Drupal Planet

Subscribe to canal de noticias Drupal Planet
Drupal.org - aggregated feeds in category Planet Drupal
Actualizado: hace 1 hora 29 mins

Jeff Geerling's Blog: NEDCamp 2018 - Keynote on DevOps

Jue, 08/02/2018 - 19:34

Over the past decade, I've enjoyed presenting sessions at many DrupalCamps, DrupalCon, and other tech conferences. The conferences are some of the highlights of my year (at least discounting all the family things I do!), and lately I've been appreciative of the local communities I meet and get to be a part of (even if for a very short time) at Drupal Camps.

The St. Louis Drupal Users Group has chosen to put off it's annual Camp to 2019, so we're guiding people to DrupalCorn Camp, which is only a little bit north of us, in Iowa.

Tandem's Drupal Blog: Lando + Envoy

Jue, 08/02/2018 - 13:34
August 03, 2018 Learn to automate deploy steps with envoy on affordable hosting. Why Envoy Envoy is a task runner put together by the Laravel team. When I can I like to use hosts like Pantheon and Platform.sh that give me a wealth of tools, containers in production, and a lot less DevOps headaches when something like Heartbleed happens 😱...

Mediacurrent: How to Build a Card Component

Jue, 08/02/2018 - 12:13

One of the most popular components on any website I've worked on is the card component.  Depending on the website, the card component is used to group various pieces of content into a container which can be used throughout your website.  Here’s an example of a card component in one of our projects.

In some instances, a card can be a user profile, content teaser/excerpt, latest news or events.  Today we will build a card component which will contain the information for the latest events.  This card can be used in the /events page to list all the latest events taking place.  The card can also be used in other pages and it may need to be displayed slightly different than the original card, this transformation is called "variations" and is usually achieved by passing a modifier CSS class to the original component which we can use to write different styles for the card.  More on this later.

Let's get started

First, let's take a look at what we are building so we have a visual of the code we will be writing.

As you can see from the images above, our card takes different shapes but the information in it remains the same or similar.  This is a common practice to modify components based on where and how they are being displayed.

Let's build the cardIdentify component's fields

Before starting to write any code, let's take a close look at the card images to identify the fields or data elements the card needs.  From the images above we can see the following fields will be needed:

  • Image
  • Title
  • Subtitle
  • Excerpt
  • Label or category
  • Label for comments
  • Label for time posted

Typically, components are built following the Atomic Design approach which basically means breaking things down into small pieces (atoms) and then combining those pieces to build more elaborate components.

In the interest of time, we are going to skip building each piece as its separate component and instead we will build the card as a whole.  I recently wrote a blog post on building flexible headings which demonstrate the approach I usually take when building components.

Architecting the component fields

We know the fields we need but it is helpful to determine what type of fields they are and what they will be called.  The table below gives us a good visual of our fields architecture.

Writing the code

1. In your components or patterns directory in your project, create a new folder called `card`

2. Inside the Card folder create two new files
          -  card.html
          -  card.css (we're using CSS to keep things simple.  Feel free to use Sass if you'd like).

3. In your card.html we'll start with the basic structure of the card

<article class="card">...</article>

So we've created an article tag as the card's container.  Why <article>  and not <div>?  Well, since the card is intended to contain an event's info, if we place a bunch of cards together it makes sense that each card is an individual event article.

4. Next we are going to create wrappers for the two types of data the card will hold.  The two types of data as we have seen from the table above are: Image/media and text or content.  Let's modify our code so it looks like this:

<article class="card">
 <div class="card__media">...</div>
 <div class="card__content">...</div>
</article>

The reason for splitting the image and the rest of the content is that this allows us to move things around independently of each other to create different variations of the card.  More on this later.

Let's pause to review how content will be laid out

If we look at the card images above, we see that some of the fields are either on the image side and others are grouped together separate from the image.  Although we could potentially place fields in the image or content wrappers, it makes sense to place them in the wrapper where they visually appear.

For example, the date and label fields (Photos), look like they belong in the same group as the image.  The rest of the fields will go in the Content wrapper.

5. Let's start with the image wrapper:

<article class="card">
 <div class="card__media">
   <img src="http://placehold.it/300x300" alt="Card image" />
   <div class="card__date">
     <span class="date--day">27</span>
     <span class="date--month">Mar</span>
   </div>
   <span class="card__category">Photos</span>
 </div>

 <div class="card__content">...</div>
</article>

So let's focus in the fields inside card__media. We see we have our image, which in this case is rendering a placeholder image.  Then we have a wrapper to hold the date fields (day and month).  Again, wrapping these two together makes it easy to manipulate them as a single item rather than two separate fields.  Lastly, we have the category for this content (Photos).  Since all these fields seem to belong together, it makes sense to place them the way we have.  Later on, we will use CSS to place each of the fields in their right position.

6. Now let's place the remaining fields inside the .card__content wrapper.  We will temporarily hide the fields in the .card__media wrapper to focus on the other fields.  Modify your markup to look like this:

<article class="card">
 <div class="card__media">...</div>

 <div class="card__content">
   <header class="card__header">
     <h2 class="card__title">City Lights in New York</h2>
     <div class="card__subtitle">The city that never sleeps</div>
   </header>
   <p class="card__excerpt">New York, the largest city in the U.S., is an architectural marvel with plenty of historic monuments, magnificent buildings and countless dazzling skyscrapers.</p>

   <footer class="card__meta" role="contentinfo">
     <span class="card__post-date">6 min ago</span>
     <span class="card__comments">39 comments</span>
   </footer>
 </div>
</article>

So the first thing we did was add a `<header>` tag to wrap the title and subtitle fields.  The header tag is a great way to indicate the role content plays in our component.  In addition, using semantically correct markup makes this component SEO friendly as well as accessible.  Next we have the teaser content wrapped in a <p> tag and finally, we add another semantic tag which is `footer` to wrap the publish date and comments fields.

