Joomla 1.6 ACL - J and Beyond 2011 #jab11

Joomla! 1.6 ACL
Sander Potjer
@sanderpotjer

Sander Potjer
• Co-founder of JoomlaCommunity.eu

• Organizer Joomla!Days Netherlands

• Organizer Joomla! User Groups in The Netherlands

• Company: Sander Potjer Webdesign

• Yireo/Jira ICT

• Student Architecture

It took a while...
DrupalCon, October 2005
Johan Janssens

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

ACL?!
• ACL = Access Control List

• Access to parts of the website
– e.g. menu / module visibility
– “view” action

• User actions on objects
– e.g. create / edit / delete article

ACL in Joomla! 1.5 & 1.6 (Access)

• 7 fixed Groups • Unlimited Groups
– Public, Registered, Author, Editor, – user-defined
Publisher, Manager, Administrator – not hierarchical
and Super-Administrator
– Hierarchical structure

• User can be assigned to • User can be assigned to
one group multiple groups

ACL in Joomla! 1.5 & 1.6 (Access)

• 3 fixed Access Levels • Unlimited Access Levels
– Public, Registered and Special – user-defined

• Fixed relation between • Any combination of
Groups and Access Levels Groups can be assigned
to any Access Level

ACL in Joomla! 1.5 & 1.6 (Actions)

• Fixed Actions per group
– Create / edit / delete /
admin access / etc.

• Permission scope for
entire site
– Same permission for all objects

• Permission inheritance
not applicable
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html


• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html


• Fixed Actions per group • User defined Actions per
– Create / edit / delete / group
admin access / etc. – Create / edit / delete / admin
access / etc.
• Permission scope for • Permission scope at
entire site multiple levels
– Same permission for all objects – Site, Component, Category,
Object

• Permission inheritance • Permission can be
not applicable inherited
– from parent Groups and parent
Categories

Joomla 1.6 ACL Overview

• http://community.joomla.org/blogs/community/1252-16-acl.html

Joomla 1.6 ACL: User
• Guest is also a
user

• Users can be
assigned to one or
several groups

Joomla 1.6 ACL: Permissions
• Assigned to group (not to a user!)

• 9 Actions
– Site Login
– Admin Login
– Super Admin
– Access Component
– Create
– Delete
– Edit
– Edit State
– Edit Own

Joomla 1.6 ACL: Groups

• Users with same permissions

• User can be in multiple groups

• Inherit permissions from
parent groups

• Unlimited (sub-)groups

• Keep it simple! Only use
nested groups if needed

Joomla 1.6 ACL: Access Level

• Which group can view
what (article, menu,
module, etc.)

• Permissions are not
inherited between
Access Levels

• Even Super Users can
not view content on
frontend

How Permissions work

• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

• Not set
– ‘soft’ deny
– can be overridden by ‘Allowed’ or ‘Denied’

• Inherited
– value from a parent permission level
– value from a parent user group
– can be overridden by ‘Allowed’ or ‘Denied’

• Allowed
– action for current permission level and lower levels
– action for current user group and child groups
– can be overridden by ‘Denied’

• Denied
– action for current permission level and lower levels
– action for current user group and child groups
– can’t be overridden at all
– always win!

Permission Hierarchy Levels

• Level 1: Global configuration
– default permissions settings for actions for a group

Permissions: Global Configuration (Level 1)


• Level 2: Component Options
– can override the permissions of Level 1

Permissions: Component Options (Level 2)


• Level 3: Category
– can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc...)

Permissions: Category (Level 3)


• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for articles in Joomla 1.6 core

• Level 4: Item

• Level 4: Item
• Override permissions of higher levels only works
if permission setting is not ‘Denied’!

Inheriting example for ‘Create’ action

Level 1

Level 2

Level 3

Level 4

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Available Permissions and Levels
for a Group of Users

ACL Manager for Joomla! 1.6

www.aclmanager.net

Debug Permissions

• Turn on the ‘Debug System’ in the
Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User
or User Group

Debug Permissions
• Need to turn ‘Debug System’ on...

Describe the problem
• Most of the website is public available, specific
content only for a group of users (e.g. teachers &
students)

• A teacher can see content specifically for teachers, all
student content and all public content

• Students can see content specifically for students and
all public content

Viewing or action problem?
• Define the problem, is it a viewing problem or action
problem (create/delete/edit/etc..)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Think ahead! Maintenance?
• Structure your content properly to handle the
permissions

• Make usage of parent categories with nested
categories with same permissions

• No need to set permissions per article

User in multiple groups
• The Netherlands
– Allowed on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category
• Belgium
– Allowed on edit ‘Belgium’ category
– Denied on edit ‘The Netherlands’ category
• User in The Netherlands & Belgium group
– Denied on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category
– Denied always win (again)
– Solution: don’t use denied but not set/inherited (=soft deny)

What if I locked myself out? :-)

What if I locked myself out? :-)
• No need to access your database

• Open your configuration.php and add:
– public $root_user = 'username';

• You can login again and perform all actions

• Great for playing around with the new ACL

• Don’t forget to remove the $root_user line!

ACL Tips

• Write down your ACL requirements for a website
before implementing

• Joomla 1.5 User Groups are for backward
compatibility in Joomla 1.6, you may remove them!

• Use multi-nested Groups only if needed / know what
you are doing
(so inheriting value only between levels, not groups as well)

ACL Tips

• Assign User Group with backend access to a Viewing
Access Level

• Keep flexible for lower permission levels/groups:
Avoid the ‘Denied’ permission setting as long as possible

• Idea: Make a Group for each Action so you can assign
actions directly to a user

Main suggestions

• View as action

• END user friendly interface

• Easy overview of your entire website

• Changes directly visible (no page reload)

• ...

Joomla! ACL:
Good start, it is working but needs
improvements for wide adoption by
the Joomla community

Resources
• http://www.yireo.com/tutorials/joomla/joomla-administration/402-joomla-16-
acls-1-marketing-group
• http://community.joomla.org/blogs/community/1252-16-acl.html
• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-
permissions-in-joomla-16.html
• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-
access-controls.html
• http://www.aclmanager.net

Joomla 1.6 ACL - J and Beyond 2011 #jab11

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Joomla 1.6 ACL - J and Beyond 2011 #jab11

Similar to Joomla 1.6 ACL - J and Beyond 2011 #jab11 (20)

More from Sander Potjer

More from Sander Potjer (20)

Recently uploaded

Recently uploaded (20)

Joomla 1.6 ACL - J and Beyond 2011 #jab11