);
-
-    $this->user = $this->drupalCreateUser();
-
-    // Test if directories specified in settings exist in filesystem.
-    $file_dir = 'public://';
-    $file_check = file_prepare_directory($file_dir, FILE_CREATE_DIRECTORY);
-    // TODO: Test public and private methods?
-
-    $picture_dir = variable_get('user_picture_path', 'pictures');
-    $picture_path = $file_dir . $picture_dir;
-
-    $pic_check = file_prepare_directory($picture_path, FILE_CREATE_DIRECTORY);
-    $this->_directory_test = is_writable($picture_path);
-    $this->assertTrue($this->_directory_test, "The directory $picture_path doesn't exist or is not writable. Further tests won't be made.");
-  }
-
-  function testNoPicture() {
-    $this->drupalLogin($this->user);
-
-    // Try to upload a file that is not an image for the user picture.
-    $not_an_image = current($this->drupalGetTestFiles('html'));
-    $this->saveUserPicture($not_an_image);
-    $this->assertRaw(t('Only JPEG, PNG and GIF images are allowed.'), 'Non-image files are not accepted.');
-  }
-
-  /**
-   * Do the test:
-   *  GD Toolkit is installed
-   *  Picture has invalid dimension
-   *
-   * results: The image should be uploaded because ImageGDToolkit resizes the picture
-   */
-  function testWithGDinvalidDimension() {
-    if ($this->_directory_test && image_get_toolkit()) {
-      $this->drupalLogin($this->user);
-
-      $image = current($this->drupalGetTestFiles('image'));
-      $info = image_get_info($image->uri);
-
-      // Set new variables: invalid dimensions, valid filesize (0 = no limit).
-      $test_dim = ($info['width'] - 10) . 'x' . ($info['height'] - 10);
-      variable_set('user_picture_dimensions', $test_dim);
-      variable_set('user_picture_file_size', 0);
-
-      $pic_path = $this->saveUserPicture($image);
-      // Check that the image was resized and is being displayed on the
-      // user's profile page.
-      $text = t('The image was resized to fit within the maximum allowed dimensions of %dimensions pixels.', array('%dimensions' => $test_dim));
-      $this->assertRaw($text, 'Image was resized.');
-      $alt = t("@user's picture", array('@user' => format_username($this->user)));
-      $style = variable_get('user_picture_style', '');
-      $this->assertRaw(check_plain(image_style_url($style, $pic_path)), "Image is displayed in user's edit page");
-
-      // Check if file is located in proper directory.
-      $this->assertTrue(is_file($pic_path), "File is located in proper directory");
-    }
-  }
-
-  /**
-   * Do the test:
-   *  GD Toolkit is installed
-   *  Picture has invalid size
-   *
-   * results: The image should be uploaded because ImageGDToolkit resizes the picture
-   */
-  function testWithGDinvalidSize() {
-    if ($this->_directory_test && image_get_toolkit()) {
-      $this->drupalLogin($this->user);
-
-      // Images are sorted first by size then by name. We need an image
-      // bigger than 1 KB so we'll grab the last one.
-      $files = $this->drupalGetTestFiles('image');
-      $image = end($files);
-      $info = image_get_info($image->uri);
-
-      // Set new variables: valid dimensions, invalid filesize.
-      $test_dim = ($info['width'] + 10) . 'x' . ($info['height'] + 10);
-      $test_size = 1;
-      variable_set('user_picture_dimensions', $test_dim);
-      variable_set('user_picture_file_size', $test_size);
-
-      $pic_path = $this->saveUserPicture($image);
-
-      // Test that the upload failed and that the correct reason was cited.
-      $text = t('The specified file %filename could not be uploaded.', array('%filename' => $image->filename));
-      $this->assertRaw($text, 'Upload failed.');
-      $text = t('The file is %filesize exceeding the maximum file size of %maxsize.', array('%filesize' => format_size(filesize($image->uri)), '%maxsize' => format_size($test_size * 1024)));
-      $this->assertRaw($text, 'File size cited as reason for failure.');
-
-      // Check if file is not uploaded.
-      $this->assertFalse(is_file($pic_path), 'File was not uploaded.');
-    }
-  }
-
-  /**
-   * Do the test:
-   *  GD Toolkit is not installed
-   *  Picture has invalid size
-   *
-   * results: The image shouldn't be uploaded
-   */
-  function testWithoutGDinvalidDimension() {
-    if ($this->_directory_test && !image_get_toolkit()) {
-      $this->drupalLogin($this->user);
-
-      $image = current($this->drupalGetTestFiles('image'));
-      $info = image_get_info($image->uri);
-
-      // Set new variables: invalid dimensions, valid filesize (0 = no limit).
-      $test_dim = ($info['width'] - 10) . 'x' . ($info['height'] - 10);
-      variable_set('user_picture_dimensions', $test_dim);
-      variable_set('user_picture_file_size', 0);
-
-      $pic_path = $this->saveUserPicture($image);
-
-      // Test that the upload failed and that the correct reason was cited.
-      $text = t('The specified file %filename could not be uploaded.', array('%filename' => $image->filename));
-      $this->assertRaw($text, 'Upload failed.');
-      $text = t('The image is too large; the maximum dimensions are %dimensions pixels.', array('%dimensions' => $test_dim));
-      $this->assertRaw($text, 'Checking response on invalid image (dimensions).');
-
-      // Check if file is not uploaded.
-      $this->assertFalse(is_file($pic_path), 'File was not uploaded.');
-    }
-  }
-
-  /**
-   * Do the test:
-   *  GD Toolkit is not installed
-   *  Picture has invalid size
-   *
-   * results: The image shouldn't be uploaded
-   */
-  function testWithoutGDinvalidSize() {
-    if ($this->_directory_test && !image_get_toolkit()) {
-      $this->drupalLogin($this->user);
-
-      $image = current($this->drupalGetTestFiles('image'));
-      $info = image_get_info($image->uri);
-
-      // Set new variables: valid dimensions, invalid filesize.
-      $test_dim = ($info['width'] + 10) . 'x' . ($info['height'] + 10);
-      $test_size = 1;
-      variable_set('user_picture_dimensions', $test_dim);
-      variable_set('user_picture_file_size', $test_size);
-
-      $pic_path = $this->saveUserPicture($image);
-
-      // Test that the upload failed and that the correct reason was cited.
-      $text = t('The specified file %filename could not be uploaded.', array('%filename' => $image->filename));
-      $this->assertRaw($text, 'Upload failed.');
-      $text = t('The file is %filesize exceeding the maximum file size of %maxsize.', array('%filesize' => format_size(filesize($image->uri)), '%maxsize' => format_size($test_size * 1024)));
-      $this->assertRaw($text, 'File size cited as reason for failure.');
-
-      // Check if file is not uploaded.
-      $this->assertFalse(is_file($pic_path), 'File was not uploaded.');
-    }
-  }
-
-  /**
-   * Do the test:
-   *  Picture is valid (proper size and dimension)
-   *
-   * results: The image should be uploaded
-   */
-  function testPictureIsValid() {
-    if ($this->_directory_test) {
-      $this->drupalLogin($this->user);
-
-      $image = current($this->drupalGetTestFiles('image'));
-      $info = image_get_info($image->uri);
-
-      // Set new variables: valid dimensions, valid filesize (0 = no limit).
-      $test_dim = ($info['width'] + 10) . 'x' . ($info['height'] + 10);
-      variable_set('user_picture_dimensions', $test_dim);
-      variable_set('user_picture_file_size', 0);
-
-      $pic_path = $this->saveUserPicture($image);
-
-      // Check if image is displayed in user's profile page.
-      $this->drupalGet('user');
-      $this->assertRaw(file_uri_target($pic_path), "Image is displayed in user's profile page");
-
-      // Check if file is located in proper directory.
