 OK. Čakaj, čakaj? Vsem Balind Kliere. Vsem z Hungary. Čakaj je to tajtovom projekta Google Summer of Code. Vsih projekta smo počkali s mojej mentori Kajro in Ejdeši. Vse je vse, da je vse, da je vse. Čakaj je vse, da je vse, da je vse, da je vse. tako, nekaj nekaj prejšanosti sečno zpr으vali. Prvno je transparancija. Prvno, za drupanje, je završena, da se ko se pošal. Tama nekaj nekaj nekaj nekaj prejšanosti. Zelo, da smo lahko lahko labov, diskriptičnih, a počnem, da smo lahko lahko v vernih. Ako imajo lahko na svoj stvari? Zelo, da mimo pomečimo, če bomo všimeljamo, če imamo, da nečo se zrešimo, če imamo dokumentacijo, kako je, če vse res bil. that sometimes we have read the code itself, which is not so convenient and if we don't know the exact meaning of a permission it can lead us to ambiguous outcomes. One more big issue is the overlapping. Some permissions overlap with others, for example administer content ne zvomilite očil 1974. Pratvo je izgleda nabźat, ki je tega nekako v početku, potem ampak nabil doča in zelo. Svoj moguš kreži posledati očil, kako je odpozor na naša, ki pričeš zakavo, zelo pričeš, ki doflori, dokajo dožWaiti sder, ki se nabiji, ki se zelo, ki je začinhto, ma tako nekaj dokatelo. izgledajte prejzosti za naši zelo. Tako, nekaj da se poživamo? Zelo, da se poživamo naši zelo. Vse imamo, da imamo naši naši zelo. Zelo, da se poživamo naši zelo. Zelo, da se poživamo naši zelo. There are security implications. I would like to mention these two permissions. The administrator permissions is if we have this permission, we can control the whole website. If we have the administrator users, the situation is the same, because we can edit the first administrator user as well. So, again, full control. And the user interface is basically CF checkboxes. If we are working on a small website, it's okay. It's not so hard. There are a few checkboxes. We can use this easily. But when we are working on a larger website, this can be scary and needs serious concentration to use. And let me show you the permission screen of the examiner.com. This is it. And this is it in big. Of course, I have changed the modules' names and the permission names. But this is the screen of the examiner.com's permission page. What do you think? How many checkboxes? 700? 1200? Nearly 5000 checkboxes. And that's hardly a friendly UI. I mean, I don't want to use this permission screen because it's very scary. And our proposed solution is implementing a hierarchical permission system. What does it mean? We have a new concept, permission trees. You know, currently the modules determine simple list when they define their permissions. But in a hierarchical way, the modules can define their permission sets as a hierarchical structured list. And that's what we call permission tree. Now, a single permission is a path from a permission tree. I'm going to show you a permission tree. And if we have a system like this, the overlapping is not an issue anymore. And we have to deal with only the necessary permissions if we have a good UI. And we will have a good one. So let me show you a permission tree. This is the permission tree of the user module. I'm going to work through under main branches. The first is the user profiles. People dot user profiles. I'm going to use the dot delimiter. And the main idea is here to make possible to control the access of fields and the other properties of the users. For example, the username, signature, and the other custom fields. And we organized it by roles. Plus we have the own profile, which is similar to what node module do. We don't content. So it means our own profile. And the other roles, role x, role y, and so on, means other users' profiles. And as you can see, we put the view permissions under the edit permissions. It can be weird at the first site, but it's logical, because if we can edit a property, we can view it as well. Something here that wasn't clear about, I think, that you can grant any permission in the tree. So you can say that I want to grant people dot user profiles dot role x to somebody. And that will mean that you have granted that permission and everything under it. That's how this hierarchy works. Yes. And let me show another example. People dot user profiles dot role x dot edit property x. So this. That means I can edit that property in users, which are in that role. And I can view it as well, because it's under the edit property. OK. The add users, I think, no need to explain. It's the same. What we have now. And the grant roles can be tricky. It means assign roles for other users in other roles. And we organized it by roles similar to above example. And we can control which roles can be assigned to users. The next one is canceled profiles. The organization is similar than user profiles. You can see the roles and the own profile. And you can select methods for the cancelling. We have two new permissions. User list and configure account settings. These two are very similar. We can narrow them. So we can narrow the access by roles in the access user list. And we can narrow the access by setting fields here at the configure account settings. For example, if we have an editor role and we want to allow them to edit the welcome email messages, we can just grant them this permission. So people that configure account settings, that setting Y, which can means edit welcome email messages. And the last one is administer permissions. It's