May 09 2019
May 09

What an event this last DrupalCon was! Thanks to all who joined us in April for DrupalCon Seattle 2019.

In planning this event, more funds than ever before — 30 percent more, to be exact — were allocated for grants and scholarships. This tied in with the overall aim of having a cross-section of attendees, all of whom play a part in contributing and advancing the Drupal Project. Funding for grants and scholarships is from the support of our conference partners, as well as conference registrations.

May 09 2019
May 09
  • Malabya
  • 09/05/2019

How do you stay ahead of your competition? Easy - Be relevant. Address your audience’s pain points. Repeat. With the adoption of the continuous innovation model, Drupal is doing that and more. Drupal 8.7 was released on May 1st following the 6 months release cycle for Drupal 8. We saw huge improvements in Drupal 8.6 which was a big release. With 8.7, it just got better - With more stable modules ready to be used on productions and other interesting out-of-the-box features.

What's new in Drupal 8.7.0

Drupal 8.7 release is a big step which makes it more modernized, competitive, and user-friendly. Drupal is now truly API first, accessible, easy to use for editors and uses the latest PHP. The new features in Drupal 8.7 makes it easier for marketers to manage and update content effectively.

JSON:API lands in Drupal core

Drupal 8 ships with the JSON:API module which takes forward the API first game. API first initiative is one of the most anticipated features that the Drupal community is working towards. With API first, Drupal will do what it does best - Manage content,and talk to different integrations to deliver content over HTTP APIs. JSON:API is the first module which is added to the core as a stable module without going through an experimental phase.

JSON:API is a contributed module which is meant to deliver high performing API endpoints to expose content using JSON:API specifications. With JSON:API module, to expose any entity from your Drupal 8 site you just need to enable the module and JSON:API that will do the job for you. With its flexibility, the payload can be modified as needed by using just parameters. There's a lot more to that, which can be a topic of another blog post.

Layout Builder is now stable

Layout builder is one of top modules and I was really looking forward to it. In Drupal 8.7 it finally got a stable release and Layout builder now ships with massive improvements. In the current state, I will recommend Layout builder to replace a bunch of layout building modules like Panels, Panelizer, Display suite and another one of my top modules “Paragraphs”.

What’s new in Layout Builder? Well, not only you can have layouts for fieldable entities but now we can have unstructured data as well on our layouts. This means, we can now attach various block types in your Drupal site and create one time block instances.

Here is a short video to demo the powerful Layout Builder from Driesnote in Drupalcon Seattle.

[embedded content]

Umami goes Multilingual

The evaluation and demo installation profile, Umami Food Magazine, has a lot of improvement in Drupal 8.7. Umami is an out-of-the-box initiative which demonstrates the power of Drupal 8 out of the box. In 8.7, Umami is now more accessible, has multilingual features, a new welcome tour and uses the new Layout Builder module on Recipe pages to demonstrate the capabilities of the module. It now includes a Spanish version and more languages are being added as you read this.

A new Shiny look for Media Library

Even though still in experimental phase, the Media library gets a fresh look. Built on top of the stable Media module, the Media library allows usage of reusable Media in your Drupal site. These Media can vary from Images, Videos, Files, Documents and even Remote videos. These media assets will have their own identity with a set of attributes and meta information attached to them. This makes search and reusability extremely beneficial for marketers to quickly search and attach media for their contents. Apart from that, it’s easy to use with it’s drag and drop functionality, inline media creation and flexible grid and table views.

Here is a short video to demo for the new things in Media from the Driesnote in Drupalcon Seattle.

[embedded content]

Other Notable Updates in Drupal 8.7:

Support for PHP 7.3 and drop of PHP 5.6 support

PHP 7.3 was released in December 2018 and comes with numerous improvements and new features. Also with this release new Drupal sites can only be installed on PHP 7.0.8 or later. Installing Drupal on older versions results in a requirement error.

Support for automatic entity updates has been removed

In Drupal 8.7, automatic entity updates were removed which allowed to a site to update the existing schema of an entity type and its fields storage definitions to the latest (in-code) definitions. It was done to remove data integrity issues since it’s hard to anticipate side effects and critical bugs when executed.

Revisionable Taxonomy terms and Menu items

Taxonomy terms and Menu items are now revisionable which makes them eligible for the editorial workflow like Contents and Blocks.

As we’re getting closer to welcome the release of Drupal 9, things are already falling in place. Drupal 8.7 is packed with new features like a stable Layout Builder that lets you create layout templates really fast and easy. Comes with stable JSON:API support to help you build powerful decoupled applications. A more efficient and good lookin’ Media library (experimental) for content builders. Added features in Umami demo profile. While Drupal 8.7 makes way for PHP 7.3, it also dropped support for PHP 5.6. On the whole, Drupal 8.7 release has something for everybody - content editors, site builders, developers and site owners. Stay updated with Drupal’s new releases - stay ahead of your competition. We can help you do just that.

May 09 2019
May 09

Within the Drupal community, it seems like many developers are interested in ensuring their modules and themes are secure, but don’t really know what insecure code looks like. I’ve personally found a lot of resources that tell you about security best practices, but don’t dive deeper into common missteps and their consequences.

Drupal 8 is the most modern and secure release of Drupal yet, which leads developers to expect that all Drupal 8 APIs are perfectly safe to use. While it’s great that Drupal has earned that reputation, there are still plenty of ways to leave your site vulnerable.

In this blog I’ll go through examples of insecure code that I’ve seen doing security research and review into Drupal 8, which will hopefully make it easier for you to know what to look for when reviewing your own code.

So you want to render HTML…

Outputting HTML is Drupal’s bread and butter, but if you’re rendering user input you may be vulnerable to cross site scripting, otherwise known as XSS.

XSS occurs when a malicious user identifies an exploit that allows user input to be executed as Javascript. Then, typically, an attacker leads someone with higher privileges (an administrator) to trigger the exploit. At that point, an attacker can do anything the administrator can do - add more administrator accounts, delete content, download sensitive data, and potentially use a chained exploit to execute server-side code.

Twig has your back

With Drupal 8’s implementation of Twig, all variables rendered normally (within curly braces) are automatically filtered. The attributes object, which is often used in Twig, is also generally safe. For example, trying to add a malicious attribute with code like:

<b {{ attributes.addClass('"onmouseover="alert(1)"') }}>Hello</b>

Will render safely as:

<b class="&quot;onload=&quot;alert&quot;">Hello</b>

Unquoted attributes

Twig isn’t inherently immune to XSS. If you don’t wrap attributes in double quotes, for instance, user input could render a malicious attribute. For example, if you have a template like:

<b class={{ configurable_class }}>Hello</b>

And pass in a class configured by a user:

$variables['configurable_class'] = 'foo onclick=alert(bar)';

The final, unsafe HTML will be:

<b class=foo onclick=alert(bar)>Hello</b>

This is because variables have HTML special characters escaped, but aren’t aware of the context they’re rendered in. onclick=alert(bar) on its own is completely safe, but when inside an opening HTML tag can trigger XSS.

The raw filter

One of the filters that comes with Twig, raw, marks a value as being safe and does not escape it. That means that if you ever see something like:

{{ variable | raw }}

In your templates, that could lead to an XSS vulnerability. There are very few use cases for raw, so if you can avoid using it completely you should.

Misusing render arrays

Render and form arrays in Drupal can also be misused to allow XSS. For example, you may know that HTML like this executes arbitrary Javascript on click:

<a href="javascript:alert()">Click me!</a>

And if you’re using url or link objects or render elements, this will be rendered as:

<a href="alert()">Click me!</a>

Which is safe. However, if you’re not using the url or link APIs, Drupal doesn’t have the context to know that the “href” attribute could be unsafe, and will render it without escaping. For example, this code:

$build = ['#type' => 'html_tag', '#tag' => 'a', 'Hello'];
$build['#attributes']['href'] = $user_input;

When provided this user input:

$user_input = 'javascript:alert("foo")';

Will render:

<a href="javascript:alert(\"foo\")">Hello</a>

Like the Twig attribute issue, this is a result of Drupal not being aware that untrusted data is being passed to potentially dangerous APIs. Here are some more examples of render arrays that allow XSS:

$build['#markup'] = $user_input;
$build['#allowed_tags'] = ['script'];

$build['#children'] = $user_input;

$build['#markup'] = t($user_input);

$build = ['#type' => 'inline_template', '#template' => $user_input];

Not filtering in Javascript

While the examples so far have been about backend code, XSS is commonly triggered from Javascript. Take this example, where the value of an input is passed to jQuery’s html function to display an error:

var value = $('input.title').val();
$('.error').html('<p>Invalid title "' + value + '"</p>');

Since the html function assumes the data you pass is safe, this could trigger XSS. A better way of approaching this is to use the text function, which escapes special characters:

var value = $('input.title').val();
$('.error').text('Invalid title "' + value + '"');

The most Drupal-y way to accomplish this would be to use the Drupal.t function, which accepts placeholders that are automatically escaped, and translates text:

var value = $('input.title').val();
$('.error').html(Drupal.t('<p>Invalid title "@title"</p>', {'@title': value});

Sniffing out XSS problems

In general, a good way to spot XSS is to question complexity wherever you see it. Look into your biggest forms and controllers and see if there’s anything odd using user input, and if so make an effort to exploit it. Also, if there’s any opportunity to use Twig instead of concatenating HTML in the backend, use Twig!

So you want to query the database…

Drupal comes with a database abstraction layer that saves you from writing SQL by hand, which has done a lot to prevent a type of vulnerability called SQL injection, otherwise known as SQLi.

SQLi occurs when a malicious user identifies an SQL query that can be unsafely modified by user input, allowing them to add arbitrary statements or additional queries onto an existing query. SQLi can allow attackers to read arbitrary sensitive data, insert arbitrary data, or even wipe existing data if they are able to.

Use the abstractions

The best advice when querying the database is to use Drupal’s database API wherever possible. Drupal has great documentation on how to properly use this API here:

The API is normally safe to use, but can be used unsafely in ways that aren’t clear to all Drupal developers.

Not using placeholders

There are cases where you need to write a query by-hand, which is fine unless that query uses user input, in which case you need to use placeholders. For example, this code has user input ($name) in the query string:

  ->query("DELETE FROM people WHERE name = \"$name\"")

If $name is set to a malicious value, like:

$name = 'myname" OR "" = "';

The final query ends up being:

DELETE FROM people WHERE name = "myname" OR "" = ""

Which in this example would delete everyone from the people table. The proper way to do this would be to use placeholders in your query string, and pass the user input as an argument:

  ->query('DELETE FROM people WHERE name = :name', [
    ':name' => $name,

Not escaping LIKE

Typically when using the database API, using the condition method and passing user input as the value is safe. However, if you are using the LIKE condition, you need to escape user input that may contain the wildcard character (%). For example, this code has user input ($name) in a LIKE condition:

$result = \Drupal::database()
  ->condition('name', '%_' . $name, 'LIKE')

If $name is set to a malicious value, like:

$name = '%';

The final query ends up being:

DELETE FROM people WHERE name LIKE "%_%"

Which would delete every row in the people table where the name included an underscore. The proper way to do this is to escape the user input using the escapeLike method, like so:

$database = \Drupal::database();
$result = $database
  ->condition('name', '%_' . $database->escapeLike($name), 'LIKE')

Trusting user operators

Passing user input as a condition value is generally safe, but passing it to other parts of the API like table names, column names, or condition operators is dangerous. For example, this code has user input ($operator) as a condition operator:

$result = \Drupal::database()
  ->condition('name', $name, $operator)

If $operator is set to a malicious value, like:

$operator = 'IS NOT NULL)
JOIN USERS WHERE ("foo" <>';

The final query ends up being:

JOIN USERS WHERE ("foo" <> :name)

Which would query all session IDs from the sessions table, which in Drupal 8 is less scary than 7 since session IDs are hashed.

To address this, compare the user input to a list of known valid SQL operators before using it in the query.

General SQL tips

If you use the database API in a typical, non-complex way, you’ll probably be fine. Just remember to use placeholders, escape user input when used in a LIKE statement or as an operator, and try to never write queries by hand.

So you want to write some code…

Beyond Drupal specific APIs, a lot of your code is just plain PHP, which comes with its own set of security issues. One last kind of exploit I’ll briefly cover is remote code execution, otherwise known as RCE.

RCE occurs when a malicious user identifies an exploit that allows user input to be executed as server-side code, most commonly by your runtime language (PHP) or the shell. RCE allows an attacker to do anything your web user can do, which could be everything from reading sensitive data, setting up a persistent backdoor, or using the compromised server to reach more servers on your network.

PHP, historically, has allowed for RCE in a lot of different ways, so there’s no golden rule to follow. Instead, watch out for some of the RCE classics:

Using user input to execute shell commands:

`magick convert $user_input output.png`;
shell_exec("magick convert $user_input output.png");

You could use the escapeshellarg function here to escape user input, but that isn’t foolproof as options (--foo=bar) are just wrapped in quotes, which in some command line applications is treated as a valid option. Validating the user input against a small set of allowed characters may be the best bet here, in addition to using escapeshellarg.

Using eval to execute dynamic PHP expressions:


This allows arbitrary PHP to be executed and should not be used.

Using unserialize on data that could be entered by the user:


This allows for object injection, a vulnerability that can lead to RCE, and should be avoided if possible. Consider storing complex data as JSON instead, which is safe to use.

Without a deep experience in how RCE exploits are performed it’s hard to spot vulnerabilities, but you should review any code that has dynamic shell commands, eval, or unserialize with a high level of scrutiny.

A parting thought

Information like this can be daunting, but the best way to apply it to your work is to research common vulnerabilities, try a few exploits out, and make security a part of your company’s culture as well as code. Once you start thinking about security it’s hard to get it out of your head - does your company properly use encryption? Is two factor authentication enforced? How’s your office’s physical security? Being aware of these issues can lead to improvements that extend far beyond your custom code.

Get In Touch

Questions? Comments? We want to know! Drop us a line and let’s start talking.

Learn More Get In Touch
May 08 2019
May 08

The Northwest Environmental Training Center (NWETC) is an organization that is committed to helping environmental protections improve their career opportunities. The organization focuses on two…

Visit Site ReThink Orphanages

ReThink Orphanages is a courageous organization with a benevolent charge, grand ambition, a network of high-powered partners, and a commitment to make the world a better place. The organization is…

Visit Site Using Video to Document and Tell Stories is a Brooklyn-based non-profit that “…makes it possible for anyone, anywhere to use video and technology to protect and defend…

Visit Site Fred Hutchinson Cancer Research Center eagle-i IntegrationAbout Fred Hutchinson Cancer Research Center

Fred Hutchinson Cancer Research Center’s (FHCRC) Shared Resources core facilities support biomedical research by providing services and expertise that…

Visit Site University of Washington Center for Reinventing Public Education (CRPE)

We originally partnered with CRPE's in-house web manager in 2012. He was familiar with the content management aspect of Drupal, but needed a bit of support with the more intricate ways that Drupal…

Visit Site Seattle Humane Society

We began working with Seattle Humane Society in February of 2016. They had reached out to us because they needed some emergency help with their website. For some reason, their site was reverting…

Visit Site Middle East Policy Council

The Middle East Policy Council (MEPC) is a 501(c)(3) nonprofit organization founded in 1981 whose mission is to contribute to American understanding of the political, economic and cultural issues…

Visit Site American College for Healthcare Sciences (ACHS)

ACHS originally partnered with Freelock in August of 2011 to perform some easy wins on their site. We started with a Freelock Site Assessment and code review of their Drupal 6 website. After that…

Visit Site Peninsula College

Peninsula College reached out to us in 2012 for some emergency work related performance issues on their site and problems with their site crashing. Once we were able to jump in and diagnose, we…

Visit Site Appliance Standards Awareness Project - ASAP

Appliance Standards Awareness Project (ASAP) organizes and leads a broad-based coalition effort that works to advance, win and defend new appliance, equipment and lighting standards which deliver…

Visit Site Georgetown University Qatar

We were contacted by the Georgetown University team in Qatar in late November 2016 regarding several of their sites that were using the Drupal Domain Access module. They had several requirements…

Visit Site Seattle Children's Alliance

Another Drupal 8 site upgrade! In June of 2016 we were approached by Seattle’s Children’s Alliance for a Drupal 5 to Drupal 8 migration. Their main concern was that their Drupal 5 site modules…

Visit Site Fred Hutchinson Cancer Research Center – HANC

We started working with another team at Fred Hutch in early 2016. They contacted us after they were needing some local TLC with their HIV/AIDS Network Coordination global CRM database (…

Visit Site

We were approached in late 2015 by a marketing/design agency to take over this project. Their Drupal developer was on her way out and they needed some Drupal expertise. The website was just in…

Visit Site Jim Ovia Foundation

We originally worked with the main Jim Ovia stakeholder on a separate project, when she worked with a different giving organization. She then reached out to us in September of 2015 to let us know…

Visit Site World Vision Knit for Kids

When the team at World Vision approached us in late 2015 to work on a few of their Drupal sites, they also had their Knit for Kids website that was in WordPress. They wanted to take that site and…

Visit Site Second Nature Sports

Second Nature Sports is owned and operated by the same folks over at Locker Soccer Academy, so when their previous developer was closing shop, it was just natural to have them roll this site into…

Visit Site Locker Soccer AcadamyLocker Soccer Academy

In December of 2013, our friends at Locker Soccer Academy reached out to us regarding their soccer academy sites, that were already developed by a shop in Colombus, Ohio. The development shop was…

Visit Site mEducation Alliance screenshotWorld Vision mEducation Alliance

The product owners of the mEducation Alliance website contacted us in September, 2015 to provide ongoing monthly Drupal security and module updates. The site is a partnership between…

Visit Site World Vision Chinese siteWorld Vision Chinese/Korean Websites

World Vision decided to partner with Freelock in September of 2015 for their Chinese and Korean websites. Headquartered in Federal Way, Washington – this was a perfect fit! We took…

Visit Site Queen City Yacht Club websiteQueen City Yacht Club

Our friends at Queen City Yacht Club approached us in April of 2015 regarding their Drupal 5 website. It was at the end of life and they wanted to upgrade. Their motivations were that they wanted…

Visit Site National Center for Science Education

In June of 2015, our collegue recommended our Drupal maintenance services to the National Center for Science Education. Our colleague was looking forward to large project and just didn't have the…

Visit Site Snoqualmie Tribe

Snoqualmie Tribe contacted us in December of 2014 in desperate need to secure their website. It turns out, they were susceptible to the Drupalgeddon attack and needed the Drupal 7.34 core…

Visit Site Lease Crutcher Lewis

In December of 2013, we were contacted by Lease Crutcher Lewis to take over their hosting. Their site is a great contender for Drupal 8! They were also interested in our Drupal maintenance plan…

Visit Site Bonavita World

In early 2014, our friends at Bonavita came to Freelock requesting that we help manage their main website Espresso Supply. Soon thereafter, they wanted to launch a website for one of their brands…

Visit Site Washington Housing Alliance Action Fund

The Washington Low Income Housing Alliance Action Fund first talked to us about building a new site last October, but they were not ready to proceed. This summer they were finally ready, and used…

Visit Site Makah Community Portal About the Makah Tribe

The Makah Tribe is located in Neah Bay, Washington. They had a custom portal for the Makah Tribe and the Neah Bay Community. Their website is the hub for the community,…