-      $this->assertTrue(is_file($pic_path), 'File is located in proper directory');
-
-      // Set new picture dimensions.
-      $test_dim = ($info['width'] + 5) . 'x' . ($info['height'] + 5);
-      variable_set('user_picture_dimensions', $test_dim);
-
-      $pic_path2 = $this->saveUserPicture($image);
-      $this->assertNotEqual($pic_path, $pic_path2, 'Filename of second picture is different.');
-    }
-  }
-
-  /**
-   * Test HTTP schema working with user pictures.
-   */
-  function testExternalPicture() {
-    $this->drupalLogin($this->user);
-    // Set the default picture to an URI with a HTTP schema.
-    $images = $this->drupalGetTestFiles('image');
-    $image = $images[0];
-    $pic_path = file_create_url($image->uri);
-    variable_set('user_picture_default', $pic_path);
-
-    // Check if image is displayed in user's profile page.
-    $this->drupalGet('user');
-
-    // Get the user picture image via xpath.
-    $elements = $this->xpath('//div[@class="user-picture"]/img');
-    $this->assertEqual(count($elements), 1, "There is exactly one user picture on the user's profile page");
-    $this->assertEqual($pic_path, (string) $elements[0]['src'], "User picture source is correct.");
-  }
-
-  /**
-   * Tests deletion of user pictures.
-   */
-  function testDeletePicture() {
-    $this->drupalLogin($this->user);
-
-    $image = current($this->drupalGetTestFiles('image'));
-    $info = image_get_info($image->uri);
-
-    // Set new variables: valid dimensions, valid filesize (0 = no limit).
-    $test_dim = ($info['width'] + 10) . 'x' . ($info['height'] + 10);
-    variable_set('user_picture_dimensions', $test_dim);
-    variable_set('user_picture_file_size', 0);
-
-    // Save a new picture.
-    $edit = array('files[picture_upload]' => drupal_realpath($image->uri));
-    $this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
-
-    // Load actual user data from database.
-    $account = user_load($this->user->uid, TRUE);
-    $pic_path = isset($account->picture) ? $account->picture->uri : NULL;
-
-    // Check if image is displayed in user's profile page.
-    $this->drupalGet('user');
-    $this->assertRaw(file_uri_target($pic_path), "Image is displayed in user's profile page");
-
-    // Check if file is located in proper directory.
-    $this->assertTrue(is_file($pic_path), 'File is located in proper directory');
-
-    $edit = array('picture_delete' => 1);
-    $this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
-
-    // Load actual user data from database.
-    $account1 = user_load($this->user->uid, TRUE);
-    $this->assertNull($account1->picture, 'User object has no picture');
-
-    $file = file_load($account->picture->fid);
-    $this->assertFalse($file, 'File is removed from database');
-
-    // Clear out PHP's file stat cache so we see the current value.
-    clearstatcache();
-    $this->assertFalse(is_file($pic_path), 'File is removed from file system');
-  }
-
-  function saveUserPicture($image) {
-    $edit = array('files[picture_upload]' => drupal_realpath($image->uri));
-    $this->drupalPost('user/' . $this->user->uid . '/edit', $edit, t('Save'));
-
-    // Load actual user data from database.
-    $account = user_load($this->user->uid, TRUE);
-    return isset($account->picture) ? $account->picture->uri : NULL;
-  }
-
-  /**
-   * Tests the admin form validates user picture settings.
-   */
-  function testUserPictureAdminFormValidation() {
-    $this->drupalLogin($this->drupalCreateUser(array('administer users')));
-
-    // The default values are valid.
-    $this->drupalPost('admin/config/people/accounts', array(), t('Save configuration'));
-    $this->assertText(t('The configuration options have been saved.'), 'The default values are valid.');
-
-    // The form does not save with an invalid file size.
-    $edit = array(
-      'user_picture_file_size' => $this->randomName(),
-    );
-    $this->drupalPost('admin/config/people/accounts', $edit, t('Save configuration'));
-    $this->assertNoText(t('The configuration options have been saved.'), 'The form does not save with an invalid file size.');
-  }
-}
-
-
-class UserPermissionsTestCase extends DrupalWebTestCase {
-  protected $admin_user;
-  protected $rid;
-
-  public static function getInfo() {
-    return array(
-      'name' => 'Role permissions',
-      'description' => 'Verify that role permissions can be added and removed via the permissions page.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp();
-
-    $this->admin_user = $this->drupalCreateUser(array('administer permissions', 'access user profiles', 'administer site configuration', 'administer modules', 'administer users'));
-
-    // Find the new role ID - it must be the maximum.
-    $all_rids = array_keys($this->admin_user->roles);
-    sort($all_rids);
-    $this->rid = array_pop($all_rids);
-  }
-
-  /**
-   * Change user permissions and check user_access().
-   */
-  function testUserPermissionChanges() {
-    $this->drupalLogin($this->admin_user);
-    $rid = $this->rid;
-    $account = $this->admin_user;
-
-    // Add a permission.
-    $this->assertFalse(user_access('administer nodes', $account), 'User does not have "administer nodes" permission.');
-    $edit = array();
-    $edit[$rid . '[administer nodes]'] = TRUE;
-    $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
-    $this->assertText(t('The changes have been saved.'), 'Successful save message displayed.');
-    drupal_static_reset('user_access');
-    drupal_static_reset('user_role_permissions');
-    $this->assertTrue(user_access('administer nodes', $account), 'User now has "administer nodes" permission.');
-
-    // Remove a permission.
-    $this->assertTrue(user_access('access user profiles', $account), 'User has "access user profiles" permission.');
-    $edit = array();
-    $edit[$rid . '[access user profiles]'] = FALSE;
-    $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
-    $this->assertText(t('The changes have been saved.'), 'Successful save message displayed.');
-    drupal_static_reset('user_access');
-    drupal_static_reset('user_role_permissions');
-    $this->assertFalse(user_access('access user profiles', $account), 'User no longer has "access user profiles" permission.');
-  }
-
-  /**
-   * Test assigning of permissions for the administrator role.
-   */
-  function testAdministratorRole() {
-    $this->drupalLogin($this->admin_user);
-    $this->drupalGet('admin/config/people/accounts');
-
-    // Set the user's role to be the administrator role.
-    $edit = array();
-    $edit['user_admin_role'] = $this->rid;
-    $this->drupalPost('admin/config/people/accounts', $edit, t('Save configuration'));
-
-    // Enable aggregator module and ensure the 'administer news feeds'
-    // permission is assigned by default.
-    $edit = array();
-    $edit['modules[Core][aggregator][enable]'] = TRUE;
-    $this->drupalPost('admin/modules', $edit, t('Save configuration'));
-    $this->assertTrue(user_access('administer news feeds', $this->admin_user), 'The permission was automatically assigned to the administrator role');
-  }
-
-  /**
-   * Verify proper permission changes by user_role_change_permissions().
-   */
-  function testUserRoleChangePermissions() {
-    $rid = $this->rid;
-    $account = $this->admin_user;
-
-    // Verify current permissions.
-    $this->assertFalse(user_access('administer nodes', $account), 'User does not have "administer nodes" permission.');
-    $this->assertTrue(user_access('access user profiles', $account), 'User has "access user profiles" permission.');
-    $this->assertTrue(user_access('administer site configuration', $account), 'User has "administer site configuration" permission.');
-
-    // Change permissions.
-    $permissions = array(
-      'administer nodes' => 1,
-      'access user profiles' => 0,
-    );
-    user_role_change_permissions($rid, $permissions);
-
-    // Verify proper permission changes.