still a powerful permission, but we can choose which permissions can be controlled. And we introduce one more level, only if a user have it. Because at time, when we grant this permission, for example, people that administer permissions that permission X, we don't know what permissions have that user. So we can say only if the user have it and it solved this problem. And other problems are solved. So the overlapping is noticeable. It's obvious and it's understandable for everyone. And the options are well covered. So I think transparency issue is done. And we can introduce a lot of new options. So the fine tuning problem is solved. And we kill the problematic permissions, so we don't have security implications anymore. And the real challenge is the user interface. So because we have hierarchical structure, using a tree visualization offers itself. Yes, there are a bunch of JavaScript tree visualizations out there, so why don't we use just one of them? Because it's not a good idea. Trees with collapsing options are hard to explore and hard to review. So that's not a friendly UI. We have interactions, which have to be easy. Explore the obtainable permissions, grant permissions to roles, review assigned roles and permissions and revoke permissions from roles. These are our main interactions. We worked out a new concept called permission rules. Permission rule is a single permission plus the assigned roles. So we have many permissions, but why don't we show only that ones, which are in use in the website? That's the main idea. So let me show you a wireframe. At the last two weeks, we have been working with Boyan Zomers and this wireframe created by him based on our permission rule concept and our earlier prototype demo. And I'm going to show you this separated. So what you can see here is the permission tree of user module, which I showed you before. You can explore the main branches, the first level children, access user list, add users, cancer profiles and user profiles. And we added labels for the deeper levels, like all, edit and view. And you can select permissions from each level and assign roles. And you can create permission rules. You can create many permission rules on the fly. And when you create some, sorry, we have a list about this permission rules, we have default ones, which can be provided by install profiles or other modules or anything else. And it can be assigned to the administrator role. And the other ones can be deleted, as you can see the icons. And we can change the assigned roles for a certain permission rule. So this is the concept of permission rules. And I have no more slides. Right. So questions. You need to put the mic on, because it's recording? Yeah. We're gonna share this single one. So questions. Peter? So do you have a scheme to make permission matching efficient? Absolutely. That was basically the first thing that Balin did. I think we went over about maybe eight different implementations and we definitely have one that's pretty speedy, because that was the first thing to verify before going in and creating the user tree, creating a user interface, we needed to see whether such a time critical function can be implemented reasonably fast. It is going to be slower, of course, because it's much more complicated. But there are a few compromises made. For example, you cannot have valid cards in the path, because that wouldn't be... That's just impossible to match fast enough. So what it does, basically, is that when you run user access, x.y.z, it begins to slice those off and checks whether you have those basically in a preloaded array. So the only thing that's slower than the current one is because it needs to do the shrink slicing and it needs to run a few iterations, but it's not horrible. As I say, it's, of course, slower than the current user access function, because the current user access function, once you have run it over a user, basically, one is set function. So this necessarily needs to be slower, but within that frame we have found what we think is the fastest possible solution, and I think it's going to be fast enough. And the reality here is that, yes, user access by default is very fast, but the moment you have problems with user access, right now the only thing you can do is to resort hacks, and those are going to be slower. So instead we have a better solution at the little performance price. Salis? Is there some logging or auditing? Like, can you, a week after something has been changed, look up who changed what? We haven't yet sort of auditing an audit log to this. That's a very good question, I must admit, but I don't think that would be too hard. I mean, I would imagine that if you have a site which needs an audit log, that probably needs to be much more than just the user than the user edit actions. If you have such a site, then you probably need a full audit log about many things, which, of course, immediately begins to trail into the things where we want more of Drupal to be API driven so that you can hook into these things and make such an audit possible. More questions? Yes? Sorry, I didn't hear the question. Let me come up to you. Sorry. Is it also in your VIA frame slide? Yeah, I will. Basically, the question is that how does this wireframe solve the problem of the discovering permissions? That was your question, right? As you can see, it shows the top-level permissions and under the top-level