Recent Blog Posts

Nearly four years ago I created my first screencast about using iCal calendars in Google Calendar. At the time I used Wink (free) which is a fun tool and has some interesting features, but it's also a bit limited and time consuming to build the videos. Then I started using Camtasia from TechSmith (~$800), which is also a decent tool but is only compatible with Microsoft and isn't particularly fun to use.

Life with iShowUHD Pro

When I moved to a Mac a year ago I started using iShowUHD which costs $30 or $60 (I went for the $60 version) but has a lot of different options that are pretty confusing. I used iShowUHD to do a few short screencasts and then used it to record a live webinar so that we could share the webinar after the fact. It's impossible to redo a webinar - you've got people on the line who don't want to call back in, etc. And unfortunateley, iShowUHD failed to record the video. The audio was recorded fine, but the video stopped working after 10 minutes. I mailed support, upgraded to a newer version and the problem persists. So, I decided to look around for alternatives.

Screenflow: Screencasting Nirvana

I tried out the demo version of Screenflow ($100). The interface is drastically simpler than any of the other tools. It records everything and lets you zoom, rotate, re-arrange, etc. in its editing tools. The editing tools are perhaps one of the best features. They are enormously simple and yet very powerful. I've long wanted to do slow-motion and fast motion in iMovieHD, but it's simply not possible (this depends on your version of MacOS/iLife).

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

• Insecure file system permissions
• Insecure input formats
• Dangerous code in nodes and comments
• Printed errors
• Private files directory not set outside the web root
• Dangerous allowed upload extensions
• Permissions granted to untrusted roles

Security Review also looks for the common attacks of SQL injection/system probing and brute-force login attempts.

The module reports the result of its checks as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system so they can be skipped from being run. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and where applicable there are links to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!

There seems to be a new pattern emerging in Drupal and I want to let you know that the Token module has joined the bandwagon with a "Token Starter Kit"

History of the Starter Kit in Drupal: Zen Theming

When the Zen project started it's goal was to be a really solid base HTML theme with tons of comments in the templates so that a new themer could take it, modify it, and end up with a great theme. Unfortunately, that second step of modifying it meant that people ran into all sorts of support issues that were hard to debug and they were in trouble when a new version of Zen came out - they weren't really running Zen any more.

How to use the Token Starter Kit

The Token Starter Kit is meant to be similarly easy for folks to use. The idea is that if you just open up the token module itself and start adding tokens then you are "hacking a contrib" (modifying it) and you will have to remember to make those changes again when you upgrade. Bad news. It's also not particularly simple to understand how the module works (it's got includes, and hooks, oh my!).

Enter the tokenSTARTER module. Just copy the tokenSTARTER .info and .module files to a new directory in your modules directory, rename them, and rename all the functions inside to match the filenames. This gives you a clean place to start adding in your own tokens. So, go for it. You'll see that it's quite simple and all you need are two hooks.

Documentation on Token API

There's also an API.txt file and README.txt file which explain how to write tokens in general. Lots of great advice in there.

When a form protected by spam prevention measures such as captcha or Mollom is submitted with drupal_execute, validation can fail unless the spam protection is properly suppressed.

This blog post describes the background and solution to a bug that previously existed in the Signup Integration for Ubercart module (uc_signup), and explains the techniques used to fix the bug. It is written with developers and aspiring developers in mind, though other people interested in how Drupal works might also find it interesting.

drupal_execute is a function often used in data imports that allows a developer to take a collection of form values and submit them programatically.
A main reason to use drupal_execute over another technique such as user_save() is that with drupal_execute, Drupal calls the validation and submission functions for the form.

The Context: How uc_signup Uses drupal_execute

In the Signup integration for Ubercart module, we sometimes create a new user account and populate the user's profile with data that was submitted on a form separate from the core user profile form. In earlier versions of uc_signup, we created the new account with user_save, however this allowed crafty users to leave required fields blank by skipping the form and proceeding to checkout, so we switched to drupal_execute which ensures that the form's validation gets executed.

The Problem

The drupal_execute function is relatively easy to use -- just pass in the form_id and form values you'd like to submit to the form.

However, we soon got a bug report with one user reporting a validation error at the time that the new user account is saved, with the captcha module enabled for the user registration form.