-    $this->assertTrue(user_access('administer nodes', $account), 'User now has "administer nodes" permission.');
-    $this->assertFalse(user_access('access user profiles', $account), 'User no longer has "access user profiles" permission.');
-    $this->assertTrue(user_access('administer site configuration', $account), 'User still has "administer site configuration" permission.');
-  }
-}
-
-class UserAdminTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User administration',
-      'description' => 'Test user administration page functionality.',
-      'group' => 'User'
-    );
-  }
-
-  /**
-   * Registers a user and deletes it.
-   */
-  function testUserAdmin() {
-
-    $user_a = $this->drupalCreateUser(array());
-    $user_b = $this->drupalCreateUser(array('administer taxonomy'));
-    $user_c = $this->drupalCreateUser(array('administer taxonomy'));
-
-    // Create admin user to delete registered user.
-    $admin_user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($admin_user);
-    $this->drupalGet('admin/people');
-    $this->assertText($user_a->name, 'Found user A on admin users page');
-    $this->assertText($user_b->name, 'Found user B on admin users page');
-    $this->assertText($user_c->name, 'Found user C on admin users page');
-    $this->assertText($admin_user->name, 'Found Admin user on admin users page');
-
-    // Test for existence of edit link in table.
-    $link = l(t('edit'), "user/$user_a->uid/edit", array('query' => array('destination' => 'admin/people')));
-    $this->assertRaw($link, 'Found user A edit link on admin users page');
-
-    // Filter the users by permission 'administer taxonomy'.
-    $edit = array();
-    $edit['permission'] = 'administer taxonomy';
-    $this->drupalPost('admin/people', $edit, t('Filter'));
-
-    // Check if the correct users show up.
-    $this->assertNoText($user_a->name, 'User A not on filtered by perm admin users page');
-    $this->assertText($user_b->name, 'Found user B on filtered by perm admin users page');
-    $this->assertText($user_c->name, 'Found user C on filtered by perm admin users page');
-
-    // Filter the users by role. Grab the system-generated role name for User C.
-    $edit['role'] = max(array_flip($user_c->roles));
-    $this->drupalPost('admin/people', $edit, t('Refine'));
-
-    // Check if the correct users show up when filtered by role.
-    $this->assertNoText($user_a->name, 'User A not on filtered by role on admin users page');
-    $this->assertNoText($user_b->name, 'User B not on filtered by role on admin users page');
-    $this->assertText($user_c->name, 'User C on filtered by role on admin users page');
-
-    // Test blocking of a user.
-    $account = user_load($user_c->uid);
-    $this->assertEqual($account->status, 1, 'User C not blocked');
-    $edit = array();
-    $edit['operation'] = 'block';
-    $edit['accounts[' . $account->uid . ']'] = TRUE;
-    $this->drupalPost('admin/people', $edit, t('Update'));
-    $account = user_load($user_c->uid, TRUE);
-    $this->assertEqual($account->status, 0, 'User C blocked');
-
-    // Test unblocking of a user from /admin/people page and sending of activation mail
-    $editunblock = array();
-    $editunblock['operation'] = 'unblock';
-    $editunblock['accounts[' . $account->uid . ']'] = TRUE;
-    $this->drupalPost('admin/people', $editunblock, t('Update'));
-    $account = user_load($user_c->uid, TRUE);
-    $this->assertEqual($account->status, 1, 'User C unblocked');
-    $this->assertMail("to", $account->mail, "Activation mail sent to user C");
-
-    // Test blocking and unblocking another user from /user/[uid]/edit form and sending of activation mail
-    $user_d = $this->drupalCreateUser(array());
-    $account1 = user_load($user_d->uid, TRUE);
-    $this->drupalPost('user/' . $account1->uid . '/edit', array('status' => 0), t('Save'));
-    $account1 = user_load($user_d->uid, TRUE);
-    $this->assertEqual($account1->status, 0, 'User D blocked');
-    $this->drupalPost('user/' . $account1->uid . '/edit', array('status' => TRUE), t('Save'));
-    $account1 = user_load($user_d->uid, TRUE);
-    $this->assertEqual($account1->status, 1, 'User D unblocked');
-    $this->assertMail("to", $account1->mail, "Activation mail sent to user D");
-  }
-}
-
-/**
- * Tests for user-configurable time zones.
- */
-class UserTimeZoneFunctionalTest extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User time zones',
-      'description' => 'Set a user time zone and verify that dates are displayed in local time.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Tests the display of dates and time when user-configurable time zones are set.
-   */
-  function testUserTimeZone() {
-    // Setup date/time settings for Los Angeles time.
-    variable_set('date_default_timezone', 'America/Los_Angeles');
-    variable_set('configurable_timezones', 1);
-    variable_set('date_format_medium', 'Y-m-d H:i T');
-
-    // Create a user account and login.
-    $web_user = $this->drupalCreateUser();
-    $this->drupalLogin($web_user);
-
-    // Create some nodes with different authored-on dates.
-    // Two dates in PST (winter time):
-    $date1 = '2007-03-09 21:00:00 -0800';
-    $date2 = '2007-03-11 01:00:00 -0800';
-    // One date in PDT (summer time):
-    $date3 = '2007-03-20 21:00:00 -0700';
-    $node1 = $this->drupalCreateNode(array('created' => strtotime($date1), 'type' => 'article'));
-    $node2 = $this->drupalCreateNode(array('created' => strtotime($date2), 'type' => 'article'));
-    $node3 = $this->drupalCreateNode(array('created' => strtotime($date3), 'type' => 'article'));
-
-    // Confirm date format and time zone.
-    $this->drupalGet("node/$node1->nid");
-    $this->assertText('2007-03-09 21:00 PST', 'Date should be PST.');
-    $this->drupalGet("node/$node2->nid");
-    $this->assertText('2007-03-11 01:00 PST', 'Date should be PST.');
-    $this->drupalGet("node/$node3->nid");
-    $this->assertText('2007-03-20 21:00 PDT', 'Date should be PDT.');
-
-    // Change user time zone to Santiago time.
-    $edit = array();
-    $edit['mail'] = $web_user->mail;
-    $edit['timezone'] = 'America/Santiago';
-    $this->drupalPost("user/$web_user->uid/edit", $edit, t('Save'));
-    $this->assertText(t('The changes have been saved.'), 'Time zone changed to Santiago time.');
-
-    // Confirm date format and time zone.
-    $this->drupalGet("node/$node1->nid");
-    $this->assertText('2007-03-10 02:00 CLST', 'Date should be Chile summer time; five hours ahead of PST.');
-    $this->drupalGet("node/$node2->nid");
-    $this->assertText('2007-03-11 05:00 CLT', 'Date should be Chile time; four hours ahead of PST');
-    $this->drupalGet("node/$node3->nid");
-    $this->assertText('2007-03-21 00:00 CLT', 'Date should be Chile time; three hours ahead of PDT.');
-  }
-}
-
-/**
- * Test user autocompletion.
- */
-class UserAutocompleteTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User autocompletion',
-      'description' => 'Test user autocompletion functionality.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp();
-
-    // Set up two users with different permissions to test access.
-    $this->unprivileged_user = $this->drupalCreateUser();
-    $this->privileged_user = $this->drupalCreateUser(array('access user profiles'));
-  }
-
-  /**
-   * Tests access to user autocompletion and verify the correct results.
-   */
-  function testUserAutocomplete() {
-    // Check access from unprivileged user, should be denied.
-    $this->drupalLogin($this->unprivileged_user);
-    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
-    $this->assertResponse(403, 'Autocompletion access denied to user without permission.');
-
-    // Check access from privileged user.
-    $this->drupalLogout();
-    $this->drupalLogin($this->privileged_user);
-    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
-    $this->assertResponse(200, 'Autocompletion access allowed.');
-
-    // Using first letter of the user's name, make sure the user's full name is in the results.
-    $this->assertRaw($this->unprivileged_user->name, 'User name found in autocompletion results.');
-  }
-}
-
-
-/**
- * Tests user links in the secondary menu.
