We are in desperate need of a legislative solution to the identity theft problem. I live in Massachusetts, which currently provides little protection for me. It is quite likely that my records and yours are publicly available. Organizations have reported 88 million stolen records in the past 15 months.


I published two nice features today to the organic groups module.

  • XML-RPC API. A remote system may now interact with og and retrieve all subscribers of a given group, all subscriptions for a given user, and subscribe a user to a group. The motivation for this was integration with Leo Burd's amazing voip module. Leo gave me a demo this morning and I loved it. He wants to voice enable groups just like he already voice enables the usual Drupal site. Leo is a bit busy with his 2 week old baby and his looming thesis deadline. But he promises to publish the module soon.
  • OPML. OG offers each user an OPML file of his subscriptions. See the blue icon on the My Groups page for an example (requires login).

UPDATE: I just had to add a conf_init() call before that line to get this working again. Odd.

Drupal 4.7 added a session_regenerate() call which makes it harder to stay logged into multiple sites on the same domain. That call is essential for preventing session fixation attacks, so I'd rather not comment it out, even on dev sites. My fix is to add the following line to the bottom of settings.php:

conf_init();
ini_set('session.name',  preg_replace("/[^a-z\d]/i", "", $GLOBALS['base_url']));

This line changes the session cookie's name from PHPSESSID to a name based on the name of your settings.php directory path. That path should be unique enough to prevent these cookie conflicts. The preg_replace() is there to strip out all non-alphanumeric characters, since those are invalid in a cookie name.

Also see "Cannot stay logged in on more than one site on the same server".


I’ve recently learned that our new api.drupal.org web site does have a quick search feature like the old one. The path for this feature is a bit obscure. The key is the path apis, not api. For example, here is a search for module_invoke.

One annoying buglet is that an exact match is not preferred over a substring match, so it is impossible to go directly to the doc page for url(). A patch for api.module is welcome.

I've made a web search entry in my Quicksilver and a smart keyword in Firefox for this. And I installed api.module locally so I am about as optimized as one can get for this.


The private files system in Drupal is OK for minor usage but does not scale well. The performance problem (yeah, there are non-performance problems too) is that every private file request requires a full bootstrap of Drupal, which means that all the modules must be loaded and parsed. Now imagine that your site becomes very popular and you have 100 images on your home page that all require this bootstrap. This is not theory - it happened recently on one of our (Bryght) sites. The server was quite stressed.

I'm thinking that temporary URLs are our only hope here. Basically, I propose that all links to private files have tokens on them. When one of these image requests is found, the token is checked for correctness and the image is served. The token is tied to the user's session ID. Drupal need not even make a database connection.

The annoyance with temporary URLs is that they are temporary. You can't just stick one in your HTML and expect it to work forever. So, I propose that we have a placeholder syntax like [[file_path|images/fire.jpg]] wherever we want an image inside of a node or other textarea. Then the filtering system translates this at render time to a valid temporary URL. This scheme will properly show images during preview, but not in a WYSIWYG editor like TinyMCE.

One big downside to this is that any node with a private file reference can't be cached in the filter cache. This may or may not be a big problem, and may or may not be solvable. We need some more minds on this issue.

Update

UnConeD came up with a couple of improvements which remove the need for the filter tokens and solve the WYSIWYG problem. We use current private file urls during compose. Those are working urls, and when WYSIWYG sees them, they work as expected. The filter system then transforms those urls into temporary urls at rendering time. This is a brilliant improvement, since we have effectively made this change transparent to all current Drupal modules and such. Old urls will still work. But Drupal will never vend them except during a compose situation.

The filter cache problem remains unsolved. Actually, I've learned that it is worse - all text written in this input format can't be cached - regardless of whether it uses temporary urls. I'm thinking that we have to direct posts with these urls into their own 'nocache' input format(s). Maybe each input format on a site has a mirror one that has temporary urls enabled? Sounds dirty.
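A sketch of the temporary-URL scheme proposed above, combining the session-bound token check with the render-time URL rewriting from the update. It is an added example in modern PHP (7+), not code from Drupal or from this post; the function names, tempfile.php, the secret, the 300-second lifetime and the system/files/ URL shape are assumptions.

```php
<?php
// Added sketch, not Drupal code: every name below is hypothetical.
// Assumption: a server-side secret shared by Drupal and the file script.
const FILE_KEY = 'constructed-demo-secret';
const FILE_TTL = 300; // seconds a temporary URL stays valid (assumed)

// MAC over expiry, path and session ID, so none can be swapped afterwards.
function file_token(string $path, string $sid, int $expires): string {
  return hash_hmac('sha256', "$expires\n$path\n$sid", FILE_KEY);
}

function file_temp_url(string $path, string $sid, int $now): string {
  $e = $now + FILE_TTL;
  return '/tempfile.php?' . http_build_query(
    ['f' => $path, 'e' => $e, 't' => file_token($path, $sid, $e)]);
}

// What the lightweight script runs per request: no bootstrap, no database.
// In production $q would be $_GET and $sid the session cookie's value.
function file_check(array $q, string $sid, int $now): bool {
  foreach (['f', 'e', 't'] as $k) {
    if (!isset($q[$k]) || !is_string($q[$k])) return false;
  }
  // Refuse empty or absolute paths, traversal and NUL bytes.
  if ($q['f'] === '' || $q['f'][0] === '/' || strpos($q['f'], '..') !== false
      || strpos($q['f'], "\0") !== false) {
    return false;
  }
  $e = (int) $q['e'];
  return $e >= $now && hash_equals(file_token($q['f'], $sid, $e), $q['t']);
}

// Render-time filter: swap stored private-file URLs for temporary ones.
// Assumption: private files are linked as system/files/<path>.
function file_filter(string $html, string $sid, int $now): string {
  return preg_replace_callback('#\b(src|href)="/?system/files/([^"]+)"#',
    function ($m) use ($sid, $now) {
      $url = file_temp_url(html_entity_decode($m[2]), $sid, $now);
      return $m[1] . '="' . htmlspecialchars($url) . '"';
    }, $html);
}

// Constructed demo: one stored node body, checked under three conditions.
$now = 1700000000;
$out = file_filter('<img src="/system/files/images/fire.jpg">', 'sess-alice', $now);
preg_match('#\?([^"]+)#', $out, $m);
parse_str(html_entity_decode($m[1]), $q);
var_dump(file_check($q, 'sess-alice', $now + 60));   // owner, within lifetime
var_dump(file_check($q, 'sess-mallory', $now + 60)); // different session
var_dump(file_check($q, 'sess-alice', $now + 301));  // after expiry
```

Because the check never consults the sessions table, a URL issued to a session that has since logged out keeps working until it expires, so the lifetime is what bounds that exposure. The filtered markup is also specific to one session, which is the reason it cannot go into the filter cache.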


Interest in the organic groups module continues to swell. This module lets users form interest groups on their website. Those groups can then post messages and collaborate on their shared interest. Zack posted a fine screencast about og and its helper modules.

Recently, I've seen some pretty deployments at Goodstorm and ProjectOpus. Universities like Calgary seem to love it too.

Here are the projects I'm planning for Organic Groups. If you are interested in funding any of them, please contact me.

  • Unit testing. I have contracted with Thomas Ilsche to write unit tests for og. He wrote a bunch of tests last summer as part of the Google Summer of Code project. I'm sure some people don't know that Drupal has a pretty nice unit testing framework based on Simpletest. There are some good ideas floating around about how unit testing fits into the Drupal project.
  • Views module integration. Two of the key pages provided by og are the groups directory page and the group home page. Each site wants to present these pages a bit differently. Both the Goodstorm and the ProjectOpus links above illustrate this need. Og currently provides themeable functions for customizing these pages, but a coder is required to customize. I'm planning to rip this code out of og and rely on Views module to provide them instead. Views is a terrific tool for non-coders because they can easily customize how these "list of nodes" pages get displayed.
  • ACL module integration. Earl just wrote a nice access control list module which other modules can use to provide private nodes. The module is brand new, but has lots of potential. The best end user benefit to switching over to this module is that sites can safely run multiple node access modules.
  • Group vocabulary. webchick will be working on implementing private taxonomies for each group.

 Img L E Legnangel Ciko

This guy kicks so much eccentric ass I don't know what else to say. Stunningly small and gorgeous figures.

Yahoo has shared their Design Pattern Library with the world. That's quite a gift; I bet there are thousands of hours of user interaction expertise summarized here. Thanks!

One of my contributions to the Drupal project is the bootstrap. This is the part of the code which executes at the very beginning of each request. Since this code executes even for cached pages, we optimize it as much as possible.

Anyway, I just learned that this term derives from

a German legend about Baron Münchhausen, who was able to lift himself out of a swamp by pulling himself up by his own hair. In later versions he was using his own boot straps to pull himself out of the sea which gave rise to the term bootstrapping.

Details


In Drupal 4.7, we access the url_alias table very often compared to 4.6. This was a wise decision for performance reasons, but it is annoying to see the devel.module query log cluttered with these queries. The solution is simple: empty your URL alias table and Drupal becomes smart enough to access it only once. This query will do it:


DELETE FROM url_alias


About

Moshe Weitzman is a long time Drupal developer (since 2001). He manages groups.drupal.org and the Organic Groups module. His tiny company, Cyrve, specializes in data migration into Drupal. Read about his past projects (e.g. NY Observer) and contact him.

Moshe lives in Boston USA with his wife and 2 girls.