permissions, you can see immediately every single one. So, instead of having a tree where you need to open every level to see below it, in here, you only need to open up the top-level, which for user module there are like four. So, this wireframe, this idea gives you a pretty good visibility without drowning the screen with 5,000 checkboxes. There needs... It's an untrivial exercise, right? If you want to show everything, it's not gonna work. Because with this system, there are certainly gonna be even for medium size, probably a couple of thousand different permissions possible. So, you cannot really show every single one of them at the same time, and yet you want to show as many as possible, which is how we came up with this type of thing where you see, where you click on the top-level and then you see each level side-by-side and you can pick by checkboxes on them. That's pretty much about that. I guess live demo would work better, but we only have a live demo for previous iterations, so I can't really show this right now. I only have wireframes. We still have time for... We still have a few more minutes, not much, but any more questions? Describe some of the hacks. So, hacks that you've seen... Yeah, so for example, right now if you need a field level, if you need to grant added access to a field, you need to install a contrap which will give you the possibility to generate a permission to actually to be able to grant added access to it. Now, the discoverability of this is plain horrible. It's absolutely untrivial that you install the field permission module. You need to go to the field UI screen for that field, generate the permission, and then you cannot do it. It's not gonna exist for every field because with the current UI that will be that. If you would have all the possible permissions for every field that you have. So, that's one thing that the system solves because of this hierarchy thing and this wireframe solves it because instead of showing edit, create, update, and so on, permissions for every single one, you need to list them once you have besides the content types that's probably how it's gonna work or the field names, so you only have the number of fields the permissions that the field permission module wants to work. So, it's basically n plus m instead of n times m. That's why particular wireframe works a lot better than the current one. So, you're envisioning this as being part of poorer field level access? Absolutely. It's pretty easy. Right now core already basically has the mechanism for it. The field access system itself is in core already. The field permission system to actually put a life into it because core produces hooks for field permissions currently, which are not implemented by anything. The title of the talk also mentions node access control. Ken Rickert was supposed to do that but he have merged that into his workflow talk. We very deliberately have chosen users instead of nodes because we are definitely not going there. That's basically a different bag of heart. When is that talk? I have no idea. It's editorial workflow talk. You can find it under that name. Well, thanks everybody for attending. If we do not have anything scheduled then I think I'm going to hijack this time and talk about things that I wasn't ready to go public yet but I think even half baked they are interesting enough to begin talking about them. So that's not a problem. That's not a problem. At some point I need to begin to ask the community what you guys think and why not now. I have it written down. I don't have slides. I have had it written down for quite some time. Some of you might have remembered that I have created a blog post whether it was time to talk but the consensus was that not. At some point I had a document ready which I have discussed with a few prominent contributors about what could be done. I have tentatively named this jury. Oh. Well, they are not slides as such but let me see what I can do about that. Yeah. Well. Oh, good. We have something here so let me switch my laptop screen as well. I presume it does. I presume I don't need to. That doesn't stop me from doing it, right? Figuring out you takes so much more time than doing it. Ah, okay. Let me try that. It's not Ubuntu in the first place, by the way. No. I'm using KD. This didn't work, okay. Let me redo this. Yeah, I'm trying to fix that but I'm going to talk while I'm doing it. There is a meta framework talk. There is a framework thread where we were talking about how to make it more yeah. It's gonna be enough. I am going to move this into a separate window and resize it until it works. That's not gonna be a big problem. Okay. That's good enough. So, and in that thread somebody said that there are a lot of smelly fruits. There are a lot of very low hanging fruits, which I said that probably that should be called durian and so this one is about, that's why it's called durian. So, what we are going, what I was planning to do here better. So, I was planning to use the CMI style config files where we are storing config files in the database as well. You must be familiar with this if you were following the CMI threads on groupsreport.org. Now, the biggest change that I was planning to do is that right now we are struggling with rebuilding various registries because there's a chicken egg problem here. You need to have a working Drupal to fire those info hooks, but in order to have a