- */
-class UserAccountLinksUnitTests extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User account links',
-      'description' => 'Test user-account links.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp('menu');
-  }
-
-  /**
-   * Tests the secondary menu.
-   */
-  function testSecondaryMenu() {
-    // Create a regular user.
-    $user = $this->drupalCreateUser(array());
-
-    // Log in and get the homepage.
-    $this->drupalLogin($user);
-    $this->drupalGet('<front>');
-
-    // For a logged-in user, expect the secondary menu to have links for "My
-    // account" and "Log out".
-    $link = $this->xpath('//ul[@id=:menu_id]/li/a[contains(@href, :href) and text()=:text]', array(
-      ':menu_id' => 'secondary-menu-links',
-      ':href' => 'user',
-      ':text' => 'My account',
-    ));
-    $this->assertEqual(count($link), 1, 'My account link is in secondary menu.');
-
-    $link = $this->xpath('//ul[@id=:menu_id]/li/a[contains(@href, :href) and text()=:text]', array(
-      ':menu_id' => 'secondary-menu-links',
-      ':href' => 'user/logout',
-      ':text' => 'Log out',
-    ));
-    $this->assertEqual(count($link), 1, 'Log out link is in secondary menu.');
-
-    // Log out and get the homepage.
-    $this->drupalLogout();
-    $this->drupalGet('<front>');
-
-    // For a logged-out user, expect no secondary links.
-    $element = $this->xpath('//ul[@id=:menu_id]', array(':menu_id' => 'secondary-menu-links'));
-    $this->assertEqual(count($element), 0, 'No secondary-menu for logged-out users.');
-  }
-
-  /**
-   * Tests disabling the 'My account' link.
-   */
-  function testDisabledAccountLink() {
-    // Create an admin user and log in.
-    $this->drupalLogin($this->drupalCreateUser(array('access administration pages', 'administer menu')));
-
-    // Verify that the 'My account' link is enabled.
-    $this->drupalGet('admin/structure/menu/manage/user-menu');
-    $label = $this->xpath('//label[contains(.,:text)]/@for', array(':text' => 'Enable My account menu link'));
-    $this->assertFieldChecked((string) $label[0], "The 'My account' link is enabled by default.");
-
-    // Disable the 'My account' link.
-    $input = $this->xpath('//input[@id=:field_id]/@name', array(':field_id' => (string)$label[0]));
-    $edit = array(
-      (string) $input[0] => FALSE,
-    );
-    $this->drupalPost('admin/structure/menu/manage/user-menu', $edit, t('Save configuration'));
-
-    // Get the homepage.
-    $this->drupalGet('<front>');
-
-    // Verify that the 'My account' link does not appear when disabled.
-    $link = $this->xpath('//ul[@id=:menu_id]/li/a[contains(@href, :href) and text()=:text]', array(
-      ':menu_id' => 'secondary-menu-links',
-      ':href' => 'user',
-      ':text' => 'My account',
-    ));
-    $this->assertEqual(count($link), 0, 'My account link is not in the secondary menu.');
-  }
-
-}
-
-/**
- * Test user blocks.
- */
-class UserBlocksUnitTests extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User blocks',
-      'description' => 'Test user blocks.',
-      'group' => 'User'
-    );
-  }
-
-  /**
-   * Test the user login block.
-   */
-  function testUserLoginBlock() {
-    // Create a user with some permission that anonymous users lack.
-    $user = $this->drupalCreateUser(array('administer permissions'));
-
-    // Log in using the block.
-    $edit = array();
-    $edit['name'] = $user->name;
-    $edit['pass'] = $user->pass_raw;
-    $this->drupalPost('admin/people/permissions', $edit, t('Log in'));
-    $this->assertNoText(t('User login'), 'Logged in.');
-
-    // Check that we are still on the same page.
-    $this->assertEqual(url('admin/people/permissions', array('absolute' => TRUE)), $this->getUrl(), 'Still on the same page after login for access denied page');
-
-    // Now, log out and repeat with a non-403 page.
-    $this->drupalLogout();
-    $this->drupalPost('filter/tips', $edit, t('Log in'));
-    $this->assertNoText(t('User login'), 'Logged in.');
-    $this->assertPattern('!<title.*?' . t('Compose tips') . '.*?</title>!', 'Still on the same page after login for allowed page');
-
-    // Check that the user login block is not vulnerable to information
-    // disclosure to third party sites.
-    $this->drupalLogout();
-    $this->drupalPost('http://example.com/', $edit, t('Log in'), array('external' => FALSE));
-    // Check that we remain on the site after login.
-    $this->assertEqual(url('user/' . $user->uid, array('absolute' => TRUE)), $this->getUrl(), 'Redirected to user profile page after login from the frontpage');
-  }
-
-  /**
-   * Test the Who's Online block.
-   */
-  function testWhosOnlineBlock() {
-    // Generate users and make sure there are no current user sessions.
-    $user1 = $this->drupalCreateUser(array());
-    $user2 = $this->drupalCreateUser(array());
-    $user3 = $this->drupalCreateUser(array());
-    $this->assertEqual(db_query("SELECT COUNT(*) FROM {sessions}")->fetchField(), 0, 'Sessions table is empty.');
-
-    // Insert a user with two sessions.
-    $this->insertSession(array('uid' => $user1->uid));
-    $this->insertSession(array('uid' => $user1->uid));
-    $this->assertEqual(db_query("SELECT COUNT(*) FROM {sessions} WHERE uid = :uid", array(':uid' => $user1->uid))->fetchField(), 2, 'Duplicate user session has been inserted.');
-
-    // Insert a user with only one session.
-    $this->insertSession(array('uid' => $user2->uid, 'timestamp' => REQUEST_TIME + 1));
-
-    // Insert an inactive logged-in user who should not be seen in the block.
-    $this->insertSession(array('uid' => $user3->uid, 'timestamp' => (REQUEST_TIME - variable_get('user_block_seconds_online', 900) - 1)));
-
-    // Insert two anonymous user sessions.
-    $this->insertSession();
-    $this->insertSession();
-
-    // Test block output.
-    $block = user_block_view('online');
-    $this->drupalSetContent($block['content']);
-    $this->assertRaw(t('2 users'), 'Correct number of online users (2 users).');
-    $this->assertText($user1->name, 'Active user 1 found in online list.');
-    $this->assertText($user2->name, 'Active user 2 found in online list.');
-    $this->assertNoText($user3->name, "Inactive user not found in online list.");
-    $this->assertTrue(strpos($this->drupalGetContent(), $user1->name) > strpos($this->drupalGetContent(), $user2->name), 'Online users are ordered correctly.');
-  }
-
-  /**
-   * Insert a user session into the {sessions} table. This function is used
-   * since we cannot log in more than one user at the same time in tests.
-   */
-  private function insertSession(array $fields = array()) {
-    $fields += array(
-      'uid' => 0,
-      'sid' => drupal_hash_base64(uniqid(mt_rand(), TRUE)),
-      'timestamp' => REQUEST_TIME,
-    );
-    db_insert('sessions')
-      ->fields($fields)
-      ->execute();
-    $this->assertEqual(db_query("SELECT COUNT(*) FROM {sessions} WHERE uid = :uid AND sid = :sid AND timestamp = :timestamp", array(':uid' => $fields['uid'], ':sid' => $fields['sid'], ':timestamp' => $fields['timestamp']))->fetchField(), 1, 'Session record inserted.');
-  }
-}
-
-/**
- * Tests saving a user account.
- */
-class UserSaveTestCase extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User save test',
-      'description' => 'Test user_save() for arbitrary new uid.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Test creating a user with arbitrary uid.
-   */
-  function testUserImport() {
-    // User ID must be a number that is not in the database.
