Drupal 6.1: On Drupal Security

Just noting that I updated my Drupal 6 test site to 6.1 following the security release. The update was painless.

Thanks to Drupal 6’s new update functionality, the site itself checks whether any updates to core or contributed modules are available and lets you know.

And if you think it’s problematic that 6.0 already needed a security patch, I beg to differ: new “dot 0” releases of any software often have bugs, some of them security related, and Drupal’s quick 6.1 release just demonstrates that Drupal in particular, and open source projects in general, are often quicker to identify and patch security bugs than proprietary development teams.

Go Drupal security team!

Here’s my first post about what I liked in Drupal 6.

Defaulting to OpenID on Drupal 5

Kudos to walkah et al for their work on the Drupal OpenID module and getting OpenID into core for Drupal 6!

Out of the box, the OpenID module in Drupal 5 and 6 presents regular Drupal authentication first and gives the user a link to toggle to OpenID.

That’s the exact opposite of what I wanted to deploy on my blog: I want users to log in using OpenID unless they have a very good reason not to. Here’s how I solved the problem in 5 easy steps using just the magic of a phptemplate theme to modify the authentication interfaces to default to OpenID.

Step 1: Override Authentication UI

First I added the following functions to my theme’s template.php file to specify which interface elements I would be overriding with templates.

// override the user log in form at /user
function phptemplate_user_login($form) {
  return _phptemplate_callback('user_login', array('form' => $form));
}

// override the user registration form at /user/register
function phptemplate_user_register($form) {
  return _phptemplate_callback('user_register', array('form' => $form));
}

// override the password reset form at /user/password
function phptemplate_user_pass($form) {
  return _phptemplate_callback('user_pass', array('form' => $form));
}

// override the user log in block
function phptemplate_user_login_block($form) {
  // show a hint as the field's rendered value (this runs at render time, after
  // the form has been processed, so it does not touch the submitted value)
  $form['openid_url']['#value'] = 'OpenID Login';
  // clear the hint when the field gets focus; add to the element's existing
  // attributes instead of replacing them, and only clear the hint itself
  $form['openid_url']['#attributes']['onfocus'] = "if (this.value == 'OpenID Login') this.value = '';";
  return _phptemplate_callback('user_login_block', array('form' => $form));
}

Step 2: New User Log In Template

Next I added a template file to my theme directory called “user_login.tpl.php” as per my override in template.php above with the following code.

<?php
// reverse the default visibility toggles set by the openid module's javascript:
// show the OpenID field and the "log in with username" link, hide the rest
drupal_add_js('$(document).ready(function(){$("#edit-openid-url-wrapper").show();$("#edit-name-wrapper").hide();$("#edit-pass-wrapper").hide();$("a.openid-link").hide();$("a.user-link").show();});', 'inline');

// render the login form
print drupal_render($form);
?>

Step 3: New User Registration Template

Next I added a template file to my theme directory called “user_register.tpl.php” as per my override in template.php above with the following message, giving a link for users to go get an OpenID because I don’t want users to create local Drupal identities.

Establish your <a href="http://openid.net/" title="Learn More about OpenID">OpenID</a> with a provider like <a href="http://myopenid.com/" title="Visit MyOpenID.com">MyOpenId.com</a>. Then come back to this site and <a href="/user" title="Log in to this site">log in</a> with your new OpenID.

Step 4: New Password Recovery Template

Next I added a template file to my theme directory called “user_pass.tpl.php” as per my override in template.php above with the following message, giving a link for users to go recover their password from their OpenID provider.

Visit your <a href="http://openid.net/" title="Learn More about OpenID">OpenID</a> provider to recover your password. Then come back to this site and <a href="/user" title="Log in to this site">log in</a> with your OpenID.

Step 5: New User Log In Block Template

Next I added a template file to my theme directory called “user_login_block.tpl.php” as per my override in template.php above with the following code.

<?php
// reverse the default visibility toggles set by the openid module's javascript
drupal_add_js('$(document).ready(function(){$("#edit-openid-url-wrapper").show();$("#edit-name-wrapper").hide();$("#edit-pass-wrapper").hide();$("a.openid-link").hide();$("a.user-link").show();});', 'inline');

// render only the elements the block needs: the hidden form id, the OpenID
// field and the submit button; the username and password fields are simply
// not printed
print drupal_render($form['form_id']);
print drupal_render($form['openid_url']);
print drupal_render($form['submit']);
?>

You’re Done!

After these 5 steps, users are presented with OpenID authentication on my site and guided to getting an OpenID if they don’t have one already. A user with a local Drupal identity can still toggle to authenticate on the now obscured /user login form, but only an existing user with the proper access can create new local Drupal users. Keep in mind that a template override only changes what is rendered: /user/register is still a live form that Drupal will process if posted to, so the restriction on who can create accounts comes from the registration setting at admin/user/settings, not from the theme. Likewise the jQuery calls only hide the username and password fields; they do not disable local login.

My dream for OpenID in Drupal core is an admin UI offering a few configurations, each of which makes the necessary changes to the user authentication UI:

  • prefer OpenID authentication, allow Drupal
  • prefer Drupal authentication, allow OpenID
  • allow only OpenID authentication
  • allow only Drupal authentication (this case would be covered by just not enabling the OpenID module)
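Here is what that admin UI could look like as a small Drupal 5 module. This is an added example, not code from the post and not part of Drupal or its OpenID module; the module name, the variable openid_first_mode and the admin path are assumptions, and the element and selector names (openid_url, #edit-*-wrapper, a.openid-link, a.user-link) are the ones the theme approach above relies on. The difference from the theme approach is that the “only OpenID” mode removes the username and password elements with #access = FALSE, which Form API enforces on the server, instead of hiding them with JavaScript.

```php
<?php
// openid_first.module -- added example, not part of the post or of Drupal.
// Assumptions: module name, the variable 'openid_first_mode', the admin path
// and the element/selector names used by the OpenID module for Drupal 5.

/**
 * Implementation of hook_menu() (Drupal 5 signature).
 */
function openid_first_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/user/openid-first',
      'title' => t('OpenID preference'),
      'description' => t('Choose whether OpenID or local accounts are offered first.'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('openid_first_settings_form'),
      'access' => user_access('administer users'),
      'type' => MENU_NORMAL_ITEM,
    );
  }
  return $items;
}

/**
 * Settings form for the three modes that need code; "only Drupal
 * authentication" is just the OpenID module switched off.
 */
function openid_first_settings_form() {
  $form['openid_first_mode'] = array(
    '#type' => 'radios',
    '#title' => t('Authentication preference'),
    '#default_value' => variable_get('openid_first_mode', 'prefer_drupal'),
    '#options' => array(
      'prefer_drupal' => t('Prefer Drupal authentication, allow OpenID (module default)'),
      'prefer_openid' => t('Prefer OpenID authentication, allow Drupal'),
      'only_openid' => t('Allow only OpenID authentication'),
    ),
    '#description' => t('To allow only Drupal authentication, disable the OpenID module.'),
  );
  return system_settings_form($form);
}

/**
 * Implementation of hook_form_alter() (Drupal 5 signature).
 *
 * Runs after openid_form_alter() because "openid_first" sorts after "openid"
 * at the same module weight, so the openid_url element already exists.
 */
function openid_first_form_alter($form_id, &$form) {
  if (($form_id != 'user_login' && $form_id != 'user_login_block') || !isset($form['openid_url'])) {
    return;
  }
  $mode = variable_get('openid_first_mode', 'prefer_drupal');
  if ($mode == 'prefer_drupal') {
    return; // the OpenID module's own behaviour, nothing to change
  }

  // Both remaining modes start with the OpenID field visible, the reverse of
  // what the OpenID module's javascript sets up on page load.
  $form['openid_url']['#weight'] = -10;
  drupal_add_js('$(document).ready(function(){'
    . '$("#edit-openid-url-wrapper").show();'
    . '$("#edit-name-wrapper").hide();$("#edit-pass-wrapper").hide();'
    . '$("a.openid-link").hide();$("a.user-link").show();'
    . '});', 'inline');

  if ($mode == 'only_openid') {
    // Server-side removal: elements with #access FALSE are neither rendered
    // nor read from the submission, so there is no local login to toggle to,
    // with or without javascript. Drop #required on them so validation does
    // not complain about fields the user can no longer see.
    $form['name']['#access'] = FALSE;
    $form['name']['#required'] = FALSE;
    $form['pass']['#access'] = FALSE;
    $form['pass']['#required'] = FALSE;
    $form['openid_url']['#required'] = TRUE;
    // The "log in with username" toggle is pointless now; hide both links.
    drupal_add_js('$(document).ready(function(){$("a.openid-link, a.user-link").hide();});', 'inline');
  }
}
```

In “only OpenID” mode the registration setting at admin/user/settings still decides who may create accounts; this module only controls which credentials the login forms accept.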

Let me know if you have more questions about or suggestions for this solution.

Drupal 6.0 Released

With today’s release of Drupal 6.0, I’ve upgraded my test site from RC4, which was again as easy as pie.

You can read my earlier post on what’s exciting in Drupal 6.

Stay tuned for more on Drupal 6, and oh, in case you haven’t heard, go to DrupalCon 2008 in Boston!

Drupal 6.0

I just installed my first Drupal 6.0 version (RC4), which took a total of about 3.5 minutes. You [used to be able to] visit the resulting (minimalist) site.

The new installer worked flawlessly, requiring only that I create a database and user and change the access control on a single directory, then change it back again once the install was complete (a step worth not skipping, since that directory holds settings.php and the database credentials). The rest was answering a few basic questions in Drupal’s web-based installer. Given that the database and file access steps could also be done through a web interface (e.g., cPanel on a hosted server), the whole installation could easily be handled by a non-technical user in the same few minutes it took me.

What’s exciting in Drupal 6? You can check out a complete list, but for me, here are the highlights:

  • OpenID integrated as a core module. My only suggestion here would be to add some administrative controls to toggle various authentication options (e.g., only use OpenID or Drupal authentication, prefer OpenID or Drupal authentication, hide password change controls from OpenID users, etc.).
  • Workflow actions and triggers integrated as core modules. This demonstrates something I’ve admired most about Drupal: the right functionalities are brought into core as general services/APIs. I haven’t experimented with these yet, but core’s where they belong.
  • The latest jQuery integration. Drupal worked with the jQuery folks to deliver jQuery 1.2.3. This should make for even more jQuery goodness.
  • The update module integrated into core. Now let Drupal tell you when it needs upgrades.

I’ll need to wait until key contrib modules like CCK and Views are ready to test in Drupal 6, but I have every faith that added together, this release will significantly increase the sophistication and power of Drupal.

Meanwhile, there are already even little tweaks to love, like drag and drop reordering of menus and blocks, and hiding the revision log field on the node edit form in a closed fieldset (yes, it would be nice if every user explained every content update they made, but most have no idea what is being asked for in the log).

Stay tuned for more on Drupal 6, and oh, in case you haven’t heard, go to DrupalCon 2008 in Boston!

Flock Me!

O how I want to Flock in the morning. O how I want to Flock in the eve.

But I can’t, because Flock can’t authenticate me to my OpenID-enabled Drupal blog.

Flockstars take notice: OpenID critical mass is growing. Take a look at OpenID support in these flocky sites and at least let us know what you all are thinking about integrating OpenID support in Flock (very partial list):

Acquia = RedHat for Drupal

Several key Drupal community members have gathered together with some others to form Acquia, a new commercial firm that hopes to sell subscriptions to Drupal a la RedHat’s linux distros. Acquia has already generated $7 million in funding.

I notice the similarities between Acquia and rSmart, where I now work. Both are focused on the open source web application layer, both think of RedHat as a model, both are working within large, already established open source communities. There are other examples…but apparently the idea of commercial subscriptions for open source web applications is catching on…