Higher Ed Drupal: Drupal in Computer Science (Part 2 - Realities)

by Elliot Christenson on November 14, 2016 - 1:13pm

You may have read my previous blog post "Higher Ed Drupal: Drupal In Computer Science". In that post, I detailed what I hoped to achieve with my students this semester. I'm instructing the Introduction to Computer Science class at the University of Wisconsin-Green Bay.

Drupal 6 security update for Views Send

by David Snopek on November 9, 2016 - 1:08pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Views Send module to fix a Cross Site Scripting (XSS) vulnerability.

Views Send enables you to send mail to multiple users from a View.

The module doesn't sufficiently filter potential user-supplied data when it's previewing the mail, which can lead to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "mass mailing with views_send".

You can download the patch.

If you have a Drupal 6 site using the Views Send module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Don't Leave Your Website Support & Maintenance to Junior Developers

by Elliot Christenson on November 8, 2016 - 11:19am

In talking to Drupal shops and agencies about how they do support, we've sometimes heard something like:

We have junior developers / paid interns handle one-off support and maintenance requests as a way to train them!

We provide white-label fixed-monthly-cost support for agencies, so I am a little biased. :-) But I used to run a small Drupal agency and I truly believe that there are a number of potential issues with this view.

From my perspective, certainly: IT IS NOT OK to leave support and maintenance to junior developers.

I'll try to give some detail to explain my viewpoint on this... Read on to learn more!

Clients don’t want to be billed hourly for site maintenance - even if they say they do!

by David Snopek on October 25, 2016 - 11:11am

As Drupal professionals, you and I know that all sites need maintenance and support after they're launched. There are security updates, bugs, minor tweaks and questions to be answered. Clients might not know that, so it's our job to educate them.

We find that it's easiest to discuss this before development starts on their new site, rather than after it's done, but whenever it happens, you'll need to agree to a plan for when things come up.

Most Drupal shops and freelancers default to "hourly as needed". Usually clients will go along with that - or even insist on it!

However, we strongly believe that billing hourly for site maintenance and support is WORSE for clients (and you).

Read more to find out why - and learn a better way to do it!

Drupal 6 security update for Webform

by Elliot Christenson on October 19, 2016 - 12:35pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Less Critical security release for the Webform module to fix an Access Bypass vulnerability.

When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed, which could allow access to be granted by other modules.

You can download the patch for Webform 6.x-3.x.

If you have a Drupal 6 site using the Webform module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Elysia Cron

by Elliot Christenson on October 12, 2016 - 12:18pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Elysia Cron module to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure this module have the ability to add insufficiently sanitized JavaScript in the "Predefined rules" field. However, this vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

You can download the patch for Elysia Cron 6.x-2.x.

If you have a Drupal 6 site using the Elysia Cron module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Top 5 (In My Opinion) Drupal Blogs for Agencies

by Elliot Christenson on October 10, 2016 - 3:51pm

Drupal is open source software. Thousands of contributors help build it, but of similar importance is the marketing and education wing of the Drupal Community. Drupal Twitter accounts, Drupal podcasts, and today's topic: Drupal Blogs.

There are many, many blogs that are of importance to various aspects of Drupaling. My criteria are really just my own non-authoritative views. Please feel free to Tweet me, Facebook me, or throw in your own ideas in the comments below!

If you're still on Drupal 6, you should switch to Pressflow ... ASAP!

by David Snopek on October 3, 2016 - 2:33pm

If you have a site that's still on Drupal 6, you're not alone. As of about a week ago, there's still over 88,000 Drupal 6 sites out there!

While support from the community ended on February 24th, the Drupal 6 Long-Term Support vendors have been hard at work, releasing over 20 security fixes for various contrib so far, including very popular modules like Views and Panels!

While the D6LTS vendors haven't released any security fixes for Drupal 6 core yet - it's only a matter of time!

If you want to be ready for it when they do, we recommend that you update to Pressflow. But that's not the only reason!

Read more to find out why and how!

How to QUICKLY and SAFELY deploy to the live site WITHOUT comprehensive testing!

by David Snopek on September 26, 2016 - 6:41am

On the one hand, you want to deploy changes to the live site QUICKLY (for, say, a Highly Critical security update).

On the other hand, you want to make changes SAFELY, i.e. you don't want it to break the site.

Testing is good. Automated testing is great.

But what if you simply didn't have the resources to comprehensively test the change (either manually or automatically)?

Maybe the client isn't willing to fund a project to write automated tests. Maybe you don't have the extra time or extra people to do proper QA. Whatever the reason, you just couldn't do it.

Is it possible to both quickly AND safely deploy to the live site WITHOUT comprehensive testing?

... besides just crossing your fingers and hoping it doesn't break?

We think there is a way. :-) Read more to find out!

Giving Clients What They Need - Not What They Want

by Elliot Christenson on September 20, 2016 - 7:38am

If you're anything like me, you've spent a few years in the freelance/agency world performing work for clients. If your clients are anything like the ones I've had, they come in with preconceived notions, "wives tales", and many, many things that are just not in their best interest.

I know there is a tendency to say "the customer is always right." I would prefer to say "the customer is entitled to the best product possible."

Part of that product is you - their developer - and your knowledge.

In this post, I'm going to attempt to show you a piece of what I mean when I say "Giving Clients What They Need - Not What They Want".

Articles aggregated for consumption on Drupal Planet!
