Brian's Blog Homepage
access control
access control

Since the beginning of Mambo "I want/need/demand ACL" (access control lists) must be one of the most common threads in the forums. But what do I/you mean by ACL and why is it just so dam hard to implement. (I assume it must be hard or it would have been done by now in the core)

Before you can write an ACL system for Joomla you need to define what it is aiming to achieve, and this is where the problems start. I've sat at a computer with Andrew Eddie in his house whilst he explained his "vision" for ACL, I've evaluated most, if not all, third party solutions and I've read long discussion papers on the subject and yet I'm still not convinced that:-

  1. what a developer means by ACL is what a user means by ACL
  2. a true ACL system will ever be understood by the regular site builder

ACL can probably be broken down into two separate parts:-

  1. What can I see?
  2. What can I do?

And then you need to address some common misconceptions:-

  1. all backend users have the same permissions
  2. I need ACL to show different content to registered and non-registetred users
  3. if ACL is added to the core of Joomla then all my third party extensions will automaticaly have ACL
  4. Joomla has no ACL

Some facts

  1. Joomla does have ACL.
    It is a rudimentary system that is heirarchical with each subsequent level of users inheriting the permissions of all those beneath it.
  2. Managers only have access to the content menu and no other component.
    So they need to have administrator level if they are to use any third party extensions or even core components such as weblinks and contacts.
  3. "What can I see?" is the only reason for ACL on the majority of sites.
    Site owners want to restrict viewing access to content areas based on a user group, they are not bothered about creating restricted access for creation of content as they have far fewer content creators and they are all trusted.

I would love to see a fully fledged ACL system in Joomla that would satisfy both the needs of the site that wants to restrict the viewing of content and the enterprise site that allows restrictions to be placed on every part of the site, both content creation and content viewing.

However my experience tells me that this is just isnt possible without some major compromises as a true ACL system is just too complex a beast. Joomla, and Mambo before it, owes its success in part to the ability for anyone with reasonable keyboard skills to create a web site. If they are faced with a complex ACL system with its ARO, AXO etc they will drop Joomla like a hot potato. They wont even realise its not necessasary to implement as they dont understand it at all. (I count myself in the crowd of users who dont understand ARO, AXO etc and I've had personal demonstrations from the best)

So what is the solution, or is there even a solution at all?

Clearly the status quo is no longer acceptable and yet as I've suggested the inclusion of full ACL would not work either. Instead I'd like to propose the adoption of a long forgotten idea that dates from the creation of Joomla, Officialy supported extensions.

... we are now committing to release and/or support certain popular components as "Officially Supported Components", the first of which will be JoomFish. This means some of the features the community has been asking for will be supported by Joomla!...

The principal behind these "officialy supported extensions" was to allow a developer or group of developers to work on an extension that whilst important to a significant number of users was not deemed to be essential for all users. In addition the "official" status would mean that any API hooks or calls that might be needed in the core of Joomla would be implemented.

 

J o o m l a !

Brian Teeman

Brian Teeman

Who is Brian?

As a co-founder of Joomla! and OpenSourceMatters Inc I've never been known to be lacking an opinion or being too afraid to express it.

Despite what some people might think I'm a shy and modest man who doesn't like to blow his own trumpet or boast about achievements.

Where is Brian?