the_real_svempa wrote:This is exactly the way I can see a basic permission system be implemented.
lol - This is really not a viable solution. A drop down list of all
users! blimey, that in itself would be completely unmanageable in sites with a large number of users.
On a far more positive note, I agree that access-control is an important issue. I remember back when I discovered Joomla! (at the time it was Mambo) and thinking how important this was and that it needed addressing. Sadly X years on it has still not been fully realised.
OK, a quick bit of background, Joomla! uses PHP GACL, sort of, or rather, in a very limited way. PHP GACL consists of four `concepts`:
ACL - Access Control List - Permissions list for an object
ACO - Access Control Object - Object to deny or allow access to
AXO - Access eXtension Object - Extended object to deny or allow access to
ARO - Access Request Object - Object requesting access
To explain this a bit better I'll grab a quote from a Joomla! book:
In phpGACL, permissions are given to ARO groups and AROs, to access ACOs and AXOs. In Joomla! we only give permissions to ARO groups, and Joomla! users can only be a member of one group, whereas in phpGACL AROs can be members of multiple groups
These differences between Joomla! and phpGACL are due to one major factor. In phpGACL when we check permissions, we ask the question ‘does ARO X have access to ACO Y?’. In Joomla! we ask the question ‘does ARO group X have access to ACO Y?’. The way in which we assign permissions in Joomla! will be altered in the future to use the same principals as phpGACL.
Fully implementing PHP GACL fully is a major issue, mainly because of backwards compatibility. J! 1.5 has made some additional contributions to the setup that make some big differences, it's just that its all pretty invisible to the end user and admins. For example, the MVC framework includes permission checking and the JUser class includes a handy authorize() method. Also the three groups public, registered, special, I think have technically been deprecated...?
OK, I'm getting a bit bogged down in the technicalities, so rather than bore us all to death (myself included) let's address the real issue here. Not 'we want better access-control', but 'What are the ramifications of implementing PHP GACL fully on both the J! core and third party extensions, and what is the best way to deal with the transition period'.
I remember some time ago, I saw something stating that this would be addressed in J! 2... but I'm not sure if I just imagined that