Planet Drupal

Drupal.org - aggregated feeds in category Planet Drupal

Acquia: Four Final Questions You Should Ask Your Drupal Cloud Host

Tue, 05/05/2015 - 18:48

You know how when you're buying a car, and the questions just keep on coming? And the salesperson keeps making roundtrips to the manager's desk?

It's kind of like that when you're considering where to host your website. There's always time for more questions. It's one less surprise later on.

That's why I keep adding to my list.

It started, you may recall, with just five questions. A week later, I added five more. Now, before closing out this series, I've got a final four.

Ask now, avoid unpleasant surprises later. That's my motto, and it should be yours.

1. What is your level of Drupal expertise?

Acquia offers the industry's highest level of technical Drupal expertise. Our support organization is larger than most hosting companies: over 60 professionals worldwide with over 250 years of combined experience. And Acquia’s overall level of in-house Drupal expertise is unparalleled, with over 150 Drupalists, including core owners, security team members, and module contributors. Furthermore, Acquia’s wealth of Drupal knowledge is being expanded continuously. Closed-loop processes between our support and engineering organizations help to drive new tools and add to our Help Center, which we then share with the Drupal community.

2. If my site turns into a volcano of errors, will you proactively notify me?

Acquia monitors the health of customers’ servers, and we proactively notify customers of the nature of any issues we detect. When the problem is server-side, we mitigate it, and when the issue is caused by something on the application side, we provide recommended steps to resolve the issue (though we do not usually implement them ourselves unless the customer cannot for some reason).

Acquia also gives customers access to advanced monitoring at the application level, via partners like New Relic or features like our Uptime Monitoring tool—both of which can be used to alert customers in a self-service fashion whenever the application is suffering. If the root cause is server-related, we will notify the customer proactively, but some issues are application-only (meaning they do not trigger server health alerts on our end), so that is why we recommend that customers utilize application-level monitoring whenever possible.

3. Do you offer advanced platform analysis tools to help ensure that my application is running at its best?

Every Acquia Cloud Subscription comes with a suite of tools that make managing your Drupal sites easier than ever before. Drupal site developers, administrators, and site owners can quickly identify problems, eliminate costly mistakes, simplify processes, and improve overall site performance. Acquia’s monitoring tools analyze and measure the quality of your site based on security and performance parameters. Dozens of tests ensure your site’s conformance with best practices for security, performance, and general Drupal and web application development. Monitoring over 50 settings, these tools provide real-time analysis and proactive alerts for issues with your Drupal code and configuration. You can identify code issues and modifications fast, easily download patch files, and view needed updates at-a-glance. You’ll receive a site score to help you improve the quality of your site. You’ll get clear, actionable recommendations to help solve problems and expand your Drupal knowledge.

Acquia provides several additional tools that help you quickly troubleshoot problems with your application. The Uptime Monitoring tool monitors your site’s uptime and responsiveness. It checks your site every minute to see if it’s online and serving pages. For a developer looking to quickly and easily get visibility into a problem, log streaming is a solution that allows for easy access to information without having to download a full day’s log file. It provides real-time access to server logs from within the UI—making troubleshooting more efficient.

4. What is your uptime Service Level Agreement (SLA), and how do you ensure that you meet it?

Acquia commits to 99.95 percent platform, infrastructure, and application uptime. To ensure this, we operate monitoring services 24x7. Acquia uses the Nagios monitoring platform to provide instant access to over 50 vital real-time and historical metrics. We also maintain robust home-grown monitoring tools to ensure performance. Our team of Cloud Operations professionals is always standing by—proactively monitoring your environment and responding to critical issue alerts. With coverage in all time zones and fluency in five languages, the team is available 24x7 for critical, site-impacting issue response.

Tags:  acquia drupal planet
Categories: Elsewhere

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Cathy Theys

Tue, 05/05/2015 - 18:09

CATHY THEYS (Drupal Community Liaison, Blackmesh) runs sprints. She also mentors young Drupal sprinters. Go, Cathy!

Tags: DrupalCon Amsterdam, DrupalCon Video
Categories: Elsewhere

Drupal Watchdog: Protecting Your Drupal 8 Resources

Tue, 05/05/2015 - 16:05
Article

Drupal 8 incorporates a Modular Authentication System which, given a request, attempts to identify a Drupal user by inspecting the HTTP request headers.

Authentication comes in handy when we want to restrict access to a resource in Drupal. It can be applied to any route, although the method to implement it may differ. It is most commonly used to identify requests when we are exposing data through an API from our Drupal site.

Authentication and Authorization

Imagine you are going through airport security. The security agent asks to see your ID – a passport or driver’s license, say. The act of showing your ID is what we call Authentication. In Drupal – as in almost all websites – your authentication credentials are your username and password.

Next, the security agent checks your boarding pass to verify that you are in the right place and have clearance to get on a plane. That’s called Authorization. In Drupal your role (and therefore the permissions assigned to that role) are your Authorization credentials.

To summarize: authentication answers "who are you?"; authorization answers "may you proceed?".

Enjoy your flight!

Authentication in Drupal 8

In Drupal 8, Authorization is handled by the Access System and won't be covered in this article; there is an internal system to handle Authentication, so let's start with the following statement:

Thanks to the Modular Authentication System, different Authentication Providers may extract a $user out of a given $request object.

There are a few keywords in that statement. Let's dissect them briefly:
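An added example (not code from the article, which is cut off above) of what such an Authentication Provider looks like in Drupal 8: it implements AuthenticationProviderInterface, so Drupal asks it applies() for each request and, if so, authenticate() to extract an account from the request headers. The module name demo_auth, the header X-Demo-Token, its "username:secret" format and the field_demo_token user field are all assumptions for this demo.

```php
<?php
// Added example, not from the article. Hypothetical module "demo_auth".
// File: src/Authentication/Provider/DemoTokenAuth.php
//
// demo_auth.services.yml registers it (tag name and keys are Drupal's own):
//   services:
//     demo_auth.authentication.demo_token:
//       class: Drupal\demo_auth\Authentication\Provider\DemoTokenAuth
//       arguments: ['@entity_type_manager']
//       tags:
//         - { name: authentication_provider, provider_id: demo_token, priority: 10 }

namespace Drupal\demo_auth\Authentication\Provider;

use Drupal\Core\Authentication\AuthenticationProviderInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Identifies a user from an "X-Demo-Token" header (hypothetical scheme).
 *
 * Drupal calls applies() for every request; only when it returns TRUE does
 * authenticate() run and turn the request into an account (or NULL).
 */
class DemoTokenAuth implements AuthenticationProviderInterface {

  protected $entityTypeManager;

  public function __construct(EntityTypeManagerInterface $entity_type_manager) {
    $this->entityTypeManager = $entity_type_manager;
  }

  /**
   * Cheap check only: is our header present at all? No lookups here.
   */
  public function applies(Request $request) {
    return $request->headers->has('X-Demo-Token');
  }

  /**
   * Returns the account the token belongs to, or NULL for anonymous.
   *
   * A present-but-invalid header must yield NULL; it must never fall
   * through to some other identity. Assumed token format: "username:secret".
   * The user entity's hypothetical field_demo_token holds sha256(secret),
   * so the raw secret is never stored.
   */
  public function authenticate(Request $request) {
    $token = (string) $request->headers->get('X-Demo-Token');
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
      return NULL;
    }
    list($name, $secret) = $parts;

    $storage = $this->entityTypeManager->getStorage('user');
    // Only active accounts may authenticate this way.
    $accounts = $storage->loadByProperties(['name' => $name, 'status' => 1]);
    $account = reset($accounts);
    if (!$account || !$account->hasField('field_demo_token')) {
      return NULL;
    }
    $stored_hash = (string) $account->get('field_demo_token')->value;
    // Constant-time comparison so response timing does not leak the hash.
    if ($stored_hash === '' || !hash_equals($stored_hash, hash('sha256', $secret))) {
      return NULL;
    }
    return $account;
  }

}
```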

Categories: Elsewhere

ThinkShout: Monkeying Around with D8

Tue, 05/05/2015 - 11:00
Leading the Charge

I have used A LOT of email marketing service providers over the years and my opinion of them was twofold: they were all similar and none of them were particularly great. Was it possible that this was just a category of business that would never be exciting or innovative? Was I destined to be a project manager who half-heartedly recommended whatever email service provider I was using most at the time to clients?

Enter the chimp...

Despite its playful name, MailChimp made a serious shift in a category that had always had potential but lacked a champion. My first thought when I used the tool was that even if the feature set was identical to all its competitors, MailChimp’s user interface alone set it apart. But once I dug into its capabilities, I became a bona fide fan (dare I say ambassador) of the brand. From automated email workflows and slick segmentation capabilities, to the Chimpadeedoo tablet app that facilitates email sign-ups without an internet connection, MailChimp became the new king of the jungle.

Fast forward a few years, and here I am working at ThinkShout, MailChimp’s Drupal partner. We built and maintain the MailChimp Drupal module, which is used by nearly 22,000 websites.

If you are familiar with MailChimp’s motto - listen hard and change fast - (or if you just read the first couple paragraphs of this blog post), then it should come as no surprise that innovation is at the heart of MailChimp’s culture. With the release of Drupal 8 looming this Fall, MailChimp and ThinkShout saw a unique opportunity to lead the charge by porting one of the most popular email modules to be D8 compatible.

The Only Way Through it is Through it

Being a trailblazer isn’t easy, and MailChimp understood that pushing the envelope on D8 development would require an investment of time and resources. While the core MailChimp module is relatively simple, the bundled submodules are feature-rich and technically complex.

Let’s recap what the MailChimp module allows you to do:

  • Any “object” in Drupal that has an email address, say a User, Contact, or even a Comment, can be automatically subscribed to a list and segmented based on other attributes, like their zip code.
  • Display a list subscription status on an entity or a subscription form.
  • Map Drupal Data, such as name and address, to merge fields in MailChimp.
  • Create forms to allow site visitors to sign up for any Mailchimp List or combination of Lists.
  • Create Pages, Blocks, or both to display forms.
  • Create campaigns containing any Drupal entity, or entities, as content.
  • Send campaigns created in Drupal through MailChimp or Drupal.
  • View campaign statistics and email activity for all list subscribers.

Luckily, one of the greatest aspects of our partnership with MailChimp is our shared passion for recognizing opportunity in challenges and giving back to the community. With that spirit, a couple of ThinkShout engineers dove in head first with the goal of porting the majority of the popular D7 module’s features over to D8 in time for a beta release at DrupalCon LA. During the process, they realized that the available Drupal 8 documentation wasn’t keeping up with the speedy pace of D8 development. Over the course of several weeks, our engineers updated documentation and created examples to make life (or at least development) a little easier for the next developer looking to create something similar.

It’s a Sprint, Not a Marathon

With the conference approaching, it was time to call on the ThinkShout village to help put the polish on the new module. Since nine heads are better than two when it comes to user testing and QA, we scheduled a sprint to focus our engineering department on providing that critical perspective needed at the end of a large development project.

During our afternoon sprint, our engineering department ran a battery of tests (both human and automated) to document and resolve bugs. Our engineering staff has grown quite a bit recently, so the sprint also provided an opportunity for knowledge sharing about MailChimp and D8 development across the team. As a non-engineer fly on the wall, it was exciting to witness the energy at the sprint table, as bugs were closed and high-fives were thrown.

The Future is Now

So far, I’ve focused on what some of the challenges of early D8 development have been, and you’re surely wondering by now “So, what do you think about D8?” Short answer: we’re excited, and we think you should be, too.

Drupal 8 standardizes module development by enforcing PSR-4 compliant namespaces. Whereas D7 allows developers to dictate where a form or entity is placed, for example, D8 loads files in the correct path automatically. What does this mean for developers? Well, it means time saved by not having to search an entire codebase to find where the developer before you placed a form. And because this structure is more in line with general engineering practices, it will be easier for any developer to ramp up for Drupal development.

But the benefits aren’t just for developers. We are also excited about the efficiencies that will be created for our nonprofit clients. Not only do they stand to benefit from the streamlined development approach, but that shift in approach will also make it easier to find resources to maintain and enhance their sites.

Learn More About the New MailChimp Module

Come and see us at DrupalCon LA, where our very own Lev Tsypin will be giving a lightning talk about the evolution of MailChimp's support for Drupal, the basics of how the integration works, and a hint at what's to come for Drupal 8. Don’t worry if you can’t make it to the talk, because we’ll also be hanging out in the MailChimp booth. And if you spot one of us (you’ll recognize us by our ThinkShout hoodies), stop us! We’d love to chat about what we’ve learned about D8 and why we are excited for its release. Also, be sure to check out past blogs we've written about our work on the MailChimp module.

Categories: Elsewhere

Drupal core announcements: Drupal 7 core release on Wednesday, May 6

Tue, 05/05/2015 - 07:39
Start: 2015-05-06 (All day) America/New_York
Online meeting (e.g. IRC meeting)
Organizers: David_Rothstein

The monthly Drupal core bug fix/feature release window is this Wednesday, May 6. Although there was a release just last month, it's a good time for another one, to fix a regression introduced in Drupal 7.36 that affected some sites as well as to get a few other fixes in. Therefore, I plan to release Drupal 7.37 this Wednesday.

The final patches for 7.37 have been committed and the code is frozen (excluding documentation fixes and fixes for any regressions that may be found in the next couple days). So, now is a wonderful time to update your development/staging servers to the latest 7.x code and help us catch any regressions in advance.

The primary purpose of this release is to fix a regression caused by Drupal 7.36 which caused content types on some existing sites to become disabled after the update (see the 7.36 release notes and the issue for further information). The fix is intended to work for sites that already upgraded to Drupal 7.36 (it should restore content types that were erroneously disabled) as well as for those that did not. More testing of this issue in particular is welcome.

You might also be interested in the tentative CHANGELOG.txt for Drupal 7.37 and the corresponding list of important issues that will be highlighted in the Drupal 7.37 release notes.

If you do find any regressions, please report them in the issue queue. Thanks!

Upcoming release windows after this week include:

  • Wednesday, May 20 (security release window)
  • Wednesday, June 3 (bug fix/feature release window)

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Elsewhere

DrupalCon News: Accessibility at DrupalCon

Mon, 04/05/2015 - 23:49

Inclusivity is incredibly important to us at the Drupal Association. As part of our organizational value of respect, we state: “We respect and value inclusivity in our global community and strive to recognize, understand, and respond to its needs."

But we believe that actions speak louder than words, and that’s why we’re pleased that DrupalCon will be so friendly to our community members who may require assistance or have certain accessibility needs during the events.

Categories: Elsewhere

Drupal Association News: 2015 At-Large Election Data Released

Mon, 04/05/2015 - 22:35

It was just a few weeks ago that we welcomed Addison Berry as our new At-Large board director after a very eventful elections process. Almost as soon as we announced the news, we heard feedback via Twitter and the announcement blog post comments that there was strong interest in seeing the voting data. In our transparent community, it only seemed natural to share the aggregated voting data.

We agreed, but because we had not previously shared any of that data publicly, we decided to take it to the board for discussion before doing so. One thing we did NOT want to do is discourage candidates from further community participation by exposing voting data without their knowledge. So, at the 15 April board meeting, we discussed the requests.

The board members were all in agreement that sharing the data is a good thing. The one concern was that because this issue had not been raised before, we had not asked the candidates or shared with them that voting data would be shared. It was agreed that in future elections, we will inform candidates on the self-nomination page that their data will be shared. For sharing this election's data, we went back and asked candidates to opt-in to share their voting results.

So, what we are sharing this year is a first step toward broader transparency around elections data. This year, we can only share with you an image file with data obscured for candidates who did not opt-in. The file does show you the progression of the IRV voting runoff, but we recognize that an image file is not highly usable.

However, the discussion we had around sharing voting data was really informative and actually fun (I love data!). We have already developed a number of stories for the next iteration of the elections module that we deploy, and these will allow us to potentially track and share a lot more aggregate data. It would be great, for example, to know where the votes came from geographically. It would also be great to release the data in a more usable way, like a CSV file. Feel free to share what you would like to see from future elections in the comments below. Just know that we are committed to only share aggregated data and will never drill down to share how a particular voter voted.

With that, it's time to share the voting data. Remember that we use IRV voting, so the image below shows that process - getting to a candidate with more than 50% of the votes (as opposed to a simple majority). The result is that the candidates with the fewest #1 placements are eliminated in each round until one candidate has a majority. You can see the votes of candidates being transferred in each round. Things become much clearer in the end when you can see the final 5 candidates:

  • Ani Gupta
  • Anonymous
  • Enzo
  • Michael Schmid (not named, but he is the remaining candidate when the winner is declared)
  • Addison Berry (the winner!)

Thank you again for the push to share this data, and we look forward to doing even more in the next election:

Categories: Elsewhere

Drupal Easy: DrupalEasy Podcast 151: Shirtless at Drupalcon (Brett Meyer and Stephanie Gutowski - Drupal Watchdog/DrupalCon Los Angeles preview)

Mon, 04/05/2015 - 20:22
Download Podcast 151

Brett Meyer, Director of Strategy at ThinkShout, and Stephanie Gutowski, Community Engagement Organizer/Manager at ThinkShout, join Ted, Ryan, and Mike to talk about video games. Specifically, Dragon Age: Inquisition. Seriously - Brett and Stephanie have an article in the upcoming issue of Drupal Watchdog where they relate content strategy in web sites to content strategy in content-heavy video games. We also focus on DrupalCon Los Angeles, including what we're looking forward to, if sessions are still necessary, community vs. business networking, and if it's possible to only pack a single shirt.


Categories: Elsewhere

Acquia: Build Your Drupal 8 Team - Skills for Tech, Non-Tech, and "Bridge" Members

Mon, 04/05/2015 - 19:12

Getting your hands on new technology is the best part of being a developer -- playing around with it and trying out cutting-edge concepts is challenging.

But trying to meet deadlines with new tech, especially if you don't understand it fully? That can mean lots of late nights and weekend work when you'd rather be doing something else.

Fortunately, working with Drupal 8 builds on core skills your team already has. Augmenting their existing knowledge with additional skills to use the new functionality of Drupal 8 will help your team deliver that first project successfully.

The new release of Drupal integrates technology that's become industry-standard, so developing skills in these areas will have benefits beyond the Drupal ecosystem.

How to think about your Drupal 8 team: Tech, Non-Tech, and "Bridge."

Skills for the Tech Team Members

Even if you've worked with Drupal previously, upcoming architectural changes in Drupal 8 mean you'll need to spend some time to get up to speed.

For the tech folks, here's the bulletin: bone up on PHP, Symfony, and object-oriented development.

PHP underlies Drupal 8's event-listener, which is what makes its functionality work. Understanding PHP namespaces is important to coming up with a clean way of organizing your code modules and sub-modules.

Symfony is a PHP framework that's being incorporated into Drupal 8. It will help provide the routing, sessions and services container functionality. Features like dependency injection will help you develop reusable code.

Drupal 8 implements its fields, views, entities and nodes in an object-oriented fashion. This brings the benefits of object-oriented development, like inheritance and encapsulating functionality, but means you need to understand concepts like polymorphism. Focus on understanding key design patterns like dependency injection -- you'll want to leverage those patterns in speed-building your site.

That sounds like a lot of learning, but you don't need to become experts in all of it -- you just need to get a deep enough understanding of the concepts and how to use them to speed your Drupal 8 development.

Skills for the Non-Tech Team Members

The non-tech members of the team don't get a free pass while developers hit the books.

Everyone on the team should understand the capabilities of Drupal 8 so they know what they can reasonably ask you to develop.

Finally, your team needs a "bridge member" -- a team lead or project manager who understands both the technical capability of Drupal 8 and the needs and wants of the business to mediate when there is a conflict between them.

A bridge member who is fluent in technology and business is key to making sure project commitments are realistic and achievable, allowing you to get the project done while having weekends to yourself.

Next: We'll drill down into the technical roles and required skills your team needs for Drupal 8.

Sources:

https://www.drupal.org/drupal-8.0

http://buytaert.net/why-the-big-architectural-changes-in-drupal-8

http://www.sitepoint.com/symfony-drupal-8/

http://stackoverflow.com/questions/1068556/how-drupal-works

Tags:  acquia drupal planet
Categories: Elsewhere

Acquia: Jumpstart Your Drupal Project with a Technical Project Manager

Mon, 04/05/2015 - 17:46


Is your Drupal project stalled?

Perhaps you don't know exactly what's wrong, but for some reason the project is just stuck.

You're eager to take the next step -- if only you knew what that was. If you find yourself in this situation often enough, you might want to consider hiring a technical project manager.

What is a Technical Project Manager?

Simply put, a technical project manager is your liaison between your technical team and the non-technical people you are working with. Technical managers are familiar with technical jargon and processes, and most importantly, they understand the culture of IT professionals. Thus, they can communicate well and help motivate members of the IT team that aren't performing at their maximum capacity, help managers delegate work appropriately and jump-start project leadership.

Technical project managers do a whole host of things on any given day to help move projects into the next stage of completion. For example, they might:

  • Write emails to members of the IT team to assign tasks, check in on project completion or resolve problems.
  • Discuss the project one-on-one with technicians to make sure they are staying on track and are moving towards project completion.
  • Write status reports
  • Lead IT team meetings
  • Help technicians brainstorm solutions to severe technical problems.

How to Work With a Technical Project Manager

The key to working with a technical project manager is to communicate often about the project. Here are some specifics to keep in mind:

  • Share your vision for the project. Technical project managers are as prone to assumptions about what the project entails as other IT team members are. It's important to begin by ensuring everyone's on the same page. When the technical project manager is brought on board, have a team meeting where everybody shares what they think the project is meant to accomplish and what their role is. That way, the technical project manager understands what's needed and can make sure that everybody on the team knows what they are supposed to be doing.
  • Collaborate on a timeline. One of the biggest problems with IT projects involves timelines. It can be tempting to get sucked into side projects when researching or working on the main project, and this can push deadlines back -- especially if those deadlines aren't clear to begin with. Sit down with the technical project manager to discuss the timeline for the project, including deadlines for each step. Together, the team can come up with a timeline that feels comfortable for everybody and the technical project manager can more easily help everybody stay on task.
  • Have regular check-ins. Now that there's a technical project manager on board, IT team members can talk about technical difficulties or problems with completing their tasks as scheduled because the project manager will understand what they're talking about. Team members should get in the habit of checking in regularly with the technical project manager and sharing any concerns or technical problems that are interfering with progress.
  • Use technology for check-ins and discussion. Reporting tools should be updated, and internal social media, instant messaging and conference calls should be utilized to quickly provide status updates for each member of the team.

Bringing a technical project manager on board can help bridge the gap between IT professionals and management.

Technical project managers have an IT background as well as a management background, so they are in a unique position to help projects get off the ground and moving towards completion.

Tags:  acquia drupal planet
Categories: Elsewhere

J-P Stacey: Unicode, accented characters, Drupal Views Data Export and Excel

Mon, 04/05/2015 - 17:00

If you need to assemble listings of content in Drupal, Views is what you use. And if you need to export such a listing, into offline formats like CSV, Views Data Export is a definite contender for how to do it. However, when you open the output in Microsoft Excel, you can end up—intentionally or otherwise—learning a great deal about the internals of Unicode encoding.


Categories: Elsewhere

NEWMEDIA: How to Prevent SQL Injections in Drupal

Mon, 04/05/2015 - 15:04
Drupal is an incredibly powerful open source CMS that allows you to create, manage, and serve content. Unfortunately, so can others if you don't properly sanitize all user input in order to prevent a malicious attack! Here are some tips on how to stop one of the most common vulnerabilities: SQL injections.

Motivation: Why CMS Security Matters

Regardless of whether your site is a simple blog or a top 50 web property, they all represent an investment of time, money, and creative energy. And, just like any investment of value, it’s important to secure it in order to maintain its integrity.

Now, imagine a situation where all of your hard work can be compromised from a single, well-crafted attack. As a member of the Drupal security team, I can assure you that we’re still receiving email reports every week regarding websites that were hacked from the now infamous “Drupageddon”. Not only was such an attack possible, it was exploited worldwide within hours of the published disclosure. Of course, this is a particularly extreme example that happened to affect Drupal core. It’s far more common to find vulnerabilities in custom code written by individuals that did not have the time and/or expertise to address them.

That’s the doom and gloom. Now let’s imagine a different scenario in which you sanitize all user input to ensure that you’re protected however a user tries to interact with your website. This is exactly what we’re about to go over for one of the most common forms of attack: a SQL injection.

What is a SQL Injection?

A SQL Injection is similar to “riders” in the US Federal government. A “rider” is a somewhat frustrating legislative procedure where an unrelated provision is attached to another piece of legislation. This tactic is often used to sneak in something unpopular or controversial onto an otherwise legitimate piece of legislation.

Similarly, a SQL injection is where a legitimate operation (e.g. insert a piece of content) has a malicious instruction added to it (e.g. create a new user and give it root access).

Here is a basic example that could theoretically come from a form submission:

$user_input = "JohnDoe";
$SQL = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query: SELECT * FROM {users} WHERE username = JohnDoe

Now most users submitting the form would cause no harm. However, it doesn’t take much for a knowledgeable individual to create a malicious payload.

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$SQL = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query: SELECT * FROM {users} WHERE username = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1

Notice that the hacker can essentially create any arbitrary command by following this pattern. All an attacker needs to do is place any arbitrary command after the semicolon and they are off to the races. And because a CMS like Drupal relies heavily on the database, an attacker is then able to change just about anything (content, users, configuration, etc).

Sanitizing Data

The key principle to follow in preventing SQL attacks is to not trust user input. Instead, all user input should be sanitized such that no additional or unintentional database changes can be introduced.

With Drupal, there are a few ways to achieve this:

  • Manually Sanitize
  • Drupal’s Database Abstraction Layer (db_query())
  • Drupal Query Builder (DBTNG)

Let’s review each.

Manually Sanitize

Even though this is the first approach we discuss, it is not a recommended approach. In this scenario you are either going around Drupal’s database abstraction layer, or you are creating queries as strings of text and performing your own sanitization to remove riders (e.g. additional commands appended to the end of a legitimate command) as well as changes in logic (e.g. alterations to the existing query’s logic to make it pass or fail).

The challenge here is you’re essentially replicating what Drupal provides out of the box with its database abstraction layer. Worse, if you haven’t thought through all the possible attack vectors, you may miss something important.

Bottom line, proceed at your own risk if you decide to go it alone.

Drupal Database Abstraction Layer

Here we use placeholders that properly escape portions of the user input that could add an additional payload/rider or change its intended logic. Returning to our previous example:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
db_query("SELECT * FROM {users} WHERE username = :name", array(":name" => $user_input));
// Resulting query: SELECT * FROM {users} WHERE username = 'JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1'

You’ll notice a major difference in that last line. Now the user input is no longer appending a new query to the end of an existing query. Instead, Drupal is ensuring the entirety of the user input is being used where it’s supposed to be used (i.e. as a comparison to find a record within the user table). And since there is no username that matches this arbitrary SQL command, the query will return NULL. More importantly, it will do nothing more than what it was designed to do.

It’s also important to note that it is still possible to introduce vulnerabilities when using commands from the database abstraction layer. If one doesn’t use placeholders, the malicious code can be easily reintroduced. For example:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
db_query("SELECT * FROM {users} WHERE name = " . $user_input);
// Resulting query: SELECT * FROM {users} WHERE name = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1

The takeaway message is to always use placeholders when passing variables into a query, regardless of whether they came from user input or from the system. Not only will it ensure consistency within your code, but it will significantly reduce the risk of SQL injection.

Drupal Query Builder (DBTNG)

One of the new features in Drupal 7 core is the introduction of DBTNG (Database The Next Generation). In this new feature, placeholders are essentially mandatory based on how they are constructed. Let’s rework the example we’ve been using:

$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$query = db_select('users', 'u');
$query->fields('u');                     // select all columns of the users table
$query->condition('name', $user_input);  // the value is always bound through a placeholder
$results = $query->execute();
// Generated SQL: SELECT u.* FROM {users} u WHERE (name = :db_condition_placeholder_0)
// The entire user string is bound to the placeholder, so it is only ever compared as a value.

By using DBTNG we get sanitizing of user input out of the box (SA-CORE-2014-005 aside). And as with the existing database abstraction layer, this can be used to ensure a consistent, secure codebase.

Detecting Trouble Spots

Reviewing an existing codebase for vulnerabilities can be a daunting task. Luckily, the coder review module can make that process a lot easier. It scans for common patterns and flags them by severity. This includes db_query() statements that attempt to insert variables directly into the query parameter instead of using placeholders.

If you don’t already use the coder review module as part of your workflow, I can’t recommend it enough. The module also scans for other vulnerabilities (e.g. XSS), coding standards, comment standards, and more. At a minimum, it will help you keep your codebase tidy. If used consistently, it will make you a better developer!
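To make the "trouble spot" idea concrete, here is an added example of the kind of check coder review performs. It is not the coder module's code: a small line-oriented heuristic that looks at the first argument of every db_query() call and flags the two patterns from the examples above (SQL built by string concatenation, and a PHP variable interpolated into a double-quoted query string), while leaving placeholder-based calls alone. The PHP sample it scans is constructed for this example.

```python
"""Flag db_query() calls that splice variables into SQL instead of using placeholders.

Added example in the spirit of coder review's db_query check; it is not the
coder module's code. A line-oriented heuristic: for each db_query() call it
takes the first argument and reports string concatenation ('.') or a PHP
variable interpolated into a double-quoted query string. The PHP sample it
scans is constructed for this example.
"""
import re
from typing import List, Tuple

# A db_query( ... ); call on one line; 'args' is everything between the parens.
DB_QUERY_CALL = re.compile(r"db_query\s*\((?P<args>[^;]*)\)\s*;")
# A quoted literal followed by '.', or '.' followed by a quoted literal.
CONCATENATION = re.compile(r'(["\'])(?:(?!\1).)*\1\s*\.|\.\s*(["\'])')
# A $variable inside a double-quoted PHP string (PHP interpolates it).
INTERPOLATED_VAR = re.compile(r'"[^"]*\$[A-Za-z_][A-Za-z0-9_]*[^"]*"')

Finding = Tuple[int, str, str]   # (line number, severity, message)


def first_argument(args: str) -> str:
    """Return the first top-level argument: split on the first comma that is
    neither inside a string literal nor inside nested parentheses/brackets."""
    depth = 0
    quote = None
    for i, ch in enumerate(args):
        if quote:
            if ch == quote and args[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:
            return args[:i].strip()
    return args.strip()


def scan_php(source: str) -> List[Finding]:
    """Scan PHP source text and return one finding per suspicious db_query() call."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for call in DB_QUERY_CALL.finditer(line):
            sql_arg = first_argument(call.group("args"))
            if CONCATENATION.search(sql_arg):
                findings.append((lineno, "critical",
                                 "db_query(): SQL built by string concatenation; use placeholders"))
            elif INTERPOLATED_VAR.search(sql_arg):
                findings.append((lineno, "critical",
                                 "db_query(): variable interpolated into the query string; use placeholders"))
            elif not sql_arg.startswith(('"', "'")):
                findings.append((lineno, "warning",
                                 "db_query(): query is not a string literal; check how it is assembled"))
    return findings


# Constructed sample: one safe call, two injectable ones, one that needs review.
SAMPLE_PHP = """\
<?php
// constructed sample for the scan, not real module code
$ok   = db_query("SELECT * FROM {users} WHERE name = :name", array(":name" => $user_input));
$bad1 = db_query("SELECT * FROM {users} WHERE name = " . $user_input);
$bad2 = db_query("SELECT * FROM {users} WHERE name = '$user_input'");
$bad3 = db_query($sql);
$rows = db_query("SELECT uid FROM {users} WHERE uid > :uid", array(":uid" => 0))->fetchAll();
"""

if __name__ == "__main__":
    for lineno, severity, message in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: [{severity}] {message}")
```

Run it on the sample and lines 4, 5 and 6 are reported while the two placeholder-based calls pass. Because it works one line at a time, a query string split across lines is not analysed; the real coder review parses the PHP, which is why the module, and not a heuristic like this, belongs in the workflow.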

Finally, if you ever find a potential issue in a contrib module in your CMS, please file an issue with the Drupal security team! Or, if you need help with your Drupal, don’t hesitate to contact the newmedia team for a Drupal security audit.

Categories: Elsewhere

Drupalize.Me: Help Drupal 8 and Win!

Mon, 04/05/2015 - 15:02

We're kicking off a campaign to help the Drupal 8 Accelerate Fund. If you donate $50 or more to the community fund, you have a chance to win a free annual membership and if you donate $100, you can choose a new video for us to create.

Categories: Elsewhere

Chromatic: Working with Vim: Never Leave Your Terminal

Mon, 04/05/2015 - 14:56

Recently, Ryan blogged about a few CLI utilities that can really help improve your productivity. If I had to add one additional utility to his list, it’d be Vim. Vim is the notoriously difficult-to-use, but remarkably powerful, text editor that runs in a terminal (and of course the famous rival of Emacs).

Everything you’ve heard about Vim is true: it’s very difficult to learn, and it’s insanely powerful. These two characteristics almost balance each other out. You can probably do anything with Vim that you can do with another editor and do it faster and more efficiently. But you’ll need to take the time to learn it.

I can’t teach you much about Vim in a blog post. But there’s another reason for developers and programmers to bother with Vim: if you use it, you can almost work the whole day in your terminal. Most of the tools I need excepting browsers and other communications tools run in the terminal, so the more time I can spend in the terminal, the more efficiently I can work. Here’s how I do it.

Browsing files with NERDTree

I use Janus--a "Vim distribution"--to set up Vim. Janus provides a huge number of useful tools and a lot of default configuration on top of stock Vim (line numbers, commenting utilities, and much more), but the one I want to draw attention to here is NERDTree, a file browser for Vim (which, of course, can be installed without Janus).

For me this is an essential feature, and it really helped with my adoption of Vim. With it enabled, opening a project is as simple as navigating to a directory and typing vim . (Vim followed by a dot for the current directory). As with conventional editors, this file browser can be configured to toggle on or off. And as with everything else in Vim this functionality is accessed and used via the keyboard. What’s more, NERDTree offers a one-keystroke menu (just type m) for creating, moving, deleting, and copying files.

Running terminal commands from inside Vim

The editor is where I spend most of my time, so running Vim in a terminal is a first step. But sometimes we have to perform tasks on the command line, such as using drush to clear a Drupal site’s caches. Vim provides a neat little solution that you can use to do this without even leaving Vim. Type :! plus the command you need to run:

:! drush cc all

This will run the drush command in a shell, display the output of the command, and prompt you to type ENTER to resume editing.

Leaving and returning to Vim without losing your place

Sometimes while you’re working, you need to run multiple commands or do something more involved than running a single command. Fortunately, there is a way to do this in the bash shell:

CTRL-z

This will actually move the Vim process into the background, returning you to your prompt to run whatever commands you need. To return to Vim--exactly as you left it--type:

fg

This returns Vim to the foreground so you can continue working.

Opening files

Everything else I’ve mentioned in this post should work on Linux systems of all sorts, but OSX has one nice command that I haven’t encountered elsewhere. The "open" command can be used to open files with the application of your choice. So if you’re working on a file that you need to try out in a browser, you can type something like:

open -a Firefox test-document.html

Transferring files with SCP

Since Git has become so popular not only as a way to manage, but also to deploy code, I find I transfer a lot fewer files than I used to. Nevertheless, it still happens that we need to move the occasional file up or down to a remote server. For this, I like to use SCP (SFTP is a good option for this too, but avoid FTP, it’s insecure).

Again, a full tutorial on SCP is far too involved for a blog post, but the basic syntax is like this:

scp path/to/local/file server:/path/to/remote/file

There are two things that make scp tricky to use (and which might take you away from your terminal!): the file paths and the authentication. I can’t help with the file paths, but you can stay in the terminal getting your work done by using SCP without usernames and passwords.

Authenticating SSH without passwords

This will change your life. It is possible to set up safe, secure SSH authentication without passwords. Even more exciting, once you have done this, it’s no longer necessary to use usernames and passwords with SCP. Once you’ve set up passwordless SSH access to a client server (under the host name e.g. ‘clientserver’), you can SCP a file to it as follows:

scp /path/to/local/file clientserver:/path/to/remote/file

No passwords or usernames required!

Editing files on remote servers

Last of all, we come to the reason that I decided to start using Vim in the first place. Simply put, Vim, or its predecessor Vi, is installed on virtually every web server running Linux anywhere in the world.

This means that, on those occasions where it’s necessary for me to edit a remote file, I can usually use something similar to my usual editor. The version of Vi(m) on the remote server is usually much more stripped-down than my local development environment, but if you know how to use Vim, you usually find an editor installed on the server that you can use instead of having to SCP/SFTP transfer files up and down. Combine this with the passwordless SSH authentication, and it’s not only convenient, but very, very fast.

Is it worthwhile?

It can be. If you already use many command-line tools, and if you find that constantly needing to switch applications, or switching back and forth from mouse to keyboard interferes with your productivity, then Vim might be worth a shot. Conversely, if you already use Vim in the terminal and you’re not using command-line tools for almost everything else you can think of, you might want to start.

Now back to your terminal!

Categories: Elsewhere

Deeson: Deeson is an official G-Cloud 6 agency

Mon, 04/05/2015 - 11:48

It's official, Deeson is a G-Cloud approved agency (and have been for some time!) 

This means we're formally recognised as one of the partners working with the public sector to develop user-centered digital services. 

What's it all about? 

The government's G-Cloud framework contract aims to provide an easy way for public sector bodies to access digital services across a whole host of fields.

It does this through providing a number of pre-vetted suppliers, so there's no need for a lengthy pitch or procurement process. 

You can find out all about the services we provide under G-Cloud in the Digital Marketplace (previously the Cloudstore) - a digital procurement resource for the public sector.

Our work under G-Cloud

We're a Drupal-led digital agency and we've built all sorts of sites, big, beautiful and complicated - from online communities to searchable art collections.

But that's not all we do. We have an established user experience and creative practice too.

That means we also deliver discovery and scoping projects under the G-Cloud framework - helping you understand more about your users and what it takes to develop a digital experience that they'll really want to use.

Getting started with G-Cloud

The G-Cloud set-up aims to make life easier if you work in the public sector, yet it may be daunting to some who are unfamiliar with how things work.

We've put together five handy tips to help you make the most of G-Cloud: 

  1. Be open and willing to try a different approach: to take full advantage of G-Cloud, it helps to have a more ‘open’ attitude - and be open to experimentation. Make sure you're familiar with the Service Design Manual (we love it!) and what it means for your project.  
  2. Clearly identify and understand your user or audience: this will drive what your needs are - what you want to achieve and what ‘success’ looks like. This in turn will help lead to the best solution, and help you deliver a meaningful product.  
  3. Establish who your key business owners are: make them central to the project; they are the enablers, the advocates and the ones that will drive the projects forward.  
  4. Use a natural opportunity to try G-Cloud: often it's best to outsource a small piece of work to test the water and help build your organisation's understanding of how to buy digital services under G-Cloud and how to work collaboratively with digital partners.  
  5. Network like there's no tomorrow. There's a thriving and supportive network of people working with digital in the public sector - get out there and meet them at events and meet-ups to boost your knowledge and see what's going on across the sector.

Want a bit more help?

Find out more about all the G-Cloud services we offer here or just drop us a line - we're always happy to provide friendly advice and have a chat.


Categories: Elsewhere

Triquanta Web Solutions: SEO and CDN

Mon, 04/05/2015 - 11:12

So you decided to start using a CDN provider for your website. A good idea! But a lot of CDN providers use a custom URL that you should CNAME when everything is set up properly.

Take for instance Fastly and CloudFront, two big CDN providers.

When I want to add this website to Fastly they will give me the URL: www.triquanta.nl.global.prod.fastly.net
For Cloudfront it will be something like: d67something714.cloudfront.net

Once you have set up the CNAME, visitors will most likely never see these hostnames. But it can happen that these domains get indexed by search engines.

And there you have it.... duplicate content.
This means that your CDN provider's hostname is competing with your actual main domain. You don't want this, because it is bad for your Search Engine Optimization (SEO).

To prevent this use the Canonical meta tag for all of your content pages. ( see https://support.google.com/webmasters/answer/139066?hl=en&rd=1 for more info)
In Drupal this can be done using the metatag module https://www.drupal.org/project/metatag this module can add the canonical and a lot of other desired meta-tags (see https://groups.drupal.org/node/229413 for the full list).

Now your content is okay, but what about your files (images, PDF, Word, etc.)?
Since 2011 Google (and the other search engines followed) also supports the canonical link when it is sent as a response header. The next step is to add that header to the files, which can be done on your own server.
Apache .htaccess example with mod_rewrite and mod_headers enabled:

<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|webp|html)(\.gz)?(\?.*)?$">
    <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{HTTPS} !=on
       RewriteRule .* - [E=CANONICAL:http://www.triquanta.nl%{REQUEST_URI},NE]
       RewriteCond %{HTTPS} =on
       RewriteRule .* - [E=CANONICAL:https://www.triquanta.nl%{REQUEST_URI},NE]
    </IfModule>
    <IfModule mod_headers.c>
       Header set Link "<%{CANONICAL}e>; rel=\"canonical\""
    </IfModule>
</FilesMatch>

Nginx example:

location ~ \.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|webp|html)(\.gz)?(\?.*)?$ {
  add_header Link "<$scheme://www.triquanta.nl$request_uri>; rel=\"canonical\"";
}

When a file is accessed using the CDN URL, the proper canonical header is added, and you will not have any duplicate content issues.
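After rolling out the Apache or Nginx rule, it is worth verifying that files fetched through the CDN hostname really carry the right header. The following is an added example, not Triquanta's code: it parses a Link header and checks that the rel="canonical" target keeps the requested scheme and path but sits on the primary host. The response headers are constructed; the hostnames are the ones from this post.

```python
"""Verify that a file served through a CDN hostname declares the main site as canonical.

Added example, not Triquanta's code: it parses the Link header that the Apache
and Nginx snippets emit and checks that the rel="canonical" target keeps the
requested scheme and path but sits on the primary host. The response headers
below are constructed; the hostnames are the ones from the post.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# One link-value: <target>; param=value; param=value (values separated by ',').
LINK_VALUE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')


def parse_link_header(value: str) -> List[Dict[str, str]]:
    """Parse a Link header into a list of {"url": ..., "rel": ..., ...} dicts."""
    links = []
    for match in LINK_VALUE.finditer(value):
        link = {"url": match.group(1)}
        for param in match.group(2).split(";"):
            if "=" in param:
                key, val = param.split("=", 1)
                link[key.strip().lower()] = val.strip().strip('"')
        links.append(link)
    return links


def canonical_link(headers: Dict[str, str]) -> Optional[str]:
    """Return the rel="canonical" target from the response headers, if any."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for link in parse_link_header(lowered.get("link", "")):
        # rel may carry several space-separated relation types
        if "canonical" in link.get("rel", "").lower().split():
            return link["url"]
    return None


def check_canonical(headers: Dict[str, str], requested_url: str,
                    canonical_host: str) -> Optional[str]:
    """Return None when the canonical header is right, else a description of the problem."""
    target = canonical_link(headers)
    if target is None:
        return 'no rel="canonical" Link header: the CDN copy can be indexed as duplicate content'
    wanted = urlsplit(requested_url)
    got = urlsplit(target)
    if got.hostname != canonical_host.lower():
        return f"canonical host is {got.hostname}, expected {canonical_host}"
    if got.scheme != wanted.scheme:
        return f"canonical scheme is {got.scheme}, request used {wanted.scheme}"
    if got.path != wanted.path:
        return f"canonical path {got.path} does not match requested path {wanted.path}"
    return None


# Constructed sample: a PDF requested through the Fastly hostname from the post.
REQUESTED_URL = "https://www.triquanta.nl.global.prod.fastly.net/sites/default/files/brochure.pdf"
PRIMARY_HOST = "www.triquanta.nl"

GOOD_HEADERS = {
    "Content-Type": "application/pdf",
    "Link": '<https://www.triquanta.nl/sites/default/files/brochure.pdf>; rel="canonical"',
}
MISSING_HEADERS = {"Content-Type": "application/pdf"}
SELF_REFERENCING_HEADERS = {
    "Link": '<https://www.triquanta.nl.global.prod.fastly.net/sites/default/files/brochure.pdf>; rel="canonical"',
}

if __name__ == "__main__":
    for name, headers in [("good", GOOD_HEADERS), ("missing", MISSING_HEADERS),
                          ("self-referencing", SELF_REFERENCING_HEADERS)]:
        print(name, "->", check_canonical(headers, REQUESTED_URL, PRIMARY_HOST) or "ok")
```

In practice you would feed it the headers of a real response fetched through the CDN hostname; the self-referencing case is the one to watch for, since a canonical that points back at the CDN host silently keeps the duplicate.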

Categories: Elsewhere

Four Kitchens: API Design: The Musical - Live from Drupalcon LA

Mon, 04/05/2015 - 05:01

We are just a few sweet days away from the power that is Drupalcon, Los Angeles. If you’re going I hope you are ready for another great conference.

Drupal
Categories: Elsewhere

Chen Hui Jing: Drupal 101: Creating an iTunes podcast feed

Mon, 04/05/2015 - 02:00

Podcast listenership has been steadily increasing in recent years, and some are even predicting that we’re on the verge of a podcasting explosion. With that being said, it’s pretty likely you’ll get tasked with creating an iTunes podcast feed. Luckily, it’s quite simple to create one on your Drupal site with Views.

Required modules

Create/Modify content type for feed
  1. Install and enable the required modules. drush en views views_ui views_rss views_rss_core views_rss_itunes libraries getid3 -y
    • Create a new folder in your libraries folder like so:...
Categories: Elsewhere

DrupalOnWindows: Drupal: Fields or Properties (or something else)

Sun, 03/05/2015 - 19:00
Language English

Making Drupal scale is hard. It is even harder if your application is big and complex. And one of the main problems is that usually not enough attention is paid to data storage. But let me tell you that the storage model you pick is the backbone of your application, its heart, its soul.

No fancy UI is ever going to compensate for a slow, unmaintainable and crappily engineered piece of software.

More articles...
Categories: Elsewhere

orkjerns blogg: Drupal and IoT. Code examples, part 1

Sun, 03/05/2015 - 15:39

As promised, I am posting the code for all the examples in the article about Drupal and the Internet of Things. Since I figured this could also be a good excuse to actually exemplify different approaches to securing these communication channels, I decided to use a different strategy for each code example. So here is the disclaimer. These posts (and maybe especially this one) do not necessarily contain the best practices for establishing a communication channel from your "thing" to your Drupal site. But this is one example, and depending on the use case, who knows, this might be the easiest and most practical for you.

So, the first example we will look at is how to turn on and off your Drupal site with a TV remote control. If you did not read the previous article, or if you did not see the example video, here it is:

Overview of technology and communication flow

This is basically what is happening:

  • I click the on/off button on my TV remote.
  • A Tessel microcontroller reads the IR signal
  • The IR signal is analyzed to see if it indeed is the "on/off" button
  • A request is sent to my Drupal site
  • The Drupal site has enabled a module that defines an endpoint for toggling the site maintenance mode on and off
  • The Drupal site is toggled either on or off (depending on the previous state).

See any potential problems? Good. Let's start at the beginning.

Receiving IR and communicating with Drupal

OK, so this is a Drupal blog, and not a microcontroller or javascript blog. I won't go through this in detail here, but the full commented source code is at github. If you want to use it, you would need a tessel board though. If you have that, and want to give it a go, the easiest way to get started is probably to read through the tests. Let's just sum it up in a couple of bullet points, real quick:

  • All IR signals are collected by the Tessel. Fun fact: There will be indications of IR signals even when you are not pressing the remote.
  • IR signals from the same button are rarely completely identical, so some fuzzing is needed in the identification of a button press
  • Figuring out the "signature" of your "off-button" might require some research.
  • Configure the code to pass along the config for your site, so that when we know we want to toggle maintenance mode (the correct button is pressed), we send a request to the Drupal site.

Receiving a request to toggle maintenance mode

Now to the obvious problem. If you exposed a URL that would turn the site on and off, what is to stop any random person from just toggling your site status just for the kicks? Here is the part where I want to talk about different methods of authentication. Let us compare this to the actual administration form where you can toggle the maintenance mode. What is to stop people from just using that? Access control. You have to actually log in and have the correct permission (administer site configuration) to be able to see that page. Now, logging in with a micro controller is of course possible, but it is slightly more impractical than for a human. So let's explore our options. In 3 posts, this being the first. Since this is the first one, we will start with the least flexible. But perhaps the most lo-fi and most low-barrier entry. We are going to still use the permission system.

Re-using your browser login from the IR receiver

These paragraphs are included in case someone reading this needs background info about this part. If this seems very obvious, please skip ahead 2 paragraphs

Web apps these days do not require log-ins on each page (that would be very impractical), but instead use a cookie to indicate you are still trusted to be the same user as when you logged in. So, for example, when I am writing this, it is because I have a session cookie stored in my browser, and this indicates I am authorised to post nodes on this site. So when I request a page, the cookie is passed along with it. We can do the same passing of a cookie on a microcontroller.

Sending fully authenticated requests without a browser

So to figure out how to still be authenticated as an admin user you can use your browser dev tools of your choice. Open a browser where you are logged in as a user allowed to put the site into maintenance mode. Now open your browser dev-tools (for example with Cmd-Alt-I in Chrome on a Mac). In the dev tools there will be a network tab. Keep this active while loading a page you want to get the session cookie from. You can now inspect one of the requests and see what headers your browser passed on to the server. One of these things is the header Cookie. It will include something along the lines of this (it starts with SESS):

SESS51337Tr0lloll110l00l1=acbdef123abc1337H4XX

Since I am a fan of animated gifs, here is the same explanation illustrated:

This is the session cookie for your session as an authenticated user on your site. Since we now know this, we can request the path for the toggle functionality from our microcontroller, passing this cookie along as a header, and toggle the site as if we were accessing it through the browser.

The maintenance_mode_ir module

As promised, I also posted the Drupal part of the code. It is a module for Drupal 8, and can be found on github

So what is happening in that module? It is a very basic module actually mostly generated by the super awesome Drupal console. To again sum it up in bullet points:

  • It defines a route in maintenance_mode_ir.routing.yml (example.com/maintenance_mode_ir)
  • The route requires the permission "administer site configuration"
  • The route controller checks the StateInterface for the current state of maintenance mode, toggles it and returns a JSON response about the new state
  • The route (and so the toggling) will never be accessible for anonymous users (unless you give the anonymous users the permission "administer site configuration", in which case you probably have other issues anyway)
  • There are also tests to make sure this works as expected

When do you want to use this, and what are the considerations and compromises?

Now, your first thought might be: would it not be even simpler to just expose a route where requests would turn the site on and off? We wouldn't need to bother with finding the session cookie, passing that along and so on? Legitimate question and of course true in the sense that it is simpler. But this is really the core of any communications taking place between your "things" and Drupal (or any other backend) - you want to make sure they are secured in some way. Of course being able to toggle the maintenance mode is probably not something you would want to expose anyway, but you should also use some sort of authentication if it only was a monitoring of temperature. Securing it through the access control in Drupal gives you a battle tested foundation for doing this.

Limitations and considerations

This method has some limitations. Say for example you are storing your sessions in a typical cache storage (like redis). Your session will expire at some point. Or, if you are using no persistence for redis, it will just be dropped as soon as redis restarts. Maybe you are limited by your php session lifetime settings. Or maybe you just accidentally log out of the session where you "found" the cookie. Many things can make this authenticated request stop working. But if all you are doing is hooking up a remote control reader to make a video and put on your blog, this will work.

Another thing to consider is the connection of your "thing". Is your site served over a non-secure connection and you are sending requests with your "thing" connected through a public wifi? You might want to reconsider your tactics. Also, keep in mind that if your session is compromised, it is not only the toggling of maintenance mode that is compromised, but the actual administrator user. This might not be the case if we were to use another form of authentication.
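To show both sides of the exchange described above, here is an added example; it is neither the maintenance_mode_ir module nor the Tessel code from this post. A minimal HTTP endpoint stands in for the Drupal route: it maps the session cookie to a user, requires the "administer site configuration" permission, toggles a maintenance flag and returns JSON. A client function plays the microcontroller and sends the cookie as the post describes. The cookie name, session ids and users are constructed, and the expired-session case shows the limitation discussed in the previous paragraphs: once the session is gone, the device is just an anonymous visitor and gets a 403.

```python
"""Cookie-authenticated maintenance-mode toggle: both sides of the exchange.

Added example, not the maintenance_mode_ir module or the Tessel code from the
post. A tiny HTTP endpoint stands in for the Drupal route: it maps the SESS
cookie to a user, requires the "administer site configuration" permission,
toggles a maintenance flag and returns JSON. device_toggle() plays the
microcontroller. Cookie name, session ids and users are constructed.
"""
import json
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SESSION_COOKIE = "SESSexample"   # constructed; Drupal's cookie is SESS followed by a hash
PERMISSION = "administer site configuration"

# Constructed server-side state: session id -> user, user -> permissions, site state.
SESSIONS = {"s3ss10n-admin": "admin", "s3ss10n-editor": "editor"}
PERMISSIONS = {"admin": {PERMISSION}, "editor": set()}
STATE = {"system.maintenance_mode": False}


class ToggleHandler(BaseHTTPRequestHandler):
    """Stand-in for the route controller: access check first, then toggle."""

    def do_GET(self):
        if self.path != "/maintenance_mode_ir":
            return self.reply(404, {"error": "not found"})
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
        user = SESSIONS.get(sid)   # unknown or expired session -> anonymous
        if user is None or PERMISSION not in PERMISSIONS[user]:
            return self.reply(403, {"error": "access denied"})
        STATE["system.maintenance_mode"] = not STATE["system.maintenance_mode"]
        return self.reply(200, {"maintenance_mode": STATE["system.maintenance_mode"]})

    def reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_server():
    """Serve on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ToggleHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def device_toggle(base_url, session_id):
    """What the microcontroller does: GET the route with the session cookie."""
    req = Request(base_url + "/maintenance_mode_ir",
                  headers={"Cookie": f"{SESSION_COOKIE}={session_id}"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Run the four cases: admin toggles twice, editor lacks permission, session expired."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            "admin_first": device_toggle(base, "s3ss10n-admin"),
            "admin_second": device_toggle(base, "s3ss10n-admin"),
            "editor": device_toggle(base, "s3ss10n-editor"),
            "expired": device_toggle(base, "no-such-session"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (status, body) in demo().items():
        print(f"{case}: {status} {body}")
```

The device code is deliberately dumb: it knows nothing but a cookie value, which is why a compromised cookie gives an attacker the whole administrator session and not just this one route, exactly the concern raised above.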

Now, the next paragraph presented to you will actually be the comments section. The section where you are encouraged to comment on inconsistencies, forgotten security concerns or praise about well chosen gif animations. Let me just first remind you of the disclaimer in the first paragraph, and the fact that this is a series of posts exploring different forms of device authentication. I would say the main takeaway from this first article is that exposing different aspects of your Drupal site to "the physical world", be it remote controlled maintenance mode or temperature logging, requires you to think about how you want to protect these exposed endpoints. So please do that, enjoy this complementary animated gif (in the category "maintenance"), and then feel free to comment.

admin, Sun, 05/03/2015 - 13:39
Categories: Elsewhere
