PNW Drupal Summit, Day 1

I’m making it a weekend up here, rather than trying to go home and then come back again — staying with Kat, which is always fun — last night we went to a fab Mediterranean restaurant (Petra?) and then stayed up late talking, while her cats sniffed around my backpack, shoes, etc.

Today came up bright & clear; I’m wishing I’d stuck my sunglasses in my bag, rather than rainhat & gloves! Also wishing I had a bike that I could take on the bus, since neither the X nor the Townie will load on the front racks. ๐Ÿ™ Someday I want to get a folding bike to take on trips, because wow! standing at the bus stop, looking down Dexter, kept thinking, mmmm, that looks like a seriously fun straightaway. But I guess I can manage a couple of days of being a bus commuter again, even if the weather is good. (Tomorrow apparently is supposed to be not so much. We’ll see.)

Alas, C managed to catch a cold right before I left, and I had to leave him laying in bed looking morose & stuffed up. We both just got over colds, too, the first cold I’ve had in years, which laid me flat for the weekend of his birthday a couple of weeks back. I did make sure he wasn’t feverish before I left, so it shouldn’t be flu, just another head cold, or I wouldn’t be here…and I’m feeling pretty decent, just a tiny bit of post-nasal/sinus ick. And I’m being obsessive about drinking lots of water, using hand sanitizer, etc.

Drupal 7, ksensee

presentation is actually channeling webchick. ๐Ÿ™‚

most people have no idea what’s in D7.

D7 user experience project, bring in actual usability experts w/no D experience. don’t want to be WP, but want that “ooooh, it’s shiny!” feeling, but with the actual “good code” of drupal.

New IA, gonna hate at first, but get used to it — contexts: what are you working with. Shows 4.x IA, then 5/7 with colors showing what kinds of things are where. Content, Appearance, People, Structure, Config, Reports.
New toolbar & shortcut modules, new ia along top, NOT dropdown, a lot of people will still want Admin Menu, but this is good for content creators. Shortcuts are customized for types of users. Yaaaaaay! And editable, plus add a shortcut button.

New admin theme, have settled the debate: it’s called Seven. Dashboard with admin blocks — but no actual blocks. If you write modules: add admin block. (I don’t think my KB search module needs an admin block.)
Overlays, admin stuff opens in overlay iframe, thickbox kinda thing. “Not in your admin section tempted to do something else” — looks like overlays are for shortcuts. “needs yr help”

Edit in place — needs help w/icons. (doesn’t the Zen theme do that? can’t remember. find it distracting, honestly.)

Univ of Baltimore, usability testing, working with “smart people” “who could’ve been in this room if they’d picked drupal” but who found it WAY too hard to use. “Sort of like COBOL.” (I always compare to swiss-army-chainsaw ala the old perl saying.)

More subtle announcements.

Verticle tabs for all that extra editing stuff.

Descriptions of permissions! Huzzah!

Install profiles. Minimal takes away a bunch of stuff.

New minimum requirements: php5.2, MySQL 5

Timezones and DST — uses PHP built-in handling.

Users can cancel own accounts….took EIGHT YEARS to get in.

Internationalization…nobody here’s done it.

Imagefield/imagecache in core. Looks way nicer.

Security: bunch of stuff on slide

Lots of stuff for #smallcore, removes a bunch of stuff

And then for #largecore, oh hey, admin role! Just tested that last week. In core, as is Poormanscron.

CCK OMG! ๐Ÿ™‚ Calling it “Fields” — bunch of basic types, taxonomy is now field vs modules. Fields for users, and comments.

Update manager, altho I’d never use it at work.

Skipping all the themeing/design stuff, thing tomorrow. Taking away all the ugly-ass core themes. Many page elements are now blocks/regions. Content region is a “real region” ? Revamped template files. Stark: core markup “doesn’t suck anymore” JS improvements.

Silly Darth Vader graphic: testing. (I’ve never used automated testing. Someday this will all make sense to me. Looks cool, tho.)

Database: new layer, session this aft. Uses PDO, all kinds of fancy DB stuff. Lots of module-related stuff. (Actually I might need to go tweak my KB Search module.)

Fields: anything can be “fieldable” theoretically could store field info someplace other than SQL. Oh, that would potentially create a solution to the pulling rates from MortgageBot thing, which I had to hack into a theme file, so help me god.

Bundle = node type or user info. Instance of field on each bundle.