Visit Site Max Dale's Steak and Chop House

Max Dale's Steak House is a popular restaurant a few dozen miles up the road in Mt. Vernon, Washington. If you're not from this state, you might have heard of Mt. Vernon when a major Interstate…

Visit Site IslandWood

About Islandwood

IslandWood is a nonprofit educational…

Visit Site Northwest Wall & Ceiling Bureau

Freelock built an informational website for the Northwest Wall & Ceiling Bureau (NWCB), an international trade organization for the wall and ceiling industry. We delivered a snappy…

Visit Site Totem Ocean

Freelock teamed up with Eben Design to build a new site for Totem Ocean Trailer Express, a shipping company that has two voyages between Tacoma and Anchorage each week. In addition to being a…


The International Training and Education Center for Health (I-TECH), a non-profit collaboration between the University of Washington and the University of California, San Francisco, came to…

Bellingham School District

For the Bellingham School District, Freelock put together a large, multi-faceted Drupal site for district-wide information and standardized sites for schools within the district containing…

Visit Site Olympic Peninsula Tourism Commission

The Olympic Peninsula Tourism Board came to us in early 2009 to assist them in developing a visually stunning and highly functional website in a Content Management System. The site needed to be…

Latitudes in Learning

Latitudes in Learning creates personalized learning experiences that engage people and organizations in meaningful interactions with the world. Learning is one of the most difficult activities in…

Visit Site World Class Hunting The Project

The owner of World Class Hunting approached Freelock to launch their website. They had worked with Drupal on a previous project, so they were familiar and enjoyed Drupal. The project…

Visit Site Joey Klein The Project

Joey Klein's team approached Freelock to "rescue" their website. Through the course of their planning stages, the original developers found that they had reached a point where they did…

Visit Site LedgerSMB Web Site

LedgerSMB is an open source accounting and financial package. Freelock has used LedgerSMB for its bookkeeping practically since the project began, forking an earlier open source project called…

Visit Site Hydra Content Management System

Freelock worked closely with Consumer Media Network to create a content management system (Hydra) through which they can track assignments and submissions. We implemented a custom workflow system…

Visit Site DanceSafe

DanceSafe is a non-profit, harm reduction organization promoting health and safety within the rave and nightclub community. Local chapters consist of young people from within the dance culture…

Visit Site Answers for Elders

Freelock developed an informational website for Answers for Elders. Answers for Elders is an online resource for adults caring for elderly parents. Branded as the "Boomers' Online Community to…

Visit Site Ge•cko About Geocko

Geocko builds powerful tools that save time and increase engagement for nonprofit organizations.  They simplify tasks, so organizations can stay forcused on running programs and…

Visit Site I-TECH Drupal 7 Upgrade About I-TECH

The International Training and Education Center for Health (I-TECH) is a center in the University of Washington's Department of Global Health.  I-TECH headquarters in Seattle with…

Visit Site Nightingale-Bamford School About Nightingale-Bamford School

The Nightingale-Bamford School is an independent all-female university-preparatory school founded in 1920.  With grades K-12, NBS is one of the top-ranked private…

Visit Site Lindbergh Gallery About Lindbergh Gallery

Lindbergh Gallery is Erik Lindbergh's venue for selling aerospace sculptures, furniture and other custom art pieces he creates.  Erik Lindberg is the grandson of Charles…

Visit Site RevEquip About RevEquip

The RevEquip team is composed of foodservice consultants experienced in Revit and the creation of foodservice documents.  Revit Families are developed to meet the standards…

Visit Site Nia Technique, Inc. About Nia Technique, Inc.

Nia is a sensory-based movement practice that draws from martial arts, dance arts and healing arts. Nia Technique Inc is built…

Visit Site Crossfit Games/PLY Interactive

In December 2011, Ply Interactive came to Freelock for assistance theming the Crossfit Games site, because of our Drupal expertise and the tight schedule for the project. This site was built from…

Visit Site Alaska Fishing Jobs Center

Scott Coughlin, a 24-season veteran of Alaska's salmon, herring and halibut fisheries, came to Freelock for help getting his site done. We picked up the pieces of the development project, yet…

Visit Site West Seattle Family Zone

The folks at WSFZ needed a directory-based website that was easy to maintain and easy to use. Catering to the families of this popular Seattle-area neighborhood, West Seattle, WSFZ wanted a clean…

Visit Site Cool Day Trips

Freelock was approached to build a website focused on the “Top 50” Day Trips from Seattle, based on rankings and reviews from users. includes a description of each destination,…

Visit Site Maltby Produce Markets, CSA

Our friends at Flower World came back to us for their latest project, Maltby Produce Markets CSA. Maltby Produce Markets grow a wide variety of fruits and vegetables in their fields, orchards,…

Visit Site Littlestar Prints

Littlestar Prints is one of our favorite sites. It combines some powerful drag-and-drop photo editing in the browser with e-commerce. We got to use both of our favorite software packages--Drupal…

Visit Site Organic Materials Research Institute (OMRI)

Another large scale project by Freelock Computing, the Organic Materials Research Institute tested our abilities to work with a variety of sources and the Drupal system. The project brought their…

Visit Site TerraBella Flowers - Organic Florist in Seattle

TerraBella Flowers & Mercantile specializes in European garden-style designs, using an assortment of local, organic, and sustainably grown flowers and is based in the Greenwood neighborhood…

Visit Site RadioFrame Networks

RadioFrame Networks came to Freelock in late 2008 for a web development project aimed at bringing their existing corporate static site content into the Joomla CMS. We worked with their existing…

WestSide Baby

WestSide Baby, in partnership with the Puget Sound community, provides essential items to local children in need by collecting and distributing diapers, clothing, toys and equipment. They partner…

Visit Site Booktrope

Booktrope's goal of getting online books to as many people as possible (for free!) was a project right up our alley, fitting nicely with our open source foundation.

From the beginning, we…

Visit Site Robinson Newspapers

Robinson Papers hired us to build a centrally-managed web site with different personalities for each of their papers but shared control. We built out a sophisticated system in Drupal, with…

Visit Site Riverview Community Church

Riverview originally came to Freelock to design and develop a website that would serve the needs of their rapidly growing church community. Originally a simple Joomla deployment, we have since…

Visit Site Phytec America

In early 2008, Phytec America brought Freelock on to maintain its Linux server systems and add an additional server. We configured a new server as an internal mail and file server, and converted…

Visit Site BlueView Technologies

BlueView Technologies initially hired us for Linux server administration in 2007. We have worked extensively with BlueView, expanding their IT infrastructure from one server which did everything…

Visit Site Running Wild Spirit Zen Cart

Running Wild Spirit is one of our earliest Zen Cart projects and has greatly contributed to the success and growth of their business. Based out of the small town of Maltby an hour and a half away…

Visit Site Seattle Jobs Scraper System hired Freelock to implement a system to scrape job listings from their customers' web sites. lists jobs from about 45 member companies. In order for Seattle Jobs…

Visit Site Outdoor Research

Outdoor Research, an outdoor gear manufacturer, hired us to build their main public web site, along with a full administrative back end. We implemented a system that imports product data from…

Visit Site P5 Group Website

When P5 Group was looking to create a dynamic website, they looked to Freelock Computing to help. Using Drupal as a CMS platform, we created a site with multiple access levels for their wide…

Visit Site An XML-based Report Browser

One of Freelock, LLC's ongoing customers needed a web front-end for a proprietary reporting tool. This reporting tool could be configured to generate reports that ended up in Microsoft Excel.…

Custom Client Extranet

One of Freelock, LLC's ongoing customers needed a password-protected site that actually provided different content to different users, depending on the company or user group the user is part of…

Single-Source Help System

Over the course of creating help systems for multiple clients, Freelock, LLC developed a set of scripts that manage browse sequences, tables of contents, and cross-references for help systems.…

May 08 2019
May 08

by David Snopek on May 8, 2019 - 12:31pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Drupal core to fix a vulnerability in the protections added in SA-CORE-2019-003. You can learn more in the security advisory:

Drupal core - Moderately Critical - Third-party Libraries - SA-CORE-2019-007

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on

May 08 2019
May 08
Project: Drupal coreDate: 2019-May-08Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Third-party librariesCVE IDs: CVE-2019-11831Description: 

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

The known vulnerability in Drupal core requires the "administer themes" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.


Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Reported By: Fixed By: 
May 08 2019
May 08

Drupal released its latest version - Drupal 8.7.0 on 1st May 2019. The latest version of Drupal 8.7.0 accomplishes tasks like making page layouts, media management and decoupled web experiences easier to manage and deliver, conserving production time and effort and it was recently revealed at DrupalCon Seattle 2019.

Core objectives when developing Drupal 8.7 were to:

  • Make Drupal easy for content creators and site builders
  • Make Drupal easy to evaluate and adapt.
  • Keep Drupal impactful and relevant
  • Reduce total cost of ownership for developers and site owners

JSON:API at Core:

The latest Drupal 8.7 update includes JSON:API as a part of the Drupal core!  
This makes Drupal an API first platform for building both decoupled and coupled applications. JSON API module exposes the entities as a standards-compliant web API and data can then be pulled from third-party URLs or API’s.

JSON:API is designed specifically to minimize both the number of requests and the amount of data transmitted between clients and servers. This efficiency is achieved without compromising readability, flexibility, or discoverability.

By enabling the JSON:API module, you can immediately create a full REST API endpoint for every type(content, taxonomy, user, etc.) in your Drupal application. JSON:API inspects your entity types and their bundles to dynamically provide URLs to access every entity using the standard HTTP methods, GET, POST, PATCH, and DELETE.

JSON:API adopts the philosophy that the module should be production-ready. This means the module is highly opinionated about where your resources will reside, what methods are immediately available for them, and allows Drupal Core's permissions system control the access. The configuration pages are no longer present in this upgrade (Drupal 8.7). This means that you can get an API-driven Drupal application up and running with minimal effort.


Watch the JSON:API demohere!

Stable Layout Builder

The Stable Layout Builder was released with Drupal 8.6 as an experimental module and now it is stabilized in Drupal 8.7.

Drupal 8's Layout Builder allows content editors and site builders to easily and quickly create visual layouts for displaying content. Users can customize how content is arranged on a single page, across content types, or even create custom landing pages with an easy to use drag-and-drop interface.

Explore the sections below to find out how to get started with Layout Builder and how to apply it to templated content types. Layout Builder is anchored on one of Drupal’s stronger features – the ability to create structured content; but it faces some of the same accessibility challenges encountered by  WordPress’ Gutenberg editor. Drupal's Layout Builder offers a single, powerful visual design tool for three use cases:

Layouts for templated content: The creation of "layout templates" that will be used to layout all instances of a specific content type (e.g. blog posts, product pages).
Customizations to templated layouts: The ability to override these layout templates on a case-by-case basis (e.g. the ability to override the layout of a standardized product page).
Custom pages: The creation of custom, one-off landing pages not tied to a content type or structured content (e.g. a single "About us" page).

Layout builder

Watch the Demo of Drupal 8 Layout Builderhere!

Media Library

Drupal 8.6 had Media Library in the Drupal core, which was a part of Media Initiative. In Drupal 8.7 Media Library comes with a new stylish and handy user interface. Which makes it nice to look and nice to work with. Media library is now stable.



Third-party library updates

  • Guzzle has been updated from 6.3.0 to 6.3.3.
  • Previously, Drupal packaged a copy of the PEAR Archive_Tar library in a Drupal core namespace. In Drupal 8.7, this has been deprecated and replaced with a proper Composer dependency on this library. The dependency has also been updated to version 1.4.6.
  • Stylelint has been updated from 9.1.1 to 9.10.1. Stylelint version:
  • Coder to ^8.3.1
  • CKEditor has been updated to 4.11.3.
  • Twig has been updated to 1.38.4.
  • A number of other PHP dependencies have also been updated, including:
  • composer/installers to 1.6.0
  • composer/semver to 1.5.0
  • egulias/email-validator to 2.1.7
  • paragonie/random_compat to v2.0.18
  • Most symfony/* components to v3.4.26
  • symfony/http-foundation to v3.4.27
  • symfony/polyfill-* to v1.11.0
  • typo3/phar-stream-wrapper to v2.1.0

Other updates you can find in Drupal 8.7 are:

Internet Explorer 9 and 10 will not be supported in Drupal 8.7

The 8.7.0 release is a final goodbye to Internet Explorer 9 and 10. It removes a workaround that still existed in D8.5 and D8.6 Issue link: Internet Explorer 9 and 10 support dropped from Drupal 8.4.x

Goodbye PHP 5 support

Drupal 8.7 is the last release to support PHP 5. Updates for existing websites that use PHP 5 are still possible, but a warning will be displayed. In release 8.8, Drupal security updates will require PHP 7.

Entity updates will not be automatic

In new Drupal 8.7.0 release, the support for automatic entity updates has been removed. The reason is data integrity issues and conflicts. So the drush entity: updates (drush entup) command no longer works. Changes to entities will now be performed using standard update procedures.

Symfony 4 and 5 compatibility issues resolved

Additionally, numerous critical Symfony 4 and 5 compatibility issues are resolved in this release.

Changes to base themes (Stable, Classy)

This release includes some small changes to the core's base themes (Stable, Classy). Themes that extend one of these base themes should review the following changes. JavaScript messages template changes. Pager CSS ID changed from "pagination-heading" to a unique ID.

These Drupal upgrades are gradually getting us ready for Drupal 9. If you have questions regarding Drupal upgrades we are here to help. Drop us a word at .

May 08 2019
May 08

The Backstory

I was fortunate enough to attend DrupalCon Seattle this year, as well as give a presentation on mental health in tech, but one of the key topics of DrupalCon was Drupal 9 readiness. Dries mentioned it several times in the Driesnote and we even had some contribution efforts specific to Drupal 9 readiness at MidCamp 2019.

One thing that stuck out to me as particularly awesome was my friend and fellow MidCamp organizer Matt Glaman's drupal-check tool that will check your modules for deprecated code that is NOT ready for Drupal 9 being mentioned in the Driesnote. Additionally just as awesome was another good friend, Dwayne McDaniel getting a shoutout for going through EVERY. SINGLE. CONTRIB. MODULE. and running this tool against it. That's a lot of modules!

In case you didn't know, the upgrade path from Drupal 8 to Drupal 9 is supposed to be extremely easy. As someone who had to migrate from 7 to 8, this is welcome news. The TL;DR version is: Once there are backwards compatibility breaks, we're at a new version. What does this mean? It means that code that is marked as deprecated in 8 will NOT be in 9 and you can't upgrade from 8 to 9 if you're using this deprecated code. (I'm looking at you array())

The Problem(s)

Drupal Check is AMAZING! That's not a problem. The first problem is making sure that your code is ready to be checked by Drupal Check.

Issue 1 (Acquia Cloud Site Factory/Multisite)

We use Acquia Cloud Site Factory extensively at Genuine. This leads to many multi-site installs. Why is this an issue? Well, it's not unusual to have multiple profiles available on Site Factory. Often times, these profiles will be based off another one, but different in theme, look and feel, or functionality. This means that there is a chance that there will be some duplicated functions in the .theme file. Specifically, helper functions that may not fall into the _THEMENAME_function_name() convention and may be missed when you change everything around.

Fatal error: Cannot redeclare _my_poorly_named_function() (previously declared in /var/www/docroot/profiles/custom/profile_1/themes/profile_1_theme/profile_1_theme.theme:150) in /var/www/docroot/profiles/custom/profile_2/themes/profile_2_theme/profile_2_theme.theme on line 168

It happens. Stop looking at me like that.

Solution 1

Well, this is a pretty easy fix, again compliments of Matt Glaman and Will Long AKA Kerasai. You can either prefix the functions OR use namespaces!


namespace my_profile_name;

Your .profile files are autoloaded so the namespace will be valid. This prevents the error above.

Issue 2 (Acquia BLT)

This one is a doozy. Acquia BLT or Build and Launch Tool (as of 9.2) has a little command in it that checks for deprecated code, but the dependencies it uses are outdated and cause Drupal Check to fail before it gets anywhere.

blt tests:php:sniff:deprecated

This command depends on the package sensiolabs-de/deprecation-checker which has a dependency on nikic/php-parser:~3.0. Drupal Check requires nikic/php-parser:^4.0 due to the way it's built. Trying to run composer require nikic/php-parser:^4.0 will make composer yell at you. A lot.

Solution 2

This one gets a bit tricky. There are a few things that need to happen here if you're wanting to reap the benefits of Drupal Check, and trust me, you do.

In your base composer.json file there should be a couple of lines that look like this

        "merge-plugin": {
            "require": [
            "include": [

The composer.required.json file is in your blt/ folder and is autogenerated by BLT so it's not safe to change. The workaround for this is to copy the file to composer.required-modified.json and update the line below "require": [ to blt/composer.required-modified.json. The end result should look like this:

"merge-plugin": {
            "require": [
            "include": [

Next, you will need to run the command composer remove sensiolabs-de/deprecation-detector This should remove the old package and update nikic/php-parser but if it doesn't, check in your new composer.required-modified.json file, make sure that Deprecation Detector is gone, and add in "nikic/php-parser": "^4.0" at the end of the "require-dev" section. DON'T FORGET YOUR COMMA!

Now you should be able to run Drupal Check without issues, but there's still one thing we need to take care of before saying we're done. That little BLT command from above blt tests:php:sniff:deprecated. If we try running it without the deprecation-detector package then we're going to have a bad time.

My workaround for this was to create a replacement command for BLT. This is done by using replace command annotation in a custom class. The BLT docs are here but they are lacking and caused me some headaches, so I've got some docs for you right here.

My custom command file lives in blt/src/Hooks/NoDeprecatedCommandHook.php. The name of the file and class needs two things:

  1. It can't be the same as the class you're replacing.
  2. It needs the word Hook at the end.

DeprecatedCommandHook.php will not work. NoDeprecatedCommand.php will not work. MyReplacementCommandHook.php will definitely work, so long as your class shares the same name, but let's stick with my own file here.


namespace Acquia\Blt\Custom\Hooks;

use Acquia\Blt\Robo\BltTasks;

 * Defines commands in the "tests:php:sniff:deprecated*" namespace.
class NoDeprecatedCommandHook extends BltTasks {

   * Detects usage of deprecated custom code.
   * @hook replace-command tests:php:sniff:deprecated
   * @aliases tpsd deprecated
  public function detect() {
    $this->say("This command has itself been deprecated. Please use drupal-check for all of your deprecated code needs.");

    return 0;



Let's walk through the file a bit

namespace Acquia\Blt\Custom\Hooks;

Without this line, it won't work It needs to be in this namespace or you're going to have a bad time.

use Acquia\Blt\Robo\BltTasks;

This is optional, but I used it to get the say() method available.

class NoDeprecatedCommandHook extends BltTasks {

Our class name. If you're using BltTasks, don't forget to extend it.

   * Detects usage of deprecated custom code.
   * @hook replace-command tests:php:sniff:deprecated
   * @aliases tpsd deprecated

This is where the magic happens. @hook replace-command tells the system to forget about the original command, this one is driving now.

  public function detect() {
    $this->say("This command has itself been deprecated. Please use drupal-check for all of your deprecated code needs.");

    return 0;


This is our function that does nothing more than tell us to stop using this function. Clever, right?

The end result is a functioning drupal-check and a function that tells its own deprecation.

➜  project git:(master) ✗ blt tests:php:sniff:deprecated
This command has itself been deprecated. Please use drupal-check for all of your deprecated code needs.


