But how will you deal with the different actions from components? How will you list them somewhere to manage them in an easy way?
When a component is installed that requires ACL it calls to the PHPGACL subroutine to add it's required parameters to the user data. PHPCACL would be the go between the Core and the ACL module for all operations. think of it as the translator in a tri-language conversation.
When it comes time to check auth, the component again calls to the PHPGACL routine (passing parameters to it) and that routine passes them onto the ACL module to return True/False. that answer is then passed to the component and the comonent either runs the protected subroutine or returns saying you are not authorized.
the issue your concerned with RE:Components can not be solved any better by a built in core ACL system. If a component requires 50 shades of security that component is going to have to tell the ACL system at some point what those 50 shades are anyway and will have to have parameterized those shades in it's code so the built in (or module) ACL can run the checks.
Now I am not on any ACL design team and as I said Hackwar seems to have done the best work on this topic to date....
But here is what I would do in regards to ACL for components....
Each component has a finite number or access levels it will use. That may change after an upgrade but any changes can be handled at the time of the upgrade.
So lets say a component has three operations (for simplicity sake,) that it needs to do ACL checks for...
You install it and it calls to the ACL system and tells it to add a "COMPONENT A" column (or table with user IDs, you can go many ways with this) to the ACL DB.
It fills that column or table with a default flag of a binary number. One Bit for each security setting.
Since component "A" has three security settings, the binary number flag would look something like this "111"
First bit "110" sets read privs for pages, Second bit sets Write privs for pages "101" third Bit sets Edit Privs "011"
Note how I set flags to the opposite of usual in the binary....this helps me during an upgrade proccess cause if my new version adds a security level I simply do a simple operation to read the existing data from the old version
$bit =$bit + 1000
the bit was just changed to 1110 (if all they had was read privs before) adding a 4th level of security to the system.
The componet during checks will send a comparative to the ACL to see if that features bit is on or off and deal with the process of what to do in both cases. Either it finishes the subroutine or returns. Parameters would include "User" and component setting needed to run
the ACL takes the user parameter, looks up the ID, returns the bit for that ID (could even make the true false comparative if it wanted to but PHPGACL could just as easily do this!) and then sends that back to the component.
No matter how you do that (modular ACL or Core) that is going to have to be built into your component.
What the core needs to do (and as I said I think the PHPGACL is the way to go) is to make the interface that will allow those systems to talk to each other.
the hard part is organizing all the different settings a subsystem might need.
And a core ACL system is not going to do that any better than a modular one!
The core simply needs to define an arbitor to interface the core (and by extention the components) but in either case the component is going to have to have the security broken down into routines in it's core code and provide the parameters it will use to ask the ACL system for Auth!
If all (Core, Com and ACL module) are written to use the PHPGACL then the problem is standardized and easy for any 3PD to hook into any ACL module used.
But what I was referring to in regards to the MYSPACE concept is that ACL should be completely seperate from the core CMS system altogether...
In that case a MYSPACE component would handle it's own user data and ACL and even run it's own DB so that you do not have to worry about some user who has a private page getting access to the infrastructure those private pages were served from!
ACL for Joomla should be limited to Joomla operation only!
If you need something like a hosting solution that hosting component should run it's own ACL seperate and distinct from the ACL that can turn the entire site off!
If for no other reason than security!