Feed aggregator

Chocolate Lily: Open Outreach welcomes new partner Praxis Labs

Drupal Planet - Tue, 2014-12-02 12:24

A managed hosting service will be the first fruit of a new partnership between Chocolate Lily Web Projects and the Montreal-based cooperative Praxis Labs aimed at strengthening and expanding the nonprofit-focused Open Outreach Drupal distribution.

Collaboration between Chocolate Lily and Praxis comes out of a community engagement process that began last fall.

Categories: Drupal

Linnovate: Drupal And the Disappearing Images Mystery

Drupal Planet - Tue, 2014-12-02 11:03

After working many years with a specific framework, you sometimes face difficulties that in other situations, specifically while learning a new language or framework, would not even challenge you.
One example of such a case is one I’ve encountered this past week, and to tackle it, all I needed to do was actually read the Drupal docs and not just flip through them.
One of my clients came to me and told me that all of the images he’s uploading to his site are deleted from the files directory of his Drupal project after several hours.
After checking that the images are created successfully in Drupal’s temp directory and are then moved to the files directory as they should be, I began checking for any file/image related modules and any Drupal configurations that could hint at a relation to the problem.
Having checked those off, I started to look at custom code developed by our programmers; as this is a more time-consuming task I had not started with it, but knew from the beginning that this is probably where the culprit could be found.
While carefully combing the code I landed upon a Form API piece of code related to an image field, similar to this:

    <?php
    // Use the #managed_file FAPI element to upload an image file.
    $form['image_example_image_fid'] = array(
      '#title' => t('Image'),
      '#type' => 'managed_file',
      '#description' => t('The uploaded image will be displayed on this page using the image style chosen below.'),
      '#default_value' => variable_get('image_example_image_fid', ''),
      '#upload_location' => 'public://image_example_images/',
    );
    ?>

This piece of code will add a nice file/image field to the page and will allow you to attach an image to the current entity.
After finding the “managed_file” type documentation, the problem and the solution were clear.

Note: New files are uploaded with a status of 0 and are treated as temporary files which are removed after 6 hours via cron. Your module is responsible for changing the $file objects status to FILE_STATUS_PERMANENT and saving the new status to the database. Something like the following within your submit handler should do the trick.

    <?php
    // Load the file via file.fid.
    $file = file_load($form_state['values']['my_file_field']);
    // Change status to permanent.
    $file->status = FILE_STATUS_PERMANENT;
    // Save.
    file_save($file);
    // Record that the module (in this example, user module) is using the file.
    file_usage_add($file, 'user', 'user', $account->uid);
    ?>

So in order to prevent the (weird – in my opinion) automatic 6 hour cron deletion of the uploaded images you have to add a submit handler and inside it add that piece of code.
To clarify and help those in need, this is an expanded example of a form and submit functions.

    <?php
    $form = drupal_get_form('my_module_example_form');
    // ...

    function my_module_example_form($form, &$form_state) {
      $form['image_example_image_fid'] = array(
        '#title' => t('Image'),
        '#type' => 'managed_file',
        '#description' => t('The uploaded image will be displayed on this page using the image style chosen below.'),
        '#default_value' => variable_get('image_example_image_fid', ''),
        '#upload_location' => 'public://image_example_images/',
      );
      $form['submit'] = array(
        '#type' => 'submit',
        '#value' => t('Submit'),
      );
      return $form;
    }

    function my_module_example_form_validate($form, &$form_state) {
      // Validation logic.
    }

    function my_module_example_form_submit($form, &$form_state) {
      // Submission logic.
      // The current user, used below as the entity the file is attached to.
      global $user;
      // Load the file via file.fid. The key must match the form element name.
      $file = file_load($form_state['values']['image_example_image_fid']);
      // file_load() returns FALSE when no file was uploaded.
      if ($file) {
        // Change status to permanent.
        $file->status = FILE_STATUS_PERMANENT;
        // Save.
        file_save($file);
        // Record that the module (in this example, user module) is using the file.
        file_usage_add($file, 'user', 'user', $user->uid);
        // A more generic example of file_usage_add:
        // file_usage_add($file, 'my_module_name', 'user or node or any entity', 'that entity id');
        // You don't need to use file_usage_add() if you're not attaching the image to an entity.
      }
    }

Originally posted on my personal blog.

