Cutting corners from a wheel -

Date post: 08-May-2015
Upload: kauselot
Description:
Forkito ACL presentation at J and Beyond conference 2011
Transcript
Page 1: Cutting corners from a wheel -

FORKITOK

CUTTING CORNERS FROM A WHEEL

// Forkito ACL //

Page 2: Cutting corners from a wheel -

// Cache types coverage //

FINAL GOAL

Easy to use and understand ACL system

Reusable ACL library compatible with most widespread Joomla based projects

Page 3: Cutting corners from a wheel -

FORKITO ACL FLAVORS

- Joomla fork flavor (working - oh yeah)
- Molajo flavor (in progress)
- Nooku flavor (planned)

Page 4: Cutting corners from a wheel -

JOOMLA FLAVOR FORK

Page 5: Cutting corners from a wheel -

JOOMLA FLAVOR FORK

Did he really say that?

Page 6: Cutting corners from a wheel -

JOOMLA FORK FLAVOR

Starting point for the whole project.

Used as proof of concept

Page 7: Cutting corners from a wheel -

Joomla fork form == contains changes to 70+ files due to poor Joomla ACL implementation in application layer

Joomla - ACL hardcoded everywhere

revision 7

Page 8: Cutting corners from a wheel -

COVERED PARTS

New forkito ACL library

Joomla library methods are changed to proxies to the new library methods

Includes internal methods that take care of backwards compatibility with old Joomla ACL

Page 9: Cutting corners from a wheel -

COVERED PARTS

Web application framework layer
- categories
- menus
- modules
- plugins

Mainly changes to multiple items queries

Page 10: Cutting corners from a wheel -

COVERED PARTS

Application
- Backend components: com_categories, com_menus, com_modules, com_plugins
- Content components: com_content (back and frontend)
- Pagenavigation plugin

Contains changes to 37 php and 15 xml files, most extensive changes to com_users and com_content

Page 11: Cutting corners from a wheel -

WHERE CAN I GET IT

git clone git://git.forkito.org/forkito

Page 12: Cutting corners from a wheel -

MOLAJO FLAVOR

Page 13: Cutting corners from a wheel -

Completely new classes

Where most development goes at the moment

The most important part

Page 14: Cutting corners from a wheel -

Molajo - web application layer will be completely redone together with components - layer includes hooks for ACL plugins

Just a few library overrides (JUser, JCategories, JMenu … )

Joomla compatibility methods removed – extension either uses Joomla or Forkito ACL

?

Page 15: Cutting corners from a wheel -

Molajo - web application layer will be completely redone together with components - layer includes hooks for ACL plugins

Just a few library overrides (JUser, JCategories, JMenu … )

Joomla compatibility methods removed – extension either uses Joomla or Forkito ACL

?

yes, it can be done

Page 16: Cutting corners from a wheel -

NOOKU FLAVOR

Page 17: Cutting corners from a wheel -

Will come after Molajo flavour

It is expected that only minor changes will be needed in Forkito ACL for it to work with the Nooku framework.

Forkito will represent an addon library here

Page 18: Cutting corners from a wheel -

Unified ACL

// Forkito to Joomla ACL comparison //

Page 19: Cutting corners from a wheel -

REMOVED VIEW ACCESS LEVELS AND ADDED VIEW TO ACTIONS

50% less user effort needed, 50% less complicated.

View == action

No need for a separate ACL system for managing view permissions. Confusing for the user and inefficient from the system point of view.

Page 20: Cutting corners from a wheel -

RADICALLY IMPROVED AND SIMPLIFIED USER INTERFACE

- Simple matrix of groups and actions
- One-click permission changes
- Instantly visible changes in inherited values

Page 21: Cutting corners from a wheel -

SIMPLIFIED OPERATIONAL LOGIC

Lower level always wins

Anything set on the lower level beats what was set on the higher one (denied or allowed)

Assigned permission beats inherited

Users are auto-assigned to parent groups, so anything that is set in parents will affect the user's permissions, but only if it is not set explicitly in assigned groups.

Global > Component > (Category) > (Item)

Page 22: Cutting corners from a wheel -

SIMPLIFIED OPERATIONAL LOGIC

If one group gives you access you are in (key analogy)

If you have a key that opens certain doors, it doesn't matter if another key doesn't work, you can still get in. When a user is allowed to do something through his membership in one of the assigned groups, all others are irrelevant.
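
The three rules from the last two slides, combined into one resolver. This is an added Python model, not Forkito's PHP code: the "Editors" and "Interns" groups, the asset names and the rule set are constructed sample data. Checking group inheritance before asset level, and denying when nothing is set, are assumptions the slides do not spell out.

```python
# Constructed model of the three rules; not Forkito's PHP code.
# "Editors"/"Interns", the asset names and RULES are hypothetical sample data.
GROUP_PARENT = {"Everyone": None, "Authenticated": "Everyone",
                "Editors": "Authenticated", "Interns": "Authenticated"}
ASSET_PARENT = {"global": None, "com_content": "global",
                "category.5": "com_content", "article.42": "category.5"}

# (group, asset, action) -> True (allowed) / False (denied); a missing key means "not set".
RULES = {
    ("Authenticated", "global", "core.view"): True,
    ("Editors", "com_content", "core.edit"): True,
    ("Editors", "article.42", "core.edit"): False,
    ("Interns", "global", "core.view"): False,
}

def chain(node, parents):
    """Yield node, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = parents[node]

def group_decision(rules, group, asset, action):
    """Verdict reached through one assigned group, or None if nothing is set."""
    for g in chain(group, GROUP_PARENT):        # assigned group before inherited parents
        for a in chain(asset, ASSET_PARENT):    # item before category, component, global
            verdict = rules.get((g, a, action))
            if verdict is not None:
                return verdict                  # lowest level that is set wins
    return None

def is_authorized(rules, assigned_groups, asset, action):
    """Key analogy: one allowing group is enough. Assumption: nothing set means deny."""
    return any(group_decision(rules, g, asset, action) is True
               for g in assigned_groups)

if __name__ == "__main__":
    for groups, asset, action in [
        (["Editors"], "category.5", "core.edit"),             # component allow -> True
        (["Editors"], "article.42", "core.edit"),             # item deny beats it -> False
        (["Editors"], "article.42", "core.view"),             # inherited allow -> True
        (["Interns"], "article.42", "core.view"),             # assigned deny beats inherited -> False
        (["Interns", "Editors"], "article.42", "core.view"),  # one key opens the door -> True
    ]:
        print(groups, asset, action, is_authorized(RULES, groups, asset, action))
```

A consequence of the key analogy worth checking in any deployment: a deny set on one assigned group does not revoke access granted through another, so revocation means removing the allowing rule or membership.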

Page 23: Cutting corners from a wheel -

DRY-ED AND RE-ARCHITECTURED

No code repetition

A single method for a single purpose. Classes reusing other classes' methods and not replicating them. Very low amount of code, will cut off even more in the future.

Page 24: Cutting corners from a wheel -

JSON ENCODED RULES REPLACED WITH PERMISSIONS TABLE

A JSON encoded string of permissions, stored in a single database field, was one of the most horrible ideas ever seen in Joomla

This kind of code crime should be punishable with at least 100 hits with a stick.

Page 25: Cutting corners from a wheel -

WHY ?

Page 26: Cutting corners from a wheel -

It totally disables any database relations, conditional searches etc. with enormous impact on performance.

Page 27: Cutting corners from a wheel -

To retrieve a list of items a user has permission to view (or edit, or do any action on), code would need to query for ALL items, unpack the JSON string item by item and check permissions for each item separately.

Now imagine you have 100.000 or even 1 million items to inspect one by one and try to imagine how long that would take and e.g. how much memory it would consume.

Get the picture?

Page 28: Cutting corners from a wheel -

Having JSON in a database == a performance problem

=> you need a more efficient system for managing thousands of users trying to view pages

=> you "solve" the problem by inventing another ACL system called access levels

Page 29: Cutting corners from a wheel -

ALWAYS PRESENT BASIC SYSTEM GROUPS

Groups that cannot be removed or their role changed

While this might seem like a backwards step, these groups are really cornerstones that a CMS ACL cannot work without. Equivalent to the unix wheel and anonymous group roles.

Having groups the system can always rely on -> RELIABILITY, better performance and better security

// including root configuration hack that is not needed anymore //

Page 30: Cutting corners from a wheel -

ALWAYS PRESENT BASIC SYSTEM GROUPS

Everyone
- Not-authenticated – anonymous visitors
- Authenticated – anyone that is logged in
-- Admins – replacing global core.admin permission (equivalent to unix wheel group)

Page 31: Cutting corners from a wheel -

Simple API

// How do I implement it //

Page 32: Cutting corners from a wheel -

API

Create a minimal number of humanly understandable (self-explaining) class and method names.

GOAL

Page 33: Cutting corners from a wheel -

CHECK AUTHORIZATION - MACCESS CLASS

Check single item's authorization:

isUserAuthorizedTo

+ shortcut: isUserAuthorisedToView

Page 34: Cutting corners from a wheel -

CHECK AUTHORIZATION - MACCESS CLASS

Check multiple items' authorization (by automatically inserting filtering SQL in multiple-items queries):

insertFilterQuery

Page 35: Cutting corners from a wheel -

MULTIPLE ITEMS AUTHORIZATION EXAMPLE

JPluginHelper::_load()

Joomla

$levels = implode(',', $user->getAuthorisedViewLevels());
. . .
$query->select('folder AS type, element AS name, params')
    ->from('#__extensions')
    ->where('enabled >= 1')
    ->where('type ='.$db->Quote('plugin'))
    ->where('state >= 0')
    ->where('access IN ('.$levels.')')
    ->order('ordering');

Page 36: Cutting corners from a wheel -

MULTIPLE ITEMS AUTHORIZATION EXAMPLE

Forkito ACL

$query->select('e.folder AS type, e.element AS name, e.params, e.extension_id, e.asset_id')
    ->from('#__extensions AS e')
    ->where('enabled >= 1')
    ->where('type ='.$db->Quote('plugin'))
    ->where('state >= 0')
    ->order('ordering');

jimport('molajo.access.access');

MAccess::insertFilterQuery($db, $query, 'e.asset_id', 'core.view');

Page 37: Cutting corners from a wheel -

MULTIPLE ITEMS AUTHORIZATION EXAMPLE

The same function is used in the categories helper, modules helper, com_content articles model – anywhere a list of items needs to be filtered
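
The "WHY ?" slides argue that JSON rules in a single field force the application to read and decode every row, and the insertFilterQuery slides say the permissions table lets the filter live inside the list query. The two approaches side by side, as an added Python/SQLite model that is neither Forkito's PHP code nor the SQL insertFilterQuery actually generates: the schema, table names and sample grants are constructed, and group and level inheritance are left out.

```python
import json
import sqlite3

# Constructed sample data: asset_id -> {action: [group ids allowed]}.
GRANTS = {1: {"core.view": [1, 2]},
          2: {"core.view": [2]},
          3: {"core.view": [3], "core.edit": [2]}}

def build_db():
    """Store the same grants both ways (hypothetical schema, inheritance ignored)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (asset_id INTEGER PRIMARY KEY, rules TEXT);
        CREATE TABLE permissions (asset_id INTEGER, group_id INTEGER, action TEXT);
        CREATE INDEX idx_permissions ON permissions (action, group_id, asset_id);
    """)
    for asset_id, rules in GRANTS.items():
        db.execute("INSERT INTO items VALUES (?, ?)", (asset_id, json.dumps(rules)))
        db.executemany("INSERT INTO permissions VALUES (?, ?, ?)",
                       [(asset_id, g, action)
                        for action, groups in rules.items() for g in groups])
    return db

def allowed_via_json(db, group_ids, action):
    """JSON field: every row is fetched and decoded before it can be checked."""
    fetched, allowed = 0, []
    for asset_id, rules in db.execute("SELECT asset_id, rules FROM items ORDER BY asset_id"):
        fetched += 1
        if set(json.loads(rules).get(action, [])) & set(group_ids):
            allowed.append(asset_id)
    return allowed, fetched

def allowed_via_table(db, group_ids, action):
    """Permissions table: the filter is part of the query, only permitted rows return."""
    marks = ",".join("?" * len(group_ids))      # bound parameters for the group ids
    rows = db.execute(
        f"""SELECT i.asset_id FROM items AS i
            WHERE EXISTS (SELECT 1 FROM permissions AS p
                          WHERE p.asset_id = i.asset_id AND p.action = ?
                            AND p.group_id IN ({marks}))
            ORDER BY i.asset_id""", [action, *group_ids]).fetchall()
    return [r[0] for r in rows], len(rows)

if __name__ == "__main__":
    db = build_db()
    print(allowed_via_json(db, [3], "core.view"))    # ([3], 3): three rows read for one hit
    print(allowed_via_table(db, [3], "core.view"))   # ([3], 1): one row read
```

Both functions return the permitted asset ids together with the number of rows the application had to read; only the second number stays proportional to what the user may actually see.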

Page 38: Cutting corners from a wheel -

USER INTERFACE

Insert ACL widget HTML: MHtmlPermissions::aclWidget

Get a ready-made ACL widget in the shape of a Joomla form field: MFormFieldAclwidget

Very simple to include the ACL widget in your component layout

Page 39: Cutting corners from a wheel -

Future

// Short term //

Page 40: Cutting corners from a wheel -

Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.

Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing. Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing. Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing. Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing. Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing. Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.

Page 41: Cutting corners from a wheel -

USER INTERFACE IMPROVEMENT

Inheritance breadcrumbs - show what this level is inheriting from

Page 42: Cutting corners from a wheel -

Future

// Long term //

Page 43: Cutting corners from a wheel -

MORE ROUNDS OF SIMPLIFICATION

Simple mode - flatten inheritance, keep only default and category (or item) permissions