This is a pretty specific use case and hopefully Acquia BLT will be pushing out an update in the near future that doesn't require us to have to workaround much longer, but this works for us.

Please test the hell out of your project after making these updates. BLT should really only be used for local dev and deployment artifacts, but it's still worth noting what does and doesn't happen that might bork up your site.

Edit: BLT is going to be getting rid of the DeprecatedCommand function that is replaced in this post in the very near future from 5/8/19. That will help all of you out, but it also means that I spent way too much time typing this thing out. See:

May 08 2019
May 08

Your browser does not support the audio element. TEN7-Podcast-Ep-059-2019-Twin-Cities-Drupal-Camp_0.mp3

Chris Weber and Dan Moriarty, volunteer organizers for the 2019 Twin Cities Drupal Camp are today's podcast guests. We'll be talking about the changes to this year's TCDrupal Camp and fond memories of previous camps. 

TCDrupal Camp is a three-day conference for open source enthusiasts, designers, hackers, geeks, developers, UI experts, IT managers and anyone else that wants to find out more about Drupal. It’s a great place to learn, code, network and have fun with your fellow Drupalistas.

Host: Ivan Stegic
Guests: Chris Weber, software engineer at The Nerdery and Dan Moriarty CEO and Creative Director at Electric Citizen
Running time: 32 minutes 

In this podcast we'll discuss: 

  • TCDrupal Camp's location at St. Thomas
  • Format changes: three days instead of four, 45-minute talks
  • Fewer days, but just as many parties! And food trucks, board gaming and karaoke
  • Focus on expanding talks to topics outside of just Drupal 
  • The House of Balls, a Minneapolis institution
  • How TCDrupal Camp's spontaneity is what makes it great
  • TCDrupal Camp's history
  • So much Drupal goodness coming to Minneapolis (DrupalCon 2020) how will we manage it all?



IVAN STEGIC: Hey everyone you're listening to the TEN7 Podcast, where we get together every fortnight and sometimes more often, to talk about technology, business and the humans in it. I'm your host Ivan Stegic. My guests today are Chris Weber and Dan Moriarty, two of the volunteer organizers of this year's Twin Cities Drupal Camp.

TC Drupal Camp

IVAN: Chris is a software engineer at The Nerdery, and Dan is CEO and Creative Director at Electric Citizen. Hello Chris and Dan. Welcome to the podcast.

CHRIS WEBER: Hello, hello.

DAN MORIARTY: Hey there. Thanks for having us.

IVAN: Oh, it’s my pleasure. Dan Moriarty, I love saying your name. The whole Sherlock Holmes thing, I just love it.

DAN: Yeah, and I will take that anytime. I'm always happy to reference my evil ancestors. [laughing]

IVAN: [laughing] Oh wait! Relation? Are you related to a fictitious person?

DAN: I’ll claim that.

IVAN: [laughing] That's awesome. Well I'm glad that you are on the show with us today talking about Twin Cities Drupal Camp this year. So, Chris, tell us about the camp itself. When and where is it this year?

CHRIS: Well this 2019 version of our camp, is going to be at St. Thomas which is in downtown Minneapolis. We've had it at St. Thomas for a number of years, so it should be familiar to folks that have gone to the Twin Cities Drupal Camp before. It's a really good location, really large open space, very, very lighty and breathy. We’ll be having it on June 6th through June 8th. June 6th is a training day. The 7th will be filled with excellent talks, sessions. And then the 8th will be kind of something a little bit new that we're doing. We're having an unconference on that day, as well as providing a space for people who want to sprint on core contributions. And we’re very excited to have the camp again here in the Twin Cities.

IVAN: And so that's a little different than how we've done it, I would guess, every year since we started, although I don't remember the first year. But that's a Thursday, Friday, Saturday, as opposed to Thursday, Friday, Saturday, Sunday. So, we have one day of sessions as opposed to two. Dan, do you want to talk through kind of the reasoning behind that, and why we decided to do it that way this year?

DAN: Yeah. So, it's something we've talked about off and on for a few years now, and we really as a group decided a couple of things. One is, four days was becoming a fairly large time commitment for a lot of people to participate in the full range of camp activities. And then another reason is we generally saw a bit of a drop off in attendance when we went from the weekday to the weekend. And so, as sort of a trial thing we're doing this year is reducing it to three days, with keeping our focus on the sessions like we've always done on Friday. But then on Saturday, making it a little more open free form, which is the unconference, which we can get into, just to see what that does for our numbers and helps more people participate than on the weekends.

IVAN: So, is the unconference style going to be very similar to the way we did BOFs (Birds of a Feather meetings) in the past? Or, how's that going to be structured?

DAN: You know, that's how I picture it. Although it is still a matter of discussion between various camp organizers, how exactly we're going to do it. But the way I'm envisioning it—and Chris can correct me if I'm wrong—is we're going to largely be in the atrium area on Saturday as opposed to going to the classrooms, and people will sort of self-organize into different groups around that large space just to have informal discussions about whatever topics they would like. And then ideally we'll have a few moderators available, floating around the room to sort of help facilitate conversations and make sure people are in the spaces that they find most helpful.

CHRIS: That's right. In the unconference format, we're looking for interesting things to talk about. Tim likes to bring up that Tim [Ericson] and Wilbur [Ince] were the genesis of this idea, when we were talking about adding it to the camp. He likes to talk about the law of two feet, where if you're in a conversation that isn't providing you with what you need, you could use your two feet in order to find another conversation that is more engaging. Then in that way, kind of like plan your own day out of what talks are engaging you and finding the information you need. But the format is very much like a BOF. Instead of slides and rooms, and a more instructor-led conversation, where one person is just talking for an hour or whatever, it's more of a conversation, sharing of input and allowing more people to provide information than just one person at a time.

IVAN: I love the idea of doing that. It really allows, I think, the community to drive what the topics are and the discussions that are being had. I think that's a good experiment. I'm looking forward to participating and seeing how that affects our camp next year. I was going to ask about Thursday. Usually we have trainings on Thursdays, right? Can you speak to what the trainings are this year?

CHRIS: It looks like Drupal 8 content migrations. This can be a getting started with building sites with Drupal. There is a Drupal 8 crash course for content editors, marketers and project managers. Then intermediate to advanced CSS for practical peoples. I think those are all of our trainings.

DAN: Those are the four trainings, and then on top of the trainings we're also hosting a mini-camp this year.

IVAN: Oh really? Well, tell me about that. I know Backdrop has always got such a great presence at TC Drupal Camp every year. What is that about?

DAN: So, in the past we’ve hosted sessions on Backdrop. Every year we seem to draw some of the leaders behind the Backdrop community, and we'll do that again this year. Particularly Jen Lampton, who's helped lead and create the Backdrop community, she's coming, as well as several other prominent Backdrop contributors. And, what they've decided to do this year in the form of a mini-camp, is hold the day of sort of sessions, all in one room dedicated to Backdrop. And we as a camp decided to provide a room to sit alongside the training sessions for people that are interested in contributing to Backdrop, or learning about it to attend to this free session.

IVAN: I think that's a great idea. And why haven't I reached out to Jen and Nate about Backdrop? We should totally have them on the podcast.

CHRIS: There you go.

IVAN: That's awesome. We will make sure we do that. If you happen to be listening out there, Jen and Nate, please send us an email before we do. But yeah, we'd love to have you on the podcast. So that's great.

So, trainings on Thursday, Backdrop CMS minicamp as well in one of the rooms, and then sessions on Friday. So, I would imagine there is a keynote on Friday? Let's talk about what the day looks like on Friday.

DAN: I can tell you definitively we've got five rooms. So, five tracks if you will, and each track will have six sessions throughout the day, for a total of 30 sessions. We're starting the morning like we typically do with a welcome session at 9 am, going into our first session around 9:45 and continuing with the last session ending around 5:00. We will have a keynote this year during the lunch hour on Friday, and I'm happy to tell you about that.

That is a local group called the Asian Penguins, a Linux user group made of boys and girls grades 6 through 8, and they're based out of Hmong charter school in St. Paul. Their director Stu Keroff, is coming to tell the story about what they do, how their work is helping bridge the digital divide in the metro area. He works with the students to teach them Linux, and they repurpose old computers installing Linux on them and giving them away to families in need. So, we’re excited. He's going to bring some of his students with him too, and they're going to do a presentation for us on Friday.

IVAN: Oh, that's wonderful. That's really wonderful to hear. So, the Asian Penguins. Wow, how did you guys find out about them? Meet them? Involve them? What's the story behind that?

CHRIS: Matthew Tiff could probably give you the full answer of how that connection was formed. We found out about them through him, and then we were able to find out more about their organization. And it just sounds like a really great opportunity. I know you share an interest in making sure that tech is accessible to kids as well, Ivan, and it's really great to hear what they're doing.

IVAN: I'm not surprised that Matthew is involved in that.

DAN: Yeah. Matthew had hosted Stu on his Hacking Culture podcast a few months ago, and then recommended them as a potential keynote speaker. So, we reached out to them and we're just finalizing the details on that now, and it should be up on the site by the time this podcast comes out.

IVAN: Oh, that's great. I'm looking forward to hearing what they have to say. So, keynote over the lunch hour. Sessions in the morning, sessions in the afternoon. Can you tell me a little bit about a session format? Are they the same as last year? How long are they? What do those look like?

CHRIS: Yeah. We actually had quite a bit of a debate on how long our sessions should be. You know Drupalcon has moved to a format of half-hour talks and longer talks more than an hour. Right? It's like an hour and a half. And we were concerned about what is the appropriate amount of duration, so we wanted to make sure that we've got a lot of talks that people can give on Friday. But at the same time we were concerned that a half hour might be too short. We're trying 45-minute talks out this year. We're gonna see how that goes. And as a result, we were able to fit about 30 talks into that Friday.

IVAN: Is that 45 minutes of speaker time, or is that 45 minutes of session plus questions?

DAN: It gives time for questions at the end of sessions, unlike 30-minute sessions. You know that was a common experience at DrupalCon this year, is, there really weren't any time for questions at the end of those 30-minute sessions and speakers are really hard pressed to fit all their content in 30 minutes. So even though DrupalCon experimented with this and I think that's fine, we as a group felt like 45 minutes was a much better time slot, and I wouldn't be surprised if they go back to that at feature DrupalCons.

CHRIS: I wouldn't be surprised with that either.

IVAN: So, the 45 minutes is inclusive of the questions then?

DAN: Right. I mean, the assumption is that the speakers will have time then to answer questions.

IVAN: Got it. Ok. And so, let's talk about the five rooms and the five tracks you have. What are the tracks this year?

CHRIS: Well the tracks are similar. If you look at the website right now, they're almost identical to the tracks that we had last year. But we're making an effort this year to be inclusive of talks that are tangential from Drupal. Not every talk has to be about Drupal. We've got talks about GraphQL, JSON integrations and Ruby on Rails. We wanted to make sure that we've got some talks about mental health. We've got talks on a wide area of topics and not necessarily specifically about Drupal.

IVAN: That's great. I'm looking forward to seeing the list of sessions come out. I'm hoping, fingers crossed, that my session made it. When is that session list going to be published?

DAN: That's a good question. [laughing] The announcements will have gone out to the accepted speakers well ahead of this podcast being released. I don't know that we'll have them accepted and published on the site at that point, but we'll be publishing them hopefully by, what would you say Chris, mid-May at the latest?

CHRIS: Yeah, hopefully earlier, but that is largely based upon how we can contact folks. As our good friend Joe [Shindelar] was telling us, we've never had somebody tell us they either can't make it, or say that they can and don't show up. We've had a really high success rate, and we’d like to keep that going, but there's always the possibility that the worst could happen. If we don't get a hold of somebody, or we have to strategically plan, it's better to have everything figured out before we publish. And so, we're putting the effort in now in order to make sure that can happen.

IVAN: So, if you're listening to this podcast there's a chance the sessions have been published but there's a chance the sessions have not yet been published [laughing]. And if they haven't been published, we promise they will be published in the next week after you listen to this. So, fingers crossed.

DAN: Absolutely.

CHRIS: Let’s hope it works out.

IVAN: Let's hope it does. Ok. So, one of the things I love—I love a lot of things about the Drupal Camp in Minneapolis—is the parties. There's always the speaker party and the sponsor appreciation party, and then there's the Friday night party and the Saturday night party. But if the camp is one day short of four days, does that mean it's one day short of a party as well?

DAN: Absolutely not. [laughing]

IVAN: Oh good. Let's hear about what’s going on there.

DAN: Right. Well we do have a few changes this year. I think one of the big ones is that our Thursday night party, which is the day that camp opens after the training, we're trying something new, sort of inspired by our friends at Midcamp in Chicago, and that is changing the Thursday night party to the welcoming party. And what this means is that we're extending an invitation to anyone that is involved or interested in participating in our conference to come to the welcome party on Thursday.

CHRIS: That's right.

IVAN: And where is that party this year?

DAN: The unofficial plan right now is that we're going to host that at Pizza Lucé in downtown Minneapolis.

IVAN: And what about Friday? The Friday night party?

DAN: Yeah. So, Friday we're going back to the House of Balls.

IVAN: Oh yeah. I love that place.

CHRIS: Yeah, it's a really great place.

DAN: House of Balls, we’ve been at, I think this is our fourth year at this, sort of amazing, eccentric art studio/event space, just off of downtown Minneapolis. And we're going to have some of the same great things we have every year. We're lining up a food truck. We're going to have free food and drinks and most importantly, we’ve lined up karaoke.

IVAN: Oh yeah. That sounds amazing. I'm secretly hoping that Marc [Drummond] is able to give his five-minute talk about hotdish again.

DAN: Yeah, Chris, are we going to try to do any of the lightning talks this year?

CHRIS: Well I don't know. We like to be flexible. We're kind of a spontaneous crowd. We've got a number of events planned for the day. You know, we're gonna have some board gaming, and it seems like the board gaming thing has gotten even stronger here in the Twin Cities community. We're going to have some food and, of course, there will be Foursquare.

DAN: Foursquare.

IVAN: I hope Les [Lim] brings his ball.


CHRIS: We lean on Les for both the rules and the gamesmanship and the setup of that. We should side note, we should double check with him, if he's going to do that again this year, or if he wants one of us to take that on. And, yeah, in years past we've had lightning talks and we've also had karaoke. I do know for a fact that we will be having karaoke again this year. I don't know if we'll have lightning talks, but there's room still, I think Dan, we just need to put a plan into action to see if we can provide equipment and time for that.

IVAN: I'm a proponent of the lightning talks, so if you need votes you have one from me, and if you do need something to help make that happen, please ask, I'll do what I can.

DAN: Great. I think we've got a volunteer to run the lightning talks. [laughing] 

CHRIS: Sounds great. That's how this works.

IVAN: [laughing] Ok, well, if I get to run it that means I get to give one too.

CHRIS: [laughing] Indeed. You can kick us off.

IVAN: Alright. Let’s do that. Let me know the details, and I'll help make it happen.

DAN: Alright. Sounds good.

IVAN: Alright. So that's Thursday and Friday taken care of, and what are we doing Saturday? Are we doing anything Saturday?

DAN: We will. We'll do our traditional post-camp party. It is at a location to be determined. So, you have to stay tuned to the website or the newsletter to find out when and where that's going to happen.

IVAN: Well I'm glad that's still happening even though we don't have the fourth day. Stay tuned on the website. That's and subscribe to the email list, I'm sure that'll be mentioned in the email as well. One more question. How do you register for camp and what does it cost?

CHRIS: Well you can go to our website at and you can register right there. We've got a nice big link for you right there in the top of the page, just click on that, go on over to registration. Registration remains inexpensive, especially compared to other Twin Cities camps which we've been able to look at the cost of camps nearby. Our camp's only $50. We are providing means for people who want to contribute more. Like myself, I tried to come in at the Community Contributor level. How much is that again Dan?

DAN: Yeah. So that's $150, and that includes camp registration, a free T-shirt, and it also means that you are helping support the camp above and beyond, which is really key to us being able to offer all these things, including the parties and the free training and all the sessions and the venue.

So, that's kind of a new, it's not new, but what's new this year is, is we're really trying to emphasize to anyone that uses Drupal professionally and that can afford it, please consider coming in at the Community Sponsor level, Community Supporter level. It really helps us out. But anyone is welcome to come to camp, and as always if anyone wants to come and can't afford it, please contact us, and we would be happy to set you up for free.

IVAN: What's the best way to contact you?

DAN: Yeah, so, go to the website, go to the contact page and just shoot us a message, and one of us would be happy to get back to you. Or you can hit us up on Twitter as well.

CHRIS: Yeah. Like Dan said, if you fill out the contact form on site, you're sending an e-mail message to the entire team. Someone's going to see that immediately. And, again, we're available over Twitter just like the rest of the Drupal community. We all kind of hang out there.

IVAN: And, there are sponsors again this year, like there were last year. There always seems to be a plethora of sponsors for camp, which is just so awesome to see for our little community. Are there still opportunities to sponsor? What options are left, if they are?

DAN: Please, please, please, always welcome more sponsors. The more sponsors we get, the more we can do. You know, we really are wanting and planning to offer free lunch to everyone at camp this year on Friday, and getting a few more sponsors really help make that happen. And so, we have some great sponsors so far including TEN7, thank you for that.

IVAN: Yeah!

DAN: And, you know, we have a few platinum sponsor slots still available. We have unlimited slots at the gold and silver level. And so anyone who wants to consider both helping the camp out and maybe getting a table to tell people about your organization or what you do, you're very welcome to do that. And again, just come to the website. There's information about how to become a sponsor,  or to just get in touch with someone.

IVAN: So, that URL is, and there's a great little button there that you can visit the sponsor page for more information about the benefits of each of the sponsor levels. Yeah, it's been great to see the same companies coming back to the camp and coming back and providing to the community. It’s always a pleasure for us to do it, and I'm sure it is for you too Dan for Electric Citizen and for the others that are also doing that.

I’ve asked this before of members of our community and of members of the organizing team that always puts on this volunteer event. It's volunteers that do it. I'm amazed that it happens every year. But DrupalCon 2020 is in Minneapolis next year, and DrupalCon just happened last month, and we have our camp in close proximity to it. So, has there been any discussion about what, if any effect DrupalCon in Minneapolis is going to have on our camp next year?

CHRIS: So we've had a lot of internal discussions about it, and while we have a lot of energy in the Twin Cities, it seems like the prevailing wisdom is that we want to try to find a couple of smaller events. The work that we anticipate we're going to put in around DrupalCon is really too close to where we would want to have our camp here in the Twin Cities, to make both the contribution we want to put in to make DrupalCon a success and the contribution we want to put in in order to make our camp a success. That said, it's still kind of up in the air.

We haven't had the powwow that we really need in order to come to a firm decision that, “Hey, we're not going to do a Drupal Camp,” or “Hey, we're not going to do a Drupal Camp like later in the fall sometime that day of the year.” So, I guess the answer that we have right now is that, we want to continue to be active. We want to do things in the Twin Cities surrounding Drupal and getting together an event. And I think we've got different ideas on how to accomplish that, but the main thing we want to do is to continue to talk about Drupal, celebrate Drupal and promote knowledge and learning and inclusiveness.

IVAN: So, "Stay tuned. We're evolving the decision as time progresses," is what you’re saying?

CHRIS: Yeah. So, we don't have a good answer yet. We're all so laser focused on getting this year's camp put together and have it be so awesome, that we've postponed any other kind of discussion of what's next, until we're done.

