Feed aggregator

Droptica: Drupal Security Modules and Best Practices for Your Website

Main Drupal Feed - Fri, 09/24/2021 - 09:09

The security of the solutions we provide is a very important factor for us. Due to this and the fact that Drupal is the safest CMS, in this article, we'll present the list of recommendations that'll take the security of your Drupal website to an even higher level.

Drupal security. Why is it good to stay up to date?

Your application is less susceptible to exploiting known vulnerabilities. That's it. But it means so much more.

As I've mentioned before – updating modules and libraries is one of the simpler methods of improving the security of our application. The Drupal community, supported by the special Drupal Security Team, constantly monitors user reports on potential security bugs and offers to help the modules' authors solve them. The result of these actions is module updates that introduce security patches.

Configuration of the login panel

An incorrectly configured login panel may reveal whether a user with the login entered in the form exists in the database. If the response the panel returns for an incorrect login differs from the one it returns for a correct login, we're dealing with a brute force attack vector. This way, the attacker may obtain the logins first and then deal with brute-forcing the passwords.
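One way to close this gap, shown as an added example that is not part of the original article or Drupal's own login code: the failure message and the work done are the same whether or not the login exists. The account store, messages and function names are constructed for illustration.

```php
<?php
// Added example: constructed accounts and messages, not Drupal's login code.

// Constructed account store: login => password hash.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hash that is checked when the login is unknown, so both paths cost the same.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Leaky variant: the message reveals whether the login exists.
function login_leaky(array $users, string $name, string $pass): string {
  if (!isset($users[$name])) {
    return 'Unknown user.';
  }
  return password_verify($pass, $users[$name]) ? 'Welcome.' : 'Wrong password.';
}

// Uniform variant: one failure message, and a hash is verified on every call.
function login_uniform(array $users, string $dummyHash, string $name, string $pass): string {
  $known = isset($users[$name]);
  $matches = password_verify($pass, $known ? $users[$name] : $dummyHash);
  return ($known && $matches) ? 'Welcome.' : 'Unrecognized username or password.';
}

// Regression check for a login handler: a wrong password must produce the
// same response for an existing and a non-existing login.
function reveals_logins(callable $login): bool {
  return $login('alice', 'wrong-password') !== $login('no-such-user', 'wrong-password');
}

$leaky = fn(string $n, string $p): string => login_leaky($users, $n, $p);
$uniform = fn(string $n, string $p): string => login_uniform($users, $dummyHash, $n, $p);

// Report whether each handler discloses the existence of a login.
var_dump(reveals_logins($leaky));
var_dump(reveals_logins($uniform));

// The uniform handler must still accept the correct credentials.
var_dump($uniform('alice', 'correct horse battery staple') === 'Welcome.');
```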

Drupal modules increasing website security

Drupal has several modules that may improve security. Their configuration doesn't require extensive technical knowledge and doesn't take as much time as other methods of securing a website. We present below some tools of this type.

Drupal Password Policy

The Password Policy module allows for enforcing restrictions on users' passwords by defining password policies. A policy is defined by a set of requirements that must be met before a user password change is accepted. Every restriction has a parameter that specifies the minimum number of important conditions that must be fulfilled to meet the requirement.

Let's suppose we have a restriction on uppercase letters (with parameter 2), as well as a restriction on numbers (with parameter 4). This means that a user password must contain at least two uppercase letters and at least four numbers to be accepted.

The module also implements the "expiring password" function. The user is forced to change their password and is optionally blocked when their old password expires.

Drupal Password Policy allows administrators to force specific users or entire roles to change their password the next time they log in. The request to change the password, along with the appropriate form, appears as a popup instead of redirecting the user to the typical user/{user_id}/edit page.

Drupal Security Review

The Security Review module automates the testing of many easy-to-make mistakes that cause the website to be unsafe. This Drupal module is intuitive and very easy to use. The quickly-prepared report is legible and clearly indicates what needs to be improved. The module doesn't automatically introduce changes to your page. The results of the report should be analyzed, and – in selected cases – appropriate corrections should be made. Not all recommendations will be acceptable. It all depends on the unique factors of your website.

Drupal Security Kit

The Security Kit module provides a variety of security-enhancing options to help reduce the risk of various vulnerabilities in your application being exploited. The module reduces the likelihood of many types of attacks, including:

  • cross-site scripting,
  • cross-site request forgery,
  • clickjacking.

The full description of the functionalities can be found in the article linked above.

Drupal Paranoia

The Paranoia module identifies most places where the user can execute the PHP code using the Drupal interface and then blocks them. This reduces the potential threat resulting from the attacker gaining high-level authorization in Drupal.

What does the module do?

  • Blocks granting of the permission to use PHP for block visibility.
  • Blocks the ability to create text formats that use the PHP filter.
  • Blocks the ability to edit the user account with uid 1.
  • Blocks granting the permissions that may reduce the website security.
  • Blocks disabling this module. To disable it, you need to edit the database.

In order to take full advantage of this module, you need to identify all the entities, fields, and blocks that use the Drupal PHP filter and change them so that they work without it, and then remove the standard PHP filter available in admin/config/content/formats.

How to write secure code in Drupal?

Drupal uses the solutions that are assumed to be secure when used according to the standards. There are many rules you need to follow when writing secure code. We present the most important of them below.

Use Twig

The Twig engine "auto-escapes" all variables by default. This means that all the strings rendered by the Twig templates (e.g., everything between {{ }}) are automatically cleared of the elements that may compromise the security of your application.

When rendering attributes, be sure to enclose their values in quotation marks " or apostrophes '. For example, class="{{foo}}", not class={{foo}}.
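Why the quotes matter, as an added example that is not part of the original article: auto-escaping neutralises HTML special characters but leaves spaces alone, so an unquoted value can spill into extra attributes. `twig_html_escape()` is a hypothetical stand-in that mirrors Twig's default `html` strategy with `htmlspecialchars()`, and `$foo` is a constructed value.

```php
<?php
// Added example; requires the PHP DOM extension. Names and input are constructed.

// Hypothetical stand-in for Twig's default "html" escaping strategy.
function twig_html_escape(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse the markup the way a browser-like HTML parser would and list the
// attribute names that end up on the first <div>.
function attribute_names(string $html): array {
  libxml_use_internal_errors(true);
  $doc = new DOMDocument();
  $doc->loadHTML($html);
  $names = [];
  foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
    $names[] = $attr->name;
  }
  return $names;
}

// Constructed value standing in for untrusted input rendered as {{ foo }}.
$foo = 'teaser onmouseover=alert(1)';
$escaped = twig_html_escape($foo);

// The value contains no HTML special characters, so escaping changes nothing.
var_dump($escaped === $foo);

// class={{foo}}: the space ends the class value and starts a new attribute.
$unquoted = '<div class=' . $escaped . '>text</div>';

// class="{{foo}}": the whole value stays inside the class attribute.
$quoted = '<div class="' . $escaped . '">text</div>';

echo 'unquoted: ', implode(', ', attribute_names($unquoted)), "\n";
echo 'quoted:   ', implode(', ', attribute_names($quoted)), "\n";
```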

Use placeholders

Translation API also cleans up strings. Use it for the strings you want to translate and later, for example, render on the frontend side.

In Drupal, there are three types of placeholders in the Translation API:

@variable

We use it when we want to substitute a string or an object of the MarkupInterface class for a placeholder.

%variable

We use it when we want to embed a value between the tags.

:variable

We use it when the value we want to substitute is the URL we want to embed in the href attribute.

You can find more about placeholders at Drupal.org.
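The three placeholder types applied to the same hostile input, as an added example that is not part of the original article. It uses `FormattableMarkup`, the class that `t()` relies on for placeholder substitution, and assumes it is run from the root of a Composer-based Drupal 8 or 9 project so that `vendor/autoload.php` exists; all input values are constructed.

```php
<?php
// Added example; assumes the script sits in the root of a Composer-based
// Drupal project, next to the vendor/ directory.
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Core\Render\Markup;

// Constructed hostile values standing in for user-controlled data.
$name  = '<script>alert(1)</script>';
$title = 'Q3 <b>report</b>';
$url   = 'javascript:alert(1)';

// Each value goes through the placeholder type that matches where it lands:
// @ for escaped text, : for a URL inside href, % for emphasised text.
$correct = new FormattableMarkup(
  'Hello @name, read <a href=":url">%title</a>.',
  ['@name' => $name, ':url' => $url, '%title' => $title]
);

// Mistake 1: @ inside href escapes HTML characters but keeps the URL scheme,
// so a javascript: URL survives. Only the : placeholder strips it.
$wrongType = new FormattableMarkup('<a href="@url">link</a>', ['@url' => $url]);

// Mistake 2: wrapping untrusted input in a MarkupInterface object marks it
// as already safe, so @ passes it through without escaping.
$wrongWrap = new FormattableMarkup('Hello @name', ['@name' => Markup::create($name)]);

echo $correct, "\n";
echo $wrongType, "\n";
echo $wrongWrap, "\n";

// Checks a reviewer can read off directly.
var_dump(strpos((string) $correct, 'javascript:') === false);
var_dump(strpos((string) $correct, '<script>') === false);
var_dump(strpos((string) $wrongType, 'javascript:') !== false);
var_dump(strpos((string) $wrongWrap, '<script>') !== false);
```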

Learn the API and use it

Drupal provides many features for cleaning up strings. Among them are:

t(), Drupal::translation()->formatPlural()

Used along with the placeholders described above, it allows for creating secure strings ready to be translated.

Html::escape()

Used to clean up plain text.

Xss::filterAdmin()

Use it when you want to clean up the text entered by an admin who should be able to use most of the HTML tags and attributes.

UrlHelper::stripDangerousProtocols(), UrlHelper::filterBadProtocol()

Useful for URL checking, can be used together with SafeMarkup::format().

The strings that have passed through the functions t(), Html::escape(), Xss::filter() or Xss::filterAdmin() are automatically considered safe, as are the strings produced by the render array from the Renderer class.

Filter text also in JavaScript

Server-side text filtering is considered to be one of the best practices. However, there are cases where filtering will also take place on the client side to provide additional temporary filtering capability. It's useful, for example, when rendering the elements that are updated as the user types the text (that is, there are changes to the DOM tree being introduced). To filter text in Drupal by using JavaScript, you should use the Drupal.checkPlain() function. This feature cleans up the text by removing the harmful elements and protects against, for example, some clickjacking attack methods.

Use an abstraction layer when working with a database

We recommend never using pure values in the queries. You should use placeholders instead.

Example:

\Database::getConnection()->query('SELECT foo FROM {table} t WHERE t.name = ' . $_GET['user']);

Vs

\Database::getConnection()->query('SELECT foo FROM {table} t WHERE t.name = :name', [':name' => $_GET['user']]);

In the second case, instead of using the value from the user parameter directly, we provide it as the :name placeholder substitute. This way, before putting this value in the final query, Drupal will first clean it from the elements that could cause SQL Injection.

Security audit

The process of "hardening" a site should end with a comprehensive security audit that will catch even more potential threats on your page.

A security audit should include:

Modules and libraries review. This means checking the versions of the installed Drupal modules, reviewing the patches, PHP libraries, and JavaScript.

Configuration review. As part of this activity, we carry out authorization audits for the roles, views, routing.yml files in custom modules, text formats, error logging and forms.

Repository review. We check the custom modules and themes, including routing, custom forms, SQL queries, filtering mechanisms and file permissions.

Repository contents identification. We audit the contents of the settings.php and .env files. We also conduct an audit of deeply hidden elements. It's based on checking the repository for, for example, SSL private keys or database copies or dumps.

You can find the full description of many of the elements presented in the above list in the linked articles.
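The repository contents check from the last item above, as an added example that is not Droptica's own tooling: it flags tracked credential files, dump and key file types, and private key blocks hidden under any file name. The name lists, the `audit_repository()` helper and the sample tree are constructed for illustration.

```php
<?php
// Added example, not the article's tooling. Patterns and sample files are constructed.

// File names whose contents need a manual review for credentials.
const RISKY_NAMES = ['.env', 'settings.php', 'settings.local.php'];
// File types that should not normally be tracked in a repository.
const RISKY_SUFFIXES = ['.sql', '.sql.gz', '.dump', '.pem', '.key', '.p12'];

// Walk a checked-out repository and return [relative path, reason] pairs.
function audit_repository(string $root): array {
  $findings = [];
  $files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
  );
  $gitDir = DIRECTORY_SEPARATOR . '.git' . DIRECTORY_SEPARATOR;
  foreach ($files as $file) {
    $path = $file->getPathname();
    if (!$file->isFile() || strpos($path, $gitDir) !== false) {
      continue;
    }
    $name = strtolower($file->getFilename());
    $rel = substr($path, strlen($root) + 1);
    if (in_array($name, RISKY_NAMES, true)) {
      $findings[] = [$rel, 'credentials file: review contents'];
    }
    foreach (RISKY_SUFFIXES as $suffix) {
      if (substr($name, -strlen($suffix)) === $suffix) {
        $findings[] = [$rel, "suspicious file type ($suffix)"];
        break;
      }
    }
    // Key material can hide under any name, so check the start of the content too.
    $head = (string) file_get_contents($path, false, null, 0, 4096);
    if (preg_match('/-----BEGIN [A-Z ]*PRIVATE KEY-----/', $head)) {
      $findings[] = [$rel, 'private key block in file content'];
    }
  }
  sort($findings);
  return $findings;
}

// Constructed sample tree so the script runs without a real repository.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'repo-audit-' . bin2hex(random_bytes(4));
mkdir("$root/web/sites/default", 0700, true);
mkdir("$root/backups", 0700, true);
file_put_contents("$root/.env", "DB_PASSWORD=constructed-example\n");
file_put_contents("$root/web/sites/default/settings.php", "<?php\n// constructed sample\n");
file_put_contents("$root/backups/prod-2021.sql.gz", "constructed placeholder, not a real dump\n");
file_put_contents("$root/web/notes.txt", "-----BEGIN RSA PRIVATE KEY-----\n(constructed marker only)\n");
file_put_contents("$root/web/index.php", "<?php\n");

foreach (audit_repository($root) as [$path, $reason]) {
  printf("%-40s %s\n", $path, $reason);
}
```

Point `audit_repository()` at a clean checkout rather than a working copy, so that only files actually tracked in the repository are reported.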

Drupal security modules - summary

Depending on the level of advancement and knowledge of Drupal, you can introduce appropriate corrections to the application to make it more secure. The examples presented in this article will definitely reduce the number of attack vectors and the likelihood of using them. We recommend analyzing the available options and possibly introducing the changes or new elements that'll reduce the risk of an attack on your application. If you need help with such activities, our Drupal support team can conduct an audit of your website security.

Open Y Lily

Drupal Themes - Fri, 09/24/2021 - 08:15

# Maintaining the theme.

In order to compile css here are the necessary steps:

1. Install Ruby 2.2.5:

`gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3`

`\curl -sSL https://get.rvm.io | bash -s stable`

To start using RVM you need to run
`source ~/.rvm/scripts/rvm`

If it is still not working, restart the sh client.

`rvm install ruby-2.2.5`

Set as default ruby:

`rvm --default use 2.2.5`

2. Install ruby-compass:

`sudo apt-get install ruby-compass`

3. Install bundler

`sudo gem install bundler`

4. Install autoprefixer

`sudo apt-get install ruby$(ruby -e 'puts RUBY_VERSION[/\d+\.\d+/]')-dev`

`sudo gem install autoprefixer-rails -v '6.4.1.1'`

5. Go to the theme folder

`bundle install`

If you see an error like this `tmpdir': could not find a temporary directory (ArgumentError)`
run the command `sudo chmod o+t /tmp` and try again.

6. To compile css one time use

`bundler exec compass compile`

7. Compass watching changes

`bundler exec compass watch --poll`

Open Y Rose

Drupal Themes - Fri, 09/24/2021 - 08:02

# Maintaining the theme.

1. Install Ruby 2.2.5:

`gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3`

`\curl -sSL https://get.rvm.io | bash -s stable`

To start using RVM you need to run
`source ~/.rvm/scripts/rvm`

If it is still not working, restart the sh client.

`rvm install ruby-2.2.5`

Set as default ruby:

`rvm --default use 2.2.5`

2. Install bundler

`sudo gem install bundler`

3. Go to the theme folder

`bundle install`

If you see an error like this `tmpdir': could not find a temporary directory (ArgumentError)`
run the command `chmod o+t /tmp` and try again.

4. To compile css use

`bundler exec compass compile`

5. Compass watching changes

`bundler exec compass watch --poll`

Open Y Carnation

Drupal Themes - Fri, 09/24/2021 - 07:34

# OpenY Carnation theme Readme.

## 1. General info.
Carnation is an OpenY profile theme based on Twitter Bootstrap 4.

## 2. Theme development

Carnation uses the Webpack compiler. If you want to make any changes in css
or js, please install Node.js and follow the next instructions.

## 2.1 Go to the theme's folder and install the packages that are required for compilation.

`npm install`

## 2.2 Use dev mode for development (the watcher will scan for your changes and generate a compiled version on the fly)

`npm run dev`

## 2.3 For final compilation, please use the build command.

`npm run build`

## 2.4 YARN (alternative to NPM) support

If you prefer yarn rather than npm, it is also supported

To install it, use (`brew install yarn`)

Dev mode: `yarn run dev`

Production build: `yarn run build`

PreviousNext: Overview of our Front-end Stack

Main Drupal Feed - Fri, 09/24/2021 - 02:12

Front-end technology stacks tend to move quickly. At PreviousNext, we have been constantly evolving the tech stack to take advantage of best-practice.

In this post, we take a closer look at the front-end tools we use at PreviousNext in 2021 and some of the rationale behind the decisions.

by kim.pepper / 24 September 2021

Our front-end stack consists of the following tools:

  • npm, manages all our dependencies and runs our build scripts.
  • post-css to modernise our CSS.
  • kss-node builds the styleguide.
  • stylelint and eslint lints our CSS and JS.
  • Browsersync is used for testing and CSS live reloading.
  • babel and rollup.js are used to transpile and bundle ES6 js.

NPM

Modern front-end development leverages many open-source libraries for JavaScript. To manage all this, we use npm as the package manager. There was a period where frustrations with performance led to us switching to yarn, but these issues have been resolved in more recent versions of npm, so we switched back.

We also store a number of script aliases in package.json to simplify the day to day task. This includes compiling CSS/JS and generating a styleguide. For example:

$ npm start

will automatically watch for any changes to .css or .js files, will build the CSS, styleguide, and live reload Browsersync.

KSS

KSS Node is a Node.js implementation of Knyle Style Sheets (KSS), "a documentation syntax for CSS" that's intended to have syntax readable by humans and machines. We use KSS to generate our living styleguides.

Browsersync

We use Browsersync to speed up the feedback loop. Changes to CSS and JS are compiled and automatically sync'd with the browser, so you see changes immediately.

Maintaining coding standards

By default Linting is required for all custom CSS and JS files. This makes code reviews way easier, as we're not having to pick up on style changes, and can focus on the meaningful changes.

We use Stylelint for CSS linting, and ESLint for JavaScript linting with

SMACSS, BEM and DRY

We follow the SMACSS approach to categorisation, breaking CSS down into modular components.

We also follow the basic BEM naming pattern.

When combined with DRY (don’t repeat yourself) approach to CSS in general, this ensures the Drupal theme meets current coding standards.

We use some alternative terminology as these are used in Drupal already (e.g. blocks and modules). They map to the original as follows:

# From SMACSS
module = component
submodule = variant
theme = variant

# From BEM
block = component
modifier = variant

CSS Structure and Categorisation

We like to compile CSS files into separate components:

# Custom variables; included in all other files.
/src/_constants.css

# Base styles; resets, element defaults, fonts, etc.
/src/base/*

# Layouts and grid systems.
/src/layout/*

# Form fields.
/src/form/*

# Components; independently styled components that can live anywhere in a layout.
/src/*

Testing for accessibility

We regularly run our Drupal theme through Nightwatch Axe to make sure we aren't creating any accessibility errors.

This will review the following (and more):

Mixtape

On top of all this, PreviousNext has developed its own design system, Mixtape. This allows us to re-use common design components across the sites we develop.

Mixtape provides:

JavaScript ESM

Our JavaScript builds have evolved to leverage ES6 modules/imports and code splitting with Rollup.

Entry points from custom profiles, modules, and themes are consumed and outputted with common chunks into site wide libraries. You can read more about our approach in our post on Performance improvements with Drupal 8 Libraries.

All JavaScript uses ES6 syntax, which is transpiled using Babel. This allows us to develop using modern JavaScript while still supporting older browsers. See Using ES6 in your Drupal Components.

Summary

Front-end development is constantly evolving, but as you can see, we can keep the front-end development of Drupal sites up to date using the latest tools and techniques.


Drupal Association blog: You can become a co-maintainer of modules for Drupal 9!

Main Drupal Feed - Thu, 09/23/2021 - 20:26

Are you looking to take the next step in contributing to Drupal?

At DrupalCon Europe contribution days, 4-7 October (free to all!), one way you can get involved is by offering to co-maintain modules that still need to be updated for Drupal 9. 

You can find a list of available projects here - be sure to check the date in the issue title to ensure the project is eligible for maintainer requests! 

If an issue has already been closed - that means the maintainer has declined new maintainer help, so focus on the open issues only. 

The steps to request co-maintainership are:

  1. Comment on the issue explaining why you would like to maintain the module. 

  2. If the project is opted in to security coverage, confirm that you have previously received security coverage opt-in permission.

  3. If an existing maintainer has not commented, move the issue to the Drupal.org Project Ownership queue by editing the 'Project' field on this issue.

  4. From there, a Drupal.org Site Moderator will review the issue and grant maintainership if the requirements are met. 

Thank you for getting involved and making Drupal even better!

Promet Source: Why Open Source is Force for Good Government

Main Drupal Feed - Thu, 09/23/2021 - 17:00
Last week, one of the largest and most populous counties in the United States launched a new website that a team of us at Promet Source had the privilege to design, build, and manage the content migration from a proprietary CMS.  Seeing this beautiful multi site project through to completion was more than a labor of love. We viewed it as a rescue mission from a costly, locked-in software licensing contract and toward the flexibility and freedom of an open source, Drupal CMS. 

Acro Media: Getting started with BigCommerce for Drupal | Acro Media

Main Drupal Feed - Thu, 09/23/2021 - 14:00

Acro Media’s own Chithra K has put together this handy, step-by-step guide to integrating your BigCommerce store with the Drupal CMS.

BigCommerce for Drupal setup guide

The BigCommerce for Drupal module, created by Acro Media in partnership with BigCommerce, was released early this year and brings together two different platforms – BigCommerce, the open SaaS ecommerce platform, and Drupal, the open source content management system. The result provides a wonderful new way for retailers to implement an innovative and content-rich headless ecommerce strategy. If you use one and would like to have the capabilities of the other, the BigCommerce for Drupal module is the bridge you need. With this module, you can use Drupal as the powerful front-end CMS with BigCommerce as the easy-to-use and scalable ecommerce backend.

This post is a step-by-step guide for people who want to know how to install the BigCommerce for Drupal module and get started with both platforms. If you just want to know more about BigCommerce and Drupal together as an ecommerce solution, check out this post instead.

How this module works

Here’s a quick overview of how this all works. The BigCommerce for Drupal module integrates BigCommerce and Drupal together, but each platform is still used for different tasks.

In BigCommerce, you configure products, categories, shipping, taxes and everything else for the ecommerce side of your site. BigCommerce is also where you go to manage orders as they come in.

Drupal is then used for the website frontend and themeing. Product and category information from BigCommerce are synced to Drupal, importing them as Drupal Commerce products so that they can be displayed and used like any other Drupal-based content. Any non-commerce content is also managed within Drupal. When a customer goes to checkout, a BigCommerce checkout pane is embedded in the Drupal site to securely process payment and save customer and order information.

Setup BigCommerce and Drupal

On to the guide! Follow these steps and you’ll have your BigCommerce and Drupal store configured in no time!

Prerequisites

This guide already assumes that you have the following ready.

  1. A BigCommerce account and store created
    You will need to create a BigCommerce account with at least one product, shipping method and payment method configured in your BigCommerce store. Do this here, not in Drupal.

    NOTE: BigCommerce currently offers a 14-day trial period, so anyone can go and create and configure a store easily for free. For this demo, I signed up for that and created some random products to use for testing.

  2. A working Drupal 8 site
    You should have a Drupal 8 site with the Commerce module enabled and a default store added (via Commerce > Configuration > Store > Stores). You don’t need to do any other setup here yet or enable any of the other Commerce modules like checkout or payment. BigCommerce is going to handle all of this for you.

  3. An SSL certificate for your Drupal site
    Your Drupal website needs to have an SSL certificate active for the BigCommerce checkout form to render. This is required because it ensures security for your customers at checkout, so make sure you install one.
BigCommerce for Drupal setup guide

With the prerequisites done, here’s what you need to do to get the BigCommerce for Drupal connection made.

Step 1: Create a BigCommerce API account
  1. Go to your BigCommerce store admin page and navigate to Advanced Settings > API Accounts.

  2. Click on the “Create API Account” button and select “Create V3/V2 API Token”.


    Fig: BigCommerce Store API Accounts page

  3. Provide a name (e.g. Product Sync) and select the scope for each feature (e.g. if you don’t want the Drupal admin to be able to modify the product information, you can set the scope for “Products” to “read-only”).


    Fig: API configuration in BigCommerce

  4. Click “Save” to save your changes. Once saved, you will see a summary and a prompt to download a file. Download it and keep it safe. Once you create an API account, you can’t modify the keys (but you can always make a new one).


    Fig: BigCommerce API Credentials dialogue box
Step 2: Download and configure the BigCommerce for Drupal module
  1. Get and install the BigCommerce for Drupal module.

    TIP: This module requires a bunch of other modules to work. To get the BigCommerce for Drupal module and all of its dependencies at the same time it’s recommended to use Composer instead of manually downloading it. Running the following command within your Composer-based Drupal project will get everything you need.

    composer require drupal/bigcommerce
  2. In Drupal, navigate to the module configuration page at Commerce > Configuration > BigCommerce > BigCommerce Settings.
    1. Fill in the API Path, Client ID, Secret Key, and Access Token that you received when creating the BigCommerce API account.

    2. Hit “Save”. If everything is correct, you will see a message saying “Connected Successfully”.


      Fig: BigCommerce Configuration page in Drupal site
  3. Next, we configure the Channel Settings. This will create a storefront URL for you in BigCommerce which will match the one that is generated on the Drupal side.

    1. Select “Add new channel” from the select channel list.

    2. Provide a channel name.

    3. Click the “Create new BigCommerce channel” button. You will then see a Site ID and Site URL on the setting page.


      Fig: BigCommerce configuration page in Drupal
  4. Now, in the same Channel Settings area, click on the “Update BigCommerce Site URL” button. This lets you confirm that the generated URL is actually sent to BigCommerce; otherwise, the checkout form will not be loaded on your Drupal site.

    You can also confirm the channel connection from within the BigCommerce admin dashboard by visiting the Channel Manager admin page.


    Fig: Channel Manager storefront confirmation in BigCommerce
Step 3: Sync products, variations and taxonomies from BigCommerce
  1. In Drupal, navigate to the product synchronization page at Commerce > Configuration > BigCommerce > BigCommerce Product Synchronization.
  2. Click the “Sync Products from BigCommerce” button and ta-da, all the products, variations, and categories will be synced to your Drupal site in an instant.
    Alternatively, you can also synchronize via the following Drush command. Advanced Drupal users can use this command on cron to do automatic syncing.

    drush migrate:import --group bigcommerce

    Fig: Product Synchronization page


    Fig: Syncing from BigCommerce in progress

    NOTE: If you run into errors when syncing products, it is probably because you don’t have a store added in the Drupal Commerce module yet. Add one at Commerce > Configuration > Store > Stores.

    TIP: Any time you make changes to the products in BigCommerce, visit this page or use the Drush command to synchronize the changes. Before syncing, you’ll also see a message telling you that updates are available.

  3. Confirm the products have synced by visiting the Product page for Drupal Commerce at Commerce > Products. A list of all of the products brought in from BigCommerce will appear here.
Step 4: See the BigCommerce checkout in action
  1. Now that everything is set up, go to a product page, add it to your cart and proceed to checkout.

    If everything was done correctly, you will be able to see the BigCommerce checkout form embedded into your Drupal site! Hurray! All of the shipping methods, payment methods, tax calculations, and other BigCommerce store configurations will be seen in the embedded form here.

    If you don’t see the checkout form, make sure that your channel settings are correct and that you have an SSL certificate installed.


    Fig: Drupal’s checkout page with embedded BigCommerce checkout form


    Fig: Drupal’s checkout page after order complete

  2. Once an order has been placed, the order information will be stored in Drupal (at Commerce > Orders) and will also be sent to BigCommerce (at Orders > View).


    Fig: BigCommerce backend View Orders page
Additional notes

The BigCommerce for Drupal module is ready for production and available for all to use. When writing this guide, there were some additional notes that I wanted to share.

  • At this time, product management should always be handled within BigCommerce and then synced to Drupal. Currently, there is no option to bring back a product if you delete it on the Drupal side, so be careful.
  • A development roadmap for the module can be found here. It outlines future features and plans.
  • If you use the module and find any bugs or want specific features, please add them to the module issue queue here.
Acro Media is a BigCommerce Agency Partner

Acro Media is the development team partnered with BigCommerce that made the BigCommerce for Drupal module a reality. We have many, many years of ecommerce consulting and development experience available to support your team too.

If you’re interested in exploring Drupal, BigCommerce or both for your online store, we’d love to talk.

Editor’s note: This article was originally published on December 2, 2019, and has been updated for freshness, accuracy and comprehensiveness.

robertroose.com: How to create the perfect RSS feed with Drupal 9

Main Drupal Feed - Thu, 09/23/2021 - 08:08

RSS is a great way to syndicate your content, but setting up a feed correctly displaying your articles can be tricky. In this blog post I will show you how to use Views to build the perfect feed in Drupal 9.

Redfin Solutions: Upgrading Drupal 7 to Drupal 9: What to expect

Main Drupal Feed - Wed, 09/22/2021 - 14:44
As a Drupal 7 user or website owner, it’s important to understand what’s next for your web presence as Drupal 7 and Drupal 8 reach their respective end-of-life. This guide will help you understand what to expect so that you can plan accordingly and get a sense for the resources you’ll need to allocate to upgrade Drupal 7 to 9.

Tag1 Consulting: On 20 Years of Drupal - an interview with Josh Koenig

Main Drupal Feed - Wed, 09/22/2021 - 14:38

Drupal has had many, many contributors over its 20 years of existence. These contributors vary from the person answering questions here and there in IRC/Slack and the issue queues, to people who run agencies and hosting companies aimed at keeping Drupal in the public eye. Drupal’s continued success relies on all types of people to keep the drop moving.

In this Tag1 Team Talk, we continue to celebrate the 20th anniversary of Drupal. Tag1 Managing Director Michael Meyers is joined by Josh Koenig. Long-time Drupal community members will know Josh as one of the founders of ChapterThree, and more recently as a co-founder and Chief Strategy Officer at Pantheon. In this talk, Josh and Michael go back into the history of Drupal, where Josh got started, and how ChapterThree and then Pantheon were formed to meet the needs of Drupal users.

For a transcript of this video, see Transcript - Josh Koenig on 20 years of Drupal. Click here for a list of other interviews in this series.

Photo by Gloria Cretu on Unsplash


Lullabot: How We Compare: Leaderboards and Related Comparison Metrics in the Drupal Community

Main Drupal Feed - Tue, 09/21/2021 - 20:31

Whoever said "comparison is the death of joy" was onto something. Comparing ourselves to others can create all kinds of problems, whether we think we are worse, better, or equal. Most of us probably know to avoid comparisons, and yet we can't seem to help ourselves. We do it in our personal lives and in professional settings.

Specbee: How to export data from Views using Drupal's Views Data Export module

Main Drupal Feed - Tue, 09/21/2021 - 11:33
Akshay Devadiga, 21 Sep, 2021

Oftentimes, we may need to export huge amounts of data from views into files so that it can be used for analysis or administration by non-technical or technical users. Instead of creating a custom module for this, we can leverage the Views Data Export module which is available with a stable release for Drupal 7, 8 and 9 versions.

The Views Data Export module was designed to provide a way to export large amounts of data from views. It also provides a plugin for progressive batch operations, which will improve your website’s performance.

When would you need the Views Data Export Module?

You would use the Views Data Export module for Drupal 8 and Drupal 9 if you want to:

  • Migrate content for different Drupal instances using migrate tools.
  • Perform a Feeds migration, which does the migration with zero coding, whereas using migrate tools requires a custom module with migration scripts written according to the business logic.
  • Generate reports using site data to analyse day-to-day interactions with the website.
Installing the module

It would be best to download the Views Data Export module using composer since the module has a dependency on the CSV Serialization module and other libraries. When you use composer for the installation, the dependencies will be automatically handled.

$ composer require drupal/views_data_export

Next, install the module as you would install any contributed module. The quickest way is to use the drush command line tool to install the module.

$ drush en -y views_data_export

This will install all the required dependent modules.

Let’s Set it Up

After enabling the module, in order to export the views we will first need to create the views and set up the export display with the necessary configurations. Check the detailed explanations for each step that you can follow:

1. Creation of the view:

Create a master Views display according to the requirements, with the necessary fields and filters. In our case, we have created a view listing all the users on the site. Check the image below for reference.

2. Creating the export display:

After enabling the module, the +Add attachment dropdown offers one more button for adding the Data export display. Use it to add the display as a data export; it will create the new data export display by copying all the fields and filters from the master display.

3. Data export display configurations:

The export display has various configurations that help in creating the data export of the view in various formats. See the image below, which displays all the configurations.

4. Displaying the page with the download button:

Once all the setup is done, save the view and visit the page. You will now see the download button in the footer region of the view, which downloads the data export with all the necessary filters, if applied.

Are there any Limitations to this module?

Yes. One of them is that the Drupal 9 version does not support Excel/Xlsx format. Also, batch operations are fully supported only with MySQL databases.

With Drupal 8 and 9’s growing list of modules, there always seems to be a module for that! The Views Data Export module for Drupal is one such module, a very handy tool when you want to migrate your views results into CSV, JSON or XML formats, saving you the time and effort of writing custom code. Want to discuss a new project with our Drupal experts? We’d love to hear from you!


Web Wash: Bulk Update Content using View Bulk Operations in Drupal

Main Drupal Feed - Tue, 09/21/2021 - 06:45

View Bulk Operations, commonly referred to as VBO, is a module that allows specifically defined actions that can be simultaneously executed on rows of Views data.

This tutorial will show how to install this module and set up a simple View with a defined action and VBO field. We will then demonstrate how to use VBO to perform this action on selected View rows. We will also show how you can define permissions for roles to use our defined action.

Agiledrop.com Blog: 3 key considerations for successful agile transformation

Main Drupal Feed - Tue, 09/21/2021 - 06:20

In this article, we discuss 3 key considerations which can serve as great starting points/guides for an agile transformation.
