Security

Reasons why I think Drupal is the best CMS out there

Illustrated Rage Guy by Sam Spratt

UPDATE: Turns out the developer has been offline due to illness but is now in the process of addressing these issues. Consequently my original article title "The Monthly Archive module for Drupal has been marked Unsupported and the maintainer doesn't seem to give a rats ass" is unfair in this instance. I have a right to be frustrated, but there are extenuating circumstances. Therefore I have changed the title to more appropriately match the content. Read on...

Drupal is pretty awesome in its own right, but one of the nicer things about it, and probably the main reason I have stuck with it even though it is well known as one of the least user friendly CMS systems out there, is the ability to quickly expand functionality to the site by installing third party modules.

Modules are typically developed by volunteers and submitted to the Drupal community. Once submitted, the developer typically will become a maintainer, and periodically submit updated versions of the module as problems are reported by people who use it. In the event that the maintainer is no longer able to maintain the project, they will try to find another volunteer to take over or they should mark the project as unsupported, especially if there are known issues that have not been addressed.

On February 27th I noticed the Monthly Archive module was subverting the Content Access module I have deployed here, and was also affecting Brigitte's site. Content Access allows anyone contributing to the site to control visibility - in my case I like to use it for privacy purposes or to protect content that is in progress such as The Shroud Eaters of Ian's Hollow.

The (potentially dangerous) security bug in Monthly Archive was that when a certain displayed month was clicked, it would display every submission to anyone, regardless of whether it was supposed to be blocked from view by the Content Access module. So, for sake of example, if a business was using Content Access to protect proprietary information, and only wanted employees to have access to that information, the Monthly Archive module could potentially reveal that information to anyone without checking their access rights, depending on how the site was configured.
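The bug class described above, as an added example that is not the Monthly Archive module's code: a month listing that never consults per-node view grants, next to one that does. The tables are a simplified model of Drupal's `node` and `node_access` tables, and the realm name, role ids and sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

def build_db():
    """Constructed sample data in a simplified node / node_access schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER, created INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
    """)
    ts = lambda day: int(datetime(2012, 2, day, tzinfo=timezone.utc).timestamp())
    db.executemany("INSERT INTO node VALUES (?,?,?,?)", [
        (1, "Public post", 1, ts(3)),
        (2, "Staff-only draft", 1, ts(10)),
    ])
    # Hypothetical realm "example_role"; gid 1 = anonymous, gid 3 = staff.
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?)", [
        (1, 1, "example_role", 1),
        (1, 3, "example_role", 1),
        (2, 3, "example_role", 1),  # node 2 has no grant for anonymous
    ])
    return db

def month_range(year, month):
    """Return [start, end) Unix timestamps for the month, handling December."""
    start = datetime(year, month, 1, tzinfo=timezone.utc)
    end = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=timezone.utc)
    return int(start.timestamp()), int(end.timestamp())

def archive_unfiltered(db, year, month):
    """Flawed pattern: every published node in the month, grants ignored."""
    rows = db.execute(
        "SELECT title FROM node WHERE status = 1 "
        "AND created >= ? AND created < ? ORDER BY nid",
        month_range(year, month))
    return [r[0] for r in rows]

def archive_filtered(db, year, month, role_ids):
    """Corrected pattern: only nodes with a view grant for one of the viewer's roles."""
    marks = ",".join("?" * len(role_ids))
    rows = db.execute(
        "SELECT DISTINCT n.nid, n.title FROM node n "
        "JOIN node_access na ON na.nid = n.nid "
        "WHERE n.status = 1 AND n.created >= ? AND n.created < ? "
        "AND na.grant_view = 1 AND na.realm = 'example_role' "
        f"AND na.gid IN ({marks}) ORDER BY n.nid",
        (*month_range(year, month), *role_ids))
    return [r[1] for r in rows]
```

In Drupal itself a module does not write this join by hand: a listing query is passed through the node access layer (`db_rewrite_sql()` in Drupal 6, the `node_access` query tag in Drupal 7), and a query that skips that step returns rows that access modules meant to hide.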

I reported this issue to Drupal Security, and the maintainer did not respond even with three requests for a response by two different security team members.

As the past month went by, I grew steadily more aggravated. What the fuck? Doesn't this guy care that his module has a big security hole in it? I did the right thing, I reported it to the right place to try to keep people's websites from getting exploited. Seriously, guy...if you can't be bothered to even check your email on something like this and write a reply to the bug report along the lines of "Oh hey, I'm really sorry but like real life is kicking my ass right now, is there anyone else out there who could possibly fix this?" why the hell did you even submit the module in the first place?

Not to mention, if you can't be arsed to maintain it, fucking mark it unsupported so the rest of the Drupal community at least knows. (* sorry about my frustrated language - please see the update at the top of this article)

A deadline for a response from the maintainer was established by the Drupal team for today, and since the maintainer did not respond the module has been marked unsupported and can no longer be downloaded. Anyone with this module installed should get a notification from their website that the module needs to be removed or replaced as a direct result of this status change.

Here's where Drupal gets much cooler than the competition.

Those in charge of these modules at Drupal.org were well within their rights to leave the module marked unsupported, letting various site administrators who use the module scramble for an alternative (if available) or be forced to try to come up with their own custom alternative. I'm fairly sure the staff of other CMS packages wouldn't really care.

However, since there is no alternate module available that provides this monthly archive block functionality, the Drupal team added a link to the module entry with step by step instructions on how to create an alternate Monthly block using the Views module.

So that's what I get to do next. Thank you Drupal!
