Forkito ACL presentation at J and Beyond conference 2011

1. CUTTING CORNERS
FROM A WHEEL
// Forkito ACL //
FORKITO

2. FINAL GOAL
Easy to use and understand ACL system
Reusable ACL library compatible with most widespread Joomla
based projects
FORKITO

3. FORKITO ACL FLAVORS
Ţ Joomla fork flavor (working - oh yeah)
Ţ Molajo flavor (in progress)
Ţ Nooku flavor (planned)
FORKITO

4. JOOMLA FORK FLAVOR
FORKITO

5. JOOMLA FORK FLAVOR
Did he really say that?
FORKITO

6. JOOMLA FORK FLAVOR
Starting point for the whole project.
Used as proof of concept
FORKITO

7. Joomla fork form == contains changes to 70+ files
due to poor Joomla ACL implementation in application layer
Joomla - ACL hardcoded everywhere
revision 7
FORKITO

8. COVERED PARTS
New forkito ACL library
Joomla library methods are changed to proxies to a new library
methods
Includes internal methods that take care of backwards
compatibility with old Joomla ACL
FORKITO

9. COVERED PARTS
Web application framework layer
Ţ categories
Ţ menus,
Ţ modules,
Ţ plugins
Mainly changes to multiple items queries
FORKITO

10. COVERED PARTS
Application
Ţ Backend components: com_categories, com_menus,
com_modules, com_plugins
Ţ Content components: com_content (back and frontend)
Ţ Pagenavigation plugin-
Contains changes to 37 php and 15 xml files,
most extensive changes to com_users and com_content
FORKITO

11. WHERE I CAN GET IT
git clone git://git.forkito.org/forkito
FORKITO

12. MOLAJO FLAVOR
FORKITO

13. Completely new classes
Where most development goes at the moment
The most important part
FORKITO

14. Molajo ? - web application layer will be completely redone
together with components - layer includes hooks for ACL plugins
Just few library overrides (JUser, JCategories, JMenu … )
Joomla compatibility methods removed – extension either uses
Joomla or Forkito ACL
FORKITO

15. Molajo ? - web application layer will be completely redone
together with components - layer includes hooks for ACL plugins
Just few library overrides (JUser, JCategories, JMenu … )
Joomla compatibility methods removed – extension either uses
Joomla or Forkito ACL
yes, it can be done
FORKITO

16. NOOKU FLAVOR
FORKITO

17. Will come after Molajo flavour
it is expected that only minor changes will be needed in Forkito
ACl for it to work with Nooku framework.
Forkito will represent an addon library here
FORKITO

18. Unified ACL
// Forkito to Joomla ACL comparision//
FORKITO

19. REMOVED VIEW ACCESS LEVELS AND ADDED VIEW TO
ACTIONS
50% less users effort needed, 50% less complicated.
View == action
No need for a separate ACL system for managing view permissions.
onfusing for the user and inefficient from the system point of view.
FORKITO

20. RADICALLY IMPROVED AND SIMPLIFIED USER INTERFACE
Ţ Simple matryx of groups and actions
Ţ One-click permission changes
Ţ Instantly visible changes in inherited values
FORKITO

21. SIMPLIFIED OPERATIONAL LOGIC
Lower level always wins
Global >Component>(Category)>(Item)
Anything set on the lower level beats what was set on the higher
one (denied or allowed)
Assigned permission beats inherited
Users are auto assigned to parent groups, so anything that is set in
parents will affect user's permissions, but only if it is not set
explicitly in assigned groups.
FORKITO

22. SIMPLIFIED OPERATIONAL LOGIC
If one group gives you access you are in
(key analogy)
If you have a key that opens certain doors, it doesn't matter if
another key doesn't work, you still can get in.
When user is allowed to do something trough his membership in
one of the assigned groups, all others are irrelevant.
FORKITO

23. DRY-ED AND RE-ARCHITECTURED
No code repetition
A single method for a single purpose.
Classes reusing other classes methods and not replicating them.
Very low amount of code, will cut off even more in the future.
FORKITO