 
Categories: Drupal

Amazee Labs: DrupalCamp Moscow 2014

Drupal Planet - Tue, 2014-12-02 11:00

It must be weird, but living in Russia I have never attended a Russian Drupal event. I was at DrupalCon Prague 2013 and have attended Ukrainian DrupalCamps several times before. Ukraine is located much closer to the town where I live than the Russian capital is, so for me it’s faster to get to the neighbouring country than to visit Moscow.

Amazee Labs travels back to the USSR

This time I decided to visit a Russian Drupal event, DrupalCamp Moscow 2014. I didn’t know what to expect. Another country means another people. But with the Drupal community, this rule never works. Drupal folks are pretty much the same all around the world: sociable, nice, friendly, and always ready to help! If you are a professional drupalist, or a newbie, or even if you know nothing about Drupal… You are always welcome!

And this is exactly what Boris and Corina were talking about in their blog posts “Be a part of the community” and “Being part of the community - a non-techie perspective”.

@duozersk is talking about #angularJS and #drupal http://t.co/KbMheeFSY6 #dcmsk pic.twitter.com/Cqrl6yLifb

— Nikolay Shapovalov (@RuZniki) 29. November 2014

 

The sessions I attended were good. I learned how Russian drupalists work with Solr, which we use a lot at Amazee Labs, learned some new techniques for high-performance sites, went to Drupal 8 theming, and even learned some cases of using AngularJS with Drupal.

Speaking at Moscow State University, feeling like a professor

For us at Amazee Labs it is an essential part of our company culture to contribute back to the community. We are a proud sponsor of the event, and I shared our knowledge and know-how by giving a presentation about Drupal 8 configuration management. My next post will be about it. Subscribe to our RSS Feed, Twitter, or Facebook page to not miss it ;)

Categories: Drupal

Drupalize.Me: Drupal 8 Core, Now with More Fields

Drupal Planet - Tue, 2014-12-02 10:00

One of the things I like most about Drupal 8 as a site builder is how quickly you can get up and running on creating a new site. Although the installer takes a tad (insert jokes here) longer than Drupal 7, you get so much more out of the box. No need to install Drupal and head to Drush to download/enable a handful of modules just to get your site ready. For example, just to get something like an email field was yet another download. Of course, there is Views in Core, but another great thing is a much larger plethora of field types. Now in Drupal 8 there are a handful of useful fields in Core:

Categories: Drupal

Another Drop in the Drupal Sea: It's Giving Tuesday, Drupal community!

Drupal Planet - Tue, 2014-12-02 09:57

Today is Giving Tuesday, "a global day dedicated to giving back."

Drupal's tagline is "Come for the software, stay for the community." I'd like to ask you to consider supporting the Teach Yourself Drupal Kickstarter campaign to create a free totally open source online Drupal training product. By backing this project, you will be giving a gift that keeps on giving back to the Drupal community.

Categories: Drupal

3C Web Services: Creating custom Contextual links in Drupal 7

Drupal Planet - Tue, 2014-12-02 09:46
How to add your own, custom context links to Drupal Views and Nodes using the Custom Context Links module.
Categories: Drupal

CoreOS Announces Competitor To Docker

Slashdot - Tue, 2014-12-02 00:12
New submitter fourbadgers writes: CoreOS, the start-up making the CoreOS Linux distribution, has announced Rocket, a container management system that's an alternative to Docker. CoreOS is derived from Chrome OS and has a focus on lightweight virtualization based on Linux containers. The project has been a long-time supporter of Docker, but saw the need for a simpler container system after what was seen as scope-creep in what Docker provides.


Categories: Linux News

NEWMEDIA: Coming Soon to a Hacked Drupal Site Near You: Stolen Credit Card Data

Drupal Planet - Mon, 2014-12-01 22:59
Six weeks ago, the Drupal Security Team disclosed one of the most critical vulnerabilities in the history of the project. Today we're still seeing usage statistics that indicate tens of (if not hundreds of) thousands of Drupal sites are still at risk. Given that approximately 10% of all reported Drupal installations have an eCommerce component enabled, it's only a matter of time before we start seeing reports of stolen credit card data.

