GVS is now part of Acquia.

module

Ben's picture

Security Review module and securing your Drupal site

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

  • Insecure file system permissions
  • Insecure input formats
  • Dangerous code in nodes and comments
  • Printed errors
  • Private files directory not set outside the web root
  • Dangerous allowed upload extensions
  • Permissions granted to untrusted roles

Security Review also looks for signs of common attacks: SQL injection or system probing, and brute-force login attempts.

The module reports the result of each check as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system, so individual checks can be skipped. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail, and where applicable there are links to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!

Greg's picture

Introducing Token Starterkit - Simple Introduction to Creating your own Drupal Tokens

There seems to be a new pattern emerging in Drupal, and I want to let you know that the Token module has joined the bandwagon with a "Token Starter Kit".

History of the Starter Kit in Drupal: Zen Theming

When the Zen project started, its goal was to be a really solid base HTML theme with tons of comments in the templates so that a new themer could take it, modify it, and end up with a great theme. Unfortunately, that second step of modifying it meant that people ran into all sorts of support issues that were hard to debug, and they were in trouble when a new version of Zen came out: they weren't really running Zen any more.

How to use the Token Starter Kit

The Token Starter Kit is meant to be similarly easy for folks to use. The idea is that if you just open up the token module itself and start adding tokens then you are "hacking a contrib" (modifying it) and you will have to remember to make those changes again when you upgrade. Bad news. It's also not particularly simple to understand how the module works (it's got includes, and hooks, oh my!).

Enter the tokenSTARTER module. Just copy the tokenSTARTER .info and .module files to a new directory in your modules directory, rename them, and rename all the functions inside to match the filenames. This gives you a clean place to start adding in your own tokens. So, go for it. You'll see that it's quite simple and all you need are two hooks.

Documentation on Token API

There's also an API.txt file and README.txt file which explain how to write tokens in general. Lots of great advice in there.

Economist.com - Providing Tools to Support the Severe Contest Online

I (Greg) have been reading the Economist since I was a teenager, so I was quite excited to hear that they were going to be moving to Drupal. Of course, I was even more excited when I got the opportunity to work on the project.


The Economist provides a variety of services, but their most popular one is the very dense newspaper they deliver each week full of insightful articles. As printed media undergoes an enormous change in the age of online delivery, The Economist draws inspiration from the Prospectus and their mission statement to find a purpose:

To take part in a severe contest between intelligence, which presses forward, and an unworthy timid ignorance obstructing our progress.

Growing Venture Solutions has engaged with developers at The Economist and many other fine consultants including Cyrve and Four Kitchens. We are working with their scrum teams to build the tools necessary to host a severe contest online. Included in these tools are features that drive at the heart of Drupal: content management, identity, rating, and individually focused customization.

steve harley's picture

Preparing a Drupal site for efficient support

We can support your Drupal site, but first let’s make it right

When we first offered formal Drupal Support services we expected clients would know their site fairly well and need help with advanced administration and/or doing “new” things. In practice, we’ve quickly learned an important lesson about the diversity of Drupal site owners. Some are virtuosos, and need our help with very complex issues. Some have an existing site with major deficiencies, perhaps built by a vendor who is no longer in the picture. Some need some tutoring in Drupal basics, or even the concepts of dynamic websites.

So we have learned to sort out from the start whether clients will need a more intensive initial phase that includes a site review, an assessment of how well administrators and users understand their Drupal site, and quite possibly a detailed site tune-up. Here is how the technical side went with one client …

Greg's picture

New User_quota Module Provides Turnkey Solution for Artistic Entrepreneurs

We recently helped out with the development of a pretty neat multiple-vendor e-commerce website. Much of the code for it was custom, but we were able to build a novel, generic per-user, per-content-type quota system. Each user can purchase credits towards their quota, which allows them to submit new content.

About LolliShops - Multi Shop Marketplace

The easiest way to describe LolliShops is as an upscale boutique version of Etsy, built in Drupal. LolliShops provides a turnkey solution for artistic individuals who make jewelry, clothing and art by hand. Anyone can sign up and set up a personalized online store in minutes. It focuses on the Frou Frou market (if you're not familiar with it, it's probably best described by the site). So far, LolliShops has thousands of individual stores. The theme and products shown on the home page give a great sense of the intended audience. Vendors purchase the ability to sell their products on the site under 3 different selling arrangements. Two of these arrangements limit the number of products that they can create, requiring a quota system.

About the User Quota Module

Of course, the first thing I did when looking to build that quota functionality was to compare all of the existing solutions. I posted a summary of my research in the Duplicate Modules Hall of Shame group so that others could benefit from it. It seemed like there was no way to do exactly what we needed with the existing modules, so I set to work building a new module.


Contact Acquia if you are interested in Drupal Support or help with any products GVS offered, such as the Conference Organizing Distribution (COD).

We Wrote the Book On Drupal Security:

Cracking Drupal Book Cover