Development News

Bulgaria PHP Conference 2016

PHP Announcements - Tue, 01/16/2018 - 07:07
Bulgaria PHP Conference is the premier PHP conference, gathering PHP and frontend developers and engineers from all around Europe. Co-organized by the Bulgaria PHP User Group and SiteGround web hosting, the conference is bringing internationally renowned experts from the PHP industry to talk about APIs, Frameworks, Security, Testing, Continuous Integration, and much more!

Highlights:

  • 500+ passionate attendees
  • 27 world-renowned speakers
  • 4 practical workshops
  • 3 action-packed days
  • 1 legendary after party
  • Games, JeoPHPardy, Hackathon
  • Amazing food, swag and gifts included

Get your discounted ticket today. Price increases to the regular one (129 EUR) on September 1, 2016. Still not convinced? Here are several reasons to head to Sofia for Bulgaria PHP Conference.
Categories: Development News, PHP, PHP News

Happy seventeenth birthday Drupal

Drupal News - Mon, 01/15/2018 - 18:30

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Seventeen years ago today, I open-sourced the software behind Drop.org and released Drupal 1.0.0. When Drupal was first founded, Google was in its infancy, the mobile web didn't exist, and JavaScript was a very unpopular word among developers.

Over the course of the past seventeen years, I've witnessed the nature of the web change and countless internet trends come and go. As we celebrate Drupal's birthday, I'm proud to say it's one of the few content management systems that has stayed relevant for this long.

While the course of my career has evolved, Drupal has always remained a constant. It's what inspires me every day, and the impact that Drupal continues to make energizes me. Millions of people around the globe depend on Drupal to deliver their business, mission and purpose. Looking at the Drupal users in the video below gives me goosebumps.

Drupal's success is not only marked by the organizations it supports, but also by our community that makes the project more than just the software. While there were hurdles in 2017, there were plenty of milestones, too:

  • At least 190,000 sites running Drupal 8, up from 105,000 sites in January 2016 (80% year over year growth)
  • 1,597 stable modules for Drupal 8, up from 810 in January 2016 (95% year over year growth)
  • 4,941 DrupalCon attendees in 2017
  • 41 DrupalCamps held in 16 different countries in the world
  • 7,240 individual code contributors, a 28% increase compared to 2016
  • 889 organizations that contributed code, a 26% increase compared to 2016
  • 13+ million visitors to Drupal.org in 2017
  • 76,374 instance hours for running automated tests (the equivalent of almost 9 years of continuous testing in one year)

Since Drupal 1.0.0 was released, our community's ability to challenge the status quo, embrace evolution and remain resilient has never faltered. 2018 will be a big year for Drupal as we will continue to tackle important initiatives that not only improve Drupal's ease of use and maintenance, but also to propel Drupal into new markets. No matter the challenge, I'm confident that the spirit and passion of our community will continue to grow Drupal for many birthdays to come.

Tonight, we're going to celebrate Drupal's birthday with a warm skillet chocolate chip cookie topped with vanilla ice cream. Drupal loves chocolate! ;-)

Note: The video was created by Acquia, but it is freely available for anyone to use when selling or promoting Drupal.

Categories: Development News, Drupal

How to decouple Drupal in 2018

Drupal News - Fri, 01/12/2018 - 14:19

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

In this post, I'm providing some guidance on how and when to decouple Drupal.

Almost two years ago, I had written a blog post called "How should you decouple Drupal?". Many people have found the flowchart in that post to be useful in their decision-making on how to approach their Drupal architectures. Since that point, Drupal, its community, and the surrounding market have evolved, and the original flowchart needs a big update.

Drupal's API-first initiative has introduced new capabilities, and we've seen the advent of the Waterwheel ecosystem and API-first distributions like Reservoir, Headless Lightning, and Contenta. More developers both inside and outside the Drupal community are experimenting with Node.js and adopting fully decoupled architectures.

Let's start with the new flowchart in full:

How to Decouple Drupal in 2018 | Flowchart in Full

All the ways to decouple Drupal

The traditional approach to Drupal architecture, also referred to as coupled Drupal, is a monolithic implementation where Drupal maintains control over all front-end and back-end concerns. This is Drupal as we've known it — ideal for traditional websites. If you're a content creator, keeping Drupal in its coupled form is the optimal approach, especially if you want to achieve a fast time to market without as much reliance on front-end developers. But traditional Drupal 8 also remains a great approach for developers who love Drupal 8 and want it to own the entire stack.

A second approach, progressively decoupled Drupal, offers an approach that strikes a balance between editorial needs like layout management and developer desires to use more JavaScript, by interpolating a JavaScript framework into the Drupal front end. Progressive decoupling is in fact a spectrum, whether it is Drupal only rendering the page's shell and populating initial data — or JavaScript only controlling explicitly delineated sections of the page. Progressively decoupled Drupal hasn't taken the world by storm, likely because it's a mixture of both JavaScript and PHP and doesn't take advantage of server-side rendering via Node.js. Nonetheless, it's an attractive approach because it makes more compromises and offers features important to both editors and developers.

Last but not least, fully decoupled Drupal has gained more attention in recent years as the growth of JavaScript continues with no signs of slowing down. This involves a complete separation of concerns between the structure of your content and its presentation. In short, it's like treating your web experience as just another application that needs to be served content. Even though it results in a loss of some out-of-the-box CMS functionality such as in-place editing or content preview, it's been popular because of the freedom and control it offers front-end developers.

What do you intend to build?

How to Decouple Drupal in 2018 | What do you intend to build?

The most important question to ask is what you are trying to build.

  1. If your plan is to create a single standalone website or web application, decoupling Drupal may or may not be the right choice based on the must-have features your developers and editors are asking for.
  2. If your plan is to create multiple experiences (including web, native mobile, IoT, etc.), you can use Drupal to provide web service APIs that serve content to other experiences, either as (a) a content repository with no public-facing component or (b) a traditional website that is also a content repository at the same time.

Ultimately, your needs will determine the usefulness of decoupled Drupal for your use case. There is no technical reason to decouple if you're building a standalone website that needs editorial capabilities, but that doesn't mean people don't prefer to decouple because of their preference for JavaScript over PHP. Nonetheless, you need to pay close attention to the needs of your editors and ensure you aren't removing crucial features by using a decoupled approach. By the same token, you can't avoid decoupling Drupal if you're using it as a content repository for IoT or native applications. The next part of the flowchart will help you weigh those trade-offs.

Today, Drupal makes it much easier to build applications consuming decoupled Drupal. Even if you're using Drupal as a content repository to serve content to other applications, well-understood specifications like JSON API, GraphQL, OpenAPI, and CouchDB significantly lower its learning curve and open the door to tooling ecosystems provided by the communities who wrote those standards. In addition, there are now API-first distributions optimized to serve as content repositories and SDKs like Waterwheel.js that help developers "speak" Drupal.

Are there things you can't live without?

How to Decouple Drupal in 2018 | What can't you live without?

Perhaps most critical to any decision to decouple Drupal is the must-have feature set desired for both editors and developers. In order to determine whether you should use a decoupled Drupal, it's important to isolate which features are most valuable for your editors and developers. Unfortunately, there are no black-and-white answers here; every project will have to weigh the different pros and cons.

For example, many marketing teams choose a CMS because they want to create landing pages, and a CMS gives them the ability to lay out content on a page, quickly reorganize a page and more. The ability to do all this without the aid of a developer can make or break a CMS in marketers' eyes. Similarly, many digital marketers value the option to edit content in the context of its preview and to do so across various workflow states. These kinds of features typically get lost in a fully decoupled setting where Drupal does not exert control over the front end.

On the other hand, the need for control over the visual presentation of content can hinder developers who want to craft nuanced interactions or build user experiences in a particular way. Moreover, developer teams often want to use the latest and greatest technologies, and JavaScript is no exception. Nowadays, more JavaScript developers are including modern techniques, like server-side rendering and ES6 transpilation, in their toolboxes, and this is something decision-makers should take into account as well.

How you reconcile this tension between developers' needs and editors' requirements will dictate which approach you choose. For teams that have an entirely editorial focus and lack developer resources — or whose needs are focused on the ability to edit, place, and preview content in context — decoupling Drupal will remove all of the critical linkages within Drupal that allow editors to make such visual changes. But for teams with developers itching to have more flexibility and who don't need to cater to editors or marketers, fully decoupled Drupal can be freeing and allow developers to explore new paradigms in the industry — with the caveat that many of those features that editors value are now unavailable.

What will the future hold?

In the future, and in light of the rapid evolution of decoupled Drupal, my hope is that Drupal keeps shrinking the gap between developers and editors. After all, this was the original goal of the CMS in the first place: to help content authors write and assemble their own websites. Drupal's history has always been a balancing act between editorial needs and developers' needs, even as the number of experiences driven by Drupal grows.

I believe the next big hurdle is how to begin enabling marketers to administer all of the other channels appearing now and in the future with as much ease as they manage websites in Drupal today. In an ideal future, a content creator can build a content model once, preview content on every channel, and use familiar tools to edit and place content, regardless of whether the channel in question is mobile, chatbots, digital signs, or even augmented reality.

Today, developers are beginning to use Drupal not just as a content repository for their various applications but also as a means to create custom editorial interfaces. It's my hope that we'll see more experimentation around conceiving new editorial interfaces that help give content creators the control they need over a growing number of channels. At that point, I'm sure we'll need another new flowchart.

Conclusion

Thankfully, Drupal is in the right place at the right time. We've anticipated the new world of decoupled CMS architectures with web services in Drupal 8 and older contributed modules. More recently, API-first distributions, SDKs, and even reference applications in Ember and React are giving developers who have never heard of Drupal the tools to interact with it in unprecedented ways.

Unlike many other content management systems, old and new, Drupal provides a spectrum of architectural possibilities tuned to the diverse needs of different organizations. This flexibility between fully decoupling Drupal, progressively decoupling it, and traditional Drupal — in addition to each solution's proven robustness in the wild — gives teams the ability to make an educated decision about the best approach for them. This optionality sets Drupal apart from new headless content management systems and most SaaS platforms, and it also shows Drupal's maturity as a decoupled CMS over WordPress. In other words, it doesn't matter what the team looks like or what the project's requirements are; Drupal has the answer.

Special thanks to Preston So for contributions to this blog post and to Alex Bronstein, Angie Byron, Gabe Sullice, Samuel Mortenson, Ted Bowman and Wim Leers for their feedback during the writing process.

Categories: Development News, Drupal

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Drupal Contributed Security - Wed, 01/10/2018 - 14:02
Version: 
8.x-1.x-dev
7.x-1.x-dev
Date: 
2018-January-10
Vulnerability: 
Access Bypass
Description: 

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.

This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
  • The module maintainer
Coordinated By: 
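
The advisory above describes the bug but carries no code. The following is an added illustration, not the Node View Permissions module's code, of how a module that grants per-content-type "view" permissions avoids the access bypass described: the per-bundle permission is only ever consulted for published nodes, and unpublished content is left to core's own rules (the owner's "view own unpublished content", or "bypass node access"). The module name example_view_perms and the permission strings are assumptions.

```php
<?php
// Added, illustrative Drupal 8 example (not the Node View Permissions
// module's code). Hypothetical module "example_view_perms" defines, per
// content type, the permissions "view any TYPE content" and
// "view own TYPE content" (assumed names) and enforces them here.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 */
function example_view_perms_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($op !== 'view') {
    return AccessResult::neutral();
  }

  // The bypass in the advisory: a per-bundle "view" permission must never
  // override the publishing state. For unpublished nodes this module grants
  // nothing and stays neutral, so core decides (owner + "view own unpublished
  // content", or "bypass node access"); the result varies by node.
  if (!$node->isPublished()) {
    return AccessResult::neutral()->addCacheableDependency($node);
  }

  $bundle = $node->bundle();
  $is_owner = $account->isAuthenticated()
    && (int) $node->getOwnerId() === (int) $account->id();

  // Published node: the per-bundle permissions are the only thing this
  // module adds. Cache metadata states what the decision depends on.
  if ($account->hasPermission("view any $bundle content")) {
    return AccessResult::allowed()
      ->cachePerPermissions()
      ->addCacheableDependency($node);
  }
  if ($is_owner && $account->hasPermission("view own $bundle content")) {
    return AccessResult::allowed()
      ->cachePerPermissions()
      ->cachePerUser()
      ->addCacheableDependency($node);
  }

  // Neither permission: do not forbid, let other modules and core's
  // node_access grants decide.
  return AccessResult::neutral()->cachePerPermissions();
}
```

The design point is that "allowed" for published content and "neutral" (rather than "allowed") for unpublished content is what keeps an extra permission layer from widening access: a hook that returns allowed without checking isPublished() is exactly the behaviour the advisory flags.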

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001

Drupal Contributed Security - Wed, 01/10/2018 - 13:57
Project: 
Date: 
2018-January-10
Vulnerability: 
Arbitrary PHP code execution
Description: 

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.
The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.
This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.

Solution: 

Install the latest version:

  • If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1
Fixed By: 
  • Mauro Vigliotti, the module maintainer
Coordinated By: 
  • Michael Hess of the Drupal Security Team
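
The advisory names the bug class (a request value that ends up as the name of a PHP class to instantiate) without showing code. What follows is an added illustration, not the Stacks module's code: a minimal AJAX-style handler that does what the advisory describes, beside a hardened version that maps an opaque identifier onto a fixed allow-list of classes. The request key widget_type, the widget class names and the handler shape are assumptions.

```php
<?php
// Added, illustrative example (not the Stacks module's code) of the bug
// class in SA-CONTRIB-2018-001: client-controlled class instantiation.

interface WidgetInterface {
    public function render();
}

final class TextWidget implements WidgetInterface {
    public function render() { return '<p>text widget</p>'; }
}

final class ImageWidget implements WidgetInterface {
    public function render() { return '<img alt="image widget">'; }
}

// VULNERABLE: the value posted as 'widget_type' becomes the class name.
// Any autoloadable class (core, contrib, vendor libraries) can be
// instantiated, and its constructor side effects run before anything
// downstream could notice the object is not a widget at all.
function buildWidgetVulnerable(array $post)
{
    $class = isset($post['widget_type']) ? $post['widget_type'] : '';
    return new $class();
}

// HARDENED: the client chooses from an allow-list of opaque identifiers;
// the server owns the mapping to concrete classes and rejects anything else.
const WIDGET_TYPES = [
    'text'  => 'TextWidget',
    'image' => 'ImageWidget',
];

function buildWidgetHardened(array $post)
{
    $type = isset($post['widget_type']) ? $post['widget_type'] : '';
    if (!is_string($type) || !array_key_exists($type, WIDGET_TYPES)) {
        throw new InvalidArgumentException('Unknown widget type');
    }
    $class = WIDGET_TYPES[$type];
    return new $class();
}

// Constructed request bodies for demonstration.
echo buildWidgetHardened(['widget_type' => 'text'])->render(), PHP_EOL;
try {
    // A class name the endpoint never intended to instantiate.
    buildWidgetHardened(['widget_type' => 'SplFileObject']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Checking that the posted name matches a regex, or that the resulting object implements an interface, is not a substitute for the allow-list: the regex still admits every class name that looks like one, and an interface check runs only after the constructor has already executed.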

    Be a Database Hero with InnoDB Cluster (23 Jan 2018)

    MySQL Web Seminars - Tue, 01/09/2018 - 16:35

    Disk failures. Hardware crashes. Power outages. User errors. Now more than ever it is important to remember the true meaning of high availability. Don’t miss this InnoDB Cluster presentation and see how easy it is to set up and manage. The life of your data might just depend on it.

    Date and Time: Tuesday, 23 Jan 2018, 09:00 US/Pacific
    Categories: Development News, MySQL

    Drupal 8 Content Migration: A Guide For Marketers

    Drupal News - Tue, 01/09/2018 - 14:28

    The following blog was written by Drupal Association Premium Supporting Partner, Phase2.

    If you’re a marketer considering a move from Drupal 7 to Drupal 8, it’s important to understand the implications of content migration. You’ve worked hard to create a stable of content that speaks to your audience and achieves business goals, and it’s crucial that the migration of all this content does not disrupt your site’s user experience or alienate your visitors.

    Content migrations are, in all honesty, fickle, challenging, and labor-intensive. The code that’s produced for migration is used once and discarded; the documentation to support them is generally never seen again after they’re done. So what’s the value in doing it at all?

    YOUR DATA IS IMPORTANT (ESPECIALLY FOR SEO!) 

    No matter what platform you’re working to migrate, your data is important. You’ve invested lots of time, money, and effort into producing content that speaks to your organization’s business needs.

    Migrating your content smoothly and efficiently is crucial for your site’s SEO ranking. If you fail to migrate highly trafficked content or to ensure that existing links direct readers to your content’s new home you will see visitor numbers plummet. Once you fall behind in SEO, it’s difficult to climb back up to a top spot, so taking content migration seriously from the get go is vital for your business’ visibility.

    Also, if you work in healthcare or government, some or all of your content may be legally mandated to be both publicly available and letter-for-letter accurate. You may also have to go through lengthy (read: expensive) legal reviews for every word of content on your sites to ensure compliance with an assortment of legal standards – HIPAA, Section 508 and WCAG accessibility, copyright and patent review, and more.

    Some industries also mandate access to content and services for people with Limited English Proficiency, which usually involves an additional level of editorial content review (See https://www.lep.gov/ for resources).  

    At media organizations, it’s pretty simple – their content is their business!

    In short, your content is a business investment – one that should be leveraged.

    SO WHERE DO I START WITH A DRUPAL 8 MIGRATION?

    Like with anything, you start at the beginning. In this case that’s choosing the right digital technology partner to help you with your migration. Here’s a handy guide to help you choose the right vendor and start your relationship off on the right foot.

    Once you choose your digital partner, content migration should start at the very beginning of the engagement. Content migration is one of the building blocks of a good platform transition. It’s not something that can be left for later – trust us on this one. It’s complicated, takes a lot of developer hours, and typically affects both your content strategy and your design.

    Done properly, the planning stages begin in the discovery phase of the project with your technology vendor, and work on migration usually continues well into the development phase, with an additional last-sprint push to get all the latest content moved over.

    While there are lots of factors to consider, they boil down to two questions: What content are we migrating, and how are we doing it?

    WHICH CONTENT TO MIGRATE

    You may want to transition all of your content, but this is an area that does bear some discussion. We usually recommend a thorough content audit before embarking on any migration adventure. You can learn more about website content audits here. Since most migration happens at a code & database level, it’s possible to filter by virtually any facet of the content you like. The most common in our experience are date of creation, type of content, and categorization.

    While it might be tempting to cut off your site’s content to the most recent few articles, Chris Anderson’s 2004 Wired article, “The Long Tail” (https://www.wired.com/2004/10/tail/) observes that a number of business models make good use of old, infrequently used content. The value of the Long Tail to your business is most certainly something that’s worth considering.

    Obviously, the type of content to be migrated is pretty important as well. Most content management systems differentiate between different ‘content types’, each with their own uses and value. A good thorough analysis of the content model, and of the uses to which each of these types has been and will be put, is invaluable here. There are actually two reasons for that. First, the analysis can be used to determine what content will be migrated, and how. Later, this analysis serves as the basis of the creation of those ‘content types’ in the destination site.

    A typical analysis takes place in a spreadsheet (yay, spreadsheets!). Our planning sheet has multiple tabs but the critical one in the early stages is Content Types.

    Here you see some key fields: Count, Migration, and Field Mapping Status.

    Count is the number of items of each content type. This is often used to determine if it’s more trouble than it’s worth to do an automated content migration, as opposed to a simple cut & paste job. As a very general guideline, if there are more than 50 items of content in a content type, then that content should probably be migrated with automation. Of course, the number of fields in a content type can sway that as well. Once this determination is made, that info is stored in the Migration field.

    The Field Mapping Status column is a status column for the use of developers, and reflects the current efforts to create the new content types, with all their fields. It’s a summary of the Content Type Specific tabs in the spreadsheet. More detail on this is below.

    Ultimately, the question of what content to migrate is a business question that should be answered in close consultation with your stakeholders. Like all such conversations, this will be most productive if your decisions are made based on hard data.

    HOW DO WE DO IT?

    This is, of course, an enormous question. Once you’ve decided what content you are going to migrate, you begin by taking stock of the content types you are dealing with. That’s where the next tabs in the spreadsheet come in.

    The first one you should tackle is the Global Field Mappings. Most content management systems define a set of default fields that are attached to all content types. In Drupal, for example, this includes title, created, updated, status, and body. Rather than waste effort documenting these on every content type, document them once and, through the magic of spreadsheet functions, print them out on the Content Type tabs.

    Generally, you want to note Name, Machine Name, Field Type, and any additional Requirements or Notes on implementation on these spreadsheets.

    It’s worth noting here that there are decisions to be made about what fields to migrate, just as you made decisions about what content types. Some data will simply be irrelevant or redundant in the new system, and may safely be ignored.

    In addition to content types, you also want to document any supporting data – most likely users and any categorization or taxonomy. For a smooth migration, you usually want to actually start the development with them.

    The last step we’ll cover in this post is content type creation. Having analyzed the structure of the data in the old system, it’s time to begin to recreate that structure in the new platform. For Drupal, this means creating new content type bundles, and making choices about the field types. New platforms, or new versions of platforms, often bring changes to field types, and some content will have to be adapted into new containers along the way. We’ll cover all that in a later post.

    Now, many systems have the ability to migrate content types, in addition to content. Personally, I recommend against using this capability. Unless your content model is extremely simple, the changes to a content type’s fields are usually pretty significant. You’re better off putting in some labor up front than trying to clean up a computer’s mess later.

    In our next post, we’ll address the foundations of Drupal content migrations – Migration Groups, and Taxonomy and User Migrations. Stay tuned!

    Written by Joshua Turton

    https://www.phase2technology.com/blog/drupal-8-content-migration-guide-marketers

    Categories: Development News, Drupal

    PHP 5.6.33 Released

    PHP Announcements - Thu, 01/04/2018 - 16:21
    The PHP development team announces the immediate availability of PHP 5.6.33. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. For source downloads of PHP 5.6.33 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
    Categories: Development News, PHP, PHP News

    PHP 7.1.13 Released

    PHP Announcements - Thu, 01/04/2018 - 11:27
    The PHP development team announces the immediate availability of PHP 7.1.13. This is a security release. Several security bugs were fixed in this release. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.13 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
    Categories: Development News, PHP, PHP News

    PHP 7.2.1 Released

    PHP Announcements - Thu, 01/04/2018 - 11:26
    The PHP development team announces the immediate availability of PHP 7.2.1. This is a security release. Several security bugs were fixed in this release. All PHP 7.2 users are encouraged to upgrade to this version. For source downloads of PHP 7.2.1 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
    Categories: Development News, PHP, PHP News

    PHP 7.0.27 Released

    PHP Announcements - Thu, 01/04/2018 - 10:00
    The PHP development team announces the immediate availability of PHP 7.0.27. This is a security release. Several security bugs were fixed in this release. All PHP 7.0 users are encouraged to upgrade to this version. This release marks the end of the two years active support period for the 7.0 branch. The further releases of the 7.0 branch will be issued on demand and contain only critical security relevant bug fixes. The security support is provided till December 3rd, 2018. It is a good time to plan the migration to PHP 7.1 or 7.2. For source downloads of PHP 7.0.27 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
    Categories: Development News, PHP, PHP News
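
The four announcements above each say "upgrade" without giving operators a way to tell which branch they are on and whether it is below the fixed release. The following is an added practitioner check, not part of the php.net announcements: it maps the running interpreter's branch to the minimum patched version from these releases (5.6.33, 7.0.27, 7.1.13, 7.2.1) and reports ok, outdated or unknown-branch. It assumes upstream version numbers; distribution builds that backport fixes while keeping an older version string (Debian, RHEL and similar) must be checked against the distribution's own advisories instead.

```php
<?php
// Added practitioner check (not from the php.net announcements): is the
// running PHP at or above the security release for its branch?
// Only branches with a release announced above are known; anything else
// is reported as unknown-branch rather than assumed safe.

const MIN_PATCHED = [
    '5.6' => '5.6.33',
    '7.0' => '7.0.27',
    '7.1' => '7.1.13',
    '7.2' => '7.2.1',
];

/**
 * Returns 'ok', 'outdated' or 'unknown-branch' for a version string such
 * as PHP_VERSION. Suffixes like "-dev" or "RC1" are tolerated by the regex
 * and by version_compare().
 */
function security_release_status($version)
{
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        return 'unknown-branch';
    }
    $branch = $m[1] . '.' . $m[2];
    if (!array_key_exists($branch, MIN_PATCHED)) {
        return 'unknown-branch';
    }
    return version_compare($version, MIN_PATCHED[$branch], '>=') ? 'ok' : 'outdated';
}

// The interpreter this script runs under, followed by constructed samples.
printf("%s: %s\n", PHP_VERSION, security_release_status(PHP_VERSION));
foreach (['7.0.26', '7.1.13', '7.2.0', '5.6.33', '7.3.0'] as $v) {
    printf("%s: %s\n", $v, security_release_status($v));
}
```

Run it with the same binary that serves the site (php-fpm and the CLI are often different builds), for example via `php-fpm -v` or a phpinfo() check, since `php` on the PATH may not be the interpreter exposed to the web.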

    me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

    Drupal Contributed Security - Wed, 12/20/2017 - 14:47
    Project: 
    Date: 
    2017-December-20
    Vulnerability: 
    Arbitrary code execution
    Description: 

    The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me etc.

    The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code.

    Solution: 

    Install the latest version:

    • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3
    Reported By: 
    Fixed By: 
      • Camilo Bravo
      • nohup
      • Michael Hess of the Drupal Security Team
    Coordinated By: 
      • Michael Hess of the Drupal Security Team

    Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096

    Drupal Contributed Security - Wed, 12/20/2017 - 11:06
    Date: 
    2017-December-20
    Vulnerability: 
    Unsupported
    Description: 

    This module adds a new organizational layer to Drupal, making it easy for managing large numbers of files and nodes.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the Directory based organisational layer module for Drupal you should uninstall it.

    Reported By: 
    Fixed By: 

    N/A

    ComScore direct tag - Critical - Unsupported - SA-CONTRIB-2017-095

    Drupal Contributed Security - Wed, 12/20/2017 - 11:00
    Date: 
    2017-December-20
    Vulnerability: 
    Unsupported
    Description: 

    A simple module to add in the JS for the comScore Direct tag to your Drupal site.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the ComScore Direct tag module for Drupal you should uninstall it.

    Reported By: 
    Fixed By: 

    N/A

    Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

    Drupal Contributed Security - Wed, 12/20/2017 - 10:12
    Date: 
    2017-December-20
    Vulnerability: 
    Unsupported
    Description: 

    The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the Link Click Count module for Drupal you should uninstall it.

    Reported By: 
    Fixed By: 

    N/A

    Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

    Drupal Contributed Security - Wed, 12/13/2017 - 14:24
    Project: 
    Version: 
    7.x-1.x-dev
    Date: 
    2017-December-13
    Vulnerability: 
    Cross Site Scripting
    Description: 

    This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like Open Atrium.

    The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled.

    This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.

    Solution: 

    Install the latest version:

    Reported By: 
    Fixed By: 
    Coordinated By: 
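
The advisory states the bug class (a node title reaching the breadcrumb markup unescaped) without code. The following is an added Drupal 7 illustration, not Panopoly's code: a hypothetical module example_crumbs that appends the current node's title to the breadcrumb, showing the unsafe form as a comment and the escaped form as the live code. The hook choice and module name are assumptions; the sample payload in the comment is constructed.

```php
<?php
// Added, illustrative Drupal 7 example (not Panopoly's code) of the XSS
// class in SA-CONTRIB-2017-093. theme_breadcrumb() joins its items into
// markup without escaping them, so whatever is pushed into the breadcrumb
// array must already be safe HTML.

/**
 * Implements hook_page_alter() for hypothetical module "example_crumbs".
 *
 * Runs before the page template is rendered, which is early enough to
 * change the breadcrumb that template_preprocess_page() reads.
 */
function example_crumbs_page_alter(&$page) {
  $node = menu_get_object();
  if (!$node) {
    return;
  }
  $breadcrumb = drupal_get_breadcrumb();

  // VULNERABLE: $node->title is the raw string the author typed. Anyone with
  // a content-creation role could save a title such as (constructed)
  //   <img src=x onerror="alert(document.cookie)">
  // and it would execute for every visitor of that page.
  // $breadcrumb[] = $node->title;

  // FIXED: escape before the string becomes part of the breadcrumb markup.
  // For a linked crumb, l() escapes its text by default (unless 'html' =>
  // TRUE is passed), so l($node->title, 'node/' . $node->nid) is equally safe.
  $breadcrumb[] = check_plain($node->title);

  drupal_set_breadcrumb($breadcrumb);
}
```

The mitigation the advisory mentions (an attacker needs a role that can create content) is worth reading together with this: on sites where low-trust users can author nodes, a stored XSS in a site-wide element like the breadcrumb fires for administrators too, which is why the issue is rated moderately critical rather than dismissed.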

    Kia ora DrupalSouth - stories, insights, Drupal

    Drupal News - Wed, 12/13/2017 - 00:37

    DrupalSouth badges photo by Dreamcoat Photography

    This month’s Drupal Spotlight is a Q&A snapshot from some amazing speakers and organisers behind the recent DrupalSouth in Auckland, New Zealand. We look in and beyond the code at the voices and perspectives of people building in Drupal and influencing our community, including how they got into technology, and their vision for the future.

    Please note: videos of the DrupalSouth presentations will be up in the New Year - we will let you know when they are up so you can come back and watch!

    Katie Graham

    Code | Lego | cats (or for a second opinion) Interested | introverted | innovator

    How did you get your start in technology?

    As a kid I was always interested in finding out how things worked so I was obsessed with computers from when I first encountered one when I was four or five. We got dial up internet when I was about 14 and I soon figured out how to create websites, later learning PHP and MySQL. I never wanted to get paid for developing websites as I thought it might make it less fun, but a few years later I ended up doing a design degree and it was there that everything came together and I realised that development is what I should be doing. I started using Drupal in the final year of my degree and haven’t looked back!

    As one of the organisers of this year's DrupalSouth, what is the number one tip you could give to people running Drupal events?

    There were certain areas that were a lot more work than I anticipated, for example, we received so many more session submissions than we were expecting, so it was quite overwhelming.

    I think it’s really important to have a solid core team organising the conference and a lot of helpers for things that need to be done closer to and during the conference. Shout out to the other organisers and everyone who helped us! I’d also say try to relax and enjoy the event itself if you can...

    You are the technical director for a New Zealand web company. Looking forward, how do you expect to see the skill set of the people you need to hire changing over the next five years?

    That’s a tricky one as it depends on the direction that technology heads in, as well as what our clients are after. These days we’re hiring people with much different skill sets than we were five years ago as we’ve moved from primarily creating websites to creating apps and business systems too, plus we’re using front end frameworks like Vue.js which didn’t exist five years ago. I think what will stay consistent is that I’ll be looking for people who want to continue learning and are happy to try new things.

    DrupalSouth organising team (and @Schnitzel!): Nicole Kirsch | Dave Sparks | Michael Schmid | Pam Clifford | Katie Graham | Morten Kjelstrup

    Rebecca Rodgers

    Rebecca Rodgers photo by Dreamcoat Photography

    Passionate | honest | energetic

    How did you get your start in technology?

    I kind of fell into it as an HR professional: I was the only one in my team who could translate what the users needed to the tech guys so they could understand it. That led to a post-grad in online education before moving on to designing great employee experiences.

    You specialise in intranets, on day one of looking at an intranet build, what’s the most important advice you give to organisations and their staff when preparing for the journey?

    Don't try to tackle too much.  Take a user centred design approach by understanding your employee needs, create a strategy that takes those needs and the needs of the organisation into account and go from there.  Let the needs and strategy drive the project rather than the technology. 

    What’s a trend in intranets and adoption of digital transformation that Drupal builders should keep in mind when planning for the future platform needs?

    Employees are facing more challenges than ever with the introduction of many information systems in the employee landscape which is making it harder for them to find the information they need.  It is essential to consider the whole Digital Workplace and the Digital Employee Experience which considers how employees work in the digital world rather than just looking at the intranet.

    Rebecca's DrupalSouth talk was: Put the employee experience at the heart of the digital workplace

    Laura Munro

    Laura Munro photo by Dreamcoat Photography

    Nerdy | organised | creative

    How did you get your start in technology?

    I got my start in technology through a social enterprise called DesignGel. When I graduated design school in 2013 my friend Denny Ford & I took over as company directors, and along with traditional design work, I would build WordPress sites for small businesses, teaching myself along the way. Then about 3 years later I got pinched to work at Xequals after talking at a CSS Meetup.

    At DrupalSouth you shared the site https://policy.nz. How important is it for developers to stretch their skills by taking on passion projects from time to time?

    I think developers are given a bit of a hard time on this point, because we're continuously learning on the job as it is. Doing passion projects from time to time is fantastic to keep inspiring you to try new things, especially if you're getting bogged down by more boring-ish projects at work.

    But I don't think developers should be expected to be coding every waking hour of their day, it makes us less productive and leads to burn out very quickly. I only work a 30 hour week at most, and it's great for productivity and my general well-being.

    You are all about the front end. What is your advice on the emerging techniques or frameworks to master for the future of Drupal front end?

    Get involved in the community! Drupal and front-end has a great community, in Wellington anyway. Go check out your local tech Meetups and find out what other people are getting excited about, or what their pain points are. My session at DrupalSouth featured the new CSS display properties flexbox and CSS grids, two new features in front-end that I'm really excited about.

    Laura's DrupalSouth talk was: Theming Drupal in 2017: A New Hope

    Kristy Devries

    Kristy Devries photo by Dreamcoat Photography

    Sassy | passionate | conscientious

    How did you get your start in technology?
     
    My whole life I have always wanted to do everything, especially when it came to creative industries. When I was young, I did not have motivation to keep pursuing hobbies, apart from playing RollerCoaster Tycoon (which has resulted in me now being a bit cautious around theme parks). I was around fourteen years old when I randomly decided that I wanted to learn how to make websites. So I bought two books, one on HTML and the other on PHP, and spent hours every day after school learning. I initially used my HTML and CSS knowledge to spruce up my MySpace profile page and then I bought a domain name and installed the very first version of WordPress, I did not know about Drupal back then (so sorry), and started a blog. I don’t remember what I wrote about but I remember I had random internet blogger friends, I would list their website on my site and vice versa. Those were the days.
     
    After high school, I did a year of an interdisciplinary creative industries bachelor, before deferring and spending the next few years working in hospitality and traveling around the world.  One morning, while working in a coffee shop in Europe, I decided that I wanted to pursue a career in technology. I came back to Brisbane with a plan to study and concentrate on my career. After dedicating many nights on an application, making a website resume and sending it off, revamping my website resume, sending that off again and numerous calls later, I landed a job as a junior web developer at a local agency in Brisbane - my first job in this tech industry. 

    Support can be one of the toughest and sometimes even least rewarding gigs in tech, you seem to really enjoy it… why?
     
    While it can certainly be tough sometimes, the people I work with are a big part of why I enjoy it. There’s a real sense of camaraderie, especially within Acquia Support. If you’re stuck on a puzzling problem, there’s a global group of amazing people ready to jump in to help you. And provide banter of course.
     
    I also get a chance to work on projects, for example presenting at Drupal South, as part of my role within Support. These projects can involve front end web development, user experience, design, strategy, event planning, which gives me a chance to dabble in a few areas of interest. While we do have an office in Brisbane, we have the flexibility to work from home, or work remotely from another country (I spent 2 months in the USA this year) so I get to travel as well as develop my career, which is one of the reasons I wanted to work in the tech industry.

    All in all, I feel like working in Support is a mixture of feverishly putting out fires and being on a treasure hunt. There is definitely always something to learn, and sometimes I feel like after two years in support, I don’t know anything. However, this blend of problems means there’s never really a dull moment! 

    You have leadership aspirations, what makes a good leader in the technology industry?
     
    A good leader has your back. A good leader gives you challenges and enables you to grow your career. A good leader is transparent and humble. A good leader leverages the frustrations of the team and customers and finds ways to turn that into solutions. A good leader hires the right people because he/she knows that having good coworkers is important for creating a fun and supportive culture. 
     

    Kristy's DrupalSouth talk was: How to be a self rescuing Princess

    Laura Bell

    Laura Bell photo by Dreamcoat Photography

    Security | cat | herder

    How did you get your start in technology?

    At age 16 I found myself homeless and needing a job. My home town doesn't have many options so I applied to a junior/apprentice software role doing COBOL development. I didn't know much about computers and I'd never coded before but I needed a job and this looked like it had a future (hehe irony). I then went on to study AI and work a range of software and operations jobs before ending up in Security.

    You attended DrupalGov in Washington DC this year, what was your main takeaway?

    That the challenges we all face require a community to solve them. No single vendor or product can keep us safe or solve our needs so we need to start working together with authenticity and openness.

    Looking forward, what’s a piece of security advice or insight Drupal developers and site builders should be thinking about?

    80% of our problems can be solved by fixing 20% of our vulnerabilities in security. Pick simple behaviours and changes and try and change them one after another.... it soon adds up. 

    Laura's DrupalSouth talk was: Fear itself

    Hannah Del Porto

    Hannah Del Porto photo by Dreamcoat Photography

    Disciplined | organized | a little bit silly

    How did you get your start in technology?

    It was an accident. I needed a job in college and ended up doing front-end development to pay the rent. I actually meant to be a lawyer!

    At DrupalSouth you talked about the difficulty in making changes to technology once a build is underway, considering the flexibility of Drupal what are some strategies for locking down scope?

    Putting scope in writing is extremely important to make sure both sides are on the same page and have a reference for what was agreed on. In my experience there are a lot of situations where you can't lock down scope before you've started work. That's where sprints are helpful so you can review and make adjustments as early as possible.

    It's also important to be as up-front as possible. If scope is not settled, be specific about what is undefined and how that may affect timeline and budget. Even for projects with a formal scope, building in a 10% budget and timeline reserve can make changes less painful for everyone.

    As a Chief Operating Officer where do you think future trends will evolve over the next couple of years? And how does this shape your forward planning?

    10 years ago I took an online Anatomy class which involved having a dead rat sent to my house then uploading photos of its dissected body to our class website. Every day there are new ways to have online experiences that used to require physical presence. At Brick Factory we focus on non-profits, so the future is about looking at how stakeholders interact with organizations and bringing those experiences online in ways that were previously reserved for "real life".

    Hannah's DrupalSouth talk was: How to Win Friends and Influence People (on the Programming Team)

    Aimee Whitcroft

    Aimee Whitcroft

    Open | inquisitive | incorrigible

    How did you get your start in data?

    I wandered into the open data / open government space over a period of years, starting during my work with the National Institute of Water and Atmospheric Research (NIWA) and continuing through my work with GovHack NZ and various government departments and civil initiatives.

    In your talk you have a slide combining open data, open gov and open source equalling civic technology. Why is civic technology important for society?

    Civic technology is about "using technology to help empower the public in its dealings with government(s), though better information-generating/sharing, decision-making and accountability."  It's more than just "hacking for social good - it’s about hacking civic issues, and finding ways to directly help people."

    Medium post: Why we keep going on about CivicTech
    Towards a more open NZ (DrupalSouth speech notes)

    If you could control the trends and data was open by default, what sort of web projects would we be building in the future?

    Gosh - that's an impossible question to answer! It would totally depend on the individual communities' needs. I think a great place to look for ideas is at previous GovHack projects (govhack.org.nz and govhack.org). My request would be that technologists (and I don't just mean developers!) find ways to reach out, respectfully and responsibly, into communities - especially our most vulnerable - to ask what they need and want, and then work with them to create those products and services.

    Aimee's DrupalSouth talk was: How can open source contribute to a stronger, kinder, more resilient NZ?

    Heike Theis

    Heike Theis

    Strangely | optimistic | human

    How did you get your start in technology?

    When I was about 4 years old, I took a pair of scissors and cut through the cable of my radio to see what electricity looks like. The cable was plugged in, the radio was on, and the scissors had metal handles ... it was an interesting experience. But the incident did not take away an overwhelming desire to understand how things work and to find out if you can make them better. 

    During your DrupalSouth talk you shared examples of how you get customers to take control of their content. How important is it to build sites for publishers and digital marketers?

    Content is language and language is communication. A site that does not allow 'communicators' to take control of the dialogue (or monologue) with their customers is not a website at all. 

    You have been involved in an internal transformation and as a result your team has built a distribution, how does this approach help future proof your company's development needs?

    Streamlining and consolidating coding and configuration allows every member of our teams - thinkers, planners, designers, writers, and coders - to concentrate on the ... let's call them 'special' ... features. The things that are not already part of the Distro. The boring bits vanish. E.g. how many times do you want to decide (or discuss) which buttons to show in a minimal WYSIWYG editor profile? The Distro makes this decision for you: it presents you with 11 buttons we decided we want in 'general'. 10 buttons will be right for your specific site, and you might want to remove one and add two others. Still, that leaves you with 9 buttons you don't have to think about every single time. Does that make people happy ... maybe not. But having to add 11 buttons every single time makes most people unhappy. Making people less unhappy in this industry is a big win in my book, and yes I think that helps to 'future proof our team's needs'. 

    Mind, working with Distros will not work for every company, every team, or every team member. If you want to re-invent the wheel every time or only do things 'your way', this is not going to work for you. 

    Heike's DrupalSouth talk was: From Content Strategy to Modular Design: Kick starting your Drupal Projects

    Ruth McDavitt

    Ruth McDavitt

    He tangata | he tangata | he tangata (or, in less poetic English words) Connect | inspire | facilitate

    How did you get your start in technology/connecting people into technology?

    I've always been a connector, but was working on the business side, helping tech companies connect with customers and global markets. 

    Connecting people to technology careers evolved from that, my growing realisation that there's a huge disconnect between what people are learning & exposed to through mainstream education, and the growing need for more relevant & diverse skills to support the development of technology & enterprise & people.

    In your DrupalSouth talk you were firm in the need to create opportunities for people to gain experience in technology. Why is this important?

    We used to go to school to learn how to do things. With the current pace of technological change, we now have to DO things to learn about them.

    It's always been difficult to get experience without a job, and a job without experience, but the rapid change in tools, processes and technologies means that it's harder than ever for teachers to keep up. 

    People (of all ages, backgrounds and experience) are creating, adapting, rejecting and inventing technology, and exposing them to the possibilities & tools is the best way I know to support them to create the future. 

    What’s a future trend or opportunity that you think the Drupal community could miss out on if we don’t increase diversity and make space for new people?

    Sustaining the Drupal community will only be possible through welcoming newcomers, and supporting their growth and needs. DrupalSouth was my first experience with your community and it felt very healthy! 

    For the aspiring tech people I work with though, I don't know what to tell them. Are there good pathways in, for people from all walks of life? Once you're a newbie, is there support & opportunity to grow? Do you retain diverse senior & experienced people or are they moving on? Do all people feel valued, supported & celebrated?

    I don't know the answers, but DrupalSouth felt open, welcoming, and I had great conversations with a diverse range of people. If you're thinking about these things then I reckon you're on the right track. The value of communities is the people in them, their passion and commitment for doing, sharing and making more awesomeness possible.

    Ruth's DrupalSouth talk was: Developing Developers: finding & growing new tech talent

    Fonda Le

    Fonda Le photo by Dreamcoat Photography

    Passionate | goofy | hyperempathetic

    How did you get your start in technology?

    At the last minute, I changed my degree from Design to Media. After uni, I happened to fall into a web production role and (despite still having great interest in the design industry) I haven't looked back since - working in IT/Digital has offered me a variety of opportunities which I'm grateful for.

    Why did you choose to talk about the benefits of being an introvert scrum master at DrupalSouth? What do you want people to realise/understand? 

    To be honest, I wanted to submit something left of field so I was very surprised to find out my talk was accepted! After working for a bank where mainly extroverts were appreciated and/or promoted and after leading teams with so many introverts, I thought it'd be worth my while to look into generalisations around introversion and there's a bunch of material around on it these days. I feel like the (competent) introvert scrum master works really hard in the background and never asks for anything in return from the team or anyone really so I was keen for people to recognise this. I also wanted to highlight just how interesting the servant leader role is and how much of an influence the role has on a team.

    Project management approaches change over time. Is agile here to stay or can you foresee a shift that will be needed for projects of the future as organisational capacity changes?

    While agile feels like it's trendy at the minute, I don't think it's going anywhere as there are different 'flavours' that will suit different teams, projects and organisations, i.e. Scrum shouldn't necessarily be the go-to method for every company.

    Having a range of project management methodologies allows us all to be pragmatic - we should be using an approach that makes the most sense for what we're working on (considering what sort of experience or buy-in we have from the team members, company execs, etc) and anything within that approach which doesn't have value can be discarded.

    Fonda's DrupalSouth talk was: Benefits of an introvert Scrum Master

    Donna Benjamin

    Donna Benjamin photo by Dreamcoat Photography

    Curious | connected | caffeinated

    How did you get your start in technology?

    We had an Apple IIe when I was a kid, I wanted to be a hacker after seeing War Games, I was a Sysop on a couple of telnet BBSes, and I made my first webpage in 1995. I ran my own business for 20 years. I think I was always a nerd, who loved the shiny glint of technology, so I feel blessed I managed to make it my job! I believe tech helps us change things, make them better. I know it can also be used for less wonderful stuff. It's on all of us to harness technology's power for good.

    ‘Being human’ is a stream that is often popular at Drupal conferences, why is it important to focus on the human side of code and tech?

    So important. So, so sooo important! Oh goodness me. Why? We make stuff for humans, we are humans. When we forget this, bad things happen.

    We must always bring our humanity to the table whenever we make things, and we must acknowledge our collective fragility when we work together. Tech can be high stakes and stressful, and that sometimes brings out the worst in people, but the flipside of this is we can always practice being better humans. And we should. And we should share tips and tricks on how to do so!

    You’ve been around Drupal for a while and seen some changes, if you could control the future where will Drupal be in five years’ time? How will it be being used?

    Drupal has consistently led the way when it comes to democratising technology that was only available to megacorps. I hope it continues to do that. In 5 years' time? I reckon Drupal will still be used in ways it's being used right now, just as we see sites created in 2012 still working pretty much the way they did then. But we'll also continue to innovate. Omnichannel digital experiences, extending the web beyond the browser into conversational, kinaesthetic, tactile and mindpowered UIs will stretch us all. Re-imagining content itself, and addressing the challenge of personalisation without facilitating mass surveillance will really test our mettle. The march forward for Drupal is about embracing change, empowering the community, and maintaining our careful balance of commerce and community - it's one of the things I've always thought is special about the DrupalVerse.

    Donna's DrupalSouth talk was: Communication skills for everyone

    Rikki Bochow

    Rikki Bochow photo by Dreamcoat Photography

    Happy | quiet | focused

    How did you get your start in technology?

    I studied graphic design at uni, and always enjoyed the web class (table-based HTML and Flash) that was included. I'd applied for a range of design positions afterwards but was particularly keen on web design, so was more than happy when a small web agency called me in for an interview. Unfortunately, I didn't get the job as I didn't have the technical abilities they were after.

    I went home and did some online tutorials around the kind of tech they were using, built a one page HTML/CSS (with divs!) thank you letter and sent it through, asking, if they had any work experience positions, to please let me know! A couple of weeks later they called me in for work experience, which shortly turned into a full time position.

    I learnt more and more development languages and started enjoying coding way more than designing.

    What’s your favourite thing about the front end changes in Drupal 8 compared to 7?

    Twig is probably the one that stands out the most. The fact that there is less Drupalism in the theme layer, so we could hire front end developers who didn't necessarily have Drupal experience, was a huge win. I also really like the improvements made to the Asset Library system (surprise!), making adding, overriding and extending core/module and base theme CSS/JS so easy, it's really great.

    What advice do you have for a graphic designer wanting to make the leap into Drupal front end development?

    Don't let anyone, ever, tell you you can't or shouldn't bother (I was often told that UX would be better for me than development and I'm glad I ignored them)! Coding is the ultimate design tool and I think that's a nice way to think about it - it's not so scary, it's just a new tool. Designing in the browser is heaps of fun, as are animations and transitions (interaction design). You'll always be a designer, you don't have to stop. The two disciplines fit so well together you'll be so much better at both for having knowledge of the other.

    Rikki's DrupalSouth talk was: Front-end performance improvements with Drupal 8 Asset Libraries

    Next month the Community Spotlight will pay tribute to the life and impact of valued community member J-P Stacey, who recently passed away. We invite you to use this form to share thoughts and memories of J-P for us to share.

    Thanks to Dreamcoat Photography for the DrupalSouth images; visit the DrupalSouth Flickr page for more.

    Some scheduling conflicts mean we will be bringing you the Spotlight article for Fatima Sarah Khalid @sugaroverflow very early in the new year.

    Drupal version: 
    Categories: Development News, Drupal

    Accelerate Drupal 8 by funding a Core Committer

    Drupal News - Tue, 12/12/2017 - 12:44

    This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.


    We have ambitious goals for Drupal 8, including new core features such as Workspaces (content staging) and Layout Builder (drag-and-drop blocks), completing efforts such as the Migration path and Media in core, automated upgrades, and adoption of a JavaScript framework.

    I met with several of the coordinators behind these initiatives. Across the board, they identified the need for faster feedback from Core Committers, citing that a lack of Committer time was often a barrier to the initiative's progress.

    We have worked hard to scale the Core Committer Team. When Drupal 8 began, it was just catch and myself. Over time, we added additional Core Committers, and the team is now up to 13 members. We also added the concept of Maintainer roles to create more specialization and focus, which has increased our velocity as well.

    I recently challenged the Core Committer Team and asked them what it would take to double their efficiency (and improve the velocity of all other core contributors and core initiatives). The answer was often straightforward; more time in the day to focus on reviewing and committing patches.

    Most don't have funding for their work as Core Committers. It's something they take on part-time or as volunteers, and it often involves having to make trade-offs regarding paying work or family.

    Of the 13 members of the Core Committer Team, three people noted that funding could make a big difference in their ability to contribute to Drupal 8, and could therefore help them empower others:

    • Lauri 'lauriii' Eskola, Front-end Framework Manager — Lauri is deeply involved with both the Out-of-the-Box Experience and the JavaScript Framework initiatives. In his role as front-end framework manager, he also reviews and unblocks patches that touch CSS/JS/HTML, which is key to many of the user-facing features in Drupal 8.5's roadmap.
    • Francesco 'plach' Placella, Framework Manager — Francesco has extensive experience in the Entity API and multilingual initiatives, making him an ideal reviewer for initiatives that touch lots of moving parts such as API-First and Workflow. Francesco was also a regular go-to for the Drupal 8 Accelerate program due to his ability to dig in on almost any problem.
    • Roy 'yoroy' Scholten, Product Manager — Roy has been involved in UX and Design for Drupal since the Drupal 5 days. Roy's insights into usability best practices and support and mentoring for developers is invaluable on the core team. He would love to spend more time doing those things, ideally supported by a multitude of companies each contributing a little, rather than just one.

    Funding a Core Committer is one of the most high-impact ways you can contribute to Drupal. If you're interested in funding one or more of these amazing contributors, please contact me and I'll get you in touch with them.

    Note that there is also ongoing discussion in Drupal.org's issue queue about how to expose funding opportunities for all contributors on Drupal.org.

    Categories: Development News, Drupal

    Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

    Drupal Contributed Security - Wed, 12/06/2017 - 15:02
    Project: 
    Version: 
    7.x-1.2
    Date: 
    2017-December-06
    Vulnerability: 
    Access Bypass
    Description: 

    This module lets you configure nodes so that feedback about them can be sent through the personal or site-wide contact forms.
    The module doesn't sufficiently check access to the nodes whose titles are shown on those contact forms.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.
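The access check that this class of bug omits, as an added Drupal 7 example that is not the Node feedback module's own code: a contact form alter that only displays a node's title once node_access() has confirmed the current user may view that node. The module name `example`, the `?nid` query parameter and the helper name are assumptions.

```php
<?php
// Added example, not the Node feedback module's own code. Shows the access
// bypass class the advisory describes: a contact form that shows the title of
// a node chosen by the visitor. Assumes Drupal 7 APIs (hook_form_FORM_ID_alter,
// the core contact_site_form, node_load(), node_access(), t()). The module
// name "example" and the ?nid query parameter are hypothetical.

/**
 * Returns the node a feedback form refers to, or NULL when the current user
 * must not learn anything about it. Returning NULL for both "not found" and
 * "access denied" avoids confirming that a hidden node exists.
 */
function example_feedback_node_for_user($nid, $account = NULL) {
  $node = node_load((int) $nid);
  if (!$node) {
    return NULL;
  }
  // VULNERABLE variant: "return $node;" at this point, with no access check,
  // exposes the titles of unpublished or access-restricted nodes to anyone
  // who can use the contact form, which usually includes anonymous users.
  //
  // FIXED: node_access() applies the site's own rules ('access content',
  // 'bypass node access', and any hook_node_grants() restrictions), so the
  // title is only ever shown to users who could view the node itself.
  if (!node_access('view', $node, $account)) {
    return NULL;
  }
  return $node;
}

/**
 * Implements hook_form_FORM_ID_alter() for contact_site_form().
 */
function example_form_contact_site_form_alter(&$form, &$form_state) {
  if (empty($_GET['nid'])) {
    return;
  }
  $node = example_feedback_node_for_user($_GET['nid']);
  if (!$node) {
    // Behave exactly as if no nid had been given.
    return;
  }
  // The "!" placeholder passes the title through unescaped on purpose: Form
  // API escapes #default_value when it renders the textfield, so escaping
  // here as well would double-encode characters such as "&".
  $form['subject']['#default_value'] = t('Feedback on: !title', array('!title' => $node->title));
  // Carry the checked nid into the submit handler as a protected value.
  $form['example_nid'] = array('#type' => 'value', '#value' => $node->nid);
}
```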

    Solution: 

    Install the latest version:

    Also see the Node feedback project page.

    Reported By: 
    Fixed By: 
    Coordinated By: 

    Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

    Drupal Contributed Security - Wed, 12/06/2017 - 14:44
    Version: 
    8.x-1.4
    Date: 
    2017-December-06
    Vulnerability: 
    Cross Site Request Forgery (CSRF)
    Description: 

    The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

    This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which unprivileged users can exploit to trick an administrator into an unwanted configuration import.

    This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
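How a state-changing link such as Import is normally protected against CSRF in Drupal 8, as an added example that is not the Configuration Update Manager module's own code: the unprotected route definition beside the corrected one, and the controller that builds the link. The `example` module, its route names and paths, and the controller class are assumptions; only the "import configuration" permission is taken from the advisory.

```php
<?php
// Added example, not the Configuration Update Manager module's own code.
// Assumes Drupal 8 routing plus the Url, Link and ControllerBase APIs.
// Route names, paths and the controller are hypothetical.

/*
 * example.routing.yml, WEAK: a GET link that changes state with nothing
 * binding the request to the administrator's session, so any page the
 * administrator happens to visit can trigger the import on their behalf.
 *
 * example.config_import:
 *   path: '/admin/config/development/configuration/report/import/{config_name}'
 *   defaults:
 *     _controller: '\Drupal\example\Controller\ImportController::import'
 *   requirements:
 *     _permission: 'import configuration'
 *
 * example.routing.yml, CORRECTED: the _csrf_token requirement makes core's
 * CsrfAccessCheck reject any request whose ?token= query value does not
 * match the token derived from the current session and this path.
 *
 * example.config_import:
 *   path: '/admin/config/development/configuration/report/import/{config_name}'
 *   defaults:
 *     _controller: '\Drupal\example\Controller\ImportController::import'
 *   requirements:
 *     _permission: 'import configuration'
 *     _csrf_token: 'TRUE'
 */

namespace Drupal\example\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Link;
use Drupal\Core\Url;

class ImportController extends ControllerBase {

  /**
   * Builds the "Import" link shown in the report.
   *
   * Because the route carries _csrf_token, Url::toString() appends the
   * per-session token automatically (core's RouteProcessorCsrf), so a link
   * forged from another site cannot carry a valid token for the victim.
   */
  public static function importLink($config_name) {
    $url = Url::fromRoute('example.config_import', ['config_name' => $config_name]);
    return Link::fromTextAndUrl(t('Import'), $url)->toString();
  }

  /**
   * Performs the import for one configuration item.
   *
   * No manual token check is needed here: the route access check has already
   * rejected forged requests before this controller runs.
   */
  public function import($config_name) {
    // The module's own import logic for $config_name goes here (out of scope
    // for this example; hypothetical report route used for the redirect).
    return $this->redirect('example.config_report');
  }

}
```

Because the token travels in the URL, a confirmation form (extending ConfirmFormBase, whose POST submission carries its own form token) is the more robust choice for destructive operations; the route requirement is the minimal fix for an existing link-based action.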

    Solution: 

    Install the latest version:

    Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.

    Also see the Configuration Update Manager project page.

    Reported By: 
    Fixed By: 
    Coordinated By: 