Growing Venture Solutions - GVS - module

Security Review module and securing your Drupal site

Ben — Tue, 08 Dec 2009 22:30:46 +0000

Drupal core is very secure by default, but you can unknowingly open vulnerabilities with insecure configuration. An example of this is how allowing anonymous, untrusted users to use any HTML tag in comments opens a cross-site scripting attack vector on your site.

I'd like to introduce the Security Review module for automatically checking for the existence of insecure configuration and maintaining a secure Drupal site. With the first release come the following checks:

Insecure file system permissions
Insecure input formats
Dangerous code in nodes and comments
Printed errors
Private files directory not set outside the web root
Dangerous allowed upload extensions
Permissions granted to untrusted roles

Security Review also looks for the common attacks of SQL injection/system probing and brute-force login attempts.

The module reports the result of its checks as pass or fail and provides details on an accompanying page. Checks may not be 100% accurate on every system so they can be skipped from being run. I often skip the error reporting check while on a development instance of my site. The checks are explained in detail and where applicable there are links to online documentation.

Future plans for the module include popular contrib module checks and notification support. I encourage you to give the module a run on your sites and let me know what you think in the comments!

Introducing Token Starterkit - Simple Introduction to Creating your own Drupal Tokens

Greg — Wed, 21 Oct 2009 23:16:12 +0000

There seems to be a new pattern emerging in Drupal and I want to let you know that the Token module has joined the bandwagon with a "Token Starter Kit"

History of the Starter Kit in Drupal: Zen Theming

When the Zen project started it's goal was to be a really solid base HTML theme with tons of comments in the templates so that a new themer could take it, modify it, and end up with a great theme. Unfortunately, that second step of modifying it meant that people ran into all sorts of support issues that were hard to debug and they were in trouble when a new version of Zen came out - they weren't really running Zen any more.

How to use the Token Starter Kit

The Token Starter Kit is meant to be similarly easy for folks to use. The idea is that if you just open up the token module itself and start adding tokens then you are "hacking a contrib" (modifying it) and you will have to remember to make those changes again when you upgrade. Bad news. It's also not particularly simple to understand how the module works (it's got includes, and hooks, oh my!).

Enter the tokenSTARTER module. Just copy the tokenSTARTER .info and .module files to a new directory in your modules directory, rename them, and rename all the functions inside to match the filenames. This gives you a clean place to start adding in your own tokens. So, go for it. You'll see that it's quite simple and all you need are two hooks.

Documentation on Token API

There's also an API.txt file and README.txt file which explain how to write tokens in general. Lots of great advice in there.

Economist.com - Providing Tools to Support the Severe Contest Online

Greg — Tue, 26 May 2009 02:07:18 +0000

I (Greg) have been reading the Economist since I was a teenager, so I was quite excited to hear that they were going to be moving to Drupal. Of course, I was even more excited when I got the opportunity to work on the project.

The Economist provides a variety of services, but their most popular one is the very dense newspaper they deliver each week full of insightful articles. As printed media undergoes an enormous change in the age of online delivery, The Economist draws inspiration from the Prospectus and their mission statement to find a purpose:

To take part in a severe contest between intelligence, which presses forward, and an unworthy timid ignorance obstructing our progress.

Growing Venture Solutions has engaged with developers at The Economist and many other fine consultants including Cyrve and Four Kitchens. We are working with their scrum teams to build the tools necessary to host a severe contest online. Included in these tools are features that drive at the heart of Drupal: content management, identity, rating, and individually focused customization.

Much of the work is making its way back to the Drupal community. The Views Bulk Operations and Voting API modules have seen some improvements already. The amazing Table Wizard and Migrate modules were vastly improved as a result of their use importing data into the site. As we move beyond the migration stages of the project, we should be able to make even more improvements to Drupal.

Preparing a Drupal site for efficient support

steve harley — Sat, 11 Apr 2009 13:18:42 +0000

We can support your Drupal site, but first let’s make it right

When we first offered formal Drupal Support services we expected clients would know their site fairly well and need help with advanced administration and/or doing “new” things. In practice, we’ve quickly learned an important lesson about the diversity of Drupal site owners. Some are virtuosos, and need our help with very complex issues. Some have an existing site with major deficiencies, perhaps built by a vendor who is no longer in the picture. Some need some tutoring in Drupal basics, or even the concepts of dynamic websites.

So we have learned to sort out from the start whether clients will need a more intensive initial phase that includes a site review, an assessment of how well administrators and users understand their Drupal site, and quite possibly a detailed site tune-up. Here is how the technical side went with one client …

From the outset, we sensed all of this client’s support hours could be consumed just trying to stay ahead of the ad hoc techniques used in the construction and management of the site. We knew we had to stabilize the situation so the client could get more value from our support — and from their site. We found the site running an older version of Drupal 5 on a Windows IIS host with only FTP (not SFTP nor ssh) access for managing the site. The clients wanted to improve SEO and feel more in control. They weren’t really using Drupal as a content management system.

First steps in Drupal site evaluation

To move forward, and protect their investment in the site, we helped the client to arrange for Linux hosting and planned an upgrade to Drupal 6. In short, this would put them on a version that is easier to support, simplify setup of clean URLs and guarantee availability of security updates beyond the Drupal 7 horizon. Using a Linux host with ssh access is a strong preference for our team; it makes our work for clients more efficient.

