Evaluation of Drupal

This is an evaluation of Drupal against GnomeWeb/CmsRequirements, at the test site http://gnomedotorg.ourproject.org/drupal/. Feedback is welcomed, especially from people with Drupal admin experience.


Only testers going through the whole GnomeWeb/CmsRequirements/CmsTest can add their points. You can add your comments on the evaluations made.

Ranks: 0 Not supported - 1 Partially possible - 2 Possible but complex - 3 Possible and easy










Publish static pages

2 - First attempt says 'Page not found'. 2nd attempt appears as news item on the front page.

Sayamindu: This has probably something to do with enabling the pathauto module and with the fact the mod_redirect is not enabled. The page is available at http://gnomedotorg.ourproject.org/drupal/index.php?q=node/5. This was fixed when I disabled pathauto and recreated the page. The appearance as news item can be disabled by unchecking Promoted to front page in the Publish Settings of the edit form. Joachim: Thanks. I figured out the 'promoted' thing but it's not very clear.

Publish news


Define friendly URL of a page, including subdirectories


Sayamindu: The setup at ourproject.org seems to have mod_redirect disabled, so I can't enable clean URLs atm

Publish images in a page


Sayamindu: The normal way to add an inline image is to click on the Add image button (graphical) just below the large text area where the actual content is put in. Attaching an image file is another possible process, but it won't suit our needs

Publish attached files in a page

Publish podcasts / screencasts

Sayamindu: two seperate modules have been enabled for this, video for screencasts (it can use Cortado if required) and audio (this thing uses a flash based player)

Integrate aggregated feeds in a page

Pre-publish a page making it available only to users with editing permissions

Customization of forms for different content types (i.e. case studies)

Set feeds for new content

Track and diff of all changes made

Sayamindu: The diff module has not been ported to 4.7x series of Drupal (if you want, I can try to port it)

Notify that a page has been updated

Revert changes

Display when a page was last updated

Create localizations in the GNOME supported languages

Get language settings from browser

Edit interface strings in all languages

Content as PO files or at least XML import/export

Set links between different versions of the same page

Control version system to detect outdated pages

Visualization of status of translations

Create and edit menus and submenus

Assign pages to menu entires

Stablish relations between pages

Create an automatic sitemap

Sayamindu: I have installed a google sitemap module for this

Assign keywords to pages

Customize homepage to make it look like the mockups

Sayamindu: Needs a new theme

Customize theme to make it look like the mockups

Set different templates for different sections

Search performance (probably to be tested in a big website)

Search results per type of content

Index content in the server not produced by the CMS

Sayamindu: Can http://drupal.org/project/nutch help??

Create new accounts and assign permissions

Set permissions policies

Set permissions at a page/section level

Check documentation for help

Activate caching system

Check statistics

Backup database

Sayamindu: mysqldump

Upgrade new version

Additional comments:

  • Explain here anything relevant not covered by the table above.

CMS Platform

  • Drupal 4.7.3
  • PHP
  • Running on MySQL 4.0 based backend
  • Architecture
    • runs in mod_php


  • robust against attack attempts

Drupal developers seem to take security seriously as the post at http://drupal.org/node/36526 indicates. There have been cases of break in-s at major Drupal powered websites (IIRC, SpreadFireFox was one of them). However, as far as my personal experience goes (there was a time when I was managing around 4/5 drupal powered sites simultaneously), I have not experienced any major security related issues. One just needs to subscribe to the drupal announcement list and upgrade whenever there is a security related release. My only major gripe is that they don't release any patch (in *.diff format, that is) - that would have made my life much easier.

  • - This belongs in the "active in releasing security updates" section, and has nothing to do with it being robust against attack attempts which, as far as I know, is not something we can count on with Drupal -- GuilhermePastore - IMO developers taking security seriously says nothing about if the software is currently robust. Patches are workarounds (proper way of working is to prevent them from happening / auditing every change). Security problems should be avoided to appear in the first case. Breakins makes me question robustness -- OlavVitters - I am also reasonably concerned about the upgradability of Drupal. I do not follow the project at all currently, so it would be great if someone more knowledgeable could say a word about this, but I have had headaches because of that in the past. If for some reason we cannot upgrade Drupal immediately or in a reasonable time frame, for example due to outdated software, such as we have been facing with RHEL3, and other Drupal versions are released meanwhile, how easy and reliable is it to upgrade from x.y to x.y+3 skipping x.y+1 and x.y+2 or even x+1.y? -- GuilhermePastore

  • - Drupal (since version 4.7) has a good upgrade system in place. You can either apply the patch file to update the php code, or download and unpack the new tarball, and then run update.php which will take care of any database changes that may be required between versions.
  • Also, regarding the break-ins ... that was an error in the XML-RPC library that was employed not only by Drupal, but many other PHP based web applications. Since then, the XML-RPC library has been replaced with an in-house version that is better audited and easier to use. -- RowanKerr

  • * some features protected by authentication

Drupal has support for user authentication, and the ACL system works fine for most scenarios (You can different classes of users, who can have permissions over different aspects of the site). Details are athttp://drupal.org/handbook/modules/user

  • - There are a few places where the ability to finely control permissions is limited. For instance, on FootNotes I have wanted to get a large group of people moderating and approving comments. But I cannot give them this permission without giving then permission to modify/delete all existing comments in the entire system -- LukeStroven

  • - The taxonomy_access module might work for your situation. It adds crud permissions to individual taxonomy terms within Drupal. Also, there is the Organic Groups module(s) that might help. -- RowanKerr

  • * option to communicate over a secure channel (SSL)

That's more of an apache related issue - right ??

