All RPGs and Storygames by Tod Foley are now available at DrivethruRPG and RPGnow. Bring these games to your table!
Looking for the perfect way to celebrate Cyber Monday - you could be one of the first to buy tickets to DrupalCon Nashville!
Did you see our new site? Have you clicked through the pages? Did you read the headline of this story? If you have, then you’ve heard: DrupalCon Nashville 2018 registration is OPEN - and it’s music to our ears.
Out of the box, Drupal displays code snippets that don't get highlighted.
In this blog post, you will learn how to show code snippets in Drupal content highlighted with the CKEditor CodeSnippet module and CKEditor CodeSnippet plugin.
Violinist.io is a new service that is continuously trying to update your composer dependencies. When a new update is found, a pull request is created on the github repo for the project in question, for example your Drupal site. If you have a good testing setup, this will trigger your tests, and hopefully pass. Now, if you have continuous deployment set up, you can basically merge and deploy updates while sitting in a coffee shop on your phone. Which is now something I have done several times!
I am planning to write a longer blog post about a more complete continuous deployment setup, but just wanted to share a couple of quick fun animated gifs about how Violinist.io works
A couple of weeks ago a new version of Drupal console came out. After it was tagged on Github, an update was available through composer. Since Violinist picked this up, it opened up a new pull request on all of my projects that depend on this. That looks something like this:
I captured this animation because I was fascinated about the short time window between the release and the pull request. As you can see in the animation, it was only around 10 minutes! Now all left for me was to see that the tests passed, read through the changelog (including links to all commits) and merge in the update. Minutes after it was automatically deployed to the production server. About as easy as it gets!
But it's not only other Github hosted projects, or generic php packages that get updated. For a typical Drupal project I also depend on modules from Drupal.org, and I download these modules with composer. Violinist.io supports those as well. Here is one example (from this very site you are reading) where a new pull request with a full changelog was posted only 8 minutes after it was released on Drupal.org.
Since admin_toolbar is a module I use on many projects, I now could just navigate from pull request to pull request, and update all of my sites within minutes, while still on my phone. A real time saver!
Full disclosure: As you probably understand from the enthusiastic description, I am also the creator of the service. It is completely free for open source projects, and up to one private project. Feel free to reach out if you have any questions or comments! To finish it off, here is an animated gif about enthusiasm.
Thank you to the 1,670 people who joined us at DrupalCon Vienna!
So many volunteers! So many sandwiches! We had a wonderful time in Vienna and can't wait to see you all for DrupalCon Europe 2019.
Until then - we hope to see you in Nashville 2018.
David Rogers, Senior Front End Engineer at Pendo.io, joins Mike Anello to discuss React from a Drupal-specific standpoint. They discuss the road to the Drupal community selecting React for use in Drupal core, when a typical Drupal developer should start thinking about React, and what the best first steps are for learning it.
Interview
- Drupal looking to adopt React.
- Proposal to use React for building Drupal’s administrative UIs.
- Medium post on the original React license.
- Official Documentation.
- How to Learn React - A Five Step Plan blog post from Lullabot.
- Learn React.js in 8 minutes.
- Codeschool Try React course.
- Mastering Drupal Development Workflows with Pantheon - begins February 27, 2018.
- MyDropWizard.com - Long-term-support services for Drupal 6, 7, and 8 sites.
- WebEnabled.com - devPanel.
If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.
This is part two of our series processing the results of the Amazee Agile Agency Survey. In Part 1, I provided an overview of initial observations from survey results. Here, in Part 2, I would like to focus on process insights.
Josef Dabernig Mon, 11/27/2017 - 10:11
In Part 1, we identified Scrum as the most important process for Drupal agencies. Kanban was stated as “somewhat in use” for the most part and also had various agencies stating it as “mostly in use”.
We also asked about “Other important processes?”. From the results, respondents mentioned “Critique, automated testing, collaborative sketching”, such as GitLab workflow, DSDM, Holacracy, Extreme Programming (XP), and Agency Agile.
When asked how strictly the process is implemented, the top-rated option, chosen by 36.7% (on a scale from 1-5), was a “4”, which indicates these agency processes are followed rather strictly. Following this is a “3”, which indicates a balance between strict adherence and many adaptations, and a “2”, which refers to rather many adaptations. Fewer agencies still chose the two extremes, split evenly between following processes very strictly and implementing many adaptations to processes.
When asked for which adaptations were applied to their processes, agencies mentioned the following:
- Custom dashboards
- Backlog organization of “in scope” versus “out of scope”
- As scrum is all about inspect and adapt, the result will always look differently
- Scrum gets adapted to different customer needs or other stakeholders in the company asking for it
- Often clients expect fixed price offers with a fixed scope and fixed deadline, results is trying to be agile within those borders
- The best process is invisible and will feel natural once you found the best way, process needs to match individuals needs
From our experience at Amazee, I’d say we tend towards a “4” where we try to follow Scrum strictly but we also don’t want to overdo it. As mentioned in the comments, Scrum is really about the team taking ownership of the process, which requires flexibility. We constantly try to adapt our processes where we feel it helps fulfill our mission to deliver great software to our clients.
How do you structure your processes and what works best for you? Feel free to leave us a comment below. If you are interested in an Agile or Scrum training for yourself or your company, contact us.
Stay tuned for next post where we’ll look at teams: sizes, location, and team assignments.
Drupal 8 represents some major changes to the way we work with themes. There is now Twig, asset libraries, component based CSS, to name a few of the changes. If you are used to working with themes in Drupal 7, all these changes can be overwhelming. But it is well worth the effort - building themes in Drupal 8 is a much improved experience.
As seen in the recent Uber hack, storing secrets such as API tokens in your project repository can leave your organisation vulnerable to data breaches and extortion. This tutorial demonstrates a simple and effective way to mitigate this kind of threat by leveraging Key module to store API tokens in remote key storage.
by Nick Santamaria / 24 November 2017
Even tech giants like Uber are bitten by poor secret management in their applications. The snippet below describes how storing AWS keys in their repository resulted in a data breach, affecting 57 million customers and drivers.
Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Uber could have avoided this breach by storing their API keys in a secret management system. In this tutorial, I'll show you how to do exactly this using the Key module in conjunction with the Lockr key management service.
This guide leverages a brand-new feature of Key module (as of 8.x-1.5) which allows overriding any configuration value with a secret. In this instance we will set up the MailChimp module using this secure config override capability.
Service Set-Up
Before proceeding with the Drupal config, you will need a few accounts:
These third-party services provide us with a simple example. Other services are available.
Dependencies
There are a few modules you'll need to add to your codebase.
- Go to /admin/modules and enable the MailChimp, Lockr and Key modules.
- Go to /admin/config/system/lockr
- Use this form to generate a TLS certificate that Lockr uses to authenticate your site. Fill out the form and submit.
- Enter the email address you used for your Lockr account and click Sign up.
- You should now be re-prompted to log in - enter the email address and password for your Lockr account.
- In another tab, log into the MailChimp dashboard
- Go to the API settings page - https://us1.admin.mailchimp.com/account/api/
- Click Create A Key
- Note down this API key so we can configure it in Drupal in the next step.
- In your Drupal tab, go to /admin/config/system/keys and click Add Key
- Create a new Key entity for your MailChimp token. The important values here are:
  - Key provider - ensure you select Lockr
  - Value - paste the API token you obtained from the MailChimp dashboard.
- Now we need to set up the configuration overrides. Go to /admin/config/development/configuration/key-overrides and click Add Override
- Fill out this form. The important values here are:
  - Configuration type: Simple configuration
  - Configuration name: mailchimp.settings
  - Configuration item: api_key
  - Key: The name of the key you created in the previous step.
... and it is that simple.
Result
The purpose of this exercise is to ensure the API tokens for our external services are not saved in Drupal's database or code repository - so let's see what those look like now.
MailChimp Config Export - Before
If you configured MailChimp in the standard way, you'd see a config export similar to this. As you can see, the api_key value is in plaintext - anyone with access to your codebase would have full access to your MailChimp account.
```yaml
api_key: 03ca2522dd6b117e92410745cd73e58c-us1
cron: false
batch_limit: 100
api_classname: Mailchimp\Mailchimp
test_mode: false
```
MailChimp Config Export - After
With the key overrides feature enabled, the api_key value in this file is now null.
```yaml
api_key: null
cron: false
batch_limit: 100
api_classname: Mailchimp\Mailchimp
test_mode: false
```
There are a few other relevant config export files - let's take a look at those.
Key Entity Export
This export is responsible for telling Drupal where Key module stored the API token. If you look at the key_provider and key_provider_settings values, you'll see that it is pointing to a value stored in Lockr. Still no API token in sight!
```yaml
dependencies:
  module:
    - lockr
    - mailchimp
id: mailchimp_token
label: 'MailChimp Token'
description: 'API token used to authenticate to MailChimp email marketing platform.'
key_provider: lockr
key_provider_settings:
  encoded: aes-128-ctr-sha256$nHlAw2BcTCHVTGQ01kDe9psWgItkrZ55qY4xV36BbGo=$+xgMdEzk6lsDy21h9j….
key_input: text_field
```
Key Override Export
The final config export is where the Key entity is mapped to override MailChimp's configuration item.
```yaml
status: true
dependencies:
  config:
    - key.key.mailchimp_token
    - mailchimp.settings
id: mailchimp_api_token
label: 'MailChimp API Token'
config_type: system.simple
config_name: mailchimp.settings
config_item: api_key
key_id: mailchimp_token
```
Conclusion
Hopefully this tutorial shows you how accessible these security-hardening techniques have become.
With this solution implemented, an attacker cannot take control of your MailChimp account simply by gaining access to your repository or a database dump. Also remember that this exact technique can be applied to any module which uses the Configuration API to store API tokens.
Why? Here are a few examples of ways popular Drupal modules could harm your organisation if their configs were exposed (tell me about your own worst-case scenarios in the comments!).
- s3fs - An attacker could leak or delete all of the data stored in your bucket. They could also ramp up your AWS bill by storing or transferring terabytes of data.
- SMTP - An attacker could use your own SMTP server against you to send customers phishing emails from a legitimate email address. They could also leak any emails the compromised account has access to.
What other Drupal modules could be made more secure in this way? Post your ideas in the comments!
Go forth, and build secure Drupal projects!
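One way to verify the result in CI, as an added example that is not part of the original tutorial or of the Key module: the script finds key override exports by their fields (config_name, config_item, key_id), then checks that the overridden item is null in the target export and that the referenced key entity does not use Key's config provider, which would keep the secret in the export. The sample file contents, the override file name and the token value are constructed, and only top-level config items are checked.

```python
"""Audit a Drupal config export for secrets that Key overrides should have removed."""
import re
import sys
from pathlib import Path

TOP_LEVEL = re.compile(r"^([A-Za-z0-9_]+):[ \t]*(.*)$")
NULLS = {"", "null", "~", "''", '""'}


def top_level_scalars(text):
    """Read unindented `key: value` lines only; enough for the flat exports shown above."""
    values = {}
    for line in text.splitlines():
        m = TOP_LEVEL.match(line)
        if m:
            raw = m.group(2).strip()
            values[m.group(1)] = None if raw in NULLS else raw.strip("'\"")
    return values


def audit_exports(files):
    """files maps export file name -> YAML text; returns a list of findings."""
    parsed = {name: top_level_scalars(body) for name, body in files.items()}
    # Key entities are recognised by their fields, not by file name.
    keys = {d["id"]: d for d in parsed.values() if d.get("id") and d.get("key_provider")}
    findings = []
    for name in sorted(parsed):
        d = parsed[name]
        if not all(d.get(k) for k in ("config_name", "config_item", "key_id")):
            continue  # not a key override export
        # Drupal exports each config object as <config name>.yml.
        target, item = d["config_name"] + ".yml", d["config_item"]
        if "." in item:
            findings.append(f"{name}: nested item '{item}' needs a manual check")
        elif parsed.get(target, {}).get(item) is not None:
            findings.append(f"{target}: '{item}' still holds a value in the export")
        key = keys.get(d["key_id"])
        if key is None:
            findings.append(f"{name}: key '{d['key_id']}' has no exported key entity")
        elif key["key_provider"] == "config":
            # Key's Configuration provider keeps the value inside the key entity export.
            findings.append(f"key '{d['key_id']}': provider 'config' stores the secret in the export")
    return findings


def load_exports(directory):
    """Read every *.yml file of a config sync directory into a name -> text mapping."""
    return {p.name: p.read_text(encoding="utf-8") for p in Path(directory).glob("*.yml")}


# Constructed sample exports modelled on the ones above (token value is made up).
OVERRIDE = """status: true
id: mailchimp_api_token
config_type: system.simple
config_name: mailchimp.settings
config_item: api_key
key_id: mailchimp_token
"""
KEY_LOCKR = "id: mailchimp_token\nlabel: 'MailChimp Token'\nkey_provider: lockr\nkey_input: text_field\n"
SETTINGS_BEFORE = "api_key: EXAMPLE-PLAINTEXT-TOKEN-us1\ncron: false\nbatch_limit: 100\n"
SETTINGS_AFTER = "api_key: null\ncron: false\nbatch_limit: 100\n"


def sample(settings, key=KEY_LOCKR):
    return {
        "mailchimp.settings.yml": settings,
        "key.key.mailchimp_token.yml": key,
        "override.mailchimp_api_token.yml": OVERRIDE,  # constructed file name
    }


if __name__ == "__main__":
    exports = load_exports(sys.argv[1]) if len(sys.argv) > 1 else sample(SETTINGS_BEFORE)
    problems = audit_exports(exports)
    print("\n".join(problems) or "no plaintext secrets found for overridden items")
    sys.exit(1 if problems else 0)
```

Run it with the path of your config sync directory as the only argument; a non-zero exit status fails the build.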
Tagged DrupalSouth, Drupal Security, Security, APIs
Systems Operations Developer
Dated 24 November 2017
Is your commerce site ready for the big time? We're talking about Black Fridays, product launches, back-to-school weeks, and any other time you are going to get exponentially more traffic than you would normally get. A lot of people just assume their site/server/staff can handle such increased volume, but unless you've tested it by running 10 or 20 or 50 times the traffic through it, you really don't know.
The problem is that scaling doesn't work in a linear way. Let's say you're currently using 10 percent of your server's capacity. Simple math would indicate that you could handle 10 times as much traffic and be at 100% of capacity, so you should be fine.
But it doesn't necessarily work that way in the real world. It could be that there is some sort of hidden flaw that flares up when that volume of traffic comes through: maybe you hit some sort of race condition, or a caching system starts to cycle too fast, or you get a database bottleneck and everything gets backed up behind it. It could be some little glitch that's easily fixed and everything goes back to normal—but if you fix it halfway through the biggest sales day of the year, it's too late.
So how can you get ready?
1. Do performance testing.
Your goal should be to mimic live as much as possible. You don't just want to run the test on your local server. You want to spin up a similar environment, or maybe spin something up at 1/10th of the scale and hit it hard with lots of capacity. Or do it through Amazon and only run it for an hour or something to save on cost.
Once you have your environment, you have to try to simulate actual traffic. You don't want to just hit the home page repeatedly, because that's not how your customers interact with your site. They go through the checkout, and click around on product pages, and search, and log in to their account. They do a whole bunch of random stuff, and you have to try to mimic that. You can't do it perfectly, but you want to hit all the parts of your site and throw a bit of randomness in there to try to get as close to the real experience as possible.
In a perfect world, you would have gone through a similar event like Black Friday already and learned from it. But maybe you're a first-timer. Or maybe you're launching a big new product unlike anything you've had before, and it's backed by a TV spot, and you're expecting a massive volume of sales to follow. So test your site and be sure.
2. Prepare for stock issues.
Stock problems can obviously be much worse in a high-volume situation. On a slow day, if an order goes through when you are out of stock, maybe you could just call that person and say oops, sorry, but it's going to take a couple days to fill that order.
But if you have a huge burst of traffic, you might sell 20 items when you only have two in stock. And you can't even get 18 on your next order, and it's going to take six weeks to get that many, and now you have a real problem.
So if that happens, what do you do? How are you handling out-of-stock issues? Do you have messaging to say this is going to be delayed? Are you going to shift customers to alternate recommended products? These are all things you need to consider.
3. Set staffing levels appropriately.
You don't want to be in a situation where your website can handle the traffic, but your human workers cannot. In a physical store, everyone knows they need to up the number of sales staff to deal with a huge crush of shoppers. But when it comes to the website, sometimes people forget that someone still needs to put 10 times as many items in boxes, and deal with 10 times as many email complaints, and talk to 10 times as many customers via live chat.
How does your current process scale? How fast does it take you to do an order? Maybe you need to think about automated shipping, or standardized box sizes, or any one of a number of other things that will make your staff's lives easier during high-volume times.
Conclusion
As you can see, there are quite a few things that you can do to make sure you're operating smoothly during those peak sales days throughout the year. Some of these things you can do yourself. Some of them you might need some technical support. If support is what you need, or you'd like to discuss this further, contact us. We've been through it all before and can share our experience.
As mentioned in my previous post, I’ll be sharing the videos of the various talks by Amazees at Drupal Camp Cape Town 2017, over the upcoming weeks.
Jason Lewis Thu, 11/23/2017 - 14:55
First up we have Head of Global Maintenance at Amazee Labs, Bryan Gruneberg, who spoke about "Maintainability and Longevity - Keeping customers and developers happy". Maintaining strong, robust sites that evolve with the client’s needs is of utmost importance to us and was a topic that received a lot of interest from Camp attendees.
Enjoy the Video!
Developers often come across a situation where they are required to reduce database load by caching DB objects in RAM. Here Memcache improves Drupal application performance by moving standard caches out of the database and by caching the results of other expensive database operations.
Note that Drupal doesn’t support Memcache by default, and for this, we need to install it on the server. Let’s see how to install Memcache on the server and configure it with Drupal 8 to reduce the load on the database with every page load.
Let’s see how to install Memcache on server
Open the terminal on your local machine and run the following commands:
Step 1: sudo apt-get…
When you think of training, perhaps you remember an event that you were sent to where you had to learn something boring for your job. The word training does not usually make people smile and jump for joy, that is unless you are talking about Drupal training. These gatherings spread the Drupal knowledge and increase diversity in the community of Drupal developers.
Join us for Global Training Day on November 29th. It will be held online from 9 AM to 4 PM EST. - https://groups.drupal.org/node/517886
A link to the live workshop on Zoom will be provided when you sign up!
The Drupal Association coordinates four dates each year as Global Training Days, designed to offer free and low-cost training events to new-to-Drupal developers and to create more Drupal talent around the world. The community is growing exponentially as more people learn how fun and easy it is to get involved and be productive. Volunteer trainers host these global events in person and online. In 2016, a Global Training Days Working Group was established to run this program. There is a Global Training Days group on Drupal.org that lists trainings around the world - https://groups.drupal.org/global-training-days
Coming up, we have Global Training Day on November 29th. Mauricio Dinarte will be leading the training online. As an introduction to Drupal a person needs to learn certain things that are specific to Drupal and some are not that intuitive. It is important to cover the very basics in terminology and process. An introductory class can include many things, but this list is what Mauricio covers during the day long event:
- Drupal installation requirements and process
- Content types
- Theme regions
- User and permissions
The outcome of a day of training is that everyone walks away understanding the main moving parts of Drupal and a bit about what they do. Of course you will not become a developer overnight, but you will have enough information to build a simple site and then explore more of Drupal on your own. You can follow up with many online tutorials and by joining the Drupal group in your area and attending the meetings. At meetings you will connect with other people at different levels of skill and you will be helped and helpful at the same time! If there is no Drupal group in your area, I suggest you start one. It can start as easily as posting online that you will be at a specific location doing Drupal at a certain time of day - you will be surprised at who may show up. If no one shows up the first time, try again or try a different location. One of the best things about Drupal is the community and how large and connected we are. If you start a group, people will usually help it grow. Bringing new people to Drupal is not only good for increasing the size of the member base, it also brings diversity and reaches people that may never have had an opportunity or access to a free training. The trainings are usually held at a University in or near a city which attracts people from different backgrounds and cultures. We can also reach people that are not in a city or near a school by sharing online.
Have you ever thought about volunteering at a Global Training Days event? We have a blog about organizing your own Global Training Days workshop that can get you started. This is a great way to get to know the people in the community better, up your skills and perhaps share something you have learned. I learned much about programming by assisting developers at sprints and trainings. This is where the real fun begins. Learning does not have to be stressful, and in the Drupal community people are friendly and welcoming. No question is stupid and even those with no experience have valuable skills. Developers love people without prior experience because they make the perfect testing candidates for UI and UX. The down side is that Drupal is so captivating that you will probably not remain a newbie for very long, so enjoy it while it lasts.
One of the true highlights of Global Training Days is seeing all the people around the world gain valuable skills and share knowledge. We hope you can join us.
Last week I switched from years of using Chrome to Firefox 57 because of all the hype about it being fast, and that I'd been suffering from Chrome using up to 10GB of ram. The big issue I hit though was I didn't have Dreditor and there seemed to be no way to install it. I decided to go on using Firefox without Dreditor, and loading Chrome every time I needed to do an in depth patch review.
Then yesterday I saw the latest Commit Strip cartoon, where in a reply @williambl suggested Chrome Store Foxified for converting Chrome plugins to Firefox. First thing I thought was to try the Dreditor Chrome plugin, and it worked.
This morning Berdir suggested "maybe someone will release that thing as a public extension". So I went digging on addons.mozilla.org and found I could download the XPI file Chrome Store Foxified created during the conversion.
So here it is:
Download Dreditor for Firefox now!
GraphQL is becoming more popular every day. Now that we have a beta release of the GraphQL module (mainly sponsored and developed by Amazee Labs) it's easy to turn Drupal into a first-class GraphQL server. In this second post of the series, we'll describe the way Drupal fields are represented in GraphQL and look at a few examples.
Blazej Owczarczyk Thu, 11/23/2017 - 09:59
Last week we talked about the new structure of the GraphQL package. We have also looked at the tools bundled with the module - the explorer and the voyager - and we've explored how to fetch a username. Now let's use GraphiQL to assemble queries that are a bit more complex.
The Naming
GraphQL naming conventions are slightly different than Drupal's.
- Fields and properties are in camelCase. This means that field_image in Drupal becomes fieldImage in GraphQL and the revision_log property becomes revisionLog.
- Entity types and bundles use camelCase with the first letter capitalized so taxonomy_term becomes TaxonomyTerm and the tags vocabulary becomes TaxonomyTermTags. As we can see bundles are prefixed with the entity type name.
While fields and properties both translate to the same GraphQL structure called Field, entity types and bundles, despite sharing the naming convention, don't. The former is implemented as GraphQL Interfaces and the latter are GraphQL Types (implementing these Interfaces). As an example:
This query contains fields from 3 different GraphQL structures that build upon one another.
- entityId and entityCreated come from the Entity Interface. These fields are available for all entity objects. nodeById query returns a Node Interface which extends Entity Interface.
- title and status are defined in the Node Interface and are available for all nodes, regardless of their content type.
- fieldSubtitle is a field (field_subtitle in Drupal) that has been added to the Article content type. It's part of neither the Node nor the Entity Interface; it is only available in the NodeArticle Type. nodeById can return any node, not just Article, so we need to wrap the fieldSubtitle in a GraphQL Fragment.
If we paste the query into GraphiQL (/graphql/explorer) we'll get a result similar to this one:
The Fragments
GraphQL Fragments, as the name implies, are just pieces of a query. They mostly serve two purposes:
- Executing part of a query conditionally - only when the result is of a specified type. In the example above fieldSubtitle will be evaluated only when the node with id 1 is an Article. If it turns out to be a Basic Page, the fragment will be omitted and the response will just be one field shorter without raising any exceptions.
- Reusability. A fragment can be given a name and be used more than once.
There are two fragments in this query. The first one starting on line 3 is an inline fragment. We need it because fieldCategory and fieldTags are only attached to Articles and nodeById can return any node.
The other one, defined on line 18, is a named fragment thanks to which we don't need to repeat the sub-queries for fieldCategory and fieldTags.
This is what the result could look like. Node 1 is an Article; it has 2 tags in one category term.
The Aliases
There might be situations when we want to use the same field more than once in a single query, to fetch node 1 and 2 simultaneously for instance. We can do that thanks to GraphQL Aliases.
Here we're calling nodeById twice, each time with different arguments and aliases. The former will appear under nodeOne key in the result and the latter will be available under nodeTwo. We've also transformed the inline fragment holding the article fields into a named fragment and used it in both queries to reduce unnecessary repetition.
That's it for this post. In the next one, we'll see how to retrieve the values of Drupal fields and properties.