Drupal Association blog: The Drupal Association Supports ICFOSS/Zyxware Back-to-work Programme

The Drupal Association is honored to be included in this month’s cycle of the Back-to-work Programme, an initiative by the International Centre for Free and Open Source Software in collaboration with Zyxware Technologies. Zyxware Technologies is one of our amazing Drupal Certified Partners, and we are excited to contribute to the success of this program for many cycles to come.

The Back-to-work Programme provides Drupal training to women professionals who have been on a career break due to various reasons. This program not only aims to induct them into the talent pool of Drupal developers but also provides an opportunity to reintroduce them to the Free Software community.

The Drupal Association is committed to ensuring that the Open Web thrives and to providing talent and education opportunities to communities who need them most. It is our hope that by supporting ICFOSS, Zyxware, and the Back-to-work Programme, we can continue to expand access to the Drupal community and professional opportunities in the Drupal ecosystem and empower women everywhere in their pursuit of professional equity.

Von R. Eaton, Director, Programs for the Drupal Association, will present to this current cohort on the work being done at the Drupal Association in Open Source, DEI, and talent cultivation on Thursday, 16 March.

We are so excited about this collaboration and are very grateful to have been invited to participate. We look forward to working with Zyxware and ICFOSS to make a positive impact on women in the Drupal community.

Jacob Rockowitz: Providing JSON:API and GraphQL support for the Schema.org Blueprints module

The Schema.org Blueprints module builds content models based on Schema.org's specification for structured data. The generated Schema.org content models are understandable, shareable, and reusable by people, machines, and search engines. To share these content models, we need to expose our data using an API. This post will explore reasonable recommendations for exposing our Schema.org based content inside Drupal to decoupled front-ends and machines.

Currently, in the Drupal community there are two popular API specifications/web services implementations: JSON:API and GraphQL. JSON:API is included in Drupal core and GraphQL is built and maintained as a contributed module. To understand the current state of these different web services implementations, it helps to look back at the history of the decision to include JSON:API in Drupal core and why GraphQL is a contributed module.

In 2019, Dries Buytaert, Drupal's project lead, thoroughly compared REST vs JSON:API vs GraphQL. Dries summarizes the goal of the post.

Dries' conclusion led to the JSON:API module being added to Drupal core.

Philipp Melab, for Amazee Labs, wrote a thoughtful response re-examining the value of GraphQL even though it is not included in Drupal core.

One of Philipp's concerns about exposing Drupal data structure via JSON:API is that the API will contain a lot of Drupal'ism.

Philipp ends his response by stating.

The decision to include JSON:API into Drupal core is very sound. As a backend developer, I found...

Security advisories: Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: Fixed By: 

Security advisories: Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By: Fixed By: 

Security advisories: Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.

Reported By: Fixed By: 
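For triaging a site inventory against the three advisories above, the following added example (not code from the advisories or from the Drupal project) evaluates their "Affected versions" constraints against an installed core version. The function names and the sample inventory are assumptions made for illustration; only the advisory IDs and constraint strings come from this page.

```python
import operator
import re

# Affected-version constraints copied from the three advisories above.
ADVISORIES = {
    "SA-CORE-2023-004": "<7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5",
    "SA-CORE-2023-003": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5",
    "SA-CORE-2023-002": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5",
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}
_TERM = re.compile(r"(<=|>=|<|>|=)(\d+(?:\.\d+){1,2})")


def parse_version(text):
    """Turn '9.4.11' into (9, 4, 11) and Drupal 7's '7.94' into (7, 94, 0)."""
    if not re.fullmatch(r"\d+(?:\.\d+){1,2}", text):
        # Dev and pre-release strings are rejected rather than guessed at.
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def matches(version, constraint):
    """True if version satisfies any '||' alternative (terms are ANDed)."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        terms = alternative.split()
        if not terms:
            raise ValueError(f"empty alternative in {constraint!r}")
        parsed = [_TERM.fullmatch(t) for t in terms]
        if None in parsed:
            raise ValueError(f"bad term in {constraint!r}")
        if all(_OPS[m.group(1)](v, parse_version(m.group(2))) for m in parsed):
            return True
    return False


def affected_by(version):
    """Advisory IDs from this page whose constraint covers the given core version."""
    return sorted(sa for sa, c in ADVISORIES.items() if matches(version, c))


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the page.
    for site_version in ["7.94", "9.3.22", "9.4.12", "9.5.4", "10.0.5"]:
        print(site_version, affected_by(site_version) or "not in affected ranges")
```

End-of-life branches such as 9.3.x fall inside the `>=8.0.0 <9.4.12` range, so they are reported as affected even though no fixed release exists for them.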

Nonprofit Drupal posts: March Drupal for Nonprofits Chat

Join us on Thursday, March 16 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

No pre-defined topics on the agenda this month, so join us for an informal chat about anything at the intersection of Drupal and nonprofits.  Got something specific on your mind? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

  • Join the call: https://us02web.zoom.us/j/81817469653

    • Meeting ID: 818 1746 9653
      Passcode: 551681

    • One tap mobile:
      +16699006833,,81817469653# US (San Jose)
      +13462487799,,81817469653# US (Houston)

    • Dial by your location:
      +1 669 900 6833 US (San Jose)
      +1 346 248 7799 US (Houston)
      +1 253 215 8782 US (Tacoma)
      +1 929 205 6099 US (New York)
      +1 301 715 8592 US (Washington DC)
      +1 312 626 6799 US (Chicago)

    • Find your local number: https://us02web.zoom.us/u/kpV1o65N

  • Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

Community Working Group posts: Call for creators for crafting future Aaron Winborn Awards

The Drupal Community Working Group started the Aaron Winborn Awards in 2015 with the support of the Drupal Association, in honor of long-time Drupal contributor Aaron Winborn (see his Community Spotlight), who lost his battle with Amyotrophic lateral sclerosis (ALS, also referred to as Lou Gehrig's Disease in the US and Motor Neuron Disease in the UK) in early 2015.

A few years ago, during our preparations for the 2018 Aaron Winborn Award, we had the idea that the award would be created by a community member. Rachel Lawson, a former member of the Drupal Community Working Group's conflict resolution team, created hand-blown glass awards for both the 2018 and 2019 winners, Kevin Thull and Leslie Glynn.

In 2020 and 2021, Bo Shipley hand-crafted the award from leather for Baddý Breidert and AmyJune Hineline.

Last year in 2022, the award was crafted for Angie Byron by Caroline Achee and her husband, Louis Achee. Both Caroline and Louis are woodworkers, and often donate their time and skills to community-focused organizations in their local area.

We are looking for community members to volunteer their time and show off their skills for the 2023 Aaron Winborn Award.
We would like to have a design idea or commitment by March 31st (or sooner).
The deadline for this year’s award to be ready is May 22, 2023.

If you are interested in crafting this year’s award (or any following year), please reach out to the Drupal Community Working Group.
 

Community Working Group posts: Nominations are now open for the 2023 Aaron Winborn Award

The Drupal Community Working Group is pleased to announce that nominations for the 2023 Aaron Winborn Award are now open. 

This annual award recognizes an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. It includes a scholarship and travel stipend for the winner to attend DrupalCon North America and recognition in a plenary session at the event.

Nominations are open to all Drupal community members*, including but not limited to people who have made a big impact in their local or regional community. If you know of someone who has made a big difference to any number of people in our community, we want to hear about it. 

This award was created in honor of long-time Drupal contributor Aaron Winborn, whose battle with Amyotrophic lateral sclerosis, or ALS (also referred to as Lou Gehrig's Disease), came to an end on March 24, 2015. Based on a suggestion by Hans Riemenschneider, the Community Working Group, with the support of the Drupal Association, launched the Aaron Winborn Award.

Nominations are open until Friday, March 25, 2022. A committee consisting of the Community Working Group members (Conflict Resolution Team) as well as past award winners will select a winner from the nominations. 
* Current members of the CWG Conflict Resolution Team and previous winners are not eligible for winning the award.

Previous winners of the award are:

2015: Cathy Theys https://www.drupal.org/u/yesct 
2016: Gábor Hojtsy https://www.drupal.org/u/gábor-hojtsy
2017: Nikki Stevens https://www.drupal.org/u/drnikki 
2018: Kevin Thull https://www.drupal.org/u/kthull 
2019: Leslie Glynn https://www.drupal.org/u/leslieg 
2020: Baddý Breidert https://www.drupal.org/u/baddysonja
2021: AmyJune Hineline https://www.drupal.org/u/volkswagenchick
2022: Angie Byron https://www.drupal.org/u/webchick

Now is your chance to show, support and recognize an amazing community member!

If you know someone amazing who should benefit from this award, please submit a nomination.

Also, if you are a creator and would like to help craft one of our future Aaron Winborn Awards, please reach out to the Drupal Community Working Group.