Phosphorus Five 7 released

Boy do I have something to show you! Lately I have completely rewritten the CSS structure of Micro, and I have created 7 new “skins”, hopefully making everybody satisfied. Below is a screenshot of what your desktop will look like with the “Air” skin.

When you log in to Phosphorus Five for the first time, click the “settings” button (the one with the “cog” symbol) and select your favourite skin, and all apps in Phosphorus Five will use your selected skin. Below you can see what Camphora Five looks like with the “Aztec” skin.

The structure of Micro CSS has been completely rewritten, and with only ~3KB of CSS (minified and GZip’ed), it allows for some pretty stunning effects, due to intelligent use of some cutting edge CSS technologies. In fact, the entire core CSS is the exact same file for all skins, and creating a new skin, completely changing the entire look and feel of the website, simply requires creating a tiny CSS file, overriding a handful of CSS variables. You could probably create a new skin from scratch with 5 lines of code if you wanted to!

Below you can see what “Magic Forrest” looks like when you edit your settings in Sephia Five. Notice how even the checkbox is styled.

This implies that if you’re not satisfied with any of the skins that come out of the box, you can probably create a new one in minutes yourself, by using one of the pre-defined skins as a “template”. Below is a screenshot of Sulphur Five using the “Blues” skin.

This allows you to “rebrand” Phosphorus Five in its entirety, according to your needs, and apply your own colour scheme for it, literally in minutes. In addition, I have also fixed dozens of “CSS bugs” with Micro, such as for instance preventing scrolling on the body when a modal window is open, eliminated the need for custom inline styling when combining buttons with shaded divs, etc. Arguably, Micro CSS is now a completely new CSS framework. Needless to say probably, but obviously it builds upon the “flexbox CSS grid model”.

There are a lot of (I think) intelligent design decisions in the core of Micro now, such as the fact that (almost) everything is relative in size to the font size of your skin. This allows you to change a single pixel value in your CSS skin file, and everything else simply “adjusts automagically”. This makes it very easy to for instance create skins for people who need larger text, etc – In addition to that it makes the skin system highly flexible, yet still easily reused, in all widgets. TabControl, Modal Window, Buttons, etc – They all modify their rendering according to the main font-size of your skin – Except the TreeView, which has static font size (unfortunately), since it relies upon images to render its folder lines. However, even the last point is something I believe I will have a solution for in the future.

Below you can see my favourite skin, and my favourite application; Hyper IDE with the “Air” skin.

Phosphorus Five is hence, as of now, a complete web operating system, and a web application development platform, with an integrated webmail client, file sharing system, web based IDE, and many more apps – And it is easily skinned, allowing for you to easily apply your own colour themes, to fit your existing company profile.

10 years ago, I wrote a business plan called “Gaia Toolbox, the ‘mother of all’ toolboxes for creating web apps” – Nobody can call me a quitter … 😉

Phosphorus Five is Open Source, and you can download it from here

I am looking for partners to help me distribute and sell licenses of the system. You can also test the system online here.


Access control in Phosphorus Five

One of the new features in the latest release of Phosphorus Five I am particularly proud of, is a much more mature access control implementation for users and roles. By default, any “root” account has access to *everything* and any non-root account has access to *nothing*. All accounts can however read from any files and folders in the system, since this is necessary to execute Hyperlambda – But writing to files is only (by default) allowed for root accounts. In addition, any non-root account is by default only allowed to run the “desktop” module. This implies that if you create a non-root user, this user can’t really do anything, unless you explicitly allow the role that the user belongs to to do something.

In addition, especially protected files, such as the “auth.hl” file (which contains users and their settings), in addition to the web.config, are impossible for any non-root account to read from (and of course write to).

Granting access

The easiest way to control access to the system, is to use the Peeples module. This module allows you to create new users, associate a role with these users, and edit existing users. However, and more importantly for this article; It also gives you complete control over access to the entire system as you see fit. Notice, the Peeples module is most easily installed through the “Bazar”, by a root account, and only root accounts can create new users and assign access rights to roles, etc.

If I have a role called for instance “developer”, users belonging to this role do not have write access to anything. In addition your “developers” can read from neither the web.config file, nor the auth.hl file. Neither can they open any modules, or run any “programs” in your system. If you want this role to have access to for instance Hyper IDE, you can assign an authorisation object for that role to “run” Hyper IDE. Below is an example of how you can accomplish this. Hint; Click the “+” button in Peeples at the bottom of your screen to open up this wizard window.

As I click the “Add” button above, I will have allowed my “developer” user to access Hyper IDE. This will create an “access object” looking like the following.

The thing to notice above, is first of all how the role becomes the root node’s name above. For our above example, this is the part that says “developer”. The GUID in the above screenshot, is just an automatically generated ID, which is necessary to be able to later delete a specific access object. Below our “developer” node though, we have a [p5.module.allow] node. This happens to be a specific type of access object, which the URL resolver will use, during loading of our apps and modules. You can see the code for it here if you wish. The [p5.auth.has-access-to-path] event is an integral part to the access control logic, and is implemented in the project “extras/p5.auth”.

The above access control object, will have granted access for our “developer” role, to execute the module in our “/modules/hyper-ide/” folder. Notice, you can also edit your access control objects by hand, since it’s simply a CodeMirror editor, and the access control objects are declared as Hyperlambda. If you do, remember to click the “Save” button afterwards, to have your new access control objects take effect.

Access to the file system

The above access control object will only give your “developer” users execution access to the Hyper IDE module. If you want to, you can also give it access to write to specific files and folders, by using similar logic. This part doesn’t have a GUI, but adding it by hand, by creating an access control object yourself, is quite easily accomplished. You could for instance write something like the following into the access control editor. Notice, you don’t need to give your access control object an ID, since one will be automatically assigned, if you choose to omit it.


The above access control object, would give any “developer” user access to write to any files beneath the folder “/modules/sephia-five/”, allowing him or her to effectively work on Sephia Five. The access control objects are “cascading” in nature, implying that your “developer” users, would also have access to write to for instance the “/modules/sephia-five/foo/bar/” folder for our above example. If you wish to explicitly deny access to some folder beneath your “/modules/sephia-five/” folder, yet still have the developer role being able to write to the Sephia Five folder in general, you could accomplish something like that by combining the above “allow” with the following “deny”.


Notice how we use the “deny” verb, instead of the “allow” verb. You can also allow and deny read access, by exchanging the above “write” verb with “read”. And finally, you can grant access to all roles, by exchanging the role name “developer” with an asterisk “*”. If you have some module, called for instance “sulphur-five”, which is an actual module in Phosphorus Five, you could grant access to all roles, including the “guest” account, with the following code.


This would of course give access to everyone to your Sulphur Five module, including any random visitor, belonging to the impersonated “guest” account too. If you only want logged in users to be able to access Sulphur Five, you could combine the above with an additional “deny” object, such as the following illustrates.


Since your “deny” has precedence, this would allow all non-guest users (users with a username and a password) to access your Sulphur Five module, while a guest account would have no access to it. Combining multiple access control objects like the above illustrates, basically gives you 100% perfect control over who gets to access both your modules, and your file system.
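The evaluation rules described in this section (a role or “*” match, folders cascading to sub-folders, a matching “deny” beating any “allow”, and the root/non-root defaults), modelled in Python as an added example. It is not Phosphorus Five's own code: the `AccessObject` type, the verb names, the protected-file paths, the “/modules/desktop/” path, the “private” sub-folder and the path normalisation are all assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass

# Files the article says no non-root account may read or write.
# Their locations are assumed for this sketch.
PROTECTED = {"/auth.hl", "/web.config"}


@dataclass(frozen=True)
class AccessObject:
    role: str    # role name, or "*" for every role (including "guest")
    verb: str    # "read", "write" or "module" (names assumed)
    allow: bool  # True = "allow" object, False = "deny" object
    path: str    # folder the object applies to; cascades to sub-folders


def normalise(path: str) -> str:
    """Collapse '..' and duplicate slashes before any prefix comparison."""
    return posixpath.normpath("/" + path.lstrip("/"))


def covers(folder: str, target: str) -> bool:
    """True if target is the folder itself or anything beneath it."""
    folder, target = normalise(folder), normalise(target)
    return target == folder or target.startswith(folder.rstrip("/") + "/")


def has_access(role: str, verb: str, path: str, objects) -> bool:
    if role == "root":
        return True                  # root has access to everything
    target = normalise(path)
    if target in PROTECTED:
        return False                 # closed to every non-root account
    matching = [o for o in objects
                if o.verb == verb and o.role in (role, "*")
                and covers(o.path, target)]
    if any(not o.allow for o in matching):
        return False                 # a matching deny always wins
    if any(o.allow for o in matching):
        return True
    # Defaults from the article: everyone may read, and every non-root
    # account may run the "desktop" module; everything else is closed.
    if verb == "read":
        return True
    return verb == "module" and covers("/modules/desktop/", target)


# Constructed rule set mirroring the article's examples.
RULES = [
    AccessObject("developer", "module", True, "/modules/hyper-ide/"),
    AccessObject("developer", "write", True, "/modules/sephia-five/"),
    AccessObject("developer", "write", False, "/modules/sephia-five/private/"),
    AccessObject("*", "module", True, "/modules/sulphur-five/"),
    AccessObject("guest", "module", False, "/modules/sulphur-five/"),
]
```

Normalising before the prefix test is what keeps a request such as “/modules/sephia-five/../../auth.hl” from inheriting the write grant on “/modules/sephia-five/”, and comparing on a trailing “/” keeps a sibling folder with the same name prefix from matching.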

Extendible access control

The access control logic is actually extendible. This allows you to create your own types of access control objects, and verify access in your own code. The [p5.system.platform.execute-file] event for instance, which will execute some shell script, will check for the existence of access to execute the file you try to execute. If you want users to for instance be able to execute anything within their private “temp” folders as shell scripts, you could use something such as the following.


The above access control object would allow “developer” accounts to execute any shell scripts that exist in their “/temp/” folders. The above example is actually quite relevant too in fact, since Hyper IDE will use the “temp” folder as a cache, while creating scripts it executes, to do stuff such as Git checkins, compilations, etc. Yet again, notice the “allow” verb in the above code.

All in all, I am very proud of how I have implemented access control in Phosphorus Five, which adds more security, to an already very secure system, which has features such as salted hashed passwords, stored such that only “root” accounts have access to them, etc, etc, etc. If you want to play around with Phosphorus Five or Hyper IDE, the easiest way to accomplish that, is to download the latest release of Phosphorus Five, since it also contains Hyper IDE in fact. My next major feature in regards to security, will be to implement brute force password cracking, where the idea for how to do this, actually came from

Brute force password attack prevention (TODO)

Basically, my idea for how to implement this, is to not allow the same username to try more than one login attempt every “n seconds”. Since a brute force password crack, implies trying millions of different passwords, over some time period – Denying the same username to attempt to log in, more than once every 10/20 seconds for instance, would increase the timespan necessary to successfully brute force attack a server, to such an extent, that it would be considered impractical.

Since this is to be implemented on usernames, and not on IP addresses or something similar – This implies that it wouldn’t even matter if a hacker had access to millions of different servers to attempt to crack your system. Sure, he could DOS your system, but he won’t be able to guess your password, using for instance a password dictionary or something similar.
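The per-username throttle described above, sketched in Python as an added example. It is not code from Phosphorus Five (the feature is a TODO in the article); the `UsernameThrottle` class, the injectable clock, the case-insensitive username handling and the `max_entries` bound are assumptions.

```python
import time


class UsernameThrottle:
    """Allow at most one login attempt per username every `interval` seconds."""

    def __init__(self, interval, clock=time.monotonic, max_entries=100_000):
        self.interval = interval
        self.clock = clock              # injectable so the logic can be tested
        self.max_entries = max_entries  # bounds memory if usernames are flooded
        self._last = {}                 # username -> time of last admitted attempt

    def admit(self, username):
        """Call before verifying the password; False means reject unchecked."""
        key = username.strip().lower()  # assumed: usernames are case-insensitive
        now = self.clock()
        last = self._last.get(key)
        if last is not None and now - last < self.interval:
            # Too soon. The window is not extended, so a flood of rejected
            # attempts cannot push the next permitted attempt further away.
            return False
        if key not in self._last and len(self._last) >= self.max_entries:
            self._evict(now)
            if len(self._last) >= self.max_entries:
                return False            # table full of live windows: fail closed
        # Recorded whether or not the account exists, so the throttle does not
        # reveal which usernames are valid.
        self._last[key] = now
        return True

    def _evict(self, now):
        """Drop expired windows; they no longer restrict anyone."""
        self._last = {k: t for k, t in self._last.items()
                      if now - t < self.interval}


def days_to_try(candidates, interval):
    """Wall-clock days needed to submit `candidates` guesses for one username."""
    return candidates * interval / 86_400
```

With a 10 second interval, `days_to_try(1_000_000, 10)` is roughly 116 days for a one-million-entry dictionary against a single account, regardless of how many source addresses the guesses come from.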

Security in your underlying operating system

I want to emphasise that these security measures come in *addition* to the security that is in your underlying operating system, such as for instance Linux/Apache – And that you can also use the underlying operating system’s security features. An example would be to for instance during installation, allow the Apache process write access to the entire “html” folder, and then install all modules you want to install. After this, you could explicitly deny write access to anything except the “/common/” and the “/users/” folders, editing your “apache2.config” file, or changing ownership of these folders using for instance “chown” in Linux.

This would make sure that even if there was a security flaw in Phosphorus Five, it would still be impossible to tamper with anything but the users’ files. All in all, security is like a condom; It’s better with 5 than only 1, and you should use as much of it as you can. Depending upon your needs though, the above might be impractical, especially if you want to set up a “developer server” using Hyper IDE. However, you could also add additional security by explicitly denying access to special modules, while granting access as a whole to the “/modules/” folder. In addition you can also create a special MySQL user, which doesn’t for instance have access to drop tables, create databases, etc, etc, etc – And only use this user to allow Phosphorus Five access to your MySQL instance (after having installed all apps you need, since this will need “create database” access to your MySQL server). In addition, if you’re extremely paranoid, there’s nothing preventing you from installing Phosphorus Five on your company’s intranet, having only access to it through e.g. a VPN client, etc, etc, etc …

Even though I have done my best to implement strong security in Phosphorus Five, you should still use the security features of your underlying operating system. And in fact, the installation script for Phosphorus Five, which you can find here, will add tons of additional security to your underlying Apache/Linux system, such as installing the “uncomplicated fire wall” (ufw), and shutting down everything except port 80, 443 and 22 (SSH), in addition to adding a lot of additional security features, such as denying Apache to serve files in your “/users/x/document/private/” folder, etc, etc, etc. In general, I’d like to echo the words of one of the fathers of Intel, the company …

Only the paranoid survives …

Web Operating Systems, and why you don’t realise you need one

50 years ago, developers used to code directly to the underlying hardware platform. This implied that if they were going to move their applications to another hardware platform, it would require a complete rewrite of every aspect of their own apps. Steve Ballmer was once asked what he thought of HAL from the movie 2001: A Space Odyssey. To which he replied “HAL means Hardware Application Level for us in Microsoft, and is at the core of our ability to make money”. Ignoring the fact that HAL actually means Hardware Abstraction Level, the story implies a crucial historical turning point for software developers.

Before we had “Hardware Abstraction Layers”, we needed to write the same app, for every hardware platform we wanted to support with our app. After “HAL”, we could write our app once, compile it, and run it on a million different platforms. This arguably became the dawning of the “computer age”. In fact, similar arguments were used as the main selling points of both C++ and Java. When it comes to Web Operating Systems, they arguably supply the same function, except at a much higher level. Notice though, I catch myself at “renaming” Phosphorus Five once a month, and tend to sometimes use the category of “web application framework”. However, even though the overlap is obvious, there are some differences.

Phosphorus Five is a “Web Operating System”, and serves as a “host” for your applications, on top of the underlying operating system. This implies that it doesn’t matter if you are developing on a Linux machine, running Phosphorus Five on XSP4, building it on a Mac OSX machine, and deploying it to a Windows IIS web server – It simply works, regardless of where and how you created it, or built it, or choose to run it! When it comes to devices, the same is true. If you have created a Phosphorus Five application (correctly), it’ll run just as well on an iPhone, Android, Tablet, Linux, Windows and Mac OSX computer!

When IBM developers created their apps back in the 50s or 60s, they probably employed dozens of developers, simply to create their “SaveFile()” function. Today we take it for granted that the underlying operating system is capable of saving our files. However, today, as you create web apps, you still need to create some sort of Ajax mapping, between your server and your clients. In Phosphorus Five Ajax is simply solved. Today creating a dynamic C# web application is a nightmare, with Phosphorus it’s simply solved. And if there’s something needed from a lower level than that which Phosphorus Five supplies, no problem! Need to create a PGP encrypted email? No problem. Need a button on your page, that invokes the server when clicked? No problem!


It doesn’t take a rocket scientist to understand that being able to create 4 lines of code, compared to writing 4,000 lines of code, to accomplish the same, makes you more productive. To the extent that I was able to create a fully fledged integrated development environment, with ~3,000 lines of code. If you compare it to the alternatives, I imagine they probably contain tens of thousands of lines of code, if not hundreds of thousands of lines of code – To accomplish the same as Hyper IDE does with 3,000 lines of code.


The reasons are all the things I didn’t have to do! I never had to implement security, simply because it is already a commodity in Phosphorus Five. I didn’t even have to implement a login box, or for that matter a GUI to edit my access right objects. I didn’t have to create a CSS framework, or a modal window, or an Ajax TreeView control either for that matter. I simply needed to figure out which code editor to use at the JavaScript side of things, and wrap it on top of my existing components, from Phosphorus Five, and VOILA! It works!

Maybe you believe this was because Phosphorus Five is geared towards developing IDEs? Well; There’s also a PGP webmail client in there somewhere. There’s also a CRUD app creator in it, etc, etc, etc. Phosphorus Five is at its heart a general purpose web application development framework, and it allows me to create almost anything, up to 1,000 times faster, than anything else out there does – To the extent that the question of whether or not you need a Web Operating System, is arguably condensed down to the following …

Do you want to be 1,000 times more productive?

And that’s really what it’s all about …

Is Phosphorus Five an operating system?

I just had this interesting question from a user, who was asking if Phosphorus Five is an operating system. He proceeded to tell me, that all he wanted to do, was to create web apps, and consume these apps in IIS.

Hence, I feel obliged to answer that question, realising it’ll probably be a frequently asked question – Especially considering I am explicitly labelling it as a “Web Operating System” on its GitHub site. The short answer to that question is as follows; “Errhhhh, I don’t know”

The reason why, is because I have no freakin’ idea about how to categorise P5, since it doesn’t resemble anything out there. At least not anything I have seen before. Below is an excerpt from “the guide”, which is the primary documentation for P5.

Phosphorus Five, also referred to as P5 in this guide, is a lot of different things. It is a simple design pattern, it is an Ajax library, it is a programming language, and it is a framework. Some would also argue that it is a web operating system. What you choose to refer to it as, is really quite irrelevant. The point is that it solves your problems, particularly the ones you’re having, as you try to create rich and interactive web apps.

The short answer is that Phosphorus Five solves your web app problems – Simple and plain. You could refer to it as a collection of libraries. Arguably a framework too. In fact, you could also refer to it as a programming language. However, none of these categories are correct, according to the definition of all of the above mentioned categories.

Hyperlambda for instance, is not technically a programming language, it’s actually simply a file format. P5 is definitely not a framework, since it doesn’t provide the traditional hooks, that frameworks normally supply – Such as abstract base classes and interfaces. Arguably it could be labelled as a bunch of libraries. However, the Active Event design pattern, doesn’t force you to even explicitly link in the assemblies. Hence, even “collection of libraries” is not entirely correct. You could explain it as a design pattern, but design patterns can’t create Ajax widgets – At least none of the ones I know …

For these reasons, I have chosen to categorise it as a “web operating system”, which also is not entirely right BTW – It’s not (entirely) an operating system, since it is installed on top of either Linux, Windows or Mac – Which are pre-existing operating systems. However, from a logical point of view, it solves many of the same problems that a framework, collection of libraries, design pattern, and operating system solve – Therefore, what you like to refer to it as, is up to you I guess. Regardless of what you refer to it as, one thing is certain.

It solves your problems!

In fact, if you wish to refer to it as an Unidentified Flying Object, I couldn’t care less to be honest with you! Simply put, because it solves your problems!

When that is said; Yes, you can use it to create apps you host in IIS, or Apache, or UltiDev. You can also use it to create console applications. If you create your own hosting process, you could also probably easily create Windows Services out of it. Probably have it contain the logic for your COM objects too, if you really dived deep into it. In fact, if washing machines ever had rocket boosters installed onto them, I betcha the controller system will be entirely made from Hyperlambda …

Hopefully that answers your questions about P5. It certainly didn’t answer any of mine though … 😉