Webform Query

New Drupal Modules - 17 October 2018 - 10:05pm

Query Webform Submission Data

The Webform module stores all submission data in the one table using the EAV model. This is great for performance but it can be tricky to extract submission data matching certain criteria.

Categories: Drupal

Buffer Schedule

New Drupal Modules - 17 October 2018 - 7:48pm

Buffer Schedule allows you to create a set of buffered posts that will publish over time based on your selected settings. You can set specific times between posts to publish new posts in your queue. Additionally, you can set up Buffer schedule to send you a email warning you when the buffer gets low or runs out of content to publish.

Categories: Drupal

Opigno User Reset

New Drupal Modules - 17 October 2018 - 7:23pm

Opigno User Reset is a module for the Opigno LMS Drupal profile that allows administrators or others with the requisite permissions to use a "reset" operation to clear all of a users quiz, course, and class progress. This can be useful when testing, developing a course, or in special situations when running an LMS. The operation should be used carefully as no attempt is made to preserve data for rollback.

Categories: Drupal

myDropWizard.com: Drupal 6 core security update for SA-CORE-2018-006 (and mimemail and htmlmail)

Planet Drupal - 17 October 2018 - 4:17pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-006

The following vulnerabilities mentioned in the security advisory also affect Drupal 6:

  • External URL injection through URL aliases - Moderately Critical - Open Redirect

  • Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

The first vulnerability is in Drupal 6 core, however, the 2nd is only present in the contrib modules: htmlmail, and mimemail. If you don't use those modules, you're not affected by the 2nd vulnerability.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Categories: Drupal

Development assistant

New Drupal Modules - 17 October 2018 - 3:38pm
Categories: Drupal

Template Suggester

New Drupal Modules - 17 October 2018 - 1:34pm

This module provides template suggestions for everything that Drupal doesn't. So far:

  • Block templates per region

Please make your own suggestions or requests!

For block templates per block type, use Block Type Templates.

For node templates selected by content editors on a per-node basis, see Template Whisperer.

Categories: Drupal

Jacob Rockowitz: Acknowledging individuals contributing to Drupal

Planet Drupal - 17 October 2018 - 1:20pm

In my last blog post, I explained, "Why I am one of the top contributors to Drupal?" and examined my ongoing contribution to the Webform module for Drupal 8. My post was inspired by Dries Buytaert's annual who sponsors Drupal development post. Now I want to dig into that list of who’s and acknowledge other individuals contributing to Drupal.

I am deliberately limiting the discussed contributors to people that I have had minimal or no direct interaction with online or in-person. I want to explore their contributions based on their online presence versus directly interviewing them.

The Drunken Monkey

I genuinely value Drunken Monkey's contribution to Drupal's Search API module.

We rarely appreciate an API module until we have to start using them and diving into the code. The Search API module for Drupal 8 is a magnificent example of great code which conquers one of the hardest challenges in programming: naming things.

For a recent project, I was diving into Search API's code, and Drunkey Monkey helped me out when I discovered Issue #2907518: Breakup tracking of content entities into smaller chunks to prevent memory limit issue. For the developers out there, if you read through the issue to the final patch, you will notice that Drunken Monkey manages to even improve some APIs while fixing the problem.

The Search API Guy

The first place to understand who is who in the Drupal community is people's user profiles. The most immediate thing that stands out about Drunkey Monkey is that he is…

This statement is something I can relate to because I...Read More

Categories: Drupal

Security public service announcements: Drupal 7.x and 8.x release on Oct 17th, 2018 - DRUPAL-PSA-2018-10-17

Planet Drupal - 17 October 2018 - 1:11pm

The Drupal Security team has a core and contrib release window on the 3rd Wednesday of the month. This window normally ends at 5pm Eastern (9PM UTC).

Due to unforeseen circumstances, we are extending the current window we are in by 3 hours until Oct 17th, 2018 at 8pm Eastern (11:59PM UTC).

Categories: Drupal

Security advisories: Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Planet Drupal - 17 October 2018 - 9:42am
  • Advisory ID: DRUPAL-SA-CONTRIB-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

Reported by

Fixed by

External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit.

Reported by

Fixed by

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.

