PNW Drupal Summit, final thoughts

What didn’t show up in my notes, but was in my Twitter feed, is that C’s cold was, in fact, almost certainly the flu. Saturday he got a fever that left him delirious, but thankfully broke that night. Sunday he was doing better, but I still left a couple of hours early, since I had a long bus ride home. Honestly, I’m glad I got home at 7pm instead of 9pm. I’d be (even more of) a complete mess today getting home that late. I’m feeling torn about having been gone while he was sick. It would’ve been good to be around in case something really awful had happened, but I’m not sure how helpful I would’ve actually been, since mostly he just needed sleep and fluids. Plus the Drupal Summit was incredibly interesting and useful.

One thing I tried out that wasn’t actually covered in the sessions – MAMP. I kept seeing presenters using local installations for demonstrations, and so I finally looked up the MAMP project. And it rocks! Sunday morning I set up Managing News on the laptop, and on the bus ride home I fiddled around with some ideas for an ENA project. (I think I need to switch from CiviCRM 2.x to 3.x.) Super-easy.

Drupal 7 is looking quite interesting, lots of smart ideas coming out with the new release. Maybe I’m being overly optimistic, but it even looks like more modules will be ready than were available at the beginning of D6. I spent a long time waiting for modules to come out before we could do Drupal for work.

I think I have a bunch of work to do reworking some panels implementations, but I’m okay with that. I’m also looking at exploring some new-to-me modules (features, context, deploy, admin, flickr, drush) and getting better acquainted with CTools.

The venue was quite nice, even if the wifi was totally busted. Food was good, although I wish there’d been hot water for tea; omnomnom donuts! The name tags were especially clever, with a space for “also known as”, which turns out quite useful in a community where lots of people have better known usernames than real names.

Of course, the people were fantastic — all the great volunteers setting up and getting things moving! Plus I met some fun interesting people. (Ashley & Syne were great to hang out with over by the power outlets.) Really, Drupal people are fabulous: friendly, curious, and helpful. I just wish Seattle wasn’t so damn far away. Somebody suggested that I organize a Drupal user’s group or a DrupalCamp in Olympia…oh, if only I had time and energy!

PNW Drupal Summit, Day 2

Theming, with John Albin Wilkins (johnalbin) from Taiwan

[still no wifi! altho at some point in here I figured out how to connect via a router from the lovely CivicActions folks.]

fun chitchat in the fiber-scifi-geek gal corner. 🙂

D6 core themes: 75% themes that suck; 25% Garland – gave people a bad 1st impression
D7: Garland, Stark, Seven

Stark: nothing in it. .info, layout.css, no .tpl.php! still not done with redoing HTML markup in core. Stark allows you to see basic markup.

Seven: Mark Boulton’s admin theme, usability testing showed people when editing because they couldn’t sense the difference between content mode & editing mode. Is default for admin.

Missing piece in the pie chart…might still get some more themes into core. (paint? zen? – my musings, not what he said.)

Showing a default brand new D7 site. “Appearance” link. He added a “pacific” theme for this presentation.

Don’t have to go to separate page to set admin theme!!!!!

Primary & secondary menus renamed: main & secondary.

Looking at page.tpl.php – $main_menu & $secondary_menu – a bunch of variable renaming to make things easier to grasp. sidebar_first and sidebar_second – renamed from “left” and “right” because of RTL language issues. (and I can see where you might do a site with two sidebars both on a single “side”) shows amnesty international site, switches between English & Arabic (also french & spanish), flips the entire design. (a little dance while we’re waiting!) which makes “sidebar_right” a WTF for RTL language developers! first and second is more natural.

template.php – can’t shoot yrself in the foot. “phptemplate”? (missed a bit while switching my phone 2 vibrate)

switches to pacific theme – something about classes – a bit confused about what this change means. is using devel & template function to spit out all page info. classes_array. makes it easier to add stuff to body classes. screwiness with what’s actually showing up in the array. “what happens when you do a live presentation” shows classes being set for the particular block, again, in an array. classes_array[0] = ‘block’ etc. preprocess function, also now process functions, get run after preprocess functions. can turn array created in preprocess into string that can be printed in tpl file. “let me go clear the cache” all caches vs just theme registry? “let’s pretend that worked” o.O?

hated $submitted in D6 – string that had user’s name and date, smushed stuff inside one variable. node.tpl – $name variable, $date variable. Oh, I think I get that now. Also fixed in comments.tpl.

$contextual links – yes, it is like in the Zen D6 block editing thing – but in D7 is extended to lots of things. Can go directly to the admin for menus, for example. (yay!) (how would that look on a dropdown/suckerfish menu? create style specifically for contextual link?)

more page.tpl – mission statement completely removed both from site info and as a variable. same thing with search box variable. D6 theme had search template & checkbox in settings, but wd be greyed out if you didn’t have search enabled, instead show automatically based on template files. (help text is a block too!) I’m a hair confused, but I think that might make more sense once I get to play with it. (one of these days.) All themes need a help region.

$message (footer?) variable that was hard-coded, now custom block. (which I was doing already, I think.)
main page content. content is a region, main page content is a block. could put recent comments in the content region above the main page content, for example. (menu_block module?)

jquery ui (yay!) now included.

granular theming…render($page[‘content’]) in page.tpl instead of printing content region. means that — ah, missed it! arrays that we can modify, may take a while to figure out how to do it.

top & bottom of html no longer in page.tpl – now have html.tpl – easier to generate styles and scripts. (o look: RDFa in doctype.)

issue for allowing themes to alter page? a bit confused. may or may not happen. for little tweaks to forms. I sorta kinda understand, altho not entirely.

JS in D7

interfering with other libraries

wrap everything in:
(function($) {
  // …yr code…
})(jQuery);
otherwise get JS alert. NEED TO REMEMBER THIS.

drupal_add_js (actually, I’ve never used that, I don’t think) – changed a lot in D7, more parameters. also add external.

want latest jQuery, but isn’t in core! use hook_js_alter to swap out for latest.

rendering arrays, pass in attached property, this output needs this JS. so, ok, homepage has its own little thing w/slides, use attach to add just to that thing? not sure.

no standard way of adding jQuery plugins, etc. now can define a library – hook_library, so system_library includes $libraries[‘vertical-tabs’] – then need to call to actually use. can pass settings and dependencies as well. then use drupal_add_library in template functions.

AHAH forms – example? quicktabs module admin form, adding a new element to the form. holy moley, that’s a lot of code to put in the new form element, and first big chunk of code goes into ANY similar item. new code: 3 lines.

now a framework for ajax in D7. showing, all the form processing that was in and it just does work for you! series of php functions, sends JSON — handwave-y stuff.

examples module in D7, to show how to use new stuff. 🙂

was looking at documentation – noticed mention of using class & link, attach behavior. neat! but doesn’t actually work in core as-is. 🙁 shows her hacking. I think she just said that the link will go to a real thing if JS not avail. she added her own render_link function. has been submitted to/as RTBC?

stuff going kinda over my head. 🙂 JS and my brain are not exactly friends, adding in Drupal coding…yeah. I think eventually this will make things vastly easier, but not quite yet.

she actually asked if eyes are glazing over. in my case, yes, but not everybody.

yep, jQuery UI in core. only loads when needed. super-easy to get accordion. yay! now I can do super neato stuff with annual reports!

misc code changes, both in behaviors and in naming. and a function to make sure a behavior only gets attached once.

just seems like lots easier stuff.

materials will be online, but caveat that she’s using a patched version of core in re: that one function mentioned earlier. will include link to issues related.

Q: will this enable drag & drop, infinite scrolling stuff like other sites? a lot of that in jQuery UI. Q: will there be standard way to include/manage libraries? if 2 modules define same plugin, if they use the same version, will only get added once. 🙂 huge amount of discussion about that. Q: anything going to be rolled back into D6? some stuff has workarounds in D6.

Panels 3 (yes, this is the version I’m using)

would rather be sailing? srsly?

super-excited to be talking abt panels.

might be skipping some stuff he doesn’t quite yet grok. heh.

how much collision: always lots of ways of doing [x] in drupal. no kidding.

terminology. audience: “pane is a great name…they just spelled it wrong.”

logged in vs not logged in page. basically like Star City site.

audience advice to show the UI. yep.

can u have pane inside page w/out panel? no.

[warm in here. can haz AC?]

contexts w/features — also works w/panels? or is it using the same word for different modules. can’t quite grasp how context is different from relationship. info about how data elements are connected.

ashley asking for more info…context only knows about UI? another audience talking abt panels 2, use case: news section for nonprofit site, each article had taxonomy, full page view, block with “other new jersey news” not easy to do. panels & context, grab the taxonomy from the main node, then make available in another pane in that panel and use as a filter.

NO, this is NOT the same as the module context! panes know about other panes. many contexts at once in panels. (great audience input on this session!) you can write a module that creates its own context.

panel node: [what was I going to write here, anyway? probly something about exposing panels to search.]

creating context automatically = a relationship? am very very very confused. Jen just explained, and I was unfortunately looking at something else. context can take info from URL and pass in, if you need to define explicit connection between info in the panel, that becomes a relationship. (I’m wondering if there’s some significant changes in terms from P2 to P3.)

some settings warnings.

selector rules, including custom PHP. o rly? put most specific first, general later, if nothing matches, have default. different stuff at the same URL.

don’t use flexible — bogs down. good for wireframing. hrm. check out the template files, can define custom layout in custom module? panels3 has way more terminology for layouts. what’s the benefit of having made it so much more complicated? making regions more general to get away from table-concept layout. “because it was written by a developer” heh.

hm, use “variants” for panels? instead of how I actually did it. should make the layout much easier, plus remembering what should and should not be visible.

oh, can turn off Drupal blocks with a checkbox. wow, making me feel dumb.

the layout designer. lots of discussion about how stuff works.

panels or blocks? a dashboard in a panel, rest of the site uses blocks. performance hit issues? block visibility setting in theme setting? can be done, can be PITA.

“thank you for this interactive presentation” [that’s one of my favorite things about this session, lots of audience expertise/experience.]

“just the code that was importing the variants was completely wrong”

caching…which would be good for some of those relatively static bits. override settings in the node itself, etc. don’t forget that you set something in panels!

blocks show up in miscellaneous.

whew, there’s a lot going on with this!

Staging & Deployment – Greg D (heyrocker)

deployment is well understood in traditional software (website?) deployment

Drupal puts lots in the DB that you might not normally put there. Contemplate module (evil! but I like it. 🙁 ) and PHP in blocks or content (do that a lot too) – and stuff moves both ways. testing data over here – comments over there. can’t push anything either direction! “to launch a huge bunch of changes…and you’re screwed.” I remember him first talking about this at a Seattle Times related event. not a lot of tools. 🙁 I think it’s not just “large development shops” but people who don’t fly by the seat of their pants. Normally I wouldn’t care about just doing stuff to a site, but doesn’t work w/work site.

content and configuration have very different issues. “going to assume that everybody’s pretty nerdy” node ids not matching (primary keys), pieces of data that didn’t have any APIs. no “role_load” etc. Config has no standards for how to set from module to another or for exportability. Plus all that other stuff. Exporting blocks from dev to live. (Yep. I’ve been just recreating stuff from scratch each time, like recent addition of [????! oh, yeah, – created just last week IIRC]

nice simpsons quote – cause of and solution to all life’s problems

hook_form_alter – in a module, inject terms of service into registration form, for example. oh, that’s what that’s about. 80% that drupal works is because of hook_form_alter. but…makes exporting INSANE. when node goes out, no way to make sure the module stuff comes with the node or form.

nice graphic of picard & riker.

options that suck: develop on production (this is what I meant by “seat of pants”); repeat by hand (hey, that’s what I’ve done!).

move db stuff into code. okaaaaaay. (what does that mean, exactly?)

find import/export mechanism, write update hook.

devel macro module – d5. records things that you do, saves into a file, puts into an update hook, run execute. (ok, lost something there) but doesn’t quite work in D6.

views/panels/cck export & import mechanisms.


programmatic cck, managing views in code, a lullabot article.

if I make 15 views, have to remember to export, and make sure client doesn’t change anything. gah.
“this thing kinda makes me sick” – reserved key ids, auto-inc ids on dev at 1, on live at 1001, module to move over, and supposedly get clear set of IDs. “this is bad” and yet I find it weird & fascinating. odd and even IDs?! wtf.

database scripts module automates that process, worth looking at, keep DB dumps in version control. huh. I’ve never used version control for anything, and probably should try it. :\ not always db-portable, not community-oriented solutions.

5 species develop at the same time. (2nd time I’ve heard that analogy.)

Exportables – concept more than thing. part of CTools. talk abt bringing into core for D8. you have to write yr own import stuff. kind of a hook thing for modules, etc. “in 3 years we may have something that really works well”

Features – development seed thing. refers to Robin’s talk. ack. that kinda sorta went over my head. built on the exportables concept. curious. context and “spaces” — that last new to me.

Deploy – that he wrote. For pushing content around – foreign affairs magazine, write content on editorial server and push to live server: unwilling to accept usual drupal way. group pieces to go live together. I like that. (for promos!!!!) Services module – core API. “deployment plan” way to group together stuff to the live site. modules then integrate. Uses services to receive & manage deployed data. Implements UUIDs to alleviate primary key issues. if you add a node & choose to deploy, will also pull along nodes referenced, taxonomies, etc. Oh, like Dreamweaver FTP publish dependencies. (which I always turn off in DW, but might be useful here.)

example: content about drupal books. deploy has stuff, live is blank. “add to deployment plan” XMLRPC? works for anything in drupal that uses [setting forms?]. doesn’t work with blocks? for content type, uses cck copy, can’t push updates to existing fields. OMG. that would’ve made that foreclosed homes page EVEN EASIER to set up. pushing live. needs to be logged in with a user on the remote server that has sufficient permissions, ATM need to enter pwd every time, which is honestly ok by me. 6 things in plan, but pushing 32 items, and in an order where nothing breaks. doesn’t push permissions or roles, but does push users. “nothing up my sleeves” duuuuude.

and can deploy nodes immediately after editing on dev. some sort of counting error, tho.

image: services module has files service, works with all binary types, and works with drupal security.

directionally agnostic – q of whether can push back to dev. yep. actually got automated pulling content back into dev for foreign relations, altho couldn’t release as part of contrib module.

no rollback, that’s where to go from there.

if not using pathauto, there will be issues.

Issues: revisioning, rollback, mysqldump before pushing. can’t do unattended deployments. gaps: upload.module, translations, block, permissions.

no magic bullets – investigate, ask questions, know yr needs, PLAN. sounds a lot like my work doing import/export on the initial setup. missed what group is talking abt that stuff. [change mgmt group] lot of activity around this area, likely to be a focus for D8. bring up use cases, do testing.

how does update.php factor in? not w/Deploy, doesn’t use it at all, not pushing changes to code. update.php is mostly for code.

I’m really glad I stuck around for this one, actually. I’ve got some (admittedly vague) idea of how to handle future updates, especially in adding new features. might try it out for top-secret project I want to pull together this week.

PNW Drupal Summit, Day 1

I’m making it a weekend up here, rather than trying to go home and then come back again — staying with Kat, which is always fun — last night we went to a fab Mediterranean restaurant (Petra?) and then stayed up late talking, while her cats sniffed around my backpack, shoes, etc.

Today came up bright & clear; I’m wishing I’d stuck my sunglasses in my bag, rather than rainhat & gloves! Also wishing I had a bike that I could take on the bus, since neither the X nor the Townie will load on the front racks. 🙁 Someday I want to get a folding bike to take on trips, because wow! standing at the bus stop, looking down Dexter, kept thinking, mmmm, that looks like a seriously fun straightaway. But I guess I can manage a couple of days of being a bus commuter again, even if the weather is good. (Tomorrow apparently is supposed to be not so much. We’ll see.)

Alas, C managed to catch a cold right before I left, and I had to leave him laying in bed looking morose & stuffed up. We both just got over colds, too, the first cold I’ve had in years, which laid me flat for the weekend of his birthday a couple of weeks back. I did make sure he wasn’t feverish before I left, so it shouldn’t be flu, just another head cold, or I wouldn’t be here…and I’m feeling pretty decent, just a tiny bit of post-nasal/sinus ick. And I’m being obsessive about drinking lots of water, using hand sanitizer, etc.

Drupal 7, ksensee

presentation is actually channeling webchick. 🙂

most people have no idea what’s in D7.

D7 user experience project, bring in actual usability experts w/no D experience. don’t want to be WP, but want that “ooooh, it’s shiny!” feeling, but with the actual “good code” of drupal.

New IA, gonna hate at first, but get used to it — contexts: what are you working with. Shows 4.x IA, then 5/7 with colors showing what kinds of things are where. Content, Appearance, People, Structure, Config, Reports.
New toolbar & shortcut modules, new ia along top, NOT dropdown, a lot of people will still want Admin Menu, but this is good for content creators. Shortcuts are customized for types of users. Yaaaaaay! And editable, plus add a shortcut button.

New admin theme, have settled the debate: it’s called Seven. Dashboard with admin blocks — but no actual blocks. If you write modules: add admin block. (I don’t think my KB search module needs an admin block.)
Overlays, admin stuff opens in overlay iframe, thickbox kinda thing. “Not in your admin section tempted to do something else” — looks like overlays are for shortcuts. “needs yr help”

Edit in place — needs help w/icons. (doesn’t the Zen theme do that? can’t remember. find it distracting, honestly.)

Univ of Baltimore, usability testing, working with “smart people” “who could’ve been in this room if they’d picked drupal” but who found it WAY too hard to use. “Sort of like COBOL.” (I always compare to swiss-army-chainsaw ala the old perl saying.)

More subtle announcements.

Vertical tabs for all that extra editing stuff.

Descriptions of permissions! Huzzah!

Install profiles. Minimal takes away a bunch of stuff.

New minimum requirements: php5.2, MySQL 5

Timezones and DST — uses PHP built-in handling.

Users can cancel own accounts….took EIGHT YEARS to get in.

Internationalization…nobody here’s done it.

Imagefield/imagecache in core. Looks way nicer.

Security: bunch of stuff on slide

Lots of stuff for #smallcore, removes a bunch of stuff

And then for #largecore, oh hey, admin role! Just tested that last week. In core, as is Poormanscron.

CCK OMG! 🙂 Calling it “Fields” — bunch of basic types, taxonomy is now field vs modules. Fields for users, and comments.

Update manager, altho I’d never use it at work.

Skipping all the theming/design stuff, thing tomorrow. Taking away all the ugly-ass core themes. Many page elements are now blocks/regions. Content region is a “real region” ? Revamped template files. Stark: core markup “doesn’t suck anymore” JS improvements.

Silly Darth Vader graphic: testing. (I’ve never used automated testing. Someday this will all make sense to me. Looks cool, tho.)

Database: new layer, session this aft. Uses PDO, all kinds of fancy DB stuff. Lots of module-related stuff. (Actually I might need to go tweak my KB Search module.)

Fields: anything can be “fieldable” theoretically could store field info someplace other than SQL. Oh, that would potentially create a solution to the pulling rates from MortgageBot thing, which I had to hack into a theme file, so help me god.

Bundle = node type or user info. Instance of field on each bundle.

Field (storage in DB) -> Widget (add/edit presentation) -> Formatter (display presentation)

Files API stuff going whoosh! right over my head. (Oh, flickr module, as a total aside, shd go track that down)

Performance: it’s still a little slow. Registry is supposed to make it faster, like poor man’s opcodecache (sp?!), but it sucked in practice, hard to use, whitescreen on deleting function! couldn’t move a module, etc. Ow. Now have class registry that actually works. Register all files in .info in module.

Return a bunch of nodes etc in one DB call.

Bunch more stuff that isn’t done yet that needs help. Still slow. Big push in next few months is performance.
New hooks. Yeah, that gets into stuff I don’t do…yet. $page object. That looks as tho it could be useful. Like node? (Is it an object or an array?)

hook_page_alter — can do INSANE stuff “screw you, hippie. the page is what I say it is.” explaining use case with content in iframe, removing toolbars, etc.

Bunch more APIs. “If you don’t know what I’m talking about, it’s all good.”

Node access issues. don’t have to grant administer nodes to allow people to see nodes that others can’t!
Install profiles — in D6 way too much work. Now if you can write a module, you can create an install profile. Can specify dependencies in re: specific versions.

Whew. That was a whirlwind tour.

When will it be available? When D7 is released, D5 gets retired: always only 2 versions live.

Code thaw: fix things that have always annoyed you. Add features. Integrate useful contrib modules. “World domination!”

Code freeze: just fixing bugs. Alpha -> Beta -> RC

Step 5 =GOTO Step 1

I has a sad. waiting for modules to be ported. 🙁

Sept 1 was supposed to be code freeze, but 10 exceptions, actual freeze was 10/15 — inbetween was called “code slush” — polish phase ends 11/15, UI cleanups, accessibility, performance, then “when it’s ready”: bug fixes & stabilization. when # of critical issues is 0. Audience Q: who decides what’s critical? Community. Anyone w/ account can change status of issues.

Do NOT start building sites on D7. But DO start converting modules! #d7cx – on release date, yr module will be updated.

Core maintainers. webchick’s note: SLACKERS. who writes code? anyone! 500 people have submitted code. you can help!

The work that gets done is the work that people do. (Sounds a lot like ENA.) Big list of how you can help. Critical = breaks your site. If it just sucks, it ain’t critical. (Hm, documentation?)

Q: form api? not a whole lot of changes. Q: anticipation of upgrading – seamless upgrades of sites? “upgrading between major version has always been worst thing about drupal, not anticipating any changes” at the moment, infinite loop if you try to upgrade! Q: is there an upgrade path from CCK to D7? CCK should (will?) be providing module for upgrading. Q: views? Underlying stuff is done for D7, she’s confident it’s going to happen quickly. Audience member adds that there’s more than one person working on it.
Slides are on webchick’s site.

Ubercart, Gregory Heller

With special guest via Skype: Ryan Szrama

“Ubercore” project has just emerged, Ryan is the lead on Ubercart, in Kentucky (?).

Just got stable release for D6. (jesus christ on a crutch. srsly?)

Since this new project JUST got announced. Hasn’t been ideal – end of 2.0 lifecycle, looked at what’s hindering: took 16 months to get port from D5 to D6: feature creep, sluggishness of some (other?) modules, not able to take in patches effectively. Rethink how they implement features in D7. Boiling down Ubercart into Ubercore (non-negotiable) and essential non-core, Ubercart as installation profile with Ubercore and other essentials. Try to get more contributors, clearer standards & roadmap. Got a project manager in SF. (Sounds like they’ve been really flying by the seat of their pants.) Have been ambiguous. has his posts. Has been difficult to use for non-tangible goods, because of the origins of UC. Fields in core of UC, no reason product needs to be a node. (Kinda confused) Root field entity: product. Then add attributes to it. “Hard to explain on Skype in 30 seconds” So all the neato stuff is going to be in D7. ‘kay. Not forking Drupal, just creating low-level install profile.

Qs from Greg: for current users w/pain point experiences, what’s best way to contribute w/out traveling to a physical scrum event? to spec out what they have now, and let people come in and say what works, what doesn’t, etc. Then a bunch of blah blah blah. Sprint planning meetings. #d7uc on IRC. Wants to get ideas for how people want to give feedback. Greg notes that user stories has been helpful in his business, suggests that for guiding UC development.

Q: 1/3 of room already using, another 1/4 planning soon. Jump in the water now or wait for D7? He’s continuing to do D6+UC2. By March 31 have ubercore 1.0 with installation profile. Still talking about whether to straightforward port ubercart to D7. Upgrade path? Painful? Fully intend to have paths. (missed something helping plug in an extension cord.) “I hope it’s not going to be a pain, because I’m going to be do it” Backporting patches? Sounds like some stuff, maybe, but maybe not.

Audience Q: ecommerce big & sprawling messy but works; Ubercart seems to be planned to work together, and now Ubercore. Have you talked to ecommerce people, either — oh, Amy the project mgr is here — wants to, reached out but haven’t heard back.

Audience Q: handling intangibles — specifics you can talk to? Have no idea WTF project lead is talking about, really? Not a great communicator, IMHO.

This session not really helping me a lot so far. 🙁 (just went to ubercart site: UC2 for D6 was released on 10/21…is that last Tuesday? and hey, conflict with Date module! Srsly? Then again, ecommerce module is only at an RC for D6.)

Audience Q: if it’s a total rearchitect, can u still backport, etc.? Only what they can, usability is the thing he keeps mentioning.

Audience Q: was about to start on new project: should I tell my client to wait until next spring? 6 months out. (that’s not end of March, according to my calcs; that’s mid/end-April.) he’d say go for it.

Audience Q: what about migrations of UC-related modules that his firm has written? what’s the main goal of new API integration? Consistency, actually adding some API stuff where there isn’t any now.
[I’m really hungry now. How can I be first in line for lunch?!]

Drupal Development Security Essentials

Initial slide image features Sean Connery in Zardoz (awesome awful movie!) in freaky red underwear/suspenders & thigh-high boots

Mentions Cracking Drupal book — I have sample chapters of that in my bag. Primary audience is for people who want to submit contrib modules. “not a guru” “if I’d gotten these basics I wouldn’t have gotten in trouble”
Big herking list of Drupal Security team, who review modules.

How many have been hacked? I had a site hacked IIRC ages ago, although I think that was a problem on the server end.

Lost time/money; lawsuits; embarrassing (he just mixed up Connery w/Burt Reynolds? WTF?!) and users are slow to upgrade. (not us!) — applying for CVS account includes getting some of your module’s code scanned.

[wow this wifi is dead frigging slow. am writing in textedit instead.]

setting up a free development environment –, acquia application (no, I think he just doesn’t know how to spell). missed last item.

golden rule of drupal security – one thing: lots of audience suggestions, his rule: Use the APIs. if you find yourself coding directly in PHP, you’re probably missing some drupal security. takes a while to learn, but nearly all security-related functions have awesome side benefits.

quick definition of common attaxss (is that a pun?) – yes, that is a deliberate pun. XSS – malicious input of JS. Basic drupal filters! (If he wanted to be more useful in that definition, a gnarly example would be fun.) SQL injection. little bobby tables! DOS (denial of service) – ways to reduce load to make this harder. CSRF (cross site request forgeries) – his explanation is confusing.

functions: string filtering – links – access control – database – data passing.

t() (of course: Mr T.) protects against XSS. filter malicious leave delicious. 🙂 string overrides module? variable replacement options, for stuff that shouldn’t be translated — like paths…would make a better example than the one he’s using. can also use to format plural strings. can use with jQuery? wrap t() around entire sentences. avoid escaping quotation marks. vague warning about variables & t(). are the <p>’s part of structure or part of the content? pass with t() if part of content.

check_plain() – just converts directly to plain text.

check_markup() – apply filters to content. can also embed blocks, views, images, etc. (is that how insert view/insert block filters work? I love those!) return value is text run thru all the filters.

filter_xss_admin() – can trust user input, lets thru all html except styles & scripts, basic basic filtering. works like check_plain(). also filter_xss() – filters more stuff.

[mmmm, someone brought in their pizza plate.]

content sanitizing when you create links: l() & url() – filters out html, also ensures that URL is pointing to the right place. audience note – can pass node reference and get actual url!

user_access – (1) use hook_perm – return array of permissions; (2) then check with user_access when stuff gets access.

[this reminds me a bit of a JS session I went to at SXSW. smart guy, but a bit too abstract]

granularity in user_access. just because u specify permissions, doesn’t mean they actually get used…unless you use user_access. and be cautious about using permissions from other modules. (I wonder if this is the thing that makes the permissions screen so ENTIRELY FUCKING INSANE.)

db_query() – this I’ve used! filters out inaccurate/malicious stuff out of queries. allegedly makes queries cross-DB compatible, altho not so much in D6 (yay for D7!) – brackets around table names, to make sure that it works w/prefix. filter data with placeholders %s for string, %d for integers/numbers, %% for LIKE query (wildcards) — there’s usually a drupal equiv (again w/bad spelling!) to most mysql functions.

db_query_range() limits number of items returned, for big DBs can be a huge load on server.

question about whether it’s necessary when not dealing with user input? comment from audience that might be important for upgrade to D7. coder module? for flagging instances which should use db_query. “deadwood” module?
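An added example (not from the talk) of what placeholders buy you, using PDO with an in-memory SQLite database so it runs without a Drupal install; it does not call db_query(). The bound `?` parameters play the role of `%s` and `%d`, and all function names, table contents and input values are constructed.

```php
<?php
// Added illustration using PDO + in-memory SQLite; not Drupal's db_query().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER, name TEXT)');
$db->exec("INSERT INTO users (uid, name) VALUES (1, 'admin'), (2, 'robert'), (3, 'alice')");

// Before: input is concatenated into the SQL text, so its quotes become syntax.
function demo_find_concat(PDO $db, $name) {
  $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the value travels as a bound parameter (the job '%s' does).
function demo_find_bound(PDO $db, $name) {
  $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
  $stmt->execute(array($name));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric input (the job %d does): cast to int and bind as an integer.
function demo_find_uid(PDO $db, $uid) {
  $stmt = $db->prepare('SELECT name FROM users WHERE uid = ?');
  $stmt->bindValue(1, (int) $uid, PDO::PARAM_INT);
  $stmt->execute();
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// LIKE search: the code adds the wildcards; wildcards inside the input are escaped.
function demo_search(PDO $db, $term) {
  $escaped = strtr($term, array('\\' => '\\\\', '%' => '\\%', '_' => '\\_'));
  $stmt = $db->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
  $stmt->execute(array('%' . $escaped . '%'));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "nobody' OR '1'='1";              // constructed hostile value
print_r(demo_find_concat($db, $input));    // WHERE clause rewritten by the input
print_r(demo_find_bound($db, $input));     // treated as one odd-looking name
print_r(demo_find_uid($db, '2 OR 1=1'));   // cast keeps only the leading integer
print_r(demo_search($db, '%'));            // literal percent sign, not "match all"
```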

drupal_get_token() – verifies source of request – get v. post. 1) set token. happens with every form that uses Form API. 2) then verify, is token passed the same one that was created. code is really simple! uses MD5, session_id. huh. along with private key for your site. that makes a lot of sense. also works for AJAX stuff: hidden input with token, pass value in AJAX call, then check again server-side.
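An added example (not from the talk and not Drupal's source) of the set-then-verify token scheme described in these notes: MD5 over the session id, a per-action value and the site's private key. `demo_get_token()` and `demo_valid_token()` are hypothetical stand-ins, the key and session ids are constructed, and the constant-time `hash_equals()` comparison is an addition.

```php
<?php
// Added illustration of the scheme in the notes: token = MD5(session id +
// action value + site private key). Simplified stand-ins, not Drupal's source.

// Constructed value; in Drupal the private key is generated per site.
define('DEMO_PRIVATE_KEY', 'constructed-site-private-key');

// Step 1: set the token when the form (or AJAX link) is rendered.
function demo_get_token($session_id, $value) {
  return md5($session_id . $value . DEMO_PRIVATE_KEY);
}

// Step 2: on submit, recompute from the current session and compare.
function demo_valid_token($token, $session_id, $value) {
  // hash_equals() (PHP 5.6+) compares in constant time; an addition here.
  return is_string($token)
    && hash_equals(demo_get_token($session_id, $value), $token);
}

// Constructed session ids; a real one comes from session_id().
$victim = 'sess-constructed-aaaa';
$other  = 'sess-constructed-bbbb';

// Rendered into a hidden input, or passed along in the AJAX call.
$form_token = demo_get_token($victim, 'node-42-delete');

$cases = array(
  'legitimate submit'
    => array($form_token, $victim, 'node-42-delete'),
  'cross-site request, no token'
    => array(NULL, $victim, 'node-42-delete'),
  'token minted in another session'
    => array(demo_get_token($other, 'node-42-delete'), $victim, 'node-42-delete'),
  'token replayed on a different action'
    => array($form_token, $victim, 'node-42-edit'),
);

foreach ($cases as $label => $case) {
  list($token, $session_id, $value) = $case;
  $ok = demo_valid_token($token, $session_id, $value);
  printf("%-40s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first case is accepted: a forged request carries the victim's session cookie but cannot produce the token, because that needs the private key.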

also to be aware of: forms API (I think he mentioned that before), forms are biggest source of malicious attacks. set permissions properly as an admin (oy, this is a PITA). don’t use User One! “up here as a reminder for me” I’ve set up a whole system for that on the work site. audience comment: if you use drush, don’t even need to use user one. (debate afterwards on correct pronunciation!) SSL certs not a cure-all, esp if not all site is SSL.

Mapping, GIS & Drupal

modules: location, location cck, geo – uses spatial database extensions!, openlayers (sorta, half-implementation)

[lost tweet: #pnwds making a total mess with pink frosted donut. yes, while wearing a black dress. ::sigh:: really can’t take me anywhere.]

for displaying: gmap, nicemap – does points pretty well, openlayers

Openlayers is going to be his focus: uses open layers js library.

[no net connection at all?!]

Geocoding, spatial tables, desktop GIS

jumping to a demo.

location is fading out of use, to be replaced by location cck. (I think I had troubles with that latter.)

a view showing two polygon nodes on the same map – union bay & lake union, outlined and overlaid with shading. neat.

editing tool. polygon is a cck field. cck setting determines how many polygons per node. geo is also a cck field.

based on presets, packaged map that you define: what layers are available, beginning lat/lon & zoom. showing preset creation. includes projections, like polar, mercator, etc. whoa. gmap uses meters from 0/0, not lat/lon! can’t match. interesting options of layers, based on which projection selected. satellite imagery from nasa!

WMS: feeds of maps, published by map creators, incl NASA. 🙂 Q from audience: ESRI feeds? ESRI products can be published as WMS.

Then cck field can draw on top of this preset map. Two options for field types.

Stepping back… join across tables based on key, idea of spatial key: one table is polys, other is points, join where points are inside poly, etc. wkt = open standard for storing spatial data as strings. use geospatial if needing advanced stuff, openlayers wkt is more basic. (but more stable) [my own personal bike map site?!]

under the WYSIWYG map is field with coordinates.

can collect with one projection and then show with a different projection!

showing some view options “well known text” = description aka WKT, not street addresses or anything. – it would be nice to have a meaningful sample here.

Q: translate from lat/lon to WKT? Yes. (At least I think that’s what I heard him say.)

some interesting options for interactivity on maps — defined as hooks. (is this how to FINALLY get the list/popup branch list working?) declutter includes the word “automagically” in its description. has nice zoom/autocenter to features. feature styles “for advanced users only” no kidding. that looks super-mega-complicated.

[seriously, this is way cool, could be exceptionally awesome for members-only section of ENA site. which reminds me, I need to see about a BOF for civicrm – tomorrow maybe?]

Q: what runs the map? the openlayers javascript library. Q: leverage geodatabase in views? buffer, show other nodes, etc? that’s the long-term vision, but not there now. lets you store stuff, and then you have to write your own queries to display. Q: can consume KML? yes, for security, JS can only load from same domain. have to write proxy to get external KML. Q: nearby a certain point? can’t do w/WKT – unless write yr own PHP – eventual geo module & views integration. postgres (postgis) is better implementation, mysql implementation is more common, tho. and there’s yet another module that sorta kinda implements this stuff (mapping kit?), maybe too ambitious.

Q: use case: social networking site, organic groups, many actually location-based, rolled out proximity searching w/location, want to introduce neighborhoods instead of zip-based. any way to use this stuff? he thinks so… follow-up: any connection between location/location cck & geo/openlayers? is it inside this polygon? currently need to do custom coding to make that happen? can use location cck data in openlayers views. point data sources, identify fields. they want to go there, but not there yet. (bummer)
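An added example (not from the session) of the two things these notes keep circling: what a WKT string looks like, and the "is it inside this polygon?" custom PHP. Function names are hypothetical, the rectangle is constructed rather than surveyed, and the test treats lon/lat as flat coordinates, which is reasonable only for small areas.

```php
<?php
// Added illustration; function names are hypothetical, coordinates constructed.

// WKT puts x before y, so longitude comes first.
function demo_point_wkt($lat, $lon) {
  return sprintf('POINT(%F %F)', $lon, $lat);
}

// Parse a single-ring "POLYGON((x y, x y, ...))" into a list of [x, y] pairs.
function demo_parse_polygon($wkt) {
  if (!preg_match('/^\s*POLYGON\s*\(\(\s*([^()]+?)\s*\)\)\s*$/i', $wkt, $m)) {
    return FALSE;
  }
  $ring = array();
  foreach (explode(',', $m[1]) as $pair) {
    $xy = preg_split('/\s+/', trim($pair));
    if (count($xy) != 2 || !is_numeric($xy[0]) || !is_numeric($xy[1])) {
      return FALSE;
    }
    $ring[] = array((float) $xy[0], (float) $xy[1]);
  }
  // A closed ring needs at least three corners plus the repeated first point.
  return count($ring) >= 4 ? $ring : FALSE;
}

// Ray casting: count the ring edges crossed by a ray running east from the point.
function demo_point_in_polygon($lat, $lon, array $ring) {
  $inside = FALSE;
  $n = count($ring);
  for ($i = 0, $j = $n - 1; $i < $n; $j = $i++) {
    list($xi, $yi) = $ring[$i];
    list($xj, $yj) = $ring[$j];
    $straddles = ($yi > $lat) != ($yj > $lat);
    if ($straddles && $lon < ($xj - $xi) * ($lat - $yi) / ($yj - $yi) + $xi) {
      $inside = !$inside;
    }
  }
  return $inside;
}

// Constructed rectangle standing in for a neighborhood outline.
$hood = 'POLYGON((-122.345 47.625, -122.325 47.625, -122.325 47.650, '
      . '-122.345 47.650, -122.345 47.625))';
$ring = demo_parse_polygon($hood);

echo demo_point_wkt(47.64, -122.335), "\n";
var_dump(demo_point_in_polygon(47.64, -122.335, $ring));  // point within the box
var_dump(demo_point_in_polygon(47.70, -122.335, $ring));  // point north of it
```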

I missed a question — a partner in openlayers module, but have rolled their own.

Q: is openlayers going to go in the same direction as geo re:storage? geo is storage-oriented, openlayers is display-oriented.

Missed something else. (speak up, people!)

Somebody asked my question about list + popup. Nobody can make that happen. 🙁 But JS library is still there and can make use of it. Something he said fired my brain about doing the view and making it link to fire the JS vs an actual link. Ugh. can’t quite get that working in my head.

Showing some code, didn’t quite work – ah, there it goes. PHP snippet loads map. Can also use Devel module for debugging, render array to screen.

OSM Cycling Map?! (is there any mapping service that provides map via SSL?)

seen a couple of Eees, and talked to a woman who absolutely loves hers. so totally going to do that.

Interesting demo of how the stuff is stored in a JS object.

Q: cross-browser? A few bugs in IE, otherwise good. Q: documentation on Shape files? import as nodes or table wizard route. as nodes, have to convert geometry to WKT. geo module can handle shape files directly into the db. (that makes my brain hurt. also makes me wish that city/state used open source for web.) quantum gis? Q: what types of bugs might one see in Geo? don’t know, but it’s still in dev…some things with views, not complete implementation. open bugs listed.

BOF: Open Atrium/Managing News

wifi still down.

Installation. New look sites looks ENTIRELY DIFFERENT from new drupal site.

Groups…main content of the site. At the moment you have to create the users yourself. (LDAP/Active Directory/whatever integration?)

Features module, packaged up (groups of modules?) “shoutbox” is like internal twitter.
Every group can have different color & logo.

People can belong to multiple groups? [yes]

Entirely different administration screen, uses Admin module design, etc.

Project vs Cases? So this is a footprints-type thing. with notifications: what does it look like when you have 400 users? Only can notify people in the group. Hrm. Reply by email becomes comment. Yes, very much like footprints…only NOT UGLY. [strange digression from Gregory about evolution, comparing ancient primate to “two unrelated modules developing at the same time.” heh]

Calendar: how does it integrate w/content types? (my question: does it integrate at all w/outlook?)

Accept contrib modules? Yes, you can add your own – using Features? Some open atrium-specific things you need to do, but not too hard.

Can use LDAP/AD.

Asked about home page: a custom dashboard, with activity from your public groups. I don’t know if it’s too simple or too complicated.

“strongarm” steals lots of settings.

ease of theming beyond the built-in? wouldn’t do it. can hijack icons, atrium logo, but wouldn’t go beyond that, esp not until it’s a stable release.

turning over in my mind how feasible this would be. it’s prettier, but almost too much simpler?

managing news – feed aggregator with crazy features. oh, hey, I think this is EXACTLY what C has talked about before. what would you feed in? – OlyBlog, Everyday Olympia, NA sites, Olympian, TNT. YET ANOTHER REASON WHY I WANT THE CITY TO PUBLISH RSS. (is there a way to screen-scrape to RSS?) uses openlayers. oh hey there it is again. 🙂 Import locations: identify places as being w/in n’hoods? apparently so. feed with place names! also uses features. install shoutbox from open atrium into managing news? 🙂

Features, Robin

really pretty stuff development seed has been doing – has been wondering is it really as easy as it looked in the videos? if you want to use features, you also want contexts. repeatable & reusable, could put together as a product for clients. fserver is alpha, not yet on drupal.org. why context? block configuration, active menu items, don’t have to repeat configuration.

off to the sandbox! Profiles, using Content Profile with file field, image cache.

use Context in lieu of the crazy shit I have going on with OG, Simple Access, Themekey, etc., etc.?! missed a bunch about context getting all excited about new project idea. 🙂 seriously? I want to go find a spot where the wifi WORKS and try to do this project.

“i’m going to say that that is a cache issue.” 🙂

create the bundle online, download, then install to modules folder. what IS the feature file? looks like module files, but doesn’t show up in admin/build/modules. php code with arrays/functions. export of a view, etc.

I think I’m sorta kinda getting it, although at this point I’m not sure I have need for it. Nice to know about context, tho. going to give this session 5-10 more mins, see if there’s anything else that’s going to be useful before I just take off.

create features on sandbox site, and then install onto production site. Aha! there’s a use I can get behind. is that going to be part of deployment session tomorrow?

install via features, not modules.

it’s waaaaaaay too late in the afternoon for all this naming silliness.