IVAN: And thank you for being so laser focused on the camp, and Dan and Chris and everyone else that's helped organize the camp, Jer [Davis] and Tim [Erickson] and all of the other volunteers. It's just always so amazing for me to see the camp happen and for all those people to contribute and for there to be so much empathy and care that it happens in the most equitable and fun and cheap and value-based event that we can put on, and I think that's great. So, thank you both for doing that and for contributing.

CHRIS: After this is all done, there’s so much gratitude to make sure people get, based upon their efforts that they've been able to put in to make this thing a success. And the thing that we keep talking about, it's really our deliverable at the end of this is our process, because our process has been pretty good. We keep on iterating on it, so that we can have the confidence that, “Hey, we can put together a camp like this,” and we could feel really good about that process.

DAN: And not only that, but I've been involved in many years of camp organizing for TCDrupal, and I feel like every year is good, but the gang's really getting along well this year to where I'm not even daunted by the thought of doing it again next year.

CHRIS: I would love to do it again.

IVAN: You heard it here first. [laughing] We’re already thinking about the following year's Drupal camp. That's great.

CHRIS: So that's the high we're on right now from all the good work we’re doing. We’ll see how we’re feeling after this.

IVAN: [laughing] No, you can’t go back now. You just said that you're not even worried about it. So, let's actually just spend a minute before we close here, and say this is version 9 of the camp, if I'm not mistaken. I think the first one was in 2011, so, this would be version 9, and so the next one is the 10th anniversary. Right? So, we should celebrate that somehow.

DAN: Well, we are. It's called Drupalcon 2020, [laughing] and what better way to cap off 10 years of active community growing, stewardship, caretaking, whatever you want to call it. I myself came to this Drupal community group as a lone wolf developer looking to find some other group of people that I can nerd out about Drupal with. And my story is basically the story of how successful this community has been. Thanks to all of the people who have welcomed me in and made me feel like I belonged. I'm here today helping plan the next one.

IVAN: I love it. I think it's precious and amazing, and I'm always amazed by all of that. So, yeah. I hope I'm right about it being the 10th anniversary, because I feel like there were different incarnations of the camp before 2011, but I think 2011 was the first official one, right?

DAN: It was. Yep, you're absolutely right.

IVAN: Ok, good. Well, thank you both for spending your precious time with me today. It's really been a pleasure talking with you Chris and Dan.

CHRIS: Same here, man.

DAN: Yeah, thanks so much for hosting us.

IVAN: Chris and Dan are two of the volunteer organizers of Twin Cities Drupal Camp happening from June 6th, a Thursday to June 8th, a Saturday, at the University of St. Thomas in downtown Minneapolis. Tickets are still available and they're reasonably priced starting at $50, and we're hoping that includes lunch as well.

So, head on over to and register now. You can find the camp on Twitter, Facebook and Instagram. The handle is @tcdrupal. And, of course, the Twin Cities Drupal group is also on for other local events that happen outside of camp, and they happen every month, whether it's the happy hour or something else, it is on.

You’ve been listening to the TEN7 Podcast. Find us online at And if you have a second, do send us a message, we love hearing from you. Our email address is [email protected]. Until next time, this is Ivan Stegic. Thank you for listening.

May 08 2019
May 08

Acquia acquired Mautic, the open source marketing automation platform, to deliver the only Open Digital Experience Platform as an alternative to the expensive, closed, and stagnant marketing clouds.

Acquia joins forces with Mautic

I'm happy to announce today that Acquia acquired Mautic, an open source marketing automation and campaign management platform.

A couple of decades ago, I was convinced that every organization required a website — a thought that sounds rather obvious now. Today, I am convinced that every organization will need a Digital Experience Platform (DXP).

Having a website is no longer enough: customers expect to interact with brands through their websites, email, chat and more. They also expect these interactions to be relevant and personalized.

If you don't know Mautic, think of it as an alternative to Adobe's Marketo or Salesforce's Marketing Cloud. Just like these solutions, Mautic provides marketing automation and campaign management capabilities. It's differentiated in that it is easier to use, supports one-to-one customer experiences across many channels, integrates more easily with other tools, and is less expensive.

The flowchart style visual campaign builder you saw in the beginning of the Mautic demo video above is one of my favorite features. I love how it allows marketers to combine content, user profiles, events and a decision engine to deliver the best-next action to customers.

Mautic is a relatively young company, but has quickly grown into the largest open source player in the marketing automation space, with more than 200,000 installations. Its ease of use, flexibility and feature completeness has won over many marketers in a very short time: the company's top-line grew almost 400 percent year-over-year, its number of customers tripled, and Mautic won multiple awards for product innovation and customer service.

The acquisition of Mautic accelerates Acquia's product strategy to deliver the only Open Digital Experience Platform:

The building blocks of a Digital Experience Platform and how Mautic accelerates Acquia's vision. The pieces that make up a Digital Experience Platform, and how Mautic fits into Acquia's Open Digital Experience Platform. Acquia is strong in content management, personalization, user profile management and commerce (yellow blocks). Mautic adds or improves Acquia's multi-channel delivery, campaign management and journey orchestration capabilities (purple blocks).

There are many reasons why we like Mautic, but here are my top 3:

Reason 1: Disrupting the market with "open"

Open Source will disrupt every component of the modern technology stack. It's not a matter of if, it's when.

Just as Drupal disrupted web content management with Open Source, we believe Mautic disrupts marketing automation.

With Mautic, Acquia is now the only open and open source alternative to the expensive, closed, and stagnant marketing clouds.

I'm both proud and excited that Acquia is doubling down on Open Source. Given our extensive open source experience, we believe we can help grow Mautic even faster.

Reason 2: Innovating through integrations

To build an optimal customer experience, marketers need to integrate with different data sources, customer technologies, and bespoke in-house platforms. Instead of buying a suite from a single vendor, most marketers want an open platform that allows for open innovation and unlimited integrations.

Only an open architecture can connect any technology in the marketing stack, and only an open source innovation model can evolve fast enough to offer integrations with thousands of marketing technologies (to date, there are 7,000 vendors in the martech landscape).

Because developers are largely responsible for creating and customizing marketing platforms, marketing technology should meet the needs of both business users and technology architects. Unlike other companies in the space, Mautic is loved by both marketers and developers. With Mautic, Acquia continues to focus on both personas.

Reason 3: The same technology stack and business model

Like Drupal, Mautic is built in PHP and Symfony, and like Drupal, Mautic uses the GNU GPL license. Having the same technology stack has many benefits.

Digital agencies or in-house teams need to deliver integrated marketing solutions. Because both Drupal and Mautic use the same technology stack, a single team of developers can work on both.

The similarities also make it possible for both open source communities to collaborate — while it is not something you can force to happen, it will be interesting to see how that dynamic naturally plays out over time.

Last but not least, our business models are also very aligned. Both Acquia and Mautic were "born in the cloud" and make money by offering subscription- and cloud-based delivery options. This means you pay for only what you need and that you can focus on using the products rather than running and maintaining them.

Mautic offers several commercial solutions:

  • Mautic Cloud, a fully managed SaaS version of Mautic with premium features not available in Open Source.
  • For larger organizations, Mautic has a proprietary product called Maestro. Large organizations operate in many regions or territories, and have teams dedicated to each territory. With Maestro, each territory can get its own Mautic instance, but they can still share campaign best-practices, and repeat successful campaigns across territories. It's a unique capability, which is very aligned with the Acquia Cloud Site Factory.

Try Mautic

If you want to try Mautic, you can either install the community version yourself or check out the demo or sandbox environment of Mautic Open Marketing Cloud.


We're very excited to join forces with Mautic. It is such a strategic step for Acquia. Together we'll provide our customers with more freedom, faster innovation, and more flexibility. Open digital experiences are the way of the future.

I've got a lot more to share about the Mautic acquisition, how we plan to integrate Mautic in Acquia's solutions, how we could build bridges between the Drupal and Mautic community, how it impacts the marketplace, and more.

In time, I'll write more about these topics on this blog. In the meantime, please feel free to join DB Hurley, Mautic's founder and CTO, and me in a live Q&A session on Thursday, May 9 at 10am ET. We'll try to answer your questions about Acquia and Mautic.

May 08, 2019

3 min read time

May 08 2019
May 08

In case you missed it, Stanford Drupal Camp changed their name to Stanford Web Camp. This transformation marks an important step in the Stanford journey from the camp's inception 10 years ago. We’re happy to be part of the evolution of the Stanford community as they expand into a more inclusive web atmosphere.

Experience Stanford

At Stanford Web Camp, attendees and presenters will discuss a variety of topics about the web from development to accessibility, and everything in between. All of these discussions will take place on the Stanford campus, in sunny California. We're officially inviting you to come explore “The Farm” with Hook 42 and learn other fun Stanford lingo while you’re on site!

As part of the camp, Hook 42’s Aimee Degnan will be giving two talks – one focusing on accessibility and the other on SiteBuilding. So, if you missed Aimee’s talk on a11y tools at DrupalCon 2019 - you can see it live, in-person at Stanford Web Camp! 

Discover Accessibility Tools

Join us to listen to Aimee’s talk, “Which Accessibility Tools are Right For You?“ What you can expect to gain is a broad overview of all the tools that are available in the accessibility testing spectrum. We hope you’ll leave with a better understanding of what the tools are, and how they can be utilized. There are a lot of options out there, and just knowing where to start can be a difficult path.

Aimee will explore the following:

  • Which tools are right for you?
  • Will only one tool fit all of your needs? ;)
  • Build vs. buy some vs. buy vs. free? Is "free" really free?

Level Up Your Layouts

Aimee's second discussion will explore View Modes and Layout Builder. Level up your layout! Component Based SiteBuilding with Layout Builder & View Modes is for those who are familiar with Drupal and are interested in harmonizing tools to streamline component building in the platform.

With Layout Builder in Core, it is essential to build a View Mode and Layout Builder strategy. You can harness the power of View Modes to move beyond Teaser and Paragraphs for display flexibility. Come out and learn how you can build a more streamlined process utilizing the benefits of View Mode and Layout Builder.

The talk will be structured as follows:

  • View Modes in Core
  • Architecting View Modes for your site
  • Lessons Learned with View Modes
  • View Modes and Layout Builder

Join Hook 42 at Camp

Stanford Web Camp is completely free and open to the public, we encourage all of you to explore other sessions and join a community of motivated professionals as we talk about the latest trends and developments in our industry. Come out and say hello to Hook 42, we’re eager to meet new people, connect with old friends, and discuss all things tech.

See you soon! 


May 08 2019
May 08

Last month, we wrote a neatly diverse selection of blog posts: one related to the Drupal community, one about a major recent change for our company and two that were more business-oriented. In case you missed some of them, here’s a quick overview of all of them to get you up to speed. 

6 remote staffing challenges and how to tackle them

Our first post from April discussed the challenges businesses face when opting for a partnership with a digital agency to increase their development capacity. Of course, we also presented very effective solutions to them, which we have employed to great success.

To recap, these challenges are: communication issues, differences in culture and location, challenges with trust in and monitoring of remote teammates, cost and ROI, and miscellaneous, unexpected issues that are beyond one’s control. 

If you or your company are currently contemplating remote staffing, we suggest you read the entire post more thoroughly and arm yourself with the knowledge to make a more informed decision and effectively manage a remote team. 

Read more

Our brand new Ljubljana office

In case you didn’t know - April also marked our Ljubljana team’s transition into shiny, brand new offices! We seized the opportunity and wrote a short blog post about it, documenting our reasons for the move and the teambuilding-like moving process, as well as looking ahead to what this move means for our company. 

The move into bigger offices was a necessary next step if we wanted to stay true to our vision, grow our team even further and scale our business by working on an even greater number of interesting and challenging projects. 

We’ve already had both AgileTalks and AgileFoods in our new offices, and we’re looking forward to running our first free Drupal course at the new location this weekend.

Read more

Interview with Ruben Teijeiro, Drupal hero at 1xINTERNET and co-founder of Youpal

After almost two months, we returned with our Drupal Community Interviews series! This time we spoke with the lively Ruben Teijeiro, Drupal hero at 1xINTERNET and co-founder of the Swedish Drupal agency Youpal

We loved learning about the meaning and responsibilities of a ‘Drupal hero’, as well as his beginnings with Drupal, when he was deciding between at least 10 different technologies. As soon as he encountered Drupal, though, he knew that the CMS was a perfect fit for him. 

Apart from spreading Drupal awareness and meeting diverse Drupal communities, Ruben is really excited about the JavaScript modernization in Drupal and is looking forward to the initiative bringing together the two communities. 

Read more

5 key benefits of remote staffing

The last post we wrote in April was a sort of parallel to the first one; while the latter discussed the challenges of remote staffing, this one focused exclusively on the benefits of this particular outsourcing strategy. 

Without beating around the bush, the main benefits of remote staffing that we wanted to point out are: scalability, redundancy, flexibility, faster acquisition of developers and the ability to get exactly the kind of skillset that a certain project demands. 

All of these smaller benefits add up to the number one benefit of this type of outsourcing: they enable you to better navigate the constantly shifting landscape of digital agencies and grow your business more efficiently. 

Read more

Well, this is it for our blog posts from April. We hope that you enjoyed them and that you were able to learn something new from them. Make sure to check back for our upcoming posts!

May 08 2019
May 08

HTTP Status Code is a new module to manipulate HTTP status header.

Main reason for doing this module is that in some cases you need to do manual fixes on the server side to create 410 Gone headers for paths that you want to remove from Google search index, with this module active you could setup the paths directly in Drupal.

You can find the the module at Normaly install should be done with composer - composer require drupal/http_status_code.

The module supports all Headers used by Symfony\Component\HttpFoundation\Response - with that said - HTTP headers should be used with caution. So make sure what you understand the impact then you manipulate the HTTP Header - like adding a 301 Redirect Header will be real bad when you not have a redirect in place.

If you remove a page, the request for the path of the page normally then gives a 404 not found in the HTTP header - as it should. But Google does not think this really means that the page is gone forever, just temporarily, so to make Google understand it is gone for real, you could set up the path for the path at /admin/config/http_status_code/http_status_entity and select that the path would throw a 410 Gone header. Then Google removes the path from the search index.

Road map:

- Automate rules - like if you unpublish a node of certain type you get a an 410 Gone header for the path.
- If you publish the node again, or another node with same path, remove the 410 Gone header for the path.
- PHP unit tests (needed to get module into beta)
- Nice to have: Wildcard support

May 07 2019
May 07

Back in September 2018, Dries Buytaert, founder and project lead of Drupal, announced, 

Drupal 7 will be end-of-life in November 2021, Drupal 9 will be released in 2020, and Drupal 8 will be end-of-life in November 2021. 

You can read the announcement and get further information on this here -

Since that announcement, Cheeky Monkey Media has been in a lot of conversations with businesses of all shapes and sizes, not-for-profit and for-profit, that are currently on the Drupal 7 CMS platform and are considering migrating to Drupal 8.

The first thing everyone needs to realize is the move to drupal 8 will be painful, and almost as expensive as building a Drupal website from scratch.

The second thing everyone should realize is that once they’re on Drupal 8, the move to Drupal 9 will be relatively painless.

As Dries announced in a later article, should be much easier to upgrade to Drupal 9 than it was to upgrade to Drupal 8. Drupal 9 will simply be the last version of Drupal 8, with its deprecations removed.

You can read the full article here - 

Cheeky Monkey Media has completed several migration projects to Drupal 8, both for our agency partners and our clients.

We’ve approached these projects in several different ways to help organizations make the migration “less painful” from process and a budget perspective, and I’m going to share them with you now.

First let’s make an assumption. 

Whenever we have conversations with organizations about the migration to Drupal 8, in addition to the migration there is typically some issues or challenges our clients want to address with their website while in the process of migration. 

They either want to fix issues with features and/or functionality, design, or all of the aforementioned. 

So let’s assume that you're not entirely happy with how your current D7 site is functioning, and/or you might be considering a redesign. I mean it makes sense. You’re looking at rebuilding your site anyways, so you might as well improve the results you’re getting from it in the process. 

To help illustrate the different approaches and how they will impact your budget, I've also included some mock budgets and timelines to illustrate the budget difference between the approaches. 

I know nothing about your site at this point except that it’s likely on Drupal 7. So, I decided to use nice round figures of $100,000 - $120,000 for option #1 below, which you might be thinking is your only option at this point, but our past projects have shown that this is not the case. 

Again, these budgets and timelines are by no means accurate, they’re just provided as reference.

Let’s take a look:

Option #1 - Discovery, migration to D8, fixing functionality issues and a redesign = $100,000 - $120,000, 8-10 months timeline


  • Solve all your problems in one fell swoop… kill all your birds with one stone?... you get the picture :)


  • It’s difficult to see what makes the difference for your business. Was it improved performance based user experience that made the difference? Was it improved design user experience? Was it improved features/functionality?
  • It’s a big expenditure going out in a fairly short period of time.

Option #2 - Discovery, migration to D8, fixing functionality issues, no redesign = $90,000 - $110,000, 6-8 months


  • You’re getting a lot accomplished and solving a lot of problems with this approach.
  • You’ll have a better idea what changes had the biggest impact.


  • This may not be the approach you want to take if a redesign is part of your overall plan, as you would be paying for front-end development twice.

Option #3, Part 1 - D7 site assessment, fixing functionality issues, discovery/planning D8 migration = $30,000 - $40,000, 12 months

Option #3, Part 2 - D8 migration, no redesign = $60,000 - $70,000, 6 months


  • This gets you where you need to go and allows you to measure success along the way without doing things twice unnecessarily, or paying for them to be done twice.
  • It’s like cleaning your house and doing a purge before you move. No-one wants to move a bunch of problems and stuff you don’t need to move. Fix performance issues, fix functionality/feature issues (at least the ones that make sense), and clean-up your code and your content. These will all be decisions you won’t have to make and challenges you have to figure out when you migrate.
  • There’s a 1.5 year draw-down of budget or expenditure, which might be an easier pill for some organizations to swallow.


  • Again, as in Option #2, this may not be the approach you want to take if a redesign is part of your overall plan, as you would be paying for front-end development twice.

If you want to discuss either or all of these options to help you decide which path to D8 is best for you, feel free to reach out to us.

We’re happy to share our experiences with these various approaches and help you decide the best way for you and what your budget might look like.

The Low Down on Drupal


May 07 2019
May 07
Date: 2019-May-07Vulnerability: Drupal 7 and 8 release on May 8th, 2019Description: 

The Drupal Security Team will be coordinating a security release for Drupal 7 and 8 this week on Wednesday, May 8th, 2019.

We are issuing this PSA in advance because according to the regular security release window schedule, May 8th would not typically be a core security window.

This release is rated as moderately critical.

The Drupal 7 and 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm Eastern).

May 8th also remains a normal security release window for contributed projects.

May 07 2019
May 07

The Field Permissions module in Drupal 8 allows you to set permissions (enter, edit or view) on a Drupal field, based on the role the user belongs to.

In order to demonstrate how this module works, we are going to create a content type called "Essay" for the website of a school.

There will be 2 roles:

  • Freshman
  • Sophomore.

The Freshmen permission will not be allowed to choose the subject of the essay, whereas the Sophomores will have the possibility to choose between literature and history. However, there will be no possibility to change the subject once a student has made a choice.

Let’s start!

