michael's blog

Role Playing: Clear the Cache

Maybe this was covered somewhere on drupal.org a while back, but either I wasn't searching using the correct terms or I just plain missed it. I'm talking about how to avoid issues when programmatically modifying user roles.

I was working on a module that automatically adds and removes user roles when certain conditions are met. The code to remove and add a user role is pretty straightforward:

db_query("DELETE FROM {users_roles} WHERE uid = %d AND rid = %d", $user->uid, $rid_to_delete);
db_query("INSERT INTO {users_roles} (uid, rid) VALUES (%d, %d)", $user->uid, $rid_to_add);

I thought this was all I needed to do. My initial testing didn't find anything unexpected, so I moved on to something else.

Submitted by michael on Mon, 05/12/2008 - 1:43pm.

Orlando Drupal User's Group Presentation

Yesterday I gave a presentation to the Florida Drupal User's Group at the Orlando Public Library.

We had about a dozen people show up, and there's a lot of interest in future meetups. So much so, in fact, that we went ahead and scheduled monthly meetings (3rd Saturday of every month). We have topics and speakers lined up for the meetups through October. See the meeting wrapup for all the info.

Here are some links to some stuff we discussed that I promised to post:

Submitted by michael on Sun, 04/13/2008 - 11:31am.

Automatic Configuration of TinyMCE in Drupal

At Drupalcon Boston I was in a session that Boris Mann of Raincity Studios was giving and he made a throwaway comment about how TinyMCE doesn't actually suck - if you know how to configure it correctly.

Well, I always thought it sucked and caused more problems than it solved, so I contacted Boris and asked him how he configures TinyMCE. He pointed me to a Bryght install profile for Drupal that automatically sets up various TinyMCE profiles.

Submitted by michael on Wed, 03/19/2008 - 11:19am.

Drupalcon Boston: Day 4

A Developer's Assistant: Using Coder for Module Developers and Maintainers

Session led by Doug Green from Civic Action, maintainer of the Coder module.

The Coder module aids developers in adhering to Drupal's community coding standards as well as helping with security pitfalls and upgrading modules from one version of Drupal to the next. Specifically, Coder reviews:
  • style (lots)
  • comments (lots)
  • sql (some)
  • upgrades (lots)
  • security (some, but not a lot)
  • performance (well - not so much)
Coder mainly uses regular expressions to perform the various checks. It is able to check modules regardless of whether they are enabled. Doug announced today that the module now supports drush (the Drupal shell, for running Drupal from the command line).

Submitted by michael on Thu, 03/06/2008 - 4:33pm.

Drupalcon Boston: Day 3

Drupal Security - Best Practices and Process Discussion

Greg Knaddison and James Walker, both on the Drupal security team, presided over this session.

They talked about the various attack vectors that hackers utilize:
  • authentication
  • authorization
  • client-side attacks (XSS and cross-site request forgery [CSRF])
  • information disclosure

They stressed the idea of being a secure user by using a strong password, avoiding unencrypted WiFi and FTP (opting for ssh/keys instead), and being really, really careful with UID 1. On the server side, they suggested using SSL for login pages (via the Secure Pages module) if desirable and if possible.

Submitted by michael on Wed, 03/05/2008 - 9:29pm.