Reported by

Fixed by

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Reported by

Fixed by

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Reported by

Fixed by


Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

Categories: Drupal


New Drupal Modules - 17 October 2018 - 7:20am
Categories: Drupal

Dynamic Entity List

New Drupal Modules - 17 October 2018 - 7:20am
Categories: Drupal

TEN7 Blog's Drupal Posts: Episode 041: Steve Persch

Planet Drupal - 17 October 2018 - 6:01am
It is our pleasure to welcome to the TEN7 podcast Steve Persch, lead developer advocate at Pantheon. Here's what we're discussing in this podcast: Steve's background; Celebrating a Drupal birthday; Theater background and blogging; WordPress experience; Improv comedy and Comedy Sports gaining self confidence; Experience at Palantir in Chicago; Contributing to Workbench; Discovering Git; Teaching WordPress' Guttenberg editor; What the WordPress & Drupal communities can learn from each other; The 2018 Twin Cities Open Source CMS Unconference; WordPress, Drupal & Joomla; Supporting Backdrop; Alexander Hamilton; Steve Vector (alias)
Categories: Drupal

Hook 42: September Accessibility (A11Y) Talks - Love thy Keyboard

Planet Drupal - 16 October 2018 - 6:08pm

Keyboard accessibility is vital, as many assistive devices emulate the keyboard. Using semantic HTML one can achieve an accessible User Interface (UI) with less code than non-semantic markup.

By managing and guiding focus with semantic HTML, developing an accessible UI is rather easy. Semantic HTML plays an important role in not only accessibility but SEO (Search Engine Optimization) as well. Although we are aware of it, it's often overlooked.

In September’s accessibility talk, Sarbbottam Bandyopadhyay shared the trade-offs of using semantic vs non-semantic markup with an everyday example. He also shared how to manage and guide focus. It was a brief presentation emphasizing the various aspects of keyboard accessibility. He concluded with a brief introduction to WAI-ARIA.

Sarbbottam is a frontend engineer, with more than 14 years experience. He currently works at LinkedIn. He is part of LinkedIn's core accessibility team, focusing primarily on web accessibility. He’s been involved with web accessibility since his Yahoo days.

Categories: Drupal

Configuration Normalizer

New Drupal Modules - 16 October 2018 - 5:08pm

Configuration Normalizer processes configuration to prepare it for comparison.

Developer usage

This module can be used to wrap any configuration storage, creating a read-only version of the storage for which any data read will be returned in a normalized form.

The most common usage would be to minimize non-meaningful differences when comparing configuration data from different sources.

Categories: Drupal

DrupalCon News: DrupalCon Seattle: Where cutting-edge content, networking & contributing come together.

Planet Drupal - 16 October 2018 - 5:06pm

As you’re performing a cost-benefit analysis about attending DrupalCon Seattle — and the days tick closer to the early-bird registration deadline of October 31 — we have valuable feedback from DrupalCon attendees to share.

Categories: Drupal

agoradesign: Using a cart event subscriber to automatically add order items in Drupal Commerce

Planet Drupal - 16 October 2018 - 1:59pm
This time I'm showing you, how you can automatically add another order item after a product has been added to the cart in Drupal Commerce 2.x. The most important info here is, how you can pass the pitfall of possible transient data problems here.
Categories: Drupal

Webform Mail ID

New Drupal Modules - 16 October 2018 - 11:21am

Enable this module to append the subject to the message ID of mail sent via Webform submissions. This can help you better categorize your mail in Mailgun as the tags will be more specific and not just "webform_submission."

Categories: Drupal

agoradesign: Remove or replace the add to cart message in Drupal Commerce 2.x

Planet Drupal - 16 October 2018 - 9:49am
Commerce ships with a default success message after adding a product to the shopping cart. This is done via an event subscriber, in order to be easy customizable. However, removing, replacing or extending existing services in Drupal 8 is a thing, not every developer is used to do. I'll show you, how easy this is.
Categories: Drupal

Homebox OG

New Drupal Modules - 16 October 2018 - 8:33am

Integrates Homebox with the Organic groups module.

You have the option to have a Homebox page reside as a group homepage tab, or become the new group homepage itself. If your site is using Panels and you set a Homebox page to act as a group homepage, it will automatically disable any Panels that override node views.

Categories: Drupal

Commerce Decoupled Checkout

New Drupal Modules - 16 October 2018 - 8:11am

The modules provides REST endpoints for remote order creation & payments.

TODO: Better description & integration examples.

Categories: Drupal


Subscribe to As If Productions aggregator - Drupal