-    $max_uid = db_query('SELECT MAX(uid) FROM {users}')->fetchField();
-    $test_uid = $max_uid + mt_rand(1000, 1000000);
-    $test_name = $this->randomName();
-
-    // Create the base user, based on drupalCreateUser().
-    $user = array(
-      'name' => $test_name,
-      'uid' => $test_uid,
-      'mail' => $test_name . '@example.com',
-      'is_new' => TRUE,
-      'pass' => user_password(),
-      'status' => 1,
-    );
-    $user_by_return = user_save(drupal_anonymous_user(), $user);
-    $this->assertTrue($user_by_return, 'Loading user by return of user_save().');
-
-    // Test if created user exists.
-    $user_by_uid = user_load($test_uid);
-    $this->assertTrue($user_by_uid, 'Loading user by uid.');
-
-    $user_by_name = user_load_by_name($test_name);
-    $this->assertTrue($user_by_name, 'Loading user by name.');
-  }
-}
-
-/**
- * Test the create user administration page.
- */
-class UserCreateTestCase extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User create',
-      'description' => 'Test the create user administration page.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Create a user through the administration interface and ensure that it
-   * displays in the user list.
-   */
-  protected function testUserAdd() {
-    $user = $this->drupalCreateUser(array('administer users'));
-    $this->drupalLogin($user);
-
-    foreach (array(FALSE, TRUE) as $notify) {
-      $edit = array(
-        'name' => $this->randomName(),
-        'mail' => $this->randomName() . '@example.com',
-        'pass[pass1]' => $pass = $this->randomString(),
-        'pass[pass2]' => $pass,
-        'notify' => $notify,
-      );
-      $this->drupalPost('admin/people/create', $edit, t('Create new account'));
-
-      if ($notify) {
-        $this->assertText(t('A welcome message with further instructions has been e-mailed to the new user @name.', array('@name' => $edit['name'])), 'User created');
-        $this->assertEqual(count($this->drupalGetMails()), 1, 'Notification e-mail sent');
-      }
-      else {
-        $this->assertText(t('Created a new user account for @name. No e-mail has been sent.', array('@name' => $edit['name'])), 'User created');
-        $this->assertEqual(count($this->drupalGetMails()), 0, 'Notification e-mail not sent');
-      }
-
-      $this->drupalGet('admin/people');
-      $this->assertText($edit['name'], 'User found in list of users');
-    }
-  }
-}
-
-/**
- * Tests editing a user account.
- */
-class UserEditTestCase extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User edit',
-      'description' => 'Test user edit page.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Test user edit page.
-   */
-  function testUserEdit() {
-    // Test user edit functionality with user pictures disabled.
-    variable_set('user_pictures', 0);
-    $user1 = $this->drupalCreateUser(array('change own username'));
-    $user2 = $this->drupalCreateUser(array());
-    $this->drupalLogin($user1);
-
-    // Test that error message appears when attempting to use a non-unique user name.
-    $edit['name'] = $user2->name;
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t('The name %name is already taken.', array('%name' => $edit['name'])));
-
-    // Repeat the test with user pictures enabled, which modifies the form.
-    variable_set('user_pictures', 1);
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t('The name %name is already taken.', array('%name' => $edit['name'])));
-
-    // Check that filling out a single password field does not validate.
-    $edit = array();
-    $edit['pass[pass1]'] = '';
-    $edit['pass[pass2]'] = $this->randomName();
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertText(t("The specified passwords do not match."), 'Typing mismatched passwords displays an error message.');
-
-    $edit['pass[pass1]'] = $this->randomName();
-    $edit['pass[pass2]'] = '';
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertText(t("The specified passwords do not match."), 'Typing mismatched passwords displays an error message.');
-
-    // Test that the error message appears when attempting to change the mail or
-    // pass without the current password.
-    $edit = array();
-    $edit['mail'] = $this->randomName() . '@new.example.com';
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => t('E-mail address'))));
-
-    $edit['current_pass'] = $user1->pass_raw;
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t("The changes have been saved."));
-
-    // Test that the user must enter current password before changing passwords.
-    $edit = array();
-    $edit['pass[pass1]'] = $new_pass = $this->randomName();
-    $edit['pass[pass2]'] = $new_pass;
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => t('Password'))));
-
-    // Try again with the current password.
-    $edit['current_pass'] = $user1->pass_raw;
-    $this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
-    $this->assertRaw(t("The changes have been saved."));
-
-    // Make sure the user can log in with their new password.
-    $this->drupalLogout();
-    $user1->pass_raw = $new_pass;
-    $this->drupalLogin($user1);
-    $this->drupalLogout();
-  }
-}
-
-/**
- * Test case for user signatures.
- */
-class UserSignatureTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User signatures',
-      'description' => 'Test user signatures.',
-      'group' => 'User',
-    );
-  }
-
-  function setUp() {
-    parent::setUp('comment');
-
-    // Enable user signatures.
-    variable_set('user_signatures', 1);
-
-    // Prefetch text formats.
-    $this->full_html_format = filter_format_load('full_html');
-    $this->plain_text_format = filter_format_load('plain_text');
-
-    // Create regular and administrative users.
-    $this->web_user = $this->drupalCreateUser(array());
-    $admin_permissions = array('administer comments');
-    foreach (filter_formats() as $format) {
-      if ($permission = filter_permission_name($format)) {
-        $admin_permissions[] = $permission;
-      }
-    }
-    $this->admin_user = $this->drupalCreateUser($admin_permissions);
-  }
-
-  /**
-   * Test that a user can change their signature format and that it is respected
-   * upon display.
-   */
-  function testUserSignature() {
-    // Create a new node with comments on.
-    $node = $this->drupalCreateNode(array('comment' => COMMENT_NODE_OPEN));
-
-    // Verify that user signature field is not displayed on registration form.
-    $this->drupalGet('user/register');
-    $this->assertNoText(t('Signature'));
-
-    // Log in as a regular user and create a signature.
-    $this->drupalLogin($this->web_user);
-    $signature_text = "<h1>" . $this->randomName() . "</h1>";
-    $edit = array(
-      'signature[value]' => $signature_text,
-      'signature[format]' => $this->plain_text_format->format,
-    );
-    $this->drupalPost('user/' . $this->web_user->uid . '/edit', $edit, t('Save'));
-
-    // Verify that values were stored.
-    $this->assertFieldByName('signature[value]', $edit['signature[value]'], 'Submitted signature text found.');
-    $this->assertFieldByName('signature[format]', $edit['signature[format]'], 'Submitted signature format found.');
-
-    // Create a comment.
-    $langcode = LANGUAGE_NONE;
-    $edit = array();
-    $edit['subject'] = $this->randomName(8);
-    $edit['comment_body[' . $langcode . '][0][value]'] = $this->randomName(16);
-    $this->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));
-    $this->drupalPost(NULL, array(), t('Save'));
-
-    // Get the comment ID. (This technique is the same one used in the Comment
-    // module's CommentHelperCase test case.)
-    preg_match('/#comment-([0-9]+)/', $this->getURL(), $match);
-    $comment_id = $match[1];
-
-    // Log in as an administrator and edit the comment to use Full HTML, so
-    // that the comment text itself is not filtered at all.
-    $this->drupalLogin($this->admin_user);
-    $edit['comment_body[' . $langcode . '][0][format]'] = $this->full_html_format->format;
-    $this->drupalPost('comment/' . $comment_id . '/edit', $edit, t('Save'));
-
-    // Assert that the signature did not make it through unfiltered.
-    $this->drupalGet('node/' . $node->nid);
-    $this->assertNoRaw($signature_text, 'Unfiltered signature text not found.');
-    $this->assertRaw(check_markup($signature_text, $this->plain_text_format->format), 'Filtered signature text found.');
-  }
-}
-
-/*
- * Test that a user, having editing their own account, can still log in.
