Feed aggregator

Agiledrop.com Blog: AGILEDROP: Drupal Blogs from January

Planet Drupal -

And it is once again time to present you our blogs from the previous month. It's January's turn, so here's what we discovered that month. We began our tour with the best or let's say top books Drupal 8 has to offer. Besides one of the beginners guide and Cookbook, which enjoys the best feedback from the readers, we pointed out one of the books that covers front-end skills, which can be easily applied to Drupal 8. We also announced the release date of the SEO Book – now it's already out – and presented you the upcoming book, which will require the most advanced knowledge of Drupal 8. We… READ MORE

CU Boulder - Webcentral: Top 10 Contributing Higher Ed Organizations - February 2017

Planet Drupal -

Shortly after publishing our first Top 10 Contributing Higher Ed Organizations, Tim Lehnen from the Drupal association blogged about recognizing more types of contribution in the Drupal.org Marketplace. Tim shed a little light on how the ranking is currently calculated.

We now calculate the following 4 types of contribution into overall contribution credit; issue credits, Drupal 8 case studies, Drupal Association Supporter Programs/Organization Membership and number of projects supported.

While the title of the post was about the “marketplace” of vendors selling Drupal services, factoring additional types of contributions will impact the full list organizations we use to build the higher ed specific list. There have been several suggestions made in the comments on Tim's post about how to track contributions to documentation, camps, code reviews and support in forums, IRC, and Slack.  If you have additional ideas on how the DA could factor in a type of contribution you would like to see factored into these rankings, please add your feedback to Tim’s post.

Factoring in the number of projects played a role in this months ranking.  Penn State University jumped from #9 to #2 with just 1 issue credit.  What made the Difference?  They properly registered 107 projects as being supported by their organization. I know that the majority of commits and issues for those projects are being managed in GitHub, but I’m happy to see the University of Colorado Boulder drop a few spots to the habitual contributors at PSU.

The University of Waterloo managed to hang on to the top spot largely due to Liam Morland’s Webform related contributions.  Even though the University of Colorado Boulder accounts for just a handful of the more 500,000 reported installs of Webform, Liam’s contributions make running Drupal as a Service much easier for us.  If you work for a university (or really any organization) that uses Webform, please take a few minutes to thank Waterloo for supporting Liam's contributions.  

The Current Top 10 Contributing Higher Ed Organizations

  1. University of Waterloo
  2. Penn State University
  3. The University of British Columbia
  4. University of Colorado Boulder
  5. Babson College
  6. The University of Iowa
  7. University of Adelaide
  8. Stanford
  9. Indian Institute of Technology (IIT) Bombay
  10. Cornell University

Highlighted Contributions from the University of Colorado Boulder

One of the commits the University of Colorado Boulder was credited with is James Fuller’s improvement to add an exposed filter for Organization Type to https://www.drupal.org/organizations.  This allows you to see organizations that consider themselves "end users of Drupal".  We plan to continue contributing where we can ensure all organizations contributing to the Drupal project are given as much attention as the vendor marketplace.  What we'd really like to see on Drupal.org is an option to see the sector an organizational contributor to Drupal operates in vs. just the markets vendors sell to.  Once those changes are made, it will be much easier to see the full list of higher ed organizations on Drupal.org.

Last month we also picked up a few commit credits when Owen Morrill updated the Community Funded to a 1.0 release fixing issues that were brought during the Project Application Review process. Owen was able to get through PAR in record time and is the 4th developer at the University of Colorado Boulder to get their "vetted git user" permission.

Looking forward to our next month of commits and trying to take back a few spots from our friends at Waterloo, PSU and UBC, Alexander Finnarn will be working to get a stable D8 release of the Google CSE module.  I will be working on a D7 module to integrate with the Siteimprove service in a way that will allow users to manage their page scans and view their reports without needing to log into Siteimprove.  I know these services are used by other universities.  If you are using these services, I would like to invite you to get involved as a contributor.  

