Support

So I'm wondering if it is true that isolating front-end functionality from admin-side resources is standard practice for Joomla?

Correct. It's not just standard practice, it's a basic security precaution.

The administrator application runs privileged operations and must not be publicly accessible. Not even its login page, let alone its files. It is meant to be something insulated from the public eye.

The developer of JCB has stated that this type of protection and isolation of functionality between front-end and admin-side is not 'standard' for Joomla components (or Joomla core).

Bollocks. Sorry for the colourful language, I was trying to find a more eloquent phrase but there's nothing that can convey the utter inaneness, absurdity, ludicrousness and fatuousness of that statement.

Let's take a short history lesson of Joomla and static media file security.

Yes, Joomla 1.0 did not do this separation. Joomla 1.0, released in 2005, was based off Mambo 4 first released in 2003. The security landscape was very different two decades ago. Moreover, Mambo was little more than a side project of an Australian web agency which grew very fast and far beyond its original scope. Joomla 1.0 was merely a fork of that under a new name without any new work done on it. It had inherited 4 ½ years of bad decisions.

Joomla 1.5 was actually the first real Joomla release, meaning that it was code that was specifically written by what was then called the Joomla Core Team as opposed to code inherited from a project with many shortcomings. One of the FIRST things the Core Team did was create the media directory so that all static resources would be placed there, one folder per extension. No more loading static resources from the administrator directory UNLESS it's an administrator page — this allows admin–only templates and admin–only modules and components to operate without placing their static assets to the world–readable media folder. We actually do that in Admin Tools 6, only moving static assets to media/com_admintools in Admin Tools 7 for Joomla 4 for reasons which will become clear further below.

Joomla 3 further entrenched the status of the media folder. Now you didn't just have to place your static assets in one directory per extension, the name of the folder was also prescribed in that it has to use the same naming conventions Joomla uses for extensions e.g. com_something, tpl_whatever, mod_example, plg_folder_something and so on.

Joomla 4 fully made use the media folder mandatory for all static files by having the WebAssetsManager look for the assets manifest (joomla.asset.json) in the prescribed, extension–specific folder in the media directory. You have to go way out of your way to do anything different and it's definitely frowned upon.

These facts are FUNDAMENTAL to developing Joomla extensions. You can't possible write extensions without being aware that the media folder has been around since 2007 (yup, two thousand seven, 15 years ago!) and why it exists. Anyone trying to argue the point is a blathering ignoramus, especially now that Joomla 4 is released and has proven beyond any shred of doubt that using the media folder is a REQUIREMENT for Joomla extensions.

I rest my case.

You're welcome!

The funny thing is, reworking the extension is trivial...

Assuming you have a JavaScript file in /media/com_foobar/js/example.min.js the code to include it in Joomla is

Joomla\CMS\HTML\HTMLHelper::_('script', 'com_foobar/example.min.js')

If it's a CSS file the file is /media/com_foobar/css/example.css and the code to include it in Joomla is

Joomla\CMS\HTML\HTMLHelper::_('style', 'com_foobar/example.css')

For images the file is /media/com_foobar/images/example.jpg and the code to include it in Joomla is

echo Joomla\CMS\HTML\HTMLHelper::_('image', 'com_foobar/example.jpg', 'Alt attribute content here')

The js, css and images subfolders are prescribed i.e. they cannot be changed. They are also standard.

Given a template /templates/foobar you can also override these static media files in the folders:

/templates/foobar/media/com_foobar/js/example.min.js

/templates/foobar/media/com_foobar/css/example.css

/templates/foobar/media/com_foobar/images/example.jpg

That's the other two reason why using the Joomla core makes more sense than going full cowboy: i. it's far less and more standardised code; ii. it supports template media overrides. The latter are a massive hidden feature of Joomla. You can ship an extension with CSS (and its SCSS or LESS sources if that's your jam) and your client can completely override it to match their template. Compare that to the Joomla 1.0 way of doing things: load the extension's CSS then load yet another complex file to override the extension's CSS. Lunacy! Joomla 1.5 restored sanity 15 years ago. Why would anyone in their right mind go back to the lunacy of the Joomla 1.0 way once they have found out there's a better way is beyond me. If they have not figured out there's a better way in 15 years... I can understand 1 year, 3 years, maybe 5 years. But 15?!