International PHP & JavaScript Conference - these guys sec you up!

Our CEO Manuel spoke at the IPC 2017 in Munich about DevSecOps automation. We took a look around and picked the two other security-related sessions that caught our eye.


Dip Your Toes in the Sea of Security - by James Titcumb

Blazy Blurry Placeholder

Provides Blazy images with the option to show a blurred version of the original image as a placeholder while it loads. Because the placeholder has the same dimensions as the original, page items no longer need to be rearranged once the full image has loaded.

Flexible Daterange

Flexible Daterange provides a new field item which extends Drupal's default daterange item, with the ability to hide the time component on individual entities.

Jacob Rockowitz: Organizing and Presenting Webform Training Materials

Now that the post-DrupalCon Vienna events are in full swing and next year's pre-DrupalCon Nashville events are in the works, I’ve started organizing and creating next year’s Webform related presentations. I find presenting at DrupalCamps challenging and rewarding. The challenge is getting up in front of a large group of developers and talking about my work, but the reward is I get to meet people who use my work to build awesome forms.

Attending Drupal Camps & Events

In the past, I’ve managed to attend a bunch of events including DrupalCamp NJ, NYCCamp, DrupalCon Baltimore, Design4Drupal, and Drupal GovCon. My last camp of the year is going to be DrupalCamp Atlanta on November 2-4, 2017. I decided to go to DrupalCamp Atlanta because they are offering me the opportunity to do my first training session called Learn how to build awesome webforms and a keynote panel discussion. Yes, I am uncomfortable with public speaking, however I’ve committed myself to doing it for longer and in front of more people; this conference is pushing me to up my game. The hope is that it will prove to be a good thing for me, and hopefully will, in turn, be a good thing for others too.

Overcoming Challenges

One technique I’ve learned to overcome my weaknesses is to leverage my...Read More

Roy Scholten: UX notes week 44

30 Oct 2017 UX notes week 44

A selection of Drupal design topics and issues that are moving or should be :)

Small big win: status report pattern reuse in the migrate UI

A nice success from last week was closing a critical issue for Migrate UI. Particularly pleased that we were able to apply a new “summary” user interface element we recently introduced on the status report page.

Big one: redesign the administrative UI

There was a big interest in this over several meetings and workshops at Drupalcon Vienna and after. The Seven theme hasn’t evolved much over the last few years, and it shows.

The right issues are not yet in place for this, but I see and hear multiple people thinking about it. There are multiple parts to this, of course:

  1. A visual update. What would the next version of this style guide look like?
  2. Improve the information architecture. Lots of solid thinking around this already.
  3. Introduce new interaction patterns. We still mostly rely on tables, select lists and other basic form elements. Experiments with JavaScript frameworks should help here but we should design these starting from user needs.
  4. Modernize the underlying theme architecture.
  5. Update and extend the user interface standards documentation.

Drupal core could use another usability test

The core feature set has grown considerably over the last couple of 8.x releases. On the one hand, it would be smart if we found a way to do more, smaller tests more often. On the other hand, since it’s been more than 2 years since the last big usability test, we could do with one of those as well. Let's figure out what we can do. Check in here if you’re interested in helping with this.

Something to look forward to: Layout builder

The layouts-in-core team has been steadily working towards this. It looks like we are in great shape and on track to really, honestly add a visual layout builder to core. There’s a patch going through the last stages of review and refinement in https://www.drupal.org/node/2905922. One cool, smart detail is that this will also introduce a way to dynamically generate icons for different types of layouts. Very nice indeed.

Permissions UI

Core and contrib modules often come with their own (set of) permissions. It’s how you configure which roles get access to do what. This permissions UI is currently an ever-growing sea of checkboxes. This does not scale, for user nor machine. The current model, a grid that lists all available permissions in rows and all roles in columns, needs a thorough rethink. Let's figure out a plan for how to do that.


& some more pointers to where you can go to find out what’s going on.

Enjoy your week!

Agiledrop.com Blog: AGILEDROP: We are not here to replace your team

The history and future

There is this digital agency which specialized in Drupal a couple of years ago. Let’s call it Gr8 Solutions. And business is very good: over the years they signed some fancy contracts with some of the biggest companies in the country and thus built themselves a reputation for being professional and creative. In the process of acquiring new clients and new projects they were steadily growing. This also resulted in hiring a few new developers, a designer, and a salesperson. Fast forward to the very near future; nothing memorable happened in the meantime.… READ MORE

qed42.com: Securing Cookie for 3rd Party Identity Management in Drupal


We are in an era where we see a lot of third-party integrations being done in projects. In Drupal-based projects, cookie management is done by Drupal itself to maintain the session, whether it is a pure Drupal project or a decoupled Drupal project.

But what about the scenario where the user’s information is managed by a third-party service and no user information is saved in Drupal? And when authentication is done via some other third-party service? How can we manage the cookie in this case to run our site session and also keep it secure?

One way is to set and maintain the cookie on our own. In this case, our users will be anonymous to Drupal, so we keep the session running based on cookies. The user information is stored in the cookie itself, which can then be validated when a request is made to Drupal.

PHP has a function to set cookies called setcookie(), which we can use to create and destroy a cookie. So the flow will be that a login request made to the website is verified via the third-party service, and then we call setcookie() to set a cookie containing the user information. But securing the cookie is a must, so how do we do that?

For this, let’s refer to the Bakery module to see how it does it. It contains functions for encrypting the cookie, setting it and validating it.

To achieve this in Drupal 8, we will write a helper class, let’s say “UserCookie.php”, and place it in ‘{modulename}/src/Helper/’. Our cookie helper class will contain static methods for setting the cookie and validating the cookie. We use static methods so that we can call them from anywhere.

We have to encrypt the cookie before setting it, so we will use the openssl_encrypt() PHP function in the following manner:

use Drupal\Core\Site\Settings;

/**
 * Encrypts given cookie data.
 *
 * @param string $cookieData
 *   Serialized cookie data for encryption.
 *
 * @return string
 *   Encrypted cookie.
 */
private static function encryptCookie($cookieData) {
  // Derive a raw 32-byte key from the configured secret string. AES-256 needs
  // exactly 32 bytes; the hex form (64 characters) would be silently truncated.
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Create a fresh random initialization vector for this cookie.
  $iv = openssl_random_pseudo_bytes(16);
  // Encrypt the IV together with the cookie data. The IV fills the first
  // plaintext block, which lets the decryption side recover it (see below).
  $encryptedCookie = openssl_encrypt($iv . $cookieData, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
  // Add a signature (HMAC) over the ciphertext.
  $signature = hash_hmac('sha256', $encryptedCookie, $key);
  // Encode signature and ciphertext together so the cookie is transport-safe.
  return base64_encode($signature . $encryptedCookie);
}
  1. The string parameter passed to openssl_digest() can be replaced with any string you like to use as the key. You can keep a simple keyword too.
  2. The same key must be used when decrypting the data.
  3. The same initialization vector is needed when decrypting the data, so to be able to retrieve it we prepend it to the cookie data string.
  4. We also add a signature, generated with the same key used above. We will verify this signature when validating the cookie.
  5. Finally, we encode the signature and the encrypted cookie data together.

For setting the cookie:

/**
 * Sets a cookie containing (encrypted) user data.
 *
 * @param string $name
 *   Name of the cookie to store.
 * @param mixed $data
 *   Data to store in the cookie.
 */
public static function setCookie($name, $data) {
  // Serialize arrays as JSON; scalar data is stored as-is.
  $data = is_array($data) ? json_encode($data) : $data;
  // Encrypt and sign the data with the helper defined above.
  $cookieData = self::encryptCookie($data);
  setcookie($name, $cookieData, Settings::get('SOME_DEFAULT_COOKIE_EXPIRE_TIME'), '/');
}

Note: You can keep 'SOME_COOKIE_KEY' and 'SOME_DEFAULT_COOKIE_EXPIRE_TIME' in your settings.php; Settings::get() will fetch them for you.
Tip: You can also append the cookie's expiration time to the encrypted data itself, so that it can be verified at decryption time as well. This stops anyone from extending the session by manually changing the cookie's expiry.

Congrats! We have successfully encrypted the user data and set it into a cookie.

Now let’s see how we can decrypt and validate the same cookie.

To decrypt the cookie:

/**
 * Decrypts the given cookie data.
 *
 * @param string $cookieData
 *   Encrypted cookie data.
 *
 * @return bool|string
 *   The decrypted data, or FALSE if the retrieved signature doesn't match.
 */
public static function decryptCookie($cookieData) {
  // Re-create the key exactly as during encryption (raw binary, 32 bytes).
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Reverse the base64 encoding of $cookieData.
  $cookieData = base64_decode($cookieData);
  // Extract the signature (64 hex characters) from the cookie data.
  $signature = substr($cookieData, 0, 64);
  // Extract the ciphertext that follows the signature.
  $encryptedData = substr($cookieData, 64);
  // The signature must match before anything is decrypted. hash_equals()
  // compares in constant time, which avoids a timing side channel.
  if (!hash_equals(hash_hmac('sha256', $encryptedData, $key), $signature)) {
    return FALSE;
  }
  // Use the first ciphertext block as the IV for the remaining blocks: with
  // CBC chaining this yields exactly the cookie data that followed the IV.
  $iv = substr($cookieData, 64, 16);
  // The remaining ciphertext holds the actual cookie data (profile details).
  $encrypted = substr($cookieData, 80);
  // Decrypt the data using the key and initialization vector extracted above.
  return openssl_decrypt($encrypted, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}
  1. We generate the same key using the same string parameter given during encryption.
  2. Then we reverse the base64 encoding, as we need to extract the signature in order to verify it.
  3. We generate the same signature again, since we have the same key that was used to create the signature during encryption. If the signatures don’t match, validation fails!
  4. Otherwise, we extract the initialization vector from the encrypted data and use it to decrypt the data, which is returned for use.

To validate the cookie:

/**
 * Validates a cookie.
 *
 * @param string $cookie
 *   Name of the cookie.
 *
 * @return bool
 *   TRUE if the cookie is present and its signature verifies, FALSE otherwise.
 */
public static function validateCookie($cookie) {
  // Read the raw cookie value from the current request.
  $cookieData = \Drupal::request()->cookies->get($cookie);
  if ($cookieData !== NULL && self::decryptCookie($cookieData) !== FALSE) {
    return TRUE;
  }
  return FALSE;
}

We can verify the cookie on each request made to the website to maintain our session. You can implement a function for expiring the cookie to simulate a user logout. We can also use the decrypted user data from the cookie to serve user-related pages.
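The post's scheme carried one step further, as an added example that is not the post's code nor the Bakery module's: it applies the expiry tip above, derives separate encryption and MAC keys from one secret, checks the signature in constant time before decrypting, and sends the cookie with the Secure, HttpOnly and SameSite flags. It assumes PHP 7.3+ with the openssl extension; $masterSecret (standing in for Settings::get('SOME_COOKIE_KEY')), sealCookie() and openCookie() are names chosen here.

```php
<?php
// Added example (not the qed42 post's or Bakery's code): stand-alone
// encrypt-then-sign cookie with the post's expiry tip applied. Assumes PHP 7.3+
// with openssl; $masterSecret stands in for Settings::get('SOME_COOKIE_KEY').
$masterSecret = 'replace-with-a-long-random-value-from-settings.php';

// Derive separate encryption and MAC keys from the one configured secret.
function cookieKeys(string $secret): array {
  return [hash_hkdf('sha256', $secret, 32, 'cookie-enc'),
          hash_hkdf('sha256', $secret, 32, 'cookie-mac')];
}

// Seal user data plus an absolute expiry. Layout: base64(hmac . iv . ciphertext).
function sealCookie(array $data, int $ttl, string $secret): string {
  [$encKey, $macKey] = cookieKeys($secret);
  $data['exp'] = time() + $ttl;
  $iv = random_bytes(16);
  $ct = openssl_encrypt(json_encode($data), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
  $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
  return base64_encode($mac . $iv . $ct);
}

// Check the HMAC in constant time before decrypting, then enforce the expiry.
function openCookie(string $cookie, string $secret) {
  [$encKey, $macKey] = cookieKeys($secret);
  $raw = base64_decode($cookie, true);
  if ($raw === false || strlen($raw) < 48) {
    return false;
  }
  [$mac, $iv, $ct] = [substr($raw, 0, 32), substr($raw, 32, 16), substr($raw, 48)];
  if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
    return false; // Tampered, truncated, or sealed under a different key.
  }
  $plain = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
  $data = $plain === false ? null : json_decode($plain, true);
  if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
    return false; // Malformed or expired; the client cannot extend the lifetime.
  }
  return $data;
}

// Demo: seal, send with hardened flags, reopen, and reject a single flipped bit.
$sealed = sealCookie(['uid' => 42, 'name' => 'alice'], 3600, $masterSecret);
setcookie('app_session', $sealed, ['expires' => time() + 3600, 'path' => '/',
  'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$opened = openCookie($sealed, $masterSecret);
$tampered = base64_decode($sealed);
$tampered[49] = $tampered[49] ^ "\x01"; // Flip one bit inside the ciphertext.
if (!$opened || $opened['uid'] !== 42 || openCookie(base64_encode($tampered), $masterSecret) !== false) {
  throw new RuntimeException('cookie round trip failed');
}
```

Because the expiry lives inside the authenticated payload, editing the cookie's Expires attribute in the browser cannot lengthen the session; the server-side check on 'exp' is what decides.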

navneet.singh Mon, 10/30/2017 - 13:45
Simple Entity Import

Provides entity importing. Simpler than Feeds. Check examples for users importing.

Content Mgr

New Drupal Modules - 29 October 2017 - 7:43pm

Helps Site Administrators, Web and Content Managers by localizing various content structure and content management features into one place. Quicktabs and Bootstrap Quicktabs are dependencies. Planning to make the module more flexible and able to rely on other core functionality to display various forms and interfaces via ajax.

Matt Glaman: Using JSON API to query your Search API indexes

Planet Drupal - 28 October 2017 - 8:18pm
mglaman Sat, 10/28/2017 - 22:18

The JSON API module is becoming wildly popular in Drupal 8 as an out-of-the-box way to provide an API server. Why? Because it implements the {json:api} specification. It’s still a RESTful interface, but the specification brings an open standard for how data should be represented and how requests should be constructed. The JSON API module exposes collection routes, which allow retrieving multiple resources in a single request.
