My security resolutions for 2017! #SecurityResolutions

Posted by on January 31, 2017 at 5:58pm

I'm a member of the Drupal Security Team, and many of the services offered by myDropWizard involve assisting our customers to improve the security of their Drupal sites -- so, I know quite a lot about security and try to be mindful about my own computer use.

However, computer security is an on-going process: it can always be improved and so you're never truly done.

In this article, I'm going to share my personal list of security resolutions for 2017!

Maybe you'll find something you'd like to implement as well?

Or perhaps you'd like to share your own security resolutions for this year?

Please share your thoughts in the comments (or on Twitter)!

DIY Drupal hosting: Aegir

Posted by on January 31, 2017 at 2:23pm
Aegir Drupal hosting

I had started this series with a post about what features will be evaluated when selecting DIY Drupal hosting solutions. We shall start with the most simplest and earliest solution of them all, Aegir. First, the nomenclature. Aegir is the God of seas and oceans in Norse folklore, much like Varuna in the Hindu pantheon.

Default Search API Sorts Per View in Drupal 7

Posted by on January 31, 2017 at 10:24am

It's been a while since I've written a post here (especially, Drupal-related). But today I have something interesting to share.

There's a module called Search API sorts ( that provides custom sorts and a global sort block for Search API. The module itself is ok, but ...

Read now

Advanced techniques for route access control in Drupal 8

Posted by Web Omelette on January 31, 2017 at 8:00am

Drupal 8 is very flexible when it comes to controlling access to your routes. It inherits quite a bit from the Symfony routing system, but adds its own flavour on top of that. In this article we are going to look at an example of a complex access requirement. In doing so, we won't cover the simpler use cases which are already described in the docs, but we will sure make use of some of them.

The requirement

So let's imagine this scenario: we have two types of users (employees and managers) whose persona is not determined by a user role. Let's say their "role" is determined on the fly as a result of an API call or some dynamic thing.

Now, let's say we have 3 routes: Route A (accessible for employees only), Route B (accessible for managers only) and Route C (accessible for both).

Finally, imagine we have a service called UserType which we can ask what type of person the current user is.


One of the cool things about the Route access control in Drupal 8 is the ability, as the docs show, to delegate the access checking to a service. So a basic implementation for Route A and Route C can be something like this.

  path: 'route-a'
    _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteA'
    _title: 'Route A'
    _company_access_check_employee: 'true'

This is the route definition. As you can see, as per the docs, we have a requirement for the company_access_check access service to return the access result. So let's quickly see that service:

    class:  Drupal\my_module\Access\CompanyAccessCheck
    arguments: ['@user_type']
      - { name: access_check, applies_to: _company_access_check_employee }

A simple tagged service definition with a dependency to our fictitious UserType service that tells us the type of person the current user is. Additionally, we specify that this access checking service should be applied to all routes with the requirement _company_access_check_employee.

I am not going to show you this class because an example is already covered in the docs. However, it has one method called access() which by default gets passed the AccountInterface of the current user. So with the help of our UserType service we can determine whether the current user is an employee. Then we can return either AccessResult::forbidden() or AccessResult::allowed().

For managers, we do the same: create a new service and apply it to Route C.

So where does the complication come? Well, you guessed it: Route B which requires both. If we add two requirements to the route, let's say something like this:

  path: 'route-b'
    _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteB'
    _title: 'Route B'
    _company_access_check_employee: 'true'
    _company_access_check_manager: 'true'

It will check for both but grant access only if both return positive. So in our case this won't be very helpful since we need to check if the user is either. For the purposes of this article, please forgive the implication that managers are not also employees.

The solution

What we can do is create another access service called something like company_access_check_both which is responsible for determining if the current user is of one of the user roles. This is fine if our requirements are as simple as we described them. But what happens when we have multiple user types and a bunch of different routes where we have to mix and match the user types which have access to them? Creating a service for all these different types of combinations is not very efficient.