I’ve been closely watching the fallout of the SA-CORE-2014-005 Drupal core security advisory, which is sometimes referred to as “Drupageddon” to emphasize the severity of this security issue. If this is the first time you’ve heard of this, then I highly encourage you to read this comprehensive overview before continuing below. My goal is not to rehash what has already been stated in this and the many other recap articles out there. As a member of the Drupal security team and co-author of the Drupal PCI Compliance White Paper, I’m much more interested in the repercussions of SA-CORE-2014-005 on the eCommerce community, which (in my honest opinion) hasn’t been sufficiently addressed.

It’s important to state for the record that it’s not my intention to spread FUD or come off as an alarmist. Had that been the goal, I would have published this article immediately after the disclosure and the numbers I would have had to report at the time would have been purely speculative. Six weeks later, we can have an honest and open discussion about what is left in front of us.

The Good News

The exploit was responsibly disclosed to the Drupal security team rather than keeping it a secret, selling this information to the highest bidder, or leveraging it as a zero-day exploit. Any one of these alternative scenarios would have given the community zero preparation in what could have been a catastrophic attack against every known Drupal site. While clearly not everyone was spared, the damage was significantly reduced (see below).

In terms of preparation, I’m very impressed with Acquia, Pantheon, and Platform.sh, each of which deployed system-wide protections that significantly reduced (and in some cases outright eliminated) the vulnerability for any Drupal 7 site hosted within their infrastructure. This was a huge win for the community as a whole because large, high-visibility websites tend to gravitate towards hosting with these companies and as a result (due to the protection that these services offered for this specific vulnerability) the damage was further mitigated.

For others in the community, there are many anecdotal reports of individuals immediately applying the one line patch on all of the websites they manage. I believe this rapid roll out was in large part due to the quantity of announcements to the community letting them know that something big was about to happen.

The Bad News

Unfortunately…

  • Not every site was hosted with Acquia, Pantheon, and/or Platform.sh (due to cost, preference, requirements, etc).
  • Not everyone has the ability or capacity to roll out patches within X hours of every security release.
  • Penetration tests across all known Drupal sites began within 7 hours of the vulnerability (see the recap for more details).
  • Anecdotal evidence within the community indicates that backdoor exploits have been added to virtually all sites that were not patched.
  • Hundreds of thousands of Drupal websites are reporting that they are still running an older (and therefore vulnerable) version of Drupal core.
  • Thousands of eCommerce websites are reporting that they are still running an older (and therefore vulnerable) version of Drupal core.
  • I’ve personally seen two Drupal eCommerce sites that were already hacked by the time I was asked to review them within days of the disclosure.

Anyone exploiting this vulnerability is essentially able to gain admin access to the Drupal application. With admin access, stealing credit card data is a fairly straightforward process for most payment gateway configurations. One of the most obvious attack vectors is to enable the php module in order to drop a keylogger within a custom block on the payment page. Beyond that, there are several other creative ways to access, log, and extract customer information from a hacked Drupal site.

Tempering the Bad News

It’s important to note that the usage numbers are not a 100% accurate representation of what’s out in the wild. Many websites were updated using a hotfix patch versus upgrading Drupal core to 7.32, which results in an underestimation of the percentage of sites that are protected. However, this is countered by the fact that not all Drupal sites report their usage statistics back to Drupal.org. Also, there are sites that may simply have an eCommerce module enabled, but they are not set up to the point where they can accept payment.

Here are some other factors that may reduce the damage to the Drupal eCommerce community:

  • Not all sites containing a backdoor have been exploited further in any obvious way. This means that merchants still have time to clean up the mess.
  • Not all payment solutions are easy to attack. If a website is configured to use a hosted payment page, one has to either swap out the payment gateway completely or create a man in the middle attack. Both of these attacks are more likely to get caught quickly instead of going undetected for days/weeks/months.
  • Not all sites are large enough to make the headlines. A breached website that only manages a couple transactions a month will still get caught, but will not make the front page of any major tech news site. However, the merchant itself will have to deal with the fallout (including fines and the cost of a forensic analysis of the breach).

