A couple of days ago we released a new version of Habari. I think this release is particularly exciting, not just because of the more than 1000 improvements and bug fixes, but because of the main new feature it includes: Access Control Lists (ACL).

The ACL system gives plugin developers an extensible foundation for controlling who has access to things in a Habari installation, based on group membership. Here "access" means control over read, write, edit, and delete privileges, and "things" means, well, anything you can think of: posts, admin pages, tags, users, content types, anything.

A default installation has three groups: admin, authenticated, and anonymous. The user that's created when you install Habari is put into the admin group, and has superuser privileges; they can do anything. If new users are created, they get put in the authenticated group. Anyone accessing Habari without signing in is in the anonymous group. Of course, new groups can also be created. There are a bunch of pre-defined access tokens that can be assigned to groups. Here are a few of them, as shown on a group page.

permissions-eg.png

On top of the default tokens, plugins can add their own. For example, the simple private posts plugin that's now bundled with Habari creates a 'private' token, which can be used to restrict access to posts to people in groups with that token.

ACL::create_token('private','Permissions on posts marked as "private"');

With this code, there's an extra permission that can be assigned to groups.

private-permission.png

The plugin also adds a checkbox to the publish page to mark a post private. Incredibly simple.

Without the ACL, the registration plugin just wouldn't have been possible. Users can now sign up to a Habari blog and be put in a group, with associated permissions. What group? Again, anything you can think of. Maybe they could rate posts, or mod comments, or write posts.

With the ACL, and Habari's support for content types, the possibilities are limited only by imagination. An author group with write but not publish permissions and an editor group with publish permissions and you've got a simple workflow. A wikipage content type and an editor group that can create and edit them, along with the registration plugin, and you've got a simple wiki. Hopefully you get the idea.

Owen has written a good overview of how Habari's ACL system works internally, if you want to get into the nitty-gritty.