Drupal News

Exsen

Drupal Themes - Fri, 04/19/2019 - 05:45

A base commerce admin theme for extension.

Lullabot: Lullabot Podcast: DrupalCon Seattle Recap

Main Drupal Feed - Fri, 04/19/2019 - 00:51

Mike and Matt gather a random group of Drupalers in Seattle, drag them back to a hotel room, and record a podcast. 

Duo Consulting: Accessibility Lessons from DrupalCon Seattle

Main Drupal Feed - Thu, 04/18/2019 - 17:57

In the Drupal community, the annual DrupalCon show is the biggest event of the year. Held in a different city each year, the event brings Drupal users together for a week of sessions and networking.

With so many people and agencies committed to Drupal in attendance, DrupalCon is the perfect opportunity to provide training and guidance. This year’s show, DrupalCon Seattle, dedicated its first two days to community summits and full-day training sessions. One of these summits tackled one of the most prevalent issues of the year for Drupal: Accessibility. Through a combination of keynotes, panels and breakout sessions, the summit’s organizers gave attendees actionable insights and new perspectives on front-end accessibility.

The day kicked off with a keynote from OpenConcept’s Mike Gifford, who spoke about his agency’s work with the Canadian National Institute of the Blind (CNIB). For the organization’s 100-year anniversary, the CNIB sought a rebrand and redesign with an emphasis on making their site’s content more accessible. As OpenConcept learned, creating an accessible platform is easier said than done. To illustrate how difficult the process can be, Gifford wryly offered this Donald Rumsfeld quote:

There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know.

In the context of web development, accessibility is often an “unknown unknown.” Without extensive testing, programmers won’t know that any given element won’t limit access for certain users. As such, one of the major lessons that Gifford shared was the importance of manual testing.

“Automated accessibility testing will only get you 25 percent of the way there,” Gifford said. “Manual testing is essential, and this mostly comes down to getting rid of your mouse and tabbing through a site.”

As Gifford and speakers from subsequent panels noted, the best method for testing a site’s accessibility is to actually use it. While a lot of problems can be found by, as Gifford said, unplugging your mouse and using the “tab” key to navigate, this approach can still miss blind spots that able-bodied users wouldn’t consider. Alternatively, hiring disabled users to perform QA testing on a given site is often the best solution. 

This ethos is especially true when building mobile sites. Another keynote speaker, Gian Wild of AccessibilityOz, covered the mobile accessibility testing process in detail. Manual testing on real devices can root out common traps, like if a site’s buttons are too small to be navigated with a finger or if links aren’t underlined. For more common errors, Wild’s slide deck can be found here.

As important as manual testing is, though, automated accessibility tools are a vital element of the accessible design arsenal. Though pervasive and subtle errors still require hands-on QA testing, automated solutions will identify many more thousands of minor issues in a fraction of the time. As such, using these tools in coordination with manual testing will ensure that your site is as accessible as can be.

During the final breakout session of the summit, attendees shared which tools they think work best for rooting out accessibility issues, many of which conveniently come in the form of browser extensions. Some commonly mentioned tools included:

We’ve previously profiled several accessibility tools, and you can see which one is best for you here.

As challenging as accessibility testing can be, the reward of expanding your audience is well worth it. Fortunately, the Drupal platform helps ensure out-of-the-box accessibility features. During his keynote, Gifford pointed out that Drupal design patterns have already been tested, known bugs are listed transparently, and the development community actually cares about the issue. In fact, OpenConcept’s work for CNIB produced several fixes and modules that can now be utilized by any Drupal user. These contributions and further info about the CNIB redesign can be found on Gifford’s slide deck here.

With a senior-level team of designers and developers, Duo can apply these lessons to sites across industries. Our commitment to accessibility means that every site we build will be open to all users. To learn more about our process and values, reach out to our team today!

OpenSense Labs: Changing Businesses Using Artificial Intelligence and Drupal

Main Drupal Feed - Thu, 04/18/2019 - 01:47
Shankar - Thu, 04/18/2019 - 07:17

Advancements in artificial intelligence (AI) are opening up a plenitude of possibilities in different industries. Efforts like Robotics at Google, for instance, are showing the world the way forward. Google is working on machines that may not be as eye-catching as humanoid robots but will have subtly more advanced technology inside them. The idea is to let them learn skills on their own and sort through a bin of unfamiliar objects or navigate a warehouse that is filled with unexpected obstacles. And in the healthcare sector, while the doctors are already using AI for diagnosing and treating medical conditions, Dr. Eric Topol, in his book called Deep Medicine, says that AI can do much more than that. AI can save doctors from performing tasks like jotting down notes and reading scans and allow them to spend more time connecting with their patients. The AI’s influence in different fields will make for an endless list.


It is true that AI is growing at a fast clip. But, currently, it is still dependent on human intelligence. Nevertheless, AI is here to stay and will only get better with time.

In the web landscape, too, AI has the provision for a superabundance of use cases. Drupal, as one of the leading content management frameworks, has been a pioneer when it comes to giving a push to digital innovation. Drupal, replete with modules for implementing AI, can lay the groundwork for a more AI-centric future for your digital business.

Unwrapping artificial intelligence

The term ‘Artificial Intelligence’ was coined by Dartmouth professor John McCarthy in the summer of 1956 when he invited a small group to spend some weeks musing on how to enable machines to do things like use language. He pinned high hopes on the breakthrough of human-level machines. Since then, artificial intelligence has come a long way and will undergo a lot of research and development in the coming years.

Gartner states that “AI applies advanced analysis and logic-based techniques, including machine learning, to interpret events, support and automate decisions, and take actions”. Commonly, definitions of AI emphasise automation. But AI can emulate human performance by learning from it. This can come in very handy as it gives a plethora of opportunities to IT and business leaders.

Adopting AI in businesses

When it comes to adoption of AI in the business workflow, organisations need a well-planned strategy to measure their firm against the AI maturity model, states Gartner.

Source: Gartner

The AI maturity model can help in identifying where your firm is on the potential growth curve and in deciding, in discussion with the management, what steps should be taken. Some organisations may be having conversations about AI and are in the Awareness stage. There can be firms in the Active stage that may be including AI in proofs of concept and pilot projects. Organisations can be said to be in the Operational stage when at least one of their AI projects has moved to production. Business organisations can be said to be in the Systematic stage when they, at least, start considering AI for all of their new digital projects. Once you figure out what stage you are in, you can aim for reaching the Transformational stage and make AI a part of your DNA with the help of a top-notch, adaptive strategy and by giving more room for experimentation.
 
As you start implementing AI in your business, it is important to identify the right use cases i.e. the key business hurdles that can be resolved by the capabilities of AI. And there is no dearth of what AI has to offer as can be seen in the figure below.


A combo of AI and Drupal

AI has made its foray into different industries and has opened up new opportunities for improving business workflow. Web development is one of the areas where artificial intelligence can be leveraged to a great extent. Some of the examples of how Drupal can be of great use to leverage artificial intelligence are:

Chatbots

Artificial intelligence can be of great help in giving a website cognitive computing abilities, which simulate human thought processes in a computerised model. This can be done in the form of chatbots. Drupal’s Chatbot API module can offer fantastic conversational experiences. Chatbot API gives you a common, flexible additional layer that sits between Drupal, your Natural Language Processing (NLP) and your several chatbots and personal assistants, thereby making your website chatbot-friendly. This avoids the need to write new code whenever you have to translate a conversational experience from one interface to another.

Web personalisation

Personalisation of web content is done on the basis of a person’s digital persona. Content can be recommended to users based on their profile or past activities. For instance, if they are searching for a blue shirt, something like this would work - “Here are more blue shirts”. Or, if a user is reading about futuristic technologies, then something like this may work - “Read more articles like this”. Artificial intelligence can improve this even further.


A session at DrupalCon Baltimore 2017 talked about personalising web content using machine learning (a subset of AI). They demonstrated Deep Feeling, a proof-of-concept project that leverages machine learning techniques to enhance content recommendations to users. They utilised the Instagram API for accessing a user’s stream-of-consciousness and filtered their feeds via a computer vision API. This was then used to detect and learn subtle themes about the user’s predilections. On getting a notion about the sort of experiences the user thinks are worth sharing, the user’s characteristics were matched against their own databases. The proof-of-concept involved the Acquia Lift service and Drupal 8.

Multilingual platform

“In keeping with our deep integrations to Web Content Management, Content Management Systems, and Marketing Automation platforms, our Drupal 8 connector is the latest example of Cloudwords building integrations that speed and scale a company’s global marketing engagements with personalized experiences in any language”, said Richard Harpham, former CEO at Cloudwords Inc.
 
The Cloudwords for Multilingual Drupal module offers a superfast and efficacious way of governing the process of making your site multilingual. On installing this module, your content can be served in multiple languages to the market. Its powerful workflow automation and project management capabilities enable you to choose the content that you want to localise, and the rest of the process is taken care of by Cloudwords. Its CAT tool utilises artificial intelligence and machine learning for enhancing productivity.

Deriving insights from your images

Google’s artificial intelligence capabilities can be applied to solving the obstacles of content management at scale. A session held at Badcamp 2018 exhibited how content editors can keep up with reviews during a continuous stream of content submissions.


For this, the Google Cloud Vision API was utilised. The Google Vision API offers image labelling, as it detects objects automatically and even provides data about them, such as their position within the image. It can also detect text within images. It can assess your image and identify whether it contains adult content, violence and so on. The Google Cloud Vision API can be configured with Drupal via the Drupal module. This enables you to automatically add metadata to uploaded media and allow explicit content detection on image fields.

Conclusion

We can do so much with artificial intelligence just as there is much that we have done with the wheel. But to consider AI as an outright replacement for human intelligence is not the right thing to do. AI can improve our lives and it is important to figure out how to leverage it for our betterment.
 
Drupal, a catalyst giving importance to digital innovation and emerging technologies, can be used in combination with AI to build futuristic solutions.
 
We have been working towards the provision of better digital experience and offer a suite of services. Let us know at hello@opensenselabs.com how you want us to be part of your digital transformation endeavours.


Tandem's Drupal Blog: Transparency in Picking a Digital Partner

Main Drupal Feed - Thu, 04/18/2019 - 00:00
April 18, 2019 Why we use services like Clutch.co to help you pick a digital partner faster. Picking a digital partner is hard. What firm can understand your strategy, translate that into conversion-increasing design, and then develop a website on your chosen technology platform? After reading multiple proposals and sifting through digital agenc...

myDropWizard.com: Drupal 6 core security update for SA-CORE-2019-006

Main Drupal Feed - Wed, 04/17/2019 - 21:00

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Drupal core to fix a vulnerability in jQuery. You can learn more in the security advisory:

Drupal core - Moderately Critical - Third-party Libraries - SA-CORE-2019-006

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

FYI, there was another Drupal core security release made today (SA-CORE-2019-005) but that one doesn't affect Drupal 6, because Drupal 6 doesn't depend on Symfony.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Security advisories: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

Main Drupal Feed - Wed, 04/17/2019 - 20:30
Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.
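The behaviour the jQuery release notes describe, as an added illustration that is not part of the advisory and is not jQuery's code: a simplified recursive merge that follows an own `__proto__` key into `Object.prototype`, beside a variant that skips that key and a helper that flags such keys in parsed input. All function names and the sample payload are constructed for this example.

```javascript
// Added illustration: a simplified recursive merge, NOT jQuery's source code.
// Function names and the sample payload are constructed for this example.

function isMergeable(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Pre-fix behaviour: every enumerable key of the source is copied, so an own
// "__proto__" key makes the merge recurse into the target's prototype.
function deepExtendUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isMergeable(value)) {
      const existing = target[key]; // for "__proto__" this is Object.prototype
      target[key] = deepExtendUnsafe(isMergeable(existing) ? existing : {}, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: only own keys are visited and "__proto__" is never merged.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (isMergeable(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = deepExtendSafe(isMergeable(existing) ? existing : {}, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Defensive check for input validation or logging: returns the path of every
// own "__proto__" key found anywhere in a parsed value.
function findProtoKeys(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findProtoKeys(item, `${path}[${i}]`)));
  } else if (isMergeable(value)) {
    for (const key of Object.keys(value)) {
      if (key === "__proto__") hits.push(`${path}.__proto__`);
      hits.push(...findProtoKeys(value[key], `${path}.${key}`));
    }
  }
  return hits;
}

function runDemo() {
  // Constructed sample input, as it might arrive in a JSON request body.
  // JSON.parse creates "__proto__" as an ordinary own, enumerable property.
  const body = '{"theme":{"color":"blue"},"__proto__":{"polluted":"yes"}}';
  const result = { flagged: findProtoKeys(JSON.parse(body)) };
  try {
    deepExtendUnsafe({}, JSON.parse(body));
    // A fresh, unrelated object now inherits the injected property.
    result.unsafePolluted = ({}).polluted === "yes";
  } finally {
    delete Object.prototype.polluted; // undo the side effect of the unsafe merge
  }
  const merged = deepExtendSafe({}, JSON.parse(body));
  result.safePolluted = ({}).polluted !== undefined;
  result.safeColor = merged.theme.color;
  return result;
}

console.log(runDemo());
```
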

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.


Security advisories: Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

Main Drupal Feed - Wed, 04/17/2019 - 20:29
Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Multiple Vulnerabilities
Description:

This security release fixes third-party dependencies included in or required by Drupal core.

  • CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory:

    Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

  • CVE-2019-10910: Check service IDs are valid. From that advisory:

    Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

  • CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory:

    This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).
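The field-boundary ambiguity behind CVE-2019-10911, as an added example on a simplified model that is not Symfony's or Drupal's code. The cookie layout, `SECRET`, the class name `User`, the usernames and the timestamps are all constructed, and the password hash is empty to match the advisory's null-hash case.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed for this example
const CLS = "User";                       // hypothetical user class name

// MAC input before the fix: fields run together, so field boundaries are lost.
const joinLegacy = (user, expires, pwHash) => CLS + user + expires + pwHash;
// MAC input after the fix: a separator pins every field boundary.
const joinFixed = (user, expires, pwHash) => [CLS, user, expires, pwHash].join(":");

function tag(join, user, expires, pwHash) {
  return createHmac("sha256", SECRET).update(join(user, expires, pwHash)).digest();
}

// Server-side check of a presented cookie {user, expires, mac}.
// pwHash is "" here: the case where password hashes are null for all users.
function verify(join, cookie, now) {
  if (!/^\d+$/.test(cookie.expires) || Number(cookie.expires) < now) return false;
  const expected = tag(join, cookie.user, cookie.expires, "");
  const got = Buffer.from(cookie.mac, "hex");
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Issue a cookie for "user1", then present the same MAC with the boundary
// between username and expiry moved by one character (constructed values).
function boundaryShiftAccepted(join) {
  const now = 1555000000;
  const issued = { user: "user1", expires: "1555500000" };
  const mac = tag(join, issued.user, issued.expires, "").toString("hex");
  const shifted = { user: "user", expires: "11555500000", mac };
  return {
    original: verify(join, { ...issued, mac }, now),
    shifted: verify(join, shifted, now),
  };
}
```

With `joinLegacy` both cookies verify because the two field tuples produce byte-identical MAC input; with `joinFixed` only the cookie that was actually issued verifies.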

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 

Lullabot: Rocket Ship Fast Jobs in CircleCI by Preinstalling the Database

Main Drupal Feed - Wed, 04/17/2019 - 18:00

CircleCI is great at letting developers define a set of images to spin up an environment for testing. When dealing with a website with a database, the usual build process involves downloading a database dump, installing it, and then performing tests. Here is a sample job that follows this approach. Notice where the majority of the time is allocated:

WeKnow: Drupalcon Seattle 2019 Recap

Main Drupal Feed - Wed, 04/17/2019 - 17:42

DrupalCon Seattle 2019 was my second Drupal Conference. Everybody enjoys travel, and everybody should enjoy learning while at it! This year I had the opportunity to do both, taking advantage of the Professional Development Program that weKnow offers as well as taking my family on vacation.

The Washington State Convention Center

 

In my first hours in Seattle, I joined my teammates, got my credentials and the full information about the event... I was surprised by the variety of sessions available! One difference compared to Nashville 2018: this year there were only 2 days for room conferences, but the quantity looks similar. In fact, I did attend more sessions this year than in 2018.

dsabolo Wed, 04/17/2019 - 17:42

Aten Design Group: Placing Components with Drupal's Extra Fields

Main Drupal Feed - Wed, 04/17/2019 - 17:17

One of the challenges front-end developers face is adding new components to entity templates that exist outside of what is defined in the Field API; or in other words, adding dynamic components that aren’t really fields. Often this can be easily done by throwing the custom markup in a .html.twig file and calling it a day. But if you’re working on something that needs to be reusable, or if you’re collaborating with a site builder who doesn’t write code, the custom template route can be limiting.

Enter hook_entity_extra_field_info().

Content Moderation: A “Pseudo-Field” in Core

Drupal’s documentation says this hook “exposes ‘pseudo-field’ components on content entities.” You can see this hook in action with the Content Moderation module in core. All moderation-enabled entities can have an option box, placed via that entity’s Manage Display page, that contains a widget to update an entity’s moderation state in place rather than clicking through to the edit page.

The moderation option isn’t a real field. Rather, it’s what Drupal calls a “Pseudo Field.” But by using hook_entity_extra_field_info(), you wouldn’t know the difference. The moderation option can be moved around and configured for various display modes, just like “real” fields.

Using hook_entity_extra_field_info in a Custom Module

On a recent project, we needed to integrate a newer commenting service called Coral Talk. After searching, we learned that no module existed to integrate this service in Drupal. This presented a perfect use case for an Extra Field, and only needed two hooks for the bulk of the work:

    /**
     * Implements hook_entity_extra_field_info().
     */
    function coral_talk_entity_extra_field_info() {
      // Load commenting configuration.
      $config = \Drupal::config('coral_talk.settings');
      $extra = [];

      // Loop over the content types configured to have comments
      // and get their bundle name.
      foreach ($config->get('content_types') as $bundle) {
        if ($bundle) {
          // Add info for Extra Field to nodes only, specific to configured
          // content types. This determines what shows on Manage Display.
          $extra['node'][$bundle]['display']['coral_talk_comments'] = [
            'label' => t('Coral Talk Comments'),
            'description' => t('Place commenting on the page.'),
            'weight' => 100,
            'visible' => TRUE,
          ];
        }
      }

      // Return our new extra field.
      return $extra;
    }

After a cache clear, this new field will appear on the configured content types’ Manage Display page and can be placed on the content type along with the other fields for that content type. Now that the field is defined, it needs some info for what should be rendered to the page. This is handled by Drupal’s hook_ENTITY_TYPE_view() hook.

    /**
     * Implements hook_ENTITY_TYPE_view().
     */
    function coral_talk_node_view(
      array &$build,
      \Drupal\Core\Entity\EntityInterface $entity,
      \Drupal\Core\Entity\Display\EntityViewDisplayInterface $display,
      $view_mode
    ) {
      // 1. Check to see if our new field should be rendered on the entity display.
      // 2. Determine whether the user has permission to add comments.
      $condition = (
        $display->getComponent('coral_talk_comments')
        && \Drupal::currentUser()->hasPermission('create coral comment')
      );

      if ($condition) {
        $config = \Drupal::config('coral_talk.settings');

        // Add the new field to the $build array with a call to a custom theme
        // hook to render the comments. Pass necessary config into comment
        // settings.
        $build['coral_talk_comments'] = [
          '#theme' => 'coral_talk_comments',
          '#domain' => $config->get('domain') ?? '',
        ];
      }
    }

After another cache clear, we’ll now see our comments being rendered to our content types in whichever view mode they’re enabled on. This moves the setup of comments out of code and into a place that’s more accessible and flexible for various users.

This approach is great for simple scenarios. One drawback, however, is that it’s not possible to define any custom configuration options for these pseudo fields. Each extra field is identical, and any configuration has to be hard coded in these hooks. This presents challenges for site builders, who might want to configure comments differently per content type. Fortunately, there is a solution in contrib that changes how Extra Fields are defined and allows developers to add configuration to each field. In the next post, we’ll explore the Extra Field Settings Provider module.

Phase2: Migration: Making It All Work

Main Drupal Feed - Wed, 04/17/2019 - 17:04

We’ve written a lot about content migration on our blog here—it’s something we have more than a passing interest in, because we do it a lot! The posts below cover the project management, estimation, and basics of content migration from Drupal to Drupal, and other sources too.

Hook 42: Speaker Notes: Attending DrupalCon as a Presenter

Main Drupal Feed - Wed, 04/17/2019 - 13:42

DrupalCon 2019 was a bit different for me. I have attended previous DrupalCons, usually sitting in the back of the room just taking in all that I could from experts around the world. This year, however, I had the opportunity to be a speaker. Not only was I afforded the opportunity to speak, but I had two separate sessions accepted.
