Feb 04 2013

It's a question we all ask ourselves: What would I do if my site or server was compromised? Security professionals have loads of checklists to follow, and experienced server administrators drill for those moments. As we saw when Twitter.com was recently compromised by hackers, "Reset everyone's passwords, right away!" is almost always one of the important steps. If you run a Drupal site, that particular step can be frustrating. Resetting user passwords one by one is incredibly time-consuming, and there's no way to do it for everyone in one fell swoop. At least, there wasn't until the release of the Mass Password Reset module…

Screenshot of administration screen

This recently released module gives administrators a simple, straightforward admin page where they can reset every user's password with a single click. Notification emails can optionally be sent out to each user, just as if they'd requested the password reset themselves. (If you're using the module as part of the response to an actual security incident, it's probably a good idea to modify the standard password reset email before you click the "reset" button -- explaining why the passwords have been reset is important, and unfortunately the module doesn't let you override the email right from its bulk reset screen.) You can also choose to reset the root administrator's password (User 1 on the Drupal site), though the option is disabled by default.

There are a few situations in which you'd want to issue a mass password reset in calmer times. Just before launch, for example, you might want to ensure that a large batch of users migrated from another system all select new, secure passwords. For the most part, though, Mass Password Reset is a good tool to keep in your back pocket for a time when you need it. Hopefully you won't, but it's great to have when you do.

Aug 20 2012

Managing user roles in Drupal is easy -- at least, technically easy. It's a bit trickier if you have a large user base and need to manage a steady stream of people requesting access to specific privileges, new roles, or additional responsibilities. If you're in that situation, get ready for some quality time with your email client, and set up a regular appointment with Drupal's User Management screen. Fortunately, the Apply For Role module can simplify the process.

Screenshot of Apply for Role management screen

With Apply For Role, users can visit a new tab on their user account page and request access to a new role on the site. The request is queued up for an administrator, who can review, approve, or deny requests from a central management page. Requests can also be deleted -- allowing the original user to re-submit their request later -- or denied, ensuring that they can't send in more requests for the same role.

Screenshot of Apply for Role configuration form

The module allows site builders to set up which roles can be applied for (to prevent users from getting a glimpse at roles they should never have access to), prevent or allow multiple simultaneous role requests, and so on. For site builders who want extra control, the module also provides full Views integration, as well as integration with Trigger module. You can easily build a custom administration screen to manage role applications, complete with notification emails.

There are a few noticeable gaps in Apply For Role's functionality. The application form that users fill out is spartan and lacks any explanatory text; giving administrators a way to add more help text to that page would go a long way. In addition, it would be great to customize the names of the roles that are presented to applicants. Most sites' roles are never shown to normal users, so they're often named for brevity rather than clarity. Both of those oversights can be remedied with some minor hook_form_alter() work in a custom module, but it would be great to see them integrated. Even without those wish-list items, Apply For Role is a slick solution to the problem of processing large numbers of permission-change requests. If your site's user management workflow is a good match, you should definitely check it out.

Jul 23 2010
tim

Drupal - Using the Webform Module

For our client Bella Pictures, we’ve been working on a sweepstakes component that allows site visitors to design and win their dream wedding package. The sweepstakes will provide Bella sales representatives with an excellent source of leads. The leads are captured in Drupal, then packaged and sent to Eloqua, a software product Bella uses to manage marketing campaigns.
 
Bella wanted contest participants to experience the simplicity of shopping on the web site (read more about Bella's Ubercart shopping experience here). Contestants proceed through the shopping cart as if they were customers--selecting photo albums, videographers, and other accessories--but instead of buying the package when clicking submit, they’re entered into the contest.
 
In addition to forwarding the information to Eloqua, a new Drupal user is created for each participant. Why? Most of the entries will not win, and Bella wants the non-winners to purchase a wedding package. If the contestant already has a login from entering the sweepstakes, one of the obstacles to conversion is removed.
 

Web_Form_Registration

We frequently handle contest components in Drupal with the Webform module and in this case it provided us with a great starting point.
 
To enable registration for sweepstakes participants, we wrote an extension to web_form called web_form_registration, which allows admins to generate forms that create Drupal users. Although allowing user-creation via web forms can be dangerous, Captcha and rigorous attention to permissions can make it relatively safe.

When editing a web form, admins can check “allow registration” and map these five user fields to the appropriate form fields:

  • Username
  • Password
  • Password Confirmation
  • Email
  • Email Confirmation

There is some intelligence in the module to provide flexibility with respect to the mappings. For example, some sites may find it appropriate to require only an email in order to register a user. Admins can configure the form to omit the other four fields and create the user with only the email. An auto-generated password is then sent to the user’s email.

 
The module’s logic should allow other Drupal developers to integrate it into their systems when appropriate, in order to simplify the task of user creation. We anticipate releasing this module to the community soon and look forward to feedback.
