Lullabot: The Blue Drop and the Red Pill

Planet Drupal - 25. April 2018 - 22:20
In this episode, Matthew Tift discusses DrupalCon Nashville, the movie *The Matrix*, and various ways to understand the Drupal community. He plays clips from the Driesnote and Steve Francia's keynote, describes some of his experiences at DrupalCon, and offers ideas for what it might mean to understand "the real" Drupal.

roomify.us: Tutorial: using BEE for Tours, Classes and Appointments

Planet Drupal - 25. April 2018 - 20:33
BEE makes it easy to quickly implement all kinds of booking & reservation use cases. We've created a new video that walks you through setting up reservations for classes using BEE and Drupal 8.

Valuebound: Visualising Drupal Security Advisory Data

Planet Drupal - 25. April 2018 - 20:30
Drupalgeddon 2.0 brought a lot of focus to the Drupal security initiative and its practices. The way the security team was proactive about disclosure, and the way it was communicated to developers, the community and the press, was commendable. In addition, the communication was continuous.

The vulnerability, which started off with a risk score of 21/25 on March 28th, was upgraded to 22/25 on April 13th and was finally marked as 24/25 on April 14th. If you are interested in what changed across these days for the score to vary, you can check out the revisions and…

Platform.sh: Another Drupal security update: We've still got you covered

Planet Drupal - 25. April 2018 - 19:54
Crell, Wed 04/25/2018 - 17:54, Blog

The Drupal project today released another security update to Drupal 7 and 8 core, SA-CORE-2018-004. It is largely a refinement of the previous fix released for SA-CORE-2018-002 a few weeks ago, which introduced a Drupal-specific firewall to filter incoming requests. The new patch tightens the firewall further, preventing newly-discovered ways of getting around the filters, as well as correcting some deeper issues in Drupal itself.

We previously added the same logic to our own network-wide WAF to address SA-CORE-2018-002. With the latest release we've updated our WAF rules to match Drupal's updates, and the new code is rolling out to all projects and regions as we speak.

The upshot?

  1. You really need to update Drupal to 7.59 or 8.5.3 as soon as possible. We believe that some of the attack vectors fixed in the latest patch cannot be blocked by a WAF. See our earlier post for quick and easy instructions to update your Drupal 7 or 8 sites on Platform.sh in just a few minutes.

  2. Still, most of the attack vectors fixed in the latest release are covered by the WAF. That should help keep your site safe from most attacks until you can update. But please, update early and often.

Stay safe out there on the Internet!

Larry Garfield 25 Apr, 2018

myDropWizard.com: Critical Drupal core security update for SA-CORE-2018-004 (including Drupal 6!)

Planet Drupal - 25. April 2018 - 18:53

Today, there is a Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

This issue also affects Drupal 6 (although less severely than Drupal 7 or 8). So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core and the Filefield module.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

This fix is both for Drupal 6 core and the Filefield module. This is because the Drupal 7 & 8 fixes include changes to the core 'file' module, which isn't in Drupal 6 core, but an equivalent fix applies to the Filefield module.

Here you can download:

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install security updates for contrib modules (even though they won't necessarily have a release on Drupal.org).

Lullabot: Should you Decouple?

Planet Drupal - 25. April 2018 - 18:44

One of the major topics of discussion in the Drupal community has been decoupled (or headless) Drupal. Depending on who you ask, it’s either the best way to build break-through user experiences, or nothing short of a pandemic. But what exactly is a decoupled architecture?

A decoupled content store splits the content of a website from how it is displayed into multiple independent systems. Decoupled sites are the logical evolution of splitting content from templates in current CMSs. Decoupled architectures started to become mainstream with the publication of NPR’s Create Once, Publish Everywhere (COPE) series of articles. Other media organizations including Netflix have seen great benefits from a decoupled approach to content.

Like many other solutions in computer science, decoupling is simply adding a layer of technical abstraction between what content producers create and what content consumers see.

Technical decision makers face an important choice when evaluating Drupal 8. When an existing site is upgraded to Drupal 8, how do we decide if we should decouple the site or not? Before we decide to work on a decoupled implementation, it’s critical that everyone, from developers and project managers, to content editors and business leaders, understand what decoupling is and how to ensure a decoupled effort is worth the technical risk.

Why Decouple?

I’ve seen many people jump to the conclusion that decoupling will solve problems unrelated to a decoupled architecture. Decoupling doesn’t mean a website will have a cleaner content model or a responsive design. Those are separate (though relevant) solutions for separate problem sets.

