Planet Drupal

Specbee: Drupal 8.7 Features (What’s New and Why Should You Care)

1 week 6 days ago
How do you stay ahead of your competition? Easy - Be relevant. Address your audience’s pain points. Repeat. With the adoption of the continuous innovation model, Drupal is doing that and more. Drupal 8.7 was released on May 1st, following the six-month release cycle for Drupal 8. We saw huge improvements in Drupal 8.6, which was a big release. With 8.7, it just got better, with more stable modules ready to be used in production and other interesting out-of-the-box features.

ThinkShout: Recognizing Insecure Drupal Code

2 weeks ago

Within the Drupal community, it seems like many developers are interested in ensuring their modules and themes are secure, but don’t really know what insecure code looks like. I’ve personally found a lot of resources that tell you about security best practices, but don’t dive deeper into common missteps and their consequences.

Drupal 8 is the most modern and secure release of Drupal yet, which leads developers to expect that all Drupal 8 APIs are perfectly safe to use. While it’s great that Drupal has earned that reputation, there are still plenty of ways to leave your site vulnerable.

In this blog I’ll go through examples of insecure code that I’ve seen while doing security research and code review in Drupal 8, which will hopefully make it easier for you to know what to look for when reviewing your own code.

So you want to render HTML…

Outputting HTML is Drupal’s bread and butter, but if you’re rendering user input you may be vulnerable to cross site scripting, otherwise known as XSS.

XSS occurs when a malicious user identifies an exploit that allows user input to be executed as JavaScript. Then, typically, an attacker leads someone with higher privileges (an administrator) to trigger the exploit. At that point, an attacker can do anything the administrator can do - add more administrator accounts, delete content, download sensitive data, and potentially use a chained exploit to execute server-side code.

Twig has your back

With Drupal 8’s implementation of Twig, all variables rendered normally (within curly braces) are automatically filtered. The attributes object, which is often used in Twig, is also generally safe. For example, trying to add a malicious attribute with code like:

<b {{ attributes.addClass('"onmouseover="alert(1)"') }}>Hello</b>

Will render safely as:

<b class="&quot;onmouseover=&quot;alert(1)&quot;">Hello</b>

Unquoted attributes

Twig isn’t inherently immune to XSS. If you don’t wrap attributes in double quotes, for instance, user input could render a malicious attribute. For example, if you have a template like:

<b class={{ configurable_class }}>Hello</b>

And pass in a class configured by a user:

$variables['configurable_class'] = 'foo onclick=alert(bar)';

The final, unsafe HTML will be:

<b class=foo onclick=alert(bar)>Hello</b>

This is because variables have HTML special characters escaped, but aren’t aware of the context they’re rendered in. onclick=alert(bar) on its own is completely safe, but when inside an opening HTML tag can trigger XSS.

The raw filter

One of the filters that comes with Twig, raw, marks a value as being safe and does not escape it. That means that if you ever see something like:

{{ variable | raw }}

In your templates, that could lead to an XSS vulnerability. There are very few use cases for raw, so if you can avoid using it completely you should.

Misusing render arrays

Render and form arrays in Drupal can also be misused to allow XSS. For example, you may know that HTML like this executes arbitrary JavaScript on click:

<a href="javascript:alert()">Click me!</a>

And if you’re using url or link objects or render elements, this will be rendered as:

<a href="alert()">Click me!</a>

Which is safe. However, if you’re not using the url or link APIs, Drupal doesn’t have the context to know that the “href” attribute could be unsafe, and will render it without escaping. For example, this code:

$build = ['#type' => 'html_tag', '#tag' => 'a', 'Hello'];
$build['#attributes']['href'] = $user_input;

When provided this user input:

$user_input = 'javascript:alert("foo")';

Will render:

<a href="javascript:alert(\"foo\")">Hello</a>

Like the Twig attribute issue, this is a result of Drupal not being aware that untrusted data is being passed to potentially dangerous APIs. Here are some more examples of render arrays that allow XSS:
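As an added illustration (plain PHP, not code from the original post or from Drupal core), the following shows the two points above in one runnable file: escaping alone does not make an unquoted attribute safe, and an href needs a scheme check that escaping cannot provide. The function names escapeAttr(), renderUnquotedClass(), renderQuotedClass() and safeHref() are invented for this example; in Drupal you would use Html::escape() and UrlHelper::stripDangerousProtocols() rather than writing your own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from Drupal core.
// Plain PHP; the function names below are invented for this illustration.

/** Escape a value for use inside a double-quoted HTML attribute. */
function escapeAttr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: the attribute is unquoted, so a space in the value ends it. */
function renderUnquotedClass(string $class): string {
    return '<b class=' . escapeAttr($class) . '>Hello</b>';
}

/** Hardened: quotes keep the whole value inside a single attribute. */
function renderQuotedClass(string $class): string {
    return '<b class="' . escapeAttr($class) . '">Hello</b>';
}

/**
 * Escaping cannot make a javascript: URL harmless, so check the scheme
 * first. Relative URLs pass; absolute URLs must use an allow-listed scheme.
 * (Illustrative only; Drupal's UrlHelper::stripDangerousProtocols() is the
 * API to use in real module code.)
 */
function safeHref(string $url): string {
    // Browsers ignore ASCII control characters inside a scheme, so remove
    // them before looking for one.
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        return '#';  // neutralise javascript:, data: and similar schemes
    }
    return escapeAttr($url);
}

// Constructed inputs standing in for user-controlled data.
$class = 'foo onclick=alert(bar)';
echo renderUnquotedClass($class), PHP_EOL;  // onclick becomes a second attribute
echo renderQuotedClass($class), PHP_EOL;    // onclick stays inside class="..."

foreach (['javascript:alert("foo")', '/node/1?a=1&b=2'] as $href) {
    echo '<a href="', safeHref($href), '">Hello</a>', PHP_EOL;
}
```

The point to take away is that htmlspecialchars() leaves 'foo onclick=alert(bar)' untouched, because it contains none of the characters it escapes; only the surrounding quotes decide whether the browser sees one attribute or two, and only a scheme check decides whether an href can run script.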

$build['#markup'] = $user_input;
$build['#allowed_tags'] = ['script'];
$build['#children'] = $user_input;
$build['#markup'] = t($user_input);
$build = ['#type' => 'inline_template', '#template' => $user_input];

Not filtering in JavaScript

While the examples so far have been about backend code, XSS is commonly triggered from JavaScript. Take this example, where the value of an input is passed to jQuery’s html function to display an error:

var value = $('input.title').val();
$('.error').html('<p>Invalid title "' + value + '"</p>');

Since the html function assumes the data you pass is safe, this could trigger XSS. A better way of approaching this is to use the text function, which escapes special characters:

var value = $('input.title').val();
$('.error').text('Invalid title "' + value + '"');

The most Drupal-y way to accomplish this would be to use the Drupal.t function, which accepts placeholders that are automatically escaped, and translates text:

var value = $('input.title').val();
$('.error').html(Drupal.t('<p>Invalid title "@title"</p>', {'@title': value}));

Sniffing out XSS problems

In general, a good way to spot XSS is to question complexity wherever you see it. Look into your biggest forms and controllers and see if there’s anything odd using user input, and if so make an effort to exploit it. Also, if there’s any opportunity to use Twig instead of concatenating HTML in the backend, use Twig!

So you want to query the database…

Drupal comes with a database abstraction layer that saves you from writing SQL by hand, which has done a lot to prevent a type of vulnerability called SQL injection, otherwise known as SQLi.

SQLi occurs when a malicious user identifies an SQL query that can be unsafely modified by user input, allowing them to add arbitrary statements or additional queries onto an existing query. SQLi can allow attackers to read sensitive data, insert arbitrary data, or even wipe existing data.

Use the abstractions

The best advice when querying the database is to use Drupal’s database API wherever possible. Drupal has great documentation on how to properly use this API here: https://www.drupal.org/docs/8/api/database-api

The API is normally safe to use, but can be used unsafely in ways that aren’t clear to all Drupal developers.

Not using placeholders

There are cases where you need to write a query by hand, which is fine unless that query uses user input, in which case you need to use placeholders. For example, this code has user input ($name) in the query string:

\Drupal::database()
  ->query("DELETE FROM people WHERE name = \"$name\"")
  ->execute();

If $name is set to a malicious value, like:

$name = 'myname" OR "" = "';

The final query ends up being:

DELETE FROM people WHERE name = "myname" OR "" = ""

Which in this example would delete everyone from the people table. The proper way to do this would be to use placeholders in your query string, and pass the user input as an argument:

\Drupal::database()
  ->query('DELETE FROM people WHERE name = :name', [
    ':name' => $name,
  ])
  ->execute();

Not escaping LIKE

Typically, when using the database API, passing user input as the value of the condition method is safe. However, if you are using the LIKE condition, you need to escape user input that may contain the wildcard character (%). For example, this code has user input ($name) in a LIKE condition:

$result = \Drupal::database()
  ->delete('people')
  ->condition('name', '%_' . $name, 'LIKE')
  ->execute();

If $name is set to a malicious value, like:

$name = '%';

The final query ends up being:

DELETE FROM people WHERE name LIKE "%_%"

Which would delete every row in the people table where the name included an underscore. The proper way to do this is to escape the user input using the escapeLike method, like so:

$database = \Drupal::database();
$result = $database
  ->delete('people')
  ->condition('name', '%_' . $database->escapeLike($name), 'LIKE')
  ->execute();

Trusting user operators

Passing user input as a condition value is generally safe, but passing it to other parts of the API like table names, column names, or condition operators is dangerous. For example, this code has user input ($operator) as a condition operator:

$result = \Drupal::database()
  ->select('people')
  ->condition('name', $name, $operator)
  ->execute();

If $operator is set to a malicious value, like:

$operator = 'IS NOT NULL) UNION ALL SELECT SID,SSID FROM SESSIONS JOIN USERS WHERE ("foo" <>';

The final query ends up being:

SELECT FROM people WHERE (name IS NOT NULL) UNION ALL SELECT SID,SSID FROM SESSIONS JOIN USERS WHERE ("foo" <> :name)

Which would query all session IDs from the sessions table, allowing user sessions to be hijacked.

To address this, compare the user input to a list of known valid SQL operators before using it in the query.
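The following added example (plain PHP using PDO with an in-memory SQLite database; not code from the original post or from Drupal) pulls the three database points above together: bind the value through a placeholder, escape % and _ before they reach a LIKE pattern, and compare a caller-supplied operator against an allow-list before it touches the SQL. escapeLike() here performs the same addcslashes() call as Drupal's Connection::escapeLike(); validateOperator(), findPeople() and findByPrefix() are names invented for the example, the table contents are constructed, and the script assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from Drupal core.
// Runs against an in-memory SQLite database so no Drupal install is needed.

/** Escape LIKE wildcards (% and _) and the escape character itself. */
function escapeLike(string $value): string {
    return addcslashes($value, '\%_');
}

/** Accept only a known comparison operator; anything else is rejected. */
function validateOperator(string $operator): string {
    $allowed = ['=', '<>', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE'];
    $operator = strtoupper(trim($operator));
    if (!in_array($operator, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported operator');
    }
    return $operator;
}

/** The value is bound; the operator is spliced in only after the allow-list check. */
function findPeople(PDO $db, string $name, string $operator): array {
    $operator = validateOperator($operator);
    $stmt = $db->prepare("SELECT name FROM people WHERE name $operator :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Prefix search where the user-supplied prefix may itself contain % or _. */
function findByPrefix(PDO $db, string $prefix): array {
    // ESCAPE '\' tells the database which character escapes the wildcards;
    // Drupal's query builder appends the same clause for LIKE conditions.
    $stmt = $db->prepare(
        "SELECT name FROM people WHERE name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');
$insert = $db->prepare('INSERT INTO people (name) VALUES (:n)');
foreach (['alice', 'al_bert', 'alfred', 'bob'] as $n) {
    $insert->execute([':n' => $n]);
}

// With the underscore escaped, only names beginning with a literal "al_" match.
print_r(findByPrefix($db, 'al_'));
print_r(findPeople($db, 'bob', '='));

try {
    findPeople($db, 'bob', 'IS NOT NULL) OR (');
} catch (InvalidArgumentException $e) {
    echo 'Rejected operator: ', $e->getMessage(), PHP_EOL;
}
```

Without escapeLike(), the prefix 'al_' would match every name starting with "al" followed by any single character, which is the same class of over-matching the DELETE example above suffers from; the operator allow-list is the check the text recommends, done before the string is ever concatenated into SQL.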

General SQL tips

If you use the database API in a typical, non-complex way, you’ll probably be fine. Just remember to use placeholders, escape user input when used in a LIKE statement or as an operator, and try to never write queries by hand.

So you want to write some code…

Beyond Drupal-specific APIs, a lot of your code is just plain PHP, which comes with its own set of security issues. One last kind of exploit I’ll briefly cover is remote code execution, otherwise known as RCE.

RCE occurs when a malicious user identifies an exploit that allows user input to be executed as server-side code, most commonly by your runtime language (PHP) or the shell. RCE allows an attacker to do anything your web server user can do, from reading sensitive data to setting up a persistent backdoor or using the compromised server to reach other servers on your network.

PHP, historically, has allowed for RCE in a lot of different ways, so there’s no golden rule to follow. Instead, watch out for some of the RCE classics:

Using user input to execute shell commands:

`magick convert $user_input output.png`;
shell_exec("magick convert $user_input output.png");

You could use the escapeshellarg function here to escape user input, but that isn’t foolproof: an option such as --foo=bar is just wrapped in quotes, and many command-line applications still treat the quoted value as an option. Validating the user input against a small set of allowed characters may be the best bet here, in addition to using escapeshellarg.

Using eval to execute dynamic PHP expressions:

eval("is_null($user_input)");

This allows arbitrary PHP to be executed and should not be used.

Using unserialize on data that could be entered by the user:

unserialize($user_input);

This allows for object injection, a vulnerability that can lead to RCE, and should be avoided if possible. Consider storing complex data as JSON instead, which is safe to use.

Without a deep experience in how RCE exploits are performed it’s hard to spot vulnerabilities, but you should review any code that has dynamic shell commands, eval, or unserialize with a high level of scrutiny.
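As an added example (plain PHP, not code from the original post), here is what the two mitigations recommended above look like when written out: allow-listing the characters of a file name, and rejecting a leading '-', before escapeshellarg() ever sees the value, and decoding stored data with json_decode() instead of unserialize(). buildConvertCommand() and decodeSettings() are invented names, the candidate inputs are constructed, and JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from Drupal core.
// Requires PHP 7.3+ for JSON_THROW_ON_ERROR.

/**
 * Build the convert command only for names that consist of a conservative
 * character set and do not begin with '-' (which a CLI would parse as an
 * option even when escapeshellarg() has quoted it). escapeshellarg() then
 * handles quoting for the shell.
 */
function buildConvertCommand(string $userFile): string {
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $userFile)) {
        throw new InvalidArgumentException('Invalid file name');
    }
    return 'magick convert ' . escapeshellarg($userFile) . ' output.png';
}

/**
 * JSON decoding never instantiates objects, so a stored payload cannot
 * trigger object injection the way unserialize() can.
 */
function decodeSettings(string $json): array {
    $data = json_decode($json, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Expected a JSON object or array');
    }
    return $data;
}

// Constructed candidates standing in for user-controlled input.
foreach (['photo.jpg', '--foo=bar', 'a;b.png', '../secret.png'] as $candidate) {
    try {
        echo buildConvertCommand($candidate), PHP_EOL;   // only the command is printed, never run
    } catch (InvalidArgumentException $e) {
        echo "Rejected '$candidate': ", $e->getMessage(), PHP_EOL;
    }
}

// Constructed stored settings: JSON in, array out.
$stored = json_encode(['theme' => 'dark', 'per_page' => 25]);
print_r(decodeSettings($stored));

try {
    decodeSettings('O:8:"stdClass":0:{}');   // serialize() output is not JSON
} catch (JsonException $e) {
    echo 'Rejected non-JSON payload', PHP_EOL;
}
```

Of the four candidates only 'photo.jpg' reaches escapeshellarg(); the others fail the character allow-list before any shell syntax is involved. If you cannot move existing data away from PHP's serialize() format, unserialize() since PHP 7.0 also accepts an options array with 'allowed_classes' => FALSE, which prevents object instantiation, but converting to JSON as the text suggests removes the problem entirely.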

A parting thought

Information like this can be daunting, but the best way to apply it to your work is to research common vulnerabilities, try a few exploits out, and make security a part of your company’s culture as well as code. Once you start thinking about security it’s hard to get it out of your head - does your company properly use encryption? Is two factor authentication enforced? How’s your office’s physical security? Being aware of these issues can lead to improvements that extend far beyond your custom code.

Freelock : Assessment of May 8 Drupal Security update SA-CORE-2019-007

2 weeks ago
Assessment of May 8 Drupal Security update SA-CORE-2019-007 John Locke Wed, 05/08/2019 - 14:12

New versions of Drupal core dropped today, to fix a file handling issue.

After assessing the patches, statements, and risks associated with this update, we have decided this is an important update to apply, but not urgent for most of the sites we manage.

Exploitation of the flaw takes two things:


myDropWizard.com: Drupal 6 core security update for SA-CORE-2019-007

2 weeks ago

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Drupal core to fix a vulnerability in the protections added in SA-CORE-2019-003. You can learn more in the security advisory:

Drupal core - Moderately Critical - Third-party Libraries - SA-CORE-2019-007

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Security advisories: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

2 weeks ago
Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Third-party libraries
Description:

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.


TEN7 Blog's Drupal Posts: Episode 059: 2019 Twin Cities Drupal Camp

2 weeks ago

Chris Weber and Dan Moriarty, volunteer organizers for the 2019 Twin Cities Drupal Camp are today's podcast guests. We'll be talking about the changes to this year's TCDrupal Camp and fond memories of previous camps. 

TCDrupal Camp is a three-day conference for open source enthusiasts, designers, hackers, geeks, developers, UI experts, IT managers and anyone else that wants to find out more about Drupal. It’s a great place to learn, code, network and have fun with your fellow Drupalistas.

Dries Buytaert: Acquia acquires Mautic to create the Open Digital Experience Platform

2 weeks ago

I'm happy to announce today that Acquia acquired Mautic, an open source marketing automation and campaign management platform.

A couple of decades ago, I was convinced that every organization required a website — a thought that sounds rather obvious now. Today, I am convinced that every organization will need a Digital Experience Platform (DXP).

Having a website is no longer enough: customers expect to interact with brands through their websites, email, chat and more. They also expect these interactions to be relevant and personalized.

If you don't know Mautic, think of it as an alternative to Adobe's Marketo or Salesforce's Marketing Cloud. Just like these solutions, Mautic provides marketing automation and campaign management capabilities. It's differentiated in that it is easier to use, supports one-to-one customer experiences across many channels, integrates more easily with other tools, and is less expensive.

The flowchart style visual campaign builder you saw in the beginning of the Mautic demo video above is one of my favorite features. I love how it allows marketers to combine content, user profiles, events and a decision engine to deliver the best-next action to customers.

Mautic is a relatively young company, but has quickly grown into the largest open source player in the marketing automation space, with more than 200,000 installations. Its ease of use, flexibility and feature completeness has won over many marketers in a very short time: the company's top-line grew almost 400 percent year-over-year, its number of customers tripled, and Mautic won multiple awards for product innovation and customer service.

The acquisition of Mautic accelerates Acquia's product strategy to deliver the only Open Digital Experience Platform:

The pieces that make up a Digital Experience Platform, and how Mautic fits into Acquia's Open Digital Experience Platform. Acquia is strong in content management, personalization, user profile management and commerce (yellow blocks). Mautic adds or improves Acquia's multi-channel delivery, campaign management and journey orchestration capabilities (purple blocks).

There are many reasons why we like Mautic, but here are my top 3:

Reason 1: Disrupting the market with "open"

Open Source will disrupt every component of the modern technology stack. It's not a matter of if, it's when.

Just as Drupal disrupted web content management with Open Source, we believe Mautic disrupts marketing automation.

With Mautic, Acquia is now the only open and open source alternative to the expensive, closed, and stagnant marketing clouds.

I'm both proud and excited that Acquia is doubling down on Open Source. Given our extensive open source experience, we believe we can help grow Mautic even faster.

Reason 2: Innovating through integrations

To build an optimal customer experience, marketers need to integrate with different data sources, customer technologies, and bespoke in-house platforms. Instead of buying a suite from a single vendor, most marketers want an open platform that allows for open innovation and unlimited integrations.

Only an open architecture can connect any technology in the marketing stack, and only an open source innovation model can evolve fast enough to offer integrations with thousands of marketing technologies (to date, there are 7,000 vendors in the martech landscape).

Because developers are largely responsible for creating and customizing marketing platforms, marketing technology should meet the needs of both business users and technology architects. Unlike other companies in the space, Mautic is loved by both marketers and developers. With Mautic, Acquia continues to focus on both personas.

Reason 3: The same technology stack and business model

Like Drupal, Mautic is built in PHP and Symfony, and like Drupal, Mautic uses the GNU GPL license. Having the same technology stack has many benefits.

Digital agencies or in-house teams need to deliver integrated marketing solutions. Because both Drupal and Mautic use the same technology stack, a single team of developers can work on both.

The similarities also make it possible for both open source communities to collaborate — while it is not something you can force to happen, it will be interesting to see how that dynamic naturally plays out over time.

Last but not least, our business models are also very aligned. Both Acquia and Mautic were "born in the cloud" and make money by offering subscription- and cloud-based delivery options. This means you pay for only what you need and that you can focus on using the products rather than running and maintaining them.

Mautic offers several commercial solutions:

  • Mautic Cloud, a fully managed SaaS version of Mautic with premium features not available in Open Source.
  • For larger organizations, Mautic has a proprietary product called Maestro. Large organizations operate in many regions or territories, and have teams dedicated to each territory. With Maestro, each territory can get its own Mautic instance, but they can still share campaign best-practices, and repeat successful campaigns across territories. It's a unique capability, which is very aligned with the Acquia Cloud Site Factory.

Try Mautic

If you want to try Mautic, you can either install the community version yourself or check out the demo or sandbox environment of Mautic Open Marketing Cloud.

Conclusion

We're very excited to join forces with Mautic. It is such a strategic step for Acquia. Together we'll provide our customers with more freedom, faster innovation, and more flexibility. Open digital experiences are the way of the future.

I've got a lot more to share about the Mautic acquisition, how we plan to integrate Mautic in Acquia's solutions, how we could build bridges between the Drupal and Mautic community, how it impacts the marketplace, and more.

In time, I'll write more about these topics on this blog. In the meantime, please feel free to join DB Hurley, Mautic's founder and CTO, and me in a live Q&A session on Thursday, May 9 at 10am ET. We'll try to answer your questions about Acquia and Mautic.

Digitalist: New module: HTTP Status Code

2 weeks 1 day ago
HTTP Status Code is a new module to manipulate the HTTP status header. The main reason for writing this module is that in some cases you need to make manual fixes on the server side to return 410 Gone headers for paths that you want removed from the Google search index; with this module active you can set up those paths directly in Drupal. You can find the module at drupal.org. Normally, installation should be done with Composer: composer require drupal/http_status_code. The module supports all headers used by Symfony\Component\HttpFoundation\Response. With that said, HTTP headers should be used with caution, so make sure you understand the impact before you manipulate the HTTP header: adding a 301 Redirect header will be really bad when you do not have a redirect in place. If you remove a page, the request for the path of the page normally then gives a 404 not…

Cheeky Monkey Media: 3.5 Ways To Approach (And Budget) For a Drupal 8/9 Migration

2 weeks 1 day ago
3.5 Ways To Approach (And Budget) For a Drupal 8/9 Migration dennis Tue, 05/07/2019 - 23:09

Back in September 2018, Dries Buytaert, founder and project lead of Drupal, announced, 

Drupal 7 will be end-of-life in November 2021, Drupal 9 will be released in 2020, and Drupal 8 will be end-of-life in November 2021. 

You can read the announcement and get further information on this here - https://dri.es/drupal-7-8-and-9

Since that announcement, Cheeky Monkey Media has been in a lot of conversations with businesses of all shapes and sizes, not-for-profit and for-profit, that are currently on the Drupal 7 CMS platform and are considering migrating to Drupal 8.

The first thing everyone needs to realize is that the move to Drupal 8 will be painful, and almost as expensive as building a Drupal website from scratch.

The second thing everyone should realize is that once they’re on Drupal 8, the move to Drupal 9 will be relatively painless.

As Dries announced in a later article,

Security public service announcements: Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07

2 weeks 1 day ago
Date: 2019-May-07
Vulnerability: Drupal 7 and 8 release on May 8th, 2019
Description:

The Drupal Security Team will be coordinating a security release for Drupal 7 and 8 this week on Wednesday, May 8th, 2019.

We are issuing this PSA in advance because according to the regular security release window schedule, May 8th would not typically be a core security window.

This release is rated as moderately critical.

The Drupal 7 and 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm Eastern).

May 8th also remains a normal security release window for contributed projects.

OSTraining: Define Role Based Field Permissions in Drupal 8

2 weeks 1 day ago

The Field Permissions module in Drupal 8 allows you to set permissions (enter, edit or view) on a Drupal field, based on the role the user belongs to.

In order to demonstrate how this module works, we are going to create a content type called "Essay" for the website of a school.

There will be 2 roles:

  • Freshman
  • Sophomore

Freshmen will not be allowed to choose the subject of the essay, whereas Sophomores will be able to choose between literature and history. However, it will not be possible to change the subject once a student has made a choice.

Let’s start!

Drupal Association blog: New on Drupal.org: better visibility into the humans behind the comments

2 weeks 1 day ago

We're excited about a feature built by a member of our community and recently deployed on Drupal.org: to give more human context to discussions in the Drupal issue queue, you can now choose to display your primary language, pronoun, and location.

Update your profile now

This is an opportunity to bolster human context within an online medium where tone and posture can be difficult to read. Providing this level of detail allows for visibility into the global composition of our community — such as when a person's primary language is not English or when a person resides in a distant time zone.

It is important to recognize what being global means and drawing attention to the details that remind us about the people behind the project helps us all to have a greater understanding of one another.

You can enable this new feature by editing your user account and adding pronouns on the personal information tab, and location and language on the Language/location tab. Finally, you can opt into what you would like shown inline in comments under the "comments" tab.

Agaric Collective: Agaric is Coming to Drupaldelphia this Friday

2 weeks 1 day ago
City Hall in Philadelphia. Photo by Jason Murphy, licensed as Creative Commons By 2.0

 

Drupaldelphia is an annual camp held in Philadelphia happening this Friday May 10th for the open source content management platform, Drupal. The event attracts developers, site-builders, content administrators, designers, and anyone interested in using Drupal in their organization or upcoming project.

We're excited to have Ben present two sessions at the camp. Tickets are only $30 (if you buy today, May 7th!) and the day is packed with helpful presentations and hands-on clinics. See the full schedule.

Iterative UX: Find It Cambridge Case Study

2:15-3:45pm
Hussian Room 125

Developing a trusted, ongoing feedback loop with your users ensures that your project is effective and relevant. We call this approach Iterative UX and Ben will share how this looks in practice with the city of Cambridge. You will get a holistic, honest look at both the highlights and challenges of this type of relationship to help you apply Iterative UX in your projects.

Read the full description.

Scaling Community Decision-making

3:45-4:55pm
Hussian Room 125

Any libre software, volunteer, or even startup project will have elements of do-ocracy (rule of those who do the work) but not all decisions should devolve to implementors. Rather, a basic principle is that decisions should be made by the people who are most affected.

  • Learn why meritocracy ("rule of those with merit") is a completely bogus and harmful concept.
  • Gain a passing familiarity with various ways decisions are or have been made in Drupal.
  • Add sociocracy and sortition to your vocabulary and understand how these esoteric concepts can help our community scale.
  • See how Visions Unite is putting more democratic decision-making approaches into practice.

Read the full description.

Read more and discuss at agaric.coop.

Websolutions Agency: What's New in Drupal 8.7

2 weeks 1 day ago

Drupal 8.7 was released a couple of days ago, on May 1, 2019. As you might know, new features are added with each minor release of Drupal 8 (e.g. between 8.6 and 8.7), which occur at 6-month intervals. Originally 8.7 was supposed to be released in March 2019. But the timing of Drupal's releases has historically fallen 1-2 months before Symfony's releases, which forced the Drupal community to wait six months to adopt the latest Symfony release. In order to adopt the latest Symfony releases faster, the Drupal community shifted Drupal's minor releases to May and December, a plan that allows adoption of the latest Symfony release within a month.

This is the penultimate version of Drupal 8, which will be concluded with Drupal 8.8 in December 2019, after which we expect the release of Drupal 9 sometime in June next year!

Besides bug fixes and dependency updates, let's see what new features Drupal 8.7 brings!

 

Revisions

Taxonomy terms and custom menu links are now revisionable, which allows them to take part in editorial workflows, something that until now was only possible for content types and custom blocks.

 

JSON:API in Core

Drupal 8.7 will provide an out-of-the-box JSON:API implementation, marking another major milestone towards making Drupal API-first.

Now you will be able to generate an API server that implements the JSON:API specification with zero configuration. Once you enable the module, you are done.

Developers and content-creators can use it to build both coupled and decoupled applications and pull content from Drupal into iOS and Android applications, chatbots, decoupled frontends such as ReactJS, voice assistants and many more!

 

Layout Builder module is now stable

Layout Builder module was originally added as an experimental core module in Drupal 8.5 and is now stable and ready for production use!

If you haven’t heard of it, Layout Builder offers a single, powerful visual design tool for site builders to create templated layouts and custom landing pages.

 

PHP 7.3 Is Now Supported

PHP 7.3 was released in December 2018 and comes with numerous improvements and new features. Also with this release new Drupal sites can only be installed on PHP 7.0.8 or later. Installing Drupal on older versions results in a requirement error.

 

However, existing sites will still work on at least PHP 5.5.9 for now, but will display a warning.

PHP stopped supporting version 5.5 on July 21, 2016, and Drupal security updates will begin requiring PHP 7 as early as Drupal 8.8.0 (December 2019), so all users are advised to update to at least PHP 7.0.8 now, or preferably to PHP 7.3.
 

GDPR

As part of continuing GDPR compliance improvements in Drupal core, Comment module no longer logs IP addresses for comments by default. Existing sites will still continue to log IP addresses but this can be changed by changing comment.settings.log_ip_addresses to FALSE in the site configuration using settings.php.

 

This was just a brief overview of the new features. For a full list, take a look at the official release notes: https://www.drupal.org/project/drupal/releases/8.7.0

 

ws_admin Tue, 05/07/2019 - 14:05

Jacob Rockowitz: Webform module now supports printing PDF documents

2 weeks 1 day ago

Problem

To be competitive with enterprise form builders, the Webform module for Drupal 8 needs to support the downloading and exporting of submissions as PDF documents, as well as sending PDF documents as email attachments.

The Entity Print module does a great job of generating PDF documents from entities and fields, but webform submissions don't use Field API. This limitation has required site builders and developers to create custom Entity Print integrations for the Webform module.

Solution

The Webform module now includes a Webform Entity Print integration module, which handles downloading, exporting, and attaching generated PDF documents. Additionally, the Webform module allows the generated PDF document's header, footer, and CSS to be customized.

Demo

When enabled, Webform Entity Print module automatically displays a "Download PDF" link below all submissions and adds a download "PDF documents" option to the available export formats. Attaching PDF documents to emails requires that you add an "Attachment PDF" element to a webform and then configure email handlers to "Include files as attachments."

The screencast and presentation below walk through customizing the PDF link and template, exporting PDF documents, and attaching PDFs to emails.

Scratching my own itch

Adding PDF support was not a sponsored feature. I wanted the Webform module to support this advanced feature; so I created it. I was scratching my own itch.

The bigger itch/the challenge that I am always scratching at is:

Competing with other form builders

Competing enterprise and open source form builders alike tend to put this PDF functionality behind a paywall. For example, WordPress's Gravity Form (Read More

OPTASY: Looking for a Drupal 8 Rating Module? Here Is a Top 5 Flexible and User-Friendly Rating and Review Modules

2 weeks 2 days ago
adriana.cacoveanu Tue, 05/07/2019 - 11:08

Looking for a Drupal 8 rating module that is:

  • easy to install
  • easy to configure
  • easy to use
  • conveniently flexible
  • and user-friendly?


And maybe you “crave” some nice-to-have features as well:

  • enabling users to add a short review
  • multiple ratings: enabling users to vote on several aspects of your product/service, such as price, quality and ease of use


What are your options? Which working (and stable) rating and review modules are there for Drupal 8?

We've done the research for you, evaluated the rating modules available for Drupal 8 and come up with a list of the 6 best... rated ones:


Flocon de toile | Freelance Drupal: Set up a notification system on Drupal 8

2 weeks 2 days ago
For many Drupal 8 projects that have even minimal interaction with their users, the need to set up a notification system quickly comes to the forefront. Being notified of a new comment, of a reply to a comment, or of a new publication on a particular subject or by a particular user are recurring needs. To meet this kind of need, we are going to look at a new module, Entity Activity, whose sole purpose is to log all types of actions performed by users on a project, according to their subscriptions. The Entity Activity module lets us generate any type of message, for any type of content entity, on the three main operations of the content life cycle: its creation, its update and its deletion.

Sooper Drupal Themes: Freelancer hiring: 9 Challenges to expect

2 weeks 2 days ago
Freelancing: a growing trend

It seems the trend nowadays is for workers to take the freelancing route. With 36% of the U.S. workforce currently freelancing, this trend is steadily gaining traction. But what does this mean for businesses? Hiring freelancers definitely has its benefits, but it also has its challenges. In this article I’m going to talk about the potential drawbacks that come with hiring a freelancer.

1. Hiring the wrong freelancer

Hiring the right person for the job is a complicated process even for a regular full-time employee. When it comes to hiring a freelancer, however, the interview should not follow the same process as for a full-time employee. Working from home requires a high degree of self-motivation, resourcefulness and self-discipline. On top of that, the freelancer should also be resilient to loneliness, since freelancing usually lacks the social engagement that a conventional workplace provides. If the freelancer doesn’t have these qualities, they are going to be unhappy during the 30-40 hours a week they are working, which is bad for business and bad for humanity.

2. Too many options

After posting a job advertisement, a client might suddenly be bombarded with replies from freelancers who are out to get the gig. But how does the client choose from so many options? Some freelancers set up bots that automatically reply to job posts based on a few parameters. Most of the time, these freelancers will not have read the job requirements and have not taken the time to make sure that they are a good fit for the job. Then there is another type of freelancer: the ones who report a great amount of experience yet charge suspiciously low rates. These freelancers either don't value their own work, or the quality of the work they provide is questionable and they use low rates as a cover-up. A client might feel overwhelmed by the options at their disposal. The best way to avoid this is to have an effective way to screen freelancers.

3. Communication problems

Another big challenge that comes with hiring a freelancer is communication. As the name implies, freelancers are free to work whenever they want or feel inspired. What this means is that as a client you might not receive updates on the status of the freelancer's work. This can create a lot of uncertainty for the client, who is kept in the dark about the progress of the project.

4. Payment issues

Freelancers are not like regular employees, so naturally the payment process is going to differ as well. First of all, the freelancer will not appear on the company's payroll, so other ways of making the payment have to be found. On top of that, if the freelancer is based in another country, the cost of transferring the money has to be taken into account. It's important to find a way to transfer the money that is advantageous for both the client and the freelancer; this way, confusion about how long the payment will take and the high fees charged by international bank transfers are avoided. Some services that work well for paying overseas freelancers are PayPal, Skrill and Payoneer.

5. Being clear in requirements and feedback

To avoid frustration on both sides, the client has to be clear in their requirements and in the feedback they provide to the freelancer. Otherwise, the client risks seeing the finished project in a totally different light than expected. In order to receive the project the way they envisioned it, the client has to be as thorough as possible when describing the job requirements, and regular feedback has to be provided. This way, the client greatly increases the chances that the result they receive is satisfactory.

6. Different language and culture

When it comes to effective communication, speaking a common language is essential. In most cases, this language is going to be English. Finding a freelancer who can communicate in English at an advanced enough level to discuss work-related subjects might be difficult. On top of that, the culture of a country also has to be taken into account, keeping in mind that different cultures have different approaches to communication: for example, the difference between low-context and high-context societies, where one relies on explicit communication and the other on implicit communication, and where non-verbal communication and cues are valued to different degrees. Being aware of these differences can make communication easier and more pleasant for both parties.

7. Lack of commitment

Freelancers can take on multiple projects from different clients. What this means is that a freelancer may not be able to fully commit to your project, especially if another project is more challenging, exciting or financially rewarding. A freelancer will always prioritize the projects that make more sense from the point of view of those aspects, pushing other projects to the side. This can cause a lot of frustration for the client. To avoid it, the client has to make their project as appealing as possible from every angle: for example, make sure that the project is challenging and exciting enough to keep the freelancer engaged, and avoid paying below market rates, because that works as an open invitation for the freelancer to find new clients.

8. Missed deadlines

Another challenge that clients face when hiring a freelancer is missed deadlines. Freelancers have more freedom when planning their working routine, as long as the contract does not stipulate specific working hours. This means there is an increased risk of life events getting in the way: events like weddings, a relative getting sick or funerals seem to happen more frequently than for regular employees. These events can interfere with the freelancer's ability to deliver the project on time, resulting in a missed deadline.

9. Misunderstandings

Since freelancers don’t work in the office like regular employees, they are harder to supervise. What this means is that they are not there for the client to get regular updates from, to give feedback to or to train. If clear enough instructions were not provided, the freelancer may finish the project in a different manner than the one the client envisioned. This misunderstanding leads to frustration on both sides, since the client will demand adjustments and the freelancer will deliver them without getting paid for them.

Conclusion

Hiring a remote worker is always a challenge, especially now that working culture has not yet fully adapted to the flexibility of freelancers. However, being aware of the challenges of hiring a freelancer will make it easier to adapt and to foster a productive relationship between you and your outsourced worker. So embrace change and consider hiring freelancers.

Drupal.org - aggregated feeds in category Planet Drupal