Why this markup?

I'd like to bring up a couple of things to your attention regarding how I arrived at the markup above.  First, we are using BEM for naming CSS classes (card__title, card__comments, etc.).  BEM is great for creating associations on your component fields.  By looking at the markup you know where each field belongs.  This makes it easier to identify where you would find the styles or other assets for the component within your project when you have tons and tons of components.  The class card and all the other field classes are unique not only to this component but in the entire project.  This gives us the peace of mind that our styles will not inadvertently affect other areas of the website.

Notice I created two containers within the card (`card__media` and `card__content`). This allows me to split the card content into groups I can manipulate individually and independently of each other.  This will come in handy when we need to create a long or wide card.  In addition, by grouping multiple fields into a single container it is easier to manipulate the fields with CSS as a group rather than individually.

Atomic Design

If you are familiar with Atomic Design, you know the recommended way for building components is to break things down into the smallest pieces possible.  For example, in the card structure above, each of the fields that make up the card can actually be its own individual component.  Then we would combine them all into a whole new component (card).  In the interest of time/work, I am not breaking the card component into atoms. However, if I were building the card for a project I would definitely do that as this allows for components to be reused and save time/work in the long road.

Putting the entire card together

Now that we have built each piece of the card, your **card.thml** file should look like this:

<article class="card">
 <div class="card__media">
   <img src="http://placehold.it/300x300" alt="Card image" />
   <div class="card__date">
     <span class="date--day">27</span>
     <span class="date--month">Mar</span>
   </div>
   <span class="card__category">Photos</span>
 </div>

 <div class="card__content">
   <header class="card__header">
     <h2 class="card__title">City Lights in New York</h2>
     <div class="card__subtitle">The city that never sleeps</div>
   </header>
   <p class="card__excerpt">New York, the largest city in the U.S., is an architectural marvel with plenty of historic monuments, magnificent buildings and countless dazzling skyscrapers.</p>

   <footer class="card__meta" role="contentinfo">
     <span class="card__post-date">6 min ago</span>
     <span class="card__comments">39 comments</span>
   </footer>
 </div>
</article>

Card Styles

Now that we have the markup ready for the card component, we can begin writing our Sass/CSS to style it.  I am not going to go into detail about the styles as I have commented the parts that may need some explanation and should be easy to understand.  The main take away from writing styles for components with unique names is that there is little to no CSS nesting.  This makes overriding styles an easy task if there is ever a need to do so.  In addition, styles written for a component like this, don't run into the risk of leaking into other areas of the website.

That's a lot of CSS but it's all necessary to achieve the look and feel of the card.  It is important to know that your markup file (card.html), needs to reference your styles file (card.css) for things to work.  This may be obvious but if you are following along that's an extra step that needs to be done.
Creating a card variation

If  you would like to see the card displayed wide or horizontally, modify your card wrapper to look like this:

<article class="card card--wide">...</article>
 

Notice that by passing the CSS class of `card--wide` to the original card component we are able to change the orientation of the card from long to wide giving us an alternative variation to use without having to rebuild the card from scratch.  These variations are pretty powerful and present many advantages.

If you look at the styles, you will notice there is a block of CSS in which the card--wide is changed to move the card's content to the right of the image.  This is a great way to provide alternative views of a component without having to recreate the markup or styles for a component.

In closing

Building components is one of my favorite things to do as a developer and there are many advantages to this style of theming.  It's important to think through how components will be used so you can plan ahead how to best build a component that can be reused.  Rushing through building components without having a full understanding of where and how a component may be used can lead to duplicating code or redoing your work to accommodate new project requirements.

Agiledrop.com Blog: AGILEDROP: How to Embed Videos in Drupal 8

Mié, 08/01/2018 - 22:19
Videos have become a major part of the internet alongside images and of course text. They not only increase the engagement of your website but also making it more engaging. Historically, Drupal hasn’t been too media friendly and has been criticized for that compared to other CMS. But with Drupal 8 as well as its media initiative, those days are behind us. In this post, let’s take a look at how easy it is to embed a video on your Drupal 8 site. Start off by downloading the Video Embed Field module. Install the module and enable it (It requires the Drupal Media module to be enabled). Before we… READ MORE

Debug Academy: How to quickly patch your Drupal site for today's Moderately Critical security release ( SA-CORE-2018-005 )

Mié, 08/01/2018 - 21:04
Author: Ashraf Abed

Do you manage a Drupal site? You are likely to have heard about today's moderately critical security update: https://www.drupal.org/SA-CORE-2018-005

There's no time to spare - what now?

This update is has one key difference from the other recent security updates. Those security issues resided within Drupal core's code, whereas this update is in an external vendor package which Drupal core relies on. I'll spare you some of the details - the tl;dr is that makes it harder for us to provide a single patch you can reliably apply. Knowing the version of Drupal core you're running does not necessarily give us enough information to generate a patch.