So instead, let's create a generic service called company_access_check_multiple AND specify in the route the type of user that has access to it in the form of a custom option. For example, the route definition can be something like this:

  path: 'route-b'
    _controller: '\Drupal\my_module\Controller\DefaultController::buildRouteB'
    _title: 'Route B'
    _company_access_check_multiple: 'true'
      - Employee
      - Manager

In this route we created a custom option called _company_access_users in which we list the types of users that should have access to it.

But how can we make use of this inside our service? Well, the Route object can be inspected and the list of allowed user types can be retrieved:

$types = $route->getOption('_company_access_users');

So if the route has that option, $types will tell us what type the current user needs to be in order to have access.

However, where do we get the Route object? As we know, the access() method of the service only receives the user account as a parameter. We might be tempted to inject the current route match service into our own. This does the trick, but only when the route in question is being checked upon a user actually going to it. It will miserably fail when a given route is being checked for access from another one (for example when building menu links).

If we dig deep and look closely, before our access() method is called, an arguments resolver is employed via the AccessArgumentsResolverFactory. This allows for the current user account to be passed to the access() method. But what not many people know is that if we type hint our access() method with either Route, RouteMatchInterface or Request, we will be getting those parameters as well. And in this case, the Route object is that of the route being checked for access rather than the current route.

So something like this:

public function access(AccountInterface $account, Route $route) {
  $types = $route->getOption('_company_access_users');
  // etc

So there you have it. A neat little trick that opens the door to some complex access restriction rules on your routes.

AGILEDROP: Virtual Drupal Camps

Posted by Blog on January 31, 2017 at 7:41am
Drupal events have a lot of positive things for Drupal users. We highlighted them in the previous blog post. But there are many Drupalistas around the world, who can't attend such events, due to the expenses, time, work responsibilities, and many other reasons including the fact that many don't live near any of the available Drupal Camps. With that, they are automatically deprived for knowledge about Drupal. And that knowledge may come in hand for them, especially if they professionally work with Drupal. Luckily, organizers came up with one of the solutions. It's online or virtual Drupal Camp… READ MORE

Set up BLT and Drupal VM entirely within Windows 10

Posted by Jeff Geerling's Blog on January 31, 2017 at 2:15am

BLT - Setup complete on Windows 10

Quite often, I get inquiries from developers about how to get Drupal VM working on Windows 10—and this is often after encountering error after error due to many different factors. Just for starters, I'll give a few tips for success when using Drupal VM (or most any Linux-centric dev tooling or programming languages) on Windows 10:

Drupal 101 at General Assembly Denver

Posted by Aten Design Group on January 30, 2017 at 10:19pm
Aten Presents 3-hour class Drupal 101 General Assmbly Training: February 8, 2017, 6pm - 9pm MT Register Now

Get a crash course in the basics of building a website using Drupal.

In this 3-hour training, we'll dive into the world of Drupal and learn about content types, views, blocks & themes as we build a site together.

This webinar is ideal for those with experience working with content management systems like Drupal, Wordpress, Joomla, or Craft.

Brought to you in partnership with General Assembly

Reserve your spot today

February 8, 2017, 6pm - 9pm MT Register Now

Drupal 8 Migration: Migrating files / images (Part 3)

Posted by Evolving Web on January 30, 2017 at 3:00pm
 Managing files

A tutorial on migrating files / images to a Drupal 8 site and associating them to other entities.

read more

Migrating Date Ranges from CSV into Date Range Module

Posted by MTech, LLC on January 30, 2017 at 2:09pm
Migrating Date Ranges from CSV into Date Range Module

As you might know, the Datetime Range module is currently an experimental module within Drupal 8 core. This module allows you to create specific time intervals, such as: the creation date and the expiration of a product, a schedule of a workshop or event which has different blocks of hours, or hotel room reservations, etc.

Gerardo Hernández Mon, 01/30/2017 - 08:09

That was Drupal Global Sprint Weekend 2017

Posted by J-P Stacey on January 30, 2017 at 1:51pm

Last weekend was the Drupal Global Sprint Weekend, and Drupal Yorkshire took part in Sheffield. Our venue was the fantastic Union St coworking and event space, and it's fair to say that having such a great venue was a key part of what made the day a success. 