These are the specific advantages of a decoupled architecture for a large organization:

  • Clean APIs for mobile apps: Since the website front-end is consuming the same APIs as mobile apps, app developers know that they aren’t a second-tier audience.
  • Independent upgrades: When the content API is decoupled from the front-end, the visual design of a website can be completely rebuilt without back-end changes. Likewise, the back-end systems can be rebuilt without requiring any front-end changes. This is a significant advantage in reducing the risk of replatforming projects, but requires strict attention to be paid to the design of the content APIs.
  • APIs can grow to multiple, independent consumers: New mobile apps can be created without requiring deep access to the back-end content stores. APIs can be documented and made available to third parties or the public at large with little effort.
  • Less reliance on Drupal specialists: Drupal is a unique system in that front-end developers need to have a relatively deep understanding of the back-end architecture to be effective. By defining a clear line between back-end and front-end programming, we broaden our pool of potential developers.
  • Abstraction and constraints reduce individual responsibilities while promoting content reuse: Content producers are freed from needing to worry about exact presentation on every single front-end that consumes content. Style and layout tweaks are solely the responsibility of each front-end. Meanwhile, front-end developers can trust the semantics of content fields and the relationships between content as determined by the content experts themselves.

Here Be Dragons

At the beginning of a decoupled project, the implementation will seem simple and straight-forward. But don’t be fooled! Decoupled architectures enable flexibility at the cost of simplicity. They aren’t without risk.

  • One system becomes a web of systems: A decoupled architecture is more complex to understand and debug. Figuring out why something is broken isn’t just solving the bug, but sorting out whether the problem lies in the request or in the API itself.
  • Strict separation of concerns is required to gain tangible benefits: As front-end applications grow and change, care has to be taken to ensure that front-end display logic isn’t encoded in the API. Otherwise, decoupled systems can slowly create circular dependencies. This leads to systems with all of the overhead of a decoupled architecture and none of the benefits.
  • Drupal out-of-the-box functionality only works for the back-end: Many contributed modules provide pre-built functionality we rely on for Drupal site builds. For example, the Google Analytics module provides deep integration with Drupal users and permissions, "page not found" tracking, and link tracking. In a decoupled architecture, this functionality must be rewritten. Site preview (or even authenticated viewing of content) has to be built from scratch in every front-end, instead of using the features we get for free with Drupal. Need UI localization? Get ready for some custom code. Drupal has solved a lot of problems over the course of its evolution so you don’t have to—unless you decouple.
  • The minimum team size is higher for efficient development: A Drupal site with a small development team is not a good candidate for decoupling unless content is feeding a large number of other applications. In general, decoupling allows larger teams to work concurrently and more efficiently, but doesn't reduce the total implementation effort.
  • Abstraction and constraints affect the whole business: The wider web publishing industry still has the legacy of the "webmaster". Editors are used to being able to tweak content with snippets of CSS or JavaScript. Product stakeholders often view products as a unified front-end and back-end, so getting the funding to invest in building excellent content APIs is an uphill battle. Post-launch support of decoupled products can lead to short-term fixes that are tightly coupled, negating the original investment in the first place.

The Heuristic

To help identify when decoupling is a good fit for a client, Lullabot uses the following guidelines.

Decoupled architectures may be appropriate when:

  1. The front-end teams require full freedom to structure and display the data.
  2. The front-end team does not have Drupal expertise.
  3. More than one content consumer (such as a website and multiple mobile apps) is live at the same time.
  4. Display front-ends combine data from multiple distinct API sources like CMSs, video management systems, and social media.
  5. A project consists of multiple development teams.

If a project meets some of these criteria, then we’ll begin a deep-dive into what decoupling would require.

  • Does decoupling also require a complete content rewrite, such as when migrating from legacy "full-page" CMSs? We’ve encountered sites that haven’t made the move to structured data yet and still consist primarily of HTML “blobs.” This scenario presents a significant hurdle to decoupling, though it’s a separate problem from decoupling.
  • Does the development team have the time needed to build and document a content API with something like Swagger? Or is using Drupal as a site building (but coupled) development framework a better fit?
  • Does the web team consist primarily of Drupal developers, and will those developers continue to support the website in the future? Would the front-end team be better served by Views, Panels and the theme layer, or by a pure front-end solution like React or Angular?
  • Is there enough value in decoupling that the business is willing to change how they work to see its benefits?

Decoupled architectures are a great solution - but they’re not the only solution. Some of the best websites are built with a completely coupled Drupal implementation. It’s up to us as technical leaders and consultants to ensure we don’t let our excitement over an updated architecture get in between us and what a client truly needs.

Header image by Daniel Schwen CC BY-SA 4.0, from Wikimedia Commons

IT-Jobtag Leipzig: Job seekers meet employers in Leipzig on 26 April

heise online Newsticker - 25. April 2018 - 18:30
On Thursday, job seekers in Leipzig will have the opportunity to get in touch with employers. The job fair is accompanied by a supporting programme.

Security advisories: Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

Planet Drupal - 25. April 2018 - 18:13
Project: Drupal core
Date: 2018-April-25
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. While SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)


Jakarta EE: Eclipse Foundation takes over responsibility for Enterprise Java

heise online Newsticker - 25. April 2018 - 17:30
Optimisations for microservice architectures and deeper integration of Kubernetes, Docker & Co. for cloud-native applications are on the community's wish list for future Enterprise Java versions.

