Growing Venture Solutions - GVS - module http://growingventuresolutions.com/taxonomy/term/31/0 en Security Review module and securing your Drupal site http://growingventuresolutions.com/blog/security-review-module-and-securing-your-drupal-site <p>Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.</p> <p>I'd like to introduce the <a href="http://drupal.org/project/security_review">Security Review module</a> for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:</p> <ul> <li>Insecure file system permissions</li> <li>Insecure input formats</li> <li>Dangerous code in nodes and comments</li> <li>Printed errors</li> <li>Private files directory not set outside the web root</li> <li>Dangerous allowed upload extensions</li> <li>Permissions granted to untrusted roles</li> </ul> <p><a href="http://drupal.org/project/security_review">Security Review</a> also looks for the common attacks of SQL injection/system probing and brute-force login attempts.</p> <p>The module reports the result of its checks as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system so they can be skipped from being run. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and where applicable there are links to online documentation.</p> <p>Future plans for the module include popular contrib module checks and notification support. 
I encourage you to give the module a run on your sites and let me know what you think in the comments!</p> http://growingventuresolutions.com/blog/security-review-module-and-securing-your-drupal-site#comments Planet Drupal contributions drupal module security Tue, 08 Dec 2009 22:30:46 +0000 Ben 752 at http://growingventuresolutions.com Introducing Token Starterkit - Simple Introduction to Creating your own Drupal Tokens http://growingventuresolutions.com/blog/introducing-token-starterkit-simple-introduction-creating-your-own-drupal-tokens <p>There seems to be a new pattern emerging in Drupal and I want to let you know that the <a href="http://drupal.org/project/token">Token</a> module has joined the bandwagon with a "Token Starter Kit".</p> <h3>History of the Starter Kit in Drupal: Zen Theming</h3> <p>When the Zen project started, its goal was to be a really solid base HTML theme with tons of comments in the templates so that a new themer could take it, modify it, and end up with a great theme. Unfortunately, that second step of modifying it meant that people ran into all sorts of support issues that were hard to debug and they were in trouble when a new version of Zen came out - they weren't really running Zen any more.</p> <h3>How to use the Token Starter Kit</h3> <p>The Token Starter Kit is meant to be similarly easy for folks to use. The idea is that if you just open up the token module itself and start adding tokens then you are "hacking a contrib" (modifying it) and you will have to remember to make those changes again when you upgrade. Bad news. It's also not particularly simple to understand how the module works (it's got includes, and hooks, oh my!).</p> <p>Enter the tokenSTARTER module. Just copy the tokenSTARTER .info and .module files to a new directory in your modules directory, rename them, and rename all the functions inside to match the filenames. This gives you a clean place to start adding in your own tokens. So, go for it. 
You'll see that it's quite simple and all you need are two hooks.</p> <h3>Documentation on Token API</h3> <p>There's also an <a href="http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/token/API.txt?view=markup">API.txt</a> file and <a href="http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/token/README.txt?view=markup">README.txt</a> file which explain how to write tokens in general. Lots of great advice in there.</p> http://growingventuresolutions.com/blog/introducing-token-starterkit-simple-introduction-creating-your-own-drupal-tokens#comments Planet Drupal development module token Wed, 21 Oct 2009 23:16:12 +0000 Greg 528 at http://growingventuresolutions.com Economist.com - Providing Tools to Support the Severe Contest Online http://growingventuresolutions.com/about/customers/economist-com-providing-tools-support-severe-contest-online <p>I (Greg) have been reading the Economist since I was a teenager, so I was quite excited to hear that they were going to be moving to Drupal. Of course, I was even more excited when I got the opportunity to work on the project.</p> <div style="float: right"><img src="http://farm4.static.flickr.com/3358/3564511589_10e3e0f5ed_m.jpg" alt="severe contest" /></div> <p>The Economist provides a variety of services, but their most popular one is the very dense newspaper they deliver each week full of insightful articles. 