Field (storage in DB) -> Widget (add/edit presentation) -> Formatter (display presentation)

Files API stuff going whoosh! right over my head. (Oh, flickr module, as a total aside, shd go track that down)

Performance: it’s still a little slow. Registry is supposed to make it faster, like poor man’s opcodecache (sp?!), but it sucked in practice, hard to use, whitescreen on deleting function! couldn’t move a module, etc. Ow. Now have class registry that actually works. Register all files in .info in module.

Return a bunch of nodes etc in one DB call.

Bunch more stuff that isn’t done yet that needs help. Still slow. Big push in next few months is performance.
New hooks. Yeah, that gets into stuff I don’t do…yet. $page object. That looks as tho it could be useful. Like node? (Is it an object or an array?)

hook_page_alter — can do INSANE stuff “screw you, hippie. the page is what I say it is.” explaining use case with content in iframe, removing toolbars, etc.

Bunch more APIs. “If you don’t know what I’m talking about, it’s all good.”

Node access issues. don’t have to grant administer nodes to allow people to see nodes that others can’t!
Install profiles — in D6 way too much work. Now if you can write a module, you can create an install profile. Can specify dependencies in re: specific versions.

Whew. That was a whirlwind tour.

When will it be available? When D7 is released, D5 gets retired: always only 2 versions live.

Code thaw: fix things that have always annoyed you. Add features. Integrate useful contrib modules. “World domination!”

Code freeze: just fixing bugs. Alpha -> Beta -> RC

Step 5 =GOTO Step 1

I has a sad. waiting for modules to be ported. ๐Ÿ™

Sept 1 was supposed to be code freeze, but 10 exceptions, actual freeze was 10/15 — inbetween was called “code slush” — polish phase ends 11/15, UI cleanups, accessibility, performance, then “when it’s ready”: bug fixes & stabilization. when # of critical issues is 0. Audience Q: who decides what’s critical? Community. Anyone w/ account can change status of issues.

Do NOT start building sites on D7. But DO start converting modules! #d7cx – on release date, yr module will be updated.

Core maintainers. webchick’s note: SLACKERS. who writes code? anyone! 500 people have submitted code. you can help!

The work that gets done is the work that people do. (Sounds a lot like ENA.) Big list of how you can help. Critical = breaks your site. If it just sucks, it ain’t critical. (Hm, documentation?)

Q: form api? not a whole lot of changes. Q: anticipation of upgrading – seamless upgrades of sites? “upgrading between major version has always been worst thing about drupal, not anticipating any changes” at the moment, infinite loop if you try to upgrade! Q: is there an upgrade path from CCK to D7? CCK should (will?) be providing module for upgrading. Q: views? Underlying stuff is done for D7, she’s confident it’s going to happen quickly. Audience member adds that there’s more than one person working on it.
Slides are on webchick’s site.

Ubercart, Gregory Heller

With special guest via Skype: Ryan Szrama

“Ubercore” project has just emerged, Ryan is the lead on Ubercart, in Kentucky (?).

Just got stable release for D6. (jesus christ on a crutch. srsly?)

Since this new project JUST got announced. Hasn’t been ideal – end of 2.0 lifecycle, looked at what’s hindering: took 16 months to get port from D5 to D6: feature creep, sluggishness of some (other?) modules, not able to take in patches effectively. Rethink how they implement features in D7. Boiling down Ubercart into Ubercore (non-negotiable) and essential non-core, Ubercart as installation profile with Ubercore and other essentials. Try to get more contributors, clearer standards & roadmap. Got a project manager in SF. (Sounds like they’ve been really flying by the seat of their pants.) Have been ambiguous. has his posts. Has been difficult to use for non-tangible goods, because of the origins of UC. Fields in core of UC, no reason product needs to be a node. (Kinda confused) Root field entity: product. Then add attributes to it. “Hard to explain on Skype in 30 seconds” So all the neato stuff is going to be in D7. ‘kay. Not forking Drupal, just creating low-level install profile.

Qs from Greg: for current users w/pain point experiences, what’s best way to contribute w/out traveling to a physical scrum event? to spec out what they have now, and let people come in and say what works, what doesn’t, etc. Then a bunch of blah blah blah. Sprint planning meetings. #d7uc on IRC. Wants to get ideas for how people want to give feedback. Greg notes that user stories has been helpful in his business, suggests that for guiding UC development.