Several New Organizations

There are still several high profile universities without organization nodes on Drupal.org.  It's still not clear if this is because they are better known for how they use Drupal rather than for what they contribute--or if they are just so busy contributing that they haven't made creating an organization node a priority.  The following organizations have all entered the contributor competition by creating organization nodes in January;

Higher Education Contributions in Aggregate 

Together the top 10 contributing higher education organizations share and support 182 projects and have been creditted with contributions to 82 issues in the last 90 days.

Missed Opportunities for Recognition

In the great case study Palantir wrote for the University of Minnesota that was published last month, they stated that Palantir made significant contributions to Panels, Zen, Workbench, and Workbench Moderation as part of the project.  I'm not sure when those improvements were made, but I can't find any place where credit was given to the University of Minnesota for funding the development.  Organizations hiring vendors to make customizations and improvements to Drupal should request that the organization be creditted in the commits.

Developers from both Middlebury and Amherst Colleges are actively working on Monster Menus, but looking at the commits they aren't giving their organizations credit. While it's possible to "free hand" the structure of the commit messages Drupal.org requires for credit, it's much easier to generate the recommended message from an issue.  

Of course to do this, you'd need create more issues.  I'm not going to advocate creating issues for every commit, but not creating a single issue for dozens of commits is equally troublesome.  Drupal.org recently added the Plan issue type.  I haven't written a line of code for Siteimprove yet, but I have added Plan issues that I will use to credit the University of Colorado when I do start writing the code.  Plan issues are also really helpful if someone gets pulled off a project to work on something else.  If I don't get back to Siteimprove right away, someone else can look at the issue queue and get some inisght into how I was planning on approach the project.


Developer Blog

DrupalCon News: Our Call for Papers Has Closed

Planet Drupal -

On February 1, 2017 at the stroke of midnight, we turned off our CFP which included session submissions, training proposals, and grant and scholarship applications.  We are pumped up about the stellar content offered up by a diverse set of individuals which will make DrupalCon Baltimore an engaging and exciting event.

Protecting everyone from WordPress Content Injection

Cloudflare Blog -

Today a severe vulnerability was announced by the WordPress Security Team that allows unauthenticated users to change content on a site using unpatched (below version 4.7.2) WordPress.

CC BY-SA 2.0 image by Nicola Sap De Mitri

The problem was found by the team at Sucuri and reported to WordPress. The WordPress team worked with WAF vendors, including Cloudflare, to roll out protection before the patch became available.

Earlier this week we rolled out two rules to protect against exploitation of this issue (both types mentioned in the Sucuri blog post). We have been monitoring the situation and have not observed any attempts to exploit this vulnerability before it was announced publicly.

Customers on a paid plan will find two rules in WAF, WP0025A and WP0025B, that protect unpatched WordPress sites from this vulnerability. If the Cloudflare WordPress ruleset is enabled then these rules are automatically turned on and blocking.

Protecting Everyone

As we have in the past with other serious and critical vulnerabilities like Shellshock and previous issues with JetPack, we have enabled these two rules for our free customers as well.

Free customers who want full protection for their WordPress sites can upgrade to a paid plan and enable the Cloudflare WordPress ruleset in the WAF.

OSTraining: 5 Ways to Tell if a Site is Built in Drupal

Planet Drupal -

One of the most common questions we get at Drupal beginner classes is, "How can I tell if a site is built in Drupal?"

We get that question because it's just not possible to know the answer without a few tips and tricks.

If you look at a website such as WhiteHouse.gov, there is no way of telling if it's built Drupal. The design of a site is completely independent from the platform it uses.

We're going to give you 5 ways to tell if a site is built in Drupal. Not all of these suggestions will work on all Drupal sites, but taken together they should give you a clear answer.

Acquia Developer Center Blog: Acquia Cloud Edge: Six Best Practices For Setup and Go-Live

Planet Drupal -

Acquia Cloud Edge powered by Cloudflare provides a global content delivery network (CDN), DDOS protection and web application firewall (WAF) for Acquia Cloud Enterprise and Site Factory customers.

Plan for a successful launch with Acquia Cloud Edge by following these 6 best practices to ensure your setup is both secure and performant.