Here is how to apply the security updates to your website if you are already on Drupal 8.5:

  • SSH into your website
    • Git add and commit all files
    • Create a database backup with drush:
      • drush sql-dump > ../../2018-08-01-pre-sa-core-2018-005.sql
  • Using Composer, and on Drupal 8.5.x?
    • composer update drupal/core --with-dependencies
    • Unsuccessful? Try: composer update drupal/core --with-all-dependencies
    • Still no luck? OK - this should work:
      • composer require symfony/http-foundation:~3.4.14
      • composer require symfony/http-kernel:~3.4.14
  • Not using composer, but are on Drupal 8.5.x?
    • I strongly recommend using composer in the near future. Until then, manually update the two packages:
    • ​Now that we have the new versions of the two packages, we need to replace the unsecure versions of those packages in our project:
      • Open your project
      • Within your project, find for these folders:
        • http-foundation
          • This can usually be found in: YOUR-PROJECT/vendor/symphony/http-foundation
        • http-kernel
          • This can usually be found in: YOUR-PROJECT/vendor/symphony/http-kernel
      • Those are the two unsecure folders. Note their location, and delete those folders
        • ​This step will break your website until the remaining steps are completed. Because of which, you should always perform development work on a dev environment, not on the live website.
    • Remember the zip files we downloaded earlier? Find those on your machine now.
    • Unzip the two zip files. You should now have these two folders on your computer:
      • http-foundation-3.4.14/
        • Rename this folder to http-foundation
        • Then move the renamed into your project, replacing the old http-foundation folder
          • This is normally YOUR-PROJECT/vendor/symphony/http-foundation
      • http-kernel-3.4.14/
        • Rename this folder to http-kernel
        • Then move the renamed folder into your project, replacing the old http-kernel folder
          • This is normally YOUR-PROJECT/vendor/symphony/http-kernel
    • Save (git add and commit) the updated folders on your website
    • Clear your websites cache
    • Test your website thoroughly
    • If everything looks good, you should be able to deploy these changes to the live website before clearing its cache

These steps come with no warranty, implied or otherwise.

Those steps will allow you to patch your site, not fully update it. Once the patches are in, you can rest assured that your site should now be secure. Take 24 hours off, then schedule fully updating your website to the latest version very soon. Future patches are not guaranteed to be applicable to earlier versions.

Drupal Association blog: Changes Coming for DrupalCon Seattle 2019

Mié, 08/01/2018 - 19:58

DrupalCon is evolving and improving to better meet your needs and those of the Drupal market. The goal of the project and the Drupal Association is to grow Drupal adoption and its impact in the world, and based on your feedback, we’re segmenting DrupalCon’s offerings -- which we affectionately call “tracks” -- to achieve this. This also comes with a different price point.

While the programming, speakers, sessions and more still make up the core of DrupalCon, for the first time, we’re retooling and creating more value to serve everyone in the Drupal lifecycle; builder/developers, agency owners, sales teams, content editors, marketers, end-user decision-makers….

The Backstory and Evolution

Growing adoption means inspiring and educating all decision-maker personas, so we’re creating programming and experiences uniquely tailored to each personas needs so that they can all find ways to participate in the continued evolution of the project.

Over the past few years, through surveys, evaluation forms, in-person comments, attendance data and meetings, the community provided valuable feedback and ideas about how DrupalCon North America could best target each of the differing attendees.

While making changes, we also want to make the experience for our alumni attendees even better. We pinpointed common themes and requests; namely more in-depth content, learning opportunities, and concentrated time for networking.

Serving Drupal's Personas

DrupalCon’s overall programming is now a siphoning of who you are and how your role uses Drupal. We’ll carve the Seattle conference center into 4 distinct areas; one for each persona track:

  • Builder Track
  • Agency Leadership Track
  • Content and Digital Marketing Track
  • Executive Summit

These tracks can better inform each group, allowing attendees’ time to be targeted and well-spent at DrupalCon as a whole. Each of these tracks will have their own space, their own journey and their own content -- with opportunities to come together in keynotes, social events, and the hallway track for the cross-pollination, community building, and DrupalCon’s culture of collaboration, which remain core benefits of attending the conference.

More About the Builder Track

As mentioned, in addition to expanding who DrupalCon serves, we also want to create a more valuable experience for returning attendees. The Builder Track will be for people who make the software and create the experience, with job roles including but not limited to: back end and front end developers, themers, QA specialists, technical leads and architects, site builders and other technical personas.

Here’s what’s new and different for this track, so that it better serves you:

  • Sessions will include multiple topic tags; content will be more accessible to attendees instead of in strict silos; no missing out!
  • Due to feedback, we have expanded our one-day programs to run on Monday and Tuesday, and our session, BoF and keynote content to full days on Wednesday and Thursday.
  • Adding new summits to provide expanded vertical networking opportunities in strong and emerging industries.
  • Increasing our offering of hands-on trainings and labs throughout the week to up-level knowledge.
  • We will work to provide more meaningful interactions at Drupal Association hosted social events.
  • More featured speakers -- offering new and relevant information from both inside and outside of Drupal.
  • Additional grants and scholarships so that a cross-section of contributors can attend.
  • An increase in the Speaker Inclusion Fund to ensure diverse voices and perspectives on our stages.
  • All-day free coffee (you read that right!)
In Dollar Terms

With all of this value comes another change that we haven’t made in three years, even as our costs to hold and host the event have escalated year over year: ticket prices. After careful consideration and analysis, the prices for 2019 have increased. Prices now align with industry standards in the North American market, yet remain the most affordable across the board. For context, Linux Open Source Summit starts at $950 and O’Reilly’s conferences start at $1,795. DrupalCon remains at or lower than similar events.