- */
-class UserEditedOwnAccountTestCase extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User edited own account',
-      'description' => 'Test user edited own account can still log in.',
-      'group' => 'User',
-    );
-  }
-
-  function testUserEditedOwnAccount() {
-    // Change account setting 'Who can register accounts?' to Administrators
-    // only.
-    variable_set('user_register', USER_REGISTER_ADMINISTRATORS_ONLY);
-
-    // Create a new user account and log in.
-    $account = $this->drupalCreateUser(array('change own username'));
-    $this->drupalLogin($account);
-
-    // Change own username.
-    $edit = array();
-    $edit['name'] = $this->randomName();
-    $this->drupalPost('user/' . $account->uid . '/edit', $edit, t('Save'));
-
-    // Log out.
-    $this->drupalLogout();
-
-    // Set the new name on the user account and attempt to log back in.
-    $account->name = $edit['name'];
-    $this->drupalLogin($account);
-  }
-}
-
-/**
- * Test case to test adding, editing and deleting roles.
- */
-class UserRoleAdminTestCase extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User role administration',
-      'description' => 'Test adding, editing and deleting user roles and changing role weights.',
-      'group' => 'User',
-    );
-  }
-
-  function setUp() {
-    parent::setUp();
-    $this->admin_user = $this->drupalCreateUser(array('administer permissions', 'administer users'));
-  }
-
-  /**
-   * Test adding, renaming and deleting roles.
-   */
-  function testRoleAdministration() {
-    $this->drupalLogin($this->admin_user);
-
-    // Test adding a role. (In doing so, we use a role name that happens to
-    // correspond to an integer, to test that the role administration pages
-    // correctly distinguish between role names and IDs.)
-    $role_name = '123';
-    $edit = array('name' => $role_name);
-    $this->drupalPost('admin/people/permissions/roles', $edit, t('Add role'));
-    $this->assertText(t('The role has been added.'), 'The role has been added.');
-    $role = user_role_load_by_name($role_name);
-    $this->assertTrue(is_object($role), 'The role was successfully retrieved from the database.');
-
-    // Try adding a duplicate role.
-    $this->drupalPost(NULL, $edit, t('Add role'));
-    $this->assertRaw(t('The role name %name already exists. Choose another role name.', array('%name' => $role_name)), 'Duplicate role warning displayed.');
-
-    // Test renaming a role.
-    $old_name = $role_name;
-    $role_name = '456';
-    $edit = array('name' => $role_name);
-    $this->drupalPost("admin/people/permissions/roles/edit/{$role->rid}", $edit, t('Save role'));
-    $this->assertText(t('The role has been renamed.'), 'The role has been renamed.');
-    $this->assertFalse(user_role_load_by_name($old_name), 'The role can no longer be retrieved from the database using its old name.');
-    $this->assertTrue(is_object(user_role_load_by_name($role_name)), 'The role can be retrieved from the database using its new name.');
-
-    // Test deleting a role.
-    $this->drupalPost("admin/people/permissions/roles/edit/{$role->rid}", NULL, t('Delete role'));
-    $this->drupalPost(NULL, NULL, t('Delete'));
-    $this->assertText(t('The role has been deleted.'), 'The role has been deleted');
-    $this->assertNoLinkByHref("admin/people/permissions/roles/edit/{$role->rid}", 'Role edit link removed.');
-    $this->assertFalse(user_role_load_by_name($role_name), 'A deleted role can no longer be loaded.');
-
-    // Make sure that the system-defined roles cannot be edited via the user
-    // interface.
-    $this->drupalGet('admin/people/permissions/roles/edit/' . DRUPAL_ANONYMOUS_RID);
-    $this->assertResponse(403, 'Access denied when trying to edit the built-in anonymous role.');
-    $this->drupalGet('admin/people/permissions/roles/edit/' . DRUPAL_AUTHENTICATED_RID);
-    $this->assertResponse(403, 'Access denied when trying to edit the built-in authenticated role.');
-  }
-
-  /**
-   * Test user role weight change operation.
-   */
-  function testRoleWeightChange() {
-    $this->drupalLogin($this->admin_user);
-
-    // Pick up a random role and get its weight.
-    $rid = array_rand(user_roles());
-    $role = user_role_load($rid);
-    $old_weight = $role->weight;
-
-    // Change the role weight and submit the form.
-    $edit = array('roles['. $rid .'][weight]' => $old_weight + 1);
-    $this->drupalPost('admin/people/permissions/roles', $edit, t('Save order'));
-    $this->assertText(t('The role settings have been updated.'), 'The role settings form submitted successfully.');
-
-    // Retrieve the saved role and compare its weight.
-    $role = user_role_load($rid);
-    $new_weight = $role->weight;
-    $this->assertTrue(($old_weight + 1) == $new_weight, 'Role weight updated successfully.');
-  }
-}
-
-/**
- * Test user token replacement in strings.
- */
-class UserTokenReplaceTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User token replacement',
-      'description' => 'Generates text using placeholders for dummy content to check user token replacement.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * Creates a user, then tests the tokens generated from it.
-   */
-  function testUserTokenReplacement() {
-    global $language;
-    $url_options = array(
-      'absolute' => TRUE,
-      'language' => $language,
-    );
-
-    // Create two users and log them in one after another.
-    $user1 = $this->drupalCreateUser(array());
-    $user2 = $this->drupalCreateUser(array());
-    $this->drupalLogin($user1);
-    $this->drupalLogout();
-    $this->drupalLogin($user2);
-
-    $account = user_load($user1->uid);
-    $global_account = user_load($GLOBALS['user']->uid);
-
-    // Generate and test sanitized tokens.
-    $tests = array();
-    $tests['[user:uid]'] = $account->uid;
-    $tests['[user:name]'] = check_plain(format_username($account));
-    $tests['[user:mail]'] = check_plain($account->mail);
-    $tests['[user:url]'] = url("user/$account->uid", $url_options);
-    $tests['[user:edit-url]'] = url("user/$account->uid/edit", $url_options);
-    $tests['[user:last-login]'] = format_date($account->login, 'medium', '', NULL, $language->language);
-    $tests['[user:last-login:short]'] = format_date($account->login, 'short', '', NULL, $language->language);
-    $tests['[user:created]'] = format_date($account->created, 'medium', '', NULL, $language->language);
-    $tests['[user:created:short]'] = format_date($account->created, 'short', '', NULL, $language->language);
-    $tests['[current-user:name]'] = check_plain(format_username($global_account));
-
-    // Test to make sure that we generated something for each token.
-    $this->assertFalse(in_array(0, array_map('strlen', $tests)), 'No empty tokens generated.');
-
-    foreach ($tests as $input => $expected) {
-      $output = token_replace($input, array('user' => $account), array('language' => $language));
-      $this->assertEqual($output, $expected, format_string('Sanitized user token %token replaced.', array('%token' => $input)));
-    }
-
-    // Generate and test unsanitized tokens.
-    $tests['[user:name]'] = format_username($account);
-    $tests['[user:mail]'] = $account->mail;
-    $tests['[current-user:name]'] = format_username($global_account);
-
-    foreach ($tests as $input => $expected) {
-      $output = token_replace($input, array('user' => $account), array('language' => $language, 'sanitize' => FALSE));
-      $this->assertEqual($output, $expected, format_string('Unsanitized user token %token replaced.', array('%token' => $input)));
-    }
-  }
-}
-
-/**
- * Test user search.
