Drupal articles

Patching Drupal without server access

3rd Apr 2018

If you don't have access to the file system on the server for a Drupal site, when a security issue like Drupalgeddon2 comes along, you are entitled to panic! Many sites are run by a combination of teams, so sometimes you really don't have control over the server... but that might even mean there is another way to apply fixes. If you've been tasked with updating such a site (I was!), it's worth checking if the server has been misconfigured in such a way as to actually allow you to patch Drupal, via Drupal!

A heavy caveat first: we would never...


Fixing Drupal, really quickly

3rd Apr 2018

Drupalgeddon2 happened! We got all but two of our projects updated within an hour, with those remaining trickier two fully patched another hour later. The key was planning the right process using the right tools. We actually use these tools for regular deployments every day, but speed was essential for this security update. Here's what we did, since some of you may be interested.

  1. Our on-call developers split up the various sites/environments/projects that would need updating amongst themselves, using a simple online shared spreadsheet.

  2. Ahead of time, we prepared pull requests for sites that simply use Drush make...


After drupalgeddon2, ComputerMinds to migrate all sites to brand new Perl based CMS.

1st Apr 2018

In light of the recent Drupal security release we at ComputerMinds have taken the decision to rebuild all our client sites in a brand new bespoke CMS custom built in Perl.

Our new CMS, codenamed F001, offers significant improvements over the Drupal architecture - mainly by managing to fit the entire codebase into a single line of code. Other significant improvements include:

  1. Support for HTML1.0 only. By standardising on this well established HTML version we have completely eliminated any cross browser issues, drastically reducing testing time and complexity.

  2. Removing all javascript. Everyone knows javascript is a horrid...


Drupal security release SA-CORE-2018-002 - now the dust has settled

29th Mar 2018

No one seems quite sure what to call SA-CORE-2018-002, although there does seem to be a trend towards drupalgeddon2. Whatever we call it, it's here and it is every bit as scary as everyone had feared - the key lines from the update:

How difficult is it for the attacker to leverage the vulnerability? None (user visits page).

What privilege level is required for an exploit to be successful? None (all/anonymous users).

Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.

Can this exploit allow system data (or data handled by the system) to be compromised?...


Preparing for PSA-2018-001

28th Mar 2018

If you are reading this, then you are probably already aware of the impending security update that is due to drop this evening (UK time). At this stage, it is not clear quite how serious the security update is; we are hoping it's not at the level of Drupalgeddon (PSA-2014-003 - Oct '14) - but we are working on the assumption that it is.

So this means we are aiming to get all sites we manage - including any test sites - secure and patched within 30 minutes of the release being made available.

Our developers are either...


Class naming for Javascript development in Drupal

14th Mar 2018

We've settled on what we think is a best practice for class naming for Javascript in Drupal – let me explain what I mean and then talk you through our reasoning.


Render a Drupal 9 View programmatically (Render arrays FTW!)

12th Mar 2018

Extra quick tip for developers working with Drupal 8 or 9: Adding views to your page content is now incredibly straightforward:

$content['editor_tools']['view'] = [
  '#type' => 'view',
  '#name' => 'editor_tools',
  '#display_id' => 'embed',
  '#arguments' => [
    123,
  ],
];

And that's it! $content is my render array which I'll return and let Drupal render. I suspect most of the bits there are self-explanatory, but in case they aren't:

  • '#type' => 'view' is the magic that lets Drupal's rendering system know that this array represents a view to render.
  • '#name' is the machine name of the view you want...

Quickly creating github pull requests from the command line

2nd Mar 2018

Following on from my feature branching bash script I thought I would do another quick post about a super handy tool I use to streamline my dev workflow a little more (marginal gains and all that).

Hub is a command line tool that lets you do all kinds of clever GitHub stuff without ever having to open a browser.

All the setup instructions are here https://hub.github.com/ - it's pretty simple to get working (if I can do it ...).  I wasn't quite brave enough to alias my git command so I skipped that bit!


A quick bash script to make feature branching a bit easier

8th Feb 2018

During a typical working day I can easily flip between 15 projects, fixing small bugs or working on various features. Each flip normally requires a new feature branch, and I found myself repeating myself. A lot. I'm a parent so I'm pretty used to this, but in this instance I figured I could probably do something about it - so put together a simple bash script.


Avoiding sending Personally Identifiable Information (PII) to Google Analytics with Drupal

1st Feb 2018

Having PII in Google Analytics is a big no-no: it violates their terms of service and can cause you to have to remove all your analytics data - not fun.

The good news is, most 'standard' Drupal sites using most 'standard' GA implementations avoid sending any PII with one exception - and that is the user password reset page.

The problem occurs when a user attempts to login but enters an incorrect password. They are then presented with a message saying "Unrecognised username or password. Have you forgotten your password?". The "forgotten your password" bit is a link to...