New Ticket Pricing:

Supporter Price

Conference Price

Early-Bird $595 $795 Regular $695 $894 Last Chance $795 $995 On-Site $1,095 $1,095

Supporting Partners’ organizations do a lot financially for Drupal, Drupal Association and DrupalCon. We recognize that many are also sponsors of DrupalCon and send numerous employees to attend every year. As a thanks for funding Drupal.org and the Engineering Team, we’re providing Supporting Partner organizations with a lower pricing tier on DrupalCon tickets moving forward.

To learn more about becoming a Supporting Partner, how fees fund Drupal.org, and how to get the supporter rate, click here.

Easing the Transition

While we are creating more value for DrupalCon attendees, we know it can be a challenge when pricing increases, so for 2019, we have an Individual Alumni Rate. If you have attended DrupalCon twice or more in recent years -- self-funded -- you have the opportunity to register with a different pricing structure. Those who attended both Nashville and Baltimore (or Nashville and Vienna) -- and who have provided us with their email contact information and opted in to our communications -- will be emailed this offer. If you are not opted in to DrupalCon communication but believe you qualify, you can go directly to https://seattle2019.drupal.org/registration. If you are logged in and you qualify, your Drupal.org username will allow you to access the registration button.

Supporting Partner organization employees who are sponsored by their employer to attend are not included in this rate; their early-bird rate is on par with the alumni rate.

Alumni registration opens Wednesday, August 1; General Registration opens Saturday, September 1 -- as does the Call for Papers.

Mark Your Calendars

We are committed to DrupalCon as the go-to event that accelerates the creation of Drupal digital experiences, and the place to collaborate with the largest open source community. The Drupal Association invites you to share what changes about the Con you're most excited about. Watch for our news outlining new programming, and we plan to see you face-to-face in Seattle, April 8-12, 2019!

Commerce Guys: Drupal Commerce 2.8 & Cart Flyout Module Updates

Mié, 08/01/2018 - 18:25

We recently released Drupal Commerce 2.8 and are excited to highlight some of the new features. We also published new releases of two key contributed modules that make lightning-fast, client-side Add to Cart forms possible, representing a significant improvement to the customer experience.

Drupal Commerce 2.8 adds BOGO support

The most significant new feature in the 2.8 release is the “Buy X, Get Y” offer type funded by Norwegian Drupal agency Ny Media. You can now configure promotions with just core functionality that grant free or reduced price products after a set number of other products have been added to the cart. This work required a re-architecture of parts of the promotions data model and a redesign of the user interface to make it easier for merchants to create promotions in general.

Other key updates and improvements in this release include:

Read the release notes to get the full scope of additional updates and also to learn about some backward compatibility breaks that affect custom promotions, custom tax types, and order processors. We'll keep chipping away at the core roadmap and plan to add query-level entity access to the API for the next release.

Commerce Cart Flyout “Add to Cart” Update

The newest release of the Cart Flyout module includes notable updates to its JavaScript based “Add to Cart” feature. In addition to powering an editable shopping cart in a “flyout” sidebar, it now improves the Add to Cart experience with a very fast client-side solution using resources defined by the Commerce Cart API.

The standard Add to Cart form uses Drupal’s Forms API to update form elements based on attribute selection. It can submit three to four Ajax requests on average while customers select a product variation, but the new module can build, update, and submit the form purely in the client via JavaScript. Because the server sends the browser all the data it needs to build the interactive form in the initial request, we're able to avoid any additional requests to the server until the customer is actually ready to initiate the Add to Cart. Check it out:

Following up on our Commerce 2.8 release, we've released updates to our Cart Flyout and Cart API modules to build, update, and submit dynamic Add to Cart forms purely in the browser via JavaScript. More on this decoupling effort in the latest blog: https://t.co/yXcZOv1RQy pic.twitter.com/bIikuiERaq

— Drupal Commerce (@drupalcommerce) August 1, 2018

Even under high visitor load, users will have a faster experience overall. Server resources are only devoted to users who decide to convert. Casual visitors can browse and modify product variations as much as they like and not affect other users’ load times. This is yet another step on our path toward providing a progressively decoupled eCommerce solution for the community to build robust experiences for merchants and consumers.

Lullabot: Quick Tip: Add a Loading Animation for BigPipe Content

Mié, 08/01/2018 - 16:22

BigPipe is a technique pioneered by Facebook that’s used to lazy-load content into a webpage. From the user’s perspective, the “frame” of a webpage will appear immediately, and then the content will pop in place when it’s ready. BigPipe has been included as a module in Drupal core since 8.1.x, and is very simple— just enable the module.

On my latest project, I'm using it to lazy-load content that’s generated from a very slow API call. The functionality works great out of the box, but we noticed a user-experience problem where the end-user would see a big blank area while the API call was waiting on a response. This behavior made the website seem broken. To fix this, we decided to implement a simple loading animation.

Finding the CSS selector to attach the animation to wasn’t as simple as I hoped it would be.

Spoiler: Let’s see the code

Looking for the code, and not the process? The CSS selector to target is below. Note that you’ll want to qualify this within a parent selector, so the loader doesn’t appear everywhere.

.parent-selector [data-big-pipe-placeholder-id] { /* Loading animation CSS */ }

BigPipe’s placeholder markup is only one <span> element, which makes styling tricky. Luckily, we can make use of CSS pseudo-selectors to make a Facebook-style throbber animation.