- */
-class UserUserSearchTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'User search',
-      'description' => 'Tests the user search page and verifies that sensitive information is hidden from unauthorized users.',
-      'group' => 'User',
-    );
-  }
-
-  function testUserSearch() {
-    $user1 = $this->drupalCreateUser(array('access user profiles', 'search content', 'use advanced search'));
-    $this->drupalLogin($user1);
-    $keys = $user1->mail;
-    $edit = array('keys' => $keys);
-    $this->drupalPost('search/user/', $edit, t('Search'));
-    $this->assertNoText($keys);
-    $this->drupalLogout();
-
-    $user2 = $this->drupalCreateUser(array('administer users', 'access user profiles', 'search content', 'use advanced search'));
-    $this->drupalLogin($user2);
-    $keys = $user2->mail;
-    $edit = array('keys' => $keys);
-    $this->drupalPost('search/user/', $edit, t('Search'));
-    $this->assertText($keys);
-
-    // Create a blocked user.
-    $blocked_user = $this->drupalCreateUser();
-    $edit = array('status' => 0);
-    $blocked_user = user_save($blocked_user, $edit);
-
-    // Verify that users with "administer users" permissions can see blocked
-    // accounts in search results.
-    $edit = array('keys' => $blocked_user->name);
-    $this->drupalPost('search/user/', $edit, t('Search'));
-    $this->assertText($blocked_user->name, 'Blocked users are listed on the user search results for users with the "administer users" permission.');
-
-    // Verify that users without "administer users" permissions do not see
-    // blocked accounts in search results.
-    $this->drupalLogin($user1);
-    $edit = array('keys' => $blocked_user->name);
-    $this->drupalPost('search/user/', $edit, t('Search'));
-    $this->assertNoText($blocked_user->name, 'Blocked users are hidden from the user search results.');
-
-    $this->drupalLogout();
-  }
-}
-
-/**
- * Test role assignment.
- */
-class UserRolesAssignmentTestCase extends DrupalWebTestCase {
-  protected $admin_user;
-
-  public static function getInfo() {
-    return array(
-      'name' => 'Role assignment',
-      'description' => 'Tests that users can be assigned and unassigned roles.',
-      'group' => 'User'
-    );
-  }
-
-  function setUp() {
-    parent::setUp();
-    $this->admin_user = $this->drupalCreateUser(array('administer permissions', 'administer users'));
-    $this->drupalLogin($this->admin_user);
-  }
-
-  /**
-   * Tests that a user can be assigned a role and that the role can be removed
-   * again.
-   */
-  function testAssignAndRemoveRole()  {
-    $rid = $this->drupalCreateRole(array('administer content types'));
-    $account = $this->drupalCreateUser();
-
-    // Assign the role to the user.
-    $this->drupalPost('user/' . $account->uid . '/edit', array("roles[$rid]" => $rid), t('Save'));
-    $this->assertText(t('The changes have been saved.'));
-    $this->assertFieldChecked('edit-roles-' . $rid, 'Role is assigned.');
-    $this->userLoadAndCheckRoleAssigned($account, $rid);
-
-    // Remove the role from the user.
-    $this->drupalPost('user/' . $account->uid . '/edit', array("roles[$rid]" => FALSE), t('Save'));
-    $this->assertText(t('The changes have been saved.'));
-    $this->assertNoFieldChecked('edit-roles-' . $rid, 'Role is removed from user.');
-    $this->userLoadAndCheckRoleAssigned($account, $rid, FALSE);
-  }
-
-  /**
-   * Tests that when creating a user the role can be assigned. And that it can
-   * be removed again.
-   */
-  function testCreateUserWithRole() {
-    $rid = $this->drupalCreateRole(array('administer content types'));
-    // Create a new user and add the role at the same time.
-    $edit = array(
-      'name' => $this->randomName(),
-      'mail' => $this->randomName() . '@example.com',
-      'pass[pass1]' => $pass = $this->randomString(),
-      'pass[pass2]' => $pass,
-      "roles[$rid]" => $rid,
-    );
-    $this->drupalPost('admin/people/create', $edit, t('Create new account'));
-    $this->assertText(t('Created a new user account for !name.', array('!name' => $edit['name'])));
-    // Get the newly added user.
-    $account = user_load_by_name($edit['name']);
-
-    $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->assertFieldChecked('edit-roles-' . $rid, 'Role is assigned.');
-    $this->userLoadAndCheckRoleAssigned($account, $rid);
-
-    // Remove the role again.
-    $this->drupalPost('user/' . $account->uid . '/edit', array("roles[$rid]" => FALSE), t('Save'));
-    $this->assertText(t('The changes have been saved.'));
-    $this->assertNoFieldChecked('edit-roles-' . $rid, 'Role is removed from user.');
-    $this->userLoadAndCheckRoleAssigned($account, $rid, FALSE);
-  }
-
-  /**
-   * Check role on user object.
-   *
-   * @param object $account
-   *   The user account to check.
-   * @param string $rid
-   *   The role ID to search for.
-   * @param bool $is_assigned
-   *   (optional) Whether to assert that $rid exists (TRUE) or not (FALSE).
-   *   Defaults to TRUE.
-   */
-  private function userLoadAndCheckRoleAssigned($account, $rid, $is_assigned = TRUE) {
-    $account = user_load($account->uid, TRUE);
-    if ($is_assigned) {
-      $this->assertTrue(array_key_exists($rid, $account->roles), 'The role is present in the user object.');
-    }
-    else {
-      $this->assertFalse(array_key_exists($rid, $account->roles), 'The role is not present in the user object.');
-    }
-  }
-}
-
-
-/**
- * Unit test for authmap assignment.
- */
-class UserAuthmapAssignmentTestCase extends DrupalWebTestCase {
-  public static function getInfo() {
-    return array(
-      'name' => 'Authmap assignment',
-      'description' => 'Tests that users can be assigned and unassigned authmaps.',
-      'group' => 'User'
-    );
-  }
-
-  /**
-   * Test authmap assignment and retrieval.
-   */
-  function testAuthmapAssignment()  {
-    $account = $this->drupalCreateUser();
-
-    // Assign authmaps to the user.
-    $authmaps = array(
-      'authname_poll' => 'external username one',
-      'authname_book' => 'external username two',
-    );
-    user_set_authmaps($account, $authmaps);
-
-    // Test for expected authmaps.
-    $expected_authmaps = array(
-      'external username one' => array(
-        'poll' => 'external username one',
-      ),
-      'external username two' => array(
-        'book' => 'external username two',
-      ),
-    );
-    foreach ($expected_authmaps as $authname => $expected_output) {
-      $this->assertIdentical(user_get_authmaps($authname), $expected_output, format_string('Authmap for authname %authname was set correctly.', array('%authname' => $authname)));
-    }
-
-    // Remove authmap for module poll, add authmap for module blog.
-    $authmaps = array(
-      'authname_poll' => NULL,
-      'authname_blog' => 'external username three',
-    );
-    user_set_authmaps($account, $authmaps);
-
-    // Assert that external username one does not have authmaps.
-    $remove_username = 'external username one';
-    unset($expected_authmaps[$remove_username]);
-    $this->assertFalse(user_get_authmaps($remove_username), format_string('Authmap for %authname was removed.', array('%authname' => $remove_username)));
-
-    // Assert that a new authmap was created for external username three, and
-    // existing authmaps for external username two were unchanged.
-    $expected_authmaps['external username three'] = array('blog' => 'external username three');
-    foreach ($expected_authmaps as $authname => $expected_output) {
-      $this->assertIdentical(user_get_authmaps($authname), $expected_output, format_string('Authmap for authname %authname was set correctly.', array('%authname' => $authname)));
-    }
-  }
-}
-
-/**
- * Tests user_validate_current_pass on a custom form.
- */
-class UserValidateCurrentPassCustomForm extends DrupalWebTestCase {
-
-  public static function getInfo() {
-    return array(
-      'name' => 'User validate current pass custom form',
-      'description' => 'Test that user_validate_current_pass is usable on a custom form.',
-      'group' => 'User',
-    );
-  }
-
-  /**
-   * User with permission to view content.
-   */
-  protected $accessUser;
-
-  /**
-   * User permission to administer users.
