Drupal

Savas Labs: How to transition your website from HTTP to HTTPS

Planet Drupal - 31 July 2018 - 5:00pm

How to move from serving your site over HTTP to HTTPS. Spoiler alert: there are some easy ways to do this with various Drupal hosting options. A quick read for guidance.

Categories: Drupal

Acquia Developer Center Blog: 10 Reasons Why You Should Start Your New Project in Drupal 8 (instead of Drupal 7)

Planet Drupal - 31 July 2018 - 11:02am

Sorry Drupal 7, it’s not you, but it’s time to move on... (to Drupal 8).

As developers, we sometimes forget that we live in a tech bubble. In our highly technical world we assume things that not everyone sees.

For example, there are still reasons that clients frequently cite to justify staying in an old version of Drupal, in this case Drupal 7, instead of starting a new project straight away in Drupal 8. This is true even when we are talking about starting a brand new project (as opposed to just migrating).

Tags: acquia drupal planet
Categories: Drupal

SKU prefix promotion condition

New Drupal Modules - 31 July 2018 - 10:07am

Adds a type of promotion that will try to match on SKU prefix.

Categories: Drupal

Drupal blog: Building digital backpacks for Syrian refugees

Planet Drupal - 31 July 2018 - 8:41am

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

I recently heard a heart-warming story from the University of California, Davis. Last month, UC Davis used Drupal to launch Article 26 Backpack, a platform that helps Syrian Refugees document and share their educational credentials.

Over the course of the Syrian civil war, more than 12 million civilians have been displaced. Hundreds of thousands of these refugees are students, who now have to overcome the obstacle of re-entering the workforce or pursuing educational degrees away from home.

Article 26 Backpack addresses this challenge by offering refugees a secure way to share their educational credentials with admissions offices, scholarship agencies, and potential employers. The program also includes face-to-face counseling to provide participants with academic advisory and career development.

The UC Davis team launched their Drupal 8 application for Article 26 Backpack in four months. On the site, students can securely store their educational data, such as diplomas, transcripts and resumes. The next phase of the project will be to leverage Drupal’s multilingual capabilities to offer the site in Arabic as well.

This is a great example of how organizations are using Drupal to prioritize impact. It’s always inspiring to hear stories of how Drupal is changing lives for the better. Thank you to the UC Davis team for sharing their story, and continue the good work!

Categories: Drupal

Web Wash: Create Dropdown Menus using Superfish in Drupal 8

Planet Drupal - 31 July 2018 - 6:30am

The Superfish module allows you to create multi-level dropdown menus in Drupal 8. The module uses the JavaScript Superfish library to create and display a Superfish menu block for each menu available on your site.

With a few configuration options, you can control how it’ll behave on mobile, turn on multi-column menus, change the styling and more.

The module does come with a few styling options, but you’ll have to style it yourself to match your theme. When you configure Superfish the first time, the dropdown functionality will work; however, it may not look good.

In this tutorial, you’ll learn how to install the module and how to configure it.

Categories: Drupal

Config Overlay

New Drupal Modules - 31 July 2018 - 6:02am

Provides a configuration filter to turn the configuration export into an overlay of the shipped configuration of all installed configuration. Installing this module and subsequently exporting configuration will leave only those configuration files in your export directory that have been added or modified relative to the shipped configuration of modules and installation profiles.

Categories: Drupal

Clockwise.MD API

New Drupal Modules - 31 July 2018 - 5:57am

This Clockwise.MD API module is for connecting and calling their API. It is a simple module, but it gives you a method and a class to work with to call the API to get results.

How to Use

Add your authorization token via the module's config page: /admin/config/services/clockwise

API CALL

The callApi method can take up to four parameters, only the endpoint is required.

Categories: Drupal

OpenSense Labs: Going All Guns Blazing: Enforce Strong Password Policies with Drupal

Planet Drupal - 31 July 2018 - 4:58am
Shankar Tue, 07/31/2018 - 17:28

Ali Baba and the Forty Thieves, invented in the 18th century by the French Orientalist Antoine Galland, portrays the literary history of the password. The invocation, “Open, Sesame!” which was used in this classic tale to open the magically sealed cave enjoys a broad currency as a catchphrase today.


With the rapidly evolving digital space, password security is even more crucial and needs the right kind of strategic perspective with strong policies. Drupal, being one of the most secure platforms among the leading content management systems, can help in enforcing password policies with its enormous security-oriented abilities. 

Password Policy: A Close Look

Password security was brought into the computing world through the invention of the Compatible Time-Sharing System and Unics (Unix) system.  This was developed at the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. The concept of the password was developed so that the users could only have the access to specific files in their allotted time of computer usage.

Source: Digital Guardian

A password policy is a particular collection of rules that enables proper storage and utilisation of passwords, helps in the creation of dependable and secure passwords and enhances computer security. Commonly, it is part of the official regulations of an organisation and might be employed as a component of security awareness training.

On what basis can you formulate a password policy? One of the best collections of guidelines for password policy comes from the National Institute of Standards and Technology (NIST), which is a part of the U.S. Department of Commerce. They have framed a set of Digital Identity Guidelines that provide a great basis on which password policy can be crafted.

The guidelines provided by NIST stress user-friendliness. They state that excessively onerous password policies often have a negative impact. For instance, if users are forced to change their passwords every week, many of them would wind up choosing bad passwords.

Security has always been a compromise between allaying risk and convenience.

Research from Microsoft on password strategies suggests that simple passwords, which can be easily memorised, should be used for low-risk sites. Intricate passwords should be reserved for the sites where the security risks warrant huge repercussions. This suggestion is debatable but it illustrates the trade-off.

For instance, if your site involves users sharing fields of their pet dogs, you can have a lenient approach towards your password policy. Complex passwords may be used for sites where users access sensitive financial or healthcare-related data.    

Can Drupal modules and configurations be used for implementing strong password policies?

Drupal’s rich security features for enforcing strong password policies

By default, Drupal offers guidance on how to make your password stronger. But it does not enforce any password policy out-of-the-box. In order to do that, it comes with a huge library of modules that can help in the enforcement of firm password policies.

Setting restrictions on password

Password Policy, a Drupal module, allows you to lay a set of requirements on passwords that are created by the users. These requirements comprise length, digits, case, punctuation etc. For instance, you can set what sort of characters, and how many of them, can be used in a password. It also comes with a password expiration feature.

Setting composition rules

The Password Policy lets you set up intricate composition rules for the passwords. But another Drupal module, Password Strength, offers a user-friendly alternative to prescriptive composition rules. It offers real-time password strength measurement and server-side enforcement.

NIST guidelines suggest that spaces are permitted in passwords which can contribute towards more user-friendly policies when it comes to passphrases. Drupal allows spaces in passwords out-of-the-box.

In case you do not need any special locks, you can disable the password strength check using a Drupal module called Password Strength Disabler and allow users to feel at ease while creating passcodes.

Avoiding hints and reminders

In case your website requires hints and reminders, you can add an additional lock to the doors by incorporating security questions while logging in and resetting passwords. Security Questions, a Drupal module, helps you in achieving this with numerous configurable options.

However, NIST guidelines suggest that it is better to avoid hints and reminders. Security questions which are fairly easy to guess can be used to compromise user accounts.

But Drupal offers another very useful module called Username Enumeration Prevention which can make it difficult for website hackers to find the usernames and attempt any brute-force attacks.

Leveraging authentication procedure

In case you need more than one lock, the Two-factor Authentication module can come in handy. It provides an extra layer of security to the authentication procedure. This can be one-time passwords (OTP), codes sent through SMS, or pre-generated codes. It also allows integration with third-party services like Authy, Duo etc.

An authentication and authorisation infrastructure system, Shibboleth is capable of granting individual users safe, anywhere, anytime access to resources which are available online. Shibboleth authentication, a Drupal module, offers user authentication with Shibboleth.

This confrontation in the so-called shibboleth incident in the 12th chapter of the biblical Book of Judges delineates the earlier forms of password security:

“ ‘Say now Shibboleth’; and he said ‘Sibboleth’; for he could not frame to pronounce it right; then they laid hold on him, and slew him at the fords of the Jordan.”

Implementing rate-limiting

Drupal does rate-limiting out-of-the-box. But there is no particular UI which exposes configuration that can be tweaked. Flood control, a Drupal module, allows you to limit the number of login attempts by using a convenient admin interface.

To take rate-limiting a step further, Login security module can be beneficial. It helps in limiting the number of invalid login attempts before blocking accounts or denying access by IP address temporarily or even permanently.

To facilitate the login attempts limitation by blocking out the sources of malicious requests, Fail2ban Firewall Integration module offers an automated firewall tool.
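
The per-account and per-IP limiting described in this section, as an added example (not Drupal's or any module's code): it replays constructed login events through two sliding windows. The thresholds, event format and function names are assumptions made for the illustration.

```javascript
// Added example: sliding-window flood control for failed logins.
// Thresholds are illustrative assumptions, not Drupal's defaults.
const LIMITS = {
  userLimit: 3,    // failed attempts allowed per account ...
  userWindow: 600, // ... within this many seconds
  ipLimit: 5,      // failed attempts allowed per source IP ...
  ipWindow: 300,   // ... within this many seconds
};

// Number of recorded failure timestamps still inside the window at `now`.
function recentCount(times, window, now) {
  return (times || []).filter((t) => now - t < window).length;
}

// Replay login events in time order and return one decision per event:
// 'ok', 'failed', 'blocked-user' or 'blocked-ip'.
// A production store would also prune expired timestamps.
function replay(events, limits = LIMITS) {
  const byUser = new Map(); // account name -> failure timestamps
  const byIp = new Map();   // source IP    -> failure timestamps
  const decisions = [];

  for (const { time, user, ip, ok } of events) {
    // The flood check runs before the password is looked at, so a locked
    // account rejects correct and incorrect passwords alike.
    if (recentCount(byIp.get(ip), limits.ipWindow, time) >= limits.ipLimit) {
      decisions.push('blocked-ip');
      continue;
    }
    if (recentCount(byUser.get(user), limits.userWindow, time) >= limits.userLimit) {
      decisions.push('blocked-user');
      continue;
    }
    if (ok) {
      byUser.delete(user); // a successful login resets the account counter
      decisions.push('ok');
      continue;
    }
    byUser.set(user, [...(byUser.get(user) || []), time]);
    byIp.set(ip, [...(byIp.get(ip) || []), time]);
    decisions.push('failed');
  }
  return decisions;
}

// Constructed sample events (times in seconds; IPs from documentation ranges).
const SAMPLE_EVENTS = [
  { time: 0,   user: 'alice', ip: '203.0.113.5',  ok: false },
  { time: 10,  user: 'alice', ip: '203.0.113.5',  ok: false },
  { time: 20,  user: 'alice', ip: '203.0.113.5',  ok: false },
  { time: 30,  user: 'alice', ip: '203.0.113.5',  ok: false }, // account limit hit
  { time: 40,  user: 'bob',   ip: '203.0.113.5',  ok: false },
  { time: 50,  user: 'carol', ip: '203.0.113.5',  ok: false },
  { time: 60,  user: 'dave',  ip: '203.0.113.5',  ok: false }, // IP limit hit
  { time: 70,  user: 'alice', ip: '198.51.100.7', ok: true },  // real user, still locked
  { time: 400, user: 'erin',  ip: '203.0.113.5',  ok: false }, // IP window expired
  { time: 700, user: 'alice', ip: '198.51.100.7', ok: true },  // account window expired
];

console.log(replay(SAMPLE_EVENTS));
```

The eighth event shows the cost of account lockout: the legitimate user is refused with the correct password until the account window expires.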

Enhancing login features

If your website is available via both HTTP and HTTPS, Secure Login module can ensure that your user login forms or other pages are transmitted via HTTPS. This keeps the passwords hidden from the prying eyes of hackers.

It is always appreciated when the user is given the convenience of using an all-in-one login. OneAll Social Login module allows users to sign in on your website using their social network accounts like Facebook, LinkedIn, Twitter, Instagram etc.

In case a user types an email address incorrectly in a sign-up form, they will not get any confirmation emails, which can be troublesome. Email Verify module verifies whether the email address typed by the user exists or not.

Doing away with passwords altogether

What if you do not want to enter a password at all? The Passwordless module gives a possibility of logging in without using a password at all. So if a user has to log in, only the email address would be required. A login link will be sent to that email address which will be valid for 24 hours.

Outlining best practices of password policy

While Drupal is very efficacious in enforcing strong password policies, it is imperative to understand the best practices that can be adopted for incorporating intelligent password policy.

Source: Dashlane
  • Adopting the 8 + 4 rule can be beneficial. You can use 8 characters with 1 upper-case and 1 lower-case, a special character like an asterisk and a number. Make it as random as possible. Also, make sure the numbers and symbols are spread out through the password to foil hackers.
  • Avoid using personal information like your birth date or last name etc.
  • Use different passwords for different accounts. This can be helpful if there are numerous computers in the same department.
  • Adopting passphrases in combination with symbols and numbers can be useful. For example, The Sun Will Rise Again Tomorrow. Also, keep the characters less in the passwords that are easier to remember.
  • You may consider not changing the passwords frequently and it is safer not to write them down anywhere.
  • Do not share the password over electronic media.
  • Add other barriers like two-factor authentication and multi-factor authentication.
  • Set a number that will lock the user out after a few unsuccessful attempts.

Conclusion

Password security has evolved over the years in the digital arena. It is significant to have a strong set of rules while deploying password policies. They should not only assist users in avoiding bad passwords but aid in employing high entropy secure passwords. Drupal provides a superb platform to enforce strong password policies with its amazing set of modules.
 
Not only do we aid in Drupal development, we also provide continuous support and maintenance services. Contact us at hello@opensenselabs.com for the enforcement of strong password policies in your business environment.

Categories: Drupal

Drush Content

New Drupal Modules - 31 July 2018 - 4:53am

Programmatically create, update, delete and deploy content with simply JSON and custom Drush commands.

Categories: Drupal

Violinist projects

New Drupal Modules - 31 July 2018 - 4:30am

This is the module that does some of the work related to projects on violinist.io

Categories: Drupal

Element class formatter

New Drupal Modules - 31 July 2018 - 3:26am

Coming soon!

Overview

A collection of field formatters which add classes to various elements (as opposed to the wrapper markup).

Categories: Drupal

DvG Search Overheid.nl

New Drupal Modules - 31 July 2018 - 3:07am

The Open data webservice for Overheid.nl allows you to search and reuse regulations, announcements and other data collections of the Dutch government.

The DvG Search Overheid.nl module uses this API to store the results for publications on Overheid.nl in Drupal, so they can be added, for example, to a search index to make the publications searchable through your website. The publications are updated twice a day, by default at 10am and 2pm.

Documentation on the overheid.nl API can be found on koopoverheid.nl.

Categories: Drupal

Agiledrop.com Blog: AGILEDROP: Rachel Lawson on the road with Drupal

Planet Drupal - 31 July 2018 - 2:57am
Agiledrop is highlighting active Drupal community members through a series of interviews. Learn who the people behind Drupal projects are. This week we talked with Rachel Lawson. Learn how she first came across Drupal, what change she just saw that she was working on and what contributors she is most proud of. 1. Please tell us a little about yourself. How do you participate in the Drupal community and what do you do professionally? Well, I did spend a few years as a Drupal site-builder and maybe-developer and got involved in core contribution and mentoring, but recently I took…
Categories: Drupal

S. M. Bjørklund: PHP method chaining - Fluent interface

Planet Drupal - 31 July 2018 - 2:36am

If you have ever used Drupal or any other framework like Symfony, Laravel and so on, you have probably come across code that looks something like:

Categories: Drupal

Gizra.com: WebdriverIO Tests with Multiple Browsers

Planet Drupal - 30 July 2018 - 10:00pm

Everything was working great… and then all the tests broke.

This is the story of how adding a single feature into an app can break all of your tests. And the lessons that can be learned from it.

The Feature that Introduced the Chaos

We are working on a Drupal site that makes use of a multisite approach. In this case, it means that different domains are pointed at the same web server and the site reacts differently depending on which domain you are referencing.

We have a lot of features covered by automatic tests in Webdriver IO – an end to end framework to test things using a real browser. Everything was working great, but then we added a new feature: a content moderation system defined by the workflow module recently introduced in Drupal 8.

The Problem

When you add the Workflow Module to a site – depending on the configuration you choose – each node is no longer published by default until a moderator decides to publish it.

So as you can imagine, all of the tests that were expecting to see a node published after clicking the save button stopped working.

A Hacky Fix

To fix the failing test using Webdriver you could:

  1. Login as a user A.
  2. Fill in all the fields on your form.
  3. Submit the node form.
  4. Logout as user A.
  5. Login as user B.
  6. Visit the node page.
  7. Publish the node.
  8. Logout as user B.
  9. Login back as user A.
  10. And make the final assertions.

Here’s a simpler way to fix the failing test:

You keep your current test that fills in the node form and saves it. Then, before you try to check if the result is published, you open another browser, log in with a user that can publish the node, and then continue the rest of the test with the previous browser.

Multiremote Approach

To achieve this, Webdriver IO has a special mode called multiremote:

WebdriverIO allows you to run multiple Selenium sessions in a single test. This becomes handy when you need to test application features where multiple users are required (e.g. chat or WebRTC applications). Instead of creating a couple of remote instances where you need to execute common commands like init or url on each of those instances, you can simply create a multiremote instance and control all browser at the same time.

The first thing you need to do is change the configuration of your wdio.conf.js to use multiple browsers.

    exports.config = {
      // ...
      capabilities: {
        myChromeBrowser: {
          desiredCapabilities: {
            browserName: 'chrome'
          }
        },
        myFirefoxBrowser: {
          desiredCapabilities: {
            browserName: 'firefox'
          }
        }
      }
      // ...
    };

With this config, every time you use the variable browser it will repeat the actions on each browser.

So, for example, this test:

    var assert = require('assert');

    describe('create article', function() {
      it('should be possible to create articles.', function() {
        browser.login('some user', 'password');

        browser.url('http://example.com/node/add/article');
        browser.setValueSafe('#edit-title-0-value', 'My new article');
        browser.setWysiwygValue('edit-body-0-value', 'My new article body text');
        browser.click('#edit-submit');

        browser.waitForVisible('.node-published');
      });
    });

will be executed multiple times with different browsers.

Each step of the test is executed for all the browsers defined.

Instead of using browser you can make use of the keys defined in the capabilities section of the wdio.conf.js file. Replacing browser with myFirefoxBrowser will execute the test only in the Firefox instance, allowing you to use the other browser for other types of actions.

Using the browser name, you can specify where to run each step of the test.

The Custom Command Problem

If you take a deeper look at previous code, you will notice that there are three special commands that are not part of the WebdriverIO API. login, setValueSafe and setWysiwygValue are custom commands that we attach to the browser object.

You can see the code of some of those commands in the drupal-elm-starter code.

The problem is – as @amitai realized some time ago – that custom commands don’t play really well with the multiremote approach. A possible solution to keep the custom commands available in all of the browsers is to use some sort of class to wrap the browser object. Something similar to the PageObject pattern.

An example of the code is below:

    class Page {

      constructor(browser = null) {
        this._browser = browser;
      }

      get browser() {
        if (this._browser) {
          return this._browser;
        }
        // Fallback to some browser.
        return myChromeBrowser;
      }

      visit(path) {
        this.browser.url(path);
      }

      setWysiwygValue(field_name, text) {
        // Pass the values as arguments instead of concatenating them into
        // the script, so quotes in the text cannot break or alter it.
        this.browser.execute(function(name, value) {
          CKEDITOR.instances[name].insertText(value);
        }, field_name, text);
      }

      login(user, password) {
        this.visit('/user/login');
        this.browser.waitForVisible('#user-login-form');
        this.browser.setValue('#edit-name', user);
        this.browser.setValue('#edit-pass', password);
        this.browser.submitForm('#user-login-form');
        this.browser.waitForVisible('body.user-logged-in');
      }

    }

    module.exports = Page;

So now, you have a wrapper class that you can use in your tests. You can create multiple instances of this class to access the different browsers while you are running a test.

    var assert = require('assert');
    var Page = require('../page_objects/page');

    describe('create article', function() {
      it('should be possible to create articles.', function() {
        let chrome = new Page(myChromeBrowser);
        let firefox = new Page(myFirefoxBrowser);

        chrome.login('some user', 'password');
        firefox.login('admin', 'admin');

        chrome.visit('http://example.com/node/add/article');
        // setValueSafe is one of the custom commands; it has to be defined
        // on Page in the same way as login and setWysiwygValue.
        chrome.setValueSafe('#edit-title-0-value', 'My new article');
        chrome.setWysiwygValue('edit-body-0-value', 'My new article body text');
        chrome.browser.click('#edit-submit');

        // Here is where the second browser starts to work.
        // This clicks the publish button of the workflow module.
        firefox.visit('/my-new-article');
        firefox.browser.click('#edit-submit');

        // Once the node was published by another user in another browser
        // you can run the final assertions.
        chrome.browser.waitForVisible('.node-published');
      });
    });

What About Automated Tests?

You may also be wondering, does this work seamlessly for automated tests? And the answer is: yes. We have only tried it using the same browser version in different instances. This means that we trigger several Chrome browser instances that act as independent browsers.

If you have limitations in how many cores you have available to run tests, it should not limit how many browsers you can spawn. They will just wait their turn until a core becomes available. You can read more on how we configure Travis to optimize resources.

As you can see, having multiple browsers available to run tests simplifies their structure. Even if you know that you will not need a multiremote approach at first, it may be a good idea to structure your tests using this browser wrapper, as you don’t know if you will need to refactor all of your tests to run things differently in the future.

This approach can also help to refactor the ideas provided by one of our prior posts, Using JSON API with WebdriverIO Tests, so you don’t need to worry about logging in with the right user to make the JSON requests.

Categories: Drupal

Ben's SEO Blog: Topic Clusters Are Old News to Drupal SEO

Planet Drupal - 30 July 2018 - 10:00pm

Topic clusters have been a hot topic in the SEO community lately. They move the emphasis in SEO away from individual keywords to broader categories. Instead of optimizing a page for a keyword like “reduced fat mozzarella cheese”, the goal is to create valuable content for a strategic category such as “cheese”. By focusing on multiple topics within categories and linking these pages to the main topic page, businesses gain authority and performance for the entire topic cluster.

I agree that it’s a great idea, I’m just not so sure that it’s a “new” one. Organizing by topic clusters is old news for Drupal; it has had this capability for years. If you have a Drupal website, you may be ahead of the trend and well positioned for changing SEO strategies. Even if you haven’t designed your... Read the full article: Topic Clusters Are Old News to Drupal SEO

Categories: Drupal

User Login Logout History

New Drupal Modules - 30 July 2018 - 7:16pm

The module tracks user login and logout. Use it if you want to track when a user logged in and at what time they logged out.

Support: Autologout

Categories: Drupal

Promet Source: The Path to Migration

Planet Drupal - 30 July 2018 - 6:12pm
When it’s time for a new site, the word “migration” is often dropped in conversations. Every organization looking at a migration in the future will have their own reasons for doing so, their own history, their own future goals. In this article, we will present the following topics as a means to empower you to recognize aspects of website migration you might otherwise overlook.
Categories: Drupal

Workbench 404 Redirection

New Drupal Modules - 30 July 2018 - 5:29pm

Workbench 404 redirection provides basic support for content entities. That is, it allows site administrators to configure the defined states (that content can be in) for default redirection from 403 access denied to 404 Page not found.

Benefits:

Categories: Drupal

Node Layout builder

New Drupal Modules - 30 July 2018 - 11:29am
Categories: Drupal