working Drupal, you need to have those registries rebuilt already. We are desperately coding around this by changing the order various things are rebuilt and it's much works right now by applying a lot of preying and duct tape. Instead, what we could do is to switch part of it into static parsing. So, have a rebuilt phase where you run a rebuilt script which loads every file based on extensions and parses out things. So, this means that Drupal wouldn't run there, so the chicken egg problem is solved. Now, the other big change I wanted to do is that the hook implementations got a naming schema where it is absolutely trivial that they are hooks. So, there is already an issue about it where we want to change the separator from a simple underscore to underscore hook underscore, but I was thinking that we should call them actually hooks. So, the function name starts with hook followed by the hook name underscore, you have the module name. Yes. One of the things that this would allow us is to have include files implement hooks. Right now we have a module called system module which is just an abomination because it implements a lot of things it's basically like a potpory, it implements so called hooks for everything basically because include files just cannot implement hooks. This would solve it, right? Because we have a parsing script it would parse out includes as well without knowing anything you do not actually need to write existing module name after the hook name it doesn't matter what you write after it you can write after it say include or whatever is just gonna work now. Oh sure of course as long as you namespace it so that there are no collisions, why not? I can see in region why that wouldn't be possible. You can have such a problem right now as well, right? It's pretty much voluntarily namespacing right now. What's nicer with this concept is because you have a parser instead of including them you could get an error instead of just ph fataling out because you have defined a function named two times. So actually we could handle that much nicer. Yeah hmm hook implementations with the various iterations of the form API we have found that it is very handy to have a form state object, well it's not an object it's an array, but that's a semantics so I'm going to call it an object I don't care about whether it's an array or an object so have a hook state object that you hand to every hook implementation and it is going to record basically whatever we want but what we want most of all is what hooks have fired already and what hook implementations fired already and which one are going to fire with this what we could do is to get rid of altars and just make every hook operate much like altars right now because what you could do is that if you have a module which currently wants to alter a form structure it wants to alter something in a form structure that was added by toxinomi module then you could just look at the hook state whether toxinomi has already fired if it didn't yet then tell the system that you want to fire later yes, yes move yourself that you want to fire again obviously we need some watchdog there so that two modules fighting each other cannot trigger an infinite loop but yeah, basically after like I don't know like 20 iterations going over the list just trigger an exception that's very easy to solve because you still have module invoke right so that's good another thing so this would immediately solve a huge bunch of issues if you are following the bug report where we are trying to solve the problem where if you have multiple altars firing which of course the worst case is forms because now you have the form ID specific alter firing you have the base specific alter firing and you have the generic alter firing then ordering that which module fires when is a downright nightmare we could get rid of that because modules can decide dynamically who wants to fire when you don't need to do waiting you don't need to do module implement alter nothing of this is necessary you just look at it whether the module you want to alter have already fired or not easy very easy and this is literally a bug that within the current system you just can't solve because whatever solution you pick it's gonna be an ordering that doesn't work for some use case my solution on the idea hand because it's dynamic and it's actually going to work for every case because you just decide the front time what you want to do so that's good next thing to loosen up the wall without changing it too much we have a problem where as any module can call any other module as it wants there is basically and this creates a lot of problems whereas we need to load everything when we have tried to split up Drupal in 6 into includes files it turns out to be more or less impossible because people were just calling across modules pretty much 100 so what you can do is that if you want to provide an api then provide it in a class even if it's just a function you can create a class with a single static function because a class can be auto-loaded I can't have the PHP sub-brain that you cannot auto-load functions you can auto-load classes so you can do that and once again we have the pre-parcer which are going to find every class and store them and right now we have the problem whereas we have the pre-database stage and we have the pulse-database stage and we pretty much need to operate separate registers for