Q: 1/3 of room already using, another 1/4 planning soon. Jump in the water now or wait for D7? He’s continuing to do D6+UC2. By March 31 have ubercore 1.0 with installation profile. Still talking about whether to straightforward port ubercart to D7. Upgrade path? Painful? Fully intend to have paths. (missed something help plug in an extension cord.) “I hope it’s not going to be a pain, because I’m going to be do it” Backporting patches? Sounds like some stuff, maybe, but maybe not.

Audience Q: ecommerce big & sprawling messy but works; Ubercart seems to planned to work together, and now Ubercore. Have you talked to ecommerce people, either — oh, Amy the project mgr is here — wants to, reached out but haven’t heard back.

Audience Q: handling intangibles — specifics you can talk to? Have no idea WTF project lead is talking about, really? Not a great communicator, IMHO.

This session not really helping me a lot so far. ๐Ÿ™ (just went to ubercart site: UC2 for D6 was released on 10/21…is that lst Tuesday? and hey, conflict with Date module! Srsly? Then again, ecommerce module is only at an RC for D6.)

Audience Q: if it’s a total rearchitect, can u still backport, etc.? Only what they can, usability is the thing he keeps mentioning.

Audience Q: was about to start on new project: should I tell my client to wait until next spring? 6 months out. (that’s not end of March, according to my calcs; that’s mid/end-April.) he’d say go for it.

Audience Q: what about migrations of UC-related modules that his firm has written? what’s the main goal of new API integration? Consistency, actually adding some API stuff where there isn’t any now.
[I’m really hungry now. How can I be first in line for lunch?!]

Drupal Development Security Essentials

Initial slide image features Sean Connery in Zardoz (awesome awful movie!) in freaky red underwear/suspenders & thigh-high boots

Mentions Cracking Drupal book — I have sample chapters of that in my bag. Primary audience is for people who want to submit contrib modules. “not a guru””if I’d gotten these basics I wouldn’t have gotten in trouble”
Big herking list of Drupal Security team, who review modules.

How many have been hacked? I had a site hacked IIRC ages ago, although I think that was a problem on the server end.

Lost time/money; lawsuits; embarrassing (he just mixed up Connery w/Burt Reynolds? WTF?!) and users are slow to upgrade. (not us!) — applying for CVS account includes getting some of your module’s code scanned.

[wow this wifi is dead frigging slow. am writing in textedit instead.]

setting up a free development environment –, acquia application (no, I think he just doesn’t know how to spell). missed last item.

golden rule of drupal security – one thing: lots of audience suggestions, his rule: Use the APIs. if you find yourself coding directly in PHP, you’re probably missing some drupal security. takes a while to learn, but nearly all security-related functions have awesome side benefits.

quick definition of common attaxss (is that a pun?) – yes, that is a deliberate pun. XSS – malicious input of JS. Basic drupal filters! (If he wanted to be more useful in that definition, a gnarly example would be fun.) SQL injection. little bobby tables! DOS (denial of service) – ways to reduce load to make this harder. CSRF (cross site request forgeries) – his explanation is confusing.

functions: string filtering – links – access control – database – data passing.

t() (of course: Mr T.) protects against XSS. filter malicious leave delicious. ๐Ÿ™‚ string overrides module? variable replacement options, for stuff that shouldn’t be translated — like paths…would make a better example than the one he’s using. can also use to format plural strings. can use with jQuery? wrap t() around entire sentences. avoid escaping quotation marks. vague warning about variables & t(). are the <p>’s part of structure or part of the content? pass with t() if part of content.

check_plain() – just converts directly to plain text.

check_markup() – apply filters to content. can also embed blocks, views, images, etc. (is that how insert view/insert block filters work? I love those!) return value is text run thru all the filters.

filter_xss_admin() – can trust user input, lets thru all html except styles & scripts, basic basic filtering. works like check_plain(). also filter_xss() – filters more stuff.

[mmmm, someone brought in their pizza plate.]

content sanitizing when you create links: l() & URL() – filters out html, also insures that URL is pointing to the right place. audience note – can pass node reference and get actual url!

user_access – (1) use hook_perm – return array of permissions; (2) then check with user_access when stuff gets access.