As printed media undergoes an enormous change in the age of online delivery, The Economist draws inspiration from the <a href="http://www.economist.com/agenda/displaystory.cfm?story_id=1873493">Prospectus</a> and their <a href="http://theeconomistonline.blogspot.com/2008/05/in-pursuit-of-severe-contest-online_28.html">mission statement</a> to find a purpose:</p> <blockquote><p>To take part in a severe contest between intelligence, which presses forward, and an unworthy timid ignorance obstructing our progress.</p></blockquote> <p>Growing Venture Solutions has engaged with developers at The Economist and many other fine consultants including <a href="http://www.cyrve.com/">Cyrve</a> and <a href="http://fourkitchens.com/">Four Kitchens</a>. We are working with their scrum teams to build the tools necessary to host a <em>severe contest</em> online. Included in these tools are features that drive at the heart of Drupal: content management, identity, rating, and individually focused customization.</p> <p>Much of the work is making its way back to the Drupal community. The <a href="http://drupal.org/project/views_bulk_operations">Views Bulk Operations</a> and <a href="http://drupal.org/project/votingapi">Voting API</a> modules have seen some improvements already. The amazing <a href="http://drupal.org/project/tw">Table Wizard</a> and <a href="http://drupal.org/project/migrate">Migrate</a> modules were vastly improved as a result of their use importing data into the site. 
As we move beyond the migration stages of the project, we should be able to make even more improvements to Drupal.</p> <p><img src="http://farm4.static.flickr.com/3373/3565327086_b05e6bf9c1_m.jpg" alt="Greg and Rob in the office" /></p> http://growingventuresolutions.com/about/customers/economist-com-providing-tools-support-severe-contest-online#comments development module Tue, 26 May 2009 02:07:18 +0000 Greg 468 at http://growingventuresolutions.com Preparing a Drupal site for efficient support http://growingventuresolutions.com/blog/preparing-drupal-site-efficient-support <h3>We can support your Drupal site, but first let&#8217;s make it right</h3> <p>When we first offered <a href="about/services/drupal-support">formal Drupal Support services</a> we expected clients would know their site fairly well and need help with advanced administration and/or doing &#8220;new&#8221; things. In practice, we&#8217;ve quickly learned an important lesson about the diversity of Drupal site owners. Some are virtuosos, and need our help with very complex issues. Some have an existing site with major deficiencies, perhaps built by a vendor who is no longer in the picture. Some need some tutoring in Drupal basics, or even the concepts of dynamic websites.</p> <p>So we have learned to sort out from the start whether clients will need a more intensive initial phase that includes a site review, an assessment of how well administrators and users understand their Drupal site, and quite possibly a detailed site tune-up. Here is how the technical side went with one client &#8230;</p> <!--break--><p>From the outset, we sensed all of this client&#8217;s support hours could be consumed just trying to stay ahead of the ad hoc techniques used in the construction and management of the site. We knew we had to stabilize the situation so the client could get more value from our support &#8212; and from their site. 
We found the site running an older version of Drupal 5 on a Windows IIS host with only FTP (not SFTP nor ssh) access for managing the site. The clients wanted to improve SEO and feel more in control. They weren&#8217;t really using Drupal as a content management system.</p> <h3>First steps in Drupal site evaluation</h3> <p>To move forward, and protect their investment in the site, we helped the client to arrange for Linux hosting and planned an upgrade to Drupal 6. In short, this would put them on a version that is easier to support, simplify setup of clean URLs and guarantee availability of security updates beyond the Drupal 7 horizon. Using a Linux host with ssh access is a strong preference for our team; it makes our work for clients more efficient.</p> <p>We prepared to migrate and upgrade the site by reviewing the site&#8217;s:</p> <ul> <li>32 contributed modules,</li> <li>four custom themes (hacked versions of Garland applied to specific pages via <a href="http://drupal.org/project/taxonomy_theme">Taxonomy Theme</a>),</li> <li>structure including menus, content types, views and input filters,</li> <li>status of existing content, including some content not linked into site navigation at all,</li> <li>non-Drupal static pages and a WordPress installation on the same domain, all themed to appear as part of the main site.</li> </ul> <h3>Getting a handle on a Drupal site&#8217;s modules</h3> <p>Our review found that 20 of the contributed modules had no significant purpose on the site, plus two useful modules weren&#8217;t supported for Drupal 6. While the site was functional, under the hood there were overlapping and partially configured modules, as if the previous site builder had left in the middle of some hasty experiments. 
