> On Thursday, 25 October 2012, Herman Peeren wrote:

>> (...) I personally see the current ACL as temporary and a good
>> opportunity to learn from our mistakes.

> On Thursday, 25 October 2012 23:26:31 UTC+2, Andrew Eddie wrote:

>> There was no "mistake" in the design. (...)

> With "mistakes" I mainly meant JAccess (with it's static methods and
> datacentric/procedural approach instead of proper OOP), the way it is
> implemented in the CMS (scattered over a myriad of files and thereby very
> inflexible), the use of the asset_id outside the access-package itself (the
> asset name and asset_id both point to the same asset; the asset_id should
> only be used internally), the separate ACL for view access (if the
> implementation needs a different approach doesn't imply the interface
> should be separate), the 3rd access control by needing a login to a
> separate administrator application (5 years ago I was using DNN just at the
> moment they had implemented an ACL and therefore got rid of their seperate
> administrator login) and the implementation of a "deny always wins" (when
> someone is added to an extra, not hierachical related user group, she
> should not loose access rights). Storing a blob of rules in JSON was just a
> minor concern of me (I even learned to see some advantages of it in some
> cases)

> I don't mean it as critique, but just to sum up some points I want to
> learn from. I understand the difficulty you and other developers had in
> that time when many wanted to keep everything in Joomla! the same as much
> as possible. And also: access control is a very difficult subject, for it
> has impact on the code in many places, yet you want to seperate all
> concerns as much as possible.

> Your authorisation package proposal certainly is a step in the good
> direction. I smiled when I saw it for the first time (with Louis' first
> UCM-code proposal); also because for me it confirmed the current ACL
> implementation needed some improvement. Thanks for spending time on it.