[this reminds me a bit of a JS session I went to at SXSW. smart guy, but a bit too abstract]

granularity in user_access. just because u specify permissions, doesn’t mean they actually get used…unless you use user_access. and be cautious about using permissions from other modules. (I wonder if this is the thing that that makes the permissions screen so ENTIRELY FUCKING INSANE.)

db_query() – this I’ve used! filters out inaccurate/malicious stuff out of queries. allegedly makes queries cross-DB compatible, altho not so much in D6 (yay for D7!) – brackets around table names, to make sure that it works w/prefix. filter data with placeholders %s for string, %d for integers/numbers, %% for LIKE query (wildcards) — there’s usually a drupal equiv (again w/bad spelling!) to most mysql functions.

db_query_range() limits number of items returned, for big DBs can be a huge load on server.

question about whether it’s necessary when not dealing with user input? comment from audience that might be important for upgrade to D7. coder module? for flagging instances which should use db_query. “deadwood” module?

drupal_get_token() – verifies source of request – get v. post. 1) set token. happens with every form that uses Form API. 2) then verify, is token passed the same one that was created. code is really simple! uses MD5, session_id. huh. along with private key for your site. that makes a lot of sense. also works for AJAX stuff: hidden input with token, pass value in AJAX call, then check again server-side.

also to be aware of: forms API (I think he mentioned that before), forms are biggest source of malicious attacks. set permissions properly as an admin (oy, this is a PITA). don’t use User One! “up here as a reminder for me” I’ve set up a whole system for that on the work site. audience comment: if you use drush, don’t even need to use user one. (debate afterwards on correct pronounciation!) SSL certs not a cure-all, esp if not all site is SSL.

Mapping, GIS & Drupal

modules: location, location cck, geo – uses spacial database extensions!, openlayers (sorta, half-implementation)

[lost tweet: #pnwds making a total mess with pink frosted donut. yes, while wearing a black dress. ::sigh:: really can’t take me anywhere.]

for displaying: gmap, nicemap – does points pretty well, openlayers

Openlayers is going to be his focus: uses open layers js library.

[no net connection at all?!]

Geocoding, spacial tables, desktop GIS

jumping to a demo.

location is fading out of use, to replaced by location cck. (I think I had troubles with that latter.)

a view showing two polygon nodes on the same map – union bay & lake union, outlined and overlaid with shading. neat.

editing tool. polygon is a cck field. cck setting determines how many polygons per node. geo is also a cck field.

based on presets, packaged map that you define: what layers are available, beginning lat/lon & zoom. showing preset creation. includes projections, like polar, mercator, etc. whoa. gmap uses meters from 0/0, not lat/lon! can’t match. interesting options of layers, based on which projection selected.ร‚ย  satellite imagery from nasa!

WMS: feeds of maps, published by map creators, incl NASA. ๐Ÿ™‚ Q from audience: ESRI feeds? ESRI products can be published as WMS.

Then cck field can draw on top of this preset map. Two options for field types.

Stepping back… join across tables based on key, idea of spacial key: one table is polys, other is points, join where points are inside poly, etc. wkt = open standard for storing spacial data as strings. use geospatial if needing advanced stuff, openlayers wkt is more basic. (but more stable) [my own personal bike map site?!]

under the WYSIWYG map is field with coordinates.

can collect with one projection and then show with a different projection!

showing some view options “well known text” = description aka WKT, not street addresses or anything. – it would be nice to have a meaningful sample here.

Q: translate from lat/lon to WKT? Yes. (At least I think that’s what I heard him say.)

some interesting options for interactivity on maps — defined as hooks. (is this how to FINALLY get the list/popup branch list working?) declutter includes the word “automagically” in its description. has nice zoom/autocenter to features. feature styles “for advanced users only” no kidding. that looks super-mega-complicated.

[seriously, this is way cool, could be exceptionally awesome for members-only section of ENA site. which reminds me, I need to see about a BOF for civicrm – tomorrow maybe?]

Q: what runs the map? the openlayers javascript library. Q: leverage geodatabase in views? buffer, show other nodes, etc? that’s the long-term vision, but not there now. lets you store stuff, and then you have to write your own queries to display. Q: can consume KML? yes, for security, JS can only load from same domain. have to write proxy to get external KML. Q: nearby a certain point? can’t do w/WKT – unless write yr own PHP – eventual geo module & views interation. postgres (postgis) is better implementation, mysql implementation is more common, tho. and there’s yet another module that sorta kinda implements this stuff (mapping kit?), maybe too ambitious.

Q: use case: social networking site, organic groups, many actually location-based, rolled out proximity searching w/location, want to introduce neighborhoods instead of zip-based. any way to use this stuff? he thinks so… follow-up: any connection between location/location cck & geo/openlayers? is it inside this polygon? currently need to do custom coding to make that happen? can use location cck data in openlayers views. point data sources, identify fields. they want to go there, but not there yet. (bummer)

I missed a question — a partner in openlayers module, but have rolled their own.