In some cases we had to query the <em>variable</em> table or the tables associated with a module to be sure whether it was in use.</p> <p>With all of the unneeded modules gone, we added <a href="http://drupal.org/project/token">Token</a>, <a href="http://drupal.org/project/pathauto">Pathauto</a> and <a href="http://drupal.org/project/globalredirect">Global Redirect</a> to set the stage for SEO improvements.</p> <p>Some modules were needed but not supported in Drupal 6. We replaced <a href="http://drupal.org/project/taxonomy_theme">Taxonomy Theme</a> with <a href="http://drupal.org/project/themekey">Theme Key</a>, and <a href="http://drupal.org/project/tinymce">Tiny MCE</a> with <a href="http://drupal.org/project/wysiwyg">Wysiwyg API</a> configured with the <a href="http://tinymce.moxiecode.net/download_i18n.php">TinyMCE 3 plug-in</a> (per the client&#8217;s preference).</p> <h3>Untangling and upgrading Drupal themes</h3> <p>We upgraded the themes to Drupal 6, referring to the <a href="http://drupal.org/node/132442">Converting 5.x themes to 6.x checklist</a> as well as some tips that simplified the process on <a href="http://wtanaka.com/drupal/convert-theme-6">Wesley Tanaka&#8217;s blog</a>. The themes interacted with Nice Menus via <a href="http://api.drupal.org/api/function/theme_menu_item_link/6">theme_menu_item_link</a>, an API function whose definition has changed sufficiently in Drupal 6 that it no longer suited the purpose. <a href="http://drupal.org/project/nice_menus">Nice Menus</a> in Drupal 6 has configuration options that bridged the gap. Theme_menu_item_link was still helpful, though, because the Drupal 5 site contained menu entries which linked nowhere, something Drupal 6 doesn&#8217;t allow. We addressed this in the theme layer with an approach modeled after <a href="http://drupal.org/node/143322">this suggestion by tekket</a>.</p> <p>Once we had sorted through the content and knew which pages were actually live (versus published but not linked from anywhere), we realized one of the themes wasn&#8217;t in use at all. Another turned out to only be used when a certain region shouldn&#8217;t appear, but that region would suppress itself if no blocks were assigned. So it wasn&#8217;t too hard to prune the themes to one for the home page and one more for the rest of the site.</p> <h3>Getting bugs out of the content</h3> <p>Having reviewed and simplified the site configuration, the Drupal 6 upgrade itself went very much by the book. A few of the remaining modules needed a 2.x upgrade while still in Drupal 5 to make ready for Drupal 6. Since the client was making few content changes, the upgraded site could be brought up on the new host and reviewed before changing DNS, simplifying the staging process. Site content upgraded cleanly with a few exceptions. Views import worked, but much of the detail of the views had to be reconstructed anyway.</p> <p>The menus and some of the content had hard-coded references to pages and images on the site without using relative links or clean URLs, and even sometimes linked by IP address. We used queries into the <em>node_revisions</em> and <em>menu_links</em> tables to find what needed fixing. There were few enough problem nodes that it made the most sense to fix them manually, but Greg made a time-saving suggestion &#8212; use a calculation in an ad hoc query to output the complete node/#/edit URL for each node to update. From there (from the MySQL command line in a Mac OS X iTerm window), I selected the URL from the query output and used a keyboard shortcut assigned to the Open URL entry in the service menu. 