We prepared to migrate and upgrade the site by reviewing the site’s:

32 contributed modules,
four custom themes (hacked versions of Garland applied to specific pages via Taxonomy Theme),
structure including menus, content types, views and input filters,
status of existing content, including some content not linked into site navigation at all,
non-Drupal static pages and a Wordpress installation on the same domain, all themed to appear as part of the main site.

Getting a handle on a Drupal site’s modules

Our review found that 20 of the contributed modules had no significant purpose on the site, plus two useful modules weren’t supported for Drupal 6. While the site was functional, under the hood there were overlapping and partially configured modules, as if the previous site builder had left in the middle of some hasty experiments. In some cases we had to query the variable table or the tables associated with a module to be sure whether it was in use.

With all of the unneeded modules gone, we added Token, Pathauto and Global Redirect to set the stage for SEO improvements.

Some modules were needed but not supported in Drupal 6. We replaced Taxonomy Theme with Theme Key, and Tiny MCE with Wysiwyg API configured with the TinyMCE 3 plug-in (per the client’s preference).

Untangling and upgrading Drupal themes

We upgraded the themes to Drupal 6, referring to the Converting 5.x themes to 6.x checklist as well as some tips that simplified the process on Wesley Tanaka’s blog. The themes interacted with Nice Menus via theme_menu_item_link, an API function whose definition has changed sufficiently in Drupal 6 that it no longer suited the purpose. Nice Menus in Drupal 6 has configuration options that bridged the gap. Theme_menu_item_link was still helpful, though, because the Drupal 5 site contained menu entries which linked nowhere, something Drupal 6 doesn’t allow. We addressed this in the theme layer with an approach modeled after this suggestion by tekket.

Once we had sorted through the content and knew which pages were actually live (versus published but not linked from anywhere). We realized one of the themes wasn’t in use at all. Another turned out to only be used when a certain region shouldn’t appear, but that region would suppress itself if no blocks were assigned. So it wasn’t too hard to prune the themes to one for the home page and one more for the rest of the site.

Getting bugs out of the content

Having reviewed and simplified the site configuration, the Drupal 6 upgrade itself went very much by the book. A few of the remaining modules needed a 2.x upgrade while still in Drupal 5 to make ready for Drupal 6. Since the client was making few content changes, the upgraded site could be brought up on the new host and reviewed before changing DNS, simplifying the staging process. Site content upgraded cleanly with a few exceptions. Views import worked, but much of the detail of the views had to be reconstructed anyway.

The menus and some of the content had hard-coded references to pages and images on the site without using relative links or clean URLs, and even sometimes linked by IP address. We used queries into the node_revisions and menu_links tables to find what needed fixing. There were few enough problem nodes that it made the most sense to fix them manually, but Greg made a time-saving suggestion — use a calculation in an ad hoc query to output the complete node/#/edit URL for each node to update. From there (from the mySQL command-line in a Mac OS X iTerm window), I selected the URL from the query output and usied a keyboard shortcut assigned to the Open URL entry in the service menu. Tricks like these can make even a modest manual process take half the time or less.

The result: a smoothly-running Drupal site

None of this work was glamorous, but the result is very satisfying — the site is now in much better shape. The review helped the client know their site better, and we are poised to start doing some real support, such as making the site’s themes more configurable, adding templates to replace some of the static pages and helping the client manage their own content. The site is stable and its configuration will be much more comprehensible should another Drupal pro need to work with it in the future.

New User_quota Module Provides Turnkey Solution for Artistic Entrepreneurs

Greg — Fri, 19 Dec 2008 01:15:30 +0000

We recently helped out with the development of a pretty neat multiple vendor e-commerce website. In working on it much of the code was custom but we were able to build a novel, generic per user content type quota system. Each user can purchase credits towards their quota, which allows them to submit new content.

About LolliShops - Multi Shop Marketplace

The easiest way to describe LolliShops is an upscale boutique version of Etsy, built in Drupal. Lollishops provides a turnkey solution for artistic individuals who make jewelry, clothing and art by hand. Anyone can sign up and setup a personalized online store in minutes. It focuses on the Frou Frou market (if you're not familiar with it, it's probably best described by the site). So far, LolliShops has thousands of individual stores. The theme and products shown on the home page give a great sense of the intended audience. Vendors on the site purchase the ability to sell their products on the site with 3 different selling arrangements. Two of these arrangements limit the number of products that they can create, requiring a quota system.

About the User Quota Module

Of course the first thing I did when looking to build that quota functionality was to compare all of the existing solutions. I posted a summary of my research into the Duplicate Modules Hall of Shame group for others to benefit from the research. It seemed like there was no way to do exactly what we need with the existing modules, so I set to work building a new module.

The result is the User Quota module. Currently the module is very simple. It provides two administrative screens: 1 to list all of the users with their current quotas and a second to manage the quota for a specific user.

Why bother announcing it here? To limit confusion in an already crowded area I used the project page from an old module. Doug Muth graciously agreed to let me use the old User Quota project page. Thanks, Doug!

Feature Enhancement - Easy Quota Purchases

One sad point with this module is that the Paypal integration we did for Lollishops was very site specific and cannot be directly committed and used on other sites. We are looking for sponsors to help build a simple e-commerce integration. We are debating about whether to integrate with Ubercart, or LM Paypal, or Simple Paypal Framework. Certainly in time it should provide both of these features. The real question is which to do first. Ubercart appears to have the most solid 6.x release but doesn't fit with the lightweight nature of the module.

And of course there is a need to fund that work. If you have a site that could use the ability to sell a node, please contact us so we can discuss the exact implementation.