Read more of "That was Drupal Global Sprint Weekend 2017"

Media initiative is official and we are one of its leading parts

Posted by MD Systems blog on January 30, 2017 at 8:53am
The Media Initiative finally became one of the official Drupal core initiatives. We’ve been part of it since its inception more than 3 years ago and we are still one of its leading parts.

Spinning up the Drupal environment with Drupal VM

Posted by ADCI Solutions on January 30, 2017 at 4:14am

What if we tell you that spinning up a Drupal environment could be fun? Yes, we mean it. Drupal Virtual Machine (VM) gives us a plenty of options to ease a whole development process. Other than that, Drupal VM is a universal solution that will work equally on different host machines with different operation systems.

We are going to guide you through the main topics related to an installation and usage of Drupal VM. You will learn about migrating a Drupal website to the Drupal VM environment in general and disabling an automatic installation of Drupal, mounting a local Drupal codebase and uploading a database to the virtual machine in particular. After that you’ll be skilled enough to extend the default configuration for your needs.

We give the useful links and examples throughout the article so click to read the full article here.

Drupal Virtual Machine (VM)

Drupal Modules: The One Percent — User Personas (video tutorial)

Posted by Drupal Modules: The One Percent on January 30, 2017 at 3:39am
Drupal Modules: The One Percent — User Personas (video tutorial) Project page screenshot NonProfit Sun, 01/29/2017 - 21:39 Episode 17

Here is where we bring awareness to Drupal modules running on less than 1% of reporting sites. Today we'll look at User Personas, a module which allows you to assign groups of roles to your users.

Five tips for efficient and effective agile development teams

Posted by Third & Grove on January 30, 2017 at 12:19am
Five tips for efficient and effective agile development teams john Sun, 01/29/2017 - 19:19

How To Configure Let's Encrypt For Drupal & Virtualmin

Posted by Jay on January 29, 2017 at 11:13pm

Let's Encrypt is taking over the world with its free SSL certificates, and I'm using it on ALL of my websites. But using it in conjunction with Drupal & Virtualmin is not as easy as it should be, so today I'll show everyone how to make it work 100%. It took me a few hours of detective work to figure out the following two prerequisites that need to be taken care of before using Let's Encrypt:

#1. In the .htaccess file for Drupal 7, find the line with the following code (for example, line 83 in the most recent version of Drupal 7, 7.53):

RewriteRule "(^|/)\." - [F]

Change it to the following code:

RewriteRule "(^|/)\.(?!well-known)" - [F]

Tags: CentOSDrupal 7Drupal 8Drupal PlanetPHP

Playing with the Sculpin static site generator

Posted by Janez Urevc on January 29, 2017 at 9:08pm
Playing with the Sculpin static site generator

Sculpin generator

I can hear you asking: "What the hack is that?" Let me quote the Sculpin's authors:

Sculpin is a static site generator written in PHP. It converts Markdown files, Twig templates and standard HTML into a static HTML site that can be easily deployed.

Few days ago a need for a very simple website arose which was way too simple to use Drupal 8 for it. Even Wordpress would be way over the top. On the other hand I really wanted to try static HTML generators for a while and this seemed a perfect opportunity to do that.

There are many static HTML generators out there, Jekyll probably being the most popular (it is also supported by GitHub pages, which makes hosting trivial). I, however, decided to go with Sculpin because it is written in PHP and is using Symfony and Twig. I am already more or less familiar with all this technologies, which made the task a bit easier.


Few hours, very simple Bootstrap based theme, FlexSlider, some Markdown and violà! Site was done and running. It is performant, I can host it literary everywhere, no need to clear caches every time when something behaves strange, no updates, security out of the box, ...

