Joomla! Discussion Forums



Posted: Sun Sep 25, 2005 11:43 pm 
Joomla! Intern

Joined: Thu Sep 08, 2005 9:03 am
Posts: 50
One possible solution to the unique id problem would be to use an md5() hash which included the subsystem name and the id:  md5('Component' . $id) etc.

This would certainly work in checking ACLs, it would just be impossible to go from the ACL tables backwards, short of enumerating from that side and checking against the md5() hashes.


 
Posted: Mon Sep 26, 2005 12:12 am 
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
Hackwar wrote:
Beat wrote:
There is a table in 4.5.2/1.0 called #__core_acl_aro which links userIds with AROs (btw, the core 4.5.2 forgets to delete entries into that table when a user is deleted ;)). So I think that #__users table doesn't need a change.

A similar intermediate table can be designed for _content, _menu and other tables needing *optionally* an ACO/AXO assigned.

I saw those already and will look what can be done to implement these. There are quite a lot of tables the phpgacl needs, but some of them seem to be merged from tables that are fundamentally different in the original phpgacl. I can't tell you more, cause I'm quite frankly tired. It's 1:20 am in Germany atm and my concentration is going to bed.  ;)

no worries, same time & same thoughts here in Switzerland.
Hackwar wrote:
Quote:
Do we really need unique identifiers for _content, _menu etc for the ACO entries (btw they already have each, one) ? ;)

The idea was to make everything in Joomla ACL-able. The access-requesting function, no matter if it's in a 3PD component or in a core-component, gives the ACL-lib the unique ID of the ARO and the ACO and this function has to get its ID from somewhere. I don't know if it's wise to create this out of the title of the item, because you could have sections, categories and articles with the same name and therefore the same ID... unless you put the descriptor for that kind of item in front of it... got that "idea" this second and it will most probably be possible, but needs more thinking. My initial idea was, that different tables with sequentially numbered entries can have duplicate IDs...

Hackwar

That's what I'm suggesting...in case you really want an ACO per content/menu item: create a separate table similar to the #__core_acl_aro, called #__core_acl_aco and one called #__core_acl_axo.

Add the following fields to those tables:
aco_id (or axo_id)
section_value ("#__content" or "#__menu")
value (this is the unique "id" field of the content or menu table)
order_value
name
hidden

(same as the original #__core_acl_aro table).

Now each ACO has its unique correspondence using the section_value+value tuple.

-------

But do we really need/want this ?

I think it's preferable to define only "few" ACO and very few AXO, and do the opposite: add a way to assign to each content/menu item the ACO and the AXO (implement something similar to adding an ACO and an AXO field in content and menu tables). There is imho no problem that many content items have the same ACO as long as it can be assigned by the admin/security officer.

To my understanding, currently phpGACL handles groups for ARO and AXO, but not for ACO, so having one ACO for each content-detail will be a pain to administer.

(btw. thanks for the idea, but sorry, I don't think MD5 hash is a solution for that problem)

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
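
The two keying schemes discussed in the posts above, md5(subsystem name . id) and the section_value+value tuple, compared side by side. This is an added example, not code from the thread, from Joomla! or from phpGACL; the function names, the `com_gallery` identifiers and all ids are constructed for illustration.

```php
<?php
// Added example: compares the two ACO/AXO keying schemes proposed above.
// Section names and ids are constructed sample data.

// Scheme 1: one opaque key, md5(subsystem name . id), as in md5('Component' . $id).
function hashedKey(string $subsystem, int $id): string
{
    return md5($subsystem . $id);
}

// Scheme 2: section_value and value stay separate fields and the pair is
// the unique key of the row.
function tupleKey(string $sectionValue, int $value): string
{
    // json_encode keeps the field boundary, so ("com_gallery", 25) and
    // ("com_gallery2", 5) can never produce the same key.
    return json_encode([$sectionValue, $value]);
}

// Going from an ACL key back to the item. With scheme 1 the only way is to
// enumerate every known item and re-hash it.
function itemsForHashedKey(string $key, array $items): array
{
    $matches = [];
    foreach ($items as [$subsystem, $id]) {
        if (hashedKey($subsystem, $id) === $key) {
            $matches[] = "$subsystem/$id";
        }
    }
    return $matches;
}

// With scheme 2 the key itself names the item.
function itemForTupleKey(string $key): string
{
    [$sectionValue, $value] = json_decode($key, true);
    return "$sectionValue/$value";
}

// Returns the groups of distinct items that end up sharing one key.
function collisions(array $items, callable $keyOf): array
{
    $byKey = [];
    foreach ($items as [$section, $id]) {
        $byKey[$keyOf($section, $id)][] = "$section/$id";
    }
    return array_values(array_filter($byKey, fn($group) => count($group) > 1));
}

$items = [
    ['#__content', 12],
    ['#__menu', 12],        // same numeric id as the content item, other table
    ['com_gallery', 25],
    ['com_gallery2', 5],    // 'com_gallery2' . 5 === 'com_gallery' . 25
];

echo "Items sharing a key with md5(name . id):\n";
print_r(collisions($items, 'hashedKey'));

echo "Items sharing a key with (section_value, value):\n";
print_r(collisions($items, 'tupleKey'));

$key = hashedKey('com_gallery', 25);
echo "Items behind $key: ", implode(', ', itemsForHashedKey($key, $items)), "\n";

$key = tupleKey('#__menu', 12);
echo "Item behind $key: ", itemForTupleKey($key), "\n";
```

The unseparated concatenation lets two different items share one ACL key whenever a subsystem name ends in a digit, so a rule written for one item would also apply to the other; the tuple has no such overlap and can be read back without enumeration.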


 
Posted: Mon Sep 26, 2005 12:51 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
Got a little problem and because I'm no php-pro...

Code:
$this->db->setQuery( $query );
$group_result = $this->db->loadObjectList();

This is where I execute the query and load the results into $group_result

Code:
$retarr = array();

//Unbuffered query?
while (!$rs->EOF) {
  $retarr[] = reset($rs->fields);
  $rs->MoveNext();
}

This is the original ADODB-part where the results get put in an array?

Code:
foreach ($group_result as $value) {
  $retarr[] = $value.id;
  next($values);
}

That was the part I wrote to replace the $rs stuff, but naturally it does not work. ;) Anybody got a clue what this has to look like? Do I even have to split the values in $retarr when I got them as loadObjectList in $group_result?
Hackwar

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Mon Sep 26, 2005 12:58 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
Hackwar wrote:
Got a little problem and because I'm no php-pro...
...
Hackwar

Then you should learn includes/database.php :laugh:
There are other methods than loadObjectList() ... some which treat arrays. ;)

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


 
Posted: Mon Sep 26, 2005 3:25 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
I'm testing at the moment and I would need a bit of sample data for that. Anybody got a sql-dump with sample users and stuff?

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Thu Sep 29, 2005 2:50 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 1:27 pm
Posts: 548
Location: Washington, DC
Hackwar and Beat,

Just catching up on this thread.  Your work is most-definitely needed.  Thank you for all your efforts.  Know that there are a bunch of us here really watching your work carefully, in hopes of faster integration in the Joomla core.  You get this right, and we're all going to be very happy!

Best,
Ryan

_________________
PICnet - "Empowering the missions of non-profits through technology"
www.picnet.net


 
Posted: Thu Sep 29, 2005 4:03 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
While cozimek is praising me, I think I have to write a little update to "my" work.

When you look in the svn, spacemonkey already included phpGACL in parts along with ADODB, he changed the useradministration to fill the ARO-table with user-values, too, and the user-groups have been put into the ARO-groups-table. As far as I can see, you could already create ARO-groups, where you could put your users in by editing the database. What's not done at the moment is the creation of ACOs and ACO-groups, as well as ACLs and ACL-groups and -sections. This is still somewhat hardcoded in the file includes/phpgacl/gacl.mambo.php. I took the liberty to transfer this into the according databases and created a dump from these standard-values. You can find this dump attached to this post. Notice that you have to change the table-names and replace the #__ with your table-prefix. Warning: It's all at your own risk.
The file gacl.mambo.php catches the queries to the real gacl.class.php and therefore has to be modified later to place the acl_check correctly. That will be the next thing I'm trying to do. What's still completely missing is an administrative interface to this. Although Beat didn't like the phpGACL-admin-interface it's still pretty advanced and after a few tries easy to use. You can try it on your Joomla-database after you applied the attached file. I would prefer to implement this as an admin-interface and with a few help-hints on the screen, it shouldn't be too difficult to use.
To create an ACO for ultimately creating an ACL for a component you have to do the following (notice the %-character where your values would go):
Code:
$return = $acl->add_object_section('%COMPONENT_NAME%', '%COMPONENT_IDENTIFIER%', '0', '0', 'aco');
$return = $acl->add_object('%COMPONENT_IDENTIFIER%', '%ACTION_NAME%', '%ACTION_IDENTIFIER%', '0', '0', 'aco');

COMPONENT_ and ACTION_NAME are the strings that you get shown in the phpGACL-admin-interface, while the _IDENTIFIER-part is the stuff they recognize each other with. I think it's preferable to name the identifier something like com_NAME or mod_NAME according to what it is. The ACL can be defined in the phpgacl-interface, don't know the right code at the moment... The functions return the identifier when creating was successful, otherwise it's just FALSE. Still not included, too, is the AXO-part. At the moment you could just define rights for users and usergroups on components, but not on single articles and such. Therefore you have to include AXOs, but I think that's not a no. 1 priority.

After the last few days, I've gained a lot of respect for the core development-team, because I sat here for at least 30 hours and read through the whole stuff and tried to understand it and made VERY slow progress. And after understanding filling this into code is still another thing.
My work is at the moment just this database-dump, I hope I can come with something more valuable soon, after I had such a big mouth and promised to have this done yesterday.  :'( ;)
Writing soon.
Hackwar

//EDIT: Took out the url/file cause its outdated

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Last edited by Hackwar on Thu Nov 10, 2005 8:20 pm, edited 1 time in total.

 
Posted: Fri Sep 30, 2005 8:11 am 
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
Hackwar wrote:
...

To create an ACO for ultimately creating an ACL for a component you have to do the following (notice the %-character where your values would go):
Code:
$return = $acl->add_object_section('%COMPONENT_NAME%', '%COMPONENT_IDENTIFIER%', '0', '0', 'aco');
$return = $acl->add_object('%COMPONENT_IDENTIFIER%', '%ACTION_NAME%', '%ACTION_IDENTIFIER%', '0', '0', 'aco');


...

Still not included, too, is the AXO-part. At the moment you could just define rights for users and usergroups on components, but not on single articles and such. Therefore you have to include AXOs, but I think that's not a no. 1 priority.

...


You should really include AXO from the start. Doing it now will take you 10% time more, later 250% time more, if even still feasible. The error of partial implementation has already been done once with ACL, please don't repeat  it a second time ;)

Don't underestimate the usefulness of AXO in a CMS... Main reasons for AXO support:

1) AXO provide for AXO groups in phpGACL, which is not the case of ACO. This means simplified rules for the site-security-admin
2) it adds a level of total flexibility to the site security-admin.
3) it allows to set additional access permissions (or more precisely restrictions :laugh:) depending on business logic, instead of "joomla-logic".

You can use ACO as suggested for defining components, content and sub-content. But please while doing something similar as suggested, don't redo the error to hardcode :'( the component name into the ACL request. Instead use a parameter of the component, which defaults to that value :), but which is site-admin editable :D in the backend independently for each ACL definition (just provide a simple way for 3PD and core components to define those SEPARATELY from other settings (so these definitions themselves can be protected by ACL for access by security-officer-admins only :P ).

AXO will give to the site admin an additional layer of access-control to be used for instance on a "by project" or "by projects-group" granularity, or on a definition of "workgroups-data" and "department-data" aka "workgroups-groups-data". AXO groups allow that. :P

Btw., Andrew already ported phpGACL-admin into Mambo backend earlier this year as I noticed on another forum. Maybe someone can point you to that code ?

Keep the faith, you are on a steep but fast learning curve, with lots of rewards in terms of learning a lot of good things from the great work of the core team. Yes, studying and understanding the code of Joomla! is a good start.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


 
Posted: Fri Sep 30, 2005 8:43 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
Little bit offtopic, but anyway...
In the German forum a guy wanted to blend out the item navigation at the bottom of each article and found only the solution to turn this off for the whole page. I thought, why shouldn't this be done with an ACL-rule? At the moment we have for AROs just the section 'users', why not put another one into it and make it possible to define whether a module is allowed to take this action onto that content? I'm wondering because this is probably not really an access related thing, but you even could put this into joomla without interfering with the module. You just would have to make an acl_check before you trigger the module.

My question to the decision-makers: Do we stick with ACLs just to user restriction or will it be possible to define module-behaviour with it, too?

Hackwar

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Sat Oct 01, 2005 10:11 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
Hi folks,
it's me again. I've completed the first basic implementation of phpGACL into Joomla!. Now I want you to try this out and give me some feedback. BE WARNED TO ONLY TRY THIS ON A TEST SYSTEM!!! THIS IS NOT STABLE!!!

Installation:
Needed:
- A recent SVN-copy of Joomla!
- This .zip-file: //EDIT: Took out the url/file cause its outdated
- phpMyAdmin
- a texteditor
- a TEST-system!!!
Action:
0. Install the recent Joomla-SVN-copy and create as many users as you like.
1. unpack the files in the .zip into a folder of your choice while keeping the folder-structure.
2. copy the folders "administrator", "components", "includes" into your Joomla-folder and overwrite the files.
3. open the file "tablestructure.txt" and replace "#__" with your databaseprefix. Save the file.
4. open your phpMyAdmin and import the file "tablestructure.txt" into your Joomla-database.

-- The phpGACL-support is now "complete". At the moment there is no admin-interface. The next step is something of a workaround.

5. copy the folder "gacl_admin" into a folder of your choosing on your Joomla-testinstallation. You have to get to this folder by manually typing in the URL, so don't hide it too well.  ;)
6. open the file "gacl.ini.php" in the folder "gacl_admin" and change the values so that they fit your database. The databasename has to be your joomla-database and the prefix must be "%YOUR_DB_PREFIX%core_acl_". Save the file.

-- Now we have an ACL-Interface, but the users are not sorted into their respective groups, which means we don't have an Admin/Super Admin or anything similar.

7. In your webbrowser type in the address to the "gacl_admin"-folder and go to the folder "admin".
8. Go to the tab "ARO Group Admin" and click on "Assign ARO" behind the user category you want to add a user to. (You will have to add your Administrator first to Super Administrator to get into your back end later)
9. Click in the new window in sections on "Users" and in the field next to it on the username you want to add. Then click the button with the ">>". Repeat this for every user you want to have in that group. Then click "Submit".

=========================================================================
At the moment the ACLs are the standardvalues of Joomla. I haven't tried changing these, but at the moment it doesn't matter, because the components and such don't work in the recent SVN-copy.

Beat said earlier that Andrew has already ported the phpGACL-admininterface into the backend of Joomla. I haven't asked him yet, but going to right now.  ;) AXOs are not really included right now, there are values in the AXO-tables, but those are only the standard-values that were hardcoded in gacl.mambo.php before.

My Mini-Roadmap:
1. getting the ported phpGACL-admininterface from Andrew.
2. Including AXOs completely.
3. Writing guide for developers how to use the ACL-API

I have two questions to the developers and decision makers:
1. What are the _core_acl_*_seq-Tables for?
2. Repeating my question from my post before: Will the ACL-API be used to control the output of modules/components/mambots, too, or just userrestrictions?

I hope for some feedback and am now going to bed.
Hackwar

============EDIT==============
I've corrected a few more files, now the components-manager works. The new file can be downloaded from the same location.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Last edited by Hackwar on Thu Nov 10, 2005 8:20 pm, edited 1 time in total.

 
Posted: Sun Oct 02, 2005 9:12 pm 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 10:59 am
Posts: 34
Location: Netherlands
Well, I followed your procedure, and came till step 8: Go to the tab "ARO Group Admin"

There, I got a warning:
Warning: Invalid argument supplied for foreach() in /home/amcg/public_html/gacl_admin/admin/group_admin.php on line 54
And no: Assign ARO, only Functions Add and Delete. And they are not working.

I used Joomla 1.0.2 as baseline, and dropped all existing tables mentioned in "tablestructure.txt", before re-creating them.
I don't know what Joomla SVN stands for.


 
Posted: Sun Oct 02, 2005 9:23 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
Actor wrote:
Well, I followed your procedure, and came till step 8: Go to the tab "ARO Group Admin"

There, I got a warning:
Warning: Invalid argument supplied for foreach() in /home/amcg/public_html/gacl_admin/admin/group_admin.php on line 54
And no: Assign ARO, only Functions Add and Delete. And they are not working.

I used Joomla 1.0.2 as baseline, and dropped all existing tables mentioned in "tablestructure.txt", before re-creating them.
I don't know what Joomla SVN stands for.

The SVN is the system that manages the developerversion of Joomla. Joomla 1.0.2 is the latest release, but the latest developerversion has a lot more features and it has a kind of ACL to which this is an improvement. You will have to get this SVN-version to try this.
I don't know why you got the error. I'm not sure, I had this error when I accidentally used php 5 on my testserver.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Sun Oct 02, 2005 10:30 pm 
Joomla! Enthusiast

Joined: Wed Aug 17, 2005 11:20 pm
Posts: 170
Location: Alaska
I, too, am watching this thread with great eagerness, and learning quite a bit.

On the possibility it might be helpful, here is a picture of how zOOm Gallery presents access control in the backend.




Last edited by chay on Sun Oct 02, 2005 10:35 pm, edited 1 time in total.

 
Posted: Mon Oct 03, 2005 12:03 am 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
I didn't check anything but the standard-components that are shipped with the release-package. Zoom Gallery most possibly does not set the values right in the beginning...
At the moment I'm working on the AXO-part (probably already done tomorrow) and directly there after, I'm going to look into Zoom gallery.
I'm going to wait with the Joomla ACL-backend till Andrew returns from the conference. I think the interface shipped with phpgacl is, for now, sufficient. So it has a lower priority.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Fri Oct 07, 2005 4:11 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 1:27 pm
Posts: 548
Location: Washington, DC
Hackwar,

Just a pep-rally posting:  keep up the good work, you're really providing great insight to all of us watching your work carefully.

Looking forward to your continued efforts, and work with Andrew.

Best,
Ryan

_________________
PICnet - "Empowering the missions of non-profits through technology"
www.picnet.net


 
Posted: Fri Oct 07, 2005 7:17 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
What about this problem?

* groupA is permitted item1 and item2
* groupB is permitted item2 and item3
* there are dozens of groups and thousands of items


 
Posted: Fri Oct 07, 2005 8:07 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
emeyer wrote:
* groupA is permitted item1 and item2
* groupB is permitted item2 and item3
* there are dozens of groups and thousands of items


The groupA/groupB would be a problem of the AXOs and their groups. You can put AROs and AXOs into groups and assign rules to these groups. If you have conflicting rules (Group "Root" has access to all articles, Group "Stupid User" has only access to "failsafe" articles, User "Me not stupid" has access to "advanced user" article, too) the last one "wins". In my hopefully not too short example this would mean, the user "Me not stupid" would have rights to all articles in group "failsafe" and the article "advanced user". You could create as many groups as you like, while an item can be in more than one group.

To the big no. of items thing: phpGACL is very well scalable, the author wrote on his site, that he used it with over 100,000 items and there was no real performance problem. As to the admin-part: Joomla will be delivered with a set of standard rules, that will hopefully reduce the work for the admin. If you need to set rights for a lot of groups and a lot of items in a special way, I think you will have to do this manually. At least I don't know how this could be done manually.

I think it will be possible to update existing databases with little effort.
hackwar

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
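
The conflict scenario from the post above ("Root", "Stupid User", "Me not stupid"), worked through in a small self-contained model. This is an added example, not code from the thread or from phpGACL: the resolution order it uses (most specific matching rule wins, the later rule wins a tie, no matching rule means deny) is an assumption made for illustration, and the "Suspended" child group plus the names `admin`, `newbie`, `troll`, `intro` and `internals` are constructed.

```php
<?php
// Simplified model of ACL rule resolution, not phpGACL's implementation.
// All names are sample data; see the lead-in for which are constructed.

$model = [
    // ARO group tree: group => parent group (null = top level)
    'groupParent' => ['Root' => null, 'Stupid User' => null, 'Suspended' => 'Stupid User'],
    // ARO membership: user => groups
    'userGroups' => [
        'admin'         => ['Root'],
        'Me not stupid' => ['Stupid User'],
        'newbie'        => ['Stupid User'],
        'troll'         => ['Suspended'],
    ],
    // AXO membership: article => groups
    'articleGroups' => ['intro' => ['failsafe'], 'advanced user' => [], 'internals' => []],
    // Rules in the order they were defined
    'rules' => [
        ['aro' => ['group', 'Root'],         'axo' => ['any', null],             'allow' => true],
        ['aro' => ['group', 'Stupid User'],  'axo' => ['group', 'failsafe'],     'allow' => true],
        ['aro' => ['user', 'Me not stupid'], 'axo' => ['item', 'advanced user'], 'allow' => true],
        ['aro' => ['group', 'Suspended'],    'axo' => ['group', 'failsafe'],     'allow' => false],
    ],
];

// Distance from the user to the rule's ARO: 0 = the user itself, 1 = a group
// the user is in, 2 = that group's parent, and so on; null = rule does not apply.
function aroDistance(array $aro, string $user, array $model): ?int
{
    [$type, $name] = $aro;
    if ($type === 'user') {
        return $name === $user ? 0 : null;
    }
    $best = null;
    $maxDepth = count($model['groupParent']);   // guards against a cyclic tree
    foreach ($model['userGroups'][$user] ?? [] as $group) {
        $distance = 1;
        while ($group !== null && $distance <= $maxDepth) {
            if ($group === $name && ($best === null || $distance < $best)) {
                $best = $distance;
            }
            $group = $model['groupParent'][$group] ?? null;
            $distance++;
        }
    }
    return $best;
}

// Specificity of the rule's AXO for this article: 0 = the article itself,
// 1 = a group containing it, 2 = "any article"; null = rule does not apply.
function axoDistance(array $axo, string $article, array $model): ?int
{
    [$type, $name] = $axo;
    switch ($type) {
        case 'item':
            return $name === $article ? 0 : null;
        case 'group':
            return in_array($name, $model['articleGroups'][$article] ?? [], true) ? 1 : null;
        case 'any':
            return 2;
    }
    return null;
}

function aclCheck(string $user, string $article, array $model): bool
{
    $decision = false;      // default deny when no rule matches
    $bestRank = null;
    foreach ($model['rules'] as $rule) {
        $aro = aroDistance($rule['aro'], $user, $model);
        $axo = axoDistance($rule['axo'], $article, $model);
        if ($aro === null || $axo === null) {
            continue;
        }
        $rank = $aro * 3 + $axo;    // ARO distance dominates, AXO breaks ties
        // "<=" lets the later of two equally specific rules win.
        if ($bestRank === null || $rank <= $bestRank) {
            $bestRank = $rank;
            $decision = $rule['allow'];
        }
    }
    return $decision;
}

$checks = [
    ['admin', 'internals'],
    ['Me not stupid', 'intro'],
    ['Me not stupid', 'advanced user'],
    ['Me not stupid', 'internals'],
    ['newbie', 'advanced user'],
    ['troll', 'intro'],
];
foreach ($checks as [$user, $article]) {
    printf("%-14s %-14s %s\n", $user, $article, aclCheck($user, $article, $model) ? 'allow' : 'deny');
}
```

The last check shows the child group's deny overriding the allow inherited from its parent, and the fourth shows that an article covered by no rule is refused rather than allowed.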


 
Posted: Fri Oct 07, 2005 9:05 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
Ah I understand! The murk clears. I'm quite interested--is this going to have its own project? How stable is "unstable" currently? Folks have very different ideas about what constitutes stability. I'd be glad to try it out and report on findings if that's helpful.

- Ernest


 
Posted: Fri Oct 07, 2005 9:41 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
emeyer wrote:
Ah I understand! The murk clears. I'm quite interested--is this going to have its own project? How stable is "unstable" currently? Folks have very different ideas about what constitutes stability. I'd be glad to try it out and report on findings if that's helpful.


Hi emeyer,
there won't be a project for this, because it will be a part of the Joomla-core. The devs are just at the moment too busy to include it into the SVN. Unstable means, that no Add-On that uses the function $acl->acl_check will work at the moment. They will have to replace the $my->usertype by $my->id. I haven't tested the whole stuff other than starting the Joomla-Admininterface and trying the different menuitems. Unstable also means, that the content-items are not saved as AXOs in the database and that there is no admin-interface.
You're welcome to try this, but as I said, it's just a part of the implementation, a version to work with for the devs.
Hackwar

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


 
Posted: Fri Oct 07, 2005 9:50 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
ok. I'm learning the developer guide docs at the moment. I think I need a little more time before I venture into the core itself and try doing some things around the outside firstly. Thanks for the info, I'm beginning to understand how this community works.

- Ernest


 
Posted: Sun Oct 09, 2005 10:18 am 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
I wrote a little Developerguide for the use of the ACL-API. It's not professional and open for change. As always, I'm glad for any feedback.

Developerguide for the use of the ACL-API

Table of Content
1. What are ACLs
  1.1 ACLs
  1.2 ACOs
  1.3 AROs
  1.4 AXOs
  1.5 ACLs
  1.6 Sections
  1.7 Groups
2. ACL-Check
3. Managing Sections and Groups
  3.1 Managing Sections
    3.1.1 Add
    3.1.2 Edit
    3.1.3 Delete
    3.1.4 Get information
  3.2 Managing Groups
    3.2.1 Add
    3.2.2 Edit
    3.2.3 Delete
    3.2.4 Get information
4. Managing ACLs
  4.1 Add
  4.2 Edit
  4.3 Delete
  4.4 Get
5. Manage Objects
  5.1 Add
  5.2 Edit
  5.3 Delete
  5.4 Manage objects and their groups
    5.4.1 Add
    5.4.2 Delete
  5.5 Get
6. Guidelines for naming Objects
7. Porting Add-Ons to the new ACL-system

1. What are ACLs?
In short term: ACLs are the restrictions you can place on a user. You can tell if a user can do a special action, like editing or deleting stuff and you can do this very effectively by grouping users and assigning rules to the groups instead of the users. A good explanation of ACLs can be found at the homepage of phpGACL, which is the real API that's behind the Joomla!-ACLs. You can find it on the site and in the downloadable API-package here: http://phpgacl.sourceforge.net/

1.1 ACLs
The ACL is the actual rule. It connects the ARO with the ACO and optionally with the AXO and defines if that combination should be allowed or denied.

1.2 ACOs
The ACO is the Access Controlling Object, which is an action you can assign to an ACL and by that allow this action to be executed by a user.

1.3 AROs
The AROs are Access Requesting Objects, which would be the user in our case. It would be possible to put an Add-On as ARO in here to regulate its rights. If this is necessary I'm not sure...

1.4 AXOs
The AXOs are Access eXtension Objects, the single content-items in Joomla! These are optional, but allow to create control rules down to a level where you define it for every single content-item.

1.5 Sections
All 4 groups of objects can be grouped into sections for structuring purposes. Sections can not be a child of another section, they are just to group the objects of the respective object into more administrable parts.

1.7 Groups
To have as few rules as possible and to avoid creating a single rule for every user and every action, it is possible to put AROs and AXOs into groups and assign rules to this group. Groups can form a tree and inherit the rules from their parents. When a rule conflicts with a rule of a parentgroup, the rule of the child is the dominant one.

2. ACL-Check
Code:
$acl->acl_check($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value=NULL, $axo_value=NULL, $root_aro_group=NULL, $root_axo_group=NULL)

To include the ACL-check into your Add-On, you just have to include the above code and replace the corresponding variables with your data. You won't need $root_aro_group and $root_axo_group, and $axo_section_value and $axo_value are optional, too. Normally you would replace $aro_section_value with 'users' and $aro_value with $my->id, which would mean, the current user is the requesting object. When you create another kind of requesting object, like an Add-On, you have to replace 'users' by its respective sectionvalue and $my->id by the corresponding objectvalue.

3. Managing Sections and Groups
3.1 Managing Sections
3.1.1 Add
To add a section, put this into your code:
Code:
$acl->add_object_section($name, $value, 0, 0, $object_type)

Replace $name with the name for the section. This will be displayed in the ACL-admin-interface. Replace $value with the internal name of the section. This will be the string you have to use as a parameter. Replace $object_type with the kind of object you would like to add (ACL, ACO, ARO, AXO).

3.1.2 Edit
To edit a section, put this into your code:
Code:
$acl->edit_object_section($object_section_id, $name, $value, 0, 0, $object_type)

Replace $object_section_id with the numerical ID of the section you want to edit. Replace the other variables to the new values you want them to have. Be sure to set the $object_type correctly (ACL, ACO, ARO, AXO).

3.1.3 Delete
To delete a section, put this into your code:
Code:
$acl->del_object_section($object_section_id, $object_type, $erase)

Replace $object_section_id with the ID of the section you want to delete. Set the $object_type (ACL, ACO, ARO, AXO). If you want all the objects in the section to be deleted, set $erase to TRUE. ATTENTION: You're not just deleting their logical connection, but the whole ACL-rule!!

3.1.4 Get information
To get the ID of a section, put this into your code:
Code:
$acl->get_object_section_section_id($name, $value, $object_type)

Put a value in either $name, $value or both and set the object-type. Returnvalue will be the ID or FALSE.

3.2 Managing Groups
3.2.1 Add
To add a group, put this into your code:
Code:
$acl->add_group($value, $name, $parent_id, $group_type)

Replace $value with the internal name of the group. Replace $name with the name of the group. This will be shown in the admin-interface. To structure the groups you can build a tree with them. To place the group inside another, you have to set $parent_id to its parent group-ID. Be sure to set the group-type (ARO, AXO).

3.2.2 Edit
To edit a group, put this into your code:
Code:
$acl->edit_group($group_id, $value, $name, $parent_id, $group_type)

Replace $group_id with the numerical ID of the group you want to edit. Replace the other variables with the new values you want them to have. Be sure to set the $group_type correctly (ARO, AXO).

3.2.3 Delete
To delete a group, put this into your code:
Code:
$acl->del_group($group_id, $reparent_children, $group_type)

Replace $group_id with the ID of the group you want to delete. Set the $group_type (ARO, AXO). If you want all the child-groups in the group to be signed over to the parent of the group to be deleted, set $reparent_children to TRUE.

3.2.4 Get information
To get the children of a group, put this in your code:
Code:
$acl->get_group_children($group_id, $group_type, $recurse)

Replace $group_id with the ID of the group whose children you want. Set the $group_type (ARO, AXO). If you want to get all groups below your parent, set $recurse to 'RECURSE'. Returns an array of child IDs.

To get the ID of a group, put this into your code:
Code:
$acl->get_group_id($value, $name, $group_type)

Put a value in either $name, $value or both and set the object-type (ARO, AXO). The return value will be the ID or FALSE.

To get the ID of the parent of your group, put this into your code:
Code:
$acl->get_group_parent_id($id, $group_type)

Replace $id with the child's ID and set the object-type (ARO, AXO).

To get the data of a group, put this into your code:
Code:
$acl->get_group_data($group_id, $group_type)

Replace $group_id with the ID and set the $group_type (ARO, AXO).

4. Managing ACLs
4.1 Add
To add an ACL, put this into your code:
Code:
$acl->add_acl($aco_array, $aro_array, $aro_group_ids, $axo_array, $axo_group_ids, $allow, $enabled, $return_value, $note, $section_value)

The $aco_array, $aro_array and $axo_array are associative arrays of the objects the ACL-rule applies to. Structure:
item={Section Value}, key={Array of Object Values}
i.e. ("<Section Value>" => ("<Object Value>", "<Object Value>", "<Object Value>"), ...)
The $aro_group_ids and $axo_group_ids are arrays of the groups the ACL-rule applies to.
With $allow you can set whether the rule allows or denies the AROs the access to the AROs and AXOs. With $enabled you can set whether the rule is active or not. Both switches are on when set to 1. With $return_value you can define a special return value. With $note you can add a description to the ACL. Setting $section_value, you can assign the ACL to a section. This is optional and will be set to 'system' if not set.

4.2 Edit
To edit an existing ACL, put this into your code:
Code:
$acl->edit_acl($acl_id, $aco_array, $aro_array, $aro_group_ids, $axo_array, $axo_group_ids, $allow, $enabled, $return_value, $note, $section_value)

For an explanation of the parameters read "4.1 Add". The parameters are named equally. Notice that you have to set $acl_id to the ACL to be edited.

To add objects to an ACL, put this into your code:
Code:
$acl->append_acl($acl_id, $aro_array, $aro_group_ids, $axo_array, $axo_group_ids, $aco_array)

For an explanation of the parameters read "4.1 Add". The parameters are named equally. Notice that you have to set $acl_id to the ACL to be edited.

To delete objects from an ACL, put this into your code:
Code:
$acl->shift_acl($acl_id, $aro_array, $aro_group_ids, $axo_array, $axo_group_ids, $aco_array)

For an explanation of the parameters read "4.1 Add". The parameters are named equally. Notice that you have to set $acl_id to the ACL to be edited.

To check if the ACL is conflicting with an older rule, put this into your code:
Code:
$acl->is_conflicting_acl($aco_array, $aro_array, $aro_group_ids, $axo_array, $axo_group_ids, $ignore_acl_ids)

The $aco_array, $aro_array and $axo_array are associative arrays of the objects the ACL-rule applies to. Structure:
item={Section Value}, key={Array of Object Values}
i.e. ["<Section Value>" => ["<Object Value>", "<Object Value>", "<Object Value>"], ...]
The $aro_group_ids and $axo_group_ids are arrays of the groups the ACL-rule applies to.
With $ignore_acl_ids you can define a number of ACLs to be ignored in the search process. The array consists of the ACL IDs.

4.3 Delete
To delete an ACL, put this into your code:
Code:
$acl->del_acl($acl_id)

Replace $acl_id with the ID of the ACL to be deleted.

4.4 Get
To get the data of an ACL, put this into your code:
Code:
$acl->get_acl($acl_id)

Replace $acl_id with the ID of the ACL whose data you want.
The return value is an associative array with the following items:
- 'aco' => Associative array, item={Section Value}, key={Array of Object Values} i.e. ["<Section Value>" => ["<Object Value>", "<Object Value>", "<Object Value>"], ...]
- 'aro' => Associative array, item={Section Value}, key={Array of Object Values} i.e. ["<Section Value>" => ["<Object Value>", "<Object Value>", "<Object Value>"], ...]
- 'axo' => Associative array, item={Section Value}, key={Array of Object Values} i.e. ["<Section Value>" => ["<Object Value>", "<Object Value>", "<Object Value>"], ...]
- 'aro_groups' => Array of Group IDs
- 'axo_groups' => Array of Group IDs
- 'acl_id' => int ACL ID #
- 'allow' => int Allow flag
- 'enabled' => int Enabled flag
- 'return_value' => string Return Value
- 'note' => string Note

To find one or more ACLs with specific values, put this into your code:
Code:
$acl->search_acl($aco_section_value, $aco_value, $aro_section_value, $aro_value, $aro_group_name, $axo_section_value, $axo_value, $axo_group_name, $return_value)

The return value is an array of ACL-group IDs.

5. Manage Objects
5.1 Add
To add an object, put this into your code:
Code:
$acl->add_object($section_value, $name, $value, 0, 0, $object_type)

Fill in the values for the different parameters. Be sure to set the object-type (ARO, ACO, AXO). $section_value is the section the new object will be attached to. The return value is the new object-ID.

5.2 Edit
To edit an object, put this into your code:
Code:
$acl->edit_object($object_id, $section_value, $name, $value, $order, $hidden, $object_type)

Fill in the values for the different parameters. Be sure to set the object-type (ARO, ACO, AXO). $section_value is the new section the object will be attached to.

5.3 Delete
To delete an object, put this into your code:
Code:
$acl->del_object($object_id, $object_type, $erase)

Replace $object_id with the object's ID and set the object-type (ARO, ACO, AXO). By setting $erase to 'TRUE', all referencing objects get erased, too. Leaves them alone otherwise.

5.4 Manage objects and their groups
5.4.1 Add
To add an object to a group, put this into your code:
Code:
$acl->add_group_object($group_id, $object_section_value, $object_value, $group_type)

Replace the parameters with your values. Notice that only AROs and AXOs can be put into groups.

5.4.2 Delete
To delete an object, put this into your code:
Code:
$acl->del_group_object($group_id, $object_section_value, $object_value, $group_type)

Fill in your values for the parameters. The return value is TRUE when successful.

5.5 Get
To get the data of all objects, put this into your code:
Code:
$acl->get_object($section_value, 1, $object_type)

You can narrow your search down by selecting a section. The return is an ADORecordSet with object ID only selected. Be sure to set the object_type (ARO, ACO, AXO).

To get all objects not assigned to a group, put this into your code:
Code:
$acl->get_ungrouped_objects(1, $object_type)

Object-type can be ARO and AXO. The return value is an array of group-IDs.

To get the data of all objects, put this into your code:
Code:
$acl->get_objects($section_value, 1, $object_type)

You can narrow your search down by selecting a section. The return is an associative array with the following structure:
- i.e. Associative array, item={Section Value}, key={Array of Object Values} i.e. ["<Section Value>" => ["<Object Value>", "<Object Value>", "<Object Value>"], ...]
This array is suitable for $acl->add_acl and $acl->is_conflicting_acl. You can narrow your search down by selecting a section. Be sure to set the object-type (ARO, ACO, AXO).

To get the data of a single object, put this into your code:
Code:
$acl->get_object_data($object_id, $object_type)

The return is a 2-dimensional array of rows with columns (section_value, value, order_value, name, hidden).

To get the ID of an object, put this into your code:
Code:
$acl->get_object_id($section_value, $value, $object_type)

Be sure to set the object-type (ARO, ACO, AXO).

To get the section-value the object is in, put this into your code:
Code:
$acl->get_object_section_value($object_id, $object_type)

Be sure to set the object-type (ARO, ACO, AXO).

To get all groups the object is part of, put this into your code:
Code:
$acl->get_object_groups($object_id, $object_type, $option)

Be sure to set the object-type (ARO, AXO). If $option is set to 'RECURSE' it will get all ancestor groups. Default is only parent. Return is an array of group-IDs.

6. Guidelines for naming Objects
To preserve a good structure in the ACL-tree and make it readable for human beings, a few rules should be followed regarding naming the different objects.

ACO-sections should have as a value a three character identifier of their kind of Add-On i.e. 'com_*' or 'mod_*' and as name a describing word. See in the admin-interface for an example.
ACO-objects can have any kind of name and value you like, just remember that later the user probably wants to administer the rights and has to understand what this ACO represents.

ARO-sections are something special. In the section 'users' only users are supposed to be enlisted. If you want an Add-On such as a mambot or component to be registered as an ARO, put them in their respective section ('mambot', 'component').
AROs can have any kind of name and value you like, just remember that later the user probably wants to administer the rights and has to understand what this ARO represents.
If you need to create a new group for your components, you either create it inside of 'Public Backend' or 'Public Frontend' or create a new group outside of 'USERS'.

AXO-sections should represent their content. If you have content, that's created by your Add-On, create a section with a value like 'content_add_on' and a name like 'Content - add_on'.
AXOs can have any kind of name and value you like, just remember that later the user probably wants to administer the rights and has to understand what this AXO represents.
AXO-groups should represent the section/category-structure of Joomla. However, you can create a group that's outside of 'Content'.

7. Porting Add-Ons to the new ACL-system
Porting existing Add-Ons to the new ACL-system is fairly easy. When your Add-On till now had to add its ACL-rules every time it was triggered, you now have to do this only once in the installation. How this will be done, if the XML-scheme for installation-files for Joomla will be extended, is at the moment undecided.
When your Add-On calls the function $acl->acl_check, you have to notice only one thing that's changed from the old system. In the old system the rights of a user were defined by his user-group, now you call this function directly for this user with his ID. Normally replacing the '$my->usertype' by '$my->id' will do the trick.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
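
The calls documented in the post above, combined into an added example that is not part of the original post or of phpGACL: a one-time install step, a grant that first checks for a conflicting rule, and a run-time check by user ID. It assumes `$acl` is the ACL object used throughout the post and `$my` is the current user object; the `com_example` section, the `view`/`edit` ACOs, the user ID and the `FakeAcl` stand-in class are hypothetical.

```php
<?php
// Added example; not code from the thread or from phpGACL. 'com_example',
// 'view' and 'edit' are assumed names for a hypothetical component.
// Installer step (section 7): create missing section and ACOs, stop on failure.
function addon_install_acl($acl)
{
    if (!$acl->get_object_section_section_id(null, 'com_example', 'ACO')
        && !$acl->add_object_section('Example component', 'com_example', 0, 0, 'ACO')) {
        return false;
    }
    foreach (array('view' => 'View items', 'edit' => 'Edit items') as $value => $name) {
        if (!$acl->get_object_id('com_example', $value, 'ACO')
            && !$acl->add_object('com_example', $name, $value, 0, 0, 'ACO')) {
            return false;
        }
    }
    return true;
}

// Allow one user one action (section 4.1) unless an older rule conflicts.
function addon_grant($acl, $user_id, $action)
{
    // Structure from 4.1: section value => array of object values.
    $aco_array = array('com_example' => array($action));
    $aro_array = array('users' => array($user_id));
    if ($acl->is_conflicting_acl($aco_array, $aro_array, array(), array(), array(), array())) {
        return false; // keep the existing rule; an administrator decides
    }
    // $allow = 1, $enabled = 1, empty return value, a note, section 'system'.
    return $acl->add_acl($aco_array, $aro_array, array(), array(), array(),
        1, 1, '', 'com_example: ' . $action, 'system');
}

// Run-time check (section 7): user ID, not usertype; non-allow means deny.
function addon_can($acl, $my, $action)
{
    return $acl->acl_check('com_example', $action, 'users', $my->id) ? true : false;
}

// Constructed stand-in so the file runs without phpGACL: lookups find
// nothing, add_* calls succeed, acl_check allows only what add_acl stored.
class FakeAcl
{
    public $allowed = array();
    function __call($method, $args)
    {
        if ($method === 'add_acl') {
            $this->allowed[] = array($args[0]['com_example'][0], $args[1]['users'][0]);
        }
        if ($method === 'acl_check') {
            return in_array(array($args[1], $args[3]), $this->allowed, true);
        }
        return strpos($method, 'add_') === 0 ? 1 : false;
    }
}
$acl = new FakeAcl();
$my = (object) array('id' => 62); // constructed user ID
var_dump(addon_install_acl($acl) && addon_grant($acl, $my->id, 'view'));
var_dump(addon_can($acl, $my, 'view'), addon_can($acl, $my, 'edit'));
```

Every write checks its return value, so a failed section, object or rule creation stops the install instead of leaving a half-built rule set.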


Posted: Sun Oct 09, 2005 5:32 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
Looks good! Only thought was, it may be worth clarifying what the objects actually do.


Posted: Sun Oct 09, 2005 6:11 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
I thought it was explained shortly in 1.
Otherwise I can only refer to the link to phpGACL. The explanation there is excellent.

 
Posted: Sun Oct 09, 2005 6:48 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
The second is a good solution--why duplicate when not necessary.


Posted: Thu Oct 13, 2005 5:25 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 1:27 pm
Posts: 548
Location: Washington, DC
Hey everyone,

Man, this thread is awesome work.  Just talked to someone I know that's looked carefully at phpGACL and his comment was, "phpGACL has a few major holes (i.e. not scalable) that needs to be fixed and on their roadmap."

"holes", "scalable", and "needs to be fixed" aren't good words in my development vocabulary. =)

Can anyone speak to these issues, or know of them?

Best,
Ryan

_________________
PICnet - "Empowering the missions of non-profits through technology"
www.picnet.net


Posted: Thu Oct 13, 2005 5:43 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
cozimek wrote:
Man, this thread is awesome work.  Just talked to someone I know that's looked carefully at phpGACL and his comment was, "phpGACL has a few major holes (i.e. not scalable) that needs to be fixed and on their roadmap."

I read a similar thread from around spring this year on the old mamboserver.com-forum. I can't say anything for the performance because I don't have enough data to create a high-stress-test, but on the project-page, they claim the following:
Quote:
Scalable. A real-world working version with many added layers of complexity supports over 60,000 Accounts, 200 Groups and 300 ACO's.

That's to the volume they claim to handle. To the speed, I quote from the manual, last page:
Quote:
Can phpGACL handle large sets of data?

Not a problem at all. We've tested up to 100,000 AXO's and 100,000 ARO's on moderate hardware even. The performance issues come down to how well you can cache the ACL's, and how fast your database server is.


The caching-system behind it is, in my eyes, well developed and I think in a normal surrounding, you will have no problems.

I don't know on which basis the guy in the post mentioned earlier grounds his statement. I just found the thread: http://forum.mamboserver.com/showthread.php?t=292  In my eyes it takes way more time to load all the permissions for everything when the user loads the page than doing these look-ups...

I can't really tell which is right, but I tend to stick with the creator of the API and not with a guy that wrote 2 posts in almost 2 years.
I welcome a discussion. Please let me know what you think.
hackwar

 
Posted: Thu Oct 13, 2005 6:11 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 1:27 pm
Posts: 548
Location: Washington, DC
Hackwar,

Yeah, to be honest, it's all a little out of my league, but I'll keep facilitating conversations.  It sounds like it's promising, for sure!

-Ryan

 
Posted: Thu Oct 13, 2005 6:17 pm 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
Hey, it's not as if I'm a pro. You could call me a bloody newbie. Just caught a few phrases and coding in the last years.

 
Posted: Fri Oct 14, 2005 9:09 am 
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
A little update on the current status of ACL-implementation:

After I had a very good discussion with jinx, I had to review the ACL-stuff. My approach was just using the ADOdb-API that I thought was supposed to be in the next release. From jinx I heard ADOdb is a resource-killer and that they wanted it to work without it. I'm currently rewriting all the database-calls to match with the Joomla-db-layer. After the discussion, I'm not sure if I'll make it into 1.1 (although I don't even know when it will come). Some of the Joomla-db-functions behave differently than the corresponding ones from ADOdb. I'm doing my best and will update you as soon as something new comes up.

Hackwar

 
Posted: Fri Oct 14, 2005 9:28 am 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 10:59 am
Posts: 34
Location: Netherlands
Keep up the good work !!!
For me, this feature, next to multi-linguality, will be the most important extension of Joomla, I'm waiting for.