While this does reduce the overall pain caused by this vulnerability, we cannot ignore the reality that it’s only a matter of time before at least one Drupal website (and possibly many more) will report that they had credit card numbers stolen. And when this happens, it will be a black eye for the community regardless of how many of the 100,000+ other eCommerce sites were protected. All it will take is one significant breach and merchants evaluating Drupal against alternatives may think twice due to a perception that it’s not as secure (regardless of whether that determination is true).

The Silver Lining(s)

What’s done is done and it won’t do the community any good to dwell on the past. Rather, we should focus on the positive as well as what we can do in the future to make the most out of this experience. I know this is easier said than done because there are segments of the community that are still feeling the sting. That said, here’s my list of silver linings to this experience:

  • This vulnerability is now fixed and all future Drupal installations will no longer be subject to this exact attack. This is one of the many benefits of open source software—we all reap the benefits from code contributions from the community.
  • This vulnerability was so severe that it has sparked many conversations within the community on how to further harden Drupal and even roll out critical patches automatically. While this attention may wane, the fact is that this will have a permanent impact in how much importance we place on security as a community.
  • For being a volunteer organization, I would argue that the Drupal security team handled the situation as best as it could. The exploit could have been leaked, the disclosure botched, etc. While there are areas that can be improved moving forward, it was a privilege to work with the other members of the team to mitigate the damage as much as possible.
  • It’s possible (although highly improbable) that we may not see any reports of credit card data stolen as a direct result of this vulnerability. Only time will tell…

My final advice to anyone building, maintaining, or operating a Drupal eCommerce site: read the Drupal PCI Compliance White Paper (to learn more about ways to reduce risk) as well as read this article by Greg Knaddison to learn what to do in case you ever discover that a Drupal site’s been hacked.

Categories: Drupal

PreviousNext: The DrupalCI results component

Drupal Planet - Mon, 2014-12-01 20:35

The DrupalCI initiative is geared towards developing tools for the next generation of testing on Drupal.org. In the following video I will demonstrate the "Results" component responsible for providing build feedback.

Categories: Drupal

Pivots recommendations: Recommender API for Drupal: 2014 Relaunch

Drupal Planet - Mon, 2014-12-01 16:52

I am pleased to announce the release of Recommender API 7.x-6.x for Drupal, whose goal is to enable content recommendations on any Drupal site in order to boost site engagement and increase revenue. The new release is relatively stable and many of its helper modules already support it (see the full list here).

According to my survey last year, most sites that were using or planned to use Recommender API were small- to medium-sized. Their priorities were: 1) ease-of-use, 2) security, and 3) good recommendations. The new release is the answer to the calls. A few features to emphasize here:

  1. RecAPI runs out-of-the-box if you use its PHP recommendation engine for a small site. As your site grows, you can choose to use the more powerful and more complex Java recommendation engine.
  2. RecAPI fully integrates with Views and EntityAPI so you can customize easily.
  3. RecAPI now has better documentation and an example module to teach you how to write helper modules for your particular needs.

For the rest of this article, I'll show you how to set up and use the Browsing History Recommender module, which uses RecAPI to provide two types of content recommendations based on users' browsing history: "users who viewed this also viewed..." and "personalized recommendations".

Categories: Drupal

Mediacurrent: Major Sports League Moves to Drupal

Drupal Planet - Mon, 2014-12-01 16:27

Another major sports league has joined the NBA, Major League Soccer, NASCAR and others on Drupal with the launch of a platform that will power each of its team sites.

Categories: Drupal

12/01 Manjaro 0.8.11

Distrowatch - Mon, 2014-12-01 16:05
Categories: Distros

Evolving Web: Required Alt Text for Images in Drupal

Drupal Planet - Mon, 2014-12-01 15:17

Drupal 7 gives us the option to include an 'alt text' for each image field. The alt text is used by screen readers or when the image file isn't available. For some organizations with lots of authors, it's hard to get everyone actually using this alt text field. So, sometimes you want to make it required.

