31 Aug 2015

Feed: Drupal.org aggregator

Red Crackle: Free Drupal 8 Tutorials – An Exhaustive List

If you are starting to learn Drupal 8, you are probably overwhelmed by the number of blog posts that offer free tutorials on different aspects of Drupal 8. The only way to find all these tutorials is to search online. In this post, we have created an exhaustive list of the free resources online for mastering Drupal 8, organized by categories. Use these links as a reference when starting on your next Drupal 8 learning expedition.

31 Aug 2015 7:34pm GMT

30 Aug 2015

Steve Purkiss: Drupalaton 2015 - the memories

Sunday, 30th August 2015

Chx presenting Data Storage in Drupal 8 at Drupalaton, Hungary, August 2015

"The advantages of variables in Drupal 7 is they're all loaded into memory. The disadvantages of variables in Drupal 7 is they're all loaded into memory".

With this, Károly Négyesi ('chx'), opened his Storing Data with Drupal 8 workshop at Drupalaton to a standing room only crowd - half of whom chuckled knowingly, with the rest following shortly after once they'd had a little time to think about this technical juxtaposition.

It is this pull no punches attitude which made chx's workshop, for me at least, the highlight of the event - I like to know what is wrong, why it is wrong, and what we can or are doing to fix it. It was different when I'd asked the Hungarian, now living in Vancouver, to keynote our local DrupalCamp Brighton held back in January. In a departure from his normal techie talks, chx delivered a highly enjoyable and enlightening session talking about the profession of programming and how computer game music was the best type of music to listen to when coding. Here at Drupalaton though, we were back to the nitty and gritty of Drupal's internals.

Chx proceeded to give an excellent overview of the different subsystems of Drupal and how they'd changed from version 7 to 8. Drupal 8 brings together a lot of pieces which were fragmented in Drupal 7 - for example Drupal's Entity API where most of the functionality existed in a contributed module. By bringing it all together into core Drupal and providing APIs it improves maintainability through common knowledge, translation, access, performance and testing. He went on to cover the improved data stores in Drupal 8, for example the state API to store information such as when maintenance updates were last run using cron, a private tempstore for functionality like autosave data and the new quick edit functionality, and a shared tempstore for things like views.

After an intense hour and a half and a short break chx for a moment thought he'd lost half the audience but most soon filtered back in once their brains had a little more time for the coffee to take effect! The workshop continued with much information about how to use these new APIs, and how all configuration was now in YAML files then loaded into the database at runtime. In previous versions of Drupal, many settings were stored in the database and work-arounds such as using the Features module were used to extract settings. These approaches had varying results - as someone coming from an Enterprise Java world where storing settings in files is the norm I for one am very excited about this as it provides far easier development, deployment and versioning. Features still exist in Drupal 8, but for their original purpose - to create exportable features of functionality.

Contributing to Drupal can be tiring!

Headless chx!

After the workshop I made my way to the only air-conditioned room for what felt like miles around and managed to catch this picture of chx resting - with lots of talk recently about 'Headless Drupal' I thought the angle was quite funny.

I'd gone there to do some more work on Drupal 8 Rules - the fifth most popular module for Drupal which enables people to create functionality through the user interface, for example to send an email when someone adds a comment, or to apply a certain tax rate for a certain product in a certain country.

Although I'd previously worked on a few core issues for Drupal 8 like splitting up the 'password strength' and 'password matches' code and cleaning up some unused variables, I'd not really found an area I could focus on, but then I attended Drupalaton last year where there was a whole day of Rules, with a morning workshop bringing people up to speed on Rules in Drupal 8 and an afternoon spent focusing on how you could get involved and contribute.

For me, the workshop format is what makes Drupalaton so special - most other DrupalCamps have half-to-an-hour long sessions where you get an overview of something but don't really get time to delve in deep. I wanted to learn Drupal 8, and helping Rules out where I could to me seemed like a pretty good way of learning it. Since then I've helped update a few Rules Actions, Conditions, and Events to Drupal 8 and although I haven't done half as much as I've wanted to, it feels great to be learning lots and hopefully helping progress things a little bit.

Cruise Party

Drupalaton cruise party

After spending the afternoon learning more about exporting, importing, and deploying configuration management in Fabian Bircher's workshop (slides and a great blog post from Fabian here), it was time for the yearly Drupalaton Cruise Party.

The cruise party is an excellent chance to chill out, see a little more of Central Europe's largest lake, talk Drupal, and enjoy a most wonderful sunset!

Behold Behat!

Behat workshop

The next morning, after I'd managed to complete 30 lengths of the swimming pool and a 20km cycle for the second day in a row (yes, I know, shocker, but the Sun makes me a different person than I am in the dreary rainy grey UK!) it was workshop time again - this morning's being 'From User Story to Behat Test' with Pieter Frenssen.

I'm almost as excited about using Behat as I am about Drupal 8 - after many years of discussions about how functionality X worked, or whether feature X and function Y was included in the original quote, this way of defining requirements provides an excellent interface all project stakeholders can be a part of, with a solid technical backing enabling tests to be performed against sets of Plain English user stories.

The workshop was to go through setting up Behat with Drupal 8 which was great as I'd spent some time recently getting it set up but lacked in-depth understanding of the setup which Pieter's workshop helped enormously with so now I'll be using it on all my projects. There's plenty of info online about Behat so I won't go into more details here.

Grill Party
The Grill Party at Drupalaton

The afternoon was spent discussing using Drupal as a prototyping tool with Kristof Van Tomme and László Csécsy and finding out about Pretotyping. This is of particular interest to me as I continue my work on abilit.es - a topic for another blog I think!

In the evening the lovely Drupalaton organising team arranged a Grill Party - this didn't happen last year but was great as it was right next to the hotel and meant we weren't dispersed across many different places.

As well as great food a few people had been working on some lyrics and provided lots of entertainment with a fab Drupalaton song!

So long Drupalaton, till next year!

Me, on my bike outside Hotel Helikon in Hungary

Sunday was fairly quiet, no sessions were on but the sprint room was open so I interspersed some rules work with some cycling. After a few days of the hotel's all-inclusive menu I wasn't expecting to lose any weight, but certainly enjoyed getting the metabolism up and running again nicely!

In 36 degrees cycling was not easy but certainly fun and I'm glad I took my Brompton on its first trip abroad - I'd been wanting an opportunity to test out the Vincita Sightseer bag and it did not disappoint. I look forward to taking my bike to more places around the world - you definitely get to see a lot more of a place than just by foot and with the bag going into normal hold it doesn't cost any more than normal baggage.

Monday finally came round and it was time to make the journey back to the UK via Budapest. The train to Budapest is always an experience - it stops *everywhere* and takes three hours to go just over a hundred miles, has no air conditioning, and wouldn't let me on without buying a 'boarding pass' even though I had a ticket already. Luckily it was not much and I had a small amount of local currency to cover it otherwise I would've been stuck!

Felt great to cycle out of the hotel down to the train station then pack the bike up in its own bag (it fits on the back rack when riding) and I can't wait till I can do it all again, perhaps DrupalCon Barcelona, although I'm not a huge fan of cycling in cities & DrupalCon is quite intense so perhaps not, we'll see!

A big thank you to all those who had something to do with this lovely event, from organising to speaking, sponsoring, and of course attending, am already looking forward to next year's holiday, erm - I mean, Drupalaton!

30 Aug 2015 5:26pm GMT

Mpumelelo Msimanga: Creating Drupal Charts on External Views Data

This is a continuation of my series of posts on using Drupal as a data platform. In this post I show that you can create charts on data external to Drupal. I picked three modules to illustrate my point from a longer list of available contributed Drupal charting modules. There are two documentation pages that give more detailed information on Drupal charting modules: "Modules related to Charts" and "Comparison of Charting modules".

30 Aug 2015 2:00pm GMT

DrupalOnWindows: Fixing Drupal site locks during menu rebuild

This is a follow up to the previous post Database Transactions in Drupal where we saw in detail how little attention transaction management has had (and still has) in Drupal.

In this article we will see:


30 Aug 2015 5:00am GMT

Chen Hui Jing: Drupal 101: Improving the content authoring experience

Episode 101 of Jen Simmons' wonderful podcast The Web Ahead featured content strategist Eileen Webb. Good stuff from start to finish, you should really check it out. There was one particular point that resonated with me, when they talked about user experience of people whose job is to add content to the website.

Not to get super philosophical, but capitalism isn't really keen on improving working conditions for employees. It's not super excited about spending money and energy on making things nicer for the people who you are paying.
― Eileen Webb on The Web Ahead

Drupal comes with a lot of out-of-the-box functionality that can help make the content editing experience less confusing,...

30 Aug 2015 12:00am GMT

28 Aug 2015

Wuinfo: Build a Star Software Development Team

The success of a project depends on a good development team. How do we build and maintain such a good team?

As a software developer for many years, I believe a good dev team is one of the pillars of a successful business. Here, I want to discuss how to build a dream developer team. Building a highly productive, super innovative and proactive team is like cooking a meal. It needs good ingredients, the right source, and good timing in each step of cooking.

A good developer has a good academic score in math. Software development needs the strongest logical thinking and self-validation skills. Building a software project is like taking a mathematics test. A higher score in the test means fewer bugs in the code. A person who is capable of getting full scores on math tests is likely to build a project with the fewest bugs. Finding the right people is the first step toward a great team.

A good academic score will not automatically make a good developer. Building software projects is teamwork. Developing software is very detail oriented. We may not be able to avoid nitpicking on something. Soft skills are important too. A good developer is willing to learn, easy to collaborate with and detail oriented. A good developer will always focus on the matter at hand and never escalate matters to a personal level. A good developer can accept criticism and change for the greater good of the team.

After we have gathered a group of talented developers, it is time to "cook". Every person can be in different states. Software developers can be at their peak productivity or at the bottom of their productivity. An encouraging and rewarding environment with strong leadership is the key to motivating developers to reach the peak of their productivity. Reward developers with self-fulfillment and let them achieve something with their work. A leading developer with an extraordinary fellowship will help it a lot.

We might ignore the physical environment. Nice, clean, quiet offices help developers focus on their job. Some start-up companies put a lot of effort into finding talent but do not let them work comfortably. Sometimes, offices are crowded and stuffy. What they can do is just stop looking for a smarter developer and put a little bit more effort into improving the current working conditions. In such a company, even the best developer is not able to concentrate on his job. Software development is a mental activity. The brain requires a lot of blood circulation with plenty of oxygen and energy. The importance of a clean, quiet, natural and toxic-free environment will never be overestimated. A healthy environment is a basic requirement for a strong software product.

The next one is a study-oriented and encouraging setting: a company with a respectful culture and a group of open-minded developers. It is where developers collaborate very closely with each other. Developers are not afraid to make a mistake and are willing to share their latest trick and newly mastered programming tactics.

28 Aug 2015 9:51pm GMT

Faichi.com: How Drupal Solves e-Publishing Challenges

28 Aug 2015 12:29pm GMT

Drupal core announcements: Recording from August 28th 2015 Drupal 8 critical issues discussion

We met again today to discuss critical issues blocking Drupal 8's release (candidate). (See all prior recordings). Here is the recording of the meeting video and chat from today in the hope that it helps more than just those who were on the meeting:

If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The meeting log is as follows (all times are CEST real time at the meeting):


[11:08am] GaborHojtsy: https://www.drupal.org/node/2555183
[11:08am] Druplicon: https://www.drupal.org/node/2555183 => Fix the filled update tests, they are broken [#2555183] => 60 comments, 10 IRC mentions
[11:08am] GaborHojtsy: https://www.drupal.org/node/2555665
[11:08am] Druplicon: https://www.drupal.org/node/2555665 => When index is added for content_translation_uid, the corresponding stored schema definition is not updated [#2555665] => 30 comments, 7 IRC mentions
[11:09am] plach: https://www.drupal.org/node/2542748
[11:09am] Druplicon: https://www.drupal.org/node/2542748 => Automatic entity updates can fail when there is existing content, leaving the site's schema in an unpredictable state [#2542748] => 184 comments, 38 IRC mentions
[11:10am] plach: https://www.drupal.org/node/2558905
[11:10am] Druplicon: https://www.drupal.org/node/2558905 => Content translation module - Information disclosure by insufficient access checking [#2558905] => 9 comments, 3 IRC mentions
[11:11am] plach: https://www.drupal.org/node/2555665
[11:11am] Druplicon: https://www.drupal.org/node/2555665 => When index is added for content_translation_uid, the corresponding stored schema definition is not updated [#2555665] => 30 comments, 8 IRC mentions
[11:13am] WimLeers: https://www.drupal.org/node/2429617#comment-10256775
[11:13am] Druplicon: https://www.drupal.org/node/2429617 => Make D8 2x as fast: SmartCache: context-dependent page caching (for *all* users!) [#2429617] => 265 comments, 34 IRC mentions
[11:13am] WimLeers: https://www.drupal.org/node/2556889
[11:13am] Druplicon: https://www.drupal.org/node/2556889 => [policy, no patch] Decide if SmartCache is still in scope for 8.0 and whether remaining risks require additional mitigation [#2556889] => 62 comments, 4 IRC mentions
[11:19am] alexpott: xjm: https://www.drupal.org/node/2558791
[11:19am] Druplicon: https://www.drupal.org/node/2558791 => !placeholder should Xss::adminFilter but not affect safeness [#2558791] => 11 comments, 1 IRC mention
[11:20am] alexpott: xjm: your issue might be a duplicate
[11:26am] WimLeers: plach: https://www.drupal.org/node/2558905#comment-10267715
[11:26am] Druplicon: https://www.drupal.org/node/2558905 => Content translation module - Information disclosure by insufficient access checking [#2558905] => 9 comments, 4 IRC mentions
[11:28am] plach: WimLeers: replied
[11:33am] jibran: https://www.drupal.org/node/2538108
[11:33am] Druplicon: https://www.drupal.org/node/2538108 => Add an API for data value updates to reliably run after data format updates [#2538108] => 19 comments, 4 IRC mentions
[11:46am] WimLeers: https://www.drupal.org/node/2557815#comment-10266477
[11:46am] Druplicon: https://www.drupal.org/node/2557815 => Automatically assign node grants cache context in node_query_node_access_alter() [#2557815] => 17 comments, 2 IRC mentions
[11:53am] jibran: https://www.drupal.org/node/2538108
[11:53am] Druplicon: https://www.drupal.org/node/2538108 => Add an API for data value updates to reliably run after data format updates [#2538108] => 19 comments, 5 IRC mentions
[11:55am] WimLeers: https://www.drupal.org/node/2464427
[11:55am] Druplicon: https://www.drupal.org/node/2464427 => Replace CacheablePluginInterface with CacheableDependencyInterface [#2464427] => 176 comments, 27 IRC mentions
[11:55am] jibran: https://www.drupal.org/node/2538108
[11:55am] Druplicon: https://www.drupal.org/node/2538108 => Add an API for data value updates to reliably run after data format updates [#2538108] => 19 comments, 6 IRC mentions
[11:56am] xjm: Is that another update path test we need? a test contrib module?
[12:05pm] • xjm finds herself wondering if plach hears churchbells again :)
[12:05pm] plach: xjm: I'm doing right now :)
[12:05pm] xjm: :D
[12:13pm] xjm: Given the complexity here, I find myself wondering how on earth it was we ever expected this to work for major version upgrades :) Thank goodness for migrate

28 Aug 2015 12:01pm GMT

Drupal core announcements: Recording from August 21st 2015 Drupal 8 critical issues discussion

We met again last Friday to discuss critical issues blocking Drupal 8's release (candidate). (See all prior recordings). Here is the recording of the meeting video and chat from last Friday in the hope that it helps more than just those who were on the meeting:

If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The meeting log is as follows (all times are GMT real time at the meeting):


10:12 plach entity updates issue: https://www.drupal.org/node/2542748
10:12 Druplicon https://www.drupal.org/node/2542748 => Automatic entity updates can fail when there is existing content, leaving the site's schema in an unpredictable state [#2542748] => 152 comments, 31 IRC mentions

10:25 alexpott https://www.drupal.org/node/2554151
10:25 Druplicon https://www.drupal.org/node/2554151 => Test content/configuration in update database dump [#2554151] => 23 comments, 2 IRC mentions

10:32 WimLeers https://www.drupal.org/node/2554233
10:32 Druplicon https://www.drupal.org/node/2554233 => Port Cross-site Request Forgery - Form API fixes from SA-CORE-2015-003 to Drupal 8 [#2554233] => 26 comments, 1 IRC mention

10:33 larowlan plach: https://www.drupal.org/node/2542748#comment-10244733 point 2 - I think that's a c/p error
10:33 Druplicon https://www.drupal.org/node/2542748 => Automatic entity updates can fail when there is existing content, leaving the site's schema in an unpredictable state [#2542748] => 152 comments, 33 IRC mentions

10:34 plach larowlan: definitely :)
10:34 plach thanks for catching that

10:42 alexpott https://www.drupal.org/node/2497243
10:42 Druplicon https://www.drupal.org/node/2497243 => Replace Symfony container with a Drupal one, stored in cache [#2497243] => 245 comments, 53 IRC mentions

10:44 WimLeers dawehner: "we're in the middle of nowhere of the DrupalKernel" - that sounds bizarre :D

10:53 alexpott https://www.drupal.org/node/2464427
10:53 Druplicon https://www.drupal.org/node/2464427 => Replace CacheablePluginInterface with CacheableDependencyInterface [#2464427] => 175 comments, 25 IRC mentions

10:59 dawehner jibran: new \Drupal\views\Entity\View();
11:03 jibran UpgradePath--
11:03 jibran UpgradePath--
11:03 jibran UpgradePath--
11:03 jibran UpgradePath--
11:09 WimLeers jibran: hahahaha
11:09 WimLeers jibran++
11:09 pfrenssen jibran: lol :D
11:10 WimLeers alexpott: amazingly, *during* our call, pretty much every SafeMarkup issue has been updated!
11:10 WimLeers stefan_r++

28 Aug 2015 11:54am GMT

InternetDevels: 6 Reasons Why Google Loves Drupal Websites and So Should You

Let's talk about Drupal web development with love :) Check out the blog post from our guest blogger Daniel Mattei about why Google loves Drupal.

28 Aug 2015 7:26am GMT

Savas Labs: Sassy Drupal theming: a lighter version of SMACSS

It takes some forethought, but a well-organized theme means code that is modular and easy to maintain or pass off to another developer. SMACSS principles are becoming more and more widespread and can be applied to a Drupal theme. At Savas we've picked out what we love from SMACSS and simplified the rest, creating a stylesheet organization method that works for us. In this post (part 2 of my three-part series on Drupal theming with Sass) I'll go through our version of SMACSS and link to real examples.

28 Aug 2015 12:00am GMT

27 Aug 2015

Viktor Bán: GSoC 2015 - Security Review D8 - Wrap up

I've spent most of this summer working on the Drupal module called Security Review. My project was porting it to Drupal 8 as part of Google Summer of Code 2015. I'm happy to say that the requirements have been met long before the end of the programme, so there was no rush at the end of the coding period.

How it all started

It all started with a simple Facebook post in my faculty's FB group. I didn't even notice it as I was too busy learning for a midterm, but thankfully my friends were kind enough to procrastinate at the time and showed me the link to GSoC. It didn't take long until I found that Drupal would be a perfect candidate for me, even without any experience related to it. So I took a leap of faith and started writing a proposal for the project that I liked most, "Port security_review to Drupal 8". I liked the cause (eliminate security vulnerabilities from misconfiguration), the freedom of designing a new architecture from scratch and the GSoC t-shirt I hope I will soon receive.

Preparation for GSoC

Drupal requires GSoC student candidates to complete the ladder called Getting Started with Drupal for GSoC Students. This is really a necessity as it teaches the basics which students will need numerous times during working on Drupal.

Finishing the ladder, I've tried to get a mentor for my project as it didn't have one, and who could be better than the module's owner!? So I went ahead and contacted coltrane, who then shortly accepted to be the mentor of the project. He is pretty awesome and helpful, I really enjoyed working with him.

Writing a good proposal might have been the hardest part of the whole project, so I advise every future student to take their time to work out a really good one. There are links to a lot of resources in the Google Summer of Code Drupal group that were really helpful, so I highly recommend future students to read everything they can find there.

After the proposal

Days went by and finally the accepted projects were announced and I could see my name in the list. Of course I celebrated the event properly, but soon I had to realize that all of this won't be easy. Finals here in Hungary started on 25th May... yes, the same as the coding period. So I went ahead and did a little work on the module before finals so that I would be able to concentrate on my studies on the first week. I was soon ready with some parts of the module that meant 1-2 weeks worth of work according to my proposal, so all I had to focus on were my finals. Writing 4 exams in 1 week and passing all of them is very hard and I don't recommend it to anyone as the stress levels get way too high, but I somehow managed to do it.

Starting the work on the second week I was so relieved that my summer had finally started and I could do what I was waiting for: coding. Of course GSoC is not just programming, there are meetings students have to attend: one every week with the organization admins (we could choose from 2 meetings, whichever worked best in our timezone) and one or more with our mentor(s). I've had all my meetings on Tuesdays so that I could work more flexibly on the other days. Another thing that is required that does not involve coding is maintaining a blog. Students have to write a blog post every week about their progress in a way that anyone who is not familiar with their project or GSoC will be able to understand it, also it should be written in a Drupal Planet compatible way, so the word about GSoC can be spread.

My task was mostly doing what I wrote in the proposal's timeline, but sometimes I had to solve issues posted on my GitHub (by my mentor) and also in the Drupal.org issue queue (by the community). In the first couple of weeks I did 10-12 hours of work a day and needless to say that got me ahead of my schedule fast. Soon came the midterm evaluation and I was about 75% done with the project. The evaluation itself didn't require much interaction from my part, I just had to fill a short questionnaire about my progress and my thoughts about the project and my mentor.

The second coding period went much slower. On average I think it's safe to say that I did no more than 20-30 hours of work per week. Slow weeks may sound nice at first, but aren't actually enjoyable. Still, the module got finished around week 9 or 10 and the last few weeks were spent with polishing it and looking for ways to improve it.

The results

What I learnt

Before GSoC I had, let's say, pretty limited knowledge about Drupal. All I knew is that it exists. Now I'm familiar with how to operate a Drupal website, how to write modules for Drupal 7 and 8 that don't just work, but also use the technologies provided by Drupal. By learning Drupal 8 one can learn a bit about Symfony 2 too, as D8 uses a lot of S2 components.

After GSoC 2015

I have plans for Security Review 8.x-2.x, I also wish to have time to make a Drupal based website for myself to get familiar with site building using Drupal. So in conclusion I will definitely keep working with and on Drupal in the future.

Thanks

I would like to thank Slurpee and cs_shadow for dedicating their valuable time to the weekly check-in meetings that sometimes took hours and a huge thanks to Ben Jeavons (coltrane) for providing fast and valuable help and an amazing summer! Also I would like to thank drupalize.me for the free membership, it was pretty useful, I wish I had started to use it sooner. And last but not least I would like to thank the Google Summer of Code organizers for the opportunity and the amazing experience.

27 Aug 2015 6:05pm GMT

Axelerant Blog: DrupalCamp London 2015 - Inspiration, Challenge, and Passion

I happened to attend the DrupalCamp London 2015 held from 27th February to 1st March and was honoured to be invited to present a session during CXO Day.

CXO Day

The event was a huge success with around 500 attendees and a plethora of engaging sessions and workshops. The venue was quite brilliant from its modern facilities and central location perspective at City University London in Northampton Square. As in previous years, City University hosted DrupalCamp London, its location is quite apt for such a community focused event. Sessions took place in various breakout rooms while the auditorium Oliver Thompson Lecture Theatre remained reserved for keynote and other larger gathering sessions.

DrupalCamp London opened on Friday February 25th with CXO Day. While I attended most of the talks at CXO day, I especially liked the sessions by Mark Taylor, CEO of Sirius, Mike Meyers - VP Large Scale Drupal, and the ever enchanting JAM, Open Source Evangelist, Acquia at his best.
Piyush Poddar, presentation India's consumption to contributions, DrupalCamp 2015

I took the opportunity of presenting a session on Consumption to Contribution - Lessons from India. The presentation was centered around India's Drupal journey since 2010 and how organisations and individuals have evolved from being code consumers to being active contributors and participants in the Drupal project and the local community at large. I described how some of the biggest Drupal projects are being developed in part or full by Indian developers and companies. The session attracted some very interesting Q&A discussions. I had some very insightful conversations with CXOs, Business Leaders based in the UK and European regions who attended the CXO Day.

Another interesting session during the DrupalCamp London 2015 - CXO day was an unconference about things which keep CXOs up at night. All participants organised themselves into small groups and focused on discussions around topics like Hiring, EU Drupal Association, Project Management, Sales & Marketing, etc. Afterward, one representative of each group presented the findings or summary of the discussion to all the participants.

CXO day ended with a reception on the campus followed by people heading towards Slaughtered Lamb for food and wine.

DrupalCamp London Itself

The main days of the DrupalCamp London were on Saturday and Sunday with a variety of knowledge sessions, workshops, exhibit corridor, etc.

On the first day, I was interviewed by Janis Janovskis, friend and owner of Passive Management, London about the way we have built and been maintaining a distributed work culture at Axelerant. The interview was for an event called No Pants that Janis was going to present at later. His slides 35-37 mention specific takeaways of the interview.

I felt honoured when Jeffrey McGuire approached me for recording an interview with me for his infamous Acquia Podcast as part of a multi-series podcast titled Karma and the journey from Consumption to Contribution - Drupal in India.

There were quite a few interesting talks that I attended during DrupalCamp London that I thoroughly enjoyed such as:

CXO Day small group discussions

Both days of DrupalCamp London ended with event socials at The Slaughtered Lamb on Great Sutton Street. The place was buzzing with energy all this time and some very interesting conversations flowed along with a nice collection of beers.

A Wrap.

Overall it was a great DrupalCamp London 2015! And, well worth round tripping over 10,000 kilometers from India to attend.

My special thanks go to sponsors BBC and City University London. Further applause to volunteers like Ben Wilding, Tim Deeson, George Hazlewood, Alex Burrows, Della Deme, John Kennedy, and all others for having worked so hard to pull together such a brilliant event.

In having made some good friends, met old ones, and having interesting conversations along with insightful takeaways I am already looking forward to the 2016 DrupalCamp London.

Be sure to comment below and share your experience at this camp.

The post DrupalCamp London 2015 - Inspiration, Challenge, and Passion first appeared on Axelerant.

27 Aug 2015 6:00pm GMT

Drupal Association News: Global Training Days - August 2015 Summary

Global Training Days last weekend was a great success. There were 33 hosts from 21 countries who stepped up to introduce new people to Drupal in both half and full day sessions.

Drupal Global Training Day, Drupak, Peshawar Pakistan from Azmat Shah on Vimeo.

Thank you to the training companies, local groups, and site hosts who made the event possible. We were particularly excited to host a training at the Drupal Association office and we have to thank Gregory Boggs of ThinkShout for leading the full day training. Thanks to Gregory's good work, I started my week with a note from an attendee that said "I learned a lot, all while having a wonderful time!" It doesn't get much better than that.

Check out the photos and updates at #DrupalGTD on Twitter. See the full list on our GTD 2015 page along with reports from the trainers as they come in.

We have one more GTD weekend this year: November 14th-15th. Join the 17 hosts who have already committed to train new Drupalers at https://assoc.drupal.org/sign-participate-drupal-global-training-days. Give a training in your community to get everyone started off in the right direction with Drupal.


27 Aug 2015 5:15pm GMT

Drupal Watchdog: When Howard Met Ronnie

Photo by Myles Brawer

As it says on the t-shirt, I'M NOT HIM.

Okay, I know I look a lot like Howard Stern.

And yes, I spent a pleasant hour chatting with him and Robin on his show that one time. (The video is somewhere on YouTube, but don't ask.)

And yes, I auditioned for America's Got Talent. (Three thumbs-up votes, one thumbs-down.)

And okay, yes, I've obligingly posed for thousands of selfies with Stern-fans.

But I'M NOT HIM! I'm not leading a double-life as Drupal Watchdog editor and the King of All Media.

Yes, but what if...?

So here's a spoof Bob Williams and I made during DrupalCon Los Angeles. Yeah, I know, the audio on the elevator kinda sucks, but the acting!

The acting - and Ronnie Ray's Drupal expertise.

27 Aug 2015 4:40pm GMT

Acquia Developer Center Blog: 10 Ways Drupal 8 Will Be More Secure

Security is very hard to bolt on to any software or product after it has been built. Building it into the core of the code helps to avoid mistakes, and thus the upcoming release of Drupal 8 tries to build in more security by default, while still being usable for developers and site builders. This list of 10 security improvements is not exhaustive - some are just a line or two to handle an edge case, and there are others I may have overlooked. I've contributed to a number of these improvements, but they reflect overall the community consensus as well as reactions to problems that required security releases for Drupal core or contributed modules in the past. For each point I've tried to include a link or two, such as the Drupal core change record, a documentation page, or a presentation that provides more information. Some of these may also be possible to back-port to Drupal 7, to benefit you even sooner. A "7.x back-port" link indicates that.

For context on why these 10 improvements are important, I looked at past security advisories (SAs) as well as considering the kind of questions we get here at Acquia from companies considering adopting Drupal. In terms of past SAs, cross-site scripting (XSS) is the most commonly found vulnerability in Drupal core and contributed modules and themes.

  1. Twig templates used for HTML generation

    This is probably first on the list of anyone you ask about Drupal 8 security. This is also one of the most popular features with themers.

    One security gain from this is that it enforces much stricter separation of business logic and presentation - this makes it easier to validate 3rd party themes or delegate pure presentation work. You can't run SQL queries or access the Drupal API from Twig.

    In addition, Drupal 8 enables Twig auto-escaping, which means that any string that has not been specifically flagged as safe will be escaped using the PHP function htmlspecialchars() (e.g. the same as Drupal 7 check_plain()). Auto-escaping of variables will prevent many XSS vulnerabilities that are accidentally introduced in custom site themes and custom and contributed modules. That fact is why I ranked this as number one. XSS is the most frequent security vulnerability found in Drupal code. We don't have a lot of hard data, but based on past site audits we generally assume that 90% of site-specific vulnerabilities are in the custom theme.


    To see why themers love Twig, compare the Drupal 7 block.tpl.php code to the Drupal 8 Twig version.

    Drupal 7 block.tpl.php:

    Drupal 7 block.tpl.php

    Drupal 8 block.html.twig:

    Drupal 8 block.html.twig

  2. Removed PHP input filter and the use of PHP as a configuration import format

    OK, maybe this should have been number one. Drupal 8 does not include the PHP input format in core. In addition to encouraging best practices (managing code in a revision control system like git), this means that Drupal no longer makes it trivial to escalate an administrator login to being able to execute arbitrary PHP code or shell commands on the server. 


    For Drupal 7, importing something like a View required importing executable PHP code, and for certain custom block visibility settings, etc. you would need to enter a PHP snippet. These uses of evaluated PHP (exposing possible code execution vulnerabilities) are all gone - see the next point about configuration management.


    Now that we have covered the top two, the rest of the 10 are in rather arbitrary order.

  3. Site configuration exportable, manageable as code, and versionable

    The Configuration Management Initiative (CMI) transformed how Drupal 8 manages things that would have been represented in Drupal 7 as PHP code, such as Drupal variables or ctools exportables (e.g. exported Views).



    CMI uses YAML as the export and import format and the YAML files can be managed together with your code and checked into a revision control system (like git). 


    Why is this a security enhancement? Well, in addition to removing the use of PHP code as an import format (and hence possible code execution vulnerability), tracking configuration in code makes it much easier to have an auditable history of configuration changes. This will make Drupal more appealing and suitable for enterprises that need strict controls on configuration changes in place. In addition, configuration can be fully tested in development and then exactly replicated to production at the same time as any corresponding code changes (avoiding mistakes during manual configuration). Finally, it is possible to completely block configuration changes in production to force deployment of changes as code.


  4. User content entry and filtering improved

    While the integration of a WYSIWYG editor with Drupal core is a big usability improvement, extra care was taken to mitigate the poor practices that adding a WYSIWYG editor encouraged in past Drupal versions. In particular, users with access to the editor were often granted access to the full HTML text format, which effectively allowed them to execute XSS attacks on any other site user.



    To encourage the best practice of only allowing the use of the filtered HTML format, the Drupal 8 WYSIWYG editor configuration is integrated with the corresponding text filter. When a button is added to the active configuration, the corresponding HTML tag is added to the allowed list for the text filter.


    Drag a new button from the available to enabled section in the editor configuration:

    WYSIWYG editor configuration adding underline button

    The corresponding HTML tag (the U tag) is added to the allowed list:

    U tag is allowed in the filter

    An additional security improvement is that the core text filtering supports limiting users to using only images local to the site which helps prevent cross-site request forgery (CSRF) and other attacks or abuses using images.

  5. Hardened user session and session ID handling

    There are three distinct improvements to session and session cookie handling.

    First, the security of session IDs has been greatly improved against exposure via database backups or SQL injection (7.x back-port). Previously in Drupal, the session ID was stored and checked directly against the incoming session cookie from the browser. The risk from this is that the value from the database can be used to populate the cookie in the browser and thus assume the session and identity of any user who has a valid session in the database. In Drupal 8, the ID is hashed before storage, which prevents the database value from being used to assume a user's session, but the incoming value from the browser is simply hashed in order to verify the value.

    Next, mixed-mode SSL session support, which had been added to core to support sites that, for example, used contributed modules to serve the login page over SSL while serving other pages unencrypted, is no longer provided by Drupal 8 core. You will have to replace the session handling service if you really need this. This encourages serving your entire site over SSL (which is also a search engine ranking boost).

    The final change is that the leading "www." is no longer stripped from the session cookie domain since that causes the session cookie to be sent to all subdomains (7.x back-port).

  6. Automated CSRF token protection in route definitions

    Links (GET requests) that cause some destructive action or configuration change need to be protected from CSRF, usually with a user-specific token in the query string that is checked before carrying out the action.

    This change improves the developer experience and security by automating a process frequently forgotten or done incorrectly in contributed modules. In addition, centralizing the code makes it easier to audit and provide test coverage.

    Drupal 8 makes it easy. A developer merely needs to specify that a route (a system path in Drupal 7 terms) requires a CSRF token. Here is an example of the YAML route definition for a protected link in Drupal 8 entity.

    entity.shortcut.link_delete_inline:
      path: '/admin/config/user-interface/shortcut/link/{shortcut}/delete-inline'
      defaults:
        _controller: 'Drupal\shortcut\Controller\ShortcutController::deleteShortcutLinkInline'
      requirements:
        _entity_access: 'shortcut.delete'
        _csrf_token: 'TRUE'
    

    Only the one line in the requirements: section needs to be added to protect shortcut deletion from CSRF.

    Shortcut inline delete link and corresponding URL with a token in the query string:

    Drupal page showing shortcut

  7. Trusted host patterns enforced for requests

    Many Drupal sites will respond to a page request using an arbitrary host header sent to the correct IP address. This can lead to cache poisoning, bogus site emails, bogus password recovery links, and other problems with security implications.

    For earlier versions of Drupal, it can be a challenge to correctly configure the webserver for a single site that uses sites/default as its site directory to prevent these host header spoofing attacks. Drupal 8 ships with a simple facility to configure expected host patterns in settings.php and warns you in the site status report if it's not configured.

  8. PDO MySQL limited to executing single statements

    If available, Drupal 8 will set a flag that limits PHP to sending only a single SQL statement at a time when using MySQL. This change would have reduced the severity of SA-CORE-2014-005 (a SQL injection vulnerability that was easily exploited by anonymous users) (7.x back-port). Getting this change into Drupal 8 meant I first had to contribute a small upstream change to the PHP language itself, and to the PDO MySQL library that is available in PHP versions 5.5.21 or 5.6.5 and greater.

    There is also a patch in progress to try to enforce this protection regardless of which specific database driver is being used.

  9. Clickjacking protection enabled by default

    A small change, but Drupal 8 sends the X-Frame-Options: SAMEORIGIN header in all responses by default. This header is respected by most browsers and prevents the site from being served inside an iframe on another domain. This blocks so-called click-jacking attacks (e.g. forms or links on the site being presented in a disguised fashion on an attacker's site inside an iframe), as well as blocking the unauthorized re-use of site content via iframes. (7.x back-port).

  10. Core JavaScript API Compatible with CSP

    Support for inline JavaScript was removed from the #attached property in the Drupal render API. In addition, the Drupal JavaScript settings variables are now added to the page as JSON data and loaded into a variable instead of being rendered as inline JavaScript. This was the last use of inline JavaScript by Drupal 8 core, and means that site builders can much more easily enable a strict content security policy (CSP) - a new web standard for communicating per-site restrictions to browsers and mitigating XSS and other vulnerabilities.
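The hashed session ID storage described in item 5, as an added example that is not Drupal core code: the raw ID exists only in the browser cookie and the table is keyed by its hash, so a value read from the table cannot be replayed as a cookie. The function names, the in-memory `$sessions` array standing in for the sessions table, and the choice of URL-safe base64 over SHA-256 are assumptions of this sketch.

```php
<?php
// Added illustration; not Drupal core code. $sessions stands in for the
// sessions database table, and all function names here are hypothetical.

// URL-safe base64 encoding without padding.
function b64url(string $bytes): string {
  return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Hash applied to a session ID before it is stored or looked up.
function hash_sid(string $sid): string {
  return b64url(hash('sha256', $sid, true));
}

// Create a session: the raw ID is returned for the cookie only,
// while the table row is keyed by the hash of that ID.
function session_create(array &$sessions, int $uid): string {
  $sid = b64url(random_bytes(32));
  $sessions[hash_sid($sid)] = ['uid' => $uid];
  return $sid;
}

// Resolve an incoming cookie value: hash it, then match the stored key.
function session_lookup(array $sessions, string $cookie): ?array {
  return $sessions[hash_sid($cookie)] ?? null;
}

$sessions = [];
$cookie = session_create($sessions, 42);

// The legitimate browser presents the raw ID, which hashes to the stored key.
var_dump(session_lookup($sessions, $cookie) !== null);

// A value copied out of the table (backup, SQL injection) is already a hash.
// Presented as a cookie it is hashed a second time and matches no row.
$stored_value = array_keys($sessions)[0];
var_dump(session_lookup($sessions, $stored_value) !== null);
```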
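For the trusted host patterns in item 7, an added example (not Drupal or Symfony code) of the `trusted_host_patterns` setting in settings.php and of why each pattern should be anchored. `host_is_trusted()` is a hypothetical helper that applies every pattern as a case-insensitive regular expression, and the host names are constructed.

```php
<?php
// Added illustration; not Drupal or Symfony code. host_is_trusted() is a
// hypothetical helper that treats each pattern as a case-insensitive regex.

function host_is_trusted(string $host, array $patterns): bool {
  // Drop an optional port and lower-case the name before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return true;
    }
  }
  return false;
}

// The form to use in settings.php: anchored with ^ and $, dots escaped.
$settings['trusted_host_patterns'] = [
  '^example\.com$',
  '^.+\.example\.com$',
];

// The weak form: without anchors the pattern matches any host that
// merely contains the site name somewhere in it.
$unanchored = ['example\.com'];

// Constructed Host header values.
$hosts = [
  'example.com',
  'www.example.com:8080',
  'example.com.other.test',
  'other.test',
];

foreach ($hosts as $host) {
  printf("%-24s anchored=%-6s unanchored=%s\n",
    $host,
    var_export(host_is_trusted($host, $settings['trusted_host_patterns']), true),
    var_export(host_is_trusted($host, $unanchored), true));
}
```

Only the anchored list rejects `example.com.other.test`; the unanchored pattern accepts it, which leaves the host header spoofing problems described in item 7 in place.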

A final note of caution: The substantial code reorganization and refactoring in Drupal 8 as well as the dependence on third party PHP components does present a certain added risk. The code reorganization may have introduced bugs that were missed by the existing core tests. The third party components themselves may have security vulnerabilities that affect Drupal, and at the very least, we need to track and stay up to date with them and fix our integration for any corresponding API changes. In order to try to mitigate the risk, the Drupal Association has been conducting the first Drupal security bug bounty that has been run for any version of Drupal core. This has uncovered several security bugs and means they will be fixed before Drupal 8 is released.

I am excited that we've added more "security by default" to Drupal 8, and I hope you download and try it out so you are ready to start using it for new projects as soon as it's released.

Author:
Peter Wolanin

27 Aug 2015 4:20pm GMT