Here is some Sass with easy-to-use variables:

$pulse-duration: 0.2s; $pulse-color: rebeccaPurple; @keyframes pulse-throbber { 0% { opacity: 1; transform: scaley(1); } 100% { opacity: 0.2; transform: scaley(0.5); } } [data-big-pipe-placeholder-id] { position: relative; display: block; margin: 20px auto; width: 6px; height: 30px; background: $pulse-color; animation: pulse-throbber $pulse-duration infinite; animation-delay: ($pulse-duration / 3); animation-direction: alternate; &:before, &:after { content: ''; position: absolute; display: block; width: 100%; height: 100%; background: $pulse-color; top: 0; animation: pulse-throbber $pulse-duration infinite; animation-direction: alternate; } &:before { left: -12px; } &:after { left: 12px; animation-delay: ($pulse-duration / 1.5); } } Tracking down the placeholder’s CSS selector

Finding this selector wasn’t as simple as I initially hoped. The first technique that I tried was setting a DOM breakpoint in Chrome Developer Tools. This functionality allows you to pause the execution of JavaScript when a DOM element’s attributes change, the element gets removed, or any descendant DOM elements are modified.

In our case, we want to set a breakpoint when any descendant element is modified and then reload the page. Hopefully, when BigPipe inserts the rendered HTML, the breakpoint will trigger, and we can then inspect the placeholder HTML to find the appropriate CSS selector.

undefined

Unfortunately, this didn’t work. Why? I’m still not sure. This appears to be a bug within Google Chrome. I created an issue within the Chromium bug tracker and will update this article when there’s progress.

PHP Breakpoints to the rescue!

Because I know I’m using the BigPipe module to stream the content in, the next step is setting a PHP breakpoint within the BigPipe module within PHPStorm. I ended up setting a breakpoint within the sendContent() function within BigPipeResponse.php. This had the expected result of pausing the lazy-loading of the content, which enabled me to easily inspect the HTML prior so I could find the placeholder’s selector.

undefinedundefined Conclusion

Sometimes a seemingly simple theming task ends up being tricky. It’s important to understand proper front-end and backend debugging techniques because you never know when you’re going to need them in a pinch. Hopefully, this article will save someone from having to go through this process.

Photo by Jonny Caspari on Unsplash

Security advisories: Drupal Core - 3rd-party libraries -SA-CORE-2018-005

Mié, 08/01/2018 - 15:54
  • Advisory ID: SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01
Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Dries Buytaert: Acquia a leader in 2018 Gartner Magic Quadrant for Web Content Management

Mié, 08/01/2018 - 15:49

Today, Acquia was named a leader in the 2018 Gartner Magic Quadrant for Web Content Management. Acquia has now been recognized as a leader for five years in a row.

Acquia recognized as a leader, next to Adobe and Sitecore, in the 2018 Gartner Magic Quadrant for Web Content Management.

Analyst reports like the Gartner Magic Quadrant are important because they introduce organizations to Acquia and Drupal. Last year, I explained it in the following way: "If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO or CMO wants to spend $250,000 or more on enterprise software, they often consult an analyst firm like Gartner.".

Our tenure as a top vendor is not only a strong endorsement of Acquia's strategy and vision, but also underscores our consistency. Drupal and Acquia are here to stay, which is a good thing.

What I found interesting about year's report is the increased emphasis on flexibility and ease of integration. I've been saying this for a few years now, but it's all about innovation through integration, rather than just innovation in the core platform itself.

An image of the Marketing Technology Landscape 2018. For reference, here are the 2011, 2012, 2014, 2015, 2016 and 2017 versions of the landscape. It shows how fast the marketing technology industry is growing.

Today, there is an incredible amount of value in community-driven innovation. Just look at the 2018 Martech 5000 — the supergraphic now includes 7,000 marketing technology solutions, which is a 27% increase from a year ago. This accelerated innovation isn't exclusive to marketing technology; its happening across every part of the enterprise technology stack. From headless commerce integrations to the growing adoption of JavaScript frameworks and emerging cross-channel experiences, organizations have the opportunity to re-imagine customer experiences like never before.

It's not surprising that customers are looking for an open platform that allows for open innovation and unlimited integrations. The best way to serve this need is through open APIs, decoupled architectures and an Open Source innovation model. This is why Drupal can offer its users thousands of integrations, more than all of the other Gartner leaders combined.

When you marry Drupal's community-driven innovation with Acquia's cloud platform and suite of marketing tools, you get an innovative solution across every layer of your technology stack. It allows our customers to bring powerful new experiences to market, across the web, mobile, native applications, chatbots and more. Most importantly, it gives customers the freedom to build on their own terms.

Thank you to everyone who contributed to this result!

Acquia Developer Center Blog: A Simple Way to Communicate Better with Your Customers

Mié, 08/01/2018 - 13:03

Whenever you get into a situation where you are not sure which version of Drupal to use, or you expect to get challenged by a client, my recommendation is to use the approach of putting together the pros and cons, and see what insights emerge.

This actually is a good follow-up to our discussion around Drupal 7 vs Drupal 8. So let's build a table for that case as an example.

Tags: acquia drupal planet

Savas Labs: How to transition your website from HTTP to HTTPS

Mar, 07/31/2018 - 21:00

How to move from serving your site over HTTP to HTTPS. Spoiler alert: there are some easy ways to do this with various Drupal hosting options. A quick read for guidance. Continue reading…

Acquia Developer Center Blog: 10 Reasons Why You Should Start Your New Project in Drupal 8 (instead of Drupal 7)

Mar, 07/31/2018 - 15:02

Sorry Drupal 7, it’s not you, but it’s time to move on... (to Drupal 8).