Theres a module to define secured areas like administration. See http://drupal.org/node/65632 -- StefanAuditor

  • upstream is active releasing security updates

Releases are made regularly, and the response to vulnerabilities is pretty fast. The issue here is not really upstream, it is more the ability of GNOME sysadmins to quickly and promptly be able to apply these patches. The Drupal project has a security mailing list to help keep us informed as issues arise


Drupal can take advantage of Apache's mod_rewrite engine to have support for clean URLs. Example

A module to do this is also available http://drupal.org/project/pathauto. Thanks to Tom Chance for pointing it out.


  • ways to translate CMS strings

Drupal is localisable - but I have no first hand experience - feel free to populate this section

There is a module for Internationalization. See http://drupal.org/project/i18n -- StefanAuditor

  • Not using PO files which means we can't use our status pages and existing tools (DaniloSegan)

  • Asked them about PO Files and revision control: http://drupal.org/node/75364

  • preferably show translators what changed and what needs updating
  • preferably get language settings from browser (Accept-Language) and session (cookies)
  • have URLs to translated pages, so they can be directly referenced


  • a comfortable framework for editing content
    • can be wiki style, but does not have to

There are multiple input filters and editors. See http://drupal.org/project/Modules/category/63 -- StefanAuditor

  • "draft" content, which is already managed in the system, but not yet published
    • translators can do their job before content appears to the public
    • pre-edit text to be published at a specific date and time

There is some kind of workflow integrated in core. Additionally you may define your own by using http://drupal.org/project/workflow -- StefanAuditor

  • perhaps automatically publish on a specific date and time

See http://drupal.org/project/scheduler -- StefanAuditor

  • track who has rights to edit a page

There are different possibilities to do that. See http://drupal.org/project/Modules/category/74 -- StefanAuditor

  • track who did edit a page
  • can display when a page was last updated

This is possible too. -- StefanAuditor

  • perhaps change management, so older version of a page can be recalled

Some kind of revision-system is integrated, theres also a module to show diff http://drupal.org/project/diff -- StefanAuditor

  • copyright and licensing information can be displayed on the pages

See http://drupal.org/node/17497 -- StefanAuditor


  • the served html should be accessible
    • with a wide range of browsers (desktop and mobile)
    • for people with disabilities
  • the markup should primarily capture content structure not representation
    • (i.e. "heading" versus "big bold font")

This is more of a theme issue. See http://drupal.org/node/44661 for more on this.

  • support hierarchical URLs (subdirs)
  • support hierarchical navigation (submenus)

Above two issues are probable addressed viaTaxonomy and the related modules. - Could also be done with the menu module, or ook pages -- RowanKerr

  • preferably have a site map

Have a look at http://drupal.org/project/site_map -- StefanAuditor


  • shall provide feeds (RSS, Atom, etc)
    • news (for visitors)
    • site updates (for content authors)

Drupal generates feeds for almost all content it provides. There is module with a centralized view on all feeds http://drupal.org/project/syndication

  • peferably shall integrate external feeds (e.g. from gnomefiles.org)

Check http://drupal.org/handbook/modules/aggregator


  • shall be themeable to adopt the gnome look

Drupal is themable - and it supports a number of theme engines. We ported the Box Grey theme to look like the older version of www.gnu.org.in and it took us around one hour to do so.

Drupal offers several different theming engines (http://drupal.org/node/509).

  • PHPTemplate - PHPTemplate is the standard being shipped with the latest stable (4.7). PHPTemplate uses PHP as the template language.

  • XTemplate - XTemplate was the standard engine previous to 4.7. It will not supported in future releases.

  • SmartyTemplate - Uses Smarty.

PHPTemplate in particular is very powerful b/c it allows overloading. Each module defines overloadable functions by labeling the function with the "theme_" prefix. These "theme_" functions can be overloaded by defining an equivalent "phptemplate_" function which provides callbacks. Once you create a callback function (there are several defined by default), you can simply create a template file with the node/field/view prefix and PHPTemplate will use the newly created template to display the content.

Issues - Comments

Just thought I would share some of the issues and experiences I have had with drupal on FootNotes over the last few years. - LukeStroven

  • It's dynamic CMS, with it does have a very good caching system, it still generates many pages on the fly which requires a certain amount of horse power to weather the traffic spikes without falling down.
  • It creates a new session everytime someone logs in or for every anonymous visit. I had problems with the database table that stores these sessions growing extremely large within a few days and crashing the table. I ended up adding a cron job to clear these sessions out every few hours for anonymous users and every few days for logged in users.

Session lifetime is easy adjustable via .htaccess or php.ini. See http://php.net/session for this. -- StefanAuditor

  • The cache system works good, but as the cache database grows large, its performance decreases. Here I also had to add a cron job to clear the cache out every few hours so that the performance benifit was still good.

- There are solutions being discussed to improve caching performance in the next version of Drupal. Code freeze is in September. -- RowanKerr

  • Comment Spam - hasn't been a major issue by using captchas and holding anonymous comments for moderation.

There's a nice AntiSpam module, which work for every note-type and uses learning algorythms. See http://drupal.org/project/spam for this. -- StefanAuditor

  • As you add more an more modules to drupal the administration tends to get cluttered. Many modules spread the settings pages under numerous areas in the drupal menu sometimes making it difficult to find the option you are looking for.

- The administration area has been redesigned and will be more task-oriented and clearly organized in the next version. -- RowanKerr

  • The drupal API is very good.
  • Many CMS have horribly designed comment systems that make hundreds of sql queries for each page, killing performance. Not drupal, a page with a comment structure is pulled in one query.

GnomeWeb/CmsRequirements/DrupalEval (last edited 2008-02-03 14:44:51 by localhost)