Linux developer: kernel community will collapse under its own bureaucracy

heise online Newsticker - 25. April 2018 - 17:30
In a few years, the maintainers of the Linux kernel will no longer be able to keep up with processing submitted patches. The system is headed for collapse unless they manage to distribute the workload, claims kernel developer Daniel Vetter.

Web Wash: Easily Link to Content using Linkit in Drupal 8

Planet Drupal - 25. April 2018 - 17:11

The Linkit module allows site editors to work more comfortably when linking to internal entities (i.e. content, users, taxonomy terms, files, comments, etc.) as well as when linking to external content.

The benefit of the module is that your editors won’t have to copy and paste the URLs of the content they're linking to; instead, the module provides an autocomplete field which they can use to search for content.

Linkit works based on a profile system. You can choose as many or as few plugins (linking options) for each profile and then assign each profile to a particular text format. This provides an extra layer of granularity, because the linking permissions are granted in the text editor and not within Linkit. That way you can add multiple roles or just one role to a Linkit profile.

Patient advocates call for uniform standards for the electronic health record

heise online Newsticker - 25. April 2018 - 16:30
The electronic health record is meant to make it easier for treating physicians to trace the course of an illness and to make better diagnoses. Patient advocates are calling for uniform security standards, and they are calling on the state to act.

NASA telescope Neowise: hundreds of near-Earth objects discovered, including potentially hazardous ones

heise online Newsticker - 25. April 2018 - 16:30
Since its reactivation, NASA's Neowise space telescope has been scanning the sky for, among other things, potentially hazardous objects that could strike the Earth. Among the data on tens of thousands of celestial bodies, there are a few of them.

Published boot exploit cracks all Nintendo Switch consoles

heise online Newsticker - 25. April 2018 - 16:30
Several hacker groups are demonstrating how they get into Nintendo's Switch and, for example, run Linux on the game console with apparently full hardware access.

Lycos discontinues its free mail service

heise online Newsticker - 25. April 2018 - 16:00
Internet veteran Lycos is discontinuing its free mail service. In future there will only be a paid version, but who actually still needs it?

Xbox One update in May brings 120 Hz output

heise online Newsticker - 25. April 2018 - 16:00
From May, the Xbox One, Xbox One S and Xbox One X are to be able to output 120 Hz on suitable displays. Also coming are groups, simplified parental controls and video editing before upload.

Gamepad comparison: seven controllers from 6 euros put to the test

heise online Newsticker - 25. April 2018 - 15:30
Good controllers are expensive? Not at all. Techstage compares seven gamepads from no-name to brand, from just under 6 to just under 70 euros. The best value for money costs less than 7 euros.

YouTube deletes more than eight million problematic videos

heise online Newsticker - 25. April 2018 - 15:30
YouTube has stepped up its efforts to rid the platform of content that violates its internal guidelines. In the last quarter of 2017, more than eight million videos were deleted with the help of artificial intelligence.

Developers remove VLC Media Player from Fire TV

heise online Newsticker - 25. April 2018 - 15:30
The developers of VLC Media Player have removed their app from the Fire TV store. Amazon had previously refused to approve the new version of the application.

mark.ie: Showing Fields in a Referenced Node Depending on the Value of a Boolean in a Paragraph Bundle

Planet Drupal - 25. April 2018 - 15:18

Mission: you have 2 fields in a Drupal paragraph bundle, one a node reference field and one a boolean field. Show certain fields in the referenced node depending on the value of the boolean field.

markconroy Wed, 04/25/2018 - 14:18

That's a question that popped up today in the DrupalTwig Slack. Here's my response, which I implemented a version of recently. (In that particular case, we had an 'Event' content type with fields for 'address', 'phone number', etc and also a reference field for 'Amenity'. If the fields were filled in in the event content type, they were to be presented, but if they were left blank on the event content type, we had to pull in the corresponding fields for address, phone number, etc from the referenced amenity.) Anyway, my response:

{# Check the value of the boolean field. Twig has no === operator, so use ==;
   a Drupal boolean field stores '1' (checked) or '0' (unchecked) in .value #}
{% if paragraph.field_boolean.value == '1' %}
  {# Just render the title of the referenced node #}
  {{ paragraph.field_reference.0.entity.label }}

{% else %}
  {# Render the title and the image field #}
  {{ paragraph.field_reference.0.entity.label }}
{% endif %}

{# Ensure that the cache contexts can bubble up by rendering the {{ content }} variable,
   minus the two fields already handled above #}
{{ content|without('field_boolean', 'field_reference') }}

Just for clarity - variables in that code snippet are simply made up off the top of my head (this is what happens when answering questions on Slack). I'm sure I have things slightly wrong and you'll need to play with them to get them to work correctly.

Also, the reason for the cache contexts bit? Say thanks to Lee Rowlands from Previous Next for his blog post Ensuring Drupal 8 Block Cache Tags bubble up to the Page