The Joomla! Community Portal ™

Sat

03

Oct

2009

"You can't go in there"
Written by Hannes Papenberg   
Saturday, 03 October 2009 12:55

That's what you will be able to say from now on when you explain your new site to someone else. Yes, we finally found a solution for the access management problems in Joomla and it is also already implemented in the trunk.

One of Joomla's biggest weaknesses so far has been the missing control over who can do what in Joomla. You only had those three view levels (Public, Registered, Special) and seven usergroups that had fixed, site-wide permissions. New usergroups? Restricting a usergroup to one category only? Not possible in Joomla up to now. This is a problem that has been bothering us all for years and it was the initial reason why I got interested in helping out in the Joomla project and doing development. That's four years ago. And even before that, Andrew Eddie had been working on this issue for another two years. So this really has a long history already.

Some of you might think we are making this too big of a problem. Yes, you can just slap an access management solution in there and hope that it works and that people can use it. On the other hand, we have a huge developer community and Joomla is used in a wide range of situations. Nobody really cares how the access management looks and how fast it is, if the administrator has studied computer science and the site has no visitors. But we were aiming for the opposite. We wanted to make this easy, so that everybody can use this system and that at the same time you don't feel any performance issues. That took time.

As of last night, we finally have found a solution that provides the maximum of flexibility, is usable by a four year-old and wont have any really measurable impact on the performance. Now I've been talking about "we" all the time and before I dive into the specifics of the system, I want to explain who that "we" is. There are several people that had direct or indirect influence to this development. A lot of ideas have come up on the Joomla development mailing list and I want to thank everybody who participated in these discussions. I also want to thank Mike Benoit, who wrote phpGACL, which has been the basis for much of our ideas and gave us great inspiration for the different solutions. Directly involved in the final development of this solution (and thus deserving an extra round of applause) are the following people: Louis Landry, Andrew Eddie, Rob Schley, Sam Moffatt, Ron Severdia, Ercan Özkaya, Gergo Erdosi and myself. Thanks also to all the people that we had inspiring talks with about this and who provided new insights into the problem.

Ok, now to the interesting part: How does it work? As with most good and beautiful systems, the idea is pretty simple. First of all, of course you can now create new groups and assign users to more than one group. These groups are formed in a tree, which means that if you are a member of the group "Administrator," you automatically inherit access rights from the group "Manager" below you. You are basically not limited in how you create your usergroups, but we will most likely make the groups "Public," "Registered," and "Super Administrator" fixed, just to make sure no one accidentally destroys his whole website and has no access to anything anymore.

Now we want to assign access rights to these groups. We want to allow one group to create articles, weblinks, newsfeeds and just about everything that you can create in Joomla. We don't want them to be able to publish any of that, so we give them the global "create" permission, but not the "edit state" permission. They, however, should be able to publish articles, so we go into the article manager in the global preferences into the "Permissions" tab. There we see the same permissions like in the global permissions screen. Here we select the "edit state" permission for that group and now this group can create everywhere in the system, but only publish articles. We also want them to be able to delete articles in one special category. To set this, we edit that category and, again, see the same permissions like in the global permissions screen and the global preferences screen. Here we allow them to delete articles.

That group is pretty powerful now. Remember, we allowed them to create content in every component. But maybe we don't want them to be able to create modules. Now that is easy, we just go into the module manager and instead of letting it inherit from the global "create" permission, we deny that group that permission in this component. So, not only can you set allow permissions from global down to single content items, you can also set them both to "allow" or "deny."

While this system covers all the administrative tasks for the website, we have one "small" area left: Viewing permissions. Up to Joomla 1.6 you had the three viewlevels "Public," "Registered," and "Special." In Joomla 1.6, you will have those, too, but you will also be able to add additional view levels to this list and especially select who should be able to see these.

Now that we've covered the basic functions for the end user, some more information for the technically interested audience: How does the system work on a database level? The basis for the permissions is the #__assets table. This table is modelled after the nested sets model and first and foremost has a root node for the system wide permissions. The direct children of this root node are the different components that we have installed. If that component has content (in contrast to a system-tool like a file manager, for example) each content item has a child in an appropriate tree underneath the component node. In each row we have a JSON-encoded array of permissions. If you access a content item, the respective node is loaded and the complete tree down to the root node is loaded with it. Now that content item inherits down along the whole line of three the permissions. The view levels are a bit simpler. We just have a JSON-encoded array of the usergroup IDs that are allowed to see this view level.

You are most likely asking yourself at this moment, "how complicated it is going to be to add all this to your own component?" Explaining all this here in this posting would be a bit much, but let me reassure you that it is dead easy. We are of course going to write good documentation about this and with that documentation it shouldn't take you more than a good hour to get your component up and running.

I am very excited about all of this, because we've made a giant leap with this development and decision in the last days and although there is still some work to be done, we are a lot further with Joomla 1.6 towards a release. Very soon already we can declare the development features complete and begin bug fixing. Then its just a short jump to a stable release.

As I said, there is still some work to be done, like the global permissions screen, and we need a lot of polishing, but if you want to take a look at what is there so far, get yourself a copy of the SVN or a nightly build. Remember: This is not ready for production use!