As developers, we sometimes forget that we live in a tech bubble. In our highly technical world we assume things that not everyone sees.

For example, there are still reasons that clients frequently cite to justify staying in an old version of Drupal, in this case Drupal 7, instead of starting a new project straight away in Drupal 8. This is true even when we are talking about starting a brand new project (as opposed to just migrating).

Tags: acquia drupal planet

Drupal blog: Building digital backpacks for Syrian refugees

Mar, 07/31/2018 - 12:41

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

I recently heard a heart-warming story from the University of California, Davis. Last month, UC Davis used Drupal to launch Article 26 Backpack, a platform that helps Syrian Refugees document and share their educational credentials.

Over the course of the Syrian civil war, more than 12 million civilians have been displaced. Hundreds of thousands of these refugees are students, who now have to overcome the obstacle of re-entering the workforce or pursuing educational degrees away from home.

Article 26 Backpack addresses this challenge by offering refugees a secure way to share their educational credentials with admissions offices, scholarship agencies, and potentials employers. The program also includes face-to-face counseling to provide participants with academic advisory and career development.

The UC Davis team launched their Drupal 8 application for Article 26 Backpack in four months. On the site, students can securely store their educational data, such as diplomas, transcripts and resumes. The next phase of the project will be to leverage Drupal’s multilingual capabilities to offer the site in Arabic as well.

This is a great example of how organizations are using Drupal to prioritize impact. It’s always inspiring to hear stories of how Drupal is changing lives for the better. Thank you to the UC Davis team for sharing their story, and continue the good work!

Web Wash: Create Dropdown Menus using Superfish in Drupal 8

Mar, 07/31/2018 - 10:30

The Superfish module allows you to create multi-level dropdown menus in Drupal 8. The module uses the JavaScript Superfish library to create and display a Superfish menu block for each menu available on your site.

With a few configuration options, you can control how it’ll behavior on mobile, turn multi-column menus, change the styling and more.

The module does come with a few styling options but you’ll have to style it yourself to match your theme. When you configure Superfish the first time the dropdown functionality will, however, it may not look good.

In this tutorial, you’ll learn how to install the module and how to configure it.

OpenSense Labs: Going All Guns Blazing: Enforce Strong Password Policies with Drupal

Mar, 07/31/2018 - 08:58
Going All Guns Blazing: Enforce Strong Password Policies with Drupal Shankar Tue, 07/31/2018 - 17:28

Ali Baba and the Forty Thieves, invented in the 18th century by the French Orientalist Antoine Galland, portrays the literary history of the password. The invocation, “Open, Sesame!” which was used in this classic tale to open the magically sealed cave enjoys a broad currency as a catchphrase today.


With the rapidly evolving digital space, password security is even more crucial and needs the right kind of strategic perspective with strong policies. Drupal, being one of the most secure platforms among the leading content management systems, can help in enforcing password policies with its enormous security-oriented abilities. 

Password Policy: A Close Look

Password security was brought into the computing world through the invention of the Compatible Time-Sharing System and Unics (Unix) system.  This was developed at the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. The concept of the password was developed so that the users could only have the access to specific files in their allotted time of computer usage.

Source: Digital Guardian

A password policy is a particular collection of rules that enables proper storage and utilisation of passwords, helps in the creation of dependable and secure passwords and enhances computer security. Commonly, it is part of the official regulations of an organisation and might be employed as a component of security awareness training.

On what basis can you formulate password policy? One of the best collection of guidelines for password policy comes from the National Institute of Standards and Technology (NIST) which is a part of the U.S. Department of Commerce. They have framed a set of Digital Identity Guidelines that provide a great basis on which password policy can be crafted.

The guidelines provided by NIST stresses on user-friendliness. It states that excessively onerous password policies often impacts negatively. For instance, if the users are forced to change their passwords every week, many of them would wind up choosing bad passwords.

Security has always been a compromise between allaying risk and convenience.

A research from Microsoft on password strategies suggests that simple passwords, which can be easily memorised, should be used for low-risk sites. Intricate passwords should be reserved for the sites where the security risks warrant huge repercussions. This suggestion is debatable but it illustrates the trade-off.

For instance, if your site involves users sharing fields of their pet dogs, you can have a lenient approach towards your password policy. Complex passwords may be used for sites where users access sensitive financial or healthcare-related data.    

Can Drupal modules and configurations be used for implementing strong password policies?

Drupal’s rich security features for enforcing strong password policies

By default, Drupal offers guidance on how to make your password stronger. But it does not enforce any password policy out-of-the-box. In order to do that, it comes with a huge library of modules that can help in the enforcement of firm password policies.

Setting restrictions on password

Password Policy, a Drupal module, allows you to lay a set of requirements on passwords that are created by the users. These requirements comprise of length, digits, case, punctuation etc. For instance, you can set what sort of characters and in what amount could be used in a password. It also comes with a password expiration feature.

Setting composition rules

The Password Policy lets you set up intricate composition rules for the passwords. But another Drupal module, Password Strength, offers a user-friendly alternative to prescriptive composition rules. It offers real-time password strength measurement and server-side enforcement.

NIST guidelines suggest that spaces are permitted in passwords which can contribute towards more user-friendly policies when it comes to passphrases. Drupal allows spaces in passwords out-of-the-box.

In case, you do not need any special locks, you can disable the password strength check using a Drupal module called Password Strength Disabler and allow users to feel at ease while creating passcodes.