Step #1. Install the required modules

There are many ways to install a Drupal module. One of them is to use Composer.

  • Type into your terminal application:

composer require drupal/field_permissions

How to Set Permissions for Fields in Drupal 8

  • Click Extend.
  • Scroll down until you find the Field Permissions module and mark the checkbox.
  • Click Install.

Step #2. Create the Roles

  • Click People.
  • Click the Roles tab.
  • Click Add role in order to add the Freshman role.

  • Enter the role name.
  • Click Save.

  • Repeat the process for the Sophomore role.

Step #3. Create the Users

You have to create two users, one for the Freshman role and one for the Sophomore role

  • Click People > Add User.
  • Create a user and check the Freshman box.
  • Click Create new account.

  • Repeat the process for the Sophomore role.

  • Click the Permissions tab.
  • Mark the following permissions for both roles you just created:
    • Essay: Create new content
    • Essay: Edit own content (students are able to change their essays, however, they will not be able to change the subject choice once they save the form the first time)
    • Access the content overview page
    • Use the administration pages and help
    • Use the Toolbar
  • Click Save permissions.

Step #4. Create the Essay Content Type

The Essay content type will have only two fields:

  • Body
  • Subject choice.

The field Subject choice will be only available to the Sophomore role, however, once a student has made a choice, they won’t be able to change it anymore.

  • Click Content > Content types > Add content type.
  • Add a proper Name and leave the default values.
  • Click Save and manage fields.

  • Click Add field.
  • Select List (text) as the field type.
  • Click Save and continue.

  • Enter the two possible values in the Allowed values list.
  • Leave the default allowed number of values (1).
  • Click Save field settings.
  • Mark this field as required.
  • Check the Custom permissions radio button.

Sophomores will be able to enter a value for this field, to view it and to view the subject choice of other sophomore students. Freshmen will only be able to view the choice of their elder classmates.

  • Mark the corresponding checkboxes.
  • Click Save settings.

Step # 5. - Create Content

  • Log out from the site and log back in as a Sophomore.

  • Click Content > Add content.
  • Enter a proper body.
  • Choose one of the two available subjects.
  • Click Save.

You can now see the node. Let’s suppose the student wants to change the content of her essay.

  • Click the Edit tab.

You will see that the subject choice field is not available anymore.

  • Log out and log back in as a Freshman student.
  • Click Content > Add content.
  • Enter a proper body.
  • Click Save.

As you can see, this role does not have the possibility to make a subject choice. If you go back to the homepage of your Drupal installation, you will see both teasers.

  • Click the “Sophomore” essay.

The Freshman student is able to view the subject choice of his sophomore classmates.

I hope you liked this tutorial and it will help you improve your site building skills. The Drupal 8 Field Permissions module works not only with nodes but with other entities like users too.

Thanks for reading!

About the author

Jorge lived in Ecuador and Germany. Now he is back to his homeland Colombia. He spends his time translating from English and German to Spanish. He enjoys playing with Drupal and other Open Source Content Management Systems and technologies.
May 07 2019
May 07

We're excited about a feature built by a member of our community and recently deployed on to give more human context to discussions in the Drupal issue queue, you can now choose to display your primary language, pronoun, and location.

Update your profile now

This is an opportunity to bolster human context within an online medium where tone and posture can be difficult to read. Providing this level of detail allows for visibility into the global composition of our community — such as when a person's primary language is not English or when a person resides in a distant time zone.

It is important to recognize what being global means and drawing attention to the details that remind us about the people behind the project helps us all to have a greater understanding of one another.

@rachel_norfolk and @baddysonja sharing screenshots with this new feature in action.

Thanks to @justafish for working on and requesting this feature. Thanks also to everyone who participated in the issue!

Screenshot of comment submitted by justafish with patch for this feature. Shows the feature in action with pronoun, location, language details.

You can enable this new feature by editing your user account and adding pronouns to the personal information tab, and location language on the Language/location tab. Finally, you can opt into what you would like shown inline in comments under the "comments" tab.

May 07 2019
May 07

Drupal 8.7 was released couple of days ago on May 1, 2019. As you might know, new features are added with each minor release of Drupal 8 (e.g. between 8.6 and 8.7) which occur in 6-month intervals. Originally 8.7 was supposed to be released in March 2019. But the timing of Drupal's releases has historically occurred 1-2 months before Symfony's releases, which forces Drupal community to wait six months to adopt the latest Symfony release. In order to be able to adopt the latest Symfony releases faster, Drupal community shifted Drupal's minor releases to May and December in a plan to allow adoption of latest Symfony releases within a month.

This is penultimate version of Drupal 8, which will be concluded with Drupal 8.8 in December 2019, after which we expect release of Drupal 9 sometime in June next year!

Beside bug fixes and dependency updates lets see what new features Drupal 8.7 brings!


Taxonomy terms and custom menu links are now revisionable, which allows them to take part in editorial workflows which was until now only possible for Content types and Custom blocks.


JSON:API in Core

Drupal 8.7 will provide an out-of-the-box JSON:API implementation, marking another major milestone towards making Drupal API-first.

Now you will be able to generate an API server that implements the JSON:API specification with zero configuration. Once you enable the module, you are done.

Developers and content-creators can use it to build both coupled and decoupled applications and pull content from Drupal into iOS and Android applications, chatbots, decoupled frontends such as ReactJS, voice assistants and many more!

Layout Builder module is now stable

Layout Builder module was originally added as an experimental core module in Drupal 8.5 and is now stable and ready for production use!

layout builder

If you haven’t heard about it Layout Builder is offering a single, powerful visual design tool for site builders to create templated layouts and custom landing pages.


PHP 7.3 Is Now Supported

PHP 7.3 was released in December 2018 and comes with numerous improvements and new features. Also with this release new Drupal sites can only be installed on PHP 7.0.8 or later. Installing Drupal on older versions results in a requirement error.

Drupal PHP 7.3


However, existing sites will still work on at least PHP 5.5.9 for now, but will display a warning

PHP stopped supporting version 5.5 on July 21, 2016 and Drupal security updates will begin requiring PHP 7 as early as Drupal 8.8.0 (December 2019), so all users are advised to update to at least PHP 7.0.8 now or preferrably to PHP 7.3.


As part of continuing GDPR compliance improvements in Drupal core, Comment module no longer logs IP addresses for comments by default. Existing sites will still continue to log IP addresses but this can be changed by changing comment.settings.log_ip_addresses to FALSE in the site configuration using settings.php.


This was just a short brief into the new features. For a full list take a look at official release notes:


May 07 2019
May 07

To be competitive with enterprise form builders, the Webform module for Drupal 8 needs to support the downloading and exporting of submissions as PDF documents, as well as sending PDF documents as email attachments.

The Entity Print module does a great job of generating PDF documents from entities and fields, but webform submissions don't use Field API. This limitation has required site builders and developers to create custom Entity Print integrations for the Webform module.

The Webform module now includes a Webform Entity Print integration module, which handles downloading, exporting, and attaching generated PDF documents. Additionally, the Webform module allows the generated PDF document's header, footer, and CSS to be customized.

When enabled, Webform Entity Print module automatically displays a "Download PDF" link below all submissions and adds a download "PDF documents" option to the available export formats. Attaching PDF documents to emails requires that you add an "Attachment PDF" element to a webform and then configure email handlers to "Include files as attachments."

The below screencast and presentation walks through customizing the PDF link and template, exporting PDF documents, and attaching PDFs to emails.

Scratching my own itch

Adding PDF support was not a sponsored feature. I wanted the Webform module to support this advanced feature; so I created it. I was scratching my own itch.

When contributing to Drupal, the goal is often to optimize the project for personal needs ("scratching our own itch"), but it has to be bigger than that.


The bigger itch/the challenge that I am always scratching at is:

The Webform module should provide all the features expected from an enterprise proprietary form builder combined with the flexibility and openness of Drupal.

Competing with other form builders

Competitive enterprise, and also Open Source form builders, tend to put this PDF functionality behind a paywall. For example, WordPress's Gravity Form ( and Ninja Form ( charge for this type of functionality. This defeats some of the purpose behind Open Source, which is to foster collaboration. For example, both of these form builders then had to implement PDF generation using custom APIs.

Ben shared his code

In the Drupal community, we openly share our code and APIs. Ben Dougherty (benjy), the maintainer of the Entity Print module, shared his code with the Drupal community. The Entity Print module is one the most well thought out and cleanly executed Drupal 8 modules that I have seen. Ben’s hard work made it easy (and enjoyable) for me to add PDF support to the Webform module.

Thanks, Benjy

Everyone should thank Benjy for building and maintaining the Entity Print module.

If you want to thank and encourage me to continue scratching my own itch, please also consider backing the Webform module’s Open Collective and help make the Webform module that much more awesome and more sustainable.

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!

OKSubscriptions powered by Strikingly

May 07 2019
May 07

In a world where global positioning systems appear to have a handle on every square inch of the roads we’re traveling on, doesn’t it seem like there should be automated website accessibility testing tools that function as well as -- if not better -- than manual testing? 

The fact is ... it’s complicated.

There are efficient automated testing systems that reveal important findings -- many of which you can easily access and apply to your site. But the web accessibility testing landscape is littered with offers of automated testing solutions that claim to provide fast fixes for the full spectrum of your digital assets. You might have already received an offer based on an unsolicited test of your site, alerting you that your site is a prime candidate for a website accessibility lawsuit. 

If that notification and offer does not include a comprehensive web accessibility testing checklist, it’s likely to be laden with pitfalls. One unsolicited finding, based on automated accessibility testing, does not reflect how your site is faring on all accessibility metrics. Automated accessibility testing tools simply cannot detect every potential issue that would cause your site to be noncompliant. Nor does an automated test provide adequate information for web accessibility remediation or mitigate your legal risk.

Avoid Unintended Consequences

Too often, overlay accessibility solutions create a scenario in which one fix leads to unintended consequences in your code and results in the need for further fact-finding and fixes. Subsequent changes to your site’s UI tend to break the overlay, setting in motion a constant cycle of diagnostics and fixes. 

Keep in mind that many automated ADA web accessibility testing tools are free to use and can produce relatively robust results. It might be just as easy for you to conduct this kind of test on your own, and gain a cursory understanding of accessibility issues affecting your site. Consider giving a web accessibility testing tool such as Code Sniffer a try.

Automated accessibility testing tools overlook critical information -- especially when the testing has occurred without your knowledge by someone with whom you have not had a conversation about your objectives and the full scope of your digital assets.

Get it Right the First Time

Promet serves as an ADA accessibility partner that conducts both automated and manual testing holistically from the perspective of the full spectrum of disabled users and available Assistive Technology. We guide clients through the remediation process, actually fixing the code to conform to WCAG 2.1  guidelines. We also provide tools and resources that enable your team needs to maintain your site in conformance moving forward

Our ADA accessibility testing tools and processes go deeper and wider than what automated testing can reveal. We explore a range of issues that require hands-on, manual testing. We look into the unique features of your site, and we take your organization’s mission into account. 

During our engagement process, we start with the development of your scorecard, which reports on our analysis of your site from several different angles. 

Understand Your Options

The scorecard is not intended to serve as a thorough report or to provide formal recommendations. It functions instead as a high-level overview for purposes of starting the conversation that will help you to choose the best path.

For example, we might find that you are using a content management system that is designed to adhere to ADA accessibility requirements, but that your content developers aren't using appropriate techniques when posting. Fixing existing content issues without understanding the reason the issues exist, simply means your site will quickly fall back into noncompliance. A simple process change might be all that’s needed to fix this situation. 

Other fixes, however, might require a fundamental overhaul of your site. If your site was created on a platform that is out of sync with ADA accessibility guidelines, it might be more cost effective to rebuild rather than to launch a series of workarounds. 

As experts in this field, we are clear on the fact that quick fixes, which sound too good to be true, usually are. Our objective is to create real accessibility solutions that enable you to move forward with the confidence that your site is accessible to all people with or without disabilities and that you reduce your risk of being faced with a lawsuit due to noncompliance. 

Leverage Expertise

The decision process associated with web accessibility remediation can feel overwhelming. It is outside of the core competency of most organizations. That's why it’s important to work with a trusted web accessibility consultant. 

The scorecard that we offer as part of your remediation process serves as a critical starting point for helping others in your organization to get an overview of your site's noncompliance and the level of effort that will be involved in the remediation. 

We find that when all stakeholders have an understanding of the process and are vested in the importance of doing the right thing, remediation comes into focus.

We are happy to review with you any emails concerning non compliance that you may have gotten by surprise -- or any unsolicited emails full of dire warnings about a potential lawsuit. 

As a leading expert on web accessibility testing tools, we’ve witnessed untold versions of quick fixes that have given rise to a whole host of complications. If you are looking to get it right the first time with the added benefit of value-added solutions, contact us today.

May 07 2019
May 07

For many Drupal 8 projects that have minimal interaction with their users, the need to set up a notification system quickly comes to the forefront. Being notified of a new comment, a response to a comment, a new publication on a particular subject, or a user, are recurring needs.

To satisfy this type of need, we can rely on the Message module (and the Message stack) which can allow us to achieve this type of result with the help of the Flag module. But we are not going to talk here about these two generic modules, which can do much more, but about a new module Entity Activity whose sole purpose is to log all types of actions performed, by users, according to their subscriptions, on a project.

The Entity Activity module will allow us to generate any type of message, on any type of content entity on the tree main operations of the content life cycle: its creation, its update and its deletion.

Global configuration

The initial configuration of the module is quite quick to set up. The majority of the configuration to be done is done from the menu Configuration > Content authoring > Entity Activity

First, you need to activate on which types of entities you want to be able to generate notifications. And so of course allow users to subscribe to these entities.

Entity Activity Settings

At the same time, you can configure a purge of the different notifications (based either on overall time or a maximum number of notifications per user) if necessary.

Multilingual support

For multilingual projects, subscriptions are also multilingual in the sense that a user can subscribe to content for each of his or her independently available translations. Notification messages are then generated in the current language when the operation is performed. You can force the generation of a log message in the user's preferred language (if defined), by checking the corresponding option in the general settings.

User preferred language option

Warning. This option is costly in performance because each log message must be regenerated for each owner of a subscription. Use it only if you really need log messages to be generated in the user's preferred language.

Configuration of activated content entities

In a second step, we will configure the display modes of the entities we have activated, to display a Subscribe on widget that will allow users to subscribe (or unsubscribe) on each of the entities.

Article subscribe on

You can then display on the different view modes required, on the different content types, this Subscribe on button, as above with the example of the Article content type.

From now on, users, with the appropriate permission, will be able to subscribe and unsubscribe on each activated and configured entity. And they will be able to find from their account a summary of all their subscriptions.

User's subscriptions

Note that the Remove button on each subscription is present because it has been activated in the Subscription entity view mode from the Configuration > Content Authoring > Entity Activity > Subscriptions settings > Manage display configuration page.

Configuration of notification generators.

Thirdly, we must configure which messages will be generated from which operation and for which subscriptions. To this end, we can create as many Generators as necessary according to the needs of a project.

Entity Activity Generators

Each notification generator has a base of four plugin types corresponding to the four main content entity types of a Drupal 8 project, namely content, taxonomy term, user and comment. It is possible to add as many plugins as necessary for specific project needs, but we will have the opportunity to look at this later.

The configuration of these Plugins is identical and follows the same logic.

Plugin log generator

The possible configuration options are as follows.

  • Enable: whether the plugin is active or not
  • Published: option to generate a notification only if the target entity is published
  • Operation: the type of operation from which the plugin must generate a notification (insert / update / delete)
  • Bundles: it is possible to limit the action of a plugin to only one or more bundles of a content entity type. You can leave blank to apply the plugin to all bundles regardless.
  • Subscribed on: this is the configuration option in a way master. It allows you to define from which subscriptions the plugin will generate the notification. The two possible options are Source Entity and Entity Referenced. The first (Source Entity) is the most basic and allows you to select the subscriptions that have been made on the entity itself (content, user, etc.). The second option (Entity Referenced) will allow you to select the subscriptions made on a referenced entity (from an Entity Reference field so) by the current entity. The typical use case is to be able to generate a notification for all users subscribing to an Alpha theme (Taxonomy Term) when new content is published on that theme, or another use case is the generation of a notification when publishing a comment about a content. But the possibilities here are extremely varied and countless use cases can be covered with this second option. In the example above we have chosen here to generate a notification when publishing content to all users who have subscribed to the author of the content.
  • Include parent term: this option allows to include all parent terms in case the entity on which subscriptions are searched is a taxonomy term. Useful if you want a user who has subscribed to the taxonomy term Fruit, for example, to also be notified if content is published with the taxonomy term Orange, which would be a child of the term Fruit.
  • Log message: This is of course the message that will be generated and notified to users. You can configure the text format to use, and of course you can use all the tokens related to the target entity type of the plugin.
  • Use cron: this option allows you to disable the generation of the actual notifications of the operation performed on the entity. Indeed, depending on the number of subscriptions, generating all notifications can be a long and costly process in terms of performance. This option then allows to delegate to the scheduled tasks the generation of these notifications, so as not to penalize the user who performs the operation in question. This option is highly recommended.

You can then create and activate as many notification generators to cover all the business needs of your project, each notification generator can itself have several plugins in charge of generating the notification itself.

Configuring notifications

To finalize the implementation of your notification system, you can then configure two elements on the Log entities of the module that carry these notifications.

From the Configuration > Content authoring > Entity Activity > Log settings > Manage Display

Log manage display

You can activate the extra field Remove log, which will expose a button allowing the owner of the notification (the user who subscribed) to delete this notification (if he has the appropriate permission).

And you can also configure the base field Read, with the Log read / unread field formatter, which will expose a button allowing the notification's owner to change the status from Not Read to Read or vice versa.

Inform the user of new notifications

All this is only really useful if users can be easily informed of the presence of new notifications. To this end, the module offers a block called User log block, which must be placed and configured in the appropriate region of the project theme.

User log block settings

The purpose of this block is to display the total number of unread notifications. For this purpose you can add a (short) text that will be displayed next to this number, you can use an icon font to display an icon next to this number (using the classes of this font), but also configure the maximum number of notifications that will be embedded as well as the view mode used to display them, as well as add a link to the user's page listing all his notifications, whatever their status. Of course you can overload the Twig template to customize the rendering of this block.

Extension of the Entity Activity module

Since notification generators rely on a  plugin type, it is possible to create easily your own plugin to add a very specific logic to a project, overloading the basic methods used, or simply to support a new content entity type from a contributed module.

Plugins must be placed on the Plugin/LogGenerator namespace and may look like this for example if you want to overload and add a very particular logic on one or more of the methods of this Plugin type. 

 * @LogGenerator(
 *   id = "my_custom_node",
 *   label = @Translation("My custom Node Log Generator"),
 *   description = @Translation("Generate custom log for the entity type Node or for related entities referenced."),
 *   source_entity_type = "node",
 *   bundles = {}
 * )
class MyCustomNodeLogGenerator extends LogGeneratorBase {

  public function getEntitiesSubscribedOn(ContentEntityInterface $entity) {
    // Stuff.
  public function preGenerateLog(ContentEntityInterface $entity, AccountProxyInterface $current_user = NULL) {
    // Stuff.

  public function generateLog(array $settings) {
    // Stuff.


The module also exposes two parameters that can be overridden from the settings.php file of a project.