Tags: acquia drupal planet

TLS 1.3 explained by the Cloudflare Crypto Team at 33c3

Cloudflare Blog -

Nick Sullivan and I gave a talk about TLS 1.3 at 33c3, the latest Chaos Communication Congress. The congress, attended by more that 13,000 hackers in Hamburg, has been one of the hallmark events of the security community for more than 30 years.

You can watch the recording below, or download it in multiple formats and languages on the CCC website.

The talk introduces TLS 1.3 and explains how it works in technical detail, why it is faster and more secure, and touches on its history and current status.

.fluid-width-video-wrapper { margin-bottom: 45px; }

The slide deck is also online.

This was an expanded and updated version of the internal talk previously transcribed on this blog.

TLS 1.3 hits Chrome and Firefox Stable

In related news, TLS 1.3 is reaching a percentage of Chrome and Firefox users this week, so websites with the Cloudflare TLS 1.3 beta enabled will load faster and more securely for all those new users.

You can enable the TLS 1.3 beta from the Crypto section of your control panel.

Deeson: Drupal 8 - Guide to config and state, goodbye variables!

Planet Drupal -

In Drupal 7, modules used variables for storing data in configuration rather than storing it in a database. This made it very easy for developers to override these data variables within the settings.php files to set environment specific settings etc.

When Drupal 8 was released variables were replaced with config and state.

What is Config?

According to the config documentation,‘By default, Drupal stores configuration data in the database, but it can be exported to YAML files, allowing the configuration to be managed by version control’ (https://www.drupal.org/docs/8/api/configuration-api/configuration-api-overview).

This means that anything that has been defined as a config variable will be exported to YAML files, when using configuration management (CM) to manage the site’s configuration across environments.

This is very useful for exporting your site’s configuration (content types, views, image styles, module settings etc) across environments, but this does rely on the data for these always being the same across environments.

This is also a vast improvement for dealing the configuration about your site’s structure from Drupal 7 and you can override these settings within your settings.php file if you wish to set settings based upon environment etc.

However, if you have defined a configuration setting in a module that is to be environment specific (eg set by an administrator user), then this data could be changed at any time and so would be overridden by CM when doing a configuration import, which is not what you would want!

This is where the State API can be useful.

What is State API?

Accordingly to the State API documentation,‘The State API provides a place for developers to store information about the system's state’ (https://www.drupal.org/docs/8/api/state-api/overview).

Anything defined using the State API won’t be exported by CM so the data is stored specific to environment that the you are in.

One of the worrying things about the State API documentation is the statement:‘use State API to store transient information, that is okay to lose after a reset’.

I read this as being ‘if you reset your entire database’, which is fairly unlikely for a production environment, and in fact if your entire production database gets reset then you probably have bigger issues to deal with.

So as long as you have a default set of values defined (if needed) for your state values within your module (so that if the database is reset your site will still work), then I don’t see an issue with using it.

That said, something else to be aware of in the above statement are the key words ‘transient information’. Drupal stores the state data as a key value pair, which means that out of the box Drupal will use the database. Most production sites would use a cache like Memcache or Redis to store the cache data rather than the database. Due to the transient state of these services though, they could be restarted or cleared out at any time. If this were to happen then you would lose the data that was stored in this and your site would be ‘reset’ with any data that you had stored in this cache.

Although potentially unlikely, this is something to consider when deciding to use states.

What about environment specific config?

When we build our sites, we usually want to be able to specify various config specific for each environment.

As mentioned above, developers can override the config values in the settings.php file, but this only applies to data values, not specifying particular modules for instance, that you might want available.

Typically, you would not want modules such as devel, field_ui and views_ui enabled for a production (and probably stage) environment, but CM doesn’t allow you to determine which environment these modules should be enabled on.

While CM itself doesn’t provide this level of granularity, there is a module for that! In step Configuration Split. This allows you to export configuration on an environment specific basis.

In my next blog post I will explorer Configuration Split in more detail.

MidCamp - Midwest Drupal Camp: Sprints and Training at MidCamp 2017

Planet Drupal -

We are putting together some great programming for you here at MidCamp 2017 headquarters.  In addition to the impressive session proposals were are busy reading, we have teams working hard to put together Code Sprints and Full Day Training sessions.