-   */
-  protected $adminUser;
-
-  function setUp() {
-    parent::setUp('user_form_test');
-    // Create two users
-    $this->accessUser = $this->drupalCreateUser(array('access content'));
-    $this->adminUser = $this->drupalCreateUser(array('administer users'));
-  }
-
-  /**
-   * Tests that user_validate_current_pass can be reused on a custom form.
-   */
-  function testUserValidateCurrentPassCustomForm() {
-    $this->drupalLogin($this->adminUser);
-
-    // Submit the custom form with the admin user using the access user's password.
-    $edit = array();
-    $edit['user_form_test_field'] = $this->accessUser->name;
-    $edit['current_pass'] = $this->accessUser->pass_raw;
-    $this->drupalPost('user_form_test_current_password/' . $this->accessUser->uid, $edit, t('Test'));
-    $this->assertText(t('The password has been validated and the form submitted successfully.'));
-  }
-}
diff --git a/profiles/minimal/minimal.info b/profiles/minimal/minimal.info
index d6647cf5..26b86610 100755
--- a/profiles/minimal/minimal.info
+++ b/profiles/minimal/minimal.info
@@ -5,8 +5,8 @@ core = 7.x
 dependencies[] = block
 dependencies[] = dblog
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/profiles/standard/standard.info b/profiles/standard/standard.info
index 3b91c6a5..54b5b917 100755
--- a/profiles/standard/standard.info
+++ b/profiles/standard/standard.info
@@ -24,8 +24,8 @@ dependencies[] = field_ui
 dependencies[] = file
 dependencies[] = rdf
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/profiles/standard/standard.install b/profiles/standard/standard.install
index 1d563a48..ae34eafa 100755
--- a/profiles/standard/standard.install
+++ b/profiles/standard/standard.install
@@ -275,13 +275,10 @@ function standard_install() {
 
   // Create a default vocabulary named "Tags", enabled for the 'article' content type.
   $description = st('Use tags to group articles on similar topics into categories.');
-  $help = st('Enter a comma-separated list of words to describe your content.');
   $vocabulary = (object) array(
     'name' => st('Tags'),
     'description' => $description,
     'machine_name' => 'tags',
-    'help' => $help,
-
   );
   taxonomy_vocabulary_save($vocabulary);
 
@@ -301,12 +298,13 @@ function standard_install() {
   );
   field_create_field($field);
 
+  $help = st('Enter a comma-separated list of words to describe your content.');
   $instance = array(
     'field_name' => 'field_' . $vocabulary->machine_name,
     'entity_type' => 'node',
     'label' => 'Tags',
     'bundle' => 'article',
-    'description' => $vocabulary->help,
+    'description' => $help,
     'widget' => array(
       'type' => 'taxonomy_autocomplete',
       'weight' => -4,
diff --git a/profiles/testing/modules/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info b/profiles/testing/modules/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
index b51837fe..4503565c 100755
--- a/profiles/testing/modules/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
+++ b/profiles/testing/modules/drupal_system_listing_compatible_test/drupal_system_listing_compatible_test.info
@@ -6,8 +6,8 @@ core = 7.x
 hidden = TRUE
 files[] = drupal_system_listing_compatible_test.test
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/profiles/testing/modules/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info b/profiles/testing/modules/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
index 0bfcd899..6d2954cb 100755
--- a/profiles/testing/modules/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
+++ b/profiles/testing/modules/drupal_system_listing_incompatible_test/drupal_system_listing_incompatible_test.info
@@ -8,8 +8,8 @@ version = VERSION
 core = 6.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/profiles/testing/testing.info b/profiles/testing/testing.info
index 07bcf475..f5c4d2ae 100755
--- a/profiles/testing/testing.info
+++ b/profiles/testing/testing.info
@@ -4,8 +4,8 @@ version = VERSION
 core = 7.x
 hidden = TRUE
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/themes/bartik/bartik.info b/themes/bartik/bartik.info
index b80138b3..343664c8 100755
--- a/themes/bartik/bartik.info
+++ b/themes/bartik/bartik.info
@@ -34,8 +34,8 @@ regions[footer] = Footer
 settings[shortcut_module_link] = 0
 
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/themes/bartik/css/style.css b/themes/bartik/css/style.css
index 8e952021..c40755b1 100755
--- a/themes/bartik/css/style.css
+++ b/themes/bartik/css/style.css
@@ -53,7 +53,7 @@ kbd,
 samp,
 var {
   padding: 0 0.4em;
-  font-size: 0.77em;
+  font-size: 0.857em;
   font-family: Menlo, Consolas, "Andale Mono", "Lucida Console", "Nimbus Mono L", "DejaVu Sans Mono", monospace, "Courier New";
 }
 code {
diff --git a/themes/garland/garland.info b/themes/garland/garland.info
index fc252f68..ee3b8202 100755
--- a/themes/garland/garland.info
+++ b/themes/garland/garland.info
@@ -7,8 +7,8 @@ stylesheets[all][] = style.css
 stylesheets[print][] = print.css
 settings[garland_width] = fluid
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/themes/seven/seven.info b/themes/seven/seven.info
index 30ac6d54..3cb21af1 100755
--- a/themes/seven/seven.info
+++ b/themes/seven/seven.info
@@ -13,8 +13,8 @@ regions[page_bottom] = Page bottom
 regions[sidebar_first] = First sidebar
 regions_hidden[] = sidebar_first
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/themes/seven/style.css b/themes/seven/style.css
index 8bb80265..56a6094f 100755
--- a/themes/seven/style.css
+++ b/themes/seven/style.css
@@ -475,6 +475,12 @@ table th {
   border-color: #bebfb9;
   padding: 3px 10px;
 }
+/**
+ * Force browsers to calculate the width of a 'select all' TH element.
+ */
+table th.select-all {
+  width: 1px;
+}
 table th.active {
   background: #bdbeb9;
 }
diff --git a/themes/stark/stark.info b/themes/stark/stark.info
index 519539a0..d8bdd339 100755
--- a/themes/stark/stark.info
+++ b/themes/stark/stark.info
@@ -5,8 +5,8 @@ version = VERSION
 core = 7.x
 stylesheets[all][] = layout.css
 
-; Information added by drupal.org packaging script on 2013-08-08
-version = "7.23"
+; Information added by Drupal.org packaging script on 2014-05-08
+version = "7.28"
 project = "drupal"
-datestamp = "1375928238"
+datestamp = "1399522731"
 
diff --git a/update.php b/update.php
index 331e6324..d7927030 100755
--- a/update.php
+++ b/update.php
@@ -178,7 +178,8 @@ function update_results_page() {
     $output = '<p>Updates were attempted. If you see no failures below, you may proceed happily back to your <a href="' . base_path() . '">site</a>. Otherwise, you may need to update your database manually.' . $log_message . '</p>';
   }
   else {
-    list($module, $version) = array_pop(reset($_SESSION['updates_remaining']));
+    $updates_remaining = reset($_SESSION['updates_remaining']);
+    list($module, $version) = array_pop($updates_remaining);
     $output = '<p class="error">The update process was aborted prematurely while running <strong>update #' . $version . ' in ' . $module . '.module</strong>.' . $log_message;
     if (module_exists('dblog')) {
       $output .= ' You may need to check the <code>watchdog</code> database table manually.';
@@ -467,13 +468,13 @@ if (update_access_allowed()) {
     // update.php ops.
 
     case 'selection':
-      if (isset($_GET['token']) && $_GET['token'] == drupal_get_token('update')) {
+      if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'update')) {
         $output = update_selection_page();
         break;
       }
 
     case 'Apply pending updates':
-      if (isset($_GET['token']) && $_GET['token'] == drupal_get_token('update')) {
+      if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'update')) {
         // Generate absolute URLs for the batch processing (using $base_root),
         // since the batch API will pass them to url() which does not handle
         // update.php correctly by default.