06 August 2012
New spam content posted

Rules is an especially useful Drupal module for all kinds of tasks. One use you might want to put it to is providing admin notifications of certain events on your site, e.g. user registrations (covered in the previous post) and the creation of new comments and content by “untrusted” users (assuming your use case allows them to create any content at all). For some use cases, you may wish to put strict limits on the creation of user accounts and content, but for the purposes of this article we are assuming you are administering a Drupal site where you want to encourage growth and community involvement, so you might allow anonymous users to comment on posts (albeit likely with the rel="nofollow"* attribute added to their links). And you might also allow users to create and confirm their own accounts and then create some types of content (e.g. forum posts, bug reports, etc). The downside is that you’ll need to be vigilant about squashing all the spam this policy invites (or the flow of new spam will quickly increase and be damaging to your SEO efforts), but on a site with only moderate traffic you should be able to manage this without a lot of trouble. This post covers using Rules to provide notifications of new comments and content. If you keep a close eye on user registrations and immediately block the user accounts which follow a pattern like other spam accounts you’ve removed (i.e. accounts likely created with the help of a “spambot”), you can eliminate almost all of the spam that requires use of an authenticated user account.

Adding rel equals nofollow to Drupal Links

*Adding rel="nofollow" to links posted in “Filtered HTML”, presumably the only text format you allow for “untrusted” users, is simple, but well worth doing if you allow “anonymous” or newly-registered “authenticated” users to make any kinds of posts on your site. In Drupal 6, go to admin/settings/filters/1/configure and select the “Spam link deterrent” checkbox. In Drupal 7, go to admin/config/content/formats/filtered_html and find the vertical tab near the bottom labeled “Limit allowed HTML tags”, where the same feature is enabled with a checkbox labeled “Add rel="nofollow" to all links”.

Getting back on topic, the three events we want to create Rules for are:

  1. New user registered (done, see previous article)
  2. New comment posted by “untrusted” user (described below)
  3. New content posted by “untrusted” user (also described below)

In each case, we simply want to send an HTML email* to notify at least one member of staff (anyone with the admin role and, in the case of comments on blog posts, we might want to also email the article’s author.) As with the past installment in this two-part series, this article does not cover configuring your server for sending mail nor setting up HTML mail, but we use Mime Mail for the “send HTML mail” versions of the exported code you’ll find attached. (See attachments to this article for code you can use to import these Rules into your own system—you’ll possibly need to tweak them a bit, but they could save you some time.) Where screenshots are included, we’ll display the Rules administration interface in both Drupal 6 and Drupal 7, side-by-side, since there are some differences that might otherwise lead to confusion. So this article should be helpful for administrators of both Drupal 6 and Drupal 7 sites.

In every case, creating a new rule starts by going to the “add rule” page:
D6: admin/rules/trigger/add
D7: admin/config/workflow/rules/reaction/add

Notify Admin (and/or content authors) when new comments are posted

This rule sends an (HTML or plain text) email which includes the comment title and body, along with a link to quickly edit it. Here at Cocomore, rather than delete comment spam, we’ve been unpublishing the comments so we can still observe patterns. So we don’t get an email for each of our own responses to comments, we configure the rule to only notify us when “untrusted” users (i.e. any users who don’t have a “staff” or admin role) post comments.

05 July 2012
New Spammer Registered

Rules is an especially useful Drupal module for all kinds of tasks. One use you might want to put it to is providing admin notifications of certain events on your site, e.g. user registrations and the creation of new comments and content by these “untrusted” users (assuming your use case allows them to create any content at all). I recently created such rules to help monitor the creation of users, content, and comments on drupal.cocomore.com/.de. Since we use the Project module (and supporting code) to host and track issues on some Drupal modules, we allow users to create accounts and “Issue” nodes. But there hasn’t been much recent change to the modules we host, so most of the “users” turn out to be spamming scumbags who post “issues” with links to questionable sites (you know the type). Since we allow anonymous users to comment on our blog posts, we also get our fair share of comment spam, but a tricky Captcha (we’re using Riddler, these days, to filter out visitors who don’t know or can’t take the time to search the answers to simple Drupal trivia questions) helps keep comment spam to a minimum. Keeping vigilant about stomping out spam is important since leaving spam published looks unprofessional and is bad for SEO… and since it also attracts more spam (spammers see that your site leaves spammy links in place); but of course it’s also important to keep an eye on the valid posts, too, and to respond to them in a timely fashion.

So we will assume that you have a site without a massive flow of new user registrations or new content and that you want to be alerted with some useful information whenever these events occur so that you can take appropriate action (block users and clean out the spam… or respond to valid content/comments). This article will lead you, step-by-step, through the creation of three different rules on both Drupal 6 and Drupal 7 -based sites, identifying particular set-up differences between these versions of Drupal/Rules. The three events we want to create Rules for are:

  1. New user registered
  2. New comment posted (by non-staff user or “untrusted” user)
  3. New content posted (again, by some kind of “untrusted” user)

In each case, we simply want to send an HTML email* to notify at least one member of staff (anyone with the admin role and, in the case of comments on blog posts, we want to also email the article’s author.) This article does not get into the various particulars of configuring your server to be able to send mail; there are a number of factors which might differ from server to server and it’s not really within the scope of a Drupal-related article.

*Note: This article also does not cover setting up HTML mail, but some modules, such as Mime Mail help make this a relatively pain-free process and provide a “send HTML mail” action for Rules. Adding specialized modules is probably not justifiable if you don’t plan to use HTML mail for anything more than admin notifications, but if you want to email users, such modules can help you create much more attractive and useful emails.

In every case, creating a new rule starts by going to the “add rule” page:
D6: admin/rules/trigger/add
D7: admin/config/workflow/rules/reaction/add

Notify admin when a new user registers

This is a simple rule which sends an HTML email with a link to a new user’s profile, along with their username. If you allow users to register themselves on your site, you will likely notice patterns that persistent spammers follow and be alert enough to just block the most suspicious user accounts before they even start spamming your site. I won’t specify the suspicious patterns I’ve been reacting to here (I don’t want to teach spammers how to be sneakier or more effective), but if you have a spam problem, you probably already know the patterns or will quickly recognize them.

04 June 2012

It’s considered “best practice”, if a module creates any variables, to delete those variables in the module’s uninstall function. Before Drupal 7, this was done in a call to db_query(). But with the “new” DBTNG (Drupal 7 Database API), using db_query() is no longer recommended. See the documentation for db_query():

Do not use this function for INSERT, UPDATE, or DELETE queries. Those should be handled via db_insert(), db_update() and db_delete() respectively.

However, browsing through (a relatively small set of) Drupal modules I have for my local Drupal 7 installations, I still see a number of modules which are using db_query to delete variables, typically something like this:

<?php
  db_query("DELETE FROM {variable} WHERE name LIKE 'some_module_%'");
?>

Let’s rewrite this fictional module’s call to db_query() to instead use db_delete():
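One way the rewrite could look inside the fictional module’s uninstall hook, as an added example rather than the article’s own code (the file name some_module.install and the cache-clearing step are assumptions about how the module is laid out):

```php
<?php
/**
 * Implements hook_uninstall() for the fictional module "some_module".
 * Added example; belongs in some_module.install on a Drupal 7 site.
 */
function some_module_uninstall() {
  // In a LIKE pattern "_" matches any single character and "%" any run of
  // characters, so the raw pattern 'some_module_%' would also match names
  // such as "some_modulex_setting" that belong to another module.
  // db_like() escapes the wildcards in the literal prefix; only the
  // trailing "%" is left as a wildcard.
  $pattern = db_like('some_module_') . '%';

  // db_delete() takes the bare table name (no curly braces) and binds the
  // pattern as a placeholder instead of embedding it in the SQL string.
  // execute() returns the number of rows removed.
  $deleted = db_delete('variable')
    ->condition('name', $pattern, 'LIKE')
    ->execute();

  // Variables are cached in the bootstrap cache bin; clear it so the
  // deleted values do not linger until the next cache rebuild.
  cache_clear_all('variables', 'cache_bootstrap');

  return $deleted;
}
```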

20 April 2012

How do I allow a user to create other users?

It’s a pretty common use case which requires a non-admin user role that can create other users for a Drupal site and I’ve frequently seen questions about how to best implement this. I recently also saw the suggestion to simply create a role with the 'Administer users' permission. At first blush, it might seem to work; if that’s the only “administer” permission they have, users with this role can only create basic users with the role “Authenticated user”, they cannot edit the user to add any other roles or upgrade their own role directly. In limited situations, this might even be appropriate.

Drupal’s “administer users” permission: users with the administer users permission can edit any other user on admin/people.

What might not be immediately apparent, however, is that a user with this permission can edit any other user’s account… and I do mean any. This means that, if their intentions are not pure, a user with this role could easily change the password (or any other fields) on a more privileged user, even user/1, and then log into that account. Once they’ve done that, there is really no limit to what they could do to your site. Even if they have no means to add modules, ones which might be used for particularly nefarious purposes, if you have a module like Backup and migrate available, they could download your database with all sensitive user data; and even if this module is not available to them, you most likely have Views, which they could also use to harvest all user email addresses or other private data fields. And then they could easily cover their tracks, too. If they don’t do anything obvious (like deface your site or start sending spam from it), and only change the password on the admin account, you might be puzzled by why you cannot log in with your normal password, and follow the normal procedure to reset your forgotten password, then forget all about it. Meanwhile, your “user moderator” has collected lots of sensitive data from your site and still has the means to do it again one day.
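To see which roles and accounts currently hold this permission on a Drupal 7 site, the following added example (not from the original article) builds a short report. The function name example_audit_administer_users() is hypothetical, and the code assumes a bootstrapped Drupal 7 environment, for instance a script run through drush php-script.

```php
<?php
/**
 * Lists every role granting 'administer users' and the accounts holding it.
 * Hypothetical helper for a review of the permission discussed above.
 * Note: uid 1 bypasses permission checks and is not listed unless it also
 * has one of the reported roles.
 */
function example_audit_administer_users() {
  $report = array();

  // user_roles(FALSE, $permission) returns rid => role name for each role
  // that has been granted the given permission.
  foreach (user_roles(FALSE, 'administer users') as $rid => $role_name) {
    if ($rid == DRUPAL_ANONYMOUS_RID || $rid == DRUPAL_AUTHENTICATED_RID) {
      // The built-in roles are not stored in {users_roles}; a grant here
      // applies to every visitor or every logged-in account.
      $report[$role_name] = array('ALL users with the built-in role');
      continue;
    }

    // Collect the members of this role.
    $uids = db_select('users_roles', 'ur')
      ->fields('ur', array('uid'))
      ->condition('ur.rid', $rid)
      ->execute()
      ->fetchCol();

    $members = array();
    foreach (user_load_multiple($uids) as $account) {
      $state = $account->status ? 'active' : 'blocked';
      $members[] = $account->name . ' (uid ' . $account->uid . ', ' . $state . ')';
    }
    $report[$role_name] = $members;
  }

  return $report;
}

// Print one line per role so the result can be reviewed or diffed later.
foreach (example_audit_administer_users() as $role => $accounts) {
  print $role . ': ' . ($accounts ? implode(', ', $accounts) : 'no members') . "\n";
}
```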

08 March 2012

At the latest Rhein-Main region Drupal meetup, and then at the recent DrupalCamp in Essen, I gave presentations about installing and configuring the latest version of the Eclipse IDE (Eclipse Indigo / 3.7.x) for Drupal development, with coverage of commonly-used plug-ins, and identified some features which enhance a Drupal development workflow. This article is related to that presentation and covers some tips for the PDT (PHP Development Toolkit), productivity shortcuts, and configuration requirements for coding in accordance with Drupal standards. The Aptana Studio (as an Eclipse plugin) is not covered in great depth; much of it differs from PDT and PDT-supporting plugins, so it may be covered in a separate post.

Disclaimer: I am not an expert Eclipse power user, nor am I a Drupal development expert, however I have taken the time to look at the latest developments and to experiment, so while this material might be especially helpful for people new to Drupal development who are just starting to use Eclipse and configuring it for the first time, I hope that even experienced Eclipse users may find some useful tips in this article. Before I started my internship for Cocomore, back in October 2010, I think I’d used Eclipse for one course in Java development, but it had been some years, and since then I’d used NetBeans in other courses, but whenever possible I still used my editor of choice, TextMate, which I still find most useful for those times when I just want to make a few simple edits. But there are times when a full-fledged IDE is the right tool for the job and when that’s the case, it helps to have your IDE properly configured and to be proficient in its use. Writing this guide has helped improve my knowledge of Eclipse and I hope reading it will help yours.

Eclipse configured for Drupal development

This article is long enough I could have broken it into separate pages in a Drupal “book”, but I’ll provide some quick links for those who just want to jump to a particular topic. So the following is a brief outline of this article:
  • Some Pros and Cons of Eclipse
  • Installing Eclipse
  • Eclipse Plugins useful for Drupal Development
  • Uninstalling Eclipse plugins
  • Configuration of Eclipse for Drupal Coding Standards
  • Drupal templates for Eclipse
  • Creating custom templates
  • Keyboard shortcuts for a better workflow

25 January 2012

Installing Tomcat6 and Apache Solr

Installation procedure

While there are several ways to install Tomcat 6 and Apache Solr, we will use the repository version to gain the benefit of automatic updates.

What is needed:

  1. Tomcat6 as Servlet container

    sudo apt-get install tomcat6
    sudo apt-get install tomcat6-admin

  2. Apache Solr Search Server

    sudo apt-get install solr-tomcat

Once everything has been correctly installed, you should see the message, “It works!” at http://localhost:8080 and “Welcome to Solr!” at http://localhost:8080/solr/

Configuring Tomcat 6

In the default Tomcat installation, no privileges are created for the Tomcat Manager, so in order to make use of the Tomcat Manager GUI, we still have to create the proper role and a corresponding user.

28 October 2011

Some time back, I promised another short article in the WYSIWYG set-up series for Drupal 7, one which covers BUEditor. First, we should note that the BUEditor is not actually “WYSIWYG”, but it offers some nice features which might make it a bit better than the WYSIWYG options, depending on your use case. It also does not integrate with the Wysiwyg module. You add it separately (and instead of Wysiwyg), but it does have some great supporting modules and code libraries. This article covers some of the basics about use and installation of the BUEditor on a Drupal 7 site (most of the information applies equally to Drupal 6, where the BUEditor module is also available). I’ve also got some good tips for some ways to extend the default button-set. (And you can download my modified button code here to easily import the buttons into a new editor profile.)

20 October 2011

As part of the Knowledge Lab at Cocomore on 2 September, 2011, I outlined how to use Jenkins to implement Continuous Integration for a Drupal-based project.

06 October 2011

This article covers the configuration and use of IMCE (and related modules) to integrate uploading and inserting images within your Drupal content. We assume you are using either TinyMCE or CKEditor with the Wysiwyg integration module, but in a separate post we will cover using IMCE with the BUEditor, a simpler text editor which also works well with Drupal. Note: This article uses Drupal 7, but most of the tips should also be helpful if you are configuring a Drupal 6 site for the same functionality. Indeed, this site is still running on Drupal 6 and also uses a Wysiwyg-integrated CKEditor, IMCE, the Image resize filter, and Lightbox2.

18 September 2011

In Drupal, there are actually a number of ways to add a WYSIWYG editor to a text area. The new “Drupal way”, used on over 150,000 Drupal sites and arguably not so “new” anymore, is to use the Wysiwyg integration module, which has support for several of the editor libraries. I would personally suggest using it, if your needs can be met by it, since it's becoming more and more powerful and offers a fair bit of flexibility to easily change the configuration or editor used. That said, there may still be reason, in Drupal 7, to use one of the single-library integration modules, such as the still-popular CKEditor project. The TinyMCE integration module development has already been abandoned in favor of Wysiwyg, but it's good to have alternatives. Note: In this post, we assume you already know your way around Text formats. Text format configuration can be one of the most tricky parts of properly setting up your WYSIWYG experience, so if you don't already feel you know your way around this common stumbling block, be sure to read our recent post about Text formats / Text filters, too. This article is a companion-post to that one, but it also includes some degree of overlap, since when we turn on the Lightbox and Image Resize Filter modules, we have new filters we'll want to use in some text formats and we will want to pay attention to the order in which they are applied, so we will briefly revisit this topic here.