Inhalt abgleichen
Drupal.org - aggregated feeds in category Planet Drupal
Aktualisiert: vor 27 Minuten 4 Sekunden

qed42.com: Securing Cookie for 3rd Party Identity Management in Drupal

13. Februar 2018 - 13:13

We are in an era where we see a lots of third party integrations being done in projects. In Drupal based projects, cookie management is done via Drupal itself to maintain session, whether it be a pure Drupal project or decoupled Drupal project,.

But what when we have a scenario where user’s information is being managed by a third party service and no user information is being saved on Drupal? And when the authentication is done via some other third party services? How can we manage cookie in this case to run our site session and also keep it secure?

One is way is to set and maintain cookie on our own. In this case, our user’s will be anonymous to Drupal. So, we keep session running based on cookies! The user information will be stored in cookie itself, which then can be validated when a request is made to Drupal.

We have a php function to set cookie called setCookie() , which we can use to create and destroy cookie. So, the flow will be that a user login request which is made to website is verified via a third party service and then we call setCookie function which sets the cookie containing user information. But, securing the cookie is must, so how do we do that?

For this, let’s refer to Bakery module to see how it does it. It contains functions for encrypting cookie, setting it and validating it.

To achieve this in Drupal 8, we will write a helper class let’s say “UserCookie.php” and place it in ‘{modulename}/src/Helper/’. Our cookie helper class will contain static methods for setting cookie and validating cookie. Static methods so that we will be able to call them from anywhere.

Appnovation Technologies: Simple website approach using a Headless CMS: Part 2

13. Februar 2018 - 10:00
Simple website approach using a Headless CMS: Part 2 Using Cockpit CMS In my previous post, I presented some Headless CMS solutions and suggested using Drupal mostly due to the content editorial capabilities and flexibility. Drupal can be leveraged as a vanilla solution or in a distro flavor (e.g. Contenta, Reservoir). I also approached Cockpit CMS, because it's a pure Headless CM...

Jacob Rockowitz: Yes...the Contribute module is making a statement

13. Februar 2018 - 0:14

I was explaining to my 12 year old, Ben, the pushback I am getting around making the Contribute module a dependency of the Webform module and how most people agree with the Contribute module's general concept and message but are unhappy about how and where I placed it. Ben shrugged and says "So basically you are holding up a protest sign, people are agreeing with it but because it is inconveniencing them and they are upset at you and want you to remove it".

So the Contribute module is a protest/political statement; I am okay with admitting that. Many of the expressed concerns are immediately addressed by the fact that there are three different mechanisms to remove the dependency. The beauty of open source is that, if you don't like something, you have the freedom to change it.

For anyone truly worried that the Webform module will indefinitely depend on the Contribute module, it’s worth noting that all protests, political statements, revolts, and revolutions have to end at some point (aka release).

For the time being, however, I am going to keep maintaining the Webform module as well as working on (and defending) the Contribute module.

The Contribute module is not going bring down your website

A few people have expressed concerns about the Contribute module being unneeded and fear it is posing a security risk. Considering people are trusting my 10000+ lines of code in Webform module on production websites to build forms and securely collect data, this seems a bit extreme. To my mind, what seems like the biggest security risk in the Drupal community is unmaintained and unstable modules running on 100,000's of websites. The Rules module is a great example of key Drupal module that is still in alpha releases while being used on a production website....Read More

Bert Boerland: Drupal Predictions for 2018

12. Februar 2018 - 23:09

We have had a tradition since 2005. Every new year we have a posting on the predictions for the year ahead for our beloved open source CMS and community. Sometimes this posting went up in december, sometimes in January. But never in February.

Time to start a new tradition, predict the year ahead from February on :-)

Leave a comment if you do think that blogging will get hip again, RSS will gain new ground. What will the roll of the Drupal Association be in the new year? Where will the next DrupalCon be? Will the community grow and in what direction? API first, customer first, mobile first?

Polish your crystal ball and tell us what the future of Drupal wil be.

If you need some inspiration, take a look at 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015.2016 and
2017.