$settings['entity_activity_max_log'] = 100;

This setting overrides the maximum number of notifications (default 50) that can be bulk marked as read by a user. Indeed, it has a button on its page listing its notifications which allows you to mark all its notifications as read. This parameter therefore defines the number of notifications that will be processed per pass in the update process that will then be launched.

$settings['entity_activity_purge_user_always'] = TRUE;

This parameter allows you to force the purge per user (maximum number of notifications per user) each time a cron task is executed. Indeed, this method of purging can be very costly in terms of time and performance, depending on the number of users to be treated. Also by default, this method is only executed once a day, at night. This parameter therefore overrides this default behavior.

In addition, the notifications and subscriptions provided by this module are themselves content entities. As such, they can be customized by adding additional fields. In this case, it is up to the project to define the value of these fields in a programmatic way according to business needs. To this end, events are dispatched for each hook implemented by Drupal on the CRUD cycle (presave, postsave, update, insert, delete, etc.).

Finally, the entities provided by this module (Log and Subscription) have a basic rendering that can be used in many cases. The rendering of these entities is heavily based on a Twig template that you can then override to meet your needs.

Possible developments

To date, Entity Activity allows you to quickly configure a project to generate notifications for users based on their subscriptions. It can also be easily extended using Plugins to add specific business logic if necessary. A natural evolution would be to be able to generate and send by email (according to a frequency chosen by the user) a list of the last unread notifications, even if for the moment this feature is not part of the functional scope of the module. But a Drupal 8 developer can easily add this functionality (either in the module itself or in another contributed module), the foundations laid opening up many possibilities in relation to this recurring theme on community projects.


To conclude, Entity Activity is a simple configuration module, as it focuses exclusively on generating notifications, or logging events occurring on a Drupal 8 project. But this simplicity is not at the expense of the necessary modularity as to the generation (and their underlying conditions) of the different notifications to cover most, if not all, of the recurring use cases and needs.

May 07 2019
May 07

Looking for a Drupal 8 rating module that should be:

  • easy to install
  • easy to configure
  • easy to use
  • conveniently flexible
  • and user-friendly?

And maybe you “crave” for some nice-to-have features, as well:

  • enabling users to add a short review
  • multiple ratings: enabling users to vote on several aspects of your product/service, such as price, quality, ease of use?

What are your options? What working (and stable) modules for rating and reviewing are there in Drupal 8? 

We've done the research for you, evaluated all the modules for rating in Drupal 8 and come up with a list of 6 best... rated ones:

Keep in mind that this Drupal 8 rating module doesn't provide a voting mechanism, packed with all the key voting features. Instead, it structures the voting data for other rating modules to leverage.

What it does provide you with is a standardized API and voting data storing schema. Therefore, it streamlines the whole process of retrieving and organizing the voting results for various pieces of content on your Drupal 8 website.

Top features:

  • multi-criteria voting
  • caching the voting results (and it does that in a highly efficient manner, with no need to recalculate them...)
  • enables users to rate any type of content on your Drupal site (users, comments, nodes)
  • automatic tabulating of the voting results

Note: keep in mind that, for now, we only have a pre-release version of the module for Drupal 8...

2. Flag Rating, A Highly Popular Drupal 8 Rating Module 

An extension of the Flag module, that allows you to either:

  • use the default SVG icon 
  • upload your own icon (jpg, SVG or PNG) for each flag

Drupal 8 Rating Modules- Flag Rating

Furthermore, you even get 2 templates to override to your liking:

  • flag-rating.html.twig
  • flag-rating-icon.html.twig

A Drupal 8 rating module that you can use to turn the “select tag” option of the Star Rating module into a more user-friendly, clickable icon.

Drupal 8 Rating Modules: Star Rating Form Display

To “unlock” its functionality just:

  • navigate to Structure > Content type
  • select the “Manage form display” option
  • scroll down to your star rating field
  • click “Star rating clickable”
  • in the Settings screen, configure the custom display to perfectly fit your needs

If you're looking to integrate a voting functionality exclusively for the authors of the articles submitted on your website (hence, not for the end users), Flag Rating is the module you're looking for.

Drupal 8 Rating Modules: Star Rating

Take it as a simple, yet useful module that provides you with a display formatter and a star rating field. In short: with the “bare necessities” for the authors to be able to rate the uploaded articles.

Say you have a review website — a hotel review website — and you want to add multiple star ratings to a node:

  • customer service
  • en suite and private facilities
  • food, etc.

... with a different icon for each node. Then, you just need to use the star rating field that this module provides...

Top features:

  • built-in support for the Views module
  • it doesn't require other modules (e.g. the voting API module) to work
  • it allows you to add a different icon type per field and per view mode

The Drupal 8 rating module that simplifies the entire voting process: it encourages users to express their votes through an intuitive thumb illustration.

Drupal 8 Rating Modules: Vote Up/Down

Top features:

  • code voting support for your pre-defined products/services
  • interchangeable themes for your voting widget
  • the possibility to set up your own custom widgets using ctools plugins

The END!

These are your 5 best options when it comes to working Drupal 8 rating modules that should be both easy to configure and easy to use. 

Have you discovered another way of integrating a reviews feature to your Drupal 8 website?

Image by mohamed Hassan from Pixabay  

May 07 2019
May 07

Freelancing: a growing trend

It seems the trend nowadays is for workers to take the freelancing route. With 36% of the U.S. population currently being freelancers, it seems that this trend is slowly gaining traction. But what does this mean for businesses. It seems that hiring freelancers definitely has its benefits, however it also has its challenges. In this article I’m going to talk about the potential drawbacks that come with hiring a freelancer.

1. Hiring the wrong freelancer

Hiring the right person for the job is a complicated process even for a regular full-time employee. However, when it comes to hiring a freelancer, the interview should not be the same process as when hiring a full-time employee. Working from home requires a high degree of self-motivation, resourcefulness and self-discipline. On top of that, the freelancer should also be resilient to loneliness, since freelancing usually lacks the same social engagement that a conventional workplace can provide. If the freelancer doesn’t have these qualities, then he is going to be unhappy during the 30-40 hours he is working, which is bad for business and bad for humanity.

2. Too many options

After posting a job advertisement a client might be suddenly bombarded with a lot of replies from freelancers who are out to get the gig. But how does the client choose from so many options? Well, some freelancers will set up automatic bots that are automatically replying to the job post based on a few parameters. Most of the time, these type of freelancers will not have read the job requirements. They are not taking their time to make sure that they are a great fit for the job. Then there is another type of freelancers. The ones that report a great  amount of experience, yet they are charging suspiciously low rates. This type of freelancers either don't value their own work or the quality of the work provided is questionable and they use low rates as a cover-up. A client might feel overwhelmed by the options they have at their disposal. The best way to avoid this is to have an effective way on how to screen the freelancers.

3. Communication problems

Another big challenge that comes when hiring a freelancer is one of communication. As the name implies the freelancers are free to work whenever they want or feel inspired. What this means is that as a client you might not receive updates on the status of the work that the freelancer is doing. These can raise a lot of uncertainty for the client as he is kept in the dark with regards to the progress of his project.

4. Payment issues

Freelancers are not like regular employees. Naturally, this means that the payment process is going to be different than that of regular employees. First of all, the freelancer will not appear on the companies payroll, meaning that other alternatives for making the payment have to be found. On top of that, if the freelancer is outsourced from another country, the cost of transferring the money has to be taken into account. It's important to find a way to transfer the money that is advantageous for both the client and the freelancer, this way, confusion regarding the time until the payment is done and high fees when doing the payment through international banks are avoided. Some services that are good to use when paying outsourced employees are Paypal, Skrill and Payoneer. 

5. Being clear in requirements and feedback

In order to avoid frustration on both sides, the client has to be clear in their requirements and in the feedback provided by the freelancer. Otherwise, the client might risk to see the completion of his project in a totally different light than he was expecting. In order to be able to receive the project in the way that he envisioned it, the client has to be as thorough as possible when describing the job requirements. On top of that, regular feedback has to be provided. This way, the client will surely be able to increase the chances that the result he is going to receive is satisfactory.

6. Different language and culture

When it comes to effective communications, speaking a common language is of essence. In most cases, this language is going to be english. Finding a freelancer that is able to communicate at an advanced enough level of english to be able to discuss work related subjects might be difficult. On top of that, the culture of a country also has to be taken into account. Keeping in mind that different cultures have different communication approaches. For example, the difference between low context societies and high context societies, where one relies on explicit communication while the other on implicit communication. On top of that low context and high context are valuing non-verbal communication and cues to different degrees. Being aware of these differences can make communication easier and more pleasant for both parties.

7. Lack of commitment

Freelancers have the possibility to undertake multiple projects from different clients. What this means is that a freelancer will not be able to fully commit to your project, especially if another project is more challenging, exciting or more financially rewarding. On top of that, a freelancer will always prioritize the projects that make more sense from the point of view of the before mentioned aspects, pushing other projects to the side. This can cause a lot of frustration for the client, however, in order to avoid the frustration, the client has to make his project as appealing as possible from every aspect. For example, make sure that the project is challenging and exciting enough to keep the freelancer engaged. On top of that, clients should avoid paying below market-rates for freelancers because that can work as an open invitation for the freelancer to find new clients.

8. Missed deadlines

Another challenge that clients have to face when hiring a freelancers are missed deadlines. Freelancers are having more freedom when it comes to planning their working routine, as long as the contract does not stipulate specific working hours. This means that there is an increased risk of life events happening. Events like weddings, a relative getting sick, funerals seem to be happening at a larger frequency than for regular employees. These events can interfere with the ability of the freelancer to be able to deliver the project in time, thus resulting in a missed deadline.

9. Misunderstandings

Since freelancers don’t work in the office as every other regular employee, they are harder to supervise. What this means is that they are not there for the client to be able to get regular updates, or to provide feedback or to train them. If clear enough instructions were not provided, the freelancer can finish the project in a different manner than the one envisioned by the client. This misunderstanding will lead to frustration on both sides, since the client will demand adjustments and the freelancer will deliver these adjustments while not getting paid for them.


Hiring a remote employee is always a challenge. Especially in these days when the working culture has not fully adapted to the flexibility of the freelancers. However, being aware of the challenges of hiring a freelancer will make it easier to adapt and foster a productive relationship between you and your outsourced employee. So, embrace change and think about the possibility of hiring freelancers.

May 07 2019
May 07

If your organisation uses CiviCRM with Drupal, and would like to do in the future, we need your help!

Over the past few years lots of amazing work has been done on the unofficial Drupal 8 CiviCRM release.
The CiviCRM core team have looked at this and are now in a position to complete the work to make this an official CiviCRM release. This means they will make changes so

  • CiviCRM can easily be installed with Drupal 8
  • They will ensure CiviCRM works with Views in Drupal 8
  • Going forward future CiviCRM releases will be tested with Drupal 8

What about Drupal 9? Isn't that being released soon?

Both Drupal 7 and 8 are officially supported until November 2021. But the move from Drupal 8 to Drupal 9 will not be the same as previous Drupal major updates. It will be much easier to migrate existing sites between Drupal 8 to 9. For more information see

The CiviCRM core team has looked at this and the code changes required to ensure CiviCRM works with Drupal 9 should be minimal.

So very importantly this Make It Happen work is also preparation for Drupal 9.

If your organisation uses CiviCRM with Drupal then please contribute to this Make It Happen.

May 06 2019
May 06

Using UI pattern libraries in Storybook allow us to build a collection of front end UI components that can be used to build bigger components, even full web pages. However, frontend/backend integrations can be fraught with difficulties. In this piece, I’ll explain our process to make these challenges easy, even when using GraphQL fragments inside Twig templates.

What Drupal and GraphQL do well

At Amazee Labs, we build decoupled web applications using GraphQL and Drupal. We’ll touch on the reasons that we use this approach in this article, but if you’d like to know more, check out these blogs:

Drupal is known for its complex and unwieldy theming and rendering system. Data to be rendered comes from across the system in the form of templates, overrides, preprocess functions and contributed modules such as Panels and Display Suite. Sometimes trying to track down where data is being generated or altered is like a murder mystery. 

Thankfully, GraphQL Twig simplifies the situation massively. Each template has an associated GraphQL query fragment that requests the necessary data. This “pull” model (as opposed to Drupal’s normal “push” model) means that finding where the data comes from and how it is structured is really easy. We don’t need to worry about preprocessing or alteration of data, and this method lets us keep the concerns separated.

Advantages of UI component libraries

The main advantage of using a UI component library (also known as a pattern library) is that it facilitates the reusability of components. This means that when a component is created it can be used by any developer on the project to build their parts of the front end and in turn can be used to make larger and more complex components.

There are multiple extra advantages to this, the most obvious being the speed of development. Since all components are simply made up of smaller components, building new ones is usually much quicker, since we don’t need to reinvent the wheel.

This also makes maintenance a breeze, since we’re only maintaining one version of any component. If we decide that all buttons on the frontend need to have an icon next to the text, we simply change the button component and this change will apply everywhere that the component is used.

Finally, the reusability of components in a pattern library means that the UI is consistent. Often, web projects face difficulties where there are multiple versions of various components, each with their own implementation. This is especially true of larger projects built by multiple people, or even multiple teams, where no single person knows the entirety of the project’s implementation details. Thanks to the reusability of our components, we only have one implementation per component.

Challenges of using Drupal, GraphQL, and Storybook together

If done poorly, using pattern libraries like Storybook can be difficult and cause problems during the integration phase(s) of development. The main issue is usually that the frontend and backend developers have different approaches and different goals when developing. 

The frontend developer wants to create the best UI they can in the most efficient way possible, using the paradigms and approaches that are standard or preferred. Unfortunately, at times the implementation doesn’t sync well with the data structure that the backend developers receive from Drupal, so the frontend needs to be refactored or the data structure needs to somehow be altered.

How to make it work

I won’t go into detail on our implementation of the Storybook library, but we keep Storybook in the same repo as our Drupal application, outside the root. We then define a base storybook theme and using the Components module (built by my talented colleague John Albin), we define our path to the Storybook Twig templates as a component library in our .info.yml file. This way, the Drupal theme has access to all of our templates.

      - ../../../../storybook/twig

We then create our project-specific theme, which extends the base Storybook theme, and start to work on our integration. A generic page.html.twig file might look like this:

query {
{% extends '@storybook/page/page.html.twig' %}

{% block header %}
  {% include '@storybook/navigation/header.html.twig' with graphql only %}
{% endblock %}

{% block content %}
  {{ page.content }}
{% endblock %}

{% block footer %}
  {% include '@storybook/footer/footer.html.twig' with graphql only %}
{% endblock %}

So, how does GraphQL tie in here? Well, this is the really clever part. Our developers can create the GraphQL snippets to get the data needed for a specific component, and Storybook allows us to use JavaScript to use this data as mock fixtures. This means that the frontend can be built with realistically structured data, so no refactoring of templates or data alteration on the backend is needed. And since we already have the GraphQL snippet, this automatically works when run in Drupal. 


At Amazee, we use a UI component library because it makes sense to build a maintainable, reusable and consistent set of components for our frontend that also encourages faster development. We also try our best to streamline our integration processes so that all of our developers are more closely aligned and developing solutions that make it easier for their colleagues to use, learn and extend easily. 

Storybook gives us the power to build a component library using mock data that is structured in the exact manner that our GraphQL queries deliver it. This means no refactoring, building both queries and templates only once and an overall smooth integration process. 

Want to know more about using GraphQL and Twig? Check out our webinar

May 06 2019
May 06

Using UI pattern libraries in Storybook allow us to build a collection of front end UI components that can be used to build bigger components, even full web pages. However, frontend/backend integrations can be fraught with difficulties. In this piece, I’ll explain our process to make these challenges easy, even when using GraphQL fragments inside Twig templates.

What Drupal and GraphQL do well

At Amazee Labs, we build decoupled web applications using GraphQL and Drupal. We’ll touch on the reasons that we use this approach in this article, but if you’d like to know more, check out these blogs:

Drupal is known for its complex and unwieldy theming and rendering system. Data to be rendered comes from across the system in the form of templates, overrides, preprocess functions and contributed modules such as Panels and Display Suite. Sometimes trying to track down where data is being generated or altered is like a murder mystery. 

Thankfully, GraphQL Twig simplifies the situation massively. Each template has an associated GraphQL query fragment that requests the necessary data. This “pull” model (as opposed to Drupal’s normal “push” model) means that finding where the data comes from and how it is structured is really easy. We don’t need to worry about preprocessing or alteration of data, and this method lets us keep the concerns separated.

Advantages of UI component libraries

The main advantage of using a UI component library (also known as a pattern library) is that it facilitates the reusability of components. This means that when a component is created it can be used by any developer on the project to build their parts of the front end and in turn can be used to make larger and more complex components.

There are multiple extra advantages to this, the most obvious being the speed of development. Since all components are simply made up of smaller components, building new ones is usually much quicker, since we don’t need to reinvent the wheel.

This also makes maintenance a breeze, since we’re only maintaining one version of any component. If we decide that all buttons on the frontend need to have an icon next to the text, we simply change the button component and this change will apply everywhere that the component is used.

Finally, the reusability of components in a pattern library means that the UI is consistent. Often, web projects face difficulties where there are multiple versions of various components, each with their own implementation. This is especially true of larger projects built by multiple people, or even multiple teams, where no single person knows the entirety of the project’s implementation details. Thanks to the reusability of our components, we only have one implementation per component.

Challenges of using Drupal, GraphQL,
and Storybook together

If done poorly, using pattern libraries like Storybook can be difficult and cause problems during the integration phase(s) of development. The main issue is usually that the frontend and backend developers have different approaches and different goals when developing. 

The frontend developer wants to create the best UI they can in the most efficient way possible, using the paradigms and approaches that are standard or preferred. Unfortunately, at times the implementation doesn’t sync well with the data structure that the backend developers receive from Drupal, so the frontend needs to be refactored or the data structure needs to somehow be altered.

How to make it work

I won’t go into detail on our implementation of the Storybook library, but we keep Storybook in the same repo as our Drupal application, outside the root. We then define a base storybook theme and using the Components module (built by my talented colleague John Albin), we define our path to the Storybook Twig templates as a component library in our .info.yml file. This way, the Drupal theme has access to all of our templates.

      - ../../../../storybook/twig

We then create our project-specific theme, which extends the base Storybook theme, and start to work on our integration. A generic page.html.twig file might look like this:

query {
{% extends '@storybook/page/page.html.twig' %}

{% block header %}
  {% include '@storybook/navigation/header.html.twig' with graphql only %}
{% endblock %}

{% block content %}
  {{ page.content }}
{% endblock %}

{% block footer %}
  {% include '@storybook/footer/footer.html.twig' with graphql only %}
{% endblock %}

So, how does GraphQL tie in here? Well, this is the really clever part. Our developers can create the GraphQL snippets to get the data needed for a specific component, and Storybook allows us to use JavaScript to use this data as mock fixtures. This means that the frontend can be built with realistically structured data, so no refactoring of templates or data alteration on the backend is needed. And since we already have the GraphQL snippet, this automatically works when run in Drupal. 


At Amazee, we use a UI component library because it makes sense to build a maintainable, reusable and consistent set of components for our frontend that also encourages faster development. We also try our best to streamline our integration processes so that all of our developers are more closely aligned and developing solutions that make it easier for their colleagues to use, learn and extend easily. 

Storybook gives us the power to build a component library using mock data that is structured in the exact manner that our GraphQL queries deliver it. This means no refactoring, building both queries and templates only once and an overall smooth integration process. 

