Planet Drupal

Aggregated feeds in category Planet Drupal

Acquia: Four Final Questions You Should Ask Your Drupal Cloud Host

Tue, 05/05/2015 - 18:48
You know how when you're buying a car, and the questions just keep on coming? And the salesperson keeps making roundtrips to the manager's desk?

It's kind of like that when you're considering where to host your website. There's always time for more questions. It's one less surprise later on.

That's why I keep adding to my list.

It started, you may recall, with just five questions. A week later, I added five more. Now, before closing out this series, I've got a final four.

Ask now, avoid unpleasant surprises later. That's my motto, and it should be yours.

1. What is your level of Drupal expertise?

Acquia offers the industry's highest level of technical Drupal expertise. Our support organization is larger than most hosting companies––over 60 professionals worldwide with over 250 years of combined experience. And Acquia’s overall level of in-house Drupal expertise is unparalleled with over 150 Drupalists, including core owners, security team members, and module contributors. Furthermore, Acquia’s wealth of Drupal knowledge is being expanded continuously. Closed loop processes between our support and engineering organizations help to drive new tools and add to our Help Center, which we then share with the Drupal community.

2. If my site turns into a volcano of errors, will you proactively notify me?

Acquia monitors the health of customers’ servers, and we proactively notify customers of the nature of any issues we detect. When the problem is server-side, we mitigate it, and when the issue is caused by something on the application side, we provide recommended steps to resolve the issue (though we do not usually implement them ourselves unless the customer cannot for some reason).

Acquia also gives customers access to advanced monitoring at the application level, via partners like New Relic or features like our Uptime Monitoring tool—both of which can be used to alert customers in a self-service fashion whenever the application is suffering. If the root cause is server-related, we will notify the customer proactively, but some issues are application-only (meaning they do not trigger server health alerts on our end), so that is why we recommend that customers utilize application-level monitoring whenever possible.

3. Do you offer advanced platform analysis tools to help ensure that my application is running at its best?

Every Acquia Cloud Subscription comes with a suite of tools that make managing your Drupal sites easier than ever before. Drupal site developers, administrators, and site owners can quickly identify problems, eliminate costly mistakes, simplify processes, and improve overall site performance. Acquia’s monitoring tools analyze and measure the quality of your site based on security and performance parameters. Dozens of tests ensure your site’s conformance with best practices for security, performance, and general Drupal and web application development. Monitoring over 50 settings, these tools provide real-time analysis and proactive alerts for issues with your Drupal code and configuration. You can identify code issues and modifications fast, easily download patch files, and view needed updates at-a-glance. You’ll receive a site score to help you improve the quality of your site. You’ll get clear, actionable recommendations to help solve problems and expand your Drupal knowledge.

Acquia provides several additional tools that help you quickly troubleshoot problems with your application. The Uptime Monitoring tool monitors your site’s uptime and responsiveness. It checks your site every minute to see if it’s online and serving pages. For a developer looking to quickly and easily get visibility into a problem, log streaming is a solution that allows for easy access to information without having to download a full day’s log file. It provides real-time access to server logs from within the UI—making troubleshooting more efficient.

4. What is your uptime Service Level Agreement (SLA), and how do you ensure that you meet it?

Acquia commits to 99.95 percent platform, infrastructure, and application uptime. To ensure this, we operate monitoring services 24x7. Acquia uses the Nagios monitoring platform to provide instant access to over 50 vital real-time and historical metrics. We also maintain robust home-grown monitoring tools to ensure performance. Our team of Cloud Operations professionals is always standing by—proactively monitoring your environment and responding to critical issue alerts. With coverage in all time zones and fluency in five languages, the team is available 24x7 for critical, site-impacting issue response.

Drupal Watchdog: VIDEO: DrupalCon Amsterdam Interview: Cathy Theys

Tue, 05/05/2015 - 18:09
CATHY THEYS (Drupal Community Liaison, Blackmesh) runs sprints. She also mentors young Drupal sprinters. Go, Cathy!

Drupal Watchdog: Protecting Your Drupal 8 Resources

Tue, 05/05/2015 - 16:05
Drupal 8 incorporates an Authentication System which, given a request, attempts to identify a Drupal user by inspecting the HTTP request headers.

Authentication comes in handy when we want to restrict access to a resource in Drupal. It can be applied to any route, although the method to implement it may differ. It is most commonly used to identify requests when we are exposing data through an API from our Drupal site.

Authentication and Authorization

Imagine you are going through airport security. The security agent asks to see your ID – a passport or driver’s license, say. The act of showing your ID is what we call Authentication. In Drupal – as in almost all websites – your authentication credentials are your username and password.

Next, the security agent checks your boarding pass to verify that you are in the right place and have clearance to get on a plane. That’s called Authorization. In Drupal your role (and therefore the permissions assigned to that role) are your Authorization credentials.

To summarize: authentication means "who are you?"; authorization means "may you proceed?".

Enjoy your flight!

Authentication in Drupal 8

In Drupal 8, Authorization is handled by the Access System and won't be covered in this article; there is an internal system to handle Authentication, so let's start with the following statement:

Thanks to the Modular Authentication System, different Authentication Providers may extract a $user out of a given $request object.

There are a few keywords in that statement. Let's dissect them briefly:

ThinkShout: Monkeying Around with D8

Tue, 05/05/2015 - 11:00
Leading the Charge

I have used A LOT of email marketing service providers over the years and my opinion of them was twofold: they were all similar and none of them were particularly great. Was it possible that this was just a category of business that would never be exciting or innovative? Was I destined to be a project manager who half-heartedly recommended whatever email service provider I was using most at the time to clients?

Enter the chimp...

Despite its playful name, MailChimp (http://www.mailchimp.com) made a serious shift in a category that had always had potential but lacked a champion. My first thought when I used the tool was that even if the feature set was identical to all its competitors, MailChimp’s user interface alone set it apart. But once I dug into its capabilities, I became a bona fide fan (dare I say ambassador) of the brand. From automated email workflows and slick segmentation capabilities, to the tablet app that facilitates email sign-ups without an internet connection, MailChimp became the new king of the jungle.

Fast forward a few years, and here I am working at ThinkShout, MailChimp’s Drupal partner. We built and maintain the MailChimp Drupal module, which is used by nearly 22,000 websites.

If you are familiar with MailChimp’s motto - listen hard and change fast - (or if you just read the first couple paragraphs of this blog post), then it should come as no surprise that innovation is at the heart of MailChimp’s culture. With the release of Drupal 8 looming this Fall, MailChimp and ThinkShout saw a unique opportunity to lead the charge by porting one of the most popular email modules to be D8 compatible.

The Only Way Through it is Through it

Being a trailblazer isn’t easy, and MailChimp understood that pushing the envelope on D8 development would require an investment of time and resources. While the core MailChimp module is relatively simple, the bundled submodules are feature-rich and technically complex.

Let’s recap what the MailChimp module allows you to do:

- Any “object” in Drupal that has an email address, say a User, Contact, or even a Comment, can be automatically subscribed to a list and segmented based on other attributes, like their zip code.
- Display a list subscription status on an entity or a subscription form.
- Map Drupal Data, such as name and address, to merge fields in MailChimp.
- Create forms to allow site visitors to sign up for any Mailchimp List or combination of Lists.
- Create Pages, Blocks, or both to display forms.
- Create campaigns containing any Drupal entity, or entities, as content.
- Send campaigns created in Drupal through MailChimp or Drupal.
- View campaign statistics and email activity for all list subscribers.

Luckily, one of the greatest aspects of our partnership with MailChimp is our shared passion for recognizing opportunity in challenges and giving back to the community. With that spirit, a couple of ThinkShout engineers dove in head first with the goal of porting the majority of the popular D7 module’s features over to D8 in time for a beta release at LA. During the process, they realized that the available Drupal 8 documentation wasn’t keeping up with the speedy pace of D8 development. Over the course of several weeks, our engineers updated documentation and created examples to make life (or at least development) a little easier for the next developer looking to create something similar.

It’s a Sprint, Not a Marathon

With the conference approaching, it was time to call on the ThinkShout village to help put the polish on the new module. Since nine heads are better than two when it comes to user testing and QA, we scheduled a sprint to focus our engineering department on providing that critical perspective needed at the end of a large development project.

During our afternoon sprint, our engineering department ran a battery of tests (both human and automated) to document and resolve bugs. Our engineering staff has grown quite a bit recently, so the sprint also provided an opportunity for knowledge sharing about MailChimp and D8 development across the team. As a non-engineer fly on the wall, it was exciting to witness the energy at the sprint table, as bugs were closed and high-fives were thrown.

The Future is Now

So far, I’ve focused on what some of the challenges of early D8 development have been, and you’re surely wondering by now “So, what do you think about D8?” Short answer: we’re excited, and we think you should be, too.

Drupal 8 standardizes module development by enforcing PSR-4 compliant namespaces. Whereas D7 allows developers to dictate where a form or entity is placed, for example, D8 loads files in the correct path automatically. What does this mean for developers? Well, it means time saved by not having to search an entire codebase to find where the developer before you placed a form. And because this structure is more in line with general engineering practices, it will be easier for any developer to ramp up for Drupal development.

But the benefits aren’t just for developers. We are also excited about the efficiencies that will be created for our nonprofit clients. Not only do they stand to benefit from the streamlined development approach, but that shift in approach will also make it easier to find resources to maintain and enhance their sites.

Learn More About the New MailChimp Module

Come and see us at LA, where our very own Tsypin will be giving a talk about the evolution of MailChimp's support for Drupal, the basics of how the integration works, and a hint at what's to come for Drupal 8. Don’t worry if you can’t make it to the talk because we’ll also be hanging out in the MailChimp booth. And if you spot one of us (you’ll recognize us by our ThinkShout hoodies), stop us! We’d love to chat about what we’ve learned about D8 and why we are excited for its release. Also, be sure to check out blogs we've written about our work on the MailChimp module.

Drupal core announcements: Drupal 7 core release on Wednesday, May 6

Tue, 05/05/2015 - 07:39
Start: 2015-05-06 (All day) America/New_York
Event type: Online meeting (eg. IRC meeting)
Organizers: David_Rothstein

The monthly Drupal core bug fix/feature release window is this Wednesday, May 6. Although there was a release just last month, it's a good time for another one, to fix a regression introduced in Drupal 7.36 that affected some sites as well as to get a few other fixes in. Therefore, I plan to release Drupal 7.37 this Wednesday.

The final patches for 7.37 have been committed and the code is frozen (excluding documentation fixes and fixes for any regressions that may be found in the next couple days). So, now is a wonderful time to update your development/staging servers to the latest 7.x code and help us catch any regressions in advance.

The primary purpose of this release is to fix a regression caused by Drupal 7.36 which caused content types on some existing sites to become disabled after the update (see the release notes and the for further information). The fix is intended to work for sites that already upgraded to Drupal 7.36 (it should restore content types that were erroneously disabled) as well as for those that did not. More testing of this issue in particular is welcome.

You might also be interested in the tentative for Drupal 7.37 and the corresponding list of important issues that will be in the Drupal 7.37 release notes.

If you do find any regressions, please report them in the queue. Thanks!

Upcoming release windows after this week include:

- Wednesday, May 20 (security release window)
- Wednesday, June 3 (bug fix/feature release window)

For more information on Drupal core release windows, see the documentation on timing and releases, and the that led to this policy being implemented.

DrupalCon News: Accessibility at DrupalCon

Mon, 05/04/2015 - 23:49
Inclusivity is incredibly important to us at the Drupal Association. As part of our organizational value of respect, we state: “We respect and value inclusivity in our global community and strive to recognize, understand, and respond to its needs.”

But we believe that actions speak louder than words, and that’s why we’re pleased that DrupalCon will be so friendly to our community members who may require assistance or have certain accessibility needs during the events.

Drupal Association News: 2015 At-Large Election Data Released

Mon, 05/04/2015 - 22:35
It was just a few weeks ago that we welcomed Addison Berry as our new At-Large board director after a very eventful elections process. Almost as soon as we announced the news, we heard feedback via Twitter and the blog post comments that there was strong interest in seeing the voting data. In our transparent community, it only seemed natural to share the aggregated voting data.

We agreed, but because we had not previously shared any of that data publicly, we decided to take it to the board for discussion before doing so. One thing we did NOT want to do is discourage candidates from further community participation by exposing voting data without their knowledge. So, at the April board meeting, we discussed the requests.

The board members were all in agreement that sharing the data is a good thing. The one concern was that because this issue had not been raised before, we had not asked the candidates or shared with them that voting data would be shared. It was agreed that in future elections, we will inform candidates on the self-nomination page that their data will be shared. For sharing this election's data, we went back and asked candidates to opt-in to share their voting results.

So, what we are sharing this year is a first step toward broader transparency around elections data. This year, we can only share with you an image file with data obscured for candidates who did not opt-in. The file does show you the progression of the IRV voting runoff, but we recognize that an image file is not highly usable.

However, the discussion we had around sharing voting data was really informative and actually fun (I love data!). We have already developed a number of stories for the next iteration of the elections module that we deploy, and these will allow us to potentially track and share a lot more aggregate data. It would be great, for example, to know where the votes came from geographically. It would also be great to release the data in a more usable way, like a CSV file. Feel free to share what you would like to see from future elections in the comments below. Just know that we are committed to only share aggregated data and will never drill down to share how a particular voter voted.

With that, it's time to share the voting data. Remember that we use voting, so the image below shows that process - getting to a candidate with more than 50% of the votes (as opposed to a simple majority). The result is that the candidates with the fewest #1 placements are eliminated in each round until one candidate has a majority. You can see the votes of candidates being transferred in each round. Things become much clearer in the end when you can see the final 5 candidates:

- Ani Gupta
- Anonymous
- Enzo
- Michael Schmid (not named, but he is the remaining candidate when the winner is declared)
- Addison Berry (the winner!)

Thank you again for the push to share this data and we look forward to do even more in the next election:

[Image: voting data for the 2015 At-Large election]

Drupal Easy: DrupalEasy Podcast 151: Shirtless at Drupalcon (Brett Meyer and Stephanie Gutowski - Drupal Watchdog/DrupalCon Los Angeles preview)

Mon, 05/04/2015 - 20:22
Brett Meyer, of Strategy at ThinkShout, and Stephanie Gutowski, Engagement Organizer/Manager at ThinkShout, join Ted, Ryan, and Mike to talk about video games. Specifically, Age: Inquisition. Seriously - Brett and Stephanie have an article in the upcoming issue of Drupal Watchdog (https://drupalwatchdog.com) where they relate content strategy in web sites to content strategy in content-heavy video games. We also focus on DrupalCon Los Angeles including what we're looking forward to, if sessions are still necessary, community vs. business networking, and if it's possible to only pack a single shirt.

Acquia: Build Your Drupal 8 Team - Skills for Tech, Non-Tech, and Bridge Members

Mon, 05/04/2015 - 19:12
Getting your hands on new technology is the best part of being a developer -- playing around with it, and trying out cutting-edge concepts is challenging.

But trying to meet deadlines with new tech, especially if you don't understand it fully? That can mean lots of late nights and weekend work when you'd rather be doing something else.

Fortunately, working with Drupal 8 builds on core skills your team already has. Augmenting their existing knowledge with additional skills to use the new functionality of Drupal 8 will help your team deliver that first project successfully.

The new release of Drupal integrates technology that's become industry-standard, so developing skills in these areas will have benefits beyond the Drupal ecosystem.

[Figure: How to think about your Drupal 8 team: Tech, Non-Tech, and Bridge.]

Skills for the Tech Team Members

Even if you've worked with Drupal previously, upcoming architectural changes in Drupal 8 mean you'll need to spend some time to get up to speed.

For the tech folks, here's the bulletin: bone up on PHP, Symfony, and object-oriented development.

PHP underlies Drupal 8's event-listener, which is what makes its functionality work. Understanding PHP namespaces is important to coming up with a clean way of organizing your code modules and sub-modules.

Symfony is a PHP framework that's being incorporated into Drupal 8. It will help provide the routing, sessions and services container functionality. Features like dependency injection will help you develop reusable code.

Drupal 8 implements its fields, views, entities and nodes in an object-oriented fashion. This brings the benefits of object-oriented development, like inheritance and encapsulating functionality, but means you need to understand concepts like polymorphism. Focus on understanding key design patterns like dependency injection -- you'll want to leverage those patterns in speed-building your site.

That sounds like a lot of learning, but you don't need to become experts in all of it -- you just need to get a deep enough understanding of the concepts and how to use them to speed your Drupal 8 development.

Skills for the Non-Tech Team Members

The non-tech members of the team don't get a free pass while developers hit the books.

Everyone on the team should understand the capabilities of Drupal 8 so they know what they can reasonably ask you to develop.

Finally, your team needs a bridge member -- a team lead or project manager who understands both the technical capability of Drupal 8 and the needs and wants of the business to mediate when there is a conflict between them.

A bridge member who is fluent in technology and business is key to making sure project commitments are realistic and achievable, allowing you to get the project done while having weekends to yourself.

Next: We'll drill down into the technical roles and required skills your team needs for Drupal 8.

Acquia: Jumpstart Your Drupal Project with a Technical Project Manager

Mon, 05/04/2015 - 17:46
Is your Drupal project stalled?

Perhaps you don't know exactly what's wrong, but for some reason the project is just stuck.

You're eager to take the next step -- if only you knew what that was. If you find yourself in this situation often enough, you might want to consider hiring a technical project manager.

What is a Technical Project Manager?

Simply put, a technical project manager is your liaison between your technical team and the non-technical people you are working with. Technical managers are familiar with technical jargon and processes, and most importantly, they understand the culture of IT professionals. Thus, they can communicate well and help motivate members of the IT team that aren't performing at their maximum capacity, help managers delegate work appropriately and jump-start project leadership.

Technical project managers do a whole host of things on any given day to help move projects into the next stage of completion. For example, they might:

- Write emails to members of the IT team to assign tasks, check in on project completion or resolve problems.
- Discuss the project one-on-one with technicians to make sure they are staying on track and are moving towards project completion.
- Write status reports.
- Lead IT team meetings.
- Help technicians brainstorm solutions to severe technical problems.

How to Work With a Technical Project Manager

The key to working with a technical project manager is to communicate often about the project. Here are some specifics to keep in mind:

- Share your vision for the project. Technical project managers are as prone to assumptions about what the project entails as other IT team members are. It's important to begin by ensuring everyone's on the same page. When the technical project manager is brought on board, have a team meeting where everybody shares what they think the project is meant to accomplish and what their role is. That way, the technical project manager understands what's needed and can make sure that everybody on the team knows what they are supposed to be doing.
- Collaborate on a timeline. One of the biggest problems with IT projects involves timelines. It can be tempting to get sucked into side projects when researching or working on the main project, and this can push deadlines back -- especially if those deadlines aren't clear to begin with. Sit down with the technical project manager to discuss the timeline for the project, including deadlines for each step. Together, the team can come up with a timeline that feels comfortable for everybody and the technical project manager can more easily help everybody stay on task.
- Have regular check-ins. Now that there's a technical project manager on board, IT team members can talk about technical difficulties or problems with completing their tasks as scheduled because the project manager will understand what they're talking about. Team members should get in the habit of checking in regularly with the technical project manager and sharing any concerns or technical problems that are interfering with progress.
- Use technology for check-ins and discussion. Reporting tools should be updated, and internal social media, instant messaging and conference calls should be utilized to quickly provide status updates for each member of the team.

Bringing a technical project manager on board can help bridge the gap between IT professionals and management.

Technical project managers have an IT background as well as a management background, so they are in a unique position to help projects get off the ground and moving towards completion.

J-P Stacey: Unicode, accented characters, Drupal Views Data Export and Excel

Mon, 05/04/2015 - 17:00
If you need to assemble listings of content in Drupal, Views is what you use. And if you need to export such a listing, into offline formats like CSV, Views Data Export is a definite contender for how to do it. However, when you open the output in Microsoft Excel, you can end up—intentionally or otherwise—learning a great deal about the internals of Unicode encoding.

NEWMEDIA: How to Prevent SQL Injections in Drupal

Mon, 05/04/2015 - 15:04
Drupal is an incredibly powerful open source CMS that allows you to create, manage, and serve content. Unfortunately, so can others if you don't properly sanitize all user input in order to prevent a malicious attack! Here are some tips on how to stop one of the most common vulnerabilities: SQL injections.

Motivation: Why CMS Security Matters

Regardless of whether your site is a simple blog or a top 50 web property, they all represent an investment of time, money, and creative energy. And, just like any investment of value, it's important to secure it in order to maintain its integrity.

Now, imagine a situation where all of your hard work can be compromised from a single, well-crafted attack. As a member of the Drupal security team, I can assure you that we're still receiving email reports every week regarding websites that were hacked from the now infamous "Drupageddon". Not only was such an attack possible, it was exploited worldwide within hours of the published disclosure. Of course, this is a particularly extreme example that happened to affect Drupal core. It's far more common to find vulnerabilities in custom code written by individuals that did not have the time and/or expertise to address.

That's the doom and gloom. Now let's imagine a different scenario in which you can sanitize all user input to ensure that you're protected however a user tries to interact with your website. This is exactly what we're about to go over for one of the most common forms of attack: SQL injection.

What is a SQL Injection?

A SQL Injection is similar to "riders" in the US Federal government. A "rider" is a somewhat frustrating legislative procedure where an unrelated provision is attached to another piece of legislation. This tactic is often used to sneak in something unpopular or controversial onto an otherwise legitimate piece of legislation.

Similarly, a SQL injection is where a legitimate operation (e.g. insert a piece of content) has a malicious instruction added to it (e.g. create a new user and give it root access).

Here is a basic example that could theoretically come from a form submission:

```php
$user_input = "JohnDoe";
$SQL = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query = "SELECT * FROM {users} WHERE username = JohnDoe";
```

Now most users submitting the form would cause no harm. However, it doesn't take much for a knowledgeable individual to create a malicious payload.

```php
$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$SQL = "SELECT * FROM {users} WHERE username = " . $user_input;
// Resulting query = "SELECT * FROM {users} WHERE username = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
```

Notice that the hacker can essentially create any arbitrary command by following this pattern. All an attacker needs to do is place any arbitrary command after the semicolon and they are off to the races. And because a CMS like Drupal relies heavily on the database, an attacker is then able to change just about anything (content, users, configuration, etc).

Sanitizing Data

The key principle to follow in preventing SQL attacks is to never trust user input. Instead, all user input should be sanitized such that no additional or unintentional database changes can be introduced.

With Drupal, there are a few ways to achieve this:

- Manually Sanitize
- Drupal's Database Abstraction Layer (db_query())
- Drupal Query Builder (DBTNG)

Let's review each.

Manually Sanitize

Even though this is the first approach we discuss, it is not a recommended approach. In this scenario you are either going around Drupal's database abstraction layer, or you are creating queries as strings of text and performing your own sanitation to remove riders (e.g. additional commands appended to the end of a legitimate command) as well as changes in logic (e.g. alterations to the existing query's logic to make it pass or fail).

The challenge here is you're essentially replicating what Drupal provides out of the box with its database abstraction layer. Worse, if you haven't thought through all the possible attack vectors, you may miss something important.

Bottom line, proceed at your own risk if you decide to go it alone.

Drupal Database Abstraction Layer

Here we use placeholders that properly escape portions of the user input that could add an additional payload/rider or change its intended logic. Returning to our previous example:

```php
$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
db_query("SELECT * FROM {users} WHERE username = :name", array(":name" => $user_input));
// Resulting query = "SELECT * FROM {users} WHERE username = 'JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1'";
```

You'll notice a major difference in that last line. Now the user input is no longer appending a new query to the end of an existing query. Instead, Drupal is ensuring the entirety of the user input is being used where it's supposed to be used (i.e. as a comparison to find a record within the user table). And since there is no username that matches this arbitrary SQL command, the query will return NULL. More importantly, it will do nothing more than what it was designed to do.

It's also important to note that it is still possible to introduce vulnerabilities when using commands from the database abstraction layer. If one doesn't use placeholders, the malicious code can be easily reintroduced. For example:

```php
$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
db_query("SELECT * FROM {users} WHERE username = " . $user_input);
// Resulting query = "SELECT * FROM {users} WHERE username = JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
```

The takeaway message is to always use placeholders when passing variables into a query, regardless of whether they came from user input or from the system. Not only will it ensure consistency within your code, but it will significantly reduce the risk of a SQL injection.

Drupal Query Builder (DBTNG)

One of the new features in Drupal 7 core is the introduction of DBTNG (Database The Next Generation). In this new feature, placeholders are essentially mandatory based on how they are constructed. Let's rework the example we've been using:

```php
$user_input = "JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1";
$query = db_select('users', 'u');
// db_select() adds no columns by default; request all columns of the table.
$query->fields('u');
$query->condition('name', $user_input);
$results = $query->execute();
// Resulting query = "SELECT u.* FROM {users} u WHERE name = 'JohnDoe; UPDATE {users} SET pass = qwerty WHERE uid = 1'";
```

By using DBTNG we are getting user input sanitizing out of the box (SA-CORE-2014-005 aside). And similar to using the existing database abstraction layer, this can be used to ensure a consistent, secure codebase.

Detecting Trouble Spots

Reviewing an existing codebase for vulnerabilities can be a daunting task. Luckily, the coder review module can make that process a lot easier. It scans for common patterns and flags them by severity. This includes db_query() statements that attempt to insert variables directly into the query parameter instead of using placeholders.

If you don't already use the coder review module as part of your workflow, I can't recommend it enough. The module also scans for other vulnerabilities (e.g. XSS), coding standards, comment standards, and more. At a minimum, it will help you keep your codebase tidy. If used consistently, it will make you a better developer!

Finally, if you ever find a potential issue in a contrib module in your CMS, please file an issue with the security team! Or, if you need help with your Drupal, don't hesitate to contact the newmedia team for a Drupal security audit.
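A simplified sketch of the kind of check described under "Detecting Trouble Spots", as an added example; it is not the coder review module's code. It flags db_query() calls whose first argument is built by concatenation or double-quoted interpolation instead of placeholders, and the PHP lines it scans are constructed samples.

```javascript
// Constructed sample of Drupal 7 PHP source, one statement per line.
const SAMPLE_PHP = [
  'db_query("SELECT * FROM {users} WHERE username = :name", array(":name" => $user_input));',
  'db_query("SELECT * FROM {users} WHERE username = " . $user_input);',
  "db_query(\"SELECT * FROM {users} WHERE username = '$user_input'\");",
  "db_query('SELECT nid FROM {node} WHERE uid = ' . $uid . ' AND status = 1');",
  "db_query('SELECT COUNT(*) FROM {users}');",
  '$result = db_query($sql, $args);',
].join('\n');

// Return the source text of the first argument of the call whose "(" is at openIdx.
// Quotes and nested brackets are tracked so commas inside strings are ignored.
function firstArgument(src, openIdx) {
  let depth = 0;
  let quote = null;
  for (let i = openIdx + 1; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // end of string literal
      continue;
    }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(' || ch === '[') depth++;
    else if (ch === ')' || ch === ']') {
      if (depth === 0) return src.slice(openIdx + 1, i);
      depth--;
    } else if (ch === ',' && depth === 0) {
      return src.slice(openIdx + 1, i);
    }
  }
  return src.slice(openIdx + 1); // unterminated call: classify what is there
}

// Classify a query argument:
//   'interpolation' - a PHP variable inside a double-quoted string
//   'concatenation' - a variable joined to a literal with "."
//   'review'        - the query is a bare variable built somewhere else
//   'ok'            - a plain literal (placeholders such as :name are fine)
function classifyQueryArgument(arg) {
  let quote = null;
  let interpolated = false;
  let variableOutside = false;
  let concatOutside = false;
  let literalSeen = false;
  for (let i = 0; i < arg.length; i++) {
    const ch = arg[i];
    if (quote) {
      if (ch === '\\') { i++; continue; }
      if (ch === quote) { quote = null; continue; }
      // PHP only interpolates inside double quotes: "$var", "{$var}", "${var}".
      if (quote === '"' && ch === '$' && /[A-Za-z_{]/.test(arg[i + 1] || '')) {
        interpolated = true;
      }
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; literalSeen = true; }
    else if (ch === '$') variableOutside = true;
    else if (ch === '.') concatOutside = true;
  }
  if (interpolated) return 'interpolation';
  if (variableOutside && concatOutside) return 'concatenation';
  if (variableOutside && !literalSeen) return 'review';
  return 'ok';
}

// Scan PHP source text and return one finding per suspicious db_query() call.
function scanPhpSource(src) {
  const findings = [];
  const callRe = /\bdb_query(?:_range)?\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1;
    const argument = firstArgument(src, openIdx).trim();
    const verdict = classifyQueryArgument(argument);
    if (verdict !== 'ok') {
      const line = src.slice(0, m.index).split('\n').length;
      findings.push({ line, verdict, argument });
    }
  }
  return findings;
}

for (const f of scanPhpSource(SAMPLE_PHP)) {
  console.log(`line ${f.line}: ${f.verdict}: ${f.argument}`);
}
```

A 'review' finding only means the query string is assembled elsewhere and has to be traced by hand; the check cannot tell whether that code used placeholders.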

Drupalize.Me: Help Drupal 8 and Win!

Mon, 05/04/2015 - 15:02
We're kicking off a campaign to help the Drupal 8 Accelerate Fund. If you donate $50 or more to the community fund, you have a chance to win a free annual membership and if you donate $100, you can choose a new video for us to create.

Chromatic: Working with Vim: Never Leave Your Terminal

Mon, 05/04/2015 - 14:56
Recently, […] blogged about a few CLI utilities that can really help improve your productivity. If I had to add one additional utility to his list, it’d be Vim. Vim is the notoriously difficult to learn, but remarkably powerful text editor that runs in a terminal (and of course the famous rival of Emacs).

Everything you’ve heard about Vim is true: it’s very difficult to learn, and it’s insanely powerful. These two characteristics almost balance each other out. You can probably do anything with Vim that you can do with another editor and do it faster and more efficiently. But you’ll need to take the time to learn it.

I can’t teach you much about Vim in a blog post. But there’s another reason for developers and programmers to bother with Vim: if you use it, you can almost work the whole day in your terminal. Most of the tools I need excepting browsers and other communications tools run in the terminal, so the more time I can spend in the terminal, the more efficiently I can work. Here’s how I do it.

Browsing files with NERDTree

I use Janus--a Vim distribution--to set up Vim. Janus provides a huge number of useful tools and a lot of default configuration on top of stock Vim (line numbers, commenting utilities, and much more), but the one I want to draw attention to here is NERDTree, a file browser for Vim (which, of course, can be installed without Janus).

For me this is an essential feature, and it really helped with my adoption of Vim. With it enabled, opening a project is as simple as navigating to a directory and typing `vim .`. As with conventional editors, this file browser can be configured to toggle on or off. And as with everything else in Vim this functionality is accessed and used via the keyboard. What’s more, NERDTree offers a one-keystroke menu (just type `m`) for creating, moving, deleting, and copying files.

Running terminal commands from inside Vim

The editor is where I spend most of my time, so running Vim in a terminal is a first step. But sometimes we have to perform tasks on the command-line such as, for example, using Drush to clear a Drupal site’s caches. Vim provides a neat little solution that you can use to do this without even leaving Vim. Type `:!` plus the command you need to run:

```
:! drush cc all
```

This will run the drush command in a shell, display the output of the command, and prompt you to type `ENTER` to resume editing.

Leaving and returning to Vim without losing your place

Sometimes while you’re working, you need to run multiple commands or do something more involved than running a single command. Fortunately, there is a way to do this in the bash shell:

```
CTRL-z
```

This will actually move the Vim process into the background, returning you to your prompt to run whatever commands you need. To return to Vim--exactly as you left it--type:

```
fg
```

This returns Vim to the foreground so you can continue working.

Opening files

Everything else I’ve mentioned in this post should work on Linux systems of all sorts, but OSX has one nice command that I haven’t encountered elsewhere. The open command can be used to open files with the application of your choice. So if you’re working on a file that you need to try out in a browser, you can type something like:

```
open -a Firefox test-document.html
```

Transferring files with SCP

Since Git has become so popular not only as a way to manage, but also to deploy code, I find I transfer a lot fewer files than I used to. Nevertheless, it still happens that we need to move the occasional file up or down to a remote server. For this, I like to use SCP (SFTP is a good option for this too, but avoid FTP, it’s insecure).

Again, a full tutorial on SCP is far too involved for a blog post, but the basic syntax is like this:

```
scp path/to/local/file server:/path/to/remote/file
```

There are two things that make scp tricky to use (and which might take you away from your terminal!): the file paths and the authentication. I can’t help with the file paths, but you can stay in the terminal getting your work done by using SCP without usernames and passwords.

Authenticating SSH without passwords

This will change your life. It is possible to set up safe, secure SSH authentication without passwords. Even more exciting, once you have done this, it’s no longer necessary to use usernames and passwords with SCP. Once you’ve set up passwordless SSH access to a client server (under the host name e.g. ‘clientserver’), you can SCP a file to it as follows:

```
scp /path/to/local/file clientserver:/path/to/remote/file
```

No passwords or usernames required!

Editing files on remote servers

Last of all, we come to the reason that I decided to start using Vim in the first place. Simply put, Vim, or its predecessor Vi, is installed on virtually every web server running Linux anywhere in the world.

This means that, on those occasions where it’s necessary for me to edit a remote file, I can usually use something similar to my usual editor. The version of Vi(m) on the remote server is usually much more stripped-down than my local development environment, but if you know how to use Vim, you usually find an editor installed on the server that you can use instead of having to SCP/SFTP transfer files up and down. Combine this with the passwordless SSH authentication, and it’s not only convenient, but very, very fast.

Is it worthwhile?

It can be. If you already use many command-line tools, and if you find that constantly needing to switch applications, or switching back and forth from mouse to keyboard interferes with your productivity, then Vim might be worth a shot. Conversely, if you already use Vim in the terminal and you’re not using command-line tools for almost everything else you can think of, you might want to start.

Now back to your terminal!

Deeson: Deeson is an official G-Cloud 6 agency

Mon, 05/04/2015 - 11:48
It's official, Deeson is a G-Cloud approved agency (and have been for some time!)

This means we're formally recognised as one of the partners working with the public sector to develop user-centered digital services.

What's it all about?

The government's G-Cloud framework contract aims to provide an easy way for public sector bodies to access digital services across a whole host of fields.

It does this through providing a number of pre-vetted suppliers, so there's no need for a lengthy pitch or procurement process.

You can find out all about the services we provide under G-Cloud in the Marketplace (previously the Cloudstore) - a digital procurement resource for the public sector.

Our work under G-Cloud

We're a Drupal-led digital agency and we've built all sorts of sites, big, beautiful and complicated - from online communities to searchable art collections.

But that's not all we do. We have an established user experience and creative practice too.

That means we also deliver […] and scoping projects under the G-Cloud framework too - helping you understand more about your users and what it takes to develop a digital experience that they'll really want to use.

Getting started with G-Cloud

The G-Cloud set-up aims to make life easier if you work in the public sector, yet it may be daunting to some who are unfamiliar with how things work.

We've put together five handy tips to help you make the most of G-Cloud:

1. Be open and willing to try a different approach: to take full advantage of G-Cloud, it helps to have a more ‘open’ attitude - and be open to experimentation. Make sure you're familiar with the Design Manual (we love it!) and what it means for your project.
2. Clearly identify and understand your user or audience: this will drive what your needs are - what you want to achieve and what ‘success’ looks like. This in turn will help lead to the best solution, and help you deliver a meaningful product.
3. Establish who your key business owners are: make them central to the project; they are the enablers, the advocates and the ones that will drive the projects forward.
4. Use a natural opportunity to try G-Cloud: often it's best to outsource a small piece of work to test the water and help build your organisation's understanding of how to buy digital services under G-Cloud and how to work collaboratively with digital partners.
5. Network like there's no tomorrow. There's a thriving and supportive network of people working with digital in the public sector - get out there and meet them at events and meet-ups to boost your knowledge and see what's going on across the sector.

Want a bit more help?

Find out more about all the G-Cloud services we offer or just drop us a line - we're always happy to provide friendly advice and have a chat.

Triquanta Web Solutions: SEO and CDN

Mon, 05/04/2015 - 11:12
So you decided to start using a CDN provider for your website. A good idea! But a lot of CDN providers use a custom URL that you should CNAME when everything is set up.

For instance Fastly and Cloudfront, two big CDN providers.

When I want to add this website to Fastly they will give me the URL: […]
For Cloudfront it will be something like: d67something714.cloudfront.net

Once you have CNAME'd these, people will most likely not see them. But it can happen that these domains are going to be indexed by search engines.

And there you have it.... Duplicate content.
This means that your CDN provider is competing with the actual main domain. You don't want this, because it is a bad thing for your Search Engine Optimization (SEO).

To prevent this use the Canonical meta tag for all of your content pages.
In Drupal this can be done using the Metatag module. This module can add the canonical and a lot of other desired meta tags.

Now your content is okay but what about your files (images, pdf, word, etc)?
Since 2011 Google (and the rest followed Google) also support the canonical when it is used in the response headers. The next step is to add the header to the files. This can be done on your own server.

Apache .htaccess example with mod_rewrite and mod_headers enabled.

```apache
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|webp|html)(\.gz)?(\?.*)?$">
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # %{HTTP_HOST} is the Host header the origin receives; hard-code the
       # main domain instead if your CDN forwards its own hostname.
       RewriteCond %{HTTPS} !=on
       RewriteRule .* - [E=CANONICAL:http://%{HTTP_HOST}%{REQUEST_URI},NE]
       RewriteCond %{HTTPS} =on
       RewriteRule .* - [E=CANONICAL:https://%{HTTP_HOST}%{REQUEST_URI},NE]
    </IfModule>
    <IfModule mod_headers.c>
       Header set Link "<%{CANONICAL}e>; rel=\"canonical\""
    </IfModule>
</FilesMatch>
```

Nginx example.

```nginx
location ~ \.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|webp|html)(\.gz)?(\?.*)?$ {
  add_header Link "<$scheme://$host$request_uri>; rel=\"canonical\"";
}
```

When a file is being accessed using the CDN URL it will add the proper Canonical headers, and you will not have any duplicate content issues.

Four Kitchens: API Design: The Musical - Live from Drupalcon LA

Mon, 05/04/2015 - 05:01
We are just a few sweet days away from the power that is DrupalCon, Los Angeles. If you’re going I hope you are ready for another great conference.

Chen Hui Jing: Drupal 101: Creating an iTunes podcast feed

Mon, 05/04/2015 - 02:00
Podcast listenership has been steadily increasing in recent years, and some are even predicting that we’re on the verge of an explosion. With that being said, it’s pretty likely you’ll get tasked with creating an iTunes podcast feed. Luckily, it’s quite simple to create one on your Drupal site with Views.

Required modules

- Views
- Views RSS
- Views RSS: iTunes Elements
- Libraries (dependency for getID3())
- getID3() (dependency for Views RSS: iTunes Elements)

Create/Modify content type for feed

1. Install and enable the required modules.

```bash
drush en views views_ui views_rss views_rss_core views_rss_itunes libraries getid3 -y
```

   - Create a new folder in your libraries folder like so:...

DrupalOnWindows: Drupal: Fields or Properties (or something else)

Sun, 05/03/2015 - 19:00
Making Drupal scale is hard. It is even harder if your application is big and complex. And one of the main problems is that usually not enough attention is paid to data storage. But let me tell you that the storage model you pick is the backbone of your application, its heart, its soul.

No fancy UI is ever going to compensate for a slow, unmaintainable and crappy engineered piece of software.

orkjerns blogg: Drupal and IoT. Code examples, part 1

Sun, 05/03/2015 - 15:39
span data-quickedit-field-id=node/65/title/en/rss class=field field-node--title field-name-title field-type-string field-label-hiddenDrupal and IoT. Code examples, part 1/span div data-quickedit-field-id=node/65/body/en/rss class=clearfix field field-node--body field-name-body field-type-text-with-summary field-label-above div class=field-labelBody/div div class=field-items div property=schema:text class=field-itempAs promised, I am posting the code for all the examples in the article about a href=/drupal-internet-of-thingsDrupal and the Internet of Things/a. Since I figured this could be also a good excuse to actually examplify different approaches to securing these communication channels, I decided to do different strategies for each code example. So here is the disclaimer. These posts (and maybe especially this one) would not necessarily contain the best-practices of establishing a communication channel from your thing to your Drupal site. But this is one example, and depending on the use-case, who knows, this might be easiest and most practical for you./p pSo, the first example we will look at is how to turn on and off your Drupal site with a TV remote control. If you did not read a href=/drupal-internet-of-thingsthe previous article/a, or if you did not see the example video, here it is:/p iframe allowfullscreen= frameborder=0 height=315 src= width=100%/iframe h2Overview of technology and communication flow/h2 pThis is basically what is happening: /pulliI click the on/off button on my TV remote./li liA a href=https://tessel.ioTessel/a microcontroller reads the IR signal/li liThe IR signal is analyzed to see if it indeed is the on/off button/li liA request is sent to my Drupal site/li liThe Drupal site has enabled a module that defines an endpoint for toggling the site maintenance mode on and off/li liThe Drupal site is toggled either on or off (depending on the previous state)./li /ul See any potential problems? Good. 
Let's start at the beginning h2Receiving IR and communicating with Drupal/h2 pOK, so this is a Drupal blog, and not a microcontroller or javascript blog. I won't go through this in detail here, but the a href= commented source code is at github./a If you want to use it, you would need a tessel board though. If you have that, and want to give it a go, the easiest way to get started is probably to read through the tests. Let's just sum it up in a couple of bullet points, real quick: /pulliAll IR signals are collected by the Tessel. Fun fact: There will be indications of IR signals even when you are not pressing the remote./li liIR signals from the same button are rarely completely identical, so some fuzzing is needed in the identification of a button press/li liFiguring out the signature of your off-button might require some research./li liConfigure the code to pass along the config for your site, so that when we know we want to toggle maintenance mode (the correct button is pressed), we send a request to the Drupal site./li /ulh2Receiving a request to toggle maintenance mode/h2 pNow to the obvious problem. If you exposed a URL that would turn the site on and off, what is to stop any random person from just toggling your site status just for the kicks? Here is the part where I want to talk about different methods of authentication. Let us compare this to the actual administration form where you can toggle the maintenance mode. What is to stop people from just using that? Access control. You have to actually log in and have the correct permission (administer site configuration) to be able to see that page. Now, logging in with a micro controller is of course possible, but it is slightly more impractical than for a human. So let's explore our options. In 3 posts, this being the first. Since this is the first one, we will start with the least flexible. But perhaps the most lo-fi and most low-barrier entry. We are going to still use the permission system. 
/p h2Re-using your browser login from the IR receiver/h2 p style=font-size: 0.7emThese paragraphs are included in case someone reading this needs background info about this part. If this seems very obvious, please skip ahead 2 paragraphs/p pWeb apps these days do not require log-ins on each page (that would be very impractical), but actually uses a cookie to indicate you are still trusted to be the same user as when you logged in. So, for example, when I am writing this, it is because I have a session cookie stored in my browser, and this indicates I am authorised to post nodes on this site. So when I request a page, the cookie is passed along with it. We can also do the same passing of a cookie on a micro controller. /p h2Sending fully authenticated requests without a browser/h2 pSo to figure out how to still be authenticated as an admin user you can use your browser dev tools of your choice. Open a browser where you are logged in as a user allowed to put the site into maintenance mode. Now open your browser dev-tools (for example with Cmd-Alt-I in Chrome on a Mac). In the dev tools there will be a network tab. Keep this active while loading a page you want to get the session cookie from. You can now inspect one of the requests and see what headers your browser passed on to the server. One of these things is the header Cookie. It will include something along the lines of this (it starts with SESS):/p preSESS51337Tr0lloll110l00l1=acbdef123abc1337H4XX/pre pSince I am a fan of animated gifs, here is the same explanation illustrated:/p img src=/sites/default/files/cookies.gif /pThis is the session cookie for you session as an authenticated user on your site. Since we now know this, we can request the path for the toggle functionality from our microcontroller, passing this cookie along as the header, and toggle the site as we were just accessing it through the browser./p h2The maintenance_mode_ir module/h2 pAs promised, I also posted the Drupal part of the code. 
It is a module for Drupal 8, and can be found on github.

So what is happening in that module? It is a very basic module, actually mostly generated by the super awesome console. To again sum it up in bullet points:

- It defines a route in maintenance_mode_ir.routing.yml.
- The route requires the permission administer site configuration.
- The route controller checks the StateInterface for the current state of maintenance mode, toggles it and returns a JSON response about the new state.
- The route (and so the toggling) will never be accessible for anonymous users (unless you give the anonymous users the permission administer site configuration, in which case you probably have other issues anyway).
- There are also tests to make sure this works as expected.

When do you want to use this, and what are the considerations and compromises

Now, your first thought might be: would it not be even simpler to just expose a route where requests would turn the site on and off? We wouldn't need to bother with finding the session cookie, passing that along and so on? Legitimate question, and of course true in the sense that it is simpler. But this is really the core of any communication taking place between your things and Drupal (or any other backend) - you want to make sure it is secured in some way. Of course being able to toggle the maintenance mode is probably not something you would want to expose anyway, but you should also use some sort of authentication even if it was only monitoring temperature. Securing it through the access control in Drupal gives you a battle-tested foundation for doing this.

Limitations and considerations

This method has some limitations. Say for example you are storing your sessions in a typical cache storage (like redis). Your session will expire at some point. Or, if you are using no persistence for redis, it will just be dropped as soon as redis restarts.
Maybe you are limited by your PHP session lifetime settings. Or maybe you just accidentally log out of the session where you found the cookie. Many things can make this authenticated request stop working. But if all you are doing is hooking up a remote control reader to make a video and put on your blog, this will work.

Another thing to consider is the connection of your thing. Is your site served over a non-secure connection and you are sending requests with your thing connected through a public wifi? You might want to reconsider your tactics. Also, keep in mind that if your session is compromised, it is not only the toggling of maintenance mode that is compromised, but the actual administrator user. This might not be the case if we were to use another form of authentication.

Now, the next paragraph presented to you will actually be the comments section. The section where you are encouraged to comment on inconsistencies, forgotten security concerns or praise about well chosen gif animations. Let me just first remind you of the disclaimer in the first paragraph, and the fact that this is a series of posts exploring different forms of device authentication. I would say the main takeaway from this first article is that exposing different aspects of your Drupal site to the physical world, be it remote controlled maintenance mode or temperature logging, requires you to think about how you want to protect these exposed endpoints.
So please do that, enjoy this complimentary animated gif (in the category maintenance), and then feel free to comment.

By admin, Sun, 05/03/2015 - 13:39

Tags: planet drupal, iot, drupal 8
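
The device-side request from "Sending fully authenticated requests without a browser", with the checks that "Limitations and considerations" calls for, as an added example that is not part of the post or its GitHub code. The site URL and route path are placeholders, the HTTP method is left at fetch's default, and a runtime with a global fetch (Node 18+) is assumed.

```javascript
// Added example; not code from the post or its GitHub repositories.
const sampleConfig = {
  baseUrl: 'https://example.com',           // constructed sample site
  togglePath: '/PLACEHOLDER-toggle-route',  // placeholder: real route path is not given in the post
  // Sample cookie from the post. On an HTTPS site Drupal names it SSESS... instead of SESS...
  sessionCookie: 'SESS51337Tr0lloll110l00l1=acbdef123abc1337H4XX',
};

function buildToggleRequest(cfg) {
  const url = new URL(cfg.togglePath, cfg.baseUrl);
  // The cookie is the administrator's whole session, so never send it in clear text.
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send the session cookie over ' + url.protocol);
  }
  // Exactly one name=value pair: no CR/LF, spaces or ';' pasted in from dev tools.
  if (!/^S?SESS[A-Za-z0-9]+=[A-Za-z0-9_%-]+$/.test(cfg.sessionCookie)) {
    throw new Error('sessionCookie must be a single SESS...=value pair');
  }
  return {
    url: url.href,
    options: {
      redirect: 'manual', // a redirect (e.g. to a login page) is reported, not followed
      headers: { Cookie: cfg.sessionCookie, Accept: 'application/json' },
    },
  };
}

function interpretResponse(status, bodyText) {
  if (status === 200) {
    try {
      return { ok: true, state: JSON.parse(bodyText) }; // the module's JSON, passed through as-is
    } catch (e) {
      return { ok: false, reason: 'unexpected-body' };  // e.g. an HTML page instead of JSON
    }
  }
  if (status === 401 || status === 403 || (status >= 300 && status < 400)) {
    // Session expired, logged out or dropped from storage, or the user lacks the permission.
    return { ok: false, reason: 'not-authorized' };
  }
  return { ok: false, reason: 'http-' + status };
}

// fetchImpl defaults to the global fetch (Node 18+); pass a stub to run offline.
async function toggleMaintenanceMode(cfg, fetchImpl = globalThis.fetch) {
  const { url, options } = buildToggleRequest(cfg);
  const res = await fetchImpl(url, options);
  return interpretResponse(res.status, await res.text());
}
```

A `not-authorized` result is the signal to capture a fresh cookie from a logged-in browser session; the cookie value itself should never be written to the device's logs.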