Categories: Drupal

Achieve Internet Blog: Learning from Philae

Drupal Planet - Mon, 2014-12-01 14:43
How to Plan, Execute & Succeed in Your Drupal Development Projects

Categories: Drupal

cs_shadow: Google Code-In 2014 starts now

Drupal Planet - Mon, 2014-12-01 13:47

Google Code-In (GCI) just started. For those of you who are not aware of this program, it's a contest where students (ages 13-17) work on tasks for Drupal (and other open source organizations).

In case you want to get involved with GCI, join #drupal-google on Freenode and we'll help you out after that. If you're a high school student of age 13-17, lots of interesting tasks await you at Drupal (http://www.google-melange.com/gci/org/google/gci2014/drupal). If you want to sign up as a mentor, register at http://www.google-melange.com/gci/homepage/google/gci2014 and request Mentor role from Drupal.

Post from Google kicking off GCI 2014 @ http://google-opensource.blogspot.com/2014/12/3-2-1-code-in-inviting-tee.... Original post by Matthew Lechleider (Slurpee) on gdo: https://groups.drupal.org/node/450953.

Tags: Drupal Planet, Google Code-In
Categories: Drupal

Code Karate: Drupal Shared Hosting: Deciding if shared hosting is right for your Drupal site

Drupal Planet - Mon, 2014-12-01 13:36

Over the summer I was able to attend three different Drupal Camps (Drupal Corn Camp, Twin Cities

Categories: Drupal

Blue Drop Awards: Sponsorship Packages & Early Bird Discount for 2015 Blue Drop Awards

Drupal Planet - Mon, 2014-12-01 11:24


As we’re coming to the end of another year, the Blue Drop Awards has set their "sites" on 2015. We’re extremely excited about the direction of the project but we believe, with your help, the Blue Drop Awards can be bigger and better. 

This past year we’ve received nearly 60,000 visitors to the Blue Drop Awards website which represents a 28% increase over 2013 and a 46% increase over 2012. For the coming year, we’re aiming to receive over 100,000 visitors to the Blue Drop Awards. 

Over the last few weeks, we’ve been working to determine the best possible sponsorship packages for 2015. While you may sign up for a sponsorship package at any time, we’re offering a 20% discount for all 2015 sponsors who sign up before 12pm CST on January 23, 2015.

I’ll take a moment to highlight some of the changes; for a detailed description, check out our Sponsorship page. For 2015 we have four different types of sponsorship packages.

The Freelance - $500:

  • At $500 this package is meant for freelancers who are one to two man shops. The ultimate value here is that your brand will be in front of 100,000 people in 2015. We will display your logo in the right sidebar on every page on the website. After 2015, the website is archived, but still accessible. Even today, 2012.bluedropawards.org still receives a significant amount of traffic every day, meaning continued exposure for a one-time $500 investment. You’ll also be recognized as a sponsor at the awards presentation at Drupalcon LA.

 

Silver - $2,000:

  • One step up from Freelance. This package is specifically meant for emerging companies. In addition to having your logo displayed on every page of the 2015 Blue Drop Awards website, we have added some additional advertising at Drupalcon LA. Your logo and booth number will be displayed at the Blue Drop Awards booth. Additionally, we will link to your website within the winners announcement email blast to provide additional traffic opportunities.

 

Gold - $3,000:

  • In addition to having your logo on the right sidebar of the Blue Drop Awards’ website, you will also have your own branded and customizable landing page complete with a contact form with the gold package. Your company will have the ability to log into the Blue Drop Awards website to edit your page. We will include your logo on the 2015 Blue Drop Awards t-shirts and on the winner awards. 

 

Platinum - $3,500:

  • The Platinum package is for companies who want to take full advantage of the lead generation opportunities available through the Blue Drop Awards. As with all packages, your logo will be included on all webpages. You will have your own customizable landing page, but in addition to having your logo, contact form and a description of the company, you will also be able to advertise downloadable content and current job openings. When someone downloads your content, we will notify you and give you their contact information. For a direct marketing approach, we’ll send out a sponsored email blast to the Blue Drop Awards subscriber list. To top it off, you will also be mentioned in tweets, blogs, case studies, and more. 