Sprinting at MidCamp 2017

At MidCamp 2016, the Sprint room was always abuzz with activity.  There was so much activity on those who work on the Frontend of Drupal, and a concentrated effort to get Drupal Commerce to it's first Release candidate.

What will be worked on, discussed, built, and fixed at this year's MidCamp?  You can have a say.  We are currently looking for Sprint leads and mentors.  

Sprint leads are mentor to mentors; coordinate with the community, and helps organize what gets sprinted on.

Mentors help new contributors get setup, find issues, and assist them in their sprinting.

If you are interested in being a Sprint lead, or mentor, please email us at [email protected].

Training at MidCamp 2017

We have lined up 4 great training for Thurday, March 30th, 2017.  Joining us will be a great group of amazing, professional trainers who will be offering full day training sessions.

Introduction to Drupal 8

Lead by Jorge Diaz, Acquia Certified Grand Master Developer, Drupal Front-end Developer & Themer at Evolving Web

Drupal is known for being a powerful platform with a steep learning curve. This course will give you an introduction to the world of Drupal and soften that learning curve so you can get up-to-speed with Drupal quickly. We'll cover fundamental Drupal concepts and terminology, and give you the hands-on experience you need to dive deeper.

Theming Drupal 8

Blake Hall, Senior Developer & Trainer and Joe Schindelar, Lead Developer & Lead Trainer, Drupalize.me

Themes combine HTML, CSS, JavaScript, and Drupal in order to make beautiful websites. Creating truly unique themes requires knowing how to use the Twig template language to manipulate HTML, how to add CSS and JavaScript assets in a way that's compatible with Drupal's caching, all while maintaining the flexibility that Drupal is known for.

Drupal Development Best Practice Workflows on Pantheon

David Needham, Agency & Community Training Manager at Pantheon

Pantheon is a website management platform for Drupal & WordPress that provides lightning-fast hosting and best-in-breed web development tools for your team. Learn how to use Pantheon like a seasoned Drupal developer and level up your Drupal development game.

What Am I Getting Myself Into? A Drupal Crash Course for Non-developers

Are you responsible for project management, content, or vendor selection and preparing to work with Drupal? This one-day training delivers all of the tools you need to get started. Delivered by an Acquia Certified Drupal Developer, this training will answer the questions you didn’t even know to ask!

Space is limited, so be sure to visit our training page and purchase your tickets today.  Please note, training tickets are for Thursday only and are in addition to camp tickets.

Sponsor MidCamp

We're currently seeking Lunch and Coffee sponsors for MidCamp 2017.  Lunch is the perfect opportunity to get your name in front of all of the attendees!  Drupalers like coffee. Some might even say Drupalers love coffee!  Earn the gratitude of our attendees by having your name and logo associated with the liquid refueling station! We are looking to four sponsors for each day to cover the costs.  

Find out more info about sponsoring

Join Us Stay connected:

Acquia Developer Center Blog: Drupal 8 Module of the Week: Group

Planet Drupal -

This week: Group // Drupal 8 has more and more features available practically every day. Alongside module migrations and new projects, the Drupal community’s latest major release also offers new ways of solving common problems. Some functionality has moved to Drupal core and new modules have taken up the torch along the way. In this series, the Acquia Developer Center is profiling useful solutions--modules, themes, distros, and more--available for Drupal 8.

Tags: acquia drupal planetgroupmicrositepermissionsaccess control

myDropWizard.com: My security resolutions for 2017! #SecurityResolutions

Planet Drupal -

I'm a member of the Drupal Security Team, and many of the services offered by myDropWizard involve assisting our customers to improve the security of their Drupal sites -- so, I know quite a lot about security and try to be mindful about my own computer use.

However, computer security is an on-going process: it can always be improved and so you're never truly done.

In this article, I'm going to share my personal list of security resolutions for 2017!

Maybe you'll find something you'd like to implement as well?

Or perhaps you'd like to share your own security resolutions for this year?

