The drop is always moving

You know that saying about standing on the shoulders of giants? Drupal is standing on a huge pile of midgets
All content management systems suck, Drupal just happens to suck less.
Popular open source software is more secure than unpopular open source software, because insecure software becomes unpopular fast. [That doesn't happen for proprietary software.]
Drupal makes sandwiches happen.
There is a module for that

Good bye

Submitted by nk on Thu, 2015-02-05 00:37

This is the last post this blog sees; professional content will continue to be posted on the Tag1 Consulting blog, personal ramblings will disappear. I already asked for this blog to be removed. I would like to say in closing: the future of Drupal blog post was not meant to be a critique of Acquia, who puts several people full time on Drupal core and contributes more money on top.

The brutal truth about security

Submitted by nk on Tue, 2015-02-03 02:00

I have cared a lot, even too much, about designing secure APIs for Drupal. To create software which made it easy to write secure custom code and hard to write insecure. I placed this in front of other concerns including developer and user experience. Sounds nice, doesn't it? But in truth, I was trying to tend a garden in the nuclear winter. By and large the Internet is so insecure that making it slightly easier to write more secure code is a trifling concern. It is enough that Drupal is not a house of cards security-wise and indeed it is not. Let other concerns win over security in API design. I was wrong. And I am out.

This is the future of Drupal

Submitted by nk on Mon, 2015-02-02 17:36

I got these gems from a person at Acquia. I followed up with someone supposedly higher up in the chain but never got an answer. Needless to say I was just an expert helping [redacted] and not someone who makes the decisions for them:


Our colleagues have previously spoken regarding [redacted] web properties. I’m reaching out to introduce myself and see if it would make sense to discuss your web plans for 2015.

static methods

Submitted by nk on Fri, 2015-01-09 05:27

Here's something I learned from Wim Leers: the static keyword has a bad rep in PHP but that's because static variables can be problematic. Static methods, especially protected static methods, on the other hand, are useful to indicate and enforce that a method does not change the state of the object.

Where does migrate in core stand?

Submitted by nk on Thu, 2014-11-20 22:48

Migrate is horribly broken! Migrate works awesome! Both are true. (Yes!) So Keith Dechant reported migrating a live Drupal 7 site to Drupal 8. Melissa Anderson is migrating a Drupal 6 site and gets mostly bugs. How is this possible? Well, Keith was coding his way around bugs, not just using what core provided (this should be obvious since we do not yet provide Drupal 7 sources in core) and Melissa had a site builder approach to it.

Drupal 8 critical issues office hours November 14, 2014

Submitted by nk on Wed, 2014-11-19 18:27

cilefen began to work on the "When a content entity type providing module is uninstalled, the entities are not fully deleted, leaving broken references" issue. It turned out that a necessary dependent issue is already being worked on, so he was able to proceed well. I am reasonably confident this issue will get resolved in due time.

Adding comma separated username autocomplete to a D7 form

Submitted by nk on Mon, 2014-11-17 21:20

Today I needed to add autocomplete to a field that could contain comma separated usernames and obviously the requirements included autocomplete. I thought this problem must be solved already in the ecosystem and sure, Views has it already. So I have added '#autocomplete_path' => 'admin/views/ajax/autocomplete/user', '#element_validate' => array('my_module_usernames_validate') and then

function my_module_usernames_validate(&$element) {
  if ($values = drupal_explode_tags($element['#value'])) {
    // Good thing Views doesn't use the native constructor.

MongoDB and Drupal 8: what and why?

Submitted by nk on Sat, 2014-11-01 15:22

Now that we have a fairly good idea how Drupal 8 and data look, let's discuss what MongoDB can provide and why you would want to run it. In Drupal 8, every kind of data can be stored independently. I fully expect that people will indeed mix storages. For example, D8 by default runs a config query on every page to find the blocks to be displayed for the current theme. Again, by default, config entities are stored as serialized PHP arrays, so the only way a query like that can run is to load every single block entity from the database and iterate over them.

Drupal 8 critical issues office hours Oct 24, 2014

Submitted by nk on Sat, 2014-10-25 20:46

This was our first critical office hours. webflo has forward-ported a Views SA (turned out that Twig autoescape made short work of the security hole -- yay! so now it's just a test) and even past the office hours followed up with a patch that now passes. I will monitor the issue further and make sure it gets reviewed and committed.

Following up on Doctorow's keynote

Submitted by nk on Fri, 2014-10-03 02:14

You will often find the less you are allowed to do with a computer the more user friendly it seems. This is hardly a coincidence. You need to make your decisions on how much inconvenience you are willing to take in exchange for your freedom in computing. The first and most important step is to make these decisions deliberate. Perhaps after the keynote this necessity is clear.