Avoiding hints and reminders

In case, your website requires hints and reminders, you can add an additional lock to the doors by incorporating security questions while logging in and resetting passwords. Security Questions, a Drupal module, helps you in achieving this numerous configurable options.

However, NIST guidelines suggest that it is better to avoid hints and reminders. Security questions which are fairly easy to guess can be used to compromise user accounts.

But Drupal offers another very useful module called Username Enumeration Prevention which can make it difficult for website hackers to find the usernames and attempt any brute-force attacks.

Leveraging authentication procedure

In case, you need more than one lock, the Two-factor Authentication module can come in handy. It provides an extra layer of security to the authentication procedure. This can be one-time passwords (OTP), codes sent through SMS, or pre-generated codes. It also allows integration with third-party services like Authy, Duo etc.

An authentication and authorisation infrastructure system, Shibboleth is capable of granting individual users with safe, anywhere, anytime access to resources which are available online. Shibboleth authentication, Drupal module, offers user authentication with Shibboleth.

This confrontation in the so-called shibboleth incident in the 12th chapter of the biblical Book of Judges delineates the earlier forms of password security:

“ ‘Say now Shibboleth’; and he said ‘Sibboleth’; for he could not frame to pronounce it right; then they laid hold on him, and slew him at the fords of the Jordan.” Implementing rate-limiting

Drupal does rate-limiting out-of-the-box. But there is no particular UI which exposes configuration that can be tweaked. Flood control, a Drupal module, allows you to limit the number of login attempts by using a convenient admin interface.

To take rate-limiting a step further, Login security module can be beneficial. It helps in limiting the number of invalid login attempts before blocking accounts or denying access by IP address temporarily or even permanently.

To facilitate the login attempts limitation by blocking out the sources of malicious requests, Fail2ban Firewall Integration module offers an automated firewall tool.

Enhancing login features

If your website is available via both HTTP and HTTPS, Secure Login module can ensure that your user login forms or other pages are transmitted via HTTPS. This keeps the passwords hidden from the prying eyes of hackers.

It is always appreciated when the user is given the convenience of using an all-in-one login. OneAll Social Login module allows users to sign in on your website using their social network accounts like Facebook, LinkedIn Twitter, Instagram etc.

In case, an user types an email address incorrectly in a sign-up form, he will not get any confirmation emails which can be troublesome. Email Verify module verifies whether the email address typed by the user exists or not.

Doing away with passwords altogether

What if you do not want to enter a password at all? The Passwordless module gives a possibility of logging in without using a password at all. So if a user has to log in, only the email address would be required. A login link will be sent to that email address which will be valid for 24 hours.

Outlining best practices of password policy

While Drupal is very efficacious in enforcing strong password policies, it is imperative to understand the best practices that can be adopted for incorporating intelligent password policy.

Source: Dashlane
  • Adopting the 8 + 4 rule can be beneficial. You can use 8 characters with 1 upper-case and 1 lower-case, a special character like an asterisk and a number. Make it as random as possible. Also, make sure the numbers and symbols are spread out through the password to foil hackers.
  • Avoid using personal information like your birth date or last name etc.
  • Use different passwords for different accounts. This can be helpful if there are numerous computers in the same department.
  • Adopting passphrases in combination with symbols and numbers can be useful. For example, The Sun Will Rise Again Tomorrow. Also, keep the characters less in the passwords that are easier to remember.
  • You may consider not changing the passwords frequently and it is safer not to write them down anywhere.
  • Do not share the password over electronic media.
  • Add other barriers like two-factor authentication and multi-factor authentication.
  • Set a number that will lock the user out after few unsuccessful attempts.
Conclusion

Password security has evolved over the years in the digital arena. It is significant to have a strong set of rules while deploying password policies. They should not only assist users in avoiding bad passwords but aid in employing high entropy secure passwords. Drupal provides a superb platform to enforce strong password policies with its amazing set of modules.
 
Not only we aid in Drupal development, we also provide continuous support and maintenance services, Contact us at hello@opensenselabs.com to for the enforcement of strong password policies in your business environment.

blog banner blog image drupal security password password security password policy cyber security website security Drupal 8 Drupal module authentication two-factor authentication multi-factor authentication Security Modules Blog Type Articles Is it a good read ? On

Agiledrop.com Blog: AGILEDROP: Rachel Lawson on the road with Drupal

Mar, 07/31/2018 - 06:57
Agiledrop is highlighting active Drupal community members through a series of interviews. Learn who are the people behind Drupal projects.  This week we talked with Rachel Lawson. Learn how did she first came across Drupal, what change she just saw that she was working on and on what contributors she is most proud of.   1. Please tell us a little about yourself. How do you participate in the Drupal community and what do you do professionally? Well, I did spend a few years as a Drupal site-builder and maybe-developer and got involved in core contribution and mentoring, but recently I took… READ MORE

S. M. Bjørklund: PHP method chaining - Fluent interface

Mar, 07/31/2018 - 06:36

If you have used ever used Drupal or any other frameworks like Symfony, Laravel and so on have you probably come across code that look something like:

Gizra.com: WebdriverIO Tests with Multiple Browsers

Mar, 07/31/2018 - 02:00

Everything was working great… and then all the tests broke.

This is the story of how adding a single feature into an app can break all of your tests. And the lessons can be learned from it.

The Feature that Introduced the Chaos

We are working on a Drupal site that makes uses of a multisite approach. In this case, it means that different domains are pointed at the same web server and the site reacts differently depending on which domain you are referencing.

