I know Dries caused a lot of smiles when he used Amazon Echo and Drupal 8 to be notified about “Awesome Sauce” going on sale. The future is bright and requires increasingly more ways of engaging with technology. But what if you wanted to start to have a conversation without Echo to do it? What if we wanted to progressively enhance the browser experience to include lessons learned from conversational input technologies?
The title kind of explains it all. Check out the screencast for a quick demo on how to do it.
This is a recording of a presentation I gave at Drupal Gov Day called Purespeed. There are many posts on this site that are tagged with purespeed if you want to dig into deeper detail about anything mentioned in this talk. This talk consolidates a lot of lessons learned in optimizing Drupal to power elms learning network. I talk through apache, php, mysql, front end, backend, module selection, cache bin management, and other optimizations in this comprehensive full-stack tuning talk.
First off, hope you are all enjoying Drupalcon, super jealous.
It's been almost three months since I wrote about Creating secure, low-level bootstraps in D7, the gist of which is skipping index.php when you make webservice calls so that Drupal doesn't have to bootstrap as high. Now that I've been playing with this, we've been starting to work on a series of simplified calls that can propagate data across the network in different ways.
Hacked! is an extremely powerful Drupal module available in both Drupal 7 and 8 that allows you to check Drupal's modules and core against Drupal.org stored versions to make sure they have not been tampered with. This module is great for non-coders to ensure that the modules are safe and have not been tampered with. It will not check any subthemes or custom modules that do not exist on Drupal.org.
Drupalcon is always special! Back from DrupalCon, left feeling happy, proud to be part of a caring Board, a passionate DA team and last but not least the wonderful Drupal community.
Before Drupal 8 was released, the PHP Filter module was part of Drupal core and allowed site builders and developers to create a PHP filter text format. While very convenient for developers and themers, this was also very risky as you could easily introduce security or even performance issues on your site, as a result of executing arbitrary PHP code.

What's the use case for injecting PHP code in content anyway?
There never is a truly good reason to do so except when you're developing the site and willing to quickly test something. Most of the time, using PHP in content is either the result of laziness, lack of time (easiest to add raw PHP directly rather than having to build a custom module) or lack of Drupal API knowledge. PHP Filter is most often used to inject logic in nodes or blocks. As horrible as it sounds, there are very interesting (and smart!) use cases people have come up with and you have to respect the effort. But this is just not something acceptable as you should always advise a clear separation of concerns and use the Drupal API in every instance.
In the past 5 years I've seen things such as:
- Creating logic for displaying ads after the body
- Injecting theming elements on the page
- Redirecting users via drupal_goto() which was breaking cron and search indexing
- Using variable_set() to store data on node_view()
- Including raw PHP files
The list goes on and on and on.
After heated discussions, and because it was far too easy to have users shoot themselves in the foot, it was finally decided to remove the module from core for Drupal 8. But as the usage statistics for Drupal core page shows, we still have more than 1 million Drupal 6 and 7 sites out there that are potentially using it.
If you're still building Drupal 7 sites or if you're taking over maintaining a Drupal 6 or 7 site, it's thus your responsibility to ensure no PHP code is being executed in nodes, blocks, comments, views, etc.

Determine if the PHP text format is in use
So, before you start wondering if you have an issue to fix, let's find out if the PHP module is enabled.

```
mysql> SELECT name FROM system WHERE name = 'php';
+------+
| name |
+------+
| php  |
+------+
1 row in set (0.00 sec)
```
Now, we need to confirm there is indeed a PHP filter text format on your site. You can use the Security Review module, navigate through the Drupal UI, or query MySQL, which is preferred here and later on because it gives us the granularity we need.

```
mysql> SELECT format,name,status FROM filter_format WHERE format="php_code";
+----------+----------+--------+
| format   | name     | status |
+----------+----------+--------+
| php_code | PHP code |      1 |
+----------+----------+--------+
1 row in set (0.00 sec)
```
When you do have the php_code text format in use on a site, then you need to start your investigation. In this post we'll focus only on nodes. But the same logic applies for all entities.

Audit all nodes with the php_code text format
In the below example we only have 4 nodes. This means php_code was used only when it was required. But it might very well be that all nodes on a site would use the PHP text filter by default. Tracking down issues would then become more challenging. Worse, removing the text filter entirely would be a very time-consuming task in terms of site auditing, as you might not know what is or isn't going to break when you do the change.

```
mysql> SELECT nid,title,bundle,entity_type FROM field_data_body LEFT JOIN node ON node.nid=field_data_body.entity_id WHERE body_format='php_code';
+------+-----------------------+----------+-------------+
| nid  | title                 | bundle   | entity_type |
+------+-----------------------+----------+-------------+
| 7571 | Test nid 7571         | article  | node        |
+------+-----------------------+----------+-------------+
|  538 | Test nid 538          | page     | node        |
+------+-----------------------+----------+-------------+
| 5432 | Test nid 5432         | article  | node        |
+------+-----------------------+----------+-------------+
| 1209 | Test nid 1209         | article  | node        |
+------+-----------------------+----------+-------------+
```

Find PHP code in nodes
Now that we know which nodes have the php_code text filter set, it's easy to find out if there's indeed PHP code in them, and if it's breaking the site in any way, causing performance troubles, or introducing a security hole.

```
mysql> SELECT body_value FROM field_data_body WHERE entity_id=7571;
+--------------------------------------------------------------+
| body_value                                                   |
+--------------------------------------------------------------+
| Thank you for participating! Your results can be found below.
<?php include path_to_theme()."/calculator-results.php"; ?> |
+--------------------------------------------------------------+
```

What about Drupal 8?
As we said in the introduction, the PHP Filter module now lives in contrib instead of Drupal core. And it's very good like that, because it'll prevent the vast majority of Drupal users from installing it. Because, you know, if they can, they will.
If it does exist in production though, then you're in for the same investigation. Fortunately, with Drupal 8 it's even easier to determine when a node is using the php_code text format as you only need one MySQL query and no JOIN.

```
mysql> SELECT entity_id,bundle,body_value,body_format FROM node__body WHERE body_format = 'php_code';
+-----------+---------+----------------------------+-------------+
| entity_id | bundle  | body_value                 | body_format |
+-----------+---------+----------------------------+-------------+
|         1 | article | <?php echo 'hi there!'; ?> | php_code    |
+-----------+---------+----------------------------+-------------+
1 row in set (0.00 sec)
```
Now that you know how to find PHP code in nodes, it's your job to review the code and fix it if necessary, then find ways to remove it completely (custom / contrib module? Theming?). You'll feel a sense of joy when you can switch back to Basic HTML, Markdown, or any other controlled and secure text format.
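The queries above cover node bodies only, while the post notes that the same logic applies to other entities. The following is an added example, not part of the original post, that extends the Drupal 7 audit to comments, custom blocks, every other text field and the roles allowed to use the format. It assumes the stock Drupal 7 schema, MySQL with default settings and no table prefix; the `has_php_tag` and `audit_query` column aliases are names chosen here.

```sql
-- Added example: assumes stock Drupal 7 tables with no table prefix.

-- 1. php_code content in node bodies, comments and custom blocks.
--    has_php_tag is a heuristic that separates rows merely saved with the
--    format from rows that actually contain a PHP opening tag.
SELECT 'node' AS source, entity_id AS id, bundle AS detail,
       body_value LIKE '%<?php%' AS has_php_tag
  FROM field_data_body
 WHERE entity_type = 'node' AND body_format = 'php_code'
UNION ALL
SELECT 'comment', entity_id, bundle,
       comment_body_value LIKE '%<?php%'
  FROM field_data_comment_body
 WHERE comment_body_format = 'php_code'
UNION ALL
SELECT 'custom block', bid, info,
       body LIKE '%<?php%'
  FROM block_custom
 WHERE format = 'php_code';

-- 2. Discover every field table that has a text-format column (current data
--    and stored revisions) and generate one audit query per table.
--    Run the generated statements to list the affected entities.
SELECT CONCAT('SELECT ''', table_name, ''' AS source, entity_type, bundle, entity_id',
              ' FROM `', table_name, '` WHERE `', column_name, '` = ''php_code'';')
       AS audit_query
  FROM information_schema.columns
 WHERE table_schema = DATABASE()
   AND (table_name LIKE 'field\_data\_%' OR table_name LIKE 'field\_revision\_%')
   AND column_name LIKE '%\_format'
 ORDER BY table_name;

-- 3. Roles that are allowed to save content with the php_code format.
SELECT r.name AS role_name
  FROM role_permission rp
  JOIN role r ON r.rid = rp.rid
 WHERE rp.permission = 'use text format php_code';
```

An empty result from all three queries, together with the `filter_format` check shown earlier, is the state to aim for before disabling the PHP module.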
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Elysia Cron module to fix a Cross-Site Scripting (XSS) vulnerability.
You can download the patch for Elysia Cron 6.x-2.x.
If you have a Drupal 6 site using the Elysia Cron module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
This year was special for me, for the first time since DrupalCon Copenhagen (back in 2010), I was able to attend a DrupalCon, thanks to Appnovation.
Modules Unraveled: 163 Easy Local Development Using Kalabox with Mike Pirog - Modules Unraveled Podcast
- What is Kalabox?
- Brief story on history Kalabox
- Is there a plan to use the “official” Docker for mac backend instead of VirtualBox?
- Current update on state of Kalabox
- How does Kalabox compare with other local dev tools like Mamp, DrupalVM etc.?
- Specifically: Speed, flexibility
- Is Kalabox, or will it be usable with server environments other than Pantheon? Ie: Acquia, VPS, PlatformSH
- Team standardization
- Fast local dev
- Automated repeatable tasks
- Github workflow?
- Composer based workflow?
- Our three month roadmap
- You mentioned Tandem in the intro, and you gave me a brief description before the show, but can you expand a little bit on what that is?
YAML is a data serialisation format that is both powerful and easy for us humans to read and understand. In Drupal 8 it's used where Drupal needs a list but doesn’t need to execute PHP. One of the reasons why YAML was chosen for Drupal 8 is because it is already used in Symfony.
In this blog post I will provide an example of a method I use to deploy changes on the projects that I work on in my own time. This method is very useful when there is a need to make a lot of manual changes to the site when there is a new release. You could use this method to automate the deployment process of your Drupal sites. In fact this method can be used for any other non-Drupal sites too.
For this blog post I am using Drush commands.
Let's start from a very simple example. I will use Acquia's directory structure to describe where I am storing release scripts.
Sooper Drupal Themes: Beautiful New Header Designs, Exciting New Portfolio Features, New Landscaping & Gardening Demo!
Before jumping into the release blog post I wanted to respond to the recent Drupal Planet blog posts about the fact that Drupal 8 has so few themes. In my opinion the short answer is: Drupal 8 adoption is very slow.
The slightly longer answer is that Drupal also faces more competition in the lower end of the market, where themes are most often used. WordPress' growth has been great and is now stagnating, but online site builders like Wix, Weebly, and Squarespace are growing and their products are maturing. Another factor that I think relates to Drupal 8's slow adoption especially in the lower end of the market is that Drupal 8 will rely more on distributions due to increased complexity of assembling a fully featured site. As someone who manages a Drupal distribution full time I can tell you it's not as easy as it should be.

Glazed 2.5.3 Release
Today we release what is just the start of a new class of Drupal themes. Over the past year our Glazed theme and Carbide Builder combo has stabilized and proven its capabilities. With our latest Landscaping Theme Demo we are showing that our framework theme is capable of so much more than your average Multipurpose WordPress theme or Bootstrap template. With refined design options and microinteractions we are pushing our Glazed framework theme forward to make way for a future full of beautiful, effective Drupal theme designs. New header options were added, our main menu system got some improvements.
- Added pull-down header design
- Improved overlay menu style
- Support for transparent and full-width menus
- New minimalistic form theming
- New design for portfolio pages
- Image Compare
- Lightbox Gallery for portfolio pages
- Next / Previous node pager
- CHANGELOG Glazed Theme
- CHANGELOG Carbide Builder
As you can see on our roadmap SooperThemes is currently focussing on designing a large collection of Business niche themes based on our Glazed framework Drupal theme and Carbide Drag and Drop Builder. Our most recent addition is Landscaping and Gardening theme. We are not in the business of designing generic niche themes, we aim to release the best niche themes. We developed additional features for this theme including a unique new header and main menu design, an image comparison widget and a lightbox gallery option for portfolio pages.
Check out the Landscaping & Gardening live demo to view our latest niche theme!
While designing a new niche theme I quickly realised that our generic bootstrap navbar layout was the most important bottleneck preventing us from producing truly great niche business website designs. The Glazed Settings for the header were refactored, optimized and extended with new style options and 11 new color options. These options are now also made available in our Glazed Content Design field collection so that you can customize headers for specific landing pages and match your creative content.
You can now view all these headers in our live demo under the new Headers Dropdown menu!
For a landscaping business it's important to showcase your best work to potential customers. The portfolio content type was extended with additional layout options. New features include a Next / Previous node pager at the bottom, an advanced lightbox gallery system for viewing portfolio images and last but not least: an image comparison widget. The comparison widget really makes your case studies stand out, providing an effective and fun way to demonstrate the awesome service your business provided to your customer.
The comparison widget is touchscreen compatible and responsive.
The default Bootstrap 3 forms already started looking dated. We replaced it with a minimalistic new design. Forms now blend in perfectly with any design. Form elements are subtly colored only when interacted with. The selectbox now features a custom themed dropdown icon that is themed using the default font that you configured in Glazed Settings. The selectbox also sports a subtle microinteraction animation when hovered.
In the future look forward to more Drupal Niche Business themes, as well as our move into Magazine themes. WordPress magazine themes have seen a surge in sales on themeforest recently and I think there is opportunity for Drupal to shine in this growing market. After all, Drupal is naturally best at managing large amounts of structured content and magazines are just that. Combine that with the capability of our drag and drop builder to easily generate attractive creative content and there you have a basis for best-in-class magazine themes. If you are interested in joining our little theme shop you can join now for just $48.