Drupal

James Oakley: Security and Performance: Remove old Modules

Planet Drupal - 7 June 2018 - 1:49pm

Yesterday, the Drupal Security team issued a Security Advisory for the Mollom module, SA-CONTRIB-2018-038. The module is now marked as "unsupported".

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

Blog Category: Drupal Planet
Categories: Drupal

Acro Media: Drupal with WebSockets for Real-Time Synced Displays

Planet Drupal - 7 June 2018 - 7:45am

The situation: I'm the primary maintainer of the Commerce Point of Sale module and have been building a customer facing display feature for the Commerce 2 version. So, I have two separate pages, one is a cashier interface where a cashier enters products, the second is a customer facing screen where the customer can watch what products have been scanned, review pricing, and make sure everything is correct.

The problem: Since products can be scanned through quite quickly, it was imperative that the customer facing display update very quickly. The display needs to match what's happening in near real-time so that there is no lag. Unfortunately, AJAX is just too slow and so I needed a new solution.

The solution: WebSockets seem like a great fit.

Design

AJAX - Too slow!


WebSocket - Fast!


The socket server can either not bootstrap Drupal at all, or bootstrap it only once upon load, making it able to relay traffic very quickly.

Dependencies

I only needed one dependency for this, Ratchet, which is a PHP library for handling WebSockets and is easily installed via Composer.

Setup

The WebSocket server is actually very simple, it finds and loads up the autoload script for Drupal, similar to how Drush does it.

We bootstrap Drupal, just so we can load a few config settings.

We terminate the Drupal kernel, since we don’t need it just for ferrying traffic back and forth and it will probably leak memory or something over a long time if we use it a bunch, since Drupal isn’t really meant to run for ages. I did try it with Drupal running the whole time and it did work fine, although this wasn’t under any real load and only for a couple days.

Now all that we have to do is set up the service.

All the details of our service come from the class we pass in, which basically hooks in the different server events. I’ll leave the details of that outside of this article as none of it is Drupal specific and there are lots of tutorials on Ratchet’s site: http://socketo.me/docs/hello-world

JavaScript

On the JavaScript end, we connect to the WebSocket using the standard interface.

I used a few mutation observers to monitor for changes and then passed the changes to the WebSocket to relay. You could do this however you want and probably some nicely integrated JS or even a React frontend would be a lot cleaner.

Resources

Related module issue: https://www.drupal.org/project/commerce_pos/issues/2950980
Ratchet PHP Library: http://socketo.me/

Categories: Drupal

Drupal core announcements: Drupal Security team response to recent news articles relating to SA-CORE-2018-002 and SA-CORE-2018-004

Planet Drupal - 7 June 2018 - 6:51am

Various media outlets are reporting that a large number of Drupal sites are still vulnerable to the recent highly critical core vulnerabilities SA-CORE-2018-002 and SA-CORE-2018-004.

Those reports are all based on the same source. The source investigated the contents of CHANGELOG.txt of a large number of sites and assumed all sites reporting a version lower than 7.58 to be vulnerable.

Checking the contents of CHANGELOG.txt is not a valid way to determine whether a site is vulnerable to any given attack vector. Patches distributed by the Drupal security team to fix the issues were widely used, but did not touch CHANGELOG.txt or any version strings defined elsewhere. There are also other mitigations that vendors have provided which would also not affect CHANGELOG.txt but would protect the site.

We believe the presented numbers to be inaccurate. We consider it to be misleading to draw conclusions from this sparse information. The Drupal project has a long history of a reliable coordinated disclosure security program. For the past 4 years, the Drupal Security Team has provided support to journalists covering our releases and policies and is available for further enquiries.

If you are a member of the press and want the Drupal Security Team to comment, please contact security-press@drupal.org.

Categories: Drupal

Configuration Override Warn

New Drupal Modules - 7 June 2018 - 6:46am

Implements the warning message proposed by #2408549: There is no indication on configuration forms if there are overridden values from one module without needing any changes to configuration forms.

Categories: Drupal

Drupal Helper

New Drupal Modules - 7 June 2018 - 6:39am

Drupal Helper is a pack of common functions to help beginner Drupal 8 developers.

Categories: Drupal

Chromatic: Why You Should Consider Drupal – Painless Migrations

Planet Drupal - 7 June 2018 - 6:30am

Making content migrations relatively painless lowers the bar immeasurably in making the switch to a platform like Drupal.

Categories: Drupal

Visual Captcha

New Drupal Modules - 7 June 2018 - 6:26am

Module that integrates the usability of the visualCaptcha PHP library into Drupal

Categories: Drupal

Cache Refs

New Drupal Modules - 7 June 2018 - 6:25am

Automatic cache tag invalidation for referenced nodes

i.e. if you have a node that contains a node reference field, the referenced node will have its cache invalidated if the node or nodes referencing it are updated.

Project supported by: Alloy Lab, LLC

Categories: Drupal

Advertising Entity: Video Intelligence

New Drupal Modules - 7 June 2018 - 5:02am

This module provides integration between the Advertising Entity module and Video Intelligence.

Categories: Drupal

JAVALI Import Media Files

New Drupal Modules - 7 June 2018 - 3:28am

This module allows users to insert or delete unattached files in the Drupal file system.

Categories: Drupal

Tim Millwood: Drupal composer paranoia plugin

Planet Drupal - 7 June 2018 - 2:04am

Over the past few months one of my colleagues, Jean Ribeiro (jribeiro), has been working in conjunction with Florian Weber (webflo) from drupal-composer, on a composer plugin for added Drupal site security.

The Drupal Paranoia plugin works with two directories, web and app, although these can be renamed within your composer config to whatever works for you. The app directory is where all non-user-facing code lives; this includes PHP, YAML, Twig, etc. from core, contrib, and custom modules. The web directory then contains symlinks to all user-facing code, such as CSS, JS, and other files. It also contains stub PHP files for some items within the app directory.

Within the plugin the public files directory is assumed to contain only user-facing files, so it is symlinked. The codebase is then scanned for what are considered asset files. These are a fixed list of file extensions, which are expected to be used for module theming and themes themselves, such as css, js, png, gif, etc. There is also a set list of "front controller" files; these are PHP files that do need to be user facing. The list includes index.php, core/install.php, core/rebuild.php, and core/modules/statistics/statistics.php. These files are then added via a stub PHP file, which calls the require function to pull them in.

This plugin allows you to point your web server to the web directory without exposing any non-public files to users, giving an extra layer of security. There are no known specific security issues this will mitigate; however, if there were any contrib or custom code with executable PHP code, this will update the codebase to make sure it's not remotely executable. For example, in 2016 there was an issue found with the coder module where one of the executable PHP files opened a security hole. If anything like that were to happen again, you would be protected by using the Drupal Paranoia plugin.

 

Thanks to Jean Ribeiro and Chad DeGoot for helping write and review this blog post.

timmillwood Thu, 07/06/2018 - 10:04 Tags drupal planet drupal-planet composer plugin drupal drupal 8 drupal8
Categories: Drupal
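
The web/app layout described in the Drupal Paranoia post above, as an added sketch that is not the plugin's own code: it builds a `web` directory from a constructed `app` tree by symlinking the public files directory and asset files and writing `require` stubs for the front controllers, then audits the result. The function names, the `sites/default/files` location, the shortened extension list and the stub format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; NOT the drupal-paranoia plugin's code.
# Assumed for the example: function names, stub format, sample tree.

ASSET_EXTS="css js png gif"          # subset of the fixed asset list named in the post
FRONT_CONTROLLERS="index.php core/install.php core/rebuild.php core/modules/statistics/statistics.php"
PUBLIC_FILES="sites/default/files"   # assumed public files location

# build_web APP WEB: populate WEB with only what a browser needs from APP.
build_web() {
  app=$(cd "$1" && pwd) || return 1
  mkdir -p "$2" || return 1
  web=$(cd "$2" && pwd) || return 1

  # 1. Public files are assumed user facing: link the directory as a whole.
  if [ -d "$app/$PUBLIC_FILES" ]; then
    mkdir -p "$web/$(dirname "$PUBLIC_FILES")"
    rm -f "$web/$PUBLIC_FILES"
    ln -s "$app/$PUBLIC_FILES" "$web/$PUBLIC_FILES"
  fi

  # 2. Asset files are linked one by one; PHP, YAML and Twig never match.
  for ext in $ASSET_EXTS; do
    find "$app" -path "$app/$PUBLIC_FILES" -prune -o -type f -name "*.$ext" -print |
    while IFS= read -r src; do
      rel=${src#"$app"/}
      mkdir -p "$web/$(dirname "$rel")"
      ln -sf "$src" "$web/$rel"
    done
  done

  # 3. Front controllers become stubs that require the real file in APP.
  for fc in $FRONT_CONTROLLERS; do
    [ -f "$app/$fc" ] || continue
    mkdir -p "$web/$(dirname "$fc")"
    printf "<?php\n\nrequire '%s';\n" "$app/$fc" > "$web/$fc"
  done
}

# audit_web WEB: print every PHP file reachable under WEB (following
# symlinks) that is not one of the listed front controllers.
audit_web() {
  web=$(cd "$1" && pwd) || return 1
  find -L "$web" -type f -name '*.php' | while IFS= read -r f; do
    rel=${f#"$web"/}
    case " $FRONT_CONTROLLERS " in
      *" $rel "*) ;;                  # expected stub
      *) printf '%s\n' "$rel" ;;      # PHP exposed through the docroot
    esac
  done
}

# make_sample_app DIR: constructed sample tree, not a real Drupal codebase.
make_sample_app() {
  mkdir -p "$1/core" "$1/modules/contrib/example/css" \
           "$1/modules/contrib/example/tests" "$1/$PUBLIC_FILES"
  echo '<?php // front controller'        > "$1/index.php"
  echo '<?php // installer'               > "$1/core/install.php"
  echo '<?php // module code'             > "$1/modules/contrib/example/example.module"
  echo '<?php // stray executable script' > "$1/modules/contrib/example/tests/run.php"
  echo 'body{}'                           > "$1/modules/contrib/example/css/example.css"
  : > "$1/$PUBLIC_FILES/logo.png"
}

tmp=$(mktemp -d)
make_sample_app "$tmp/app"
build_web "$tmp/app" "$tmp/web"
(cd "$tmp/web" && find . \( -type l -o -type f \) | sort)
echo "unexpected PHP under docroot: $(audit_web "$tmp/web" | wc -l)"
```

Because the public files directory is linked wholesale, `audit_web` is also the check that its "only user-facing files" assumption still holds: any `.php` file that appears there is reported.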

Tim Millwood: Workspace upgrade path

Planet Drupal - 7 June 2018 - 2:03am

We've taken some time recently to discuss how we're going to handle the upgrade from the Workspace contrib module to the Workspace core module, once it's released. In our setup we have around 20 sites, each with 4 (or more) environments, all with Workspace installed, syncing content between each environment (and sometimes between each site). Therefore this is a task we are taking very seriously and want to make sure we have a super stable approach which will result in no loss of production content.

The obvious idea is that we provide some kind of update hook that converts all of the workspaces to the new core module, along with all of their content. However, the new Workspace module is quite different in the way that it stores and handles entities, therefore this will be a lot of work. We don't have a lot of time to do a lot of work because we have to port Multiversion and Relaxed modules over to handle all the features that are not going into core. We also have "day job" work to do helping to build and support these 20+ sites.

The idea we are looking to implement is a lot more simple. Uninstall the contrib Workspace module, and install the core Workspace module.

Uninstalling the Workspace module (and all dependencies) will delete all workspaces, and all content in them. Therefore what you will be left with, effectively, is the live workspace and all live content. Installing the new module will recreate a live (and stage) workspace, and all content will be associated with the live workspace. There will be some kind of check available to see if all content has been synced up to the live workspace to prevent real data loss, but we see workspaces as disposable anyway.

Another option we are looking into is being able to replicate content off to another Drupal site (or CouchDB database), then do the uninstall / reinstall process, and sync content back. This will work well because the HTTP API used will be the same on both versions of Relaxed module. However, because of the number of moving parts here we feel the straight uninstall / reinstall process, dropping all non-live content, might actually provide better stability.

This process will be fully documented in release notes and on Drupal.org when the time comes.

It'd be great to hear any feedback from users of the contrib Workspace module if this approach would work.

timmillwood Thu, 07/06/2018 - 10:03 Tags drupal planet drupal-planet drupal drupal8 drupal 8 drupal core workspace
Categories: Drupal

Child Entity

New Drupal Modules - 7 June 2018 - 1:35am

This module helps you create entities whose creation depends on a parent entity.

Consider a Room entity which can only be created on a House entity. In this example Room is the child and House is the parent entity.

Categories: Drupal

Appnovation Technologies: Drupal Service ID Collectors

Planet Drupal - 7 June 2018 - 12:00am
Since the arrival of Drupal 8, we've had services. This also brought the concept of a service collector or tagged services. This allows services to be tagged with a specific tag, then a service collector can collect all services with a given tag and use whichever service "applies". As you could imagine loaded all of these tagged services when load...
Categories: Drupal

Pagination Page Titles

New Drupal Modules - 6 June 2018 - 6:56pm

This module addresses an SEO issue involving duplicate titles created by Drupal on pages that are derived from pagination. For example, /blog?page=1 and /blog?page=2 both have the same page title and get flagged by Google, SEM Rush, etc.

The Pagination Page Titles module adds unique text to page titles on paginated lists to avoid issues with duplicate title tags to perform better in SEO. Titles are updated to have the original title tag with the addition of some text with URI information in it along with the word page and page number.

Categories: Drupal

orkjerns blogg: Creating services with optional dependencies in Drupal 8

Planet Drupal - 6 June 2018 - 1:54pm
admin Thu, 06/07/2018 - 11:08

Today I encountered a problem I did not think about earlier. After I pushed a fix to a project I am working on, the CI builds started showing errors. And the problem was coming from a message like this:

The service "mymodule.attachments_manager" has a dependency on a non-existent service "metatag.manager".

In many cases when you see that, it probably means your module was installed before a module it depends on. For example, in this case, it would seem that this module depends on metatag, and so declaring it as a dependency would fix the issue. And for sure, it would. But sometimes dependencies are not black and white.

This particular service does some handling of the attachments when used together with metatag. It does so, because it is a module we use across projects, and we can not be sure metatag is used in any given project. So it's only used in a way that is something like this:

    /**
     * Implements hook_page_attachments().
     */
    function mymodule_page_attachments(array &$attachments) {
      if (!\Drupal::moduleHandler()->moduleExists('metatag')) {
        return;
      }
      \Drupal::service('mymodule.attachments_manager')->handlePageAttachments($attachments);
    }

Now, what this means, is that for the attachments manager to be useful, we need metatag. If we do not have metatag, we do not even need this service. So basically, the service depends on metatag (as it uses the service metatag.manager), but the module does not (as it does not even need its own service if metatag is not installed).

Now, there are several ways you could go about fixing this for a given project. Creating a new module that depends on metatag could be one way. But today, let's look at how we can make this service have an optional dependency on another service.

At first the service definition looked like this:

    mymodule.attachments_manager:
      class: Drupal\mymodule\MyModuleAttachmentsManager
      arguments: ['@current_route_match', '@module_handler', '@metatag.manager', '@entity.repository']

This would construct a class instance of MyModuleAttachmentsManager with the following function signature:

    public function __construct(RouteMatchInterface $route_match, ModuleHandlerInterface $module_handler, MetatagManager $metatag_manager, EntityRepositoryInterface $entity_repo) {
    }

Now, this could never work if this module was installed before metatag (which it very well could, since it does not depend on it). A solution then would be to make the metatag.manager service optional. Which is something we can do by removing it from the constructor and create a setter for it.

    public function __construct(RouteMatchInterface $route_match, ModuleHandlerInterface $module_handler, EntityRepositoryInterface $entity_repo) {
      // Constructor code.
    }

    /**
     * Set meta tag manager.
     *
     * @param \Drupal\metatag\MetatagManager $metatagManager
     *   Meta tag manager.
     */
    public function setMetatagManager(MetatagManager $metatagManager) {
      $this->metatagManager = $metatagManager;
    }

OK, so far so good. It can now be constructed without having a MetaTagManager. But how do we communicate this in the service definition? Turns out the documentation for Symfony service container has the answer.

When you define a service, you can specify calls to be made when creating the service, which would be ignored if the service does not exist. Like so:

    mymodule.attachments_manager:
      class: Drupal\mymodule\MyModuleAttachmentsManager
      arguments: ['@current_route_match', '@module_handler', '@entity.repository']
      calls:
        - [setMetatagManager, ['@?metatag.manager']]

So there we have it! The service can be instantiated without relying on the metatag.manager service. And if it is available in the service container, the method setMetatagManager will be called with the service, and our service will have it available in the cases where we need it.

Now let's finish off with an animated gif related to "service container".

Categories: Drupal

Vardot: Why Choose Drupal 8 to Migrate from your Legacy CMS?

Planet Drupal - 6 June 2018 - 1:21pm
Ahmed Jarrar June 6, 2018

If your business has been around for a while, there’s a fair chance that your site is running on a Legacy CMS. These outdated frameworks were a step above hardcoding (literally writing the entire site using, say, HTML), but don’t do the modern business any favors in the way of swift and cost-effective site design.

The challenge for enterprises still running on a Legacy framework is clear: “Which modern CMS will help us make things easier for ourselves?”

This article will cover what seems to us like the clear contender for the best of today’s CMS solutions --Drupal 8. We’ll cover the ease with which companies can migrate their content to Drupal 8, the thriving community around it, and other reasons why leading companies across various industries trust the platform to power their websites.

 

Top Organizations Run with Drupal 8

 

Drupal 8 is the preferred framework for a significant number of the world’s most influential brands. Pinterest, The Economist, Tesla, Al Jazeera --and countless other industry leaders prefer Drupal 8 for its agility and scalability.

If belonging to a wide group of peers isn’t enough to prove the platform’s reliability, then trust in the fact that the open market is more than happy to throw its weight behind the product-of-choice for its biggest spenders. Thanks to its prominence among elite organizations and businesses, over a million developers have flocked to Drupal --making Drupal-based designs highly accessible for those with a relatively smaller pool of resources.

 

Drupal 8 is Supported by a Thriving Community

 

Thanks to the framework’s prominence among big businesses, migrating to Drupal 8 means gaining access to a wide network of developers and innovators building additions to a single product. As a result, the options available to a business are staggering: e-commerce sites can choose from thousands of templates for their online storefronts, news sites can integrate chatbots, and services can manage volumes of content across multiple channels.

Since its foundation, Vardot has been an active member of this community. We can say with confidence that the platform has been crucial in our mission: to help the world’s most influential companies accomplish their own missions.

 

Drupal 8 Offers Risk-Free Migration

 

A major concern for people and organizations looking to modernize their digital assets is the fear of losing content while switching to a new CMS. The process is supposed to reduce cost and boost convenience --so it’s only natural to worry about having to restructure an entire network of websites or reproduce existing content.

This concern is a thing of the past for Drupal users since the platform was designed for high flexibility. Essentially, it allows users to import vast and complex site architecture from legacy systems, removing the need to play around with a sales funnel that already works for you, or rebuild your site’s blog from scratch.

If anything, making the move might actually increase the performance of your website. It takes the liberty of mapping out your existing URLs and updating them to meet the standards of the best SEO practices --meaning users will have a much easier time discovering your content and, hopefully, develop into sales-ready leads. Likewise, it eliminates redundant modules left over from your initial infrastructure and offers a clean database system right out of the box, meaning your site load times will be faster than ever (great for SEO, and great for generating conversions!)

 

Drupal 8 Offers Easy-to-Use Solutions

 

Legacy CMS platforms often demand much from users looking to update their websites. Since most new tools don’t bother aiming for compatibility with legacy systems, organizations looking to take advantage of AI, voice search, and other top-of-the-line innovations will have to build them up from scratch.

Drupal 8, on the other hand, offers plenty of valuable features right out of the box. These core features allow businesses and organizations of all kinds to design powerful and functional websites suited to achieve whatever goals they’ve set. Even better, Drupal is open to 3rd party integrations like Salesforce, chatbots, and tools for both social media and customer support.

Businesses shouldn’t have to fall behind in an age when software is growing exponentially. With all the technology available to grow your sales and revenue, you don’t want to lag behind for a second.

 

Drupal is Perfect for Your Non-Technical Staff

 

We’ve mentioned that Drupal is scalable --meaning it can grow as big as your company needs it to grow in as fast of a time as your company needs. The developers you’ve hired are guaranteed a simple time with it, and so are the people responsible for populating your site: your marketers, writers, and designers.

The best websites are mentally and visually stimulating, which is why people pay so much to keep them looking pretty. Migrating to Drupal 8 allows you to scale back on training hours (no more need for your new hires to learn clunky, outdated systems) and put your I.T. team to more productive use.

 

Case Study - American University of Cairo (AUC)

 

The AUC website was first built using the iAPPS CMS: a Sharepoint content hub for microsites, OpenAm, and other features. The result was a confusing hodgepodge of unnecessary applications that clashed to produce a fractured website. AUC, as you can imagine, didn’t thrive in the digital world under these conditions.

When Vardot helped AUC migrate from Sharepoint to Drupal, the institution felt the changes instantly. Their website had a much stronger impact from that point forward and stopped being a headache for the university’s administrators to update. In short, migrating to Drupal helped AUC run a much better website.

 

Conclusion

Drupal 8 is, by all accounts, vastly superior to legacy CMS platforms. It’s arguably superior to CMS platforms that came much later --and the thriving community behind it is unlikely to stop broadening the limits of what the framework is capable of any time soon.

For a good investment in your organization’s future, make the move away from your legacy system and switch to Drupal. You’ll find it highly secure, cost-effective, and easy to set up.

Categories: Drupal

Field Pager

New Drupal Modules - 6 June 2018 - 12:37pm

A pagination system for the elements of multi-value fields.

Categories: Drupal

Community: Looking back at the first-ever DrupalCon Teamwork and Leadership Workshop

Planet Drupal - 6 June 2018 - 11:59am

The Drupal Community Working Group (CWG), with support from the Drupal Association, organized and held the first-ever Teamwork and Leadership Workshop at DrupalCon Nashville on April 10, 2018. The goal of the three-hour workshop was to explore teamwork, leadership, and followership in the context of the Drupal community as well as to help provide support and resources for people in the Drupal community who work alongside others in teams and/or may find themselves in positions of responsibility or leadership. Additionally, we hoped to expand the base of people who can step into leadership positions in the Drupal community, and to help those who may already be in those positions be more effective.

The workshop was led by Drupal Association board chair Adam Goodman, who generously donated his time. Adam is the head of Northwestern University’s Center for Leadership, and he works as an executive coach and advisor to senior executives and boards of directors at dozens of companies and organizations around the world. 

As part of the planning for the workshop, Adam asked us to enlist a number of facilitators to help with the various workshop exercises. In addition to three CWG members (Jordana Fung, George Demet, and Mike Anello), the following community members also facilitated: Donna Benjamin, Shyamala Rajaram, Gábor Hojtsy, Angie Byron, and Tiffany Farriss. The facilitators met with Adam prior to the workshop to understand what would be expected of them. 

We wanted to make sure that we invited a diverse range of people to the workshop who are doing awesome work with Drupal around the world, including those whose efforts may not be as well-known or recognized (yet). We set an internal goal of at least 50% of attendees to be from populations historically underrepresented at DrupalCon, including those who self-identify as women, non-gender binary, people of color, and/or people who are not from Europe, the United States, or Canada. To this end, prior to the public registration period, we sent out invitations to 64 community members, 75% of whom were from an under-represented cohort. We invited people who are involved in all aspects of the community including (but not limited to) event organizers, sprint organizers, project maintainers, as well as past and current Aaron Winborn Award nominees. At the workshop, there were a total of 50 attendees (there were a total of 60 seats available), with approximately 64% from underrepresented cohorts.

Attendees were seated at round tables of approximately 10 people per table. The first half of the workshop was focused on large group exercises that focused on helping attendees think about what it meant to be a leader and a team member. We talked about keeping perspective as team members and not jumping to conclusions about each other's behaviors based on an often (extremely) limited set of data. The second half of the workshop focused on smaller group exercises in which individuals responded to various prompts and then discussed them as a small (table-sized) group. 

A few days after the workshop, we asked the attendees to complete an 11-question follow-up survey. Of the 50 attendees, we had 17 responses for a 33% response rate. We asked what their expectations were for the workshop; representative responses included:

I thought it would be a workshop on leadership, but I was surprised by the approach to the Drupal community.

Didn't know what to expect. So...none

The fact that we had multiple responses indicating that the expectations were not clear tells us that we need to do a better job in communicating exactly what the goals and activities of the workshop will be in the future. 

On a scale of 1-5, 73% of respondents indicated that the workshop met their expectations (via a rating of 4 or 5). 

We also asked respondents to share an insight from the workshop. Responses included:

Transition planning for responsibilities you take on and having a plan in place before even taking on the responsibility.

The need to know why each person on the team is present (their motivation) and the importance of unified movement toward a goal.

I hadn't written out what leadership looked like to me before, so I found that part of the exercise to be quite helpful.

The survey also found that the attendees found more value in the smaller group exercises than the large group exercises (81.3% vs. 60%), with 81.3% indicating they'd be interested in attending future similar workshops.

Many of the open ended responses indicated that some attendees were hoping for more practical, hands-on advice for specific situations. In addition, several of the responses felt that parts of the exercises felt rushed, and wished there was more time. Finally, several attendees commented on the appropriateness of some of the imagery used in one of the workshop exercises, for which the CWG made a public apology following the event. We have gone through all of the comments relating to aspects of the event that were considered negative or unhelpful and will take this into consideration on how we can improve the workshop for the future.

Overall, we feel the workshop was a success, and something that has been long overdue for the Drupal community. We've been discussing how we can make similar content available to everyone in the community, not just DrupalCon attendees. We're open to ideas for future workshops on these topics (and format), let us know if you have any ideas.
 

Categories: Drupal

Drupal blog: Virtual reality on campus with Drupal

Planet Drupal - 6 June 2018 - 9:16am

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

One of the most stressful experiences for students is the process of choosing the right university. Researching various colleges and universities can be overwhelming, especially when students don't have the luxury of visiting different campuses in person.

At Acquia Labs, we wanted to remove some of the complexity and stress from this process, by making campus tours more accessible through virtual reality. During my presentation at Acquia Engage Europe yesterday, I shared how organizations can use virtual reality to build cross-channel experiences. People that attended Acquia Engage Europe asked if they could have a copy of my video, so I decided to share it on my blog.

The demo video below features a high school student, Jordan, who is interested in learning more about Massachusetts State University (a fictional university). From the comfort of his couch, Jordan is able to take a virtual tour directly from the university's website. After placing his phone in a VR headset, Jordan can move around the university campus, explore buildings, and view program resources, videos, and pictures within the context of his tour.

All of the content and media featured in the VR tour is stored in the Massachusetts State University's Drupal site. Site administrators can upload media and position hotspots directly from within Drupal backend. The React frontend pulls in information from Drupal using JSON API. In the video below, Chris Hamper (Acquia) further explains how the decoupled React VR application takes advantage of new functionality available in Drupal 8.

It's exciting to see how Drupal's power and flexibility can be used beyond traditional web pages. If you are interested in working with Acquia on virtual reality applications, don't hesitate to contact the Acquia Labs team.

Special thanks to Chris Hamper for building the virtual reality application, and thank you to Ash Heath, Preston So and Drew Robertson for producing the demo videos.

Categories: Drupal
