
Planet Drupal


Drupal Association News: team week notes #22

11 March 2014 - 2:21pm improvements

As usual, a lot of big and small deployments happened on during the past 2 weeks. RTBC patches are now being automatically re-tested (thanks jthorson!). Module index page is back, as well as full pager on issue listings, except for text search pages (thanks drumm!).

There is a new block available in your Dashboard on - “Your security issues”. The block will display the issues you have access to on Thanks mlhess and drumm!

Personal blog tags: week notes
Categories: Drupal

Drupal Association News: Addressing the Growing Demand for Drupal Talent

11 March 2014 - 11:40am

Recently, the number of Drupal websites on the web surpassed a million and that number will no doubt continue to grow. While there is plenty of interest from businesses, nonprofits, and government entities in implementing Drupal websites, a big challenge remains: the relative scarcity of talent.

Categories: Drupal

2bits: Another botnet spamming Drupal web sites, causing performance issues

11 March 2014 - 10:36am
We previously wrote in detail about how botnets hammering a web site can cause outages. Here is another case that emerged in the past month or so. Again, it is a distributed attempt from many IP addresses all over the world, most probably from PCs infected with malware. Their main goal seems to be to add content to a Drupal web site, then to try registering a new user when that attempt is denied because of site permissions. The pattern looks like the following excerpt from the web server's access log.

read more

Categories: Drupal

Drupalize.Me: Seeing What Has Been Done in Drupal Theming

11 March 2014 - 8:00am

There is a Buddhist quote which states, "I never see what has been done; I only see what remains to be done." But learning can be overwhelming if we only look forward. In this post, let's take a journey back in time to get a better sense of how far Drupal theming has come and where it's headed next.

Categories: Drupal

Drupal Association News: DrupalCon Goes to Latin America in 2015

11 March 2014 - 7:35am

Here is the much awaited blog post to consider our options for the location of our 2015 Latin American DrupalCon. While we have looked at the pros and cons for two locations, we want you to weigh in and tell us what you think!

Categories: Drupal

InternetDevels: Field API D8 - Custom Formatters && Widgets

11 March 2014 - 7:00am

Drupal 8 has dramatically changed the process of creating custom formatters and widgets. In Drupal 7 this was done with hooks; in the new version the process is similar to writing a Ctools plugin. Further on in this blog we will explain why.

Read more
Categories: Drupal

Deeson Online: It canna handle the load cap'in

11 March 2014 - 4:00am
Load testing

When building a site you want to make sure that it can handle the expected (and even unexpected) load that might incur through the traffic that the site will receive.

There are some tools that you can use, such as 'siege' or 'ab' (Apache Benchmark), to test the impact of multiple users requesting a page (or several pages). These can be good for the initial testing of page loads etc., but in order to see more realistic results from multiple users in multiple locations around the world there is a nice online service called Load Impact.

This allows you to configure user scenarios (user journeys through a site), store your test configurations (which you can run multiple times and clone to keep different variations) and even schedule tests to be run on your site at regular intervals.

The configuration allows you to set how many users you want to simulate accessing your site over a period of time, known as a 'load test'. So, for example, you can scale from one to 200 users over a five minute period.

You can also add multiple user schedules within the load test, meaning that you can build a scenario which increases the number of users from one to 200 over a four minute period, then keep the number of users at 200 for a further two minutes.

You can also configure where your traffic is going to be coming from in the world and set up multiple sources.

Site testing

This approach became invaluable recently when working on a site. The site had Varnish caching configured, but there were a couple of places where AJAX calls were being made back to the Drupal site to get up-to-the-minute data from a third party web service.

From the initial testing with Load Impact on the home page, our Varnish-cached pages responded as you would have expected - no problems at all. We then also used Load Impact to test a specific AJAX end point to see how it would handle the requests.

This highlighted that the third party web service response gradually got slower as the number of users increased, indicating a potential weak point in the site.

After the initial testing of specific pages, we did full testing of a user's journey. We used Load Impact as it has a nice plugin for Chrome which allows you to record page clicks into its scripting language (Lua), which you can save as a user scenario. They also have full documentation on their scenario scripting.

We then ran this test using the above load plan (one to 200 users in four minutes, followed by a continuous 200 users for a further two minutes) and found that once we had got up to about 200 users using the site, the site became very slow and finally ground to a halt. Not a good outcome.

Investigating highlighted problems

Within Apache's configuration for its log format, you can include 'the time taken to serve the request, in seconds' (%T) and 'the time taken to serve the request, in microseconds' (%D) in the access log. The reason for including both is that the first (%T) is in whole seconds, and you would hope that most requests take less than a second to process, so it reads as 0 for them.

Including the second time (%D), which is in microseconds, gives you an accurate response time. Having the first time in seconds is still handy when grepping the logs for the requests which took over a second to process.

You can also enable Apache's 'status' page (mod_status), but for security reasons make sure that it is configured to sit behind an htpasswd file or is only accessible via localhost and an SSH tunnel. This status page shows various details about Apache, including the number of threads in use and which requests those threads are currently serving.

Having added the request times to the log format and activated that status page, we re-ran the test.

As the number of users approached 200 concurrent users, we could see the Apache threads building up and not being released until we hit the maximum number of threads (255). At this point Apache was queuing requests, delaying all subsequent requests.

Once the test had stopped we analysed the access logs, which showed that the AJAX requests had been taking over 40 seconds to process as the number of users increased. Each of those requests tied up a thread for that long, so we eventually hit our limit.
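As an added example (not code from the Deeson post), a small Python script that parses access-log lines written in the combined format with %T and %D appended, lists the requests that took over a second, and adds up the worker-thread time each path tied up; the log lines and the /ajax/prices endpoint are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post) in the "combined" format
# with %T (seconds) and %D (microseconds) appended, i.e.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %D" timed
# The /ajax/prices path is made up for illustration.
SAMPLE_LOG = """\
10.0.0.1 - - [11/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0 1834
10.0.0.2 - - [11/Mar/2014:10:00:02 +0000] "GET /ajax/prices HTTP/1.1" 200 812 "-" "Mozilla/5.0" 2 2450311
10.0.0.3 - - [11/Mar/2014:10:00:03 +0000] "GET /ajax/prices HTTP/1.1" 200 812 "-" "Mozilla/5.0" 41 41207654
10.0.0.4 - - [11/Mar/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 0 2102
10.0.0.5 - - [11/Mar/2014:10:00:05 +0000] "GET /ajax/prices HTTP/1.1" 503 0 "-" "Mozilla/5.0" 45 45000120
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>\d+) (?P<usecs>\d+)$'
)

def parse_line(line):
    """Return (path, status, %T seconds, %D microseconds) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["path"], int(m["status"]), int(m["secs"]), int(m["usecs"]))

def slow_requests(log_text, threshold_s=1.0):
    """Requests whose %D-based service time exceeds threshold_s, as (path, seconds)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] / 1e6 > threshold_s:
            out.append((rec[0], rec[3] / 1e6))
    return out

def worker_time_by_path(log_text):
    """Total service time per path in seconds, i.e. how long each endpoint kept
    worker threads busy; a few slow paths here are what exhaust the thread limit."""
    totals = defaultdict(float)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[rec[0]] += rec[3] / 1e6
    return dict(totals)

if __name__ == "__main__":
    for path, secs in slow_requests(SAMPLE_LOG):
        print(f"slow: {path} {secs:.3f}s")
    for path, secs in sorted(worker_time_by_path(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{path:20s} {secs:10.3f} worker-seconds")
```

Pipe a real log through it (for example the lines that `grep` selects because %T is non-zero) and the path with the largest worker-seconds total is the one to cache or rate-limit first.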

As there was nothing that could be done about the speed of the third party web service, we opted to cache its response for five minutes. This reduced the number of requests to it, so the service could handle the remaining requests better.

Having implemented the caching, we re-ran the tests. Throughout the test the site was responsive and seemed unaffected by the number of users on it.

We were much happier and the client was very pleased that their site would be able to handle the load that they might expect!

By Mike Davis | 11th March 2014
Categories: Drupal

Zero to Drupal: Quicktips with Charlie: Entity Metadata Wrapper and Null Values

10 March 2014 - 7:06pm

Last year I had the privilege of meeting Charlie Schliesser, a fellow developer here in St. Louis. Little did I know, a few months later we'd actually be working together quite a bit as I took a new position with my church which utilized the services of the company he worked for. Since that time, we've had several co-working sessions where we swap tips, talk about new technologies, get help with problems and leave inspired to do cool work. Each time we depart, I feel like I have a few more tools in my toolbox and I'm eager to share them. With that in mind, I'd like to start a series of posts that share what we learn. Feel free to leave comments, ask questions, or give feedback!

Entity_metadata_wrapper and Null Values

Are you a fan of entity_metadata_wrapper from the entity module? If you aren't, it's a great alternative to node_load()/entity_load() that gives you chain-able, localized, and sanitized (if requested) access to fields and properties of any entity. If you are hip to EMW, you've likely run into an issue where you try to access the value() of a field that isn't set on the object and EMW throws a nasty exception killing the page.

This often happens when looping through nodes where a non-required field is blank (i.e. $wrapper->field_middle_name->value()) and is quite frustrating. Before today, I'd try to avoid this issue by using field_get_items() or dumping the entity (using $wrapper->value()) and checking the value there. Thankfully, today I found a stackoverflow post that provided a pretty elegant alternative.

The Solution

Who knew that the good folks who created EMW implemented the magic method __isset() on the EntityMetadataWrapper class? Now, we can do something like this to check for set values:

    $wrapper = entity_metadata_wrapper('node', 123);
    // EntityMetadataWrapper::__isset() returns TRUE only when the property exists
    // on the wrapped entity and its value is not NULL, so an empty field no longer
    // throws an exception. isset($wrapper->field_middle_name) calls the same method.
    if ($wrapper->__isset('field_middle_name')) {
      // Do something awesome with the middle name.
      $middle_name = $wrapper->field_middle_name->value();
    }
    else {
      // Don't do anything awesome, they don't have a middle name.
    }

Pretty neat huh?

Categories: Drupal

Open Source Training: Is Drupal Entityforms a Good Alternative to Webforms?

10 March 2014 - 5:41pm

Last month, we ran a Drupal webinar called 45 Modules in 45 Minutes.

In the webinar we ran through 45 of the best and most popular modules in 45 minutes.

One of the modules we mentioned was Webforms which is a module we use in every beginner class.

In the comments on that webinar, someone mentioned Entityforms as a viable alternative to Webform and one that is more tightly integrated to Drupal.

I decided to take Entityforms for a test drive ...

Categories: Drupal

David Norman: Guardr achieves point release status

10 March 2014 - 1:35pm

The first point release of the Guardr distribution for Drupal was released last week. Though the Guardr node wasn't created until May 2012, the project actually started about 5 years ago. The product follows much of the history of Drupal - as a collaboration between many developers across multiple different shops. The reality is that the Guardr make file is just a way to organize a crap-load of work that was done in module contrib land.

I was faced with hardening Drupal beyond the built-in controls as part of a project for a Fortune 100 company. At the time, my thoughts were to turn Drupal from a social publishing platform into a business application. One of my project requirements was to conform to business practices that would limit users' sessions - to make sure when someone shared a login at work that it could only be used by one person at a time. Shared logins break a security principle of accountability. As long as users are sharing the same account, nobody can tell for sure who updated node content or changed site configuration. That's when I started committing patches to the Session Limit project.

The Drupal Security Report, updated recently in December 2013, enumerates how Drupal is secure by default and how each of the security points match to the OWASP Top 10 vulnerabilities for web applications. The mitigations for OWASP Top 10 items haven't changed substantially over the past 5 years in Drupal core.

Though Drupal's default configuration sends seemingly harmless information, Guardr goes an extra step - it checks for security updates by default. It seems odd that I should even have to tout that as a feature. Drupal tries to be helpful by displaying errors to the screen after the installation is complete.

Guardr's install profile disables displaying error reporting by default, silently logging them instead. You should be reviewing your logs regularly anyway. Every time Drupal has to log a PHP warning, a deprecated function, or Drupal nuance, it drags down your database and extends your page load times. Even if you mess up in a big way, Guardr hides fatal PHP errors, too.

Part of Drupal's history is as a social platform. Even though the forum module has always been a joke in terms of usefulness, the default new user rules permit new user registration without administrator approval - again, something that Guardr locks down.

While LoginToboggan was a great introduction for usability improvement, allowing users to log in using their email address is a security weakness. I recently added my real email address to the footer of my blog. If I then also allowed anyone on the Internet to log in using my email address, an attacker would already have half of the credentials needed to break into my account. Guardr removes usernames from the default outgoing email texts, then combines this with the Realname module to help keep login usernames private. If the attacker knows neither the username nor the password, they have a great many username/password permutations to try. Think of it like a poor man's two-factor authentication.

The Internet has several lists of modules that make Drupal sites more secure, but it's things like the pairing of modules such as Realname with the removal of usernames in outgoing core emails that makes Guardr stand out. It's the build script. Another example - the Remove Generator module removes the META tag that displays "Drupal 7" in the HTML source of every page, but Guardr's build also removes the CHANGELOG.txt file from the root directory, another easy vector for determining both the software and the version of the CMS. Why give the vulnerability scanners and penetration testers the easy way out? Let them try some WordPress vulnerabilities first so your web application firewall and intrusion detection system can flag them well before they get to specific Drupal version exploits.

Starting with Guardr takes away a bunch of the headaches for securing your site from the start. Imagine having a password policy in place that even forces UID 1 to have a reasonably secure password or which even denies UID 1 the ability to activate the PHP input filter. Run your code through version control, test it, review it, wrap it in accountability, tag it, and don't skip the proper workflow.

Guardr's configuration keeps enough logs that you can actually go back a few weeks to review what your users have been doing, who's accountable, and pin-point events at specific times. The Role watchdog module helps you track down scenarios where a user gave themselves extra access through a role change, then removed the role later - it's logged.

All this configuration and the modules to go with it are maintained by people who have studied advanced security issues, who work for companies who pursue security-conscious customers, and have proven over several years to contribute back to the Drupal security co-op.

It's my opinion that starting with Guardr and using the modules therein sways the balance of Drupal towards being more secure without burdening administrators and users with excess annoyances and overhead. It gives you tools for maintaining uptime, auditing for accountability, injecting countermeasures for attacks, and enforcing policies to make active countermeasures less necessary.

Categories: Drupal

Drupal Association News: Drupal Association Board Meeting this Thursday

10 March 2014 - 12:25pm

We continue to get busier and busier at the Association, and we want to make sure that you know everything we've been up to. Although we normally hold board meetings on Wednesdays, this month we'll be hosting our meeting on Thursday to accommodate some SXSW travel.

Categories: Drupal

Mediacurrent: Meet Jonathan DeLaigle

10 March 2014 - 11:25am

1.  So Jonathan, what's your role at Mediacurrent, both internally and client-related?

As a senior developer at Mediacurrent, I do anything that is necessary to make sure that the vision of the client is executed and delivered on time and in budget.  I fill gaps wherever necessary, from architecture to module updates.  Internally, I work with the devops team to charter a new evolution of local development through the use of great tools such as Vagrant, provisioning software, and virtual machines to create an easily managed and unified local development platform. 

2.  We’re so glad to have you!  Give us an idea of what professional path brought you here.

Categories: Drupal
