Yesterday I had a chance to start poking around Joomla, as one of my customers was moving his site to it. I have to say, I'm impressed. From a development perspective, Joomla is really an extensible framework that offers a clean MVC PHP library, and a CMS with lots of pre-built modules to go with it.
There's only one minor catch - the docs really only appear to cover version 1.5. Which means that, when I needed to build a custom component in a version 1.0 environment, there wasn't exactly a clear how-to to refer to.
So here are some dev tips I've picked up while trying to work with a 1.0 based system. Hopefully, they can save you some time if you end up in a similar situation.
- The best example of a 1.0 component I could find was here. The good news is that a 1.0 component is more straightforward to implement than a 1.5 one. There's no framework to mess with - just create a top-level PHP file that will kick off the entire process and name it appropriately. That is, if you have the foo component you'll want to create: foo.php and foo.xml (more about the XML in a second). You can, if you want, put these items in a zip file and use the installer to install them, or just push them via FTP to the directory: [Joomla root]/components/com_foo/.
- The docs mention it, but it's worth mentioning again: _JEXEC is not defined in version 1.0. If you include:
defined( '_JEXEC' ) or die( 'Restricted access' );
you'll always get a Restricted access message. You want to start your scripts with:
defined( '_VALID_MOS' ) or die( 'Restricted access' );
- The variable $task is automagically available to you in your top level script.
- If you want your component to add custom CSS files to the page, or JavaScript tags in the head component, you can do the following from anywhere in your code:
$mainframe->addCustomHeadTag( "<link type='text/css' ...>" ); ...
$mainframe is another magic variable. Don't forget to use global to get at it from inside a function.
- To have your component break out of the page structure and return back a different content type, you can do:
header('Content-Type: text/xml');
echo "<?xml version='1.0' ?>";
... more echo statements...
exit();
This seems like the wrong way to do this. But, from [Joomla root]/includes/feedcreator.class.php, it appears that's how it's done.
- I had a bunch of trouble finding the format description of a 1.0 xml package description. Turns out, this page has one. Note that the format is very close to the 1.5 format, but uses the outer tags: <mosinstall type='component'> ...</mosinstall>.
- I find the 1.0.11 user manual to be relatively helpful. And I found the best source of components to examine to be in the Joomla source tree under /components.
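A minimal 1.0 entry script that puts the tips above together, as an added example (not code from this post or from Joomla itself). The component name foo, the functions fooShowPage and fooSendXml, the foo.css path and the task values are hypothetical, and it assumes $task holds the task parameter of the request:

```php
<?php
// [Joomla root]/components/com_foo/foo.php
// Added example for a hypothetical "foo" component on Joomla 1.0.
// Joomla's entry script defines _VALID_MOS before including this file;
// a direct request to this file's URL stops on the next line.
defined( '_VALID_MOS' ) or die( 'Restricted access' );

// Normal page view: add a stylesheet to <head>, then print the body.
function fooShowPage() {
    global $mainframe; // magic variable, only reachable in a function via global
    $mainframe->addCustomHeadTag(
        "<link type='text/css' rel='stylesheet' href='components/com_foo/foo.css' />" );
    echo '<div class="foo">Hello from com_foo</div>';
}

// XML view: break out of the page template, escaping every echoed value.
function fooSendXml() {
    $items = array( 'first <item>', 'second & last' ); // constructed sample data
    header( 'Content-Type: text/xml' );
    echo "<?xml version='1.0' ?>\n<items>\n";
    foreach ( $items as $item ) {
        echo '  <item>' . htmlspecialchars( $item, ENT_QUOTES ) . "</item>\n";
    }
    echo "</items>\n";
    exit();
}

// Assumption: $task is taken from the request. Map it onto a fixed handler
// table instead of using it to build a function or file name.
$handlers = array( 'view' => 'fooShowPage', 'feed' => 'fooSendXml' );
$handler  = ( isset( $task ) && is_string( $task ) && isset( $handlers[$task] ) )
    ? $handlers[$task]
    : 'fooShowPage';
call_user_func( $handler );
```

Run directly with the PHP CLI, the script prints only Restricted access, which is the behaviour the guard is there to produce.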
Happy 1.0 Hacking!
Honestly, I think the words "Joomla" and "clean" should never be used in the same sentence.
We've used it before and it's a security nightmare. Most of the code is very messy. You say MVC, but what I remember from back when we used it is that it mixed presentation and logic in its templates pretty freely. No MVC in sight! Afaik its HTML output is pretty rigid (often using tables for layout) and hard to style using CSS.
Just my $0.02
Peter -
What you're describing sounds like what I saw for 1.0.
For 1.5, the docs at least, paint a significantly different picture.
Have you played around with 1.5 at all?
No, I haven't really looked at version 1.5 yet and I don't intend to, really.
Your description of the "defined(_JEXEC) or die()" check is a good example of why. If everything really was done purely with clean templating separating the logic out, and putting just classes in non-template PHP files, this is totally unnecessary. If only a class definition is loaded, that can do no harm when you request it directly - same for a template with no logic and just variables that get filled in.
Things like this are what I remember from back in the day with 1.0 - the Joomla people seem to be pretty clueless about security in general (just follow any security newsfeed for a bit and you'll know). I'd be surprised if that suddenly turned 180 degrees, so I'm not touching this CMS with a 10 foot pole.
I certainly don't want to get into the position of defending Joomla, as I know so little about the system...but...
defined(_JEXEC) or die()
Seems like a necessary evil with PHP, where every script can run if an attacker knows the URL to do so.
From this hello world component, it looks like the API is relatively clean.
But again, what the heck do I know...