Please share your thoughts in the comments (or on Twitter)!

lakshminp.com: DIY Drupal hosting: Aegir

Planet Drupal -

I had started this series with a post about what features will be evaluated when selecting DIY Drupal hosting solutions. We shall start with the most simplest and earliest solution of them all, Aegir. First, the nomenclature. Aegir is the God of seas and oceans in Norse folklore, much like Varuna in the Hindu pantheon.

Web Omelette: Advanced techniques for route access control in Drupal 8

Planet Drupal -

Drupal 8 is very flexible when it comes to controlling access to your routes. It inherits quite a bit from the Symfony routing system, but adds its own flavour on top of that. In this article we are going to look at an example of a complex access requirement. In doing so, we won't cover the simpler use cases which are already described in the Drupal.org docs, but we will sure make use of some of them.

The requirement

So let's imagine this scenario: we have two types of users (employees and managers) whose persona is not determined by a user role. Let's say their "role" is determined on the fly as a result of an API call or some dynamic thing.

Now, let's say we have 3 routes: Route A (accessible for employees only), Route B (accessible for managers only) and Route C (accessible for both).

Finally, imagine we have a service called UserType which we can ask what type of person the current user is.


One of the cool things about the Route access control in Drupal 8 is the ability, as the docs show, to delegate the access checking to a service. So a basic implementation for Route A and Route C can be something like this.

my_module.route_a: path: 'route-a' defaults: _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteA' _title: 'Route A' requirements: _company_access_check_employee: 'true'

This is the route definition. As you can see, as per the docs, we have a requirement for the company_access_check access service to return the access result. So let's quickly see that service:

my_module.company_access_check: class: Drupal\my_module\Access\CompanyAccessCheck arguments: [[email protected]_type'] tags: - { name: access_check, applies_to: _company_access_check_employee }

A simple tagged service definition with a dependency to our fictitious UserType service that tells us the type of person the current user is. Additionally, we specify that this access checking service should be applied to all routes with the requirement _company_access_check_employee.

I am not going to show you this class because an example is already covered in the docs. However, it has one method called access() which by default gets passed the AccountInterface of the current user. So with the help of our UserType service we can determine whether the current user is an employee. Then we can return either AccessResult::forbidden() or AccessResult::allowed().

For managers, we do the same: create a new service and apply it to Route C.

So where does the complication come? Well, you guessed it: Route B which requires both. If we add two requirements to the route, let's say something like this:

my_module.route_b: path: 'route-b' defaults: _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteB' _title: 'Route B' requirements: _company_access_check_employee: 'true' _company_access_check_manager: 'true'

It will check for both but grant access only if both return positive. So in our case this won't be very helpful since we need to check if the user is either. For the purposes of this article, please forgive the implication that managers are not also employees.

The solution

What we can do is create another access service called something like company_access_check_both which is responsible for determining if the current user is of one of the user roles. This is fine if our requirements are as simple as we described them. But what happens when we have multiple user types and a bunch of different routes where we have to mix and match the user types which have access to them? Creating a service for all these different types of combinations is not very efficient.

So instead, let's create a generic service called company_access_check_multiple AND specify in the route the type of user that has access to it in the form of a custom option. For example, the route definition can be something like this:

my_module.route_b: path: 'route-b' defaults: _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteB' _title: 'Route B' requirements: _company_access_check_multiple: 'true' options: _company_access_users: - Employee - Manager

In this route we created a custom option called _company_access_users in which we list the types of users that should have access to it.

But how can we make use of this inside our service? Well, the Route object can be inspected and the list of allowed user types can be retrieved:

$types = $route->getOption('_company_access_users');

So if the route has that option, $types will tell us what type the current user needs to be in order to have access.

However, where do we get the Route object? As we know, the access() method of the service only receives the user account as a parameter. We might be tempted to inject the current route match service into our own. This does the trick, but only when the route in question is being checked upon a user actually going to it. It will miserably fail when a given route is being checked for access from another one (for example when building menu links).

If we dig deep and look closely, before our access() method is called, an arguments resolver is employed via the AccessArgumentsResolverFactory. This allows for the current user account to be passed to the access() method. But what not many people know is that if we type hint our access() method with either Route, RouteMatchInterface or Request, we will be getting those parameters as well. And in this case, the Route object is that of the route being checked for access rather than the current route.