I could totally use something similar for this blog too. Heresy against The religion of Drupal™ you say? Maybe.... But think about it. I am already using Markdown (not really a WYSIWYG fan) to write my posts. That wouldn't change at all. I use Disqus for comments, which would play perfectly fine with static HTML. I could use Liquid Forms or something similar to run the contact form or simply ask people to reach out via Twitter or IRC. That's it. It could probably be done in a day while it took me 3 or 4 days to migrate my Drupal 7 blog to Drupal 8. Not to mention the significantly easier maintenance.

I might even consider doing that when the migration to Drupal 9 comes around. We'll see what the hip thing at that time will be...

All this got me thinking...

Solutions like Jekyll and Sculpin are gaining popularity in the lowest end of the web market. By that they are eating into what used to be market of CMSes like Drupal and Wordpress just a few years ago. Benefits are clear (mainly performance and easy maintenance). The user experience and the ease of use is still on the CMS side, but for slightly tech savvy users it is completely doable. And this might very likely change in the next few years (every software tries to improve over time, right). That said, this kind of tools might (together with pure SaaS solutions) dominate the lower-end web market in the future.

"But Drupal 8 is enterprise-oriented. That's what we care about!" you'll say. OK. Probably true, but...

It is easier than ever to build custom web projects in PHP. In the times before Composer, Packagist and all other nice stuff that we have today existed it was total PITA to find and bring a bunch of 3rd party libraries together to help you build a custom app. In just a few short years this became much simpler and will become even easier as our tools and ecosystem evolve. And PHP is not alone in this world. There are many new and modern languages/platforms that are all doing similar things from this perspective. All of them have some kind of package manager, dependency resolver, repositories of 3rd party packages, etc. It is to be expected that this will only continue. Tools will become even easier to use, 3rd party libraries/packages will become more powerful and building custom projects based on them even faster.

Higher-end projects usually have some budget to invest into development. What would you choose if the cost of development using a CMS like Drupal would be similar to the cost of building a custom project? Specially if you don't need all the features and complexity that CMS offers?

"Are you saying that Drupal is going away?" you ask.

Of course not. Drupal is a great tool that can efficiently solve many problems. But there are definitely better tools for some others. It also seems that there is strong competition on all sides of the web market, which is eating into the pie that was reserved for traditional CMSes in the past. Drupal will need to think about this and position itself into that segment of the market where it is the strongest. The days of "Drupal for everything" are clearly over.

What is your opinion about this? What do you think future will bring us? Let's continue the discussion in the comments below!

slashrsm Sun, 29.01.2017 - 22:08 Tags Drupal web Enjoyed this post? There is more! Join us at the next Drupal Media sprint at the Mountain camp in Davos! Drupal dev environment on Docker Entity browser feature freeze will happen in two weeks

Do you really need Drupal for that? How to choose the right technology for your project

Posted by Red Route on January 29, 2017 at 6:40pm

We're moving house soon, and we're planning to rent out the flat we live in now. We could use an estate agent, and get the flat up on all the usual property boards. But, in the spirit of the IndieWeb, and because we don't want to pay commission to agents, we decided to put up our own website advertising the flat.

As with most developers, as soon as I had the idea of a project, my mind was racing with possibilities, and I had to stop myself from jumping straight into a code editor.

What technology will we use?

Whenever a web project starts, this is one of the most fundamental questions to answer. Until you've decided this, you can't get very far with building the thing.

A lot of developers will default to their standard toolkit. We tend to use what we've used before, what we're comfortable with. Most of the sites I've built over the last few years have used Drupal. For a while I used to choose Wordpress for smaller, simpler sites, and Drupal for anything that needed more flexibility and complexity, but as I got more familiar with Drupal, I became more efficient with it, to the point where it was quicker and easier to use Drupal.

Besides, often those smaller sites will end up evolving into something more complex, and with Drupal it's fairly straightforward to set the CMS up so that it isn't too intimidating to the editors. In my mind, that leaves the ease of updates as the only thing in favour of Wordpress, and that's a double-edged sword if people don't test updates properly.

But it's important to remember that developer convenience shouldn't be the deciding factor in how you approach a project. Your technology choice should be guided by the needs of the project and its stakeholders.

Does the site even need a CMS?