We have a lot of features covered by automatic tests in Webdriver IO – an end to end framework to tests things using a real browser. Everything was working great, but then we added a new feature: a content moderation system defined by the workflow module recently introduced in Drupal 8.

The Problem

When you add the Workflow Module to a site – depending on the configuration you choose – each node is no longer published by default until a moderator decides to publish it.

So as you can imagine, all of the tests that were expecting to see a node published after clicking the save button stopped working.

A Hacky Fix

To fix the failing test using Webdriver you could:

  1. Login as a user A.
  2. Fill in all the fields on your form.
  3. Submit the node form.
  4. Logout as user A.
  5. Login as user B.
  6. Visit the node page.
  7. Publish the node.
  8. Logout as user B.
  9. Login back as user A.
  10. And make the final assertions.

Here’s a simpler way to fix the failing test:

You maintain your current test that fills the node form and save it. Then, before you try to check if the result is published, you open another browser, login with a user that can publish the node, and then with the previous browser continue the rest of the test.

Multiremote Approach

To achieve this, Webdriver IO has a special mode called multiremote:

WebdriverIO allows you to run multiple Selenium sessions in a single test. This becomes handy when you need to test application features where multiple users are required (e.g. chat or WebRTC applications). Instead of creating a couple of remote instances where you need to execute common commands like init or url on each of those instances, you can simply create a multiremote instance and control all browser at the same time.

The first thing you need to do is change the configuration of your wdio.conf.js to use multiple browsers.

export.config = { // ... capabilities: { myChromeBrowser: { desiredCapabilities: { browserName: 'chrome' } }, myFirefoxBrowser: { desiredCapabilities: { browserName: 'firefox' } } } // ... };

With this config, every time you use the variable browser it will repeat the actions on each browser.

So, for example, this test:

var assert = require('assert'); describe('create article', function() { it('should be possible to create articles.', function() { browser.login('some user', 'password'); browser.url('http://example.com/node/add/article') browser.setValueSafe('#edit-title-0-value', 'My new article'); browser.setWysiwygValue('edit-body-0-value', 'My new article body text'); browser.click('#edit-submit'); browser.waitForVisible('.node-published'); }); });

will be executed multiple times with different browsers.

Each step of the test is executed for all the browsers defined.

Instead of using browser you can make use of the keys defined in the capabilities section of the wdio.conf.js file. Replacing browser with myFirefoxBrowser will execute the test only in the Firefox instance, allowing you to use the other browser for other types of actions.

Using the browser name, you can specify where to run each step of the test. The Custom Command Problem

If you take a deeper look at previous code, you will notice that there are three special commands that are not part of the WebdriverIO API. login, setValueSafe and setWysiwygValue are custom commands that we attach to the browser object.

You can see the code of some of those commands in the drupal-elm-starter code.

The problem is – as @amitai realized some time ago – that custom commands don’t play really well with the multiremote approach. A possible solution to keep the custom commands available in all of the browsers is to use some sort of class to wrap the browser object. Something similar to the PageObject pattern.

An example of the code is below:

class Page { constructor(browser = null) { this._browser = browser; } get browser() { if (this._browser) { return this._browser; } // Fallback to some browser. return myChromeBrowser; } visit(path) { this.browser.url(path); } setWysiwygValue(field_name, text) { this.browser.execute( 'CKEDITOR.instances["' + field_name + '"].insertText("' + text + '");' ); } login(user, password) { this.visit('/user/login'); this.browser.waitForVisible('#user-login-form'); this.browser.setValue('#edit-name', user); this.browser.setValue('#edit-pass', password); this.browser.submitForm('#user-login-form'); this.browser.waitForVisible('body.user-logged-in'); } } module.exports = Page;

So now, you have a wrapper class that you can use in your tests. You can create multiple instances of this class to access the different browsers while you are running a test.

var assert = require('assert'); var Page = require('../page_objects/page'); describe('create article', function() { it('should be possible to create articles.', function() { let chrome = new Page(myChromeBrowser); let firefox = new Page(myFirefoxBrowser); chrome.login('some user', 'password'); firefox.login('admin', 'admin'); chrome.visit('http://example.com/node/add/article') chrome.setValueSafe('#edit-title-0-value', 'My new article'); chrome.setWysiwygValue('edit-body-0-value', 'My new article body text'); chrome.browser.click('#edit-submit'); // Here is where the second browser start to work. // This clicks the publish button of the workflow module firefox.visit('/my-new-article'); firefox.browser.click('#edit-submit'); // Once the node was published by another user in another browser // you can run the final assertions. chrome.browser.waitForVisible('.node-published'); }); }); What About Automated Tests?

You may be also wondering, does this work seemlessly for automated tests? And the answer is: yes. We have only tried it using the same browser version in different instances. This means that we trigger several chrome browser instances that acts as independent browsers.

If you have limitations in how many cores you have availble to run tests, it should not limit how many browsers you can spawn. They will just wait their turn when a core becomes available. You can read more on how we configure travis to optimize resources.

As you can see, having multiple browsers available to run tests simplifies their structure. Even if you know that you will not need a multiremote approach at first, it may be a good idea to structure your tests using this browser wrapper, as you don’t know if you will need to refactor all of your tests to run things differently in the future.

This approach also can help to refactor the ideas provided by one of our prior posts. Using JSON API with WebdriverIO Tests so you don’t need to worry about login in with the right user to make the json requests.

Continue reading…

Páginas