And yes, this posting was once month late. Apologies. Feel free to predict when the new prediction posting will go up on d.o :-)

So do post your predictions at https://www.drupal.org/forum/general/news-and-announcements/2018-02-11/predictions-for-2018.

CU Boulder - Webcentral: Composer Sees Drupal Projects as Deprecated

12. Februar 2018 - 22:08

Last week, the term open source itself turned 20! While the ideals of free and open source code had been discussed before January 1998, that was when Netscape released their browser source code. 

We think it is going to change the way people actually develop these products dramatically for many, many years to come. This will be a historic day in that chain of events. - Jim Barksdale, Netscape CEO

It did. It was. But are the links this chain as strong today as 20 years ago?

Version 1 of the GNU GPL (GPL-1.0) was released in February 1989 followed by GPLv2 (GPL-2.0) in June 1991. Dries open-sourced the software behind Drop.org and released Drupal 1.0.0 in January of 2001.  

I’m not sure if there are other documents that survived the Drupal.org updates and the great Git Migration, but thanks to the Archive.org’s Way Back Machine you can still access the Drupal project’s contributor policy from 12/04/2004.

Q: What license should I use?

A: We currently require that all submissions carry the GNU/GPL license. This
may, or may not change in the future. For more information on the GNU/GPL,
point the browser of your choice to http://www.gnu.org/.

You don't have to include a LICENSE.txt in your theme or module's
directory because there is global LICENSE.txt in the top-level directory
of the contributions repository.  Furthermore, a LICENSE.txt will
automatically be added to each packaged theme or module (.tgz file) that
is offered for download at http://www.drupal.org/.

Other than getting more specific about the GPL-2.0+ policies and improving FAQ, the Drupal project's approach to licensing remained largely unchanged until 2018. 

Did you know that Drupal themes and modules can now include popular font packages like Font Awesome?

Probably not, but the DA and Dries finally approved a change that officially allows non-code assets like images, text and fonts that use licenses other than GPL-2.0 to achieve similar goals to the 4 essential freedoms the GPL protects.  WordPress made this change several years earlier.  Despite claiming to have the same general licensing policy as Drupal, they’ve actually encouraged theme developers to add assets using a variety of license for many years.  These licenses can be included in projects distributed as GPL-2.0 because things like images, text and fonts are treated as assets that aren't part of the code.

WordPress now has more than 5,300 themes available on WordPress.org.  There are even more commercially available themes that walk a strange line of GPL compliance.  I know what you are going to say.  Many of these WordPress themes are junk.  Hundreds of these aren’t fully compatible with the current WP release. They have so many themes for a single use case like a recipe site or a bed and breakfast that require specific plugins.

All true… but I'll counter with the fact that there are thousands of WordPress themes and currently, only 270 themes available for Drupal 8.

You could argue that Drupal’s themes have to be more flexible to support any content type or view a site build dreams up and that many of Drupal themes are base themes that are designed to support custom theme development.

Again. All true… but I'll counter with the fact that there are thousands of WordPress themes and currently, only 270 themes available for Drupal 8.

While licensing policies are only one of many differences between the Drupal and WordPress theming ecosystems, the negative impact the additional effort required to complete Drupal's multistep installs has on adoption is a factor.

Won't Composer fix the multistep install issue?

It will, but it introduces new challenges like keeping up with the changes happening off the island. One change is that the Software Package Data Exchange (SPDX) specification that Composer uses has deprecated the use GPL-2.0+ in favor of GPL-2.0-or-later. SPDX is standard Composer uses for licensing.

Wait... So How Exactly are Drupal Projects Deprecated?

I have to apologize.  I’ve used a clickbait title to get you to read this far.  But be honest, if I titled this post “Drupal’s Use of GPL+ in Composer.json is Deprecated in Favor of GPL-2-or-later” would you have even opened the post? 

While 2017 was a really dramatic year for open source, there are very few people in the world who really understand these licensing conflicts and even fewer members of the Drupal community.  Most of us would prefer to believe we learned everything we need to know about sharing in kindergarten and just want to write, share and use code without getting lawyers involved. 

Unfortunately for the GPL to work, someone has to understand the details and enforce them.

