cutting corners from a wheel -
Post on 08-May-2015
FORKITOK
CUTTING CORNERS FROM A WHEEL
// Forkito ACL //
// Cache types coverage //
FINAL GOAL
Easy to use and understand ACL system
Reusable ACL library compatible with most widespread Joomla based projects
FORKITO ACL FLAVORS
- Joomla fork flavor (working - oh yeah)
- Molajo flavor (in progress)
- Nooku flavor (planned)
JOOMLA FLAVOR FORK
JOOMLA FLAVOR FORK
Did he really say that?
JOOMLA FORK FLAVOR
Starting point for the whole project.
Used as proof of concept
Joomla fork flavor: contains changes to 70+ files due to the poor Joomla ACL implementation in the application layer
Joomla - ACL hardcoded everywhere
revision 7
COVERED PARTS
New forkito ACL library
Joomla library methods are changed to proxies to the new library methods
Includes internal methods that take care of backwards compatibility with old Joomla ACL
COVERED PARTS
Web application framework layer
- categories
- menus
- modules
- plugins
Mainly changes to multiple items queries
COVERED PARTS
Application
- Backend components: com_categories, com_menus, com_modules, com_plugins
- Content components: com_content (back and frontend)
- Pagenavigation plugin
Contains changes to 37 php and 15 xml files, most extensive changes to com_users and com_content
WHERE CAN I GET IT
git clone git://git.forkito.org/forkito
MOLAJO FLAVOR
Completely new classes
Where most development goes at the moment
The most important part
Molajo - web application layer will be completely redone
together with components - layer includes hooks for ACL plugins
Just a few library overrides (JUser, JCategories, JMenu … )
Joomla compatibility methods removed – extension either uses Joomla or Forkito ACL
?
yes, it can be done
NOOKU FLAVOR
Will come after Molajo flavour
It is expected that only minor changes will be needed in Forkito ACL for it to work with the Nooku framework.
Forkito will represent an addon library here
Unified ACL
// Forkito to Joomla ACL comparison //
REMOVED VIEW ACCESS LEVELS AND ADDED VIEW TO ACTIONS
50% less user effort needed, 50% less complicated.
View == action
No need for a separate ACL system for managing view permissions. It is confusing for the user and inefficient from the system's point of view.
RADICALLY IMPROVED AND SIMPLIFIED USER INTERFACE
- Simple matrix of groups and actions
- One-click permission changes
- Instantly visible changes in inherited values
SIMPLIFIED OPERATIONAL LOGIC
Lower level always wins
Anything set on the lower level beats what was set on the higher one (denied or allowed).
Assigned permission beats inherited
Users are auto-assigned to parent groups, so anything that is set in parents will affect the user's permissions, but only if it is not set explicitly in the assigned groups.
Global > Component > (Category) > (Item)
SIMPLIFIED OPERATIONAL LOGIC
If one group gives you access you are in (key analogy)
If you have a key that opens certain doors, it doesn't matter if another key doesn't work, you can still get in. When a user is allowed to do something through his membership in one of the assigned groups, all others are irrelevant.
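The two slides above describe the resolution rules in words; the following is an added example (not code from the Forkito project, whose implementation is in PHP) that models them in Python. The group names, the `(group, action, level, asset)` rule table and the `path` dictionary are constructed for the example. Where the slides do not say how the two axes combine, the model assumes that the asset level is walked from most specific to most general and that, at each level, the assigned group's own rule is consulted before rules inherited from parent groups.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Asset levels from most general to most specific; the resolver walks them in
# reverse so that the lowest (most specific) level always wins.
LEVELS = ("global", "component", "category", "item")


@dataclass
class Group:
    name: str
    parent: Optional[str] = None  # users are auto-assigned to parent groups


@dataclass
class Acl:
    """Toy model (constructed for this example) of the slides' rules:
    explicit rows keyed by (group, action, level, asset) instead of a JSON blob."""
    groups: Dict[str, Group]
    rules: Dict[Tuple[str, str, str, object], bool] = field(default_factory=dict)

    def set_rule(self, group: str, action: str, level: str, asset, allowed: bool) -> None:
        self.rules[(group, action, level, asset)] = allowed

    def chain(self, group: str) -> List[str]:
        """Assigned group first, then its parents up to the root."""
        names, g = [], self.groups[group]
        while g is not None:
            names.append(g.name)
            g = self.groups[g.parent] if g.parent else None
        return names

    def resolve_for_group(self, group: str, action: str, path: Dict[str, object]) -> Optional[bool]:
        """path maps level -> asset id for the asset being checked.
        Lower level wins: walk item -> category -> component -> global.
        Assigned beats inherited: at each level the assigned group's own rule is
        taken before a parent group's rule (assumption, see lead-in)."""
        for level in reversed(LEVELS):
            if level not in path:
                continue
            for g in self.chain(group):
                rule = self.rules.get((g, action, level, path[level]))
                if rule is not None:
                    return rule
        return None  # nothing set anywhere: treated as no permission

    def is_user_authorized_to(self, user_groups: List[str], action: str, path: Dict[str, object]) -> bool:
        """Key analogy: if any assigned group opens the door, the user is in."""
        return any(self.resolve_for_group(g, action, path) for g in user_groups)


def build_demo() -> Acl:
    """Constructed sample: public < registered < {editor, admin}."""
    acl = Acl(groups={
        "public": Group("public"),
        "registered": Group("registered", parent="public"),
        "editor": Group("editor", parent="registered"),
        "admin": Group("admin", parent="registered"),
    })
    acl.set_rule("public", "core.view", "global", "root", True)        # site is public...
    acl.set_rule("public", "core.view", "category", 5, False)          # ...except category 5
    acl.set_rule("registered", "core.view", "category", 5, True)       # members may view it
    acl.set_rule("registered", "core.edit", "global", "root", False)   # members never edit
    acl.set_rule("editor", "core.edit", "component", "com_content", True)
    acl.set_rule("editor", "core.edit", "item", 42, False)             # one locked article
    acl.set_rule("admin", "core.edit", "global", "root", True)
    return acl


# Constructed asset paths: article 42 and article 43 both live in category 5.
ARTICLE_42 = {"global": "root", "component": "com_content", "category": 5, "item": 42}
ARTICLE_43 = {"global": "root", "component": "com_content", "category": 5, "item": 43}

if __name__ == "__main__":
    acl = build_demo()
    print("public views 42:", acl.is_user_authorized_to(["public"], "core.view", ARTICLE_42))
    print("editor edits 42:", acl.is_user_authorized_to(["editor"], "core.edit", ARTICLE_42))
    print("editor+admin edits 42:", acl.is_user_authorized_to(["editor", "admin"], "core.edit", ARTICLE_42))
```

The last call shows the key analogy: `editor` is explicitly denied on item 42 at the lowest level, yet a user who also holds `admin` gets in because one allowing group is enough.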
DRY-ED AND RE-ARCHITECTURED
No code repetition
A single method for a single purpose. Classes reuse other classes' methods and do not replicate them.
Very low amount of code, will cut off even more in the future.
JSON ENCODED RULES REPLACED WITH PERMISSIONS TABLE
A JSON encoded string of permissions, stored in a single database field, was one of the most horrible ideas ever seen in Joomla.
This kind of code crime should be punishable with at least 100 hits with a stick.
WHY ?
It totally disables any database relations, conditional searches etc. with enormous impact on performance.
To retrieve a list of items user has a permission to view (or edit or do any action) code would need to query for ALL items, unpack json string item by item and check permissions each item separately.
Now imagine you have 100.000 or even 1 million items to inspect one by one and try to imagine how long that would take and e.g. how much memory it would consume.
Get the picture?
Having JSON in a database == a performance problem
=> you need a more efficient system for managing thousands of users trying to view pages
=> you "solve" the problem by inventing another ACL system called access levels
ALWAYS PRESENT BASIC SYSTEM GROUPS
Groups that cannot be removed or their role changed
While this might seem like a backwards step, these groups are really cornerstones that a CMS ACL cannot work without. Equivalent to the unix wheel and anonymous group roles.
Having groups the system can always rely on -> RELIABILITY, better performance and better security
// including the root configuration hack that is not needed anymore //
ALWAYS PRESENT BASIC SYSTEM GROUPS
- Everyone
- Not-authenticated – anonymous visitors
- Authenticated – anyone that is logged in
- Admins – replacing the global core.admin permission (equivalent to the unix wheel group)
Simple API
// How do I implement it //
API GOAL
Create a minimal number of humanly understandable (self-explaining) classes and method names.
CHECK AUTHORIZATION - MACCESS CLASS
Check single item's authorization :
isUserAuthorizedTo
+ shortcut: isUserAuthorisedToView
CHECK AUTHORIZATION - MACCESS CLASS
Check multiple items authorization (by automatically inserting filtering sql in multiple items queries):
insertFilterQuery
MULTIPLE ITEMS AUTHORIZATION EXAMPLE
JPluginHelper::_load()

Joomla:

    $levels = implode(',', $user->getAuthorisedViewLevels());
    . . .
    $query->select('folder AS type, element AS name, params')
        ->from('#__extensions')
        ->where('enabled >= 1')
        ->where('type =' . $db->Quote('plugin'))
        ->where('state >= 0')
        ->where('access IN (' . $levels . ')')
        ->order('ordering');
MULTIPLE ITEMS AUTHORIZATION EXAMPLE
Forkito ACL:

    $query->select('e.folder AS type, e.element AS name, e.params, e.extension_id, e.asset_id')
        ->from('#__extensions AS e')
        ->where('enabled >= 1')
        ->where('type =' . $db->Quote('plugin'))
        ->where('state >= 0')
        ->order('ordering');

    jimport('molajo.access.access');
    MAccess::insertFilterQuery($db, $query, 'e.asset_id', 'core.view');
MULTIPLE ITEMS AUTHORIZATION EXAMPLE
The same function is used in categories helper, modules helper, com_content articles model – anywhere where list of items needs to be filtered
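The earlier "WHY ?" slides argue that a JSON blob per asset forces the application to fetch every row and unpack it, while a permissions table lets the database filter; the `insertFilterQuery` slides show the call that does that filtering. The following added example (Python with sqlite3, not the project's PHP code) puts both approaches side by side on the same constructed data. The `items`, `assets` and `permissions` schemas, the group ids and the `insert_filter_query` helper are assumptions made for the example; they model the idea of `MAccess::insertFilterQuery` rather than reproduce it.

```python
import json
import sqlite3
from typing import List, Tuple

# Constructed sample data, not taken from any real site.
ITEMS = [  # (id, title, asset_id)
    (1, "Public article", 101),
    (2, "Members-only article", 102),
    (3, "Staff notice", 103),
    (4, "Draft", 104),
]
# Joomla-style rules: one JSON blob per asset, {action: {group_id: 1|0}}.
# Group 1 = public, 2 = registered, 3 = staff (constructed ids).
ASSET_RULES_JSON = {
    101: {"core.view": {"1": 1}},
    102: {"core.view": {"2": 1}},
    103: {"core.view": {"2": 1, "3": 1}},
    104: {"core.view": {"3": 1}},
}


def setup_db() -> sqlite3.Connection:
    """In-memory database holding the same facts twice: as JSON blobs and as rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, asset_id INTEGER);
        CREATE TABLE assets (asset_id INTEGER PRIMARY KEY, rules TEXT);
        CREATE TABLE permissions (
            asset_id INTEGER, group_id INTEGER, action TEXT, allowed INTEGER,
            PRIMARY KEY (asset_id, group_id, action));
    """)
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    for asset_id, rules in ASSET_RULES_JSON.items():
        db.execute("INSERT INTO assets VALUES (?, ?)", (asset_id, json.dumps(rules)))
        for action, groups in rules.items():          # same facts as table rows
            for gid, allowed in groups.items():
                db.execute("INSERT INTO permissions VALUES (?, ?, ?, ?)",
                           (asset_id, int(gid), action, allowed))
    db.commit()
    return db


def viewable_via_json(db: sqlite3.Connection, user_groups: List[int]) -> Tuple[List[int], int]:
    """JSON-blob approach: every item is fetched and unpacked in application code.
    Returns (allowed item ids, number of rows the database had to hand over)."""
    rows = db.execute(
        "SELECT i.id, a.rules FROM items i JOIN assets a ON a.asset_id = i.asset_id "
        "ORDER BY i.id").fetchall()
    allowed = []
    for item_id, rules_json in rows:
        view_rules = json.loads(rules_json).get("core.view", {})
        if any(view_rules.get(str(g)) == 1 for g in user_groups):
            allowed.append(item_id)
    return allowed, len(rows)  # rows fetched == whole table, whatever the user may see


def insert_filter_query(sql: str, params: list, asset_column: str,
                        action: str, user_groups: List[int]) -> Tuple[str, list]:
    """Model of MAccess::insertFilterQuery (assumed shape): append an EXISTS subquery
    against the permissions table so the database does the filtering.
    asset_column is a developer-supplied column name, never user input;
    the action and group ids travel as bound parameters."""
    placeholders = ",".join("?" * len(user_groups))
    clause = (f" AND EXISTS (SELECT 1 FROM permissions p WHERE p.asset_id = {asset_column}"
              f" AND p.action = ? AND p.allowed = 1 AND p.group_id IN ({placeholders}))")
    return sql + clause, params + [action, *user_groups]


def viewable_via_table(db: sqlite3.Connection, user_groups: List[int]) -> Tuple[List[int], int]:
    """Permissions-table approach: only rows the user may view leave the database."""
    sql, params = insert_filter_query(
        "SELECT i.id FROM items i WHERE 1 = 1", [], "i.asset_id", "core.view", user_groups)
    rows = db.execute(sql + " ORDER BY i.id", params).fetchall()
    return [r[0] for r in rows], len(rows)


if __name__ == "__main__":
    db = setup_db()
    for groups in ([1], [1, 2], [3]):
        print(groups, "json:", viewable_via_json(db, groups), "table:", viewable_via_table(db, groups))
```

Both functions return the same item ids, but the second element of each result shows the difference the slides are about: the JSON path always transfers and parses every row, while the filtered query transfers only the rows the user is allowed to see, and that is the part that scales with a 100.000-item table.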
USER INTERFACE
Insert acl widget HTML: MHtmlPermissions::aclWidget
Get a ready-made acl widget in the shape of a Joomla form field: MFormFieldAclwidget
Very simple to include the ACL widget in your component layout
Future
// Short term //
Testing, testing. Bugfixing. Testing. Bugfixing. Bugfixing. Testing. Testing. Bugfixing.
USER INTERFACE IMPROVEMENT
Inheritance breadcrumbs - show what this level is inheriting from
Future
// Long term //
MORE ROUNDS OF SIMPLIFICATION
Simple mode - flatten inheritance, keep only default and category (or item) permissions