Q: is openlayers going to go in the same direction as geo re:storage? geo is storage-oriented, openlayers is display-oriented.

Missed something else. (speak up, people!)

Somebody asked my question about list + popup. Nobody can make that happen. ๐Ÿ™ But JS library is still there and can make use of it. Something he said fired my brain about doing the view and making it link to fire the JS vs an actual link. Ugh. can’t quite get that working in my head.

Showing some code, didn’t quite work – ah, there it goes. PHP snippet loads map. Can also use Devel module for debugging, render array to screen.

OSM Cycling Map?! (is there any mapping service that provides map via SSL?)

seen a couple of Eees, and talked to a woman who absolutely loves hers. so totally going to do that.

Interesting demo of how the stuff is stored in a JS object.

Q: cross-browser? A few bugs in IE, otherwise good.ร‚ย Q: documentation on Shape files? import as nodes or table wizard route. as nodes, have to convert geometry to WTK. geo module can handle shape files directly into the db. (that makes my brain hurt. also makes me wish that city/state used open source for web.) quantum gis?ร‚ย Q: what types of bugs might one see in Geo? don’t know, but it’s still in dev…somethings with views, not complete implementation. open bugs listed.

BOF: Open Atrium/Managing News

wifi still down.

Installation. New look sites looks ENTIRELY DIFFERENT from new drupal site.

Groups…main content of the site. At the moment you have to create the users yourself. (LDAP/Active Directory/whatever integration?)

Features module, packaged up (groups of modules?) “shoutbox” is like internal twitter.
Every group can have different color & logo.

People can belong to multiple groups? [yes]

Entirely different administration screen, uses Admin module design, etc.

Project vs Cases? So this is a footprints-type thing. with notifications: what does it look like when you have 400 users? Only can notify people in the group. Hrm. Reply by email becomes comment. Yes, very much like footprints…only NOT UGLY. [strange digression from Gregory about evolution, comparing ancient primate to “two unrelated modules developing at the same time.” heh]

Calendar: how does it integrate w/content types? (my question: does it integrate at all w/outlook?)

Accept contrib modules? Yes, you can add your own – using Features? Some open atrium-specific things you need to do, but not too hard.

Can use LDAP/AD.

Asked about home page: a custom dashboard, with activity from your public groups. I don’t know if it’s too simple or too complicated.

“strongarm” steals lots of settings.

ease of theming beyond the built-in? wouldn’t do it. can hijack icons, atrium logo, but wouldn’t go beyond that, esp not until it’s a stable release.

turning over in my mind how feasible this would be. it’s prettier, but almost too much simpler?

managing news – feed aggregator with crazy features. oh, hey, I think this is EXACTLY what C has talked about before. what would you feed in? – OlyBlog, Everyday Olympia, NA sites, Olympian, TNT. YET ANOTHER REASON WHY I WANT THE CITY TO PUBLISH RSS. (is there a way to screen-scrape to RSS?) uses openlayers. oh hey there it is again. ๐Ÿ™‚ Import locations: identify places as being w/in n’hoods? apparently so. feed with place names! also uses features. install shoutbox from open atrium into managing news? ๐Ÿ™‚

Features, Robin

really pretty stuff development seed has been doing – has been wondering is it really as easy as it looked in the videos? if you want to use features, you also want contexts.ร‚ย repeatable & reusable, could put together as a product for clients. fserver is alpha, not yet on drupal.orgร‚ย why context? block configuration, active menu items, don’t have to repeat configuration.

off to the sandbox! Profiles, using Content Profile with file field, image cache.

use Context in lieu of the crazy shit I have going on with OG, Simple Access, Themekey, etc., etc.?! missed a bunch about context getting all excited about new project idea. ๐Ÿ™‚ seriously? I want to go find a spot where the wifi WORKS and try to do this project.

“i’m going to say that that is a cache issue.” ๐Ÿ™‚

create the bundle online, download, then install to modules folder.ร‚ย what IS the feature file? looks like module files, but doesn’t show up in admin/build/modules. php code with arrays/functions. export of a view, etc.

I think I’m sorta kinda getting it, although at this point I’m not sure I have need for it. Nice to know about context, tho. going to give this session 5-10 more mins, see if there’s anything else that’s going to be useful before I just take off.

create features on sandbox site, and then install onto production site. Aha! there’s a use I can get behind. is that going to be part of deployment session tomorrow?

install via features, not modules.

it’s waaaaaaay too late in the afternoon for all this naming silliness.