24. JSON ENCODED RULES REPLACED WITH PERMISSIONS
TABLE
JSON encoded string of permissions, stored in simgle database
field was one of the most horrible ideas ever seen in Joomla
This kind of code crimes should be punishable with at least 100 hits
with a stick.
FORKITO

25. WHY ?
FORKITO

26. It totally disables any database relations, conditional searches etc.
with enormous impact on performance.
FORKITO

27. To retrieve a list of items user has a permission to view (or edit or
do any action) code would need to query for ALL items, unpack
json string item by item and check permissions each item
separately.
Now imagine you have 100.000 or even 1 million items to inspect
one by one and try to imagine how long that would take and e.g.
how much memory it would consume.
Get the picture?
FORKITO

28. Having JSON in a database == a performance problem
=> you need more efficient system for managing thousands of
users trying to view pages
=> you "solve" the problem by inventing another ACL system
called access levels
FORKITO

29. ALWAYS PRESENT BASIC SYSTEM GROUPS
Groups that cannot be removed or their role changed
While this might seem like a backwards step, this groups are really
corner stones that CMS ACL cannot work without. Equivalent to
unix wheel and anonymous groups roles.
Having groups system can always rely on -> RELIABILITY,
better performance and better security
// including root configuration hack that is not need anymore //
FORKITO

30. ALWAYS PRESENT BASIC SYSTEM GROUPS
Everyone
- Not-authenticated - anonymous visitors
- Authenticated – anyone that is logged in
-- Admins – replacing global core.admin permission (equivalent to
unix wheel group)
FORKITO

31. Simple API
// Hod do I implement it //
FORKITO

32. API GOAL
Create minimal number of humanly understandable (self
explaining) classes and method names.
FORKITO

33. CHECK AUTHORIZATION - MACCESS CLASS
Check single item's authorization :
isUserAuthorizedTo
+ shortcut: isUserAuthorisedToView
FORKITO

34. CHECK AUTHORIZATION - MACCESS CLASS
Check multiple items authorization (by automatically inserting
filtering sql in multiple items queries):
insertFilterQuery
FORKITO

35. MULTIPLE ITEMS AUTHORIZATION EXAMPLE
JPluginHelper::_load()
Joomla
$levels = implode(',', $user->getAuthorisedViewLevels());
...
$query->select('folder AS type, element AS name, params')
->from('#__extensions')
->where('enabled >= 1')
->where('type ='.$db->Quote('plugin'))
->where('state >= 0')
->where('access IN ('.$levels.')')
->order('ordering');
FORKITO

36. MULTIPLE ITEMS AUTHORIZATION EXAMPLE
Forkito ACL
$query->select('e.folder AS type, e.element AS name, e.params, e.extension_id,
e.asset_id')
->from('#__extensions AS e')
->where('enabled >= 1')
->where('type ='.$db->Quote('plugin'))
->where('state >= 0')
->order('ordering');
jimport('molajo.access.access');
MAccess::insertFilterQuery($db, $query, 'e.asset_id', 'core.view');
FORKITO

37. MULTIPLE ITEMS AUTHORIZATION EXAMPLE
The same function is used in categories helper, modules helper,
com_content articles model – anywhere where list of items needs
to be filtered
FORKITO

38. USER INTERFACE
Insert acl widget HTML: MHtmlPermissions::aclWidget
Get ready-made acl widget in shape of Joomla form field:
MFormFieldAclwidget
Very simple to include ACL widget in your component layout
FORKITO

39. Future
// Short term //
FORKITO

40. Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
Testing, testing. Bugfixing.
Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
FORKITO

41. USER INTERFACE IMPROVEMENT
Inheritance breadcrumbs - show what this level is inheriting from
FORKITO

42. Future
// Long term //
FORKITO

43. MORE ROUNDS OF SIMPLIFICATION
Simple mode - flatten inheritance , keep only default and category
(or item) permissions
FORKITO