This is where the Drupal's Licensing Working Group comes in.  Unlike the Drupal Security, Infrastructure or Community working groups, most members of the Drupal community have probably never heard of the Licensing Working Group.

To this group, Facebook’s decision to change the license of React after WordPress refused to use with the BSD + a patent clause was epic.  If you're still reading and understood why that licensing change was so important, please contact me.

The LWG currently has 3 members; Gisle Hannemyr  (University of Oslo), Shawn DeArmond (University of California Davis) and myself (University of Colorado Boulder) and we’d like to expand the group. The Drupal project faces a number of challenges as we move from the safety of our island to a very different landscape for licensing and distribution than what existed in 2001. 

The Apache-2.0 Problem

Yesterday Amazon published a WordPress plugin that integrates with their Polly service.  The fact that Amazon developers wrote the plugin is noteworthy and the functionality is interesting, but this is not what caught my attention.

If you download the plugin from WordPress.org and look in /vendor/aws/LICENSE.md, you’ll see that the Polly library is licensed as Apache-2.0.  While it’s easy to find code using a variety of licenses that are clearly not GPL-2.0 compatible in plugins available for download from WordPress.org, the WordPress uses a similar strategy to Drupal where we don't police contributions.  Both projects will only take action if someone reports the issue.  So I did.

I'm hoping that between this post and that issue, I can elicit a response from the WordPress community about how they plan to deal with the Apache-2.0 problem. 

Drupal projects are constantly running into Apache-2.0.  The popular Accelerated Mobile Pages (AMP) module requires a library Google has licensed as Apache-2.0. This currently makes it impossible to include a functional version of that module in a Drupal distribution.  Strangely, the most popular AMP plugin for WordPress reporting more than 200K installs and written by Automattic doesn't use Google's library.

In addition to becoming the license of choice for influential groups like Google, Amazon, and Mozilla, GitHub heavily promotes 3 licenses when starting a new project.

Of these, only an MIT license would allow the project to be committed to a Drupal module or theme or packaged with a Drupal distribution. This isn't only an issue with PHP library, the core Modernizing JavaScript initiative is starting to hit this as well.  

While there was once a time when developers working in Drupal could ask large project to change their licensing and actually make it happen, even then it was a Don Quixote-esque undertaking that took years.  I don't see a future where the Drupal project can get all of the projects we want included to use a different license or survive without being able to package those projects with our projects.

The LWG tries to advocate for licensing policy related changes that encourage contributions while helping to protect the DA from legally questionable activity on Drupal.org, but these aren't easy questions.  There are downsides to distributing Drupal projects as GPL-3.0 or ignoring the licensing compatibility concerns the Free Software Foundation has with Apache-2.0, but we need to find our way forward soon.

I've proposed a Core Conversation session for DrupalCon that I really hope is accepted.  How compatible the Drupal.org's policies are with the realities of collaborative development off the island will have a huge impact on the project's future as well as Drupal.org ability to remain relevant for project development and distribution.  

Developer Blog

2bits: When Memcached Slows Your Drupal Site's Performance

12. Februar 2018 - 18:09

For all of the sites we consult on, and manage, we use the excellent memcache module, which replaces the core's database caching. Database caching works for low traffic simple sites, but cannot scale for heavy traffic or complex site.

Recently we were asked to consult on the slow performance of a site with an all authenticated audience. The site is indeed complex, with over 235 enabled modules, 130 enabled rules, and 110 views.

The site was moved from a dedicated server to an Amazon AWS cluster, with the site on one EC2 instance, the database on an RDS instance, and memcache on a third instance. This move was in the hope that Amazon's AWS will improve performance.

However, to their dismay, performance after the move went from bad (~ 5 to 7 seconds to load a page) to worse (~ 15 seconds).

We recommended to the client that we perform a Drupal performance assessment server on the site. We got a copy of the site and recreated the site in our lab, and proceeded with the investigation.

After some investigation we found that by having memcached on the same server that runs PHP made a significant performance improvement. This was logical, because with a site with all users logged in, there are plenty of calls to cache_get() and cache_set(). Each of these calls have to do a round trip over the network to the other server and back, even if it returns nothing. The same goes for database queries.

