Planet Drupal


David Norman: Guardr achieves point release status

Mon, 10/03/2014 - 21:35

The first point release of the Guardr distribution for Drupal was released last week. Though the Guardr node wasn't created until May 2012, the project actually started about 5 years ago. The product follows much of the history of Drupal - as a collaboration between many developers across multiple different shops. The reality is that the Guardr make file is just a way to organize a crap-load of work that was done in module contrib land.

I was faced with hardening Drupal beyond the built-in controls as part of a project for a Fortune 100 company. At the time, my thoughts were to turn Drupal from a social publishing platform into a business application. One of my project requirements was to conform to business practices that would limit users' sessions - to make sure when someone shared a login at work that it could only be used by one person at a time. Shared logins break a security principle of accountability. As long as users are sharing the same account, nobody can tell for sure who updated node content or changed site configuration. That's when I started committing patches to the Session Limit project.

The Drupal Security Report, updated recently in December 2013, enumerates how Drupal is secure by default and how each of the security points maps to the OWASP Top 10 vulnerabilities for web applications. The mitigations for OWASP Top 10 items haven't changed substantially over the past 5 years in Drupal core.

Though Drupal's default configuration sends seemingly harmless information, Guardr goes an extra step - it checks for security updates by default. It seems odd that I should even have to tout that as a feature. Drupal tries to be helpful by displaying errors to the screen after the installation is complete.

Guardr's install profile disables displaying error reporting by default, silently logging them instead. You should be reviewing your logs regularly anyway. Every time Drupal has to log a PHP warning, a deprecated function, or Drupal nuance, it drags down your database and extends your page load times. Even if you mess up in a big way, Guardr hides fatal PHP errors, too.

Part of Drupal's history is as a social platform. Even though the forum module has always been a joke to usefulness, the default new user rules permit new user registration without administrator approval - again, something that Guardr locks down.

While LoginToboggan was a great introduction for usability improvement, allowing users to log in using their email address is a security weakness. I recently just added my real email address to the footer of my blog. If I then also allowed anyone on the Internet to log in using my email address, an attacker would also have half of the credentials needed to break into my account. Guardr removes usernames from the default outgoing email texts, then combines the Realname module to help keep login usernames private. If the attacker doesn't know the username or their password, they've really got a lot of username/password combination permutations to try. Think of it like a poor man's two-factor authentication.

The Internet has several lists of modules that make Drupal sites more secure, but it's things like the pairing of modules like Realname with the removal of usernames in outgoing core emails that make Guardr stand out. It's the build script. Another example - the Remove Generator module removes the META tag that displays "Drupal 7" in the HTML source of every page, but Guardr's build also removes the CHANGELOG.txt file from the root directory, another easy vector for determining both the software and the version of the CMS. Why give the vulnerability scanners and penetration testers the easy way out? Let them try some WordPress vulnerabilities first so your web application firewall and intrusion detection system can flag them well before they get to specific Drupal version exploits.

Starting with Guardr takes away a bunch of the headaches for securing your site from the start. Imagine having a password policy in place that even forces UID 1 to have a reasonably secure password or which even denies UID 1 the ability to activate the PHP input filter. Run your code through version control, test it, review it, wrap it in accountability, tag it, and don't skip the proper workflow.

Guardr's configuration keeps enough logs that you can actually go back a few weeks to review what your users have been doing, who's accountable, and pinpoint events at specific times. The Role watchdog module helps you track down scenarios where a user gave themselves extra access through a role change, then removed the role later - it's logged.

All this configuration and the modules to go with it are maintained by people who have studied advanced security issues, who work for companies who pursue security-conscious customers, and have proven over several years to contribute back to the Drupal security co-op.

It's my opinion that starting with Guardr and using the modules therein sways the balance of Drupal towards being more secure without burdening administrators and users with excess annoyances and overhead. It gives you tools for maintaining uptime, auditing for accountability, injecting countermeasures for attacks, and enforcing policies to make active countermeasures less necessary.
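
The checks below cover the defaults this post says Guardr changes: CHANGELOG.txt in the docroot, the generator META tag, on-screen error display, registration without approval, and the security update check. This is an added example, not Guardr's build script or code from the post; the function names, the sample inputs and the shape of the `variables` and `enabled_modules` arguments are assumptions made for illustration.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Drupal 7 core constants for the two variables audited below.
ERROR_REPORTING_HIDE = 0      # error_level: log errors, display none
USER_REGISTER_VISITORS = 1    # user_register: visitors, no admin approval

# Constructed sample inputs (not taken from a real site).
SAMPLE_CHANGELOG = "\nDrupal 7.99, 2014-01-01\n-----------------------\n- Sample entry.\n"
SAMPLE_HTML = ('<html><head><meta name="Generator" '
               'content="Drupal 7 (http://drupal.org)" /></head></html>')


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.found.append(attrs.get("content") or "")


def changelog_version(docroot):
    """Return the newest version named in CHANGELOG.txt, or None if absent."""
    path = Path(docroot) / "CHANGELOG.txt"
    if not path.is_file():
        return None
    match = re.search(r"^Drupal (\d+\.\d+)", path.read_text(errors="replace"),
                      re.MULTILINE)
    return match.group(1) if match else "unknown"


def audit(docroot, html, variables, enabled_modules):
    """Return (check, detail) findings; an empty list means every check passed.

    variables: dict exported from the site's variable table (assumed shape).
    enabled_modules: set of enabled module machine names (assumed shape).
    """
    findings = []
    version = changelog_version(docroot)
    if version is not None:
        findings.append(("changelog", f"CHANGELOG.txt exposes version {version}"))
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.found:
        findings.append(("generator", f"META generator tag: {content}"))
    level = variables.get("error_level")
    if level is None:
        findings.append(("error_level", "unset; set it to 0 explicitly"))
    elif int(level) != ERROR_REPORTING_HIDE:
        findings.append(("error_level", f"errors shown to visitors ({level})"))
    if str(variables.get("user_register")) == str(USER_REGISTER_VISITORS):
        findings.append(("user_register", "accounts created without approval"))
    if "update" not in enabled_modules:
        findings.append(("update", "Update module off; no security update check"))
    return findings


def demo():
    """Audit a constructed stock-like site and a constructed hardened one."""
    with tempfile.TemporaryDirectory() as stock, \
            tempfile.TemporaryDirectory() as hardened:
        (Path(stock) / "CHANGELOG.txt").write_text(SAMPLE_CHANGELOG)
        before = audit(stock, SAMPLE_HTML,
                       {"error_level": 2, "user_register": 1}, {"node", "user"})
        after = audit(hardened, "<html><head></head></html>",
                      {"error_level": 0, "user_register": 0},
                      {"node", "user", "update"})
    return before, after


if __name__ == "__main__":
    for check, detail in demo()[0]:
        print(f"[{check}] {detail}")
```
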

Categories: Elsewhere

Drupal Association News: Drupal Association Board Meeting this Thursday

Mon, 10/03/2014 - 20:25

We continue to get busier and busier at the Association, and we want to make sure that you know everything we've been up to. Although we normally hold board meetings on Wednesdays, this month we'll be hosting our meeting on Thursday to accommodate some SXSW travel.

Categories: Elsewhere

Mediacurrent: Meet Jonathan DeLaigle

Mon, 10/03/2014 - 19:25

1.  So Jonathan, what's your role at Mediacurrent, both internally and client-related?

As a senior developer at Mediacurrent, I do anything that is necessary to make sure that the vision of the client is executed and delivered on time and in budget.  I fill gaps wherever necessary, from architecture to module updates.  Internally, I work with the devops team to charter a new evolution of local development through the use of great tools such as Vagrant, provisioning software, and virtual machines to create an easily managed and unified local development platform. 

2.  We’re so glad to have you!  Give us an idea of what professional path brought you here.

Categories: Elsewhere

Stanford Web Services Blog: Create a Page Title From the Views Exposed Filter Term

Mon, 10/03/2014 - 16:18

Suppose you're using taxonomy terms in exposed filters, and you want the resulting page to display one of the terms as a title. Taxonomy term pages will give this to you very easily, but sometimes the taxonomy term page is not the right solution. Here's how you can display the taxonomy term as the title of your views page.

Categories: Elsewhere

Commerce Guys: Guest Blog: Manufacturing Ecommerce & Product Customization

Mon, 10/03/2014 - 16:00

The first in a three part series of posts on "eCommerce for Manufacturers" from our Alex Salvador with Drupal Commerce Delivery Partner The Jibe

Manufacturing and wholesale is a neglected sector when it comes to optimizing for ecommerce. Most businesses use outdated online approaches to lead generation and sales in what is now a sophisticated digital retail environment. Simply providing product overviews and product order sheets online is no longer enough to make the sale. For the big, high-volume projects supplied by manufacturers, the efficiency of digital tools is invaluable.


Product Customization and Scalability

Scalability is key for enterprise level organizations with vast inventories and a large client base, in order to execute many large orders successfully. Drupal Commerce is uniquely positioned to streamline the sales experience of a large scale operation on a unified platform, avoiding the pitfalls associated with using a bolt-on store to complete sales.

Manufacturing products, when applied to retail scenarios, often come in an extensive array of variations (sizes, colours, power, speed, etc). Using the Drupal Commerce back-end, each product can be configured for these unique variations using a bulk product creation interface. Product variants are streamlined into a manageable, single product page. This eliminates the need to scroll through an endless catalogue which we often see on older, less optimal sites.

Inventory Management

Drupal Commerce simplifies inventory management and speeds up product creation by providing mechanisms to display a single back-end product in a variety of contexts. In other words, it is easy to reuse a single product and to display it on its own independent product page and in product bundles – no duplication of products required.

Products that are often purchased together can be sold in a bundle as a single item. This is especially relevant to the manufacturing industry because many items have associated accessories. Bundles promote intelligent cross-sells. For example, recommending baseboards and moulding to sell with wood flooring.

Discounting

Another must have for large retailers is a flexible discounting system. Drupal Commerce uses rules to drive this functionality: website administrators can create a rule that will apply an arbitrary discount on products that match the criteria defined by the rule. For example: discount products tagged with “high performance” by 10%; or discount all products with a SKU starting with XYZ by $5. These rules allow retailers to provide bulk discounts on a large set of items, or on a very granular basis.

In conclusion, next level product customization has made manufacturing ecommerce an intuitive next step in streamlining sales systems.

Upcoming in our Ecommerce for Manufacturers series: Sales and Marketing.


Categories: Elsewhere

Acquia: 5 Mistakes to Avoid on your Drupal Website - Number 5: Maintenance

Mon, 10/03/2014 - 14:12

In the previous articles in this series, we've focused on aspects of architecture, security and performance and the choice of infrastructure.

Categories: Elsewhere

Zivtech: Transitioning From a Freelance Drupal Contractor to a Drupal Shop

Mon, 10/03/2014 - 14:00

Hi, my name is Jason Moore and I am a Developer here at Zivtech. I recently started working for Zivtech full time, helping their talented team continue to build and maintain awesome Drupal websites and applications for their clients. For the three years prior to joining Zivtech, I built a name for myself in the local Philadelphia Drupal community as a go-to “freelancer”, specializing in small to medium-sized projects that shops like Zivtech and Rock River Star couldn’t take on, for one reason or another. I held out for quite a while as a freelancer as things were going great. But then I got an email from Alex, co-founder of Zivtech, asking me if I was looking for full-time work. It was at that point I realized that my Drupal skills were in higher demand than I thought and that I might be selling myself short by doing it all by myself.

When I say doing it all, I really mean everything. I did all project management, billing, development, theming, QA, training, planning and deployment for every project that came through my pipeline as a Drupal freelancer. The only thing I didn’t do myself was design, so I partnered with a graphic designer early on to solve that issue. At first this all seemed easy, but as new projects continued to roll in and my schedule continued to fill up with actual development hours, time during my work day disappeared for doing all the non-development tasks associated with each client project. Being my own boss ended up producing some very long days and more stress than I anticipated.

Outside of actual time spent working on client projects and administrative overhead, I also spent a fair amount of money on the expenses required to run a small business. Many expenses were for services or other required components of running a successful Drupal development business. These included hosting costs, hardware costs and software that I needed for my day-to-day operations. The largest expense had to be my health insurance, which I paid out of pocket as an individual. My insurance premium nearly doubled during a three-year time span, starting at $151/month and increasing to $250/month. Zivtech has a generous benefits package, which helps cover most of the cost of my health care plan. Now I am even able to cover my fiancé, which is a huge benefit since we are expecting a baby in June.

It might sound a little bit like I didn’t enjoy what I was doing as a freelancer, but that honestly was not the case. It really is a pure dose of freedom to live the American Dream working for yourself and actually succeed at it. It is the ultimate satisfaction knowing that you are making it all work without a college degree. That uncanny amount of freedom in my freelance work led to both good and bad times during my freelancing days. It meant that I did not have a real start time to my day, which ultimately led to many late night development sprints. Many of my clients were based on the West Coast, so naturally I would modify my work schedule to be available during their work day. In the end, I believe my body thought I was located somewhere in the Southern Pacific, while my mind was busy building websites in Philadelphia.

The transition from a freelance Drupal contractor to a Drupal shop has really been quite seamless to this point, as I have been using many of Drupal’s best practices and helpful development tools for years. This general understanding of best practices and helpful tools like git helped me jump right in on Zivtech client projects and infrastructure improvements within my first few days. Generally, I had used git to control only my own code changes, but now I am working with a larger team at Zivtech. This is a bit of a change in workflow than I am used to, and it caused a few snags early on. Luckily there are great team leaders like Jody Hamilton and Howard Tyson there to point out helpful workflow best practices to make that transition less painful. There are also project managers on our team like Jeff Waldman and Michael Gubicza, who help keep the ball rolling by delegating tasks through Unfuddle’s ticketing system. This keeps us on track (and within budget!) during a particular sprint. The Unfuddle ticketing system is very similar to the Bitbucket repository and ticketing system I had been using for the past 3 years on my freelance projects. It seems I was meant to be in a team environment, rather than a solo career as a Drupal developer. Zivtech is definitely a well-oiled factory of machines compared to the small button factory I used to build sites out of.

The most noticeable change from freelancing to working in a shop is that I no longer have to follow up with clients for payment. There weren’t many occasions where I had to do this, but it was never a fun conversation and always led to some stress. Chasing clients down for payment is now ultimately not part of my daily tasks, which lets me focus on what I enjoy doing: building websites. It’s very nice to know that finding new projects is no longer part of my job description and the work just keeps coming in.

At the end of the day, my transition to working at Zivtech on a larger team of skilled developers has been both very positive and a great learning experience. It has put me in a better mood on a daily basis with less stress and I am definitely working in a more educational environment than working alone in my home office. If you’re a freelancer and can hold out until you find a great company that fits your needs, then don’t sell yourself short; see if making the transition to a shop is right for you!

Categories: Elsewhere

Web Omelette: Cool Module: Menu Token

Mon, 10/03/2014 - 09:10

In the previous article I showed you how you can add menu items with wildcards to your menus in custom modules. Since then, however, I've been shown a cool module that allows you to do similar things through the UI: Menu token.

Menu token allows you to define menu items that include tokens (provided by the Token module). These tokens get replaced on page load depending on the context or whatever rule you set when you created the menu. So let's take a look at how it works.

To install it, go through the normal module installation procedure. With Drush, this is simple:

drush dl menu_token token && drush en menu_token token

You'll notice that we also install the Token module as it is needed.

Before anything, navigate to admin/config/menu_token and check/uncheck the relevant boxes. These are basically the available entity types exposed by Menu Token.

Next, go to your menu and add a new link. You'll notice a new checkbox saying Use tokens in title and in path. Check that box and you'll get all the options for the token in that menu link.

Example #1: Current User ID

Let's see how we can create a menu link that goes to the user page of the currently logged in user.

  1. Under Method for users, select User from context.
  2. Best to also check the box Remove token if replacement is not present to avoid problems if the token is not available on a given page
  3. Browse the available tokens and look for this one: [current-user:uid]. This is the token for the currently logged in user account ID.
  4. Add your menu title and for the path specify: user/[current-user:uid].
  5. Save

Now if you go somewhere your menu is visible, you'll notice a new link that leads to your user account page. Neat. We haven't done anything that isn't already available in Drupal core, but still neat. The reason I'm saying this is that you can create a menu link with the path user/ that will lead to the same place. But for illustrating the power of Menu Token, it's a good example.

Example #2: Current Node Type

Let's say you have a View that displays nodes of two different content types: Article and Basic Page. This View has a contextual filter to show nodes of the type article when the first parameter after the path to the view is article. And same for the Basic Page (with page being the machine name). The view path is nodes.

Let's create a menu link for the main menu that will link to this view and pass to the URL the content type of the currently viewed node.

  1. Under Method for nodes, select Node from context.
  2. Best to also check the box Remove token if replacement is not present to avoid problems if the token is not available on a given page
  3. Browse the available tokens and look for this one: [node:content-type:machine-name]. This is the token for the currently loaded node content type.
  4. Add your menu title and the following path: nodes/[node:content-type:machine-name]
  5. Save

Now if you navigate to an article page, you'll notice in your main menu a new link to the following path: nodes/article. If you go to a Basic page, it'll be nodes/page. And clicking on these will of course take you to your View page with the filtering applied.


These are a couple of simple examples of how you might use Menu Token. Of course you can use it in other situations depending on what you need and what tokens are available.

Hope this helps.

Categories: Elsewhere

Damien McKenna: Convention plans for the year

Sun, 09/03/2014 - 20:26

While I'm not going to Drupalcon, missing my second 'con in a row, I am hoping to attend some regional camps this year:

Categories: Elsewhere

SystemSeed: Panopoly 1.2 released

Sat, 08/03/2014 - 19:20

We are pleased to announce that the Panopoly 1.2 release is now available on Once again, thank you to all those that contributed.

Categories: Elsewhere

Deeson Online: Deeson Online 2014 DrupalCamp London round up

Sat, 08/03/2014 - 17:24
By Lizzie Hodgson | 8th March 2014

Running from Friday February 28 to Sunday March 2, DrupalCamp London was the second largest DrupalCamp ever seen in Europe: Attended by over 600 people, it included a CxO day, over 30 sessions and Bofs, and high-caliber keynotes from organisations ranging from Cancer Research and Government Digital Service to Drupal Association and Acquia.

Drupal's growing up

The event itself had more of a DrupalCon feel than a Camp - emphasising the view that Drupal community is 'growing up', something that Associate Director at Drupal Association, Megan Sanicki, also hit home in her keynote. We were lucky enough to catch up with Megan where she expanded on topics covered in her speech.

Expanding the Drupal talent pool


Talent was also very much part of the focus of DrupalCamp London. This was not only reflected in the attendance of a group of Drupal Apprentices (above) who met with potential employees at a special Bof, but also with the inclusion of Eric Gaffen, Global Manager, Talent Acquisition at Acquia. Eric travelled over from Boston to be at the event, and in this great short video told us why nurturing great Drupal talent is important for the whole of the Drupal ecosystem.

Networking, sessions... and swag!

Deeson Online not only sponsored it, MD Tim Deeson was also one of the organisers. And as this Vine proves, was also king of networking...

Deeson Online Developer Annika Clarke gave a session entitled Introducing Demo Framework, a distribution that aims to make the process of pitching Drupal to new clients a lot easier, while Solutions Architect John Ennew delivered his session on concurrent programming in Drupal. We'll be putting up their well-attended presentations very soon - so watch this space.

But as is the case with anything vaguely Drupaly... it's the swag that people really love, and our We Are Smarter Than Me tees went down a storm again!

2014 DrupalCamp London definitely upped the game, and next year's event will no doubt build on the great foundations set down last weekend. We're looking forward to it already!

Categories: Elsewhere

Deeson Online: DrupalCamp London: Interview with Megan Sanicki

Sat, 08/03/2014 - 15:12
By Lizzie Hodgson | 8th March 2014

While at DrupalCamp London, we caught up with Associate Director at Drupal Association, Megan Sanicki, for a quick video interview.

In it Megan highlighted key elements from her keynote speech including how:

  • Drupal Association is stepping up their mission to further the project and help expand the community
  • They plan to grow from 3% to 10% of the web
  • They're investing £850k to improve including marketing to help people understand why they should adopt Drupal 8.
A call to action

In the video, Megan also emphasises that Drupal Association want to know how they can better serve the UK Drupal community - so tell them @drupalassoc or contact them via their website.

Megan's DrupalCamp London keynote

You can also see the slide deck from her DrupalCamp London keynote below. In it Megan shares in more detail the Association's vision and the programs being implemented to help make that happen.

Drupal Camp London Drupal Association Keynote 2014 from Drupal Association
Categories: Elsewhere

Jackson River: Jackson River Earns 2013 inc5000 Honors

Fri, 07/03/2014 - 21:22

When we started Jackson River in 2008 we had a simple business plan.  It wasn't filled with lofty goals for things like revenue, number of employees or market share. Those things are important in business but can also lead to the tail wagging the dog.  Instead we had one simple idea: figure out the problems progressive nonprofits face and solve them...and that became our business plan.

Categories: Elsewhere

Nextide Blog: Maestro - Drupal 8 - Road map

Fri, 07/03/2014 - 18:43

With Drupal 8 emerging on the horizon, we've started to delve in to our core modules, Maestro and Filedepot, beginning the process of porting them from Drupal 7 to 8.

For our Drupal 8 version of Maestro, I have some immediate concerns that I would like addressed, but also some "wish list" items which I feel would bring a great deal of flexibility.

A condensed road map, of sorts, for Maestro's first release on Drupal 8 would be:

Categories: Elsewhere

Drupal Easy: X Marks the Spot: A Beginner's Guide to Online Maps in Drupal

Fri, 07/03/2014 - 16:18

Mapping address data in Drupal can be confusing, if only because of the great number of contributed modules available that involve online maps. Picking the right module (or combination of modules) is challenging - especially for site builders who are new to mapping in Drupal. In this tutorial, we'll utilize the popular and well-supported Geofield module as one of the key ingredients in the common task of entering address data and having it displayed on an interactive map.

This tutorial contains step-by-step instructions for accomplishing this task, as well as a screencast demonstrating all of the steps.


Categories: Elsewhere

InternetDevels: Drupal themes

Fri, 07/03/2014 - 09:13

Each site has its own design. Good-looking design will help attract users, they will stay on the portal longer and most likely will visit it again.

There are lots of Drupal themes that will help you to develop your own theme from scratch, to create a simple and beautiful catalogue website, or to make a useful site that will have a lot of helpful materials.

Categories: Elsewhere

Code Drop: Writing a Drupal 8 Image Effect Plugin for Image Styles

Fri, 07/03/2014 - 05:48

Recently at Drupal South I had the opportunity to upgrade the Image Style Quality module to Drupal 8. I was lucky enough to be surrounded by some of Australia's top Drupal contributors who were more than happy to lend a hand with the ins and outs. In this blog post I will run through the entire processes of writing an image effect plugin for Drupal 8.

Categories: Elsewhere

Advantage Labs: Baking our cake and eating it too: an uncamp FTW

Thu, 06/03/2014 - 22:05

In the past 3 years the Twin Cities Drupal community has organized one of the best annual Drupal camps in the country. But still we find learning gaps -- people new to Drupal looking for help answering questions they haven't yet formed; advanced developers seeking challenges; self-taught site-builders wanting to understand if they've put the pieces together correctly. Staring at another 7 months before our next DrupalCamp Twin Cities, this past Saturday we hosted the first ever Twin Cities Drupal Open House (TCD'OH!) in an effort to address the difficulty of being everything for everybody every time.

Categories: Elsewhere

Modules Unraveled: How to use multiple logos in responsive design

Thu, 06/03/2014 - 19:14

When re-designing my site, I needed to make the logo responsive so that it could stay out of the way, and not take up more screen real estate than needed. Here's my (debatably hacky) solution to creating a responsive logo using css and display:none.

Show Different Logos Based On Window Size
Categories: Elsewhere

Lullabot: Creating a Simple Chrome Extension

Thu, 06/03/2014 - 19:00

As a front-end developer there are a lot of different technologies to keep up with. Whether I’m working with AngularJS or trying to set up Grunt tasks, I find myself having to look up a lot of things. To make that easier on myself, I decided to write Google Chrome extensions to simplify the process. It turns out that’s pretty darn easy! In this article, I’ll show you how to create a simple one that hooks into Chrome's Omnibar to search the Drupal API with a simple keyword.

Categories: Elsewhere