There are two questions I’d always ask when planning a project:

  1. How often is the content going to be updated?
  2. Who’s going to be updating it?

Content management systems are very useful and very powerful, but they bring additional complexity with them. You have to make sure that the software and the server it's running on are configured correctly, and that they're kept up to date. The more you can reduce the complexity, the fewer challenges you'll have.

These days, for simple sites, I'd be more inclined to use a static site generator like Jekyll, as long as the people editing the content would be able to handle writing in Markdown. Security and performance both get a lot easier to handle if you're just serving flat files.

For this project, the content is hardly ever going to change, and when it does, it will be me who edits it, and I’m comfortable editing raw HTML. So no, we don't need a CMS. And because there's only enough content to fill a single page, we don't even need any kind of site generator. Just a single HTML file, with some CSS and JavaScript - keep things as simple as possible.

Where do we start?

No matter how complex your project, there’s always the option of starting from a completely blank slate, but unless what you're doing is very bespoke, do you really need to roll your own every single time? The problems that you’re likely to face in a web project are almost certainly problems that somebody else has already solved, so why not stand on the shoulders of giants?

Having decided to build a single page site, I found a single page template based on Bootstrap that looked OK. Bootstrap and Foundation are often criticised for contributing to a culture where a lot of websites look the same, and perhaps rightly so. But a lot of the time, the people who publish content websites don't want or need their site to be unique. There's a reason why a lot of startups use these frameworks - they want to get something out there quickly, so that they can show the market what they've got, so that they can get some income and start iterating.

Yes, I feel a little lazy for spending five minutes googling single page templates, but what would be the value for me of doing something else? Perhaps I could use this side project as a learning opportunity? A chance to try out a new technology, or a new way of doing things?

Those can be good reasons to choose a technology, especially for a personal project, but I wanted to get a basic site together quickly. I wanted it to be good enough with minimal effort on my part. By starting with a template, I very quickly had something presentable enough to start showing to people. If I’d started from an empty file, perhaps I would have built something with more of myself in it, something I could be more proud of, but it would have taken a lot longer. Moving house is stressful, and I've got a day job and a family, and a bunch of other things on the go, so I didn't want to spend enormous amounts of time on this.

In short, I had a fairly clear idea of my minimum viable product, and using a template meant that I was quickly able to reach the point where I could focus on the content. After all, the content should always be the main thing.

Being a developer, I'm always looking for things to improve. For instance, perhaps I could get the site loading faster by converting FontAwesome to inline SVG, or maybe I could do something clever with the images or critical CSS.

But the point is that the website isn't there to impress other developers - it's there to get a message out to the world - that we're looking for someone to rent our flat.

Tags:  development technology Drupal All tags

Drush commands for every day usage

Posted by Drupal Developer's blog on January 29, 2017 at 5:56pm
Drush stands for "Drupal shell" which means a powerful tool for managing Drupal installation from command line interface. Drush provides a lot of useful commands for dealing with a cache, modules, cron, database etc. But some of contrib modules also provide some extra drush commands for specific functionality (like features module comes with commands for managing features). Here's a bunch of a useful drush commands which I use every day.
Read more »

Continuous integration and testing with Drupal on AppVeyor

Posted by DrupalOnWindows on January 29, 2017 at 6:00am

You can now easily test your Drupal projects on AppVeyor. Currently, AppVeyor is the major player in CI regarding Windows Servers. On other CI systems (Travis, Bitbucket pipelines) you are limited to Docker containers for the *nix platform. (This will soon change as some CI will throw Windows containers into the mix).

Until then, the only tool to CI your Drupal (or any PHP project) on a Windows based environment using IIS is AppVeyor.

Language English More articles...

Drupal 8 survey Feeds/Migrate usage and functionality

Posted by on January 28, 2017 at 4:25pm
We are working on porting Feeds to Drupal 8 today at the Global Sprints weekend in Amsterdam. We would like to know from you how you use these and similar import/export modules and what functionality you like but still miss in Drupal 8. Please take the survey here:


Subscribe with RSS Subscribe to aggregator - Planet Drupal