 

To see the full details on the Blue Drop Awards’ sponsorship package, please view the full pricing sheet below. Remember, you have until 12pm CST on 1/23/15 to lock in for the early-bird discount rate for the 2015 sponsorships. 

Not sure about which package to choose? Contact me at erik@bluedropawards.org

Categories: Drupal

Appnovation Technologies: Speeding up manual image cropping

Drupal Planet - Mon, 2014-12-01 11:14

Images are an important part of any website and for some media companies they are the most important part. Sites need to take big images and display them in different sizes throughout the site.

Categories: Drupal

Dries Buytaert: Business model innovation beats technical innovation

Drupal Planet - Mon, 2014-12-01 10:33
Topic: Drupal, Business, Opinion, Startup lessons

Business model innovation is usually more powerful than technical innovation; it is more disruptive and harder to copy than technical innovation. And yet, so many companies are focused on technical innovation to compete.

Consider Airbnb. What makes them so successful is not a technical advantage, but a business model advantage that provides them near-zero marginal cost. For a traditional hotel chain to increase its capacity, it needs to build more physical space at significant cost. Instead of shouldering that setup cost, Airbnb can add another room to its inventory at almost no cost by enabling people to share their existing houses. That is a business model innovation. Furthermore, it is extremely difficult for the traditional hotel chain to switch its business model to match Airbnb's.

The same is true in Open Source software. While it is true that Open Source often produces technically superior software, its real power may be its business model innovation: co-creation. Open Source software like Drupal or Linux is a co-created product; thousands of contributors build and enhance Drupal and everyone benefits from that. A large Open Source community produces vastly more software than a proprietary competitor, and shares in the production and go-to-market costs. It disrupts proprietary software companies where the roles of production and consumption are discrete and the production and go-to-market costs are high. While established companies can copy key technical innovations, it is extremely difficult to switch a proprietary business model to an Open Source business model. It affects how they build their software, how they monetize the software, how they sell and market their software, their cost structure, and more. Proprietary software companies will lose against thriving Open Source communities. I don't see how companies like HP, Oracle and SAP could change their business model while living quarter to quarter in the public markets; changing their business model would take many years and could disrupt their revenues.

Take Amazon Web Services (AWS), one of the most disruptive developments in the IT world the past decade. While AWS' offerings are rich and often ahead of the competition, the biggest reason for the company's success is its business model. Amazon not only offers consumption-based pricing ('pay as you consume' vs 'pay as you configure'), it's also comfortable operating a low-margin business. Almost 10 years after AWS launched, at a time that vast amounts of computing are moving into the cloud, HP, Oracle and SAP still don't have competitive cloud businesses. While each of these companies could easily close technical gaps, they have been unable to disrupt their existing business models.

If you're in a startup, innovating on a business model is easier than if you're in a large company. In fact, an innovative business model is the best weapon you have against large incumbents. Technical innovation may give you a 6 to 18 month competitive advantage, but the advantage from business model innovation can be many years. Too many startups focus on building or acquiring innovative or proprietary technology in order to win in the market. While there is usually some technical innovation around the edges, it is business model innovation that makes a successful, long-standing organization -- it tends to be a lot harder to copy than technical innovation.

Categories: Drupal

Linux Mint 17.1 Cinnamon and MATE Editions Released

Slashdot - Mon, 2014-12-01 09:05
linuxscreenshot writes: The team is proud to announce the release of Linux Mint 17.1 'Rebecca' MATE. Linux Mint 17.1 is a long term support release which will be supported until 2019. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use. Linux Mint 17.1 MATE edition comes with two window managers installed and configured by default: Marco (MATE's very own window manager, simple, fast and very stable); Compiz (an advanced compositing window manager which can do wonders if your hardware supports it). Among the various window managers available for Linux, Compiz is certainly the most impressive when it comes to desktop effects. Screenshots can be found here.


Categories: Linux News
