Hi, I'm creating a Drupal 9 custom module, and the module uses a 3rd party API key that the site admin will obtain and enter on the settings page. What's the best practice for storing this data? Is it as a custom configuration entity item? The API key is necessary for the module but that doesn't seem quite right since it's not really config. Thank you!
The best way to approach this is by using the Key module.
It allows you to store your keys in config or files. See also the official Drupal documentation on the module at https://www.drupal.org/docs/contributed-modules/key. Quoted from the project page:
Key provides the ability to improve Drupal security by managing sensitive keys (such as API and encryption keys). It gives site administrators the ability to define how and where keys are stored, which allows the option of a high level of security and allows sites to meet regulatory or compliance requirements.
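One way a custom module can use Key for this, as an added example that is not part of the original answer or the Key project's own code: the settings form stores only the ID of a Key entity in the module's config, and the secret is resolved through the key repository when needed. It assumes the Key module is installed and the admin has already created a key; the names `mymodule`, `mymodule.settings` and `api_key_id` are hypothetical.

```php
<?php

namespace Drupal\mymodule\Form;

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Settings form: the admin picks a Key entity; only its ID goes into config.
 * "mymodule", "mymodule.settings" and "api_key_id" are hypothetical names.
 */
class SettingsForm extends ConfigFormBase {

  public function getFormId() {
    return 'mymodule_settings';
  }

  protected function getEditableConfigNames() {
    return ['mymodule.settings'];
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // 'key_select' is the form element provided by the Key module. It lists
    // existing keys, so the secret itself is never typed into this form.
    $form['api_key_id'] = [
      '#type' => 'key_select',
      '#title' => $this->t('API key'),
      '#default_value' => $this->config('mymodule.settings')->get('api_key_id'),
      '#required' => TRUE,
    ];
    return parent::buildForm($form, $form_state);
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Exported config now holds a reference such as "vendor_api", not the key.
    $this->config('mymodule.settings')
      ->set('api_key_id', $form_state->getValue('api_key_id'))
      ->save();
    parent::submitForm($form, $form_state);
  }

  /** Resolve the secret at call time; returns NULL if the key is missing. */
  public static function apiKey(): ?string {
    $id = \Drupal::config('mymodule.settings')->get('api_key_id');
    $key = $id ? \Drupal::service('key.repository')->getKey($id) : NULL;
    return $key ? $key->getKeyValue() : NULL;
  }

}
```

Where the secret actually lives (config, a file outside the web root, or another provider) is then chosen per key on the Key admin page, without changing the module.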
Related
I am building a simple ASP.NET 5 admin site, using ASP.NET Identity 2 to password protect the actual admin pages. It will be used by 2 to 4 users.
My employer doesn't want me to use a database for various reasons beyond my control. The plan is to store all user info in a text file. When a user needs to be added/removed, a dev will log into the server and update the text file. So users can only login, they can't register, change password, etc.
I would still like to use ASP.NET Identity so I can use the Authorize attribute on my MVC controllers, etc. It also makes it easier to start using a database later on.
I haven't been able to find an ASP.NET Identity provider that uses an unencrypted text file. Does such a provider exist somewhere?
I have not come across text-file storage, but I've seen a lot of samples using some other storage mechanisms. Take a look at this post for samples and have a look at the documentation about implementing custom storage.
In your case I'd store all user objects in a list and then serialise that into a JSON-string that is persisted into a file.
However, it is strongly advised not to use plain text for password storage and to use the provided hashing mechanisms. (I'm sure you are aware of this.) Just point your employer to http://plaintextoffenders.com/ for samples of why it is best not to store plain-text passwords.
While I was trying to understand how ASP.NET Identity works I put together a sample solution where I explore the customization of the provider to use a simple storage.
You can find the code on github.
In the folder Custom.Identity you can see how I've implemented the different classes and managers.
Trailmax has written a lot about it on his blog.
Taiseer Joudeh has written a series of articles which will help you to understand all the pieces involved.
I'm looking to develop a website that collects information that a user provides about their company, analyzes it based on industry trends I've saved into the system, and does something based on the information received (i.e. makes recommendations, creates reports, sends out emails, and/or asks the user additional questions) using my industry knowledge. In addition to needing a rule engine to provide information back to a user, I also will need to initiate workflow tasks that are assigned to my employees, vendors, or back to the user based on the rule engine logic.
I understand the business logic behind my idea, and how to use content management systems such as Drupal. However, I'm not sure how to integrate my business logic, rules based on external market trends, and workflow technology into a content management system I can update as things change. I am looking for a solution that has a user interface to allow me to update the questions required (such as editing content types in Drupal), update my consultative knowledge database, and update the rules on how to apply them without having to hire a programmer when the business landscape changes.
In my research, I understand the Drupal Rules module is not a true Rete rules engine, so I don't believe I can use it.
The concept of combining Drupal's content types (for collecting user information and editing fields), JBoss Drools' rule engine (for creating rules), and salesforce.com's workflow editor (for creating and assigning workflow tasks) is what I'm looking for. Is there anything out there that brings all of this together, in one web-based user/admin solution that can be set up and used similar to Drupal's UI experience? In addition, am I even on the right track as far as the best way to accomplish this?
The Rules module is the de-facto standard Drupal rule engine. Could you elaborate on how it is not fit for your tasks?
A lot of contrib modules support it out of the box (i.e. they provide new actions, event types, etc.). The Maestro module provides a generic workflow engine, with support for various tasks.
I have a question. I am looking at the newly implemented Simple Membership Provider and it suits my needs out of the box. I am, however, a little concerned about this provider as I am looking at creating a custom web application for myself and would like to know the security pros and cons of using it and if there are any best practices for building a secure web application. Is Simple Membership secure? I am a noob when it comes to security.
I recommend not writing your own authentication and session management routines. Security is difficult and any flaws in your design or code could lead to exposure or breaches.
We have used Simple Membership in several web portals that handle PHI (protected health information). Our clients routinely audit our development methods and none so far have considered this a risk. Had we developed our own, they would raise a red flag.
You probably can get further by creating a library class of helper functions to add the features you feel are missing from existing providers, or subclass an existing provider (I don't think they are sealed/final).
In any case, your first step would be to draw up a list of features you want, check to see if an existing provider already does that (for example if you want an XML file provider, one exists on CodePlex), and if none do, either extend or write your own. If you write your own, you would want to make sure that there is another layer of security, like being on an intranet, or local access only or some other layer of defense.
My next assignment is to build 2 information portals for customers. These portals will be login protected sites and contain a set of pages displaying information like orders, invoices, pdf-files ... for the authenticated user (all presented as lists with links to detail pages). The users and the data are stored in an Oracle database. The portals differ in some of the features and in the layout.
My standard approach is to build an individual ASP.net Web Application for every portal.
But this is not the best way to get something reusable. So for these two projects my idea is to create a set of WCF services to get the Data from the Oracle database and to build user controls to display the different elements in Umbraco. This way I hope to get a set of independent, reusable “modules” which can be used to build these portals.
Now my question: is Umbraco a good platform for this type of project? And is my “concept” a valid approach?
Kind regards
Volkmar
Umbraco is very flexible. On the one hand there is the question about security: With Umbraco you can use any Membership Provider you want for all visitors (also with member roles).
On the other hand you have the question of the integration: With Umbraco you can create usercontrols, xslts or razor files as macros (which can be seen as the reusable modules).
For Xslt you can implement your own XsltExtension which pulls the external content as XPathNodeIterator you can use in every Xslt macro. For ascx files or razor you can use LinQ2Umbraco, your own objects etc. to connect to the Oracle database.
You can also use some sort of caching functionality to reduce the db-calls. On the other hand, one of the biggest advantages is that Umbraco stores all the content as xml and object tree in memory. So it is very fast in content rendering. With every database call you are losing a little bit of this advantage.
hth, Thomas
Ruben Verbourgh began the Oracle4Umbraco project to create an abstracted fork for the Datalayer to support running on an Oracle DB. You can find it at http://oracle4umbraco.codeplex.com/, although it has no active releases, so build from source and YMMV.
Volkmar, your concept is perfectly sound - although you might want to consider using the Umbraco data store as the persistence layer for your data rather than in the Oracle DB itself. You get XML content versioning, caching, and all the benefits of the content-management side of things, in a robust and flexible framework which you can expose to other apps later should you so need to, through the Umbraco APIs and web services.
HTH,
Benjamin
Content management of a website becomes simplified with Umbraco.
But if you are planning to use Oracle as backend, Umbraco does not have support for it.
So decide carefully as to what parameters can be compromised.
Good luck.
When my user registers in Drupal and his account is created, I'd like to be able to create an account in a 3rd-party system (e.g. some moodle site).
Is that possible with an existing module? If not, what would be the preferred way to add this functionality?
You'll need to create a new custom module and implement the hook_user().
Specifically, you'll need to support the 'insert' operation, but of course you could add support for many others (such as delete or update) so you can manage users from your Drupal installation as well.
BTW: no existing module will couple exactly with your system, unless you're referring to a 3rd party application - in which case it'd help if you could tell us which one you're using :)
I second Seb's suggestion of using hook_user() for this, either after the fact on the 'insert' action, or upfront on 'validate', or on both, depending on how you need to deal with an eventual failure of Drupal itself or the 3rd-party-system.
Also, given your other question in this context, it looks like you might be interested in the following posts/discussions concerning external authentication in general:
Distributed Authentication changes (A short note/description of changes compared to Drupal-5)
Refactor distributed auth out of user.module (lengthy but informative discussion leading to the current state of things)
External Authentication in Drupal 6 (Some user experiences with the current state)
You might also want to take a look at the OpenID integration in Drupal core as a somewhat 'authoritative' source of examples.
You might also check out the Moodle module for Drupal. I used it a couple years ago and it was kind of a headache, but I'd guess that it's come a long way since then.
Interestingly, they recommend using OpenID to manage users between the sites. That may be easier than implementing your own hook_user instance if you aren't very comfortable writing Drupal modules. Just a thought.