I was fortunate that NCBI and A-tek sent me to DrupalCon Chicago, the annual three-day gathering of Drupal developers. I aim to distill the talks I went to each day, starting with Day 1, March 8th, 2011.
Keynote: Dries Buytaert
The creator himself! Dries reviewed highlights of the Drupal 7 release, and recognized the major contributors to the release.
Mainly, Dries laid out his vision for Drupal 8:
- Optimizing Drupal for mobile output
- Making Drupal rendering more flexible for outputting not just HTML, but also XML, web services, JSON etc.
The Future of Drupal Development, Testing & Deployment: Josh Koenig
Josh talked about Pantheon, which is “ ….a best practice, cloud based platform for developing, hosting, and managing Drupal websites …
Basically, this is a web-based service that acts as a control panel for your Drupal site, allowing you to do performance optimizations, run automated testing, trigger dev, staging, and production deployments, and do git version control.
Josh talked about several other projects that went into Pantheon including:
The Pantheon team is starting to offer Beta accounts for testing Pantheon; although, he said they were backlogged, and it would be a while until everyone who wanted an account got one.
Drupal Security for Coders: Greg Knaddison
Greg gave a talk on very common security issues for general web developers, and Drupal developers in particular. He focused on Cross Site Scripting (XSS) attacks and Cross Site Request Forgery (CSRF). It was an entertaining talk, but I was a bit disappointed at the lack of new information, at least for me. I already know to sanitize user input.
I did see an interesting example of how a user could, for example, delete a piece of data (let's call it reource 'bar') if the deleting process doesn't require a confirmation. Someone could do this by adding a piece of content like this:
The img tag, of course, would make an http request to the value of the src attribute and remove the 'bar' object, assuming going to that url removes the content. The easy fix, of course, is adding a confirmation screen.
During the talk I did learn about a bunch of modules:
- browsecap. This allows you to easily track browser stats on your visitors.
- login security. This protects against brute-force login attempts, where a hacker tries to gain access by trying common usernames and passwords.
- Hacked!. This module scans your actual Drupal files and if the diff module is installed, will tell you if any of your files have been changed.
- Coder. A sweet module that ensures your code conforms to drupal standards. This can also help find insecure code.
- Secure Code Review
- Security Review. This module automates the review of common, insecure Drupal configuration settings.
Greg also mentioned, in passing, a few functions:
- l(), the function you should use in your modules to create links. By passing text to this function, all the sanitizing functions are applied to the text in the proper order.
- drupal_get_token. A function for generating a unique token, useful for checking that a user really intended to do something. You could pass this token along in the url or a hidden input.
Finally, Greg recommended the following read: Safe String Theory
Aphorisms of API Design: Larry Garfield
Larry talked about how to develop API patterns. He made several good points:
- fail fast, fail save
- play by your own rules
- UI is not an API; the UI is a user of the API
- generic APIs make better UIs
- put off decisions as much as possible, because by the time you are forced to make a decision you will have more info to go by
Views for Hackers: Karim Ratib
This was a very technical lecture about the guts of the Views module. I found it very useful, as Karim mapped all the UI aspects of views to the SQL the module generates, and the class hierarchy of the
$view object. Karim also ran through how to write plugins for views, which has always been a mystery to me, mostly because I never took the time to figure it out. Even though it was a bit dry, I found the session to be very meaty.