Hey, guess what, as someone in charge of corporate security for a web development shop, I am not cool with this. I am like totally not cool with this.
I'm not talking about you sharing your personal Netflix account with friends and family (who may not be as security savvy as you are). I'm talking about building systems that tightly couple user and resource or charge for additional accounts, thereby encouraging the user to share his or her credentials!
Do you want your website's users to log in? For certain types you would, but often there is no need. The Ibuildings website does not allow you to register an account and log in. Why would it?
However, by default Drupal 8 (and earlier) considers logging in on /user part of the frontend theme. This means that either you have to theme it or accept a horribly broken login page.
Or you could convince Drupal to apply the admin theme to user pages.
Developers love object-oriented code. But how can this be achieved with Drupal 7 entities?
This is the first blog post in what will hopefully become a new series where we look at old Drupal 7 & 8 security advisories (published at least 3 months ago, so they should be patched everywhere) and try to learn from the mistakes of others.
As a first post I'd like to pick an older vulnerability, one I've used in presentations to demonstrate how hard it can be to properly apply HTML encoding for Drupal.
In the previous parts of this series we looked at how to get rid of complexity at the level of algorithms. After discussing the problem of nulls in your code, we looked at object lifecycles and how to encapsulate them properly. Now that we have objects that can be constructed and changed only in valid ways, we need to look at how they communicate with each other and how we can improve our code with regard to that aspect.
In the first part of this series we looked at ways to reduce the complexity of function bodies. The second part covered several strategies for reducing complexity even more, by getting rid of null in our code. In this article we'll zoom out a bit and look at how to properly organize the lifecycle of our objects, from creating them to changing them, letting them pass away and bringing them back from the dead.