that we won't need to do that because we can store these pre-parced things in simply a config file on the desk so that's there is parsing scripts or somehow invoked there is nothing somehow invoked you invoke it yes more or less there are many ways to do this one way so ideally the way things would be easiest to be honest is that if you don't need a module then you delete it and reparse if you want to install a module you copy it in place and reparse which means that how do you install a module? there are two ways one is that you use the Drupal built-in module installer which already exists in 7 it's not a new thing it's actually going to get a module browser as well I have seen there was a GSoc project for that that's one way the other way is that you have command line and you use drush already right? there are no other ways I'm not going to support the case where you have FTP of stuff that's deprecated that's just deprecated if you do that it's your problem basically how you reparse because at that point we begin to delve into the problem where it is not sure whether the web server is able to write the disk the install system in 7 solve this problem that's what the big thing is in 7 about that so I'm just basically not going to solve that problem twice there's no point in that and so and the last thing I want to say here about although I have a lot more listed here I don't want really to go into every single piece of this is that we really want and that's basically just a footnote much smaller than this but it's very important that we really need to get rid of the current pager system where it actually counts how many items you have for a given query and use something like google does do a google search what you are going to see is you have 1 to 10 and then you have an error google is not going to give you because google tells you that there are approximately 3 million or 100 million results it's not going to give you a precise number in the first place it's definitely not going to show a last link where you can jump to the page number 1 million 25 it's not doing that because it's a performance killer so what we could do what we should do is that we should kill this sort of paging and just give you an opportunity to page more and more in by the way I don't know whether you have seen statistics nobody pages in that's basically nobody so there is no point in doing those to be honest the number of clicks past page 1 drops so fast that they become a statistic anomaly very very quickly so these are some of the big changes in dropol and when I have looked at how dropol is currently handled I have found that it would be next impossible to introduce these changes because with the testing system and our procedures right now you would need to convert for example every single hook in one patch to this which borders impossible what we have come to is that since we have talked about procedures a lot so some solutions that we might want to introduce as timing big patches actually there is now some of the big I think that the rename everything into a course of directory is scheduled already November 3 I think I wasn't following enough apparently so it's actually scheduled for November 1 so that you don't need to endlessly reroll once the community reached an agreement that this is going to be a good idea you know when you need to get rerolled by the other thing that we were talking about is that for example we were doing with Peter where we wanted Peter parts hook menu into hook router hook tabs save your links separately and there we have stopped because we weren't able to come up with good ideas about what do you do about local actions and contextual links which have been grafted on the poor hook menu in 7 what we would do what we could do we could comment out tests we could comment out failing tests commit the big change open criticals for those failing tests which along with the gates would mean that if there were so many failing tests that we go over 15 then we first need to fix those but still you could get in a large change without doing all of core in one step because with the current title coupled Drupal there's just too much work so these are some process changes which were somewhat triggered by this because the problem is that Drupal has became something that with the current let's do a patch method is not easily fixable anymore you will hear probably about some of Larry's plans which are not a bit distinct from mine because what I am planning to do here if you watch this it's fundamentally still going to be Drupal I'm not changing over to another pattern of things I'm just drawing some conclusions about several versions of Drupal that we were working on and try to do something a little bit better while while loosening the very tight coupling of Drupal which basically causes the most problems so for example if you want to unit task invocation you can mock the hook state object and just call a single implementations because it only depends on the hook state object and the data structure it gets it is not going to depend on every other module that actually that data structure so these changes are moving into a much looser coupled state so Jennifer yes well if you do that then you basically need to initiate the same sequence as you would do if you would use the installer and at that point the question why are you not using the installer let me tell you why yes