Development News

SunshinePHP 2018 Conference

PHP Announcements - Tue, 11/07/2017 - 20:00
In February 2018 come to Miami, Florida and escape the cold to learn more about PHP and speak with other developers, like you, to see what others are doing. The SunshinePHP 2018 speaker list has been announced, and we've assembled a great line-up with the most current PHP related topics for you. Topics include:

  • Middleware
  • Security
  • API Development
  • DevOps
  • Continuous Delivery
  • Databases
  • Javascript
  • PHP Core
  • UI/UX
  • Frameworks
  • Scalability
  • Team Development

Come celebrate our 6th year from February 8th to 10th, 2018 in sunny Miami, Florida. There will be a full tutorial day featuring 3-hour sessions followed by 2 days of 1-hour talks and inspirational keynotes. Register now! SunshinePHP.com
Categories: Development News, PHP, PHP News

International PHP Conference Spring Edition 2018 - Call for Papers

PHP Announcements - Mon, 11/06/2017 - 11:44
The International PHP Conference is the world's first PHP conference and has stood for more than a decade for top-notch pragmatic expertise in PHP and web technologies. At the IPC, internationally renowned experts from the PHP industry meet up with PHP users and developers from large and small companies. This is the place where concepts emerge and ideas are born: the IPC signifies knowledge transfer at the highest level. All delegates of the International PHP Conference have, in addition to the PHP program, free access to the entire range of the webinale taking place at the same time.

THE BASIC FACTS

  • Date: June 4-8, 2018
  • Location: Maritim ProArte Hotel, Berlin
  • Main Conference: June 5-7, 2018
  • Workshop Days: June 4 and 8
  • Deadline for submissions: 22 November 2017
  • URL for submissions: https://callforpapers.sandsmedia.com

Please see the spectrum of topics we'd like to see covered:

  • PHP Development
  • Web Development
  • Web Architecture
  • Server & Deployment
  • Agile & DevOps
  • Performance & Security
  • Data & Privacy

We are looking forward to your exciting submissions! For further information on International PHP Conference's sessions and speakers visit: www.phpconference.com
Categories: Development News, PHP, PHP News

Detecting and Solving Five Common MySQL Performance Problems (30 Nov 2017)

MySQL Web Seminars - Thu, 11/02/2017 - 15:08

MySQL Enterprise Monitor provides historical and real-time visibility into the performance and availability of all your MySQL databases, whether on-premises or in a public cloud. It continuously monitors your MySQL databases and alerts you to potential problems—with a MySQL Server or host machine—before they impact your production applications. In this webinar learn how to detect and solve five common, real-world MySQL performance problems using key features of MySQL Enterprise Monitor including MySQL Query Analyzer, advisors, timeseries, and monitoring of MySQL Group Replication (HA) clusters.



Date and Time: Thursday, 30 Nov 2017, 09:00 US/Pacific
Categories: Development News, MySQL

MySQL Document Store and Node.js (15 Nov 2017)

MySQL Web Seminars - Thu, 11/02/2017 - 15:06

The last few years have seen the advent of JavaScript on the server, and particularly Node.js, along with the dynamic, functional nature of the language and its key philosophy of using schemaless literal objects, or their JSON counterparts, to express data structures.

Matching this environment, MySQL recently introduced the MySQL Document Store, which enables using a regular MySQL database to manage schemaless data. This presentation will describe the key concepts of the Document Store alongside the new X protocol that supports it and will show how to use the X DevAPI with the MySQL Node.js connector.



Date and Time: Wednesday, 15 Nov 2017, 09:00 US/Pacific
Categories: Development News, MySQL

5 Steps to Get Your Drupal Site Multilingual Ready

Drupal News - Wed, 11/01/2017 - 16:43

The following blog was written by Drupal Association Premium Technology Partner, Lingotek.

Everyone is jumping on the localization bandwagon because it’s dawning on enterprises everywhere that creating site content in a customer’s language is one way to personalize their experience and improve engagement. That means more organizations are going to prioritize making their Drupal websites multilingual, so we’ve created a handy checklist to help you get ready.

From Module Mayhem to Built-in Language Support

Drupal 7 is a very stable and well-used content management platform and it supports a vast array of modules, but it wasn't built with multilingual in mind. Making a Drupal 7 site multilingual can be a time-intensive process for developers. To address this issue, the Drupal community went to work to rebuild language support. Drupal 8 was created to understand language from the beginning. Custom or contributed modules or themes don't have to understand language support: it's already built in.

Drupal 8 is a great platform to work with, not only because it is so multilingual capable out-of-the-box, but also because you can easily expand while maintaining the translatability of your data. The Drupal 8 multilingual core paves the way for more automation, more seamless workflows, and better publication management.

Whether you use Drupal 7 or Drupal 8, every Drupal developer who works with contributed or custom modules designed for multilingual or non-English sites needs to know how to build the best integration possible.

To make your path to global engagement and localization easier, we’ve created a checklist for getting your Drupal site multilingual ready in five steps.

Step 1: Understand Your Site

First step in your multilingual prep is to understand your site! Take a look at your customizations, nodes, fields, and modules so you have an idea of the size and scope of your multilingual prep. Let’s be honest though, most of us will never really know our sites completely. But that doesn’t mean you shouldn’t try. Start your multilingual readiness by taking a look at your theme, content, and modules.

Step 2: Examine Your Theme

Next step, review any customizations you have. Make sure all strings are wrapped in a t() function. You need to ensure both your base and sub-themes are multilingual ready. It helps if you use a well-established, multilingual-ready base theme like Zen, BootStrap3, etc.

Step 3: Think About Your Content

Figure out how many nodes are on your site and familiarize yourself with how and where they are used. Find out how many different content types you have and make note of diverse custom fields. The more types of content, the more complex your site translation will be. It’s also important to know how many languages are currently on the site, so check your node language settings. If they aren’t set up correctly, it can lead to translation barriers down the road.

Step 4: Rein In Your Modules

Find out how many modules are installed on your site. For multilingual, the fewer modules installed, the better! When it comes to contributed modules, you’ve got to rein them in. Too many modules can compromise functionality and interfere with site translation. Limit your modules to those that you really need and use. It’s best to have as few as you can (under 200). Be sure to code review your custom modules to ensure all strings are properly wrapped in t() functions.

Step 5: Examine Potential Trouble Spots

There are some additional areas that have the potential to become trouble spots. They may not affect large portions of your site, but it’s good to know where you might run into issues. Take a moment to inspect the following areas to ensure your Drupal site’s multilingual readiness:

  • URL Aliases
  • Taxonomy Terms
  • Blocks
  • Fieldable Panels Panes
  • Mini-panels
  • Groups
  • Views
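Steps 2 and 4 both come down to one code-review question: is every user-visible string a literal inside t(), with runtime values passed as placeholders rather than concatenated? The Drupal 7 code below is an added example, not part of the Lingotek post or of any Drupal module; example_mlcheck is a hypothetical module name and $name, $count and $status stand in for values read at runtime. It puts the patterns a reviewer should flag beside the form that is both translatable and safe to print, because the placeholder type also decides whether the value is escaped.

```php
<?php
// Added illustrative Drupal 7 code; "example_mlcheck" is a hypothetical
// module name. Either function can be returned as '#markup' from a block.

/**
 * What a Step 2 / Step 4 review should flag.
 */
function example_mlcheck_summary_bad($name, $count, $status) {
  // 1. Bare string: never wrapped in t(), so never offered to translators.
  $out = '<h2>Your items</h2>';

  // 2. Sentence split around variables: translators get three fragments
  //    ("Hello", "you have", "items") and cannot reorder them.
  $out .= '<p>' . t('Hello') . ' ' . $name . ', ' . t('you have') . ' '
        . $count . ' ' . t('items') . '.</p>';

  // 3. Variable passed to t(): the string extractor only finds literals,
  //    so nothing is translated; and t() does not sanitize, so if $status
  //    was user-supplied it is printed as HTML.
  $out .= '<p>' . t($status) . '</p>';

  // 4. "!" placeholder: the value is inserted verbatim, with no escaping.
  //    A display name containing <script> becomes markup in the page.
  $out .= '<p>' . t('Signed in as !name', array('!name' => $name)) . '</p>';
  return $out;
}

/**
 * Translatable and escaped.
 */
function example_mlcheck_summary($name, $count, $status) {
  // Literal inside t(); the whole sentence is one translatable unit.
  $out = '<h2>' . t('Your items') . '</h2>';

  // format_plural() gives translators both forms and fills @count itself.
  // "@name" runs through check_plain() before insertion.
  $out .= '<p>' . format_plural($count,
    'Hello @name, you have 1 item.',
    'Hello @name, you have @count items.',
    array('@name' => $name)) . '</p>';

  // A value that selects one of a known set of messages: map it to a
  // literal so the extractor sees every variant. Unknown values fall
  // through to a fixed string instead of being echoed back.
  $messages = array(
    'active'  => t('Your account is active.'),
    'pending' => t('Your account is awaiting approval.'),
  );
  $out .= '<p>' . (isset($messages[$status]) ? $messages[$status] : t('Account status unknown.')) . '</p>';

  // "%name" is escaped too, and wrapped in <em class="placeholder">.
  // Reserve "!" for markup you built and sanitized yourself.
  $out .= '<p>' . t('Signed in as %name', array('%name' => $name)) . '</p>';
  return $out;
}
```

The same rule applies in theme templates (print t('...') in .tpl.php files rather than a bare string), and Drupal 8 drops the "!" placeholder entirely, so code that relies on it has to change during a migration anyway.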

Every Drupal developer who works with contributed or custom modules designed for multilingual or non-English sites needs to know how to build the best integration possible. It’s also good for Drupal themers who want to make their theme templates translation-ready and for those who want to know how to build Drupal multilingual support for modules, themes, and distributions. By doing a little upfront prep, and following this short 5-step checklist, you will be ready to join the legions who are making the switch to multilingual.

To learn more about integrating translation into your site, check out the Lingotek - Inside Drupal Module.

Written by Calvin Scharffs

Categories: Development News, Drupal

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Drupal Contributed Security - Wed, 11/01/2017 - 14:22
Version: 7.x-4.x-dev
Date: 2017-November-01
Vulnerability: Cross Site Scripting
Description: 

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

PHP 7.1.11 Released

PHP Announcements - Fri, 10/27/2017 - 01:52
The PHP development team announces the immediate availability of PHP 7.1.11. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.11 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 5.6.32 Released

PHP Announcements - Thu, 10/26/2017 - 16:32
The PHP development team announces the immediate availability of PHP 5.6.32. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. For source downloads of PHP 5.6.32 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.2.0 Release Candidate 5 Released

PHP Announcements - Thu, 10/26/2017 - 12:26
The PHP development team announces the immediate availability of PHP 7.2.0 RC5. This release is the fifth Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 5 please visit the download page, Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 9th of November. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

PHP 7.0.25 Released

PHP Announcements - Thu, 10/26/2017 - 08:00
The PHP development team announces the immediate availability of PHP 7.0.25. This is a security release. Several security bugs were fixed in this release. All PHP 7.0 users are encouraged to upgrade to this version. For source downloads of PHP 7.0.25 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

Drupal Contributed Security - Wed, 10/25/2017 - 12:28
Project: Mosaik
Version: 7.x-1.x-dev
Date: 2017-October-25
Vulnerability: Cross-site scripting
Description: 

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".

Solution: 

Install the latest version:

Also see the Mosaik project page.

Reported By: 
Fixed By: 
Coordinated By: 

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Drupal Contributed Security - Wed, 10/25/2017 - 12:09
Version: 7.x-1.x-dev
Date: 2017-October-25
Vulnerability: Multiple Vulnerabilities
Description: 

This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize user input used in various database queries, which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.

Some configuration fields are not filtered while rendered, resulting in a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Brilliant Gallery".

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 
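The three issues in this advisory, together with the stored XSS in the Automated Logout and Mosaik advisories above, are the classic Drupal 7 contrib mistakes: request data spliced into SQL, a state-changing URL with no proof of user intent, and administrator-entered configuration printed as HTML. The code below is an added example and not code from any of these modules; example_gallery, its table, its variables and its menu path are hypothetical. Each vulnerable function is paired with the core API that fixes it.

```php
<?php
// Added illustrative Drupal 7 code. The module name, the {example_gallery}
// table, the variables and the 'example-gallery/save' path are hypothetical.

/* --- 1. SQL injection ---------------------------------------------------- */

// Vulnerable: $folder (from the request) is spliced into the query, so a
// value such as  x' OR '1'='1  rewrites the WHERE clause.
function example_gallery_images_unsafe($folder) {
  return db_query("SELECT fid, title FROM {example_gallery} WHERE folder = '" . $folder . "'")
    ->fetchAll();
}

// Hardened: a named placeholder. The database layer quotes the value, and
// it can never change the structure of the statement.
function example_gallery_images($folder) {
  return db_query('SELECT fid, title FROM {example_gallery} WHERE folder = :folder',
    array(':folder' => $folder))->fetchAll();
}

/* --- 2. Cross-site request forgery --------------------------------------- */

// Vulnerable: a hook_menu() page callback that saves state from a plain GET.
// An image tag or link on any other site makes a logged-in visitor save it.
function example_gallery_save_checklist_unsafe() {
  variable_set('example_gallery_checklist', $_GET['items']);
  drupal_goto('admin/config/media/example-gallery');
}

// Hardened: the link that reaches the callback carries a token bound to the
// visitor's session, and the callback rejects requests without a valid one.
// (Forms built with the Form API get this check for free via form_token.)
function example_gallery_checklist_link($items) {
  return url('example-gallery/save', array('query' => array(
    'items' => $items,
    'token' => drupal_get_token('example_gallery_checklist'),
  )));
}

function example_gallery_save_checklist() {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_gallery_checklist')) {
    return MENU_ACCESS_DENIED;
  }
  // A token proves intent, not validity: still treat the value as untrusted
  // and escape it on output (section 3), not here.
  variable_set('example_gallery_checklist', (string) $_GET['items']);
  drupal_goto('admin/config/media/example-gallery');
}

/* --- 3. Stored XSS from configuration ------------------------------------ */

// Vulnerable: strings typed into the settings form are printed as-is. With
// the module's administer permission an attacker plants <script> once and
// every visitor who sees the block runs it.
function example_gallery_block_view_unsafe($delta = '') {
  return array(
    'subject' => variable_get('example_gallery_title', 'Gallery'),
    'content' => array('#markup' => variable_get('example_gallery_footer', '')),
  );
}

// Hardened: plain-text settings go through check_plain(); settings meant to
// hold HTML go through filter_xss_admin() (or filter_xss() with an explicit
// tag list). Core escapes the block title set on the block admin page, but
// not the 'subject' a module returns itself.
function example_gallery_block_view($delta = '') {
  return array(
    'subject' => check_plain(variable_get('example_gallery_title', 'Gallery')),
    'content' => array('#markup' => filter_xss_admin(variable_get('example_gallery_footer', ''))),
  );
}

function example_gallery_settings_form($form, &$form_state) {
  $form['layout'] = array(
    '#type' => 'fieldset',
    // Fieldset titles and descriptions are not escaped by the Form API in
    // Drupal 7, so a stored value used here must be escaped explicitly.
    '#title' => check_plain(variable_get('example_gallery_section_title', 'Layout')),
  );
  $form['layout']['example_gallery_title'] = array(
    '#type' => 'textfield',
    '#title' => t('Block title'),
    '#default_value' => variable_get('example_gallery_title', 'Gallery'),
  );
  return system_settings_form($form);
}
```

The "mitigated by the fact that an attacker must have the administer permission" line in these advisories is only a mitigation if that permission really is confined to trusted roles; it is worth checking the role grid at admin/people/permissions for every contrib module that stores free text and prints it back.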

ScotlandPHP

PHP Announcements - Thu, 10/19/2017 - 13:46
Scotland's Original and Best PHP Conference. Saturday 4th November 2017, EICC, Edinburgh. 2 Tracks, 14 World Class Speakers, 2 Social Events, 1 Amazing Day!

  • Josh Holmes, MICROSOFT - Opening Keynote: "Rise of the Machines"
  • Adam Culp, ZEND - "Clean Application Development"
  • Amanda Folson, NEXMO - "Open Source for Closed Source Companies"
  • Ciaran McNulty, INVIQA - "Behat Best Practices"
  • Christian Lück, CONSULTANT - "Pushing the Limits of PHP with ReactPHP"
  • Craig McCreath, MTC - "Refactoring Large Legacy Applications with Laravel"
  • Dave Stokes, ORACLE - "MySQL 8: A New Beginning"
  • David McKay, CONSULTANT - "What even is 'Cloud Native'?"
  • Matt Brunt, VIVA IT - "Content Security Policies: Let's Break Stuff"
  • Renato Mefi, ENRISE - "GraphQL is right in front of us, let's do it!"
  • Seb Heuer, KARTENMACHEREI - "The Myth of Untestable Code"
  • Terrence Ryan, GOOGLE - "Containing Chaos with Kubernetes"
  • Thomas Shone, BOOKING.COM - "Security Theatre: The State of Online Security"
  • Meri Williams, MOO.COM - Closing Keynote: "Creating Space to be Awesome"

More Information... Follow us on twitter: @scotlandphp
Categories: Development News, PHP, PHP News

Community Spotlight: Rwandan enthusiasm for Drupal causes big challenge

Drupal News - Wed, 10/18/2017 - 15:00

For Ildephonse Bikino (bikilde) of Rwanda, it was supposed to be an uneventful Drupal Global Training Day call-out; he expected 50 people but he got 388!

Bikino began working to get local interest in Drupal, sharing information by creating a simple website and posting information about the trainings on groups.drupal.org and sharing it locally.

He hoped to reach the room capacity of 50 people; the registrations came flowing in.

“The venue, which is kLab, where I was expecting to run my first training, they only accommodate 50 people. And the channel I used to announce the training, I was not expecting too many people attending, but people ...shared my communication to different channels and in so many different ways. I was surprised to get more than 388 applications.”

How do you deal with the logistics of training 388 people? That’s hard! Bikino was committed to the challenge. One session became eight over a number of weekends. Bikino made sure everyone got the opportunity to attend!

Discovering Drupal

Students learning about Drupal at one of the training classes

Bikino's start with Drupal began commonly enough; through his job. Like many small teams, staff get mixed roles and he inherited the website role. His experience grew from there. In 2016 he had the opportunity to attend DrupalCon New Orleans via scholarship through the Drupal Association. This let him discover the global opportunities and connections that open source software and the Drupal community can provide.

“My interest [in going to DrupalCon New Orleans] was to learn how thousands of people can just work together to deliver one single platform, how it works, and how people can really do it as volunteering work and through contributions. [The experience left me feeling that] I could really share that culture and community with young Rwandan people… and how they can love what they are doing this much. That’s where my inspiration came from.”

Bikino says technology offers more than just jobs, it provides local activities, ways to collaborate, and a chance to build knowledge. He plans to create a platform for the Rwanda Drupal community to share skills, projects, opportunities and experience.

Moving Forward

The local support for the Drupal Global Training Day is a sign of changing times in Rwanda. Those attending the training are educated, but there can be a lack of connection between what they are learning in school and the outside market. Bikino wants to connect those gaps by creating opportunities to learn, build, and develop. Like many countries across the globe, the Rwandan government sees technology as a way to build economic diversity, nurture jobs, and transform the country.

Local Projects

Students gathered during Global Training Day event

The Rwanda Information and Communication Association (RICTA) and partners launched The 1K Websites project, to promote Local Content Hosting. For now most of the websites made are Government, but they are expanding the project. With good internet infrastructure already in place, this is the start of local content creation and websites for business and community.

Diversity in the community is going to be a challenge, but Bikino realises it's an important one. Sustainable Development Goal 5 is to "achieve gender equality and empower women and girls", and access to technology in developing countries such as Rwanda is important for sustainability. Bikino is actively working with kLab management to find funds to develop opportunities for women in technology.

The Future

The last group of the 388 people have just gone through their training. The aim now is to develop local freelancers, do projects within the community, and find mentors to share tips, guidance and best practices. The group would even like to contribute to translating Drupal into the local language (Kinyarwanda). And of course one day, host an African DrupalCon.

Peel away the layers of an impressive attendance to a Drupal Global Training Day event, and you have a story about the potential for technology and Drupal to transform people, communities and industry.

You can follow and connect with Bikino via Twitter or say hi to him in the Drupal Slack. Bikino is the Deputy Director for ICT in Education Projects with FHI 360.

Next Spotlight?

Our next spotlight will be Fatima Sarah Khalid who you may recognise as @sugaroverflow. To those watching DrupalConEur from twitter it looked like no one had more fun than her! Fatima is going to be interviewed by Nikki Stevens who you may recognise as @drnikki. We think it’s going to be very cool.

We are also going to have our new Drupal Spotlight site up very soon. We have big ideas!

Categories: Development News, Drupal

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78

Drupal Contributed Security - Wed, 10/18/2017 - 12:48
Project: Yandex.Metrics
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Vulnerability: Cross site scripting
Description: 

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module doesn't sufficiently warn that access to its settings page should not be given to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

Solution: 

Install the latest version:

  • If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-3.1 and also examine your site's permission configuration to ensure that only highly-trusted administrators have the "Administer Yandex.Metrics Settings" permission.

Also see the Yandex.Metrics project page.

Reported By: 
Fixed By: 
Coordinated By: 

MySQL Performance: Getting the Basics Right (26 Oct 2017)

MySQL Web Seminars - Fri, 10/13/2017 - 07:44

Setting up a MySQL Server solution is not a complex task, and with a few simple steps anybody can run a database. In this session learn useful tips to help you understand the preliminary steps in database design. Learn how to choose the right storage engine, table design, and data types for your application, and get a set of useful recommendations. If it is true that premature optimization is the root of all performance evils, it is also true that starting off right is the most important part of the work. Don't miss this opportunity to learn from our Oracle MySQL performance tuning expert!



Date and Time: Thursday, 26 Oct 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Using MySQL Containers: Why and How (25 Oct 2017)

MySQL Web Seminars - Fri, 10/13/2017 - 07:38

In this webinar, we’ll cover what Docker is, how MySQL fits in, and why it makes sense to use them together. You’ll then learn how to leverage the MySQL Docker containers that are now included with each of our MySQL product releases with the goal of improving your development operations.



Date and Time: Wednesday, 25 Oct 2017, 09:00 US/Pacific
Categories: Development News, MySQL

PHP 7.2.0 Release Candidate 4 Released

PHP Announcements - Thu, 10/12/2017 - 05:46
The PHP development team announces the immediate availability of PHP 7.2.0 RC4. This release is the fourth Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 4 please visit the download page, Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 26th of October. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

Drupal looking to adopt React

Drupal News - Wed, 10/11/2017 - 13:05

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Drupal looking to adopt React

Last week at DrupalCon Vienna, I proposed adding a modern JavaScript framework to Drupal core. After the keynote, I met with core committers, framework managers, JavaScript subsystem maintainers, and JavaScript experts in the Drupal community to discuss next steps. In this blog post, I look back on how things have evolved, since the last time we explored adding a new JavaScript framework to Drupal core two years ago, and what we believe are the next steps after DrupalCon Vienna.

As a group, we agreed that we had learned a lot from watching the JavaScript community grow and change since our initial exploration. We agreed that today, React would be the most promising option given its expansive adoption by developers, its unopinionated and component-based nature, and its well-suitedness to building new Drupal interfaces in an incremental way. Today, I'm formally proposing that the Drupal community adopt React, after discussion and experimentation has taken place.

Two years ago, it was premature to pick a JavaScript framework

Three years ago, I developed several convictions related to "headless Drupal" or "decoupled Drupal". I believed that:

  1. More and more organizations wanted a headless Drupal so they can use a modern JavaScript framework to build application-like experiences.
  2. Drupal's authoring and site building experience could be improved by using a more modern JavaScript framework.
  3. JavaScript and Node.js were going to take the world by storm and that we would be smart to increase the amount of JavaScript expertise in our community.

(For the purposes of this blog post, I use the term "framework" to include both full MV* frameworks such as Angular, and also view-only libraries such as React combined piecemeal with additional libraries for managing routing, states, etc.)

By September 2015, I had built up enough conviction to write several long blog posts about these views (post 1, post 2, post 3). I felt we could accomplish all three things by adding a JavaScript framework to Drupal core. After careful analysis, I recommended that we consider React, Ember and Angular. My first choice was Ember, because I had concerns about a patent clause in Facebook's open-source license (since removed) and because Angular 2 was not yet in a stable release.

At the time, the Drupal community didn't like the idea of picking a JavaScript framework. The overwhelming reactions were these: it's too early to tell which JavaScript framework is going to win, the risk of picking the wrong JavaScript framework is too big, picking a single framework would cause us to lose users that favor other frameworks, etc. In addition, there were a lot of different preferences for a wide variety of JavaScript frameworks. While I'd have preferred to make a bold move, the community's concerns were valid.

Focusing on Drupal's web services instead

By May of 2016, after listening to the community, I changed my approach; instead of adding a specific JavaScript framework to Drupal, I decided we should double down on improving Drupal's web service APIs. Instead of being opinionated about what JavaScript framework to use, we would allow people to use their JavaScript framework of choice.

I did a deep dive on the state of Drupal's web services in early 2016 and helped define various next steps (post 1, post 2, post 3). I asked a few of the OCTO team members to focus on improving Drupal 8's web services APIs; funded improvements to Drupal core's REST API, as well as JSON API, GraphQL and OpenAPI; supported the creation of Waterwheel projects to help bootstrap an ecosystem of JavaScript front-end integrations; and most recently supported the development of Reservoir, a Drupal distribution for headless Drupal. There is also a lot of innovation coming from the community with lots of work on the Contenta distribution, JSON API, GraphQL, and more.

The end result? Drupal's web service APIs have progressed significantly the past year. Ed Faulkner of Ember told us: "I'm impressed by how fast Drupal made lots of progress with its REST API and the JSON API contrib module!". It's a good sign when a core maintainer of one of the leading JavaScript frameworks acknowledges Drupal's progress.

The current state of JavaScript in Drupal

Looking back, I'm glad we decided to focus first on improving Drupal's web services APIs; we discovered that there was a lot of work left to stabilize them. Cleanly integrating a JavaScript framework with Drupal would have been challenging 18 months ago. While there is still more work to be done, Drupal 8's available web service APIs have matured significantly.

Furthermore, by not committing to a specific framework, we are seeing Drupal developers explore a range of JavaScript frameworks and members of multiple JavaScript framework communities consuming Drupal's web services. I've seen Drupal 8 used as a content repository behind Angular, Ember, React, Vue, and other JavaScript frameworks. Very cool!

There is a lot to like about how Drupal's web service APIs matured and how we've seen Drupal integrated with a variety of different frameworks. But there is also no denying that not having a JavaScript framework in core came with certain tradeoffs:

  1. It created a barrier for significantly leveling up the Drupal community's JavaScript skills. In my opinion, we still lack sufficient JavaScript expertise among Drupal core contributors. While we do have JavaScript experts working hard to maintain and improve our existing JavaScript code, I would love to see more experts join that team.
  2. It made it harder to accelerate certain improvements to Drupal's authoring and site building experience.
  3. It made it harder to demonstrate how new best practices and certain JavaScript approaches could be leveraged and extended by core and contributed modules to create new Drupal features.

One trend we are now seeing is that traditional MV* frameworks are giving way to component libraries; most people seem to want a way to compose interfaces and interactions with reusable components (e.g. libraries like React, Vue, Polymer, and Glimmer) rather than use a framework with a heavy focus on MV* workflows (e.g. frameworks like Angular and Ember). This means that my original recommendation of Ember needs to be revisited.

Several years later, we still don't know what JavaScript framework will win, if any, and I'm willing to bet that waiting two more years won't give us any more clarity. JavaScript frameworks will continue to evolve and take new shapes. Picking a single one will always be difficult and to some degree "premature". That said, I see React having the most momentum today.

My recommendations at DrupalCon Vienna

Given that it's been almost two years since I last suggested adding a JavaScript framework to core, I decided to bring the topic back in my DrupalCon Vienna keynote presentation. Prior to my keynote, there had been some renewed excitement and momentum behind the idea. Two years later, here is what I recommended we should do next:

  • Invest more in Drupal's API-first initiative. In 2017, there is no denying that decoupled architectures and headless Drupal will be a big part of our future. We need to keep investing in Drupal's web service APIs. At a minimum, we should expand Drupal's web service APIs and standardize on JSON API. Separately, we need to examine how to give API consumers more access to and control over Drupal's capabilities.
  • Embrace all JavaScript frameworks for building Drupal-powered applications. We should give developers the flexibility to use their JavaScript framework of choice when building front-end applications on top of Drupal — so they can use the right tool for the job. The fact that you can front Drupal with Ember, Angular, Vue, React, and others is a great feature. We should also invest in expanding the Waterwheel ecosystem so we have SDKs and references for all these frameworks.
  • Pick a framework for Drupal's own administrative user interfaces. Drupal should pick a JavaScript framework for its own administrative interface. I'm not suggesting we abandon our stable base of PHP code; I'm just suggesting that we leverage JavaScript for the things that JavaScript is great at by moving relevant parts of our code from PHP to JavaScript. Specifically, Drupal's authoring and site building experience could benefit from user experience improvements. A JavaScript framework could make our content modeling, content listing, and configuration tools faster and more application-like by using instantaneous feedback rather than submitting form after form. Furthermore, using a decoupled administrative interface would allow us to dogfood our own web service APIs.
  • Let's start small by redesigning and rebuilding one or two features. Instead of rewriting the entirety of Drupal's administrative user interfaces, let's pick one or two features, and rewrite their UIs using a preselected JavaScript framework. This allows us to learn more about the pros and cons, allows us to dogfood some of our own APIs, and if we ultimately need to switch to another JavaScript framework or approach, it won't be very painful to rewrite or roll the changes back.
Selecting a JavaScript framework for Drupal's administrative UIs

In my keynote, I proposed a new strategic initiative to test and research how Drupal's administrative UX could be improved by using a JavaScript framework. The feedback was very positive.

As a first step, we have to choose which JavaScript framework will be used as part of the research. Following the keynote, we had several meetings at DrupalCon Vienna to discuss the proposed initiative with core committers, all of the JavaScript subsystem maintainers, as well as developers with real-world experience building decoupled applications using Drupal's APIs.

There was unanimous agreement that:

  1. Adding a JavaScript framework to Drupal core is a good idea.
  2. We want to have sufficient real-use experience to make a final decision prior to 8.6.0's development period (Q1 2018). To start, the Watchdog page would be the least intrusive interface to rebuild and would give us important insights before kicking off work on more complex interfaces.
  3. While a few people named alternative options, React was our preferred option, by far, due to its high degree of adoption, component-based and unopinionated nature, and its potential to make Drupal developers' skills more future-proof.
  4. This adoption should be carried out in a limited and incremental way so that the decision is easily reversible if better approaches come later on.

We created an issue on the Drupal core queue to discuss this more.

Conclusion

Drupal supporting different javascript front ends

Drupal should support a variety of JavaScript libraries on the user-facing front end while relying on a single shared framework as a standard across Drupal administrative interfaces.

In short, I continue to believe that adopting more JavaScript is important for the future of Drupal. My original recommendation to include a modern JavaScript framework (or JavaScript libraries) for Drupal's administrative user interfaces still stands. I believe we should allow developers to use their JavaScript framework of choice to build front-end applications on top of Drupal and that we can start small with one or two administrative user interfaces.

After meeting with core maintainers, JavaScript subsystem maintainers, and framework managers at DrupalCon Vienna, I believe that React is the right direction to move for Drupal's administrative interfaces, but we encourage everyone in the community to discuss our recommendation. Doing so would allow us to make Drupal easier to use for site builders and content creators in an incremental and reversible way, keep Drupal developers' skills relevant in an increasingly JavaScript-driven world, and move us ahead with modern tools for building user interfaces.

Special thanks to Preston So for contributions to this blog post and to Matt Grill, Wim Leers, Jason Enter, Gábor Hojtsy, and Alex Bronstein for their feedback during the writing process.

Categories: Development News, Drupal

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Drupal Contributed Security - Wed, 10/11/2017 - 13:01
Version: 7.x-1.0
Date: 2017-October-11
Vulnerability: Access Bypass
Description: 

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control, making it susceptible to brute-force attacks.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 
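Flood control in Drupal 7 is two calls: flood_is_allowed() before the credential check and flood_register_event() after a failure, keyed both per client address and per account so that neither a single host nor a guess spread across many addresses against one account gets unlimited tries. Core's login form already does both, and an external-authentication module only needs to slot its remote check into that flow. The following is an added example, not netFORUM Authentication's code: example_ext is a hypothetical module and example_ext_remote_check() stands in for whatever call verifies credentials against the external service.

```php
<?php
// Added illustrative Drupal 7 code; "example_ext" is a hypothetical module
// and example_ext_remote_check() stands in for the external credential check.

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * Swap core's local password check for the external one, but keep
 * user_login_final_validate(), which records failures with
 * flood_register_event() and reports the error, and user_login_submit().
 */
function example_ext_form_user_login_alter(&$form, &$form_state) {
  $key = array_search('user_login_authenticate_validate', $form['#validate']);
  if ($key !== FALSE) {
    $form['#validate'][$key] = 'example_ext_login_validate';
  }
}

/**
 * Validate handler: the same flood gates core applies, then the remote check.
 *
 * On failure $form_state['uid'] stays unset; core's final validator then
 * registers 'failed_login_attempt_ip' and, because the identifier is set,
 * 'failed_login_attempt_user'. On success it clears the per-user counter.
 */
function example_ext_login_validate($form, &$form_state) {
  $name = $form_state['values']['name'];
  $password = trim($form_state['values']['pass']);
  if ($name === '' || $password === '') {
    return;
  }

  // Gate 1: failures from this client address, default 50 per hour.
  if (!flood_is_allowed('failed_login_attempt_ip',
      variable_get('user_failed_login_ip_limit', 50),
      variable_get('user_failed_login_ip_window', 3600))) {
    $form_state['flood_control_triggered'] = 'ip';
    return;
  }

  // Gate 2: failures against this account, default 5 per six hours.
  // Core keys on uid + IP; there is no local uid before the external lookup,
  // so this example keys on the normalized username (an assumption). Leaving
  // the IP out of the key is what stops a guess distributed over many hosts.
  $identifier = drupal_strtolower(trim($name));
  $form_state['flood_control_user_identifier'] = $identifier;
  if (!flood_is_allowed('failed_login_attempt_user',
      variable_get('user_failed_login_user_limit', 5),
      variable_get('user_failed_login_user_window', 21600), $identifier)) {
    $form_state['flood_control_triggered'] = 'user';
    return;
  }

  // Only now spend a round trip on the external service.
  if (example_ext_remote_check($name, $password)) {
    // Creating a local account for a first-time external user is out of
    // scope here; a name with no authmap entry simply fails validation.
    $account = user_external_load($name);
    if ($account) {
      $form_state['uid'] = $account->uid;
    }
  }
  else {
    watchdog('example_ext', 'External login failed for %name.', array('%name' => $name), WATCHDOG_NOTICE);
  }
}
```

The counters can be checked without guessing real passwords: a handful of failed submissions for one account from two different client addresses should trip the per-account message, and the flood table should show rows under both event names.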