Joomla 1.6 ACL - J and Beyond 2011 #jab11

@sanderpotjer

Joomla! 1.6 ACLSander Potjer

http://twitter.com/sanderpotjer

http://twitter.com/sanderpotjer

Sander Potjer• Co-founder of JoomlaCommunity.eu

• Organizer Joomla!Days Netherlands

• Organizer Joomla! User Groups in The Netherlands

• Company: Sander Potjer Webdesign

• Yireo/Jira ICT

• Student Architecture

Joomla! 1.6 ACL

It took a while...

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

DrupalCon, October 2005Johan Janssens

http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation


• ACL = Access Control List

• Access to parts of the website– e.g. menu / module visibility– “view” action

• User actions on objects– e.g. create / edit / delete article

ACL?!

• 7 fixed Groups– Public, Registered, Author, Editor,

Publisher, Manager, Administrator and Super-Administrator

– Hierarchical structure

• User can be assigned to one group

• Unlimited Groups– user-defined– not hierarchical

• User can be assigned to multiple groups

ACL in Joomla! 1.5 & 1.6 (Access)

• 3 fixed Access Levels– Public, Registered and Special

• Fixed relation between Groups and Access Levels

• Unlimited Access Levels– user-defined

• Any combination of Groups can be assigned to any Access Level

ACL in Joomla! 1.5 & 1.6 (Access)

ACL in Joomla! 1.5 & 1.6 (Actions)

• Fixed Actions per group– Create / edit / delete /

admin access / etc.

• Permission scope for entire site– Same permission for all objects

• Permission inheritance not applicable

• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html




• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html



• Fixed Actions per group– Create / edit / delete /

admin access / etc.

• Permission scope for entire site– Same permission for all objects

• Permission inheritance not applicable

• User defined Actions per group

– Create / edit / delete / admin access / etc.

• Permission scope at multiple levels

– Site, Component, Category, Object

• Permission can be inherited

– from parent Groups and parent Categories


Joomla! 1.6 ACL Overview

Joomla 1.6 ACL Overview

• http://community.joomla.org/blogs/community/1252-16-acl.html







Joomla 1.6 ACL: User• Guest is also a

user

• Users can be assigned to one or several groups





Joomla 1.6 ACL: Permissions• Assigned to group (not to a user!)

• 9 Actions– Site Login– Admin Login– Super Admin– Access Component– Create– Delete– Edit– Edit State– Edit Own





Joomla 1.6 ACL: Groups

• Users with same permissions

• User can be in multiple groups

• Inherit permissions from parent groups

• Unlimited (sub-)groups

• Keep it simple! Only use nested groups if needed





Joomla 1.6 ACL: Access Level

• Which group can view what (article, menu, module, etc.)

• Permissions are not inherited between Access Levels

• Even Super Users can not view content onfrontend





Permissions

How Permissions work

• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

How Permissions work• Not set

– ‘soft’ deny– can be overridden by ‘Allowed’ or ‘Denied’

How Permissions work• Inherited

– value from a parent permission level– value from a parent user group– can be overridden by ‘Allowed’ or ‘Denied’

How Permissions work• Allowed

– action for current permission level and lower levels– action for current user group and child groups– can be overridden by ‘Denied’

How Permissions work• Denied

– action for current permission level and lower levels– action for current user group and child groups– can’t be overridden at all– always win!

Permission Hierarchy Levels

• Level 1: Global configuration – default permissions settings for actions for a group

Permissions: Global Configuration (Level 1)



• Level 2: Component Options – can override the permissions of Level 1

Permissions: Component Options (Level 2)

Permissions: Component Options (Level 2)




• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)

Permissions: Category (Level 3)

Permissions: Category (Level 3)





• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for articles in Joomla 1.6 core

Permissions: Item (Level 4)

Permissions: Item (Level 4)

Permission Hierarchy Levels• Level 1: Global configuration

– default permissions settings for actions for a group




Permission Hierarchy Levels• Level 1: Global configuration

– default permissions settings for actions for a group




• Override permissions of higher levels only works if permission setting is not ‘Denied’!

Inheriting example for ‘Create’ action

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4




Level 1

Level 2

Level 3

Level 4





Level 1

Level 2

Level 3

Level 4





Level 1

Level 2

Level 3

Level 4




Available Permissions and Levelsfor a Group of Users

Action: Edit State

Many permission screens....

ACL Manager for Joomla! 1.6


ACL Managerfor Joomla! 1.6




www.aclmanager.net

http://www.aclmanager.net


Debug Permissions

Debug Permissions

• Turn on the ‘Debug System’ in the Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User or User Group

Debug Permissions

• Need to turn ‘Debug System’ on...

Debug Permissions

So, what about the database?

Database: #__assets

Plan your ACL implementation

Describe the problem

• Most of the website is public available, specific content only for a group of users (e.g. teachers & students)

• A teacher can see content specifically for teachers, all student content and all public content

• Students can see content specifically for students and all public content

Viewing or action problem?

• Define the problem, is it a viewing problem or action problem (create/delete/edit/etc..)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Think ahead! Maintenance?

• Structure your content properly to handle the permissions

• Make usage of parent categories with nested categories with same permissions

• No need to set permissions per article

Some Notes

User in multiple groups

• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Belgium’ category

• Belgium– Allowed on edit ‘Belgium’ category– Denied on edit ‘The Netherlands’ category

• User in The Netherlands & Belgium group– Denied on edit ‘The Netherlands’ category– Denied on edit ‘Belgium’ category– Denied always win (again)– Solution: don’t use denied but not set/inherited (=soft deny)

What if I locked myself out? :-)

What if I locked myself out? :-)• No need to access your database

• Open your configuration.php and add:– public $root_user = 'username';

• You can login again and perform all actions

• Great for playing around with the new ACL

• Don’t forget to remove the $root_user line!

Practical ACL Tips

ACL Tips

• Write down your ACL requirements for a website before implementing

• Joomla 1.5 User Groups are for backward compatibility in Joomla 1.6, you may remove them!

• Use multi-nested Groups only if needed / know what you are doing(so inheriting value only between levels, not groups as well)

ACL Tips

• Assign User Group with backend access to a Viewing Access Level

• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible

• Idea: Make a Group for each Action so you can assign actions directly to a user

Joomla! ACL, what’s next?

Main suggestions

• View as action

• END user friendly interface

• Easy overview of your entire website

• Changes directly visible (no page reload)

• ...

Joomla! ACL:Good start, it is working but needs improvements for wide adoption by

the Joomla community

Resources• http://www.yireo.com/tutorials/joomla/joomla-administration/402-joomla-16-

acls-1-marketing-group• http://community.joomla.org/blogs/community/1252-16-acl.html• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-

permissions-in-joomla-16.html• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-

access-controls.html• http://www.aclmanager.net

http://www.yireo.com/tutorials/joomla/joomla-administration/402-joomla-16-acls-1-marketing-group




http://community.joomla.org/blogs/community/1252-16-acl.html

http://community.joomla.org/blogs/community/1252-16-acl.html

http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html




http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html






Technology

Joomla 1.6 ACL - J and Beyond 2011 #jab11