OK - I'll hold my hands up. The title of this post is misleading. I'm not going to give you an ABC on how to secure a Drupal site (maybe another day). I'm responding to a post on the Reseller Club blog entitled How to Secure Your Client's Drupal Website.
There is some good advice in that article, but it's mixed in with some bad advice, and in other parts it's just plain confused. In the hope that it helps people, I'm going to try and untangle things.
Unpublished Nodes Redirect is a simple module that allows admin users to set up redirects for each node type on their site. They can also set different types of redirects per node type. Developers can alter the node type list if required. The redirect will only affect anonymous users; admin users who do not have permission to view unpublished nodes will still see a 403 Access Denied for these pages.
Drupal 8 was released more than a year ago, but Drupal 7 is still widely used: it's totally stable, feature-rich, actively maintained and has tons of available modules for extending functionality. In this article I would love to draw your attention to Drupal 7 performance only. You can find a lot of information on Drupal 7 performance on the Internet, since Drupal 7 has been available for a long time, but things change and new options appear. Website performance is very important because it can lead to higher conversion rates, higher search ranking and reduced hosting costs. I'll focus on Drupal 7 performance on the server side, but there are other areas where website performance can and should be improved, including front-end, database, etc. These options are highlighted here.
SQL databases are really fast when you need all the information stored together in a record row, but they are a bad fit when you need to search for relationship patterns that are not already stored together in your database. A significant performance penalty is incurred for every additional table that needs to be joined for a query. That is why SQL databases are notoriously bad at deducing relationships from datasets. Graph databases, however, are really good at this task.
I like things that work. I think most technicians do, but as a web developer I have a very serious problem. My most effective environment for doing web development is the one that exists on my own personal box. It can also be a rather impractical place to develop because most of my customers (current and historic) are on rather customized server stacks. Typically, the host has customized the environment to their own specifications. It's not uncommon to find additional services like solr or maybe a memcache server in the mix.
The monthly security release window for Drupal 8 and 7 core will take place on Wednesday, January 18.
This does not mean that a Drupal core security release will necessarily take place on that date for any of the Drupal 8 or 7 branches, only that you should watch for one (and be ready to update your Drupal sites in the event that the Drupal security team decides to make a release).
There will be no bug fix or feature release on this date. The next window for a Drupal core patch (bug fix) release for all branches is Wednesday, February 01. The next scheduled minor (feature) release for Drupal 8 will be on Wednesday, April 5.
Drupal 6 is end-of-life and will not receive further security releases.
Within weeks of introducing the contribution credit system on Drupal.org we realized we had created something powerful. Like all open source projects, Drupal has a behind-the-scenes economy of contribution in which individuals, organizations, and end users work together to maintain the software as a public good. That behind-the-scenes economy was brought to the fore when we chose to rank the Drupal Marketplace by issue credits. For the first time, Drupal.org gave businesses a direct financial incentive to contribute code.
Being good stewards of these incentives is a sobering responsibility, but also a great opportunity. We can use this system to recognize the selfless effort of our community volunteers, to reward the organizations that sponsor their employees' time to give back to the project, and to connect end-users with the organizations that are the biggest contributors.
But as we often say in this community—contribution is more than code. It is the time provided by dedicated volunteers; the talent of community organizers, documentation maintainers, and developers; and the treasure provided by organizations that sponsor Drupal events and fund the operations and infrastructure that maintain the project.
What are we changing?
We’re updating the ranking algorithm for Drupal.org’s Marketplace of service providers and list of all organizations in the Drupal ecosystem. We've expanded on the issue credit system to create a more generic contribution credit system which lets us recognize more types of contribution. Each type of contribution is now weighted to give the organization an overall amount of contribution credit. We've built this system so that we can continuously evolve the incentives it creates by adjusting the weight given to each type of contribution as the project's needs change. To prevent gaming, we will not be publishing the exact weights or total contribution score, but those weights have been reviewed by the Association Board and Community Working Group.
We've carefully chosen a few new types of contribution to factor into the ranking. These were selected because they create incentives to reach specific goals: encouraging organizations to sponsor development of Drupal, gathering more Drupal 8 success stories that can be used to promote Drupal adoption, and recognizing the financial contributions that promote the fiscal health of the Drupal association.
We now calculate the following 4 types of contribution into overall contribution credit:
- Issue credits — helping build the Drupal software happens in the issue queues. Issue credits remain the primary factor in ranking, and continue to be shown prominently. Issue credits on more widely used projects, like Drupal Core, will also receive greater weight in the ranking. Learn how to help in the issue queue
- Drupal 8 case studies — success stories show how Drupal is used across industries and the world, helping effectively introduce Drupal to more people. Learn how to write a case study
- Drupal Association Supporter Programs and Organization Membership — our partners and members help us build and maintain Drupal.org. Learn about supporter programs and organization membership
- Projects supported — the work to maintain a project sometimes happens outside of issues. Project maintainers can credit organizations which help provide time and sponsorship. Learn more about crediting project contributions
Of course, these new factors still don't include all types of contribution. This iteration aims to add measurable factors that reward the behavior of organizations that are good Drupal citizens, and incentivize some of the most important contributions that have a big impact in moving the project forward. But there are other factors we'd like to include in the future! We're keeping track of these additional kinds of contribution, such as sponsoring local user groups, organizing training days, writing documentation, and more, in this issue: #2649100: Improve contribution statistics on user and organization profiles.
There are two factors in particular that we are not yet including that we'd like to address.
The first is project application reviews. These reviews are a critical part of the lifecycle of a new project on Drupal.org, but because we are making the Project Application Revamp a key priority for the first part of 2017, this was not our focus in this initial update. We may revisit this factor as the Project Application Revamp initiative gets underway.
The second is camp organization. We know that there are many individuals and organizations who invest heavily in Drupal Camps, and this has been a critical part of the project's success. However, at this time our data about the individuals and organizations who participate in camp organization is purely self-reported, and therefore too vulnerable to manipulation to include in the algorithm at this time. In the future we hope we can find a responsible way to measure and credit this kind of contribution.
We’ll continue to look for other good factors to add, and do our best to weigh them fairly.
How often will the algorithm change? Who governs these changes?
As this is our first major change to the marketplace ranking system since the launch of issue credits, we may need to make some small adjustments in the first weeks following the launch. However, we know that too frequent changes to the incentive structure will be frustrating for the individuals and organizations who are contributing to the project. Therefore, after the initial tuning we intend to update the marketplace ranking system on a roughly 6 month cycle.
While the primary responsibility to manage the contribution credit system is ours, we have committed to vetting these and future changes with members of the Drupal Association Board and Community Working Group.
Following the previous blog post about our software engineering team culture that I wrote with my colleague Andrew Harmel-Law, I spoke about the subject at the January Drupal Show & Tell last night.
I've been meaning to speak at a meetup for a long time, and if I hadn't done it last night, I'd probably be putting it as one of my objectives for the year. The trouble was, I could never think of what to say. But conversations turned to tweets turned to blog posts, and it felt right to talk about this subject, particularly given that one of the themes of the blog post is the importance of communication between people.
I'd been to the Drupal Show & Tell meetup a couple of times before, and it's a friendly group with some familiar faces, so when I saw the call for speakers, it seemed the ideal opportunity for my first venture into public speaking.
As I rode my bike through the snow to the meetup, I was a little worried that the attendance might be a little sparse, and my blocked nose wasn't helping my confidence. After a few anxious moments where we thought there might be more speakers than people in the audience, more people arrived, and we got started, with interesting and thought-provoking talks from Anthony Seale and Nigel Milligan.
Finally, it was my turn, and despite losing my thread once or twice, I think it went fairly well for a first attempt. As I mentioned in the talk, one of the key points is about improving through iteration - I'll be tweaking the talk and delivering a new version of it at one of our internal lightning talks sessions soon.
Please visit https://malcomio.github.io/presentations/how-we-work/#/ to view the presentation.
The Drupal Community Working Group is pleased to announce that nominations for the 2017 Aaron Winborn Award are now open. This annual award recognizes an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. It will include a scholarship and stipend to attend DrupalCon and recognition in a plenary session at the event.
Nominations are open to not only well-known Drupal contributors, but also people who have made a big impact in their local or regional community. If you know of someone who has made a big difference to any number of people in our community, we want to hear about it.
This award was created in honor of long-time Drupal contributor Aaron Winborn, whose battle with Amyotrophic lateral sclerosis (ALS) (also referred to as Lou Gehrig's Disease) came to an end on March 24, 2015. Based on a suggestion by Hans Riemenschneider, the Community Working Group, with the support of the Drupal Association, launched the Aaron Winborn Award.
Nominations are open until March 1, 2017. A committee consisting of the Community Working Group members and past award winners will select a winner from the submissions. Members of this committee and previous winners are exempt from winning the award.
Previous winners of the award are:
* 2015: Cathy Theys
* 2016: Gábor Hojtsy
If you know someone amazing who should benefit from this award please nominate them at https://www.drupal.org/aaron-winborn-award
Previously we talked about connecting and checking that you are connected to your sandbox project, uploading your project and checking it against Paraview.
Now, in Part 6, we're going to look at getting your theme reviewed. This is perhaps the trickiest and slowest part of the whole contribution process, so pay close attention. We're going to help you do everything possible to ensure a speedy and successful application submission.
It’s now over a year since the release of Drupal 8, the first new version of the open source content management framework in five years. It represented a significant rethinking of the platform when it launched in November 2015 and 2017 is likely to be another significant year for Drupal 8 with further updates and developments expected. As Dries Buytaert, the founder and lead developer of Drupal outlined in a blog last September:
“The only way to stay competitive is to have the best product and to help people adopt it more seamlessly. This means that we have to continue to be able to reinvent ourselves and that we need to make the resulting changes less scary and easier to absorb. We decided that we wanted more frequent releases of Drupal, with new features, API additions, and an easy upgrade path.”
One of the most common questions we get asked is, “How is Drupal 8 doing and what can we expect in the future?”. Understandably, this is important to many organisations currently using previous versions and the Drupal community that has a stake in its success. But it’s also important to new users looking to migrate over.
There’s a significant amount of interest because, as with any new update, organisations have to decide whether the framework is right for them. While Drupal 8 is still maturing, adoption rates are now growing fast. This year we migrated the Ixis website to Drupal 8; you can read more about our experience here.
User growth and high profile successes
2016 saw progress in a variety of key areas including user growth, as well as a number of high-profile successes and this is likely to continue in 2017. As with all new updates, it has taken some time for Drupal 8 to gain traction in terms of the number of users but there has been a clear upward trajectory over the course of the year. There are currently 120,000 Drupal 8 projects, and while Drupal 7 is currently running more than 1 million, this still represents significant growth one year in, especially with adoption rates starting to increase, as outlined on drupal.org.
The wide range of prominent Drupal 8 projects that have launched in the past year have helped to showcase the power of the new platform. These include:
- NBA.com - Millions of fans around the globe rely on the NBA's Drupal 8 website to livestream games, read stats and standings, and stay up to date on their favourite team.
- Nasdaq - Drupal 8 is used as the basis for its next generation Investor Relations Website Platform. IR websites are where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts.
Although the Drupal 7 user base remains solid and the platform will be supported for a long time, there is an end-of-life in sight for it. This is expected to be in two to three years' time but might be even sooner, with some sources predicting an end to Drupal 7 development as soon as October 2017. Either way, with Drupal 8 promising a host of further improvements and Drupal 8.2 already available, many organisations are beginning to look at early migration. The good thing about Drupal 8 is that it comes bundled with a suite of tools to assist with the migration of your content from previous versions, making the task less daunting than it might initially seem. With its ‘continuous innovation’ mission statement, a migration to Drupal 8 in 2017 will provide the best possible access to the latest functionality and improvements, helping to unlock the framework’s true potential.
For more information about Drupal 8 contact us on firstname.lastname@example.org or call 01925 320 041.
Appointment scheduling is a configurable module that lets you set a calendar (days and active hours) and receive reservations requests for the available dates, for different offices.
The Simplify_menu module uses a TwigExtension to gain access to the render array of Drupal's main menu (or any other menu, for that matter) so it can be accessed from a twig template. Among the many advantages of having full control of the menu's render array in a twig template is the ability to customize the markup for your menus to ensure they are accessible and comply with standards.
Once your site's database dump file gets to be 1GB or more, phrases like "oh, just download and import a DB dump" can't really be taken for granted anymore. So here are some tips for dealing with large databases, especially those of the Drupal variety.
Exporting
Before we can import, we must export. With a big DB, you don't want to just do a regular old mysqldump > outfile.sql and call it a day. Here are some tips.
Find the size before exporting
It can sometimes be useful to see how big the export is going to be before you actually export anything. That way, you can know ahead of time if you need to be doing this or that to reduce the size, or if it won't matter since the whole thing won't be that big anyway.
Here's a query you can run to see the size per DB table:
    SELECT TABLE_SCHEMA, TABLE_NAME,
           DATA_LENGTH / POWER(1024,1) Data_KB,
           DATA_LENGTH / POWER(1024,2) Data_MB,
           DATA_LENGTH / POWER(1024,3) Data_GB
    FROM information_schema.tables
    WHERE table_schema NOT IN ('information_schema','performance_schema','mysql')
    ORDER BY DATA_LENGTH;
And here's another query you can run to see what the total size for the entire DB is:
    -- MySQL requires an alias on the derived table, hence "AS totals".
    SELECT Data_BB / POWER(1024,1) Data_KB,
           Data_BB / POWER(1024,2) Data_MB,
           Data_BB / POWER(1024,3) Data_GB
    FROM (SELECT SUM(data_length) Data_BB
          FROM information_schema.tables
          WHERE table_schema NOT IN ('information_schema','performance_schema','mysql')) AS totals;
Dump without unnecessary data
For those cases where you need the database structure for all of the tables, but you don't need the data for all of them, here's a technique you can use. This will grab the entire DB structure, but lets you exclude data for any tables that you want. For example, search_index, cache_*, or sessions tables will be good places to cut out some fat.
    # First we export the table structure.
    mysqldump --no-data database_name > export.sql
    # Grab table data, excluding tables we don't need.
    mysqldump --no-create-info --ignore-table=database_name.table_name1 --ignore-table=database_name.table_name2 database_name >> export.sql
Just replace "table_name1" and "table_name2" with the tables that you want to skip, and you're golden. Also note that you can use the % character as a wildcard, so for example, you could ignore "cache%" for all cache tables.
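An added example, not from the original post: it expands table patterns into exact --ignore-table flags for the data dump above, then scans a finished dump for rows from tables such as sessions that should not travel with it. The pattern list, the database name drupal, and the sample table list and dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: every name and sample value below is constructed.

# Tables whose rows should stay out of a shared dump. Edit the patterns to
# match your site. Note that cache_* does not match a table named "cachetags".
is_excluded() {
  case $1 in
    cache|cache_*|sessions|search_index) return 0 ;;
    *) return 1 ;;
  esac
}

# Read table names on stdin (one per line) and print one exact
# --ignore-table flag per excluded table. Intended use:
#   mysqldump --no-create-info \
#     $(mysql -N -B -e 'SHOW TABLES' database_name | ignore_flags database_name) \
#     database_name >> export.sql
ignore_flags() {
  db=$1
  while IFS= read -r table; do
    [ -n "$table" ] || continue
    if is_excluded "$table"; then
      printf '%s\n' "--ignore-table=$db.$table"
    fi
  done
}

# Read a finished dump on stdin and print each excluded table that still has
# INSERT rows in it. Empty output means no excluded data made it into the dump.
leaked_tables() {
  sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' | sort -u |
  while IFS= read -r table; do
    if is_excluded "$table"; then
      printf '%s\n' "$table"
    fi
  done
}

# Constructed table list, as SHOW TABLES would return it.
sample_tables() {
  printf '%s\n' cache cache_field cachetags node sessions search_index users
}

# Constructed dump in which session and cache rows were left in by mistake.
sample_dump() {
  cat <<'EOF'
CREATE TABLE `sessions` (`sid` varchar(128));
INSERT INTO `node` VALUES (1,'page');
INSERT INTO `sessions` VALUES ('constructed-session-id');
INSERT INTO `cache_field` VALUES ('constructed-cid');
INSERT INTO `cachetags` VALUES ('kept');
EOF
}

# Demo on the constructed samples.
sample_tables | ignore_flags drupal
sample_dump | leaked_tables
```

Run leaked_tables against export.sql before handing the file to anyone; the sessions table is the one to watch, since its rows are live login sessions.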
After you do that, you'll have a single export.sql file that contains the DB structure for all tables and the DB data for all tables except the ones you excluded. Then, you'll probably want to compress it...
Compress all the things
This one may go without saying, but if you're not compressing your database dumps then either they're really tiny, or you're dumber than a dummy.
    drush sql-dump --gzip --result-file=db.sql
Compare that with the regular old:
    drush sql-dump --result-file=db.sql
...and you're going to see a huge difference.
Or if you already have the SQL dump that you need to compress, you can compress the file directly using:
    gzip -v db.sql
That will output a db.sql.gz file for you.
Importing
Now you have a nice clean compressed DB dump with everything you need and nothing you don't, and you're ready to import. Here are a few ways to ease the pain.
Import a compressed dump directly
Instead of having to decompress the dump before importing, you can do it inline:
    gunzip -c db.sql.gz | drush sqlc
Exclude data when importing
If you receive a DB dump that has a lot of data you don't need (caches, sessions, search index, etc.), then you can just ignore that stuff when importing it as well. Here's a little one-liner for this:
    gunzip -c db.sql.gz | grep -Ev "^INSERT INTO \`(cache_|search_index|sessions)" | drush sqlc
What this is doing is using "grep" as a middleman and saying "skip any lines that are insertion lines for these specific tables we don't care about". You can edit what's in the parentheses to add/remove tables as needed.
Monitor import progress
There's nothing worse than just sitting and waiting and having no idea how far along the import has made it. Monitoring progress makes a long import seem faster, because there's no wondering.
If you have the ability to install it (from Homebrew or apt-get or whatever), the "pv" (Pipe Viewer) command is great here:
    pv db.sql | drush sqlc
Or if your database is compressed:
    pv db.sql.gz | gunzip | drush sqlc
Using "pv" will show you a progress bar and a completion percentage. It's pretty awesome.
If you don't have "pv" then you can settle for the poor man's version:
    watch "mysql database_name -Be 'SHOW TABLES' | tail -n2"
That slick little guy will show you the table that is currently importing, and auto-updates as it runs, so you can at least see how far through the table list it has gone.
Tools and Resource
In this post I tried to focus on commands that everyone already has. If this just isn't cutting it for you, then look into these tools which could help even more:
In this five-part series, every Monday in January we’ll explore a New Year’s resolution and how it can apply to your web project.
Surrounding oneself with a community of friends and family that offer needed support is important to us all. Palantir spent twenty years building our own culture and community right here at the office! But we’ve also been active members in the Drupal community for 12 years:
- We’ve made contributions to every facet of the Drupal project: Core development, contributed modules, themes, financial assistance, training, documentation, conference organizing, and one Palantiri is a member of the Drupal Board.
- This means we have a long history of helping organizations level up so they can become Drupal contributors and participants as well.
- The collaboration in the open source community is one of the reasons Palantiri love Drupal so much.
Are you looking to get involved in the Drupal community? Some ideas:
- Join a Drupal MeetUp group. There are 332 worldwide!
- Check out MidCamp, March 30 – April 2 in Chicago, IL.
- Attend DrupalCon Baltimore, April 24 – 28 in Baltimore, MD.
- Not sure where to get started? Cathy Theys from BlackMesh has some information on that.
Besides the Drupal and Open Source communities, Palantir works in some specific verticals that have their own rich and robust communities. We’re still finalizing exactly where we’ll be in 2017, but we know for sure you’ll find us at the following conferences so we can connect with friends in those industries and offer them support as needed:
- The HighEdWeb Conference in Hartford, CT, October 8 – 11
- The HealthCare Internet Conference in Austin, TX, October 23 – 25
Next week’s resolution: get organized.
Yesterday I presented Drupal VM Tips & Tricks at the DrupalDC meetup, remotely. I didn't have a lot of time to prepare anything for the presentation, but I thought it would be valuable to walk through some of the neat features of Drupal VM people might not know about.
Here's the video from the presentation:
Some relevant links mentioned during the presentation:
And it is finally 2017! New year, new projects, new challenges and, of course, a lot of Drupal events.
In this short post, I'll go through a few Drupal events in North America that we'll be either attending or sponsoring in the first quarter of the year.
If you are planning to attend, feel free to get in touch with us in advance. We love hanging around and meeting with fellow community members, potential business partners, and people just interested in getting to know us.