Excel at Drupal 8 structuring

For large-scale Drupal projects, one of the tools we use at the requirements-gathering stage is a build spec document. Previously, we used the one from palantir.net’s blog post. But with the arrival of Drupal 8, having Media in core, and the Paragraphs module, we needed an updated version.

Drupal 8 Build Spec 1.0

Although this is a technical document, mainly for use by developers, producing it at an early stage helps to inform the whole project by raising questions about how the system will work. For example:

  • “What page templates do we need?” – By listing likely content types, as well as views, we have an idea of what templates will need to be designed, and what fields are likely to appear.
  • “Is this vocabulary really a content type?” – If you find that a vocabulary is being given fields and is likely to have its own templates, you might consider making it a content type instead.
  • “Should the banner image in news/events items be mandatory?” – If clients don’t have appropriate images, will they be able to use default images, or will the design need to accommodate items without images?
  • “Can programmes belong to more than one theme?” – If the design uses colour-coding, what happens if an item can have more than one theme attached (or none)? Can the design accommodate this?
  • “How will the site be structured and what should URLs look like?” – In addition to sitemaps, there’s a philosophical question of how to structure paths and where each item of content should live. By nesting destination pages under a theme, you risk limiting the flexibility of these pages and creating unwieldy URLs. Defining simple paths based on content type is often cleaner and more flexible.
  • “Should this intro text include HTML?” – The intro text in a design may be plain paragraph text, but will users want to use simple formatting?
  • “What image styles do we require?” – How should the system scale and crop images, and will content editors need to find images in specific dimensions?

This is a sample of the types of question that are prompted by filling in the spreadsheet, and all require input from clients, copywriters, designers, and front-end and back-end developers. For this reason, it’s useful to complete the spreadsheet early in the process. Whilst the document itself is technical and geared towards Drupal developers, it can be shared with all parties, alongside other requirements documentation such as a more traditional functional specification document (with MoSCoW prioritisation) or user stories.

Discover the ECA Advent Calendar 2015

The ECA Advent Calendar 2015 takes up where the 2014 calendar left things.

Discover the ECA Advent Calendar 2015

This year’s calendar includes offerings from students at Edinburgh College of Art, in varied programmes such as Animation, Music, Film & TV, and Textiles.

Like in 2014, there is a wide variety of content, and lots of humour and talent on display.

ECA Advent Calendar screenshot


ECA Advent Calendar 2014

A fun Drupal site we’ve built recently was the ECA Advent Calendar 2014 for Edinburgh College of Art.

What’s in the ECA Advent Calendar 2014?

Behind each randomised door is a short video. All videos are the creative work of students on the BA (Honours) Animation programme.

The calendar grid is responsive. In other words, it adapts to different widths of device by resizing and re-stacking (24 is a handy number, being divisible by 4, 3 and 2).

There’s a lot of variety to the animations: some are very funny, some a little melancholy, and all are very creative. It’s great fun to check each morning.

ECA Animation Advent Calendar

http://www.eca.ed.ac.uk/advent-calendar (external link)

P.S. If you don’t feel like clicking through all the doors, you can get the elves to do it for you.
http://www.advent-calendar.eca.ed.ac.uk/?magic-elves=awake (external link)
(note: videos won’t autoplay on iPad)

After the success of the ECA Advent Calendar 2014, Edinburgh College of Art commissioned a new edition in 2015!

Discover the ECA Advent Calendar 2015

ECA Degree Show website

The Edinburgh College of Art Degree Show opens on 24th May, and we were tasked with developing a new website for it. In many ways this is a dream project, as there is so much fantastic content! When you have such rich content, the job of the website is simply to showcase it with an unobtrusive design. Nicky Regan at ECA produced attractive designs, based on the new ECA branding, and we brought it to life as a Drupal website.

Home Page

Drupal was chosen mainly as it’s what the new ECA website is built on, and will ultimately be the CMS for the new University website. It made sense to give admins a similar interface as the ECA site, and it was also an opportunity to further our own technical knowledge of Drupal.

Why you shouldn’t reuse passwords

With so many website accounts to keep track of these days, many people are tempted to use one or two passwords that they can remember for lots of different sites. We have heard that it’s dangerous to write down passwords, and of course no-one can store dozens of random strings of characters in their head for websites that they may only visit occasionally. So, having a small number of passwords to reuse across multiple websites can seem like a sensible compromise.

However, this can be a very dangerous practice. It’s impossible to know how securely a website stores your data, and you should always ask what the worst-case scenario would be if this information were to get into the wrong hands. There have been countless examples of password lists being leaked (examples include last.fm, eHarmony, LinkedIn, Yahoo!, Phandroid, Writerspace, and Adobe), but often passwords can be stolen without users being any the wiser.

Last week, a vulnerability was found in WHMCS, a billing and support application used by web hosting providers. Potentially, attacks such as this can give hackers control over things such as DNS settings and hosting control panels. In other words, your website itself can be as secure as possible, but hackers can still gain control by extracting your password from other applications.

A good solution is to use software such as KeePass. This allows you to store all your login details in a single encrypted database, so you only need to remember the password for the database, not individual passwords for every website. It also allows you to create much stronger passwords (since you don’t need to remember them), and will even generate them for you. Or if you need access to passwords when out and about, there are versions of KeePass for your phone/tablet.

Some nice WordPress plugins

A few nice WordPress plugins I’ve been using recently:

Better WP Security – A very popular and powerful plugin that takes a range of steps to harden your WordPress installation.

Mail on Update – Emails you to let you know of available plugin updates.

Polylang – Simple and easy to use, it allows you to create a multilingual site (no in-built translation workflows – if you need that try WPML).

Approval Workflow – An easy way to add an Administrator-approval process to your publications.

Blackbox Debug Bar – For plugin developers. It gives useful feedback on SQL queries, page load times, errors, and values of superglobals.

Pure Profiles WordPress plugin – version 1.7

A new version (1.7) of the WordPress plugin for displaying Pure Profiles is now available to download at https://bitbucket.org/gmaxwell/pure-wordpress-plugin/downloads

The WordPress pseudo-cron has been removed, meaning that it now updates the cache using a traditional cron job only. This helps prevent any confusion about when the update will take place. In addition, an authentication key (editable on your Settings page) must be sent with the call. This ensures that the API is not being called maliciously.
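As an added illustration of the kind of check described above (this is example code written for this post, not the Pure Profiles plugin’s own source), here is a hypothetical WordPress cache-refresh endpoint guarded by a shared key. The option name `pure_example_refresh_key`, the query parameter `pure-refresh`, the header `X-Pure-Refresh-Key` and the `pure_example_*` function names are all assumptions; the real plugin’s identifiers may differ.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout.
// The refresh endpoint can only be triggered by a caller that presents the
// key stored in the options table, so arbitrary visitors cannot hammer the
// Pure API through this site.

// On activation, create a random 256-bit key (hex-encoded) if none exists.
function pure_example_ensure_key() {
    if ( ! get_option( 'pure_example_refresh_key' ) ) {
        add_option( 'pure_example_refresh_key', bin2hex( random_bytes( 32 ) ) );
    }
}
register_activation_hook( __FILE__, 'pure_example_ensure_key' );

// Constant-time comparison: hash_equals() does not stop at the first
// mismatching byte, so the check does not leak how much of the key matched.
function pure_example_key_is_valid( $supplied, $stored ) {
    if ( ! is_string( $supplied ) || ! is_string( $stored ) || $stored === '' ) {
        return false;
    }
    return hash_equals( $stored, $supplied );
}

// Where the real plugin would call the Pure API and repopulate its tables;
// here we only record when the last successful refresh happened.
function pure_example_refresh_cache() {
    update_option( 'pure_example_last_refresh', time() );
}

// Handles a request such as  GET /?pure-refresh=1  made by a real cron job.
// The key is read from a request header first (it then stays out of the web
// server's access log) and from ?key= only as a fallback.
function pure_example_handle_refresh() {
    if ( ! isset( $_GET['pure-refresh'] ) ) {
        return;
    }
    $supplied = '';
    if ( isset( $_SERVER['HTTP_X_PURE_REFRESH_KEY'] ) ) {
        $supplied = (string) $_SERVER['HTTP_X_PURE_REFRESH_KEY'];
    } elseif ( isset( $_GET['key'] ) ) {
        $supplied = (string) $_GET['key'];
    }
    $stored = (string) get_option( 'pure_example_refresh_key', '' );

    if ( ! pure_example_key_is_valid( $supplied, $stored ) ) {
        // Log the rejection (never the key itself) and answer with a bare 403.
        $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( 'pure_example: rejected refresh request from ' . $addr );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    pure_example_refresh_cache();
    wp_die( 'OK', 'OK', array( 'response' => 200 ) );
}
add_action( 'init', 'pure_example_handle_refresh' );
```

With this in place, the traditional cron job the post mentions would be a line such as `15 2 * * * curl -fsS -H "X-Pure-Refresh-Key: <key from Settings>" "https://example.org/?pure-refresh=1" >/dev/null` (the host and time are placeholders). Sending the key as a header rather than in the query string matters because query strings are routinely written to access logs and proxy logs, where the key would be readable by anyone with log access.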

There are also some other improvements, such as the use of preferred names, and publications linking to DOIs.


WordPress plugin for Pure profiles

The University is using the Pure software to keep track of research activity. The front end for this is the Edinburgh Research Explorer, which allows you to browse the data.

Pure provides an API to the data, and several people in the University have been investigating how to extract and make use of the information. It’s been interesting to see the variety of approaches taken, and it seems that different solutions may be suitable depending on the application. We plan to make use of some of these solutions in our sites. In the HSS Web Team, we’ve been particularly keen to make the information available in WordPress. We use WordPress for several sites and wanted a plugin to give users a nice profile page, automatically generated from the golden copy.

I’ve been working on a WordPress plugin to do this, which is now at a release stage: https://bitbucket.org/gmaxwell/pure-wordpress-plugin

Development decisions

There was a consensus in the University that REST was the best way forward (Pure also provides a SOAP API). I’ve written a couple of REST APIs in the past, and used the PHP cURL library to consume them. However, we recently discovered Guzzle, a library which makes things nice and easy, and abstracts things a little from the PHP cURL library. Guzzle is going to be part of Drupal 8 core, so well worth checking out.

It’s important that the data is cached locally, both to reduce the load on the server, and to ensure fast page load times. Therefore, when the plugin is enabled, it creates several custom WordPress tables. The API is then called periodically and the data stored in these tables until the next time we want to refresh the database.

The source code is available to browse or clone on Bitbucket.


To use the plugin, you should first download the latest version (currently 1.5) from the downloads page.

You can then go into your WordPress admin area, and Plugins->Add New->Upload to upload the zip file. After installing, click to enable the plugin.

Once the plugin is enabled, you have an additional option under Settings for Pure Profiles.


The first section in the Settings page is Connection Details. This is where the hostname, username and password go. It’s sensible to connect to the beta server to begin with.


You can currently specify which people to pull out by specifying the Pure UUID, Employee ID, or a combination of both. You can also specify an organisation’s UUID, to pull out all the people associated with it (to reduce server load, it’s best to do it this way only when you actually need all of the people in that organisation). All of these should be provided as comma separated lists. The system ignores line breaks, which means you can have the UUIDs on separate lines for readability.


I’ve found the easiest way is to search the Edinburgh Research Explorer for the person you want, and then retrieve their UUID from the URL (between the brackets). It’s also a way of checking that they are actually in Pure!

The next section allows you to specify the time of the cron job to update the database. Note that this is a WordPress pseudo-cron, and is actually triggered the next time the site is accessed. For this reason, it makes sense to set up an actual cron job to call the site shortly after the scheduled WordPress cron. This ensures that the update takes place overnight, rather than being triggered in the morning when someone visits the site.


There’s also an option to enable Development Mode. This calls the API on every page load. Enabling Development Mode slows the site down significantly and puts an unnecessary load on the Pure server, so it should be avoided, particularly with the live server. However, enabling it after you install the plugin and then disabling it immediately afterwards allows you to populate the database right away, rather than waiting overnight.

Under Appearance, there’s the option of whether or not to use the default stylesheet. The default stylesheet provided with the plugin gives some basic formatting, but these styles can be overridden in your theme’s stylesheet. The generated HTML has lots of classes provided, so there’s a fair amount of flexibility in how you can style the output.

Displaying the data using Shortcodes

Once the plugin has been configured in Settings, and the database has been populated, the next step is to add the shortcode to a page. The plugin adds an extra icon to TinyMCE, which brings up a dialog.


You can then select the person to include from a dropdown list, and optionally hide sections.


Clicking Create Shortcode inserts the shortcode into the page.


Then it’s just a case of saving the page, and the profile appears.


Note that you could have your publications or projects on separate pages, by using multiple shortcodes and hiding the appropriate sections.

Future Development

The plugin is still very much in development. There may be some fields missing, and there’s no paging of publications, for example.

Please feel free to add issues in Bitbucket, make suggestions, etc., and to use it!


Web Application Security – the Role of Users

For IT professionals, security is an integral part of the job. We must keep up-to-date with the latest techniques being used to target sites, and try to stay a step ahead of the hackers. Most developers foster a healthy paranoia about the range of ways that systems could be exploited, and keep it constantly in mind when designing an application, writing the code, and then deploying and updating.

However, there are also steps that users can and should take to prevent their data being compromised. These three important practices will go a long way to ensuring that your data is secure.

1 – Use strong passwords

Brute force attacks are common, such as this recent attack on WordPress sites. This is where a malicious computer program makes multiple attempts to guess a user’s password. If your password is in the dictionary, related to the name of your website, or too short, there’s a good chance that a brute force attack will crack it. Actually, any password can be guessed given enough time, which is why you should also change your password every few months. Creating a strong random password of 10 or more characters and using a mixture of upper and lower case, numbers, and special characters will protect against most attacks.

You should also be aware of other ways in which your password can be vulnerable: for example, using the same password across multiple sites, leaving a written copy lying around, or connecting over unencrypted Wi-Fi (e.g. in an internet cafe).
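The following is an added example, not part of the original post, showing what “a strong random password of 10 or more characters using a mixture of upper and lower case, numbers, and special characters” looks like when generated in PHP, together with a rough estimate of how long an exhaustive search would take. The `example_*` function names are invented for this illustration, and the guess rate of 10^9 attempts per second is an assumed figure for an offline attack, not a measurement.

```php
<?php
// Added example (not from the original post). Uses PHP's CSPRNG (random_int)
// rather than rand()/mt_rand(), which are predictable.

const EXAMPLE_CLASSES = array(
    'lower'   => 'abcdefghijklmnopqrstuvwxyz',
    'upper'   => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    'digit'   => '0123456789',
    'special' => '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',   // the 32 printable ASCII punctuation marks
);

function example_random_char( $alphabet ) {
    return $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
}

// Build a password of $length characters that contains at least one
// character from every class above.
function example_generate_password( $length = 16 ) {
    if ( $length < 10 ) {
        throw new InvalidArgumentException( 'Use at least 10 characters' );
    }
    $chars = array();
    foreach ( EXAMPLE_CLASSES as $alphabet ) {     // one guaranteed character per class
        $chars[] = example_random_char( $alphabet );
    }
    $all = implode( '', EXAMPLE_CLASSES );          // 94 characters in total
    while ( count( $chars ) < $length ) {
        $chars[] = example_random_char( $all );
    }
    // Fisher-Yates shuffle, also driven by random_int, so the guaranteed
    // characters do not always occupy the first four positions.
    for ( $i = count( $chars ) - 1; $i > 0; $i-- ) {
        $j = random_int( 0, $i );
        list( $chars[ $i ], $chars[ $j ] ) = array( $chars[ $j ], $chars[ $i ] );
    }
    return implode( '', $chars );
}

// Entropy of a uniformly random password: log2(alphabet_size ^ length).
// The "one of each class" rule excludes a few strings, so this is a
// slight overestimate, but a fair guide.
function example_entropy_bits( $length, $alphabet_size ) {
    return $length * log( $alphabet_size, 2 );
}

// Years needed to try every possibility at an assumed guess rate.
function example_years_to_exhaust( $bits, $guesses_per_second = 1e9 ) {
    return pow( 2, $bits ) / $guesses_per_second / ( 365.25 * 24 * 3600 );
}

$alphabet_size = strlen( implode( '', EXAMPLE_CLASSES ) );
foreach ( array( 10, 16 ) as $len ) {
    $bits = example_entropy_bits( $len, $alphabet_size );
    printf(
        "%-20s %2d chars  ~%5.1f bits  ~%.1e years to exhaust at 1e9 guesses/s\n",
        example_generate_password( $len ), $len, $bits, example_years_to_exhaust( $bits )
    );
}
```

The output makes the post’s point concrete: a 10-character password from this 94-symbol alphabet has about 66 bits of entropy, which is within reach of a determined offline attacker given years of effort, while 16 characters gives roughly 105 bits, far beyond any practical search. The same arithmetic shows why a dictionary word or a short string falls so quickly: the attacker is searching a space of thousands or millions, not 2^66.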

2 – Keep your browser up-to-date

Part of the job of IT professionals is to ensure that third-party software and plug-ins are kept up-to-date. This is because, as new exploits are discovered, the software vendors will update their products to protect against them. Therefore using older versions leaves users at risk of being hacked through known vulnerabilities.

As a user, you should also ensure that you keep your browser at the latest version. Older browser versions are often insecure, and some have been abandoned by vendors. Keeping your browser current not only means added protection from hackers, but also that you have all the latest bug fixes and features, and that web pages will display as intended by the web designers.

It’s also good practice to keep your operating system updated with the latest fixes.

3 – Be aware of social engineering techniques

Social engineering techniques involve attempting to trick people in order to gain access to buildings, systems, or data. The most well-known example is phishing, which is an attempt to gain information such as usernames, passwords, or credit card details, normally through emails or by impersonating a website. However, scammers use a wide range of con tricks, and it’s important to stay informed and alert.


Having something hacked can be a stressful experience. As well as potential economic costs, there are reputational costs. Whether it is sensitive data being leaked, your site being downgraded by search engines, or your Facebook account being used to send embarrassing messages, the consequences of lapses in security can suddenly become very real when the worst happens. In the case of a hacked website, it can be virtually impossible to fix, since hackers can install sophisticated software to retain control of the server behind the scenes.

There’s no such thing as 100% security, but by bearing in mind some of the most likely exploits, you can at least mitigate the risk.

Could Windows 8 be a bigger flop than Vista?

There’s an interesting article by Gregg Keizer on Computerworld regarding the slow uptake of Windows 8.

In the first four months since the public launch of Microsoft’s new operating system, uptake has risen to 3% of all Windows PCs. That’s a slower rate of uptake than Vista, which managed 4% in its first four months. Vista was widely regarded as a failure, and users held onto Windows XP until Microsoft released Windows 7, less than three years later. The uptake of Windows 7 in its first four months was 9.7%.

Graph showing uptake of Windows 8 below that of Windows Vista, with Windows 7 much higher than both

Source: Computerworld

The big retailers now sell their PCs with Windows 8 pre-installed, so most customers will end up with it by default. That’s whether or not you purchase a touchscreen system. Windows 8 is designed for use on touchscreen systems but since these are still fairly expensive it’s likely that many users will end up with a traditional desktop PC running what is essentially a tablet OS.

The Windows 8 user experience on a traditional PC is pretty awful – it’s like trying to do your work on a mobile phone emulator.