Tricks like these can make even a modest manual process take half the time or less.</p> <p><img src="http://growingventuresolutions.com/gvsfiles/mysql_query_concatenation.png" alt="A query with quick links to content that needs to be updated" /></p> <h3>The result: a smoothly-running Drupal site</h3> <p>None of this work was glamorous, but the result is very satisfying &#8212; the site is now in much better shape. The review helped the client know their site better, and we are poised to start doing some real support, such as making the site&#8217;s themes more configurable, adding templates to replace some of the static pages and helping the client manage their own content. The site is stable and its configuration will be much more comprehensible should another Drupal pro need to work with it in the future.</p> http://growingventuresolutions.com/blog/preparing-drupal-site-efficient-support#comments Planet Drupal clean urls globalredirect module path_redirect support Sat, 11 Apr 2009 13:18:42 +0000 steve harley 419 at http://growingventuresolutions.com New User_quota Module Provides Turnkey Solution for Artistic Entrepreneurs http://growingventuresolutions.com/blog/new-user-quota-module-provides-turnkey-solution-artistic-entrepreneurs <p>We recently helped out with the development of a pretty neat multiple vendor e-commerce website. In working on it much of the code was custom but we were able to build a novel, generic per user content type quota system. Each user can purchase credits towards their quota, which allows them to submit new content.</p> <h3>About LolliShops - Multi Shop Marketplace</h3> <div style="float: right"><a href="http://www.lollishops.com/"><img src="http://growingventuresolutions.com/gvsfiles/lollishops_logo.gif" /></a></div> <p>The easiest way to describe <a href="http://www.lollishops.com/">LolliShops</a> is an upscale <em>boutique</em> version of <a href="http://www.etsy.com/">Etsy</a>, built in Drupal. 
Lollishops provides a turnkey solution for artistic individuals who make jewelry, clothing and art by hand. Anyone can sign up and set up a personalized online store in minutes. It focuses on the <em>Frou Frou</em> market (if you're not familiar with it, it's probably best described by the site). So far, LolliShops has thousands of individual stores. The theme and products shown on the home page give a great sense of the intended audience. Vendors on the site purchase the ability to sell their products on the site with 3 different selling arrangements. Two of these arrangements limit the number of products that they can create, requiring a quota system.</p> <h3>About the User Quota Module</h3> <p>Of course the first thing I did when looking to build that quota functionality was to <a href="http://groups.drupal.org/node/16637">compare all of the existing solutions</a>. I posted a summary of my research into the <a href="http://groups.drupal.org/duplicated-modules-hall-shame">Duplicate Modules Hall of Shame</a> group for others to benefit from the research. It seemed like there was no way to do exactly what we need with the existing modules, so I set to work building a new module.</p> <p>The result is the <a href="http://drupal.org/project/user_quota">User Quota</a> module. Currently the module is very simple. It provides two administrative screens: one to list all of the users with their current quotas and a second to manage the quota for a specific user.</p> <p>Why bother announcing it here? To limit confusion in an already crowded area I used the project page from an old module. <a href="http://www.claws-and-paws.com/">Doug Muth</a> graciously agreed to let me use the old <a href="http://drupal.org/project/user_quota">User Quota</a> project page. 
Thanks, Doug!</p> <h3>Feature Enhancement - Easy Quota Purchases</h3> <p>One sad point with this module is that the Paypal integration we did for Lollishops was very site specific and cannot be directly committed and used on other sites. We are looking for sponsors to help build a simple e-commerce integration. We are debating about whether to integrate with <a href="http://www.ubercart.org/">Ubercart</a>, or <a href="http://drupal.org/project/lm_paypal">LM Paypal</a>, or <a href="http://drupal.org/project/simple_paypal">Simple Paypal Framework</a>. Certainly in time it should provide both of these features. The real question is which to do first. Ubercart appears to have the most solid 6.x release but doesn't fit with the lightweight nature of the module.</p> <p>And of course there is a need to fund that work. If you have a site that could use the ability to sell a node, please <a href="http://growingventuresolutions.com/contact">contact us</a> so we can discuss the exact implementation.</p> http://growingventuresolutions.com/blog/new-user-quota-module-provides-turnkey-solution-artistic-entrepreneurs#comments Planet Drupal development module Fri, 19 Dec 2008 01:15:30 +0000 Greg 248 at http://growingventuresolutions.com