DrupalCon2012 notes

From Earth Science Information Partners (ESIP)

DrupalCON Denver 2012 – Notes by Ajinkya Kulkarni


Keynote (3/20) by Dries Buytaert : Winning the hearts and minds through innovation

  • Drupal 7 grew 2.5 times faster than Drupal 6 (measured over the first 10,000 installations)
  • Drupal weaknesses:
    • Rudimentary authoring experience
    • Aging web development framework
    • Small Drupal talent pool
    • Not mobile friendly
  • Opportunities for Drupal:
    • 1.5 million Drupal sites
    • 6.7% of all CMS sites use Drupal
    • 30% of all sites use a CMS
    • 25x growth over the next 5 years
  • Drupal 8: embraces Symfony 2, RESTful web services, HTML5 responsive design
  • Symfony 2: a set of reusable PHP components, robust, well tested, healthy welcoming community

Keynote (3/21) by Mitchell Baker : Collaborative Development, the "Maker" Ethic and Internet Freedom

Keynote (3/22) by Luke Wroblewski : Mobile First

  • Web products should be designed for mobile first
  • Designing the mobile app first forces us to strip down to essentials
  • 371K babies born per day, 1.5 million mobile devices activated per day
  • 6 billion mobile connections, 12 billion by 2020
  • $131M of PayPal mobile payments processed in 2009, $4B in 2011
  • Twitter 55% mobile users
  • Pandora 70% mobile users
  • Yelp 85% searches on mobile
  • Facebook 50% mobile web traffic
  • Reduce request and file size
  • Take advantage of HTML5
  • Design for speed: adaptive pre-loading

Session: Tame the Burrito: Understanding the Five Layers of Drupal

  • Caching problem: Each module tries to implement its own caching mechanism
  • Drupal: 5 layer stack
  1. Web framework (e.g. HTTP Request, Response caching, Database access )
  2. Building Blocks (e.g. Nodes, Fields, Views, Regions, Blocks)
  3. Building Tools (e.g. Field UI, Views UI, Features, Drush, Admin structure)
  4. Distinct Features (e.g. My Dashboard, Photo Gallery, Newsletter, Surveys, Wikis)
  5. Products (e.g. Drupal Garden, OpenPublic, The Grammies)
  • Separate form validation logic from the Drupal form validation API so that Drush, SimpleTest or an installation profile can use it
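One way to follow the last point, shown as an added example rather than the session's own code: the site-specific rule lives in a plain function with no Form API dependency, and the form validate handler, a Drush command and a SimpleTest case can all call it. The module name esip_contact, its functions, the example.org domain rule and the Drush command name are assumptions made for the example.

```php
<?php
/**
 * @file
 * Added example (not from the session): validation logic kept independent of
 * the Form API so a form, a Drush command and a test all share one rule.
 * Module name "esip_contact", the example.org rule and the command name are
 * hypothetical. The Drush functions belong in esip_contact.drush.inc in a
 * real module; they are shown here in one file for brevity.
 */

/**
 * Pure validation: no form state, no output, no messages.
 * Returns NULL when valid, otherwise a short error code.
 */
function esip_contact_validate_email($value) {
  $value = trim((string) $value);
  if ($value === '') {
    return 'empty';
  }
  // valid_email_address() is Drupal core's syntactic e-mail check.
  if (!valid_email_address($value)) {
    return 'format';
  }
  // Site rule (assumed): only example.org and its subdomains are accepted.
  if (!preg_match('/@(?:[a-z0-9-]+\.)*example\.org$/i', $value)) {
    return 'domain';
  }
  return NULL;
}

/**
 * Maps error codes to translated text in one place.
 */
function esip_contact_email_error_message($code) {
  $messages = array(
    'empty' => t('An e-mail address is required.'),
    'format' => t('The e-mail address is not valid.'),
    'domain' => t('Only example.org addresses may be used.'),
  );
  return isset($messages[$code]) ? $messages[$code] : t('Invalid e-mail address.');
}

/**
 * Form API validate handler: a thin adapter around the pure function.
 */
function esip_contact_form_validate($form, &$form_state) {
  $code = esip_contact_validate_email($form_state['values']['email']);
  if ($code !== NULL) {
    form_set_error('email', esip_contact_email_error_message($code));
  }
}

/**
 * Implements hook_drush_command(): "drush esip-check-email user@example.org".
 */
function esip_contact_drush_command() {
  return array(
    'esip-check-email' => array(
      'description' => 'Check an e-mail address against the site rule.',
      'arguments' => array('email' => 'The address to check.'),
    ),
  );
}

/**
 * Drush command callback; reuses the same rule with no form involved.
 */
function drush_esip_contact_esip_check_email($email = '') {
  $code = esip_contact_validate_email($email);
  if ($code !== NULL) {
    return drush_set_error('ESIP_CONTACT_BAD_EMAIL', esip_contact_email_error_message($code));
  }
  drush_print(dt('OK: @email', array('@email' => $email)));
}
```

A DrupalUnitTestCase can assert on esip_contact_validate_email() directly, with no form submission and no database, which is the point of keeping the rule out of the validate handler.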

Session: Native Mobile Application Development on Drupal

  • Why not native?
  1. Titanium supports multiple devices
  2. Rapid prototyping
  • Why native?
  1. Faster performance
  2. Manage errors on your side of the stack
  3. No waiting on API updates
  • Development process
  1. Get the idea on paper
  2. Wireframe (use tools: Briefs or OmniGraffle)
  3. Design
  4. Development

Session: Science on Drupal

  • Drupal uses in science:
    • Libraries
    • OpenScholar
    • Social science
    • Drupal test portal driven by VIVO. VIVO is a simple CMS, uses RDF and OWL, available as a VM
    • Amazon Mechanical Turk integration
    • DNA/RNA databases
    • Public-facing research showcase
    • Archive & preserve data
    • Medical data
    • podaac.jpl.nasa.gov

Session: ESIP Commons

Session: Drupal Security for Coders - How to Avoid "All Your Base Are Belong To Us"

  • Why care?
    • Security is business
    • Affects your good name
    • Your site is useful to the bad guys whether it is big or small
  • Keep up to date
    • Subscribe to the security advisory e-mails
    • Have a consistent method for updating your site
  • Checklist:
    • Other than admin, do not let anyone use the Full HTML or PHP filter
    • Most vulnerabilities are in custom themes and templates
    • Use the Drupal DB APIs
    • Use the Drupal Form API
    • In doubt? Use check_plain()
    • For URLs: check_url()
    • For plain text: check_plain()
    • For rich text: check_markup()
    • For HTML: filter_xss()
  • XSS is the major vulnerability; SQL injection is another
    • Failure to escape user input or output
    • An attacker can do almost anything
    • http://drupalsecurityreport.org/
    • In the DB APIs, use placeholders
    • XSS can happen via IMG tags
    • Can run JS on a 3rd-party site
    • Both GET and POST are vulnerable
    • Form tokens or URL tokens tied to your session protect you
    • When not using the Form API, use drupal_get_token() and drupal_valid_token(). See the Flag module for an example
  • Dev/Themer harmony
    • Use preprocess functions to provide safe variables for use in theme templates
    • In Drupal 7 these may need to be used with render()
  • JS can do XSS better than humans
  • Just loading a malicious third-party site can hack your Drupal account
  • CSRF:
    • Use a form token when there is a link to click
    • Your own caching can have a problem: need a per-user cache
    • Do not use password-based SSH (use key-based SSH)
  • Drupal 7: $query->addTag('node_access');
  • Drupal modules:
    • security_review
    • Coder
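The checklist above as working Drupal 7 code, in an added example that is not from the session and not Drupal's own code: a hypothetical module esip_star with a search page kept in its vulnerable form for contrast beside the hardened form (placeholders via db_select() and db_like(), the node_access tag, check_plain() escaping through t() and l()), and a state-changing link protected by drupal_get_token() and drupal_valid_token() as the notes on CSRF recommend. The module name, the paths, the {esip_star} table and its hook_schema(), and the .info file are assumptions and are not shown.

```php
<?php
/**
 * @file
 * Added example, not from the session or Drupal core. Hypothetical module
 * "esip_star" for Drupal 7; its .info file and the hook_schema() that
 * creates the {esip_star} table (uid, nid, created) are assumed, not shown.
 */

/**
 * Implements hook_menu().
 */
function esip_star_menu() {
  $items['esip/search'] = array(
    'title' => 'Search titles',
    'page callback' => 'esip_star_search_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  $items['esip/star/%node'] = array(
    'title' => 'Star a node',
    'page callback' => 'esip_star_star',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * The "before" version, kept only for contrast; never wire it into hook_menu().
 * $term is concatenated into SQL (injection) and echoed unescaped (reflected
 * XSS); node titles written by any editor are echoed unescaped (stored XSS);
 * and no node access check is applied to the rows.
 */
function esip_star_search_page_vulnerable() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  $result = db_query("SELECT nid, title FROM {node} WHERE title LIKE '%$term%'");
  $out = "<h2>Results for $term</h2>";
  foreach ($result as $row) {
    $out .= '<a href="?q=node/' . $row->nid . '">' . $row->title . '</a><br />';
  }
  return $out;
}

/**
 * Hardened page callback for esip/search?term=...
 */
function esip_star_search_page() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  // Placeholders: the DB layer quotes the value. db_like() escapes the LIKE
  // wildcards % and _ so user input cannot widen the match.
  $result = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($term) . '%', 'LIKE')
    ->addTag('node_access')  // apply node access grants to this query
    ->range(0, 20)
    ->execute();

  $items = array();
  foreach ($result as $row) {
    // l() runs the link text through check_plain() unless 'html' => TRUE.
    $items[] = l($row->title, 'node/' . $row->nid) . ' ' . esip_star_link($row->nid);
  }
  // t() escapes @term with check_plain(); a !term placeholder would not.
  $build['heading'] = array(
    '#markup' => '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>',
  );
  $build['list'] = array('#theme' => 'item_list', '#items' => $items);
  return $build;
}

/**
 * Builds the state-changing link with a token tied to the current session.
 */
function esip_star_link($nid) {
  $token = drupal_get_token('esip_star:' . $nid);
  return l(t('Star'), 'esip/star/' . $nid, array('query' => array('token' => $token)));
}

/**
 * Page callback for esip/star/%node: validate the token before writing.
 * An <img> or link planted on a third-party site cannot carry a valid token.
 */
function esip_star_star($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'esip_star:' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  global $user;
  db_merge('esip_star')
    ->key(array('uid' => $user->uid, 'nid' => $node->nid))
    ->fields(array('created' => REQUEST_TIME))
    ->execute();
  // %title is escaped (and emphasised) by t(); no raw title reaches the page.
  drupal_set_message(t('Starred %title.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

Because the token is derived from the session, a page holding these links must not be served from a shared page cache; that is the per-user cache point in the CSRF notes, and drupal_valid_token() takes a third $skip_anonymous argument for the anonymous case. Where a real form is possible, a Form API submit button is still preferable to a GET link for anything state-changing, since the Form API adds and checks its token automatically.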

Session: Fast flexible architecture


  • Engineering axes
    • Fast to run
    • Low memory
    • Scalability
    • Modifiability
    • Extensibility
  • Human axes:
    • Usability / UX for end users
    • Understandability for developers
    • Learnability for both
    • Maintainability
  • Command line is very powerful
    • Graphical is learnable, slows down the interface
  • QA axes
    • Testability – ability to write tests
    • Verifiability – code will do what it is supposed to do
  • Who cares?
    • Your client
    • Your boss
    • You in 6 months (to fix performance & scalability)
  • To what extent do I care about mobile:
    • Responsive design limits
    • Target audience
    • Look at traffic logs, browser stats
    • Responsive design is not always needed
    • Hand coding is OK for site-specific code
    • Node reference in Drupal 5 loads all nodes: very bad
    • Overridable by any module or by any specific site
  • Do I care if an operation is fast?
    • Modifiability vs. performance
    • Expediency vs. modifiability
    • Extensibility vs. testability
    • Extensibility vs. understandability
    • Verifiability vs. expediency
  • Can't prove PHP code is correct mathematically (do not use it for a nuclear reactor)
  • Your job is to balance -> what is worth my time -> write the most appropriate code
  • Drupal assumes everything is a page -> Symfony solves this problem -> serves only parts -> Symfony already implemented what Drupal 8 wanted
  • Put Varnish & memcache in front at least (Acquia Cloud & Pantheon use them)

Session: Symfony

  • The ‘Drupal way’ is not used in the other PHP communities
  • Drupal has barriers to entry for developers
  • Refactor towards a ‘framework’ core
  • Drupal needs a more standardized framework
  • Symfony 2 is MIT licensed, on GitHub
  • Symfony 2 is a reusable set of standalone, cohesive PHP components that solve common web development problems
  • An object-oriented set of classes
  • Compatible with PHP 5.3 & later
  • A full-stack web framework
  • http://tools.ietf.org/html/rfc2616 (HTTP/1.1) is a must read for PHP developers
  • http://en.wikipedia.org/wiki/Edge_Side_Includes

Session: Views for developer

Session: Drush 5

  • New features
    • Shell aliases
    • Windows-compatible installer sponsored by Microsoft
    • Drush make in Drush core
    • Drush autocomplete
    • Built-in server
    • Drush quick-drupal command
    • Drush runner for the Queue API
    • Drush support for multi-site setups
    • Drush site-set command

Session: Delivering Drupal