Instead of 29.0, 15.8, 15.9, and 15.5 seconds for different pages on the live site, the page loads in our lab on a single medium server were: 3.6, 5.5, 1.4, 1.5 and 0.6 seconds.

However, this victory was short lived. Once we put load on the web site, other bottlenecks were encountered.

We started with 200 concurrent logged in users on our lab server, and kept investigating and tweaking, running a performance test after each tweak to assess its impact.

The initial figures were: an average response time of 13.93 seconds, and only 6,200 page load attempts for 200 users (with 436 time outs).

So, what did we find? We found that the culprit was memcache! Yes, the very thing that helps site be scaleable was severely impeding scalability!

Why is this so? Because of the way it was configured for locking and stampede protection.

The settings.php for the site had these two lines:

$conf['lock_inc'] = 'sites/all/modules/memcache/memcache-lock.inc';
$conf['memcache_stampede_protection'] = TRUE;

Look at the memcache.inc, lines 180 to 201, in the valid() function:

if (!$cache) {
  if (variable_get('memcache_stampede_protection', FALSE) ... ) {
    static $lock_count = 0;
    $lock_count++;
    if ($lock_count <= variable_get('memcache_stampede_wait_limit', 3)) {
      lock_wait(..., variable_get('memcache_stampede_wait_time', 5));
      $cache = ...;
    }
  }
}

The above is for version 7.x of the module, and the same logic is in the Drupal 8.x branch as well.

If memcache_stampede_protection is set to TRUE, then there will be up to three attempts, with a 5 second delay each. The total then can be as high as 15 seconds when the site is busy, which is exactly what we were seeing. Most of the PHP processes will be waiting for the lock, and no free PHP processes will be available to serve requests from other site visitors.

One possible solution is to lower the number of attempts to 2 (memcache_stampede_wait_limit = 2), and the wait time for each attempt to 1 second (memcache_stampede_wait_time = 1), but that is still 2 seconds of wait!

We did exactly that, and re-ran our tests.

The figures were much better: for 200 concurrent logged in users, the the average response time was 2.89 seconds, and a total of 10,042 page loads, with 100% success (i.e. no time outs).

But a response time of ~ 3 seconds is still slow, and there is still the possibility of a pile up condition when all PHP processes are waiting.

So, we decided that the best course of action is not to use memcache's locking at all, nor its stampede protection, and hence deleted the two lines from settings.php:

//$conf['lock_inc'] = 'sites/all/modules/memcache/memcache-lock.inc';
//$conf['memcache_stampede_protection'] = TRUE;

The results were much better: for 200 concurrent logged in users, the average response time was 1.09 seconds, and a total of 11,196 pages with 100% success rate (no timeouts).

At this point, the server's CPU utilization was 45-55%, meaning that it can handle more users.

But wait! We forgot something: the last test was run with xhprof profiler left enabled by mistake from profiling the web site! That causes lots of CPU time being used up, as well as heavy writes to the disk as well.

So we disabled xhprof and ran another test: and the results were fantastic: for 200 concurrent logged in users, the average response time was just 0.20 seconds, and a total of 11,892 pages with 100% success rate (no timeouts).

Eureka!

Note that for the above tests, we disabled all the rules, disabled a couple of modules that have slow queries, and commented out the history table update query in core's node.module:node_tag_new(). So, these figures are idealized somewhat.

Also, this is a server that is not particularly new (made in 2013), and uses regular spinning disks (not SSDs).

For now, the main bottleneck has been uncovered, and overcome. The site is now only limited by other factors, such as available CPU, speed of its disks, complexity of modules, rules and views ...etc.

So, check your settings.php to see if you have memcache_stampede_protection enabled, and disable it if it is.

Contents: Tags: 

DrupalEasy: DrupalEasy Podcast 205 - Fatima Khalid - First time sprinter's guide

12. Februar 2018 - 13:47

Direct .mp3 file download.

Fatima Khalid (sugaroverflow), web developer with Digital Echidna, and DrupalCon Nashville track chair and sprint mentor joins Mike Anello to talk about how to be a first-time sprinter at a local Drupal event or a DrupalCon and how she came for the community and stayed for the code. Along the way, we talk about Canadian Cheerios, the importance of issue queue triage, and (alleged) creepy monkey guy.

