feat: access.xml ACL permission configuration #95

New Issue

Closed

opened 2026-06-29 14:05:21 +00:00 by jmiller · 3 comments

jmiller commented 2026-06-29 14:05:21 +00:00

Owner

Copy Link

Copy Source

Summary

The component has no access.xml file defining Joomla ACL permissions. Without it, the component relies only on core permissions and cannot define component-specific actions.

Proposed permissions

<?xml version="1.0" encoding="UTF-8"?>
<access component="com_mokoog">
    <section name="component">
        <action name="core.admin" title="JACTION_ADMIN" />
        <action name="core.manage" title="JACTION_MANAGE" />
        <action name="core.create" title="JACTION_CREATE" />
        <action name="core.delete" title="JACTION_DELETE" />
        <action name="core.edit" title="JACTION_EDIT" />
        <action name="core.edit.state" title="JACTION_EDITSTATE" />
        <action name="mokoog.batch" title="COM_MOKOOG_ACTION_BATCH" />
        <action name="mokoog.import" title="COM_MOKOOG_ACTION_IMPORT" />
    </section>
</access>

Files

• Create: source/packages/com_mokoog/access.xml
• Update: source/packages/com_mokoog/mokoog.xml — ensure manifest references access.xml
• Add language strings for custom actions

Acceptance Criteria

• access.xml exists with standard + custom actions
• Component manifest references access file
• Permissions tab appears in component Options
• Batch and Import/Export controllers check appropriate permissions

## Summary The component has no `access.xml` file defining Joomla ACL permissions. Without it, the component relies only on core permissions and cannot define component-specific actions. ## Proposed permissions ```xml <?xml version="1.0" encoding="UTF-8"?> <access component="com_mokoog"> <section name="component"> <action name="core.admin" title="JACTION_ADMIN" /> <action name="core.manage" title="JACTION_MANAGE" /> <action name="core.create" title="JACTION_CREATE" /> <action name="core.delete" title="JACTION_DELETE" /> <action name="core.edit" title="JACTION_EDIT" /> <action name="core.edit.state" title="JACTION_EDITSTATE" /> <action name="mokoog.batch" title="COM_MOKOOG_ACTION_BATCH" /> <action name="mokoog.import" title="COM_MOKOOG_ACTION_IMPORT" /> </section> </access> ``` ## Files - Create: `source/packages/com_mokoog/access.xml` - Update: `source/packages/com_mokoog/mokoog.xml` — ensure manifest references access.xml - Add language strings for custom actions ## Acceptance Criteria - [ ] `access.xml` exists with standard + custom actions - [ ] Component manifest references access file - [ ] Permissions tab appears in component Options - [ ] Batch and Import/Export controllers check appropriate permissions

jmiller commented 2026-06-29 14:05:23 +00:00

Author

Owner

Copy Link

Copy Source

Branch created: feature/95-feat-access-xml-acl-permission-configura

git fetch origin
git checkout feature/95-feat-access-xml-acl-permission-configura

Branch created: [`feature/95-feat-access-xml-acl-permission-configura`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteOpenGraph/src/branch/feature/95-feat-access-xml-acl-permission-configura) ```bash git fetch origin git checkout feature/95-feat-access-xml-acl-permission-configura ```

jmiller commented 2026-06-29 14:18:30 +00:00

Author

Owner

Copy Link

Copy Source

Status: confirmed NOT done (audit of current dev). source/packages/com_mokoog/access.xml does not exist; mokoog.xml defines no custom actions; controllers check only core permissions (BatchController → core.create; ImportExportController → core.manage/core.create/core.edit).

Scope addition: the component also ships no config.xml, yet HtmlView::addToolbar() renders a ToolbarHelper::preferences('com_mokoog') Options button — which opens an empty/broken Options modal. This issue should also cover adding a config.xml (or removing the Options button). Both access.xml and config.xml are needed for the Permissions and Options tabs to function.

**Status: confirmed NOT done** (audit of current `dev`). `source/packages/com_mokoog/access.xml` does not exist; `mokoog.xml` defines no custom actions; controllers check only core permissions (`BatchController` → `core.create`; `ImportExportController` → `core.manage`/`core.create`/`core.edit`). **Scope addition:** the component also ships **no `config.xml`**, yet `HtmlView::addToolbar()` renders a `ToolbarHelper::preferences('com_mokoog')` Options button — which opens an **empty/broken Options modal**. This issue should also cover adding a `config.xml` (or removing the Options button). Both `access.xml` and `config.xml` are needed for the Permissions and Options tabs to function.

jmiller referenced this issue 2026-06-29 14:19:19 +00:00

AI meta-generation AJAX endpoint lacks ACL check and HTTP error handling #99

jmiller referenced this issue from a commit 2026-06-29 15:26:05 +00:00

fix: features & quality batch (#95, #103, #104, #107)

jmiller referenced a pull request that will close this issue 2026-06-29 15:26:28 +00:00

fix: features &amp; quality — access.xml/config.xml, CSV import UI, dead-code/leak, packaging (#95 #103 #104 #107) #111

jmiller closed this issue 2026-06-29 15:26:42 +00:00

jmiller referenced this issue from a commit 2026-06-29 15:26:42 +00:00

Merge pull request 'fix: features &amp; quality — access.xml/config.xml, CSV import UI, dead-code/leak, packaging (#95 #103 #104 #107)' (#111) from fix/features-quality-batch into dev

jmiller commented 2026-06-29 15:26:58 +00:00

Author

Owner

Copy Link

Copy Source

Fixed in PR #111 (merged to dev). Added access.xml (core actions + custom mokoog.batch/mokoog.import) and config.xml (Permissions tab + a note pointing OG/SEO settings to the system plugin); both declared in the manifest. BatchController/ImportExportController now authorise the custom actions with a fallback to the prior core checks (no lockout). Closing.

Fixed in PR #111 (merged to `dev`). Added `access.xml` (core actions + custom `mokoog.batch`/`mokoog.import`) and `config.xml` (Permissions tab + a note pointing OG/SEO settings to the system plugin); both declared in the manifest. `BatchController`/`ImportExportController` now authorise the custom actions with a fallback to the prior core checks (no lockout). Closing.

jmiller referenced this issue 2026-06-29 16:00:44 +00:00

docs: CHANGELOG + README for the current development cycle #114

jmiller referenced this issue 2026-06-29 16:26:51 +00:00

Release: promote dev → main (dashboard, edit UI, ACL, security &amp; forward-compat) #115

Sign in to join this conversation.

Labels

Clear labels

bug

Something is broken

documentation

Documentation improvements

enhancement

production-readiness

Required before v1.0 release

security

Security vulnerability or hardening

testing

Test coverage and QA

No labels

Priority Medium

Type Feature

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteOpenGraph#95