Want to know more about using GraphQL and Twig? Check out our webinar

May 03 2019
May 03

Have you ever installed a menu module for one of the following reasons?

  • Adding a class to specific menu items
  • Setting a menu item's target
  • Setting a relationship between linked content
  • or pretty much any other arbitrary attribute.

With the Menu Link Attributes module for Drupal 8 you can satisfy all of those needs in one easy setup. We recently worked on a project that had strict accessibility requirements that we needed to follow and dealing with the menu was a specific pain point for us. Drupal has the basic requirements covered but specific cases required us to set certain attributes on menu items. Normally this is not easily achievable without some major custom work and hard to pass on to the client to maintain themselves for any future menu additions.

Our main problem was setting attributes to not get dinged for duplicate menu links in our menu structure. Let’s take a look at how this module enabled us to quickly setup the attributes we wanted to make available to the client. The config is pretty straight forward, we use YAML to build the form that will appear on the menu item edit page.

We’ll start by declaring the wrapper.


We'll then add all of our options, for our needs we had to create two settings.


We will then add our options to each and we'll have a complete form.

      'true': 'True'
      'false': 'False'
      presentation: Presentation

This is how our settings will appear on the form.

Menu Link Attributes

That’s all there is to it, it’s a really simple module that gives you some really powerful options that take a lot of the headache out of menu config.

May 03 2019
May 03

Have you ever installed a menu module for one of the following reasons?

  • Adding a class to specific menu items
  • Setting a menu item's target
  • Setting a relationship between linked content
  • or pretty much any other arbitrary attribute.

With the Menu Link Attributes module for Drupal 8 you can satisfy all of those needs in one easy setup. We recently worked on a project that had strict accessibility requirements that we needed to follow and dealing with the menu was a specific pain point for us. Drupal has the basic requirements covered but specific cases required us to set certain attributes on menu items. Normally this is not easily achievable without some major custom work and hard to pass on to the client to maintain themselves for any future menu additions.

Our main problem was setting attributes to not get dinged for duplicate menu links in our menu structure. Let’s take a look at how this module enabled us to quickly setup the attributes we wanted to make available to the client. The config is pretty straight forward, we use YAML to build the form that will appear on the menu item edit page.

We’ll start by declaring the wrapper.


We'll then add all of our options, for our needs we had to create two settings.


We will then add our options to each and we'll have a complete form.

      'true': 'True'
      'false': 'False'
      presentation: Presentation

This is how our settings will appear on the form.

Menu Link Attributes

That’s all there is to it, it’s a really simple module that gives you some really powerful options that take a lot of the headache out of menu config.

May 03 2019
May 03

Be part of Drupal's future. and drops falling into clear water making round ripples

This month, we're running a membership campaign to grow our base of support and connect with more of the Drupal ecosystem. We're challenging you to take one step this month to brighten Drupal's future: invite your colleagues and clients to join the Association for Drupal's future.

By building a broader membership base, we're securing a financial future for supporting the Drupal community. A large, global base of members who contribute to sustain the Association are a force! Every member who participates is making an impact and a statement that Drupal is here to stay.

Thank you for taking the time to share this campaign.

The campaign page is full of information on our work toward current goals that help fulfill our mission. If you are using Drupal or contributing to the project, there's some part of what we do that helps you and the community at large.

May 03 2019
May 03

For a long time now, I’ve preferred Vagrant for local development. My starting point of choice for using Vagrant on a project has been the excellent trusty32-lamp VM, maintained by Andrew Berry. However, with Ubuntu 14.04 reaching end of life, Andrew thought to merge the best of trusty32-lamp VM with Laravel’s Homestead. Thus, in a beautiful instance of open source collaboration, it was so.

Homestead is a similarly fashioned Vagrant box, maintained by the Laravel community, built on Ubuntu 18.04. The result of the marriage is a feature packed, ready to go local development environment that includes multiple versions of PHP, your choice of nginx or apache, xdebug support, profiling with xhprof and xhgui, your choice of MySQL or MariaDB, and so much more.

Let’s look at how you would get set up with Homestead for your Drupal project.


If you’re the type to dive into code rather than wade through an article, and you’ve worked with Vagrant before, run this, and take the box for a spin. It sets up a stock Drupal 8 site, ready to install. The database name is drupal_homestead, the root database user and password to install Drupal is homestead / secret.

$ composer create-project m4olivei/drupal-project:8.x-dev drupal_homestead
$ cd drupal_homestead
$ vendor/bin/homestead make
$ vagrant up



I’m kind of assuming that you’ve worked with Vagrant before, but if you haven’t, fear not! Homestead makes the world of Vagrant very approachable. You’ll just need some software before continuing. You’ll need to install a VM provider, eg. VirtualBox, VMWare, Parallels or Hyper-V. I use VirtualBox, as it’s free and the most straightforward to install. Also, you’ll need Vagrant.

Composer all the things

One really nice thing about Homestead is it can be installed and setup as a composer package. This means that you can easily add and share a Homestead local setup with everyone on your project via version control.

We’ll start with a clone of the Composer Drupal project and add Homestead to it. If you’re adding Homestead to an existing project, skip this step.

$ composer create-project drupal-composer/drupal-project:8.x-dev drupal_homestead --no-interaction
$ cd drupal_homestead
$ git init .
$ git add .
$ git commit -m "Initial commit"

Now that we have a Drupal site to add Homestead to, change into your project directory (wherever your root composer.json file is) and continue by requiring the laravel/homestead package:

$ composer require laravel/homestead --dev

Home at last

At this point, we’re ready to setup Homestead for our project. Homestead comes with a handy console application which will scaffold some files that are required to provision the Vagrant box. Run the following:

$ vendor/bin/homestead make

This will copy a handful of files to your project directory:

  • Homestead.yaml
  • Vagrantfile
  • aliases

At the very least we’ll want to make tweaks to Homestead.yaml. By editing Homestead.yaml we can easily customize the Vagrant box to our liking. In a typical Vagrant box setup, you would edit the Vagrantfile directly, but here, Homestead exposes the essentials to customize on a per project basis in a much more palatable form. Open up the Homestead.yaml file in your editor of choice. As of this writing, it’ll look something like this:

memory: 2048
cpus: 1
provider: virtualbox
authorize: ~/.ssh/
    - ~/.ssh/id_rsa
        map: /Users/m4olivei/projects/drupal_homestead
        to: /home/vagrant/code
        map: homestead.test
        to: /home/vagrant/code/public
    - homestead
name: drupal-homestead
hostname: drupal-homestead

It’s worth highlighting a couple things here. If you have better than a single core machine, bump the cpus to match. For my 2013 Macbook with a core i7, I’ve set this to cpus: 4. The VM won’t suck CPU when it’s idle, so take advantage of the performance.

Next folders lists all the folders you wish to share with your Homestead environment. As the files change on your local machine, they are kept in sync between your local machine and the Homestead environment *.

        map: /Users/m4olivei/projects/drupal_homestead
        to: /home/vagrant/code

Here all the files from /Users/m4olivei/projects/drupal_homestead will be shared to the /home/vagrant/code folder inside the Vagrant box. 

Next sites, as you might guess, lists all of the websites hosted inside the Vagrant box. Homestead can be used for multiple projects. I prefer to keep it to a single project per VM, especially since Drupal codebases tend to be so huge, so we’ll just keep the one site. Homestead ships with the option to use either nginx or apache as the web server. The default is nginx, but if you prefer Apache, like I do, you configure that using the type property.

        map: drupal-homestead.local
        to: /home/vagrant/code/web
        type: "apache"
        xhgui: "true"

Notice I’ve also changed the map property to drupal-homestead.local. That’s for a couple of reasons. First, I want my domain to be unique. Homestead always starts you with a homestead.test domain, assuming you may use the same Homestead instance for all your projects, but that’s not the case for per-project setups. Second, I’ve used .local as the TLD to take advantage of mDNS. Homestead is configured to work with mDNS**, which will mean that you shouldn’t have to mess around with your /etc/hosts file (see caveats), which is nice. I also changed the to property to reflect the web root for our project. Composer Drupal project sets that up as <project root>/web. Finally, I’ve aded xhgui: "true" to my site configuration. We’ll talk more about that later.

Next, we’ll customize the database name:

    - drupal_homestead

Homestead will create an empty database for you when you first up the box. Homestead can also automatically backup your database when your Vagrant box is destroyed. If you want that feature, simply add backup: true to the bottom of your Homestead.yaml.

Finally, we’ll want to add some services. We’ll need mongodb for profiling with xhprof and xhgui. I also like to use MariaDB, rather than MySQL, and Homestead nicely supports that. Simply add this to the bottom of your Homestead.yaml:

mongodb: true
mariadb: true

In the end, we have a Homestead.yaml that looks like this:

memory: 2048
cpus: 4
provider: virtualbox
authorize: ~/.ssh/
    - ~/.ssh/id_rsa
        map: /Users/m4olivei/projects/drupal_homestead
        to: /home/vagrant/code
        map: drupal-homestead.local
        to: /home/vagrant/code/web
        type: "apache"
        xhgui: "true"
    - drupal_homestead
name: drupal-homestead
hostname: drupal-homestead.local
mariadb: true
mongodb: true

There are plenty more configurations you can do. If you want to learn more, see the Homestead documentation.

Fire it up

With all our configuration done, we’re ready to fire it up. In your project directory simply run:

$ vagrant up

On your first time running this, it will take quite a while. It needs to first get the base box, which is a pretty hefty download. It then does all of the provisioning to install and configure all the services necessary. Once it’s finished, visit http://drupal-homestead.local in your browser and you’ll be greeted by the familiar Drupal 8 install screen. Yay!


You get a lot all nicely configured for you with Homestead. I’ll highlight some of my favourites, having come from trusty32-lamp VM. I’m still exploring all the Homestead goodness.


Xdebug comes bundled with Homestead. To enable it, SSH into the Vagrant box using vagrant ssh and then run:

$ sudo phpenmod xdebug
$ sudo systemctl restart php7.3-fpm

Once enabled, follow your IDE’s instructions to enable debugging.

Profiling with Tideways (xhprof) and xhgui

Every now and again, I find it useful to have a profiler for weeding out poorly performing parts of code. Homestead comes bundled with Tideways and xhgui that make this exercise straightforward. Simply append a xhgui=on query string parameter to any web request and that request and any that follow are profiled. To read the reports navigate to /xhgui, eg. for our configuration above, http://drupal-homestead.local/xhgui.

Database snapshots

Here's another of my favourite features. From the documentation:

Homestead supports freezing the state of MySQL and MariaDB databases and branching between them using Logical MySQL Manager. For example, imagine working on a site with a multi-gigabyte database. You can import the database and take a snapshot. After doing some work and creating some test content locally, you may quickly restore back to the original state.

Homestead documentation

I’ve found this to be a huge time saver for instances where I need to work on issues that only manifest with certain application state stored in the database. Load the database with the errant application state, create a branch using sudo lmm branch errant-state, try your fix that processes and changes that application's state and if it doesn’t work, sudo lmm merge errant-state to go back and try again.

Portability and consistency of Vagrant

This is more of a benefit of Vagrant than Homestead, but your local dev environment becomes consistent across platforms and sharable. It solves the classic works-on-my-machine issue without being overly complicated like Docker can be. Homestead does add some simplicity to the configuration over just using Vagrant.


There are many more features packed in. I mentioned the ease of choosing between apache and nginx. Flipping between PHP versions is also easy to do. Front-end tooling including node, yarn, bower, grunt and gulp are included. Your choice of DBMS between MySQL, MariaDB, PostgreSQL and Sqlite is made incredibly easy. Read more about all the features of Homestead in the Homestead documentation.


* File sharing

By default, the type of share used will be automatically chosen for your environment. I’ve personally found that for really large Drupal projects, it’s better for performance to set the share type to rsync. Here is an example of that setup:

        map: /Users/m4olivei/projects/drupal_homestead
        to: /home/vagrant/code
        type: "rsync"
          rsync__exclude: [".git/", ".idea"]
          rsync__args: ["--verbose", "--archive", "--delete", "-z", "--chmod=g+rwX"]

An rsync share carries some added maintenance overhead. Namely, you need to ensure that your running vagrant rsync-auto to automatically detect and share changes on the host up to the Vagrant box. If you need to change files in the Vagrant box, you would kill any vagrant rsync-auto process you have running, vagrant ssh into the box, make your changes, and then on your host machine run vagrant rsync-back before running vagrant rsync-auto again. Not ideal, but worth it for the added performance gain and all the joys of Vagrant local development. There are other options for type including nfs. See the Homestead documentation for more details, under “Configuring shared folders”.

** DNS issues

A handful of times I’ve run into issues with mDNS where the *.local domains don’t resolve. I’ve seen this after running vagrant up for the first time on a new vagrant box. In that case, I’ve found the fix to be to simply to reload the vagrant box by running vagrant up. In another instance, I’ve found that *.local domains fail to resolve after using Cisco AnyConnect VPN. For this case, it sometimes works to reload the vagrant box, and in others, I’ve only been able to fix it by restarting my machine.


Big thanks to the following individuals for help with this article:

  • Andrew Berry for porting features from trusty32-lamp VM to Homestead and also for technical and editorial feedback.
  • Matt Witherow for technical and editorial feedback.
  • Photo by Polina Rytova on Unsplash
May 03 2019
May 03

It’s been almost a month since DrupalCon 2019. We can’t believe how time flies! While we were there, we had a variety of things going on at many different levels. Just as fast as the time since DrupalCon has flown past us, our time in Seattle felt like a tiny blip. 

From organizing summits, lunches, BoFs and presentations, our team was just as busy behind the scenes of DrupalCon this year, as we were being attendees. There were so many ways for us to really dive into the DrupalCon experience and we’re already looking forward to the next one! In the meantime, we put together a recap of our time in Seattle.

Presenting & Involvement

The most notable thing about our team, is how involved we are in our community, and DrupalCon 2019 was no exception. From 7 talks, a lunch sponsorship, a summit training and BoF organizations, Hook 42 had many members participating in DrupalCon. We are thankful for the opportunities provided to us to be able to participate in many areas. We know we had an unforgettable experience this year, and we hope we were able to help all of you achieve that same feeling.

DrupalCon is its own unique experience every year. My heavy involvement in community efforts this year was truly eventful. Pun fully intended! I’m glad to have had the opportunity to work closely with those outside my day-to-day operations at Hook 42 to bring together expertise that normally isn’t co-packaged together. 

~ Aimee

In case you were unable to catch us in the act, here is a list of all the ways our team was working at DrupalCon.

Aerial view of Adam Bergstein and other coffee BoF attendeesPhoto Credit: Chris Urban

Being Prepared for the Unpredictable

A Full Team Website Takeover

Our team set out on a mission to band together and tackle some internal items while all together. When the decision was made to extend the level of effort into those items, nobody batted an eyelash! It was an incredible tribute to the stamina, talents and dedication of our team members have to completing tasks. We did a full hotel lobby takeover for the majority of the trip, in between sessions of course, to spend time taking the Hook 42 website from a D7 website to a D8 website. It’s a very rare occasion, when all of us are in one place, focusing on one item, and working hard to ensure a successful migration into the new system. All of those involved still can’t stop talking about it! 

Our little secret, an easter-egg if you will, to those who are so dedicated to continue reading. A redesign of the Hook 42 website is in the works. Unfortunately you’re going to have to wait a little bit for that one! We’re just glad we finally upgraded to D8!

Hook 42 team takes over hotel lobby to work on new D8 website

Presenting On The Fly

Secondly, Kristen Pol was invited to co-present on a talk with Lingotek. Talk about being prepared for anything! Being a support-member in the audience quickly turned into providing insights to a room full of eager listeners. With additional help from Aimee Degnan, our team was able to put together additional assets to provide the Lingotek team for the collaborative presentation. A huge shout-out to those involved for coming together for last-minute changes and helping solidify a great talk.

Lingotek’s session, Avoiding Trouble Spots When Creating a Multilingual Site, explored the challenges multilingual websites create, and Kristen took the charge head-on to be a co-presenter on the subject. It was a great experience for everyone. 

A Chance To Have Fun

Whether it’s with new friends, old friends, or colleagues - every year DrupalCon allows us to forge connections that stay with us for a long time. The team took a day to explore Seattle together. We had a full team lunch, took an underground tour of the city, and took advantage of a rather sunny day in Seattle to walk around and take in the beautiful city.

Hook 42 team on Seattle underground tour

Meeting Our Newest Team Members

We also had quite a few new faces on our own team this year. DrupalCon allowed us a place to all come together and meet in person. Lindsey, Emanuel and Michael were all able to join our team on a cross-country trip to Seattle. Yes, all of them are spread across the East Coast! 

I always love to meet with the Hook 42 team in person since they are just a great group of people. We were also lucky to have a few new team members since our last in-person gathering.

~ Kristen

Other Connection Opportunities

Outside of the team, we were also able to say hello to a lot of familiar faces that we usually only get to see once a year at DrupalCon. Whether it was in a session, during lunch, at dinner or ending the day over a few drinks, we are thankful to be able to have seen so many of our Drupal community members and re-connect. Our team was able to use DrupalCon as a way to take time away from the computer and get some quality face-to-face time with others in the community.

DrupalCons are as much about the community as they are about learning new Drupal things. While sessions where you can learn a lot of new things about Drupal are the focus, one of the best parts is bumping into old friends or sitting down next to someone new and chatting about a common interest in Drupal and web development.

~ Danita

A Place To Learn

Our team is never disappointed when we leave DrupalCon. We’re always coming away with new ideas, new thoughts, and new procedures for how we do our jobs. It’s the most important takeaway from all of this - is that DrupalCon is always providing content that is spread across a variety of skillsets and interests. This year’s focus on inclusivity made our designer especially happy - you can read all about her first ever DrupalCon experience here.

Although the new schedule reduced the total number of days of sessions at the conference, I felt like as usual DrupalCon provided an awesome environment for everyone to come together and share their experience and expertise.

~ Ryan

Some Favorite Sessions:

Presentation Title Screen, PEGA Build for Change

Migration Workflow Diagram Preview

Glitter rainbow Drupal 8 unicorn

Elevated Third presentation title screen

Drake YOLO

diagram depicting design feedback and front end pairing with backend to build the website

meme - wrote PHP unit test, only took 4.5 hours, yes!

Team Benefits

DrupalCon is imperative to the health of our team in many ways. For starters, it's one of the only times our full team is in one place at one time, and that alone is enough of a reason to enjoy all DrupalCon has to offer. Our team also uses the event to provide thought leadership to the community. We take the time to also learn from other experts in the field on unfamiliar topics or expanding expertise in a certain area. Giving back to the community in more ways than one as a culmination of the event is really what ties it all together. 

It's such a heart warming experience, like seeing 500 of your closest friends once a year. It's a celebration of wins, sharing of knowledge, and a real feeling of connection. This year had such a pleasant vibe and was a nice reflection of our community, which goes well beyond tech.

~ Adam

Thank you to DrupalCon, and thank you to Seattle, for having such an amazing line-up of things to do for all of us that attended!

May 03 2019
May 03

I am about to present about Drupal 9 at DrupalCamp Belarus in May and then at Drupal Developer Days Transylvania in June . I already presented an Acquia webinar with Dries Buytaert on the topic, and was on the Lullabot Podcast discussing Drupal 9 with Angie Byron and Nathaniel Catchpole. I am a firm believer that this know-how should spread as far and wide as possible. I should not be needed to travel around the globe to present the topic and people should not spend the same time again to redo slides for their local presentations. There is no intellectual property here to hide, as many people should be aware and excited and participating as possible. The topic should be presented at Drupal Meetups, Camps, and inside your own companies. So the natural next step for me was to create an open source slideshow.