Interview DrupalEasy News Upcoming events Sponsors Follow us on Twitter Subscribe

Subscribe to our podcast on iTunes, Google Play or Miro. Listen to our podcast on Stitcher.

If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.

Lucius Digital: Drupal 8 development: always redirect all logged out visitors to the login page

12. Februar 2018 - 13:11
Login or get out!

Currently we are busy constructing the production of a realtime messaging platform in Drupal and NodeJS, look at it as a ‘WhatsApp for Business’. This Drupal system works like a web app; logging in is mandatory. How do you make sure that logged out visitors must log in to Drupal 8 before they are allowed to continue?

Drupal has many out-of-the-box functionalities, as well as a powerful API, but because it has so many functions many tracks are standardly available for anonymous visitors. We’d want to make all paths unreachable, until you log in.

That means that visitors always will be redirected to the login screen as long as they aren’t logged in. You wouldn’t want an anonymous user reaching internal news on the homepage.

Redirect URL in Drupal 8

Basically, we want all url’s / paths be made unavailable for non-logged in visitors, except explicitly specified pages like:

  • Login (/user)
  • Forgot password (/user/password)
  • Login link (user/reset/login)

in Drupal 7 you could use the module Logintoboggan for that purpose. You could also easily work around it in hook_init() or hook_boot() in a custom Drupal 7 module.

Quest

This was quite a puzzle, and we soon found some examples as well as exceptions. Everytime it didn’t work how we wanted it to. This example was the most useful.

Implementation in Drupal 8

Eventually, we got it working with the help of following code in a custom Drupal 8 module:

services.yml

put this file in your module root, and format yourmodulename.services.yml:

https://medium.com/media/20c294c1890ad778074f8276d5febad1/hrefRedirectAnonymousSubscriber.php

Put the file RedirectAnonymousSubscriber.php in folder /src/EventSubscriber/ and do your custom thing:

https://medium.com/media/1723313a8d58061c5f36a77f32dac0e9/href

This code builds on symfony’s EventSubscriber, the framework on which Drupal8 has been built.

Wrap up

Alright, that’s it. I hope the information as described will help you to always redirect visitors to the login page. Questions or feedback? Let me know!

Drupal 8 development: always redirect all logged out visitors to the login page was originally published in Lucius Digital | Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

OSTraining: Should I Re-use Existing Drupal Fields?

12. Februar 2018 - 7:14

Sometimes we're able to give really clear advice: "Do this!" or "Don't do that!"

This is not going to be one of those blog posts.

Drupal gives you the ability to re-use fields. If you have an "Image" field, you could choose to use that same field on every content type on your site.

However, it's not always clear whether re-using fields is a good idea. Sometimes it is, sometimes it isn't.

Here's an overview of the advantages and disadvantages to consider before re-using Drupal fields.

ADCI Solutions: Top Design Trends for 2017-2018

11. Februar 2018 - 4:39

Development and design always go hand in hand, and our Drupal development team pays a lot of attention to design trends so that we can visualize our solutions in the most beneficial way.

Our lead web designer has come up with a cool review on design trends for 2018. Read and implement!

 

Check design trends for 2018

 

DrupalCon News: You should stay at a DrupalCon partner hotel. Here’s why.

10. Februar 2018 - 1:12

The hotels we chose are a perfect hub connecting you to a rewarding DrupalCon experience. It’s also a great way to show up for the community.

Valuebound: How to debug Drupal 8 website performance using Web Profiler

9. Februar 2018 - 16:31

Over the period of time, website performance degrades significantly affecting the business in terms of traffic, sales, marketing etc. And there can be n-number of reasons for the poor performance of the website. In this scenario, performance enhancement is one of the solutions to keep your website as well as the business running efficiently.