So something like this:

public function access(AccountInterface $account, Route $route) { $types = $route->getOption('_company_access_users'); // etc }

So there you have it. A neat little trick that opens the door to some complex access restriction rules on your routes.

Agiledrop.com Blog: AGILEDROP: Virtual Drupal Camps

Planet Drupal -

Drupal events have a lot of positive things for Drupal users. We highlighted them in the previous blog post. But there are many Drupalistas around the world, who can't attend such events, due to the expenses, time, work responsibilities, and many other reasons including the fact that many don't live near any of the available Drupal Camps. With that, they are automatically deprived for knowledge about Drupal. And that knowledge may come in hand for them, especially if they professionally work with Drupal. Luckily, organizers came up with one of the solutions. It's online or virtual Drupal Camp… READ MORE

Aten Design Group: Drupal 101 at General Assembly Denver

Planet Drupal -

Presents 3-hour class Drupal 101 General Assmbly Training: February 8, 2017, 6pm - 9pm MT Register Now

Get a crash course in the basics of building a website using Drupal.

In this 3-hour training, we'll dive into the world of Drupal and learn about content types, views, blocks & themes as we build a site together.

This webinar is ideal for those with experience working with content management systems like Drupal, Wordpress, Joomla, or Craft.

Brought to you in partnership with

Reserve your spot today

February 8, 2017, 6pm - 9pm MT Register Now

Firebolt: the fastest, safest ads on the web

Cloudflare Blog -

Cloudflare’s mission is to help build a better Internet. That means a faster, more secure, open Internet world-wide. We have millions of customers using our services like free SSL, an advanced WAF, the latest compression and the most up to date security to ensure that their web sites, mobile apps and APIs are secure and fast.

One vital area of web technology has lagged behind in terms of speed and security: online ads. And consumers have been turning to ad blocking technology to secure and speed up their own web browsing.

Today, Cloudflare is introducing a new product to make web ads secure, fast and safe. That product is Firebolt.


With Firebolt, ad networks can instantly speed up and secure their ads, resulting in happy consumers and better conversion rates.

Firebolt delivers:

Lightning fast ad delivery

Cloudflare's global network of 102 data centers in 50 countries, combined with routing and performance technologies, makes the delivery of online ads to any device up to five times faster.

Free, simple SSL

Adding SSL to ad serving has been challenging for some ad networks. Cloudflare has years of experience providing free, one click SSL for our customers. Firebolt ads are automatically available over SSL with no complex process of getting and maintaining SSL certificates.

Firebolt includes AMP for Ads

Firebolt enables any independent ad network to leverage the new AMP ad format easily. This makes it possible for ads to appear in AMP content served by Google and an increasing number of sites. Firebolt is the only independent way to serve the newly announced AMP for Ads outside of Google’s advertising network.

Cryptographically signed ads

All ad content delivered by Firebolt for AMP for Ads is cryptographically signed to ensure that it meets the required format and security standards. Signed ads reduce the risk of malware and increase confidence in ads for consumers.

The most advanced browser security

Firebolt ads take advantage of web browser security features including CORS, X-Content-Type-Options and Strict-Transport-Security to ensure the integrity of ads delivered to browsers.

A faster, safer Internet for everyone

Firebolt takes us one step closer to making the Internet a better place by benefitting everyone in the ad ecosystem, including the consumer.

During a recent test, ad platform TripleLift used Cloudflare's Firebolt to serve AMP ads on Time Inc.'s properties. Ads loaded six times faster and Time Inc. saw 13 percent more revenue relative to traditional ads. “Cloudflare was easy to set up, and we saw an impressive difference in the speed of ad delivery with Firebolt's support for AMP for Ads," said Shaun Zacharia, co-founder and President of TripleLift. "AMP Ads loaded six times faster and were three times lighter than comparable standard ads."

If you are an ad network or publisher, please reach out to [email protected] to learn more about Firebolt and how Cloudflare can help you monetize the Internet content we all rely on.


Subscribe to Cruiskeen Consulting LLC aggregator