Screenshot of the first 16 slides of the 1.1 version of the slideshow

I took all that we learned from the webinar and Dries' keynote at DrupalCon Seattle as well as new technology that emerged since then. I also used a free slide template and Google Slides so you can make a copy for yourself and add your own contact information as well as edit the slides down to shorter or longer timeslots. The 51 slides in my test run for about 35 minutes, leaving 10 minutes for discussion in a 45 minute slot. You would likely need to cut content for shorter sessions. There are only basic buildup animations, so if you need to present offline that is also an option. Edit in your contact/introduction info and export and present as PDF.

The 1.0 version of the slides have been presented by Christian Fritsch at DrupalCamp Munich last week and I updated some content to the current 1.1 version as it is available now. I'll keep updating slides based on all your feedback. I shared the slides with public comments allowed, so keep the feedback coming there, comments here or some other way you can get ahold of me.

Resources to watch/listen to learn more include:

  1. Dries' State of Drupal presentation from DrupalCon Seattle
  2. Lullabot Podcast on Drupal 9
  3. Acquia Webinar on Drupal 9

Thanks to Acquia for funding me to create this slideshow and thank you for presenting it!

May 02 2019
May 02

Part of me is suspecting that I may be one of the lucky 10,000 today but I figure it's worth putting this out there because if I wasn't aware of this then there may be others too. It turns out that the version of Drush that you just installed may not be the version of Drush that executes your command.

So, as it happens there's a number of ways to install Drush. Older OSs may have it in the package management system, you may have just installed it globally using the instructions on the site, or, if your project is managed by composer it may have been installed as a site-local version. In my case I had messed it up just a little and had multiple versions hanging around and, despite having definitely downloaded and installed drush 8.2.3 to /usr/local/bin/drush and I confirmed that this was being called via which drush when I ran drush --version it informed me I was running version 9.6.2.

The thing that I didn't know... Drush will check the directory the site is in to see if there is a local-site version installed and pass off the request to that. So despite having Drush 8.2.3 installed and called from the command line the request was finding the local copy and returning results from that. If it wasn't for the fact that this was a Drupal 7 site and I'd inadvertently installed Drush 9.x locally via composer. If it wasn't for the fact that Drush 9.x doesn't support Drupal 7.x I'd never have known that this was how it worked.

Big thanks to Kirill for correcting my brain meat on this.

May 02 2019
May 02

Release offers all-new stable layout builder, meets web accessibility guidelines
Washington D.C., Wednesday, May 1, 2019 - The Drupal community announces an update to Drupal 8. This new version — Drupal 8.7.0 — is a leap forward in the Drupal content manager experience as a creative tool streamlining workflows and improving efficiency within teams. Drupal 8.7.0 also maintains the project's commitment to web content accessibility guidelines, enabling screen readers or keyboards to navigate options — meaning this version is accessible to all. 
Drupal's newly stable Layout Builder module enables a drag-and-drop editing experience, which means no custom code or theming is required in order to lay out pages. But Drupal goes far beyond similar offerings by competitors, empowering content editors with increased power and flexibility: enabling management of templated layouts, support for powerful overrides based on content-type, and support for one-off landing pages. 
“Not only can this version support basic use cases, it also supports advanced use cases,” said Drupal Founder Dries Buytaert. “These types of templated layouts and workflow updates are not available in competitors’ layout building tools.” 
Drupal 8.7.0 provides significant improvements over all past versions of Drupal, particularly by including JSON:API as a stable module in core. By enabling the JSON:API module, all Drupal entities such as blog posts, users, tags, comments and more become accessible via the JSON:API web service API. This is a powerful, standards-compliant, web service API to pull content into JavaScript applications, digital kiosks, chatbots, voice assistants and more. This propels Drupal further into the lead among headless content management systems, making it the clear choice for the backbone of digital experiences beyond the web.
Drupal 8.7.0 provides the JSON:API for reading and modifying resources, interacting with relationships between resources, and filtering, sorting, and pagination of resource collections. It also supports complex workflows, allowing for a staging or approval process. 
Tim Lehnen, Executive Director of the Drupal Association, said, “Drupal 8.7 is a milestone release for the Drupal project. It simultaneously extends Drupal's lead as a powerful, API-first content framework, and leapfrogs competitors' tools for content editors.” 

In addition to being incredibly powerful, JSON:API is easy to learn and put into practice, and uses all the existing tooling to test, debug, and scale Drupal sites. 

“This feels like the dawn of a new chapter for Drupal and its authoring experience and we’re certain we’ve only scratched the surface,” said Caroline Casals, a developer at Phase2 - a digital experience agency. 
Overall, this version streamlines the user experience for Drupal content creators and site builders, allowing front-end developers to work easily and efficiently. More than two years’ of commits from the open source community built this rigorous release. 
“On behalf of the Drupal Association and the Drupal community, I want to thank all of the contributors who made the Drupal 8.7.0 release possible,” Lehnen said. 
About Drupal
Drupal is content management software. It is used to make many of the websites and applications you use every day. Drupal has great standard features, easy content authoring, reliable performance, and excellent security. What sets it apart is its flexibility; modularity is one of its core principles. Its tools help you build the versatile, structured content that ambitious web experiences need.
About the Drupal Association
The Drupal Association is dedicated to fostering and supporting the Drupal project, the community and its growth. The Drupal Association helps the Drupal community with funding, infrastructure, education, promotion, distribution and online collaboration.


May 02 2019
May 02

Hook 42 is heading to Philadelphia for Drupaldelphia. Phew, that’s a mouthful to say! Not only are we proud to be sponsoring such a wonderful event, we’re excited to announce that Adam Bergstein will be giving two talks this year.

Dropping the Knowledge

To say we're excited about Adam's talks would be an understatement. To have a chance to share insights and experiences with other eager-to-learn individuals is something Adam enjoys, and he's looking forward to doing it again at Drupaldelphia.

Better Together: Impact Through Contribution

Adam will discuss his journey through the Drupal-verse, and explore ways to make a big community feel easier to navigate. With so many moving pieces, and people involved, it can be overwhelming at times to know what to do and where to find help. The moral of the story? When we all come together and pitch in, we can accomplish big things! Join Adam for an insightful journey through the community, and explorations of togetherness that make Drupal great. - A Community Case Study is a long-standing, free service that has the served Drupal community with an easy-to-use tool for creating Drupal sandboxes. During this case study, we’ll share the motivations behind and how the tool aims to lower the barrier of entry for those participating in the community. We’ll walk through the various use cases and features of the tool and examine how that helps anyone participate in our community. 

We hope you’ll come say hello if you stop in on one of Adam's sessions! If you're not interested in Adam's talks, don't fret! There are plenty of other interesting things happening at Drupaldelphia this year. Take a look at their website to browse other sessions, we're positive there is something for everyone. 


Understanding the importance Drupaldelphia has on the community, we felt it necessary to spread the love and give back to our Drupal family. We enjoy helping our community in many ways, and sponsorship is just another way to contribute to a community that helps so many people develop valuable skills and long-lasting relationships.

The development of our community important to us. Providing support that paves a way for those to come together and learn from each other is a core value of Hook 42 and it applies to more than just our team. Thats why we try to be part of its growth just as much from the outside as we do from the inside. 


Beyond the sponsorship and presentations, we’re happy to be back in the city of brotherly love. Those attending are looking forward to exploring the town and seeing some familiar faces. We hope you'll join Hook 42 in Philly for some good food, good culture and community contribution.

The real question though – when you get to Philly will you be going to Pat’s or Geno’s? Choose wisely!


May 02 2019
May 02

Matt and Mike talk with Angie "Webchick" Byron, Gábor Hojtsy, and Nathaniel Catchpole about the next year's release of Drupal 9. We discuss what's new, what (if anything) will break, and what will remain compatible.

Gábor and Angie selfie at DrupalCon NashvilleGábor and Angie selfie at DrupalCon Nashville
May 02 2019
May 02

“After soliciting input and consulting others, I felt JSON:API belonged in Drupal core.”

Dries Buytaert, creator of Drupal

Here is the news that will make the supporters of API-first Drupal simply lose their breath. Among the new features of the freshly released Drupal 8.7.0, is JSON:API in Drupal core! It is now part of Drupal 8 web services responsible for data exchange with third-party applications. Let’s learn more about JSON:API’s work, its road to Drupal’s “main squad,” and why JSON:API in Drupal core as of the release 8.7 is a significant achievement.

API-first Drupal future has arrived

New times dictate new trends. Businesses today can benefit from much more than just websites. They can embrace different channels through the “Create Once, Publish Everywhere” (COPE) method. Their content can “fly” to mobile applications, Internet of Things devices, and so on, via an API.

Being API-first means being fully ready for this interaction. API-first Drupal future has been the Drupal community’s priority in a recent couple of years. The new Drupal 8 in 2015 came packed with a REST API, which became more and more enhanced in the subsequent minor releases. This is the result of the API-first Drupal Initiative and hard work of the community.

In addition to Drupal 8 core RESTful web services, there emerged an ecosystem of projects for API-first Drupal:

  • contributed modules like GraphQL, Simple OAuth, Open API, Consumers, RELAXed Web Services, Subrequests etc.
  • decoupled distributions Contenta CMS, Reservoir, and Headless Lightning
  • Waterwheel.js SDK

Among the tools, of course, the JSON:API contributed module, which has now finished its way to Drupal core. Congrats!

The road of JSON:API to Drupal 8 core

The JSON:API specification was increasingly popular in the JavaScript community. Dries Buytaert in 2017 recommended the young JSON:API contributed module for Drupal 8 core. As the Drupal creator said, he felt JSON:API belonged there. Still, enormous work was ahead.

The module’s main creator and maintainer was Mateu Aguiló Bosch (e0ipso). But Dries asked Wim Leers and Gabe Sullice of Acquia to devote as much time as possible to helping to get this module ready for the core. Overall, as Wim Leers wrote in his article, the project had as many as 103 contributors.

According to Dries Buytaert, by the time JSON:API was committed to Drupal 8.7 branch, it had taken:

  • 28 months
  • 450 commits
  • 32 releases
  • 5,500+ test runs

Record-breaking module: immediately stable in core!

Usually, Drupal contributed modules are added to the core as experimental and only become stable when polished to perfection. However, JSON:API was the first module in history to be added to Drupal core as stable from day first! This is what Mateu Aguiló Bosch, the module’s main creator, said.

How JSON:API module works

When enabled, JSON:API in Drupal core immediately makes your Drupal entities (blog posts, users, comments or whatever) available via a web service API. For JSON:API, your entities are resource objects. It creates URLs by which the entity types and bundles can be accessed using HTTP methods.

According to Dries, both developers and content editors can create their content models directly in the Drupal user interface. In addition to the great authoring experiences, Dries said, they get a powerful and standards-compliant web service API that allows to pull this content to JS applications, digital kiosks, chatbots, voice assistants, and so on.

It is possible to:

  • fetch the selected entity fields only (for example, blog titles)
  • include relationships (for example, blog authors) and avoid additional requests
  • filter the resource collections
  • sort the resource collections
  • do the pagination of the resource collections

and much more.

What this news means for the users of JSON:API contributed module

According to Wim Leers, the users of JSON:API 8.x-2.x contributed module on Drupal 8.5 or 8.6, can simply update to Drupal 8.7 and delete the contrib. There should be no disruption in its work. Please note that the contributed module will no longer be supported by the end of 2019.

Update to Drupal 8.7 and enjoy JSON:API in core!

Congrats again to the tireless team of JSON:API creators! The API-first Drupal approach gives us an unlimited freedom in fulfilling our customers’ third-party integration ideas. So if you wish to: smoothly update to Drupal 8.7 create data exchange solutions with JSON:API in Drupal core expand your business reach to new channels Contact our Drupal developers!

May 01 2019
May 01

The spring is in full bloom — and so is Drupal development. On May 1st, we officially meet Drupal 8.7.0 release that is bursting with new features. And, of course, they are worth a good review. After the previous release in September, we discussed media handling capabilities in D8.6 as one of many interesting updates. Today, let’s take a closer look at what’s new in Drupal 8.7.0.

What's new in Drupal 8.7.0

Drupal 8.7.0 release is a big step forward that makes the CMS even more modernized, competitive, and user-friendly. It is now API-first, featuring handy UIs for editors, using the latest PHP, speaking more languages, and so on. The details come right now.

JSON:API as a new stable module in Drupal core

Here goes what Drupal's creator Dries Buytaert called an important milestone in its evolution towards being an API-first platform for both decoupled and coupled apps.

In the new release, the JSON:API module was added as a stable module to Drupal 8.7 core — skipping any experimental phases! JSON:API immediately exposes entities as a standards-compliant web API, so the data can be pulled by third-party applications.

The module is now the fifth module in D8’s ‘Web services” package. This means Drupal is now more open than ever to data exchange and third-party integration.

JSON_API is a new stable module in Drupal 8 core

Layout Builder stable and improved in Drupal 8.7

The “great drop” deserved a handy tool to create layout templates — and it got one. Layout Builder appeared in D8 core as of 8.5 release and immediately became popular.

It has been improved a lot in terms of keyboard navigation accessibility, precise permissions, layout overrides, column width selection, and much more. And now we officially have stable Layout Builder in Drupal 8.7 core, ready to work on live sites.

The module lets you create layouts for content types and other fieldable entity types. You can also design the look of individual content items. Constructing pages “brick by brick” by combining elements, configuring the blocks, and drag-and-dropping them around is easy and enjoyable.

Layout Builder stable in Drupal 8.7.0 core

New Media Library user interface

When discussing what’s new in Drupal 8.7.0 release, we need to mention the Media Library’s new, stylish, and handy user interface. It’s both nice to look at and to work with.

Finding media items in the Library, bulk uploading them from the computer to the Library, selecting media items and embedding them into content is a pleasure.

The Media module that works together with the Media Library is already stable. The Media Library is still experimental but its stability will not be late in the coming — it’s planned to be in release 8.8. The creators still have great surprises like WYSIWYG support. 

New Media Library interface in Drupal 8.7.0

New Media Library interface in Drupal 8.7.0 (2)

Umami demo now multilingual

The most delicious Drupal demo — Umami Food Magazine — has been translated into Spanish in Drupal 8.7 release. Umami was created to give a chance to explore the CMS’s capabilities thanks to plenty of demo content and configuration. This includes content types, media types, taxonomy, display modes, views, menus, and much more.

And now, in addition to all the above, Umami also showcases multilingual features configured out-of-box that anyone can study. Umami is available as one of Drupal installation profiles alongside the “Standard” and “Minimal.”

Umami demo translated into Spanish in Drupal 8.7.0

End of PHP 5 support

Drupal 8.7 is the last release to support PHP 5. However, it is already impossible in D8.7 to install new websites with a PHP version lower than 7.0.8. Updates for existing websites that use PHP 5 are still possible, but a warning will be displayed. In release 8.8, Drupal security updates will definitely require PHP 7.

In any case, it’s important to remember that PHP 5.6 reached end-of-life in December 2018. So it’s time to update PHP due to both safety and efficiency reasons. You can entrust this to our website support team.

Revisionable custom menu links & taxonomy

Custom menu links and taxonomy terms have been made revisionable in version 8.7.0, which allows them to fully participate in editorial workflows.

Removal of automatic entity updates

In new Drupal 8.7.0 release, the support for automatic entity updates has been removed. The reason is data integrity issues and conflicts. So the drush entity:updates (drush entup) command no longer works. Changes to entities will now be performed using standard update procedures.

Third-party library updates

The new release has also introduced the updates of important libraries to newer versions. For example, Guzzle to 6.3.3, Stylelint to 9.10.1, Coder to 8.3.1, CKEditor to 4.11.3, Twig to 1.38.4, as well as numerous PHP dependencies.

Drop of support for Internet Explorer 9 and 10

The 8.7.0 release is a final goodbye to Internet Explorer 9 and 10. It removes a workaround that still existed in D8.5 and D8.6 and allowed the inclusion of 32+ stylesheets.

Update to Drupal 8.7 smoothly!

This has been just a brief rundown of what’s new in Drupal 8.7.0. Follow our next blog posts, because we plan to review new features in more detail.

The day of the new release also marks the end of security support for D8.5.x. So it’s time to move forward — let your website enjoy the new features and stay protected. For the smooth update, rely on our Drupal support team.

May 01 2019
May 01


The Drupal community has just announced the winners of the inaugural Global Splash Awards. The Splash Awards were originally founded by Taco Potze, Bert Boerland, and Imre Gmelig Meijling. For this first international award show, Drupal development and design leaders from around the world gathered in Seattle for the awards ceremony in mid-April, where 14 winners across 13 categories were announced, with 1 tie. The awards were held in conjunction with DrupalCon Seattle 2019.

The Splash Awards recognize the best Drupal projects on the web. Each digital experience represents a step forward in digital innovation, and a new model for others to follow.

Michel van Velde, co-organizer of this year's awards, said, "It is wonderful to see the Splash Awards come both to North America and to a global audience for the first time." Co-organizer Baddy Breidert added, "With the wider reach of audience, we saw an outstanding level of projects nominated and showcased at this ceremony."

The Nominees

A total of 109 nominations were submitted, across 13 categories. In the tight field, there was a tie for project of the year: Lullabot for JSON:API and the City of Detroit, Michigan for their government municipal site Other categories and winners include: 

  • E-Commerce: Rob Edwards Freelance, Apex Running 
  • Corporate: Elevated Third, Central Square 
  • Design/UX: Burst, Chupa Chups 
  • Non-Profit: Made It Digital, Memory of Nations 
  • Education: Connect-i, Opigno 
  • Government: City of Detroit, 
  • Publishing / Media: Lemberg Solutions, Monda Magazin 
  • Tools / Apps: Genuine Interactive, FotoOppTM 
  • Social / Community: Phase2, Pinterest 
  • Theme: Last Call Media, 
  • Care / Healthcare: Mediamonks, Montefiore - Orthopedics 
  • Best module: Lullabot, JSON: API

Edgar Montes from the City of Detroit, Michigan, and tied winner for Project of the Year, said, “We like to believe that our dedication to the people of Detroit has helped us deliver a website that can serve the needs of the city and its people; a majority of the web team lives within the city and we make a point of trying to understand the needs of every part of the site and how to best convey the information it contains. It's important to us to try to demonstrate that great things continue to come out of a city which has seen its fair share of struggles and triumphs.”

Both the Splash Awards and the DrupalCon conferences bring the world community together; big agencies and small independent developers, all using Drupal and harnessing the power of open source. The next European Splash Awards will be held in conjunction with DrupalCon Europe 2019, taking place in Amsterdam, Netherlands in October 2019.

About Drupal

Drupal is content management software. It is used to make many of the websites and applications you use every day. Drupal has great standard features, easy content authoring, reliable performance, and excellent security. What sets it apart is its flexibility; modularity is one of its core principles. Its tools help you build the versatile, structured content that ambitious web experiences need.

About the Drupal Association 

The Drupal Association is dedicated to fostering and supporting the Drupal project, the community and its growth. The Drupal Association helps the Drupal community with funding, infrastructure, education, promotion, distribution and online collaboration at



About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web