Well, there are various tools to debug the performance of web applications. In case your website is running on Drupal 8, then you need not worry as there are various contributed modules that help to identify the reasons and debug the site. Here we will explore how Web profiler helps in enhancing Drupal 8 site performance.…

Amazee Labs: A brand new website for Zürich Tourismus

9. Februar 2018 - 14:30
A brand new website for Zürich Tourismus

Zürich Tourismus is responsible for the local and international marketing of the city of Zurich and the surrounding region. They aim to showcase the region as both a fascinating tourist destination and the perfect place to hold meetings and congresses.

Nicole Blum Fri, 02/09/2018 - 13:30 The Challenge

The goal of the website was to increase conversion rates and user retention. This required a new structure on the individual pages and the integration of user-generated content.
The website's authenticity is reinforced by offering users the option to show off the best sides of the city on the social channels. Lastly, our offer also included a quick and easy-to-use search function with a map and the option to search within a certain radius.

Our Idea

The new CI/CD would be integrated into all of the content and design elements on the website. The website should have a lot of empty white space which draws the user's focus to the images and videos. The left-justified design and uniform teaser layout create a feeling of order on each individual page. A specially designed company font and the predefined colour palette were used for the website's design. A cluster of topics and the colours used as an additional branding element in the navigation would also be implemented.

The Result

With an immersive video as the point of entry, supplemented by user-generated content, the website not only inspires trust in the user but also builds an emotional connection with them. Interactive options such as the option to send enquiries to service providers (hotels, restaurants, etc.) or share content allow for and inspire additional user interaction, eliminate obstacles which could discourage users from booking services, and let the user know that they are fully informed, have chosen the best activities for their stay in Zurich, and have not missed anything.

With the new branding, which moves from playful to minimalist, the new website is timeless and modern with a touch of "Swissness" thanks to the references to the heyday of Zurich-based design in the 1960s. The website's appearance is rounded out by the specially designed company font - based on Helvetica - and the expanded colour palette, which is inspired by the tram lines that run through Zurich.

Lullabot: The Layout Initiative

9. Februar 2018 - 5:06
Mike and Matt talk to Acquia's Tim Plunkett and Emilie Nouveau about the Layout Initiative, which aims to build layout building functionality into Drupal core similar to Panels / Display Suite. Note that the Layout Initiative did officially make it into Drupal 8.5!

Agiledrop.com Blog: AGILEDROP: How you can try Commerce 2 for Drupal 8

9. Februar 2018 - 4:13
I always felt that any website should be a tool for driving sales. And there is no better way than enabling customers to make a purchase right there on your website. Anf now you can do it with Drupal 8. TLDR: Acro Media created a demo Drupal 8 demo site with Drupal Commerce 2 and made it available on Github. Building commerce websites is not easy. The only way to make it easier is to use a service like Shopify, where there are presets available that will cover requirements for 80% of entrepreneurs doing their first online commerce venture.  Sooner or later things get complicated ...… READ MORE

MidCamp - Midwest Drupal Camp: Call for Volunteers

8. Februar 2018 - 4:33
Call for Volunteers We need you!

Want to give back to the Drupal Community without writing a line of code? Volunteer to help out at MidCamp 2018.  We’re looking for people to help with all kinds of tasks including: 

Setup/Teardown
  • For setup, we need help making sure registration is ready to roll, getting T-shirts ready to move, and getting the rooms prepped for our amazing sessions.

  • For teardown, we need to undo all the setup including packing up all the rooms, the registration desk, cleaning signage, and making it look like we were never there.

Registration and Ticketing
  • We need ticket scanners, program dispersers, and people to answer questions.

Room Monitors
  • Pick your sessions and count heads, make sure the speakers have what they need to survive, and help with the in-room A/V.

If you’re interested in volunteering or would like to find out more, please contact us.

Sign up to Volunteer!

MidCamp - Midwest Drupal Camp: Call for Volunteers

8. Februar 2018 - 4:33
Call for Volunteers We need you!

Want to give back to the Drupal Community without writing a line of code? Volunteer to help out at MidCamp 2018.  We’re looking for people to help with all kinds of tasks including: 

Setup/Teardown
  • For setup, we need help making sure registration is ready to roll, getting T-shirts ready to move, and getting the rooms prepped for our amazing sessions.

  • For teardown, we need to undo all the setup including packing up all the rooms, the registration desk, cleaning signage, and making it look like we were never there.

Registration and Ticketing
  • We need ticket scanners, program dispersers, and people to answer questions.

Room Monitors
  • Pick your sessions and count heads, make sure the speakers have what they need to survive, and help with the in-room A/V.

If you’re interested in volunteering or would like to find out more, please contact us.

Sign up to Volunteer!

Tandem's Drupal Blog: Migrating a Drupal 7 Body Field to a Drupal 8 Paragraph

8. Februar 2018 - 2:00
February 08, 2018 Migrating A Drupal 7 long text field to a Drupal 8 nested text field in a paragraph is a two step process. It is quick and easy once you get the basic grasp of the mechanisms involved. Why are we doing this? We were hired on as to help consult with one of our University clients migration from Drupal 7 to Drupal 8. One of the ...

Roy Scholten: An experiment in removing friction

8. Februar 2018 - 0:28
07 Feb 2018 /sites/default/files/styles/large/public/form-display.png?itok=sKIMMJvv An experiment in removing friction

An experiment triggered by Dries’s blog post To PESOS or to POSSE? and my comment there about the friction in the UI’s for the POSSE approach. The Drupal content creation UI is not as optimized as the ones in native, mobile apps for Twitter, Instagram and the like.

I was curious how far I could take things just by stripping down the default Drupal content creation UI, optimizing it for posting an image + caption as an entry to this here blog.

What I did:
  1. Create a custom, stripped down content creation form
  2. Use evil CSS to hide superfluous items
Custom form mode

The first step was to remove most of the fields that are not required to create a post. The Form Mode Manager module lets you do just that. I set up a “Minimal piece” form mode which hides the fields for inputs like a separate summary, tags, file attachments, url alias, author, date, sticky and the “promoted” checkbox. These are optional (not required) fields that can be left empty or provide sensible defaults (me as the author, use “now” for the publishing date).

This alternative form comes with its own URL I can go to to create that new post.


Evil CSS

The stripped down form still shows bits and pieces I don’t really need to be reminded of every time I go to post something. Nothing a few display: none; CSS staments couldn’t fix. But, I’m using the default Seven admin theme here, which does not provide a body class to uniquely identify a specific page. I couldn’t add my CSS hacks to that theme’s (or sub theme’s) stylesheet because those would then apply to all admin pages.

I use the Firefox browser on my Android phone. Stylish to the rescue. We’re definately in proof-of-concept territory now! Stylish lets you define custom styling for all sites, a site or one or more specific URLs. I made one specifically for the URL where the minimal entry form lives to clean up that screen even more: hiding the header, breadcrumbs, form field descriptions, etc.


And, does it work?

Yes. It’s far from elegant but it’s already a much more focussed and faster experience. I think I already knew but was happily surprised to see that the regular image field does provide access to both the camera (for taking a new picture) and the gallery (for choosing an existing image).


What could be next

One thing that makes the Drupal approach feel old school is the required title field. Twitter, Instagram, Tumblr all let you just type something into what basically amounts to a “body text” field. In Drupal it has to at least be just like email: a subject and a message: a title + a body. I can make the body optional but I want my text to go in there. Hiding the title field is not straightforward, I think because it is tightly coupled with the unique ID for that content item. There’s modules that let you hide the title input field but those still automatically generate a (gibberish) title.

Still, my focus was on smoothing the path for posting an image to my blog from my phone. That “Browse…” button is old school too, but it does provide access to camera and camera roll. Saving a bookmark for this comes with the option to create a shortcut icon for it on the phone home screen for quick access. Not bad for an hour or two of experimenting without coding :)

A couple of years ago swentel created Drupoid, an Android app that let you save an image from your phone as a content item on a Drupal site. It would be an interesting exercise to recreate something like it with React, Drupal’s (future) JavaScript toolkit of choice and figure out how smooth and snappy we can make it there.

Tags Drupal drupalplanet ux process

myDropWizard.com: Drupal 6 security update for FileField Sources!

7. Februar 2018 - 22:23

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the FileField Sources module to fix an Access Bypass vulnerability.

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control on the autocomplete for reference sources.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the FileField Sources module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).