1. Joomla! ACL text
Sander Potjer
@sanderpotjer
www.aclmanager.net
Joomla!Day Germany - 5 October 2012
2. Sander Potjer
• Involved in the local Joomla community
• Joomla Community Leadership Team
(CLT) member
• Company: Sander Potjer Webdevelopment
• ACL Manager developer
• E-mail: sander.potjer@community.joomla.org
• Slides: http://www.slideshare.net/sanderpotjer
5. It took a while... DrupalCon, October 2005
Johan Janssens
• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
7. ACL?!?!
• ACL = Access Control List
• Access to parts of the website
– e.g. menu / module visibility
– “view” action
• User actions on objects
– example: create / edit / edit state / delete article
9. ACL - Groups
Joomla 1.5:
• 7 fixed Groups
– Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator
• Hierarchical structure
Joomla 2.5/3.0:
• Unlimited Groups
– user defined
• No Hierarchical Structure required
11. ACL - User in Group
Joomla 1.5:
• User can be assigned to one group
Joomla 2.5/3.0:
• User can be assigned to multiple groups
13. ACL - Access Levels
Joomla 1.5:
• 3 fixed Access Levels
– Public
– Registered
– Special
Joomla 2.5/3.0:
• Unlimited Access Levels
– user defined
15. ACL - Access Levels & Groups relation
Joomla 1.5:
• Fixed relation between Groups and Access Levels
Joomla 2.5/3.0:
• Any combination of User Groups can be assigned to any Access Level
17. ACL - Actions
Joomla 1.5:
• Fixed Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope for entire site
– Same permission for all objects
• Permission inheritance not applicable
Joomla 2.5/3.0:
• Custom Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope at multiple levels
– Site/Component/Category/Item
• Permission can be inherited
– Parent Groups / Categories
18. ACL in Joomla! 1.5 & 1.6 (Actions)
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
27. Group
• Users with same permissions
• Inherited permissions from parent groups
• Unlimited nested groups
• Keep it simple! Only use nested groups if needed
• Guest group in Joomla 3.0
29. Access Level
• What is visible for the group (article, menu, module, etc.)
• Permissions are not inherited between Access Levels
• Even Super Users can not view content on frontend if not assigned
33. Permissions - Not Set
• ‘soft’ deny
• can be overridden by ‘Allowed’ or ‘Denied’
34. Permissions - Inherited
• Value from a parent Permission level
• Value from a parent User Group
• Can be overridden by ‘Allowed’ or ‘Denied’
35. Permissions - Allowed
• Action for current permission level and lower levels
• Action for current user group and child groups
• Can be overridden by ‘Denied’
36. Permissions - Denied
• Action for current Permission level and lower levels
• Action for current User Group and child Groups
• Cannot be overridden at all
• Always wins!
39. Permission Hierarchy (levels)
• Level 1: Global configuration
– default permissions settings for actions for a group
• Level 2: Component Options
– can override the permissions of Level 1
• Level 3: Category
– can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc...)
• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for article manager in Joomla core
• Overriding permissions of higher levels only works if the permission setting is not ‘Denied’!
50. Inheriting example for ‘Create’ Action
Level 1
Level 2
Level 3
Level 4
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
69. Debug Permissions
• Turn on the ‘Debug System’ in the Global Configuration
• Go to ‘User Manager’ or ‘Groups’
• Click on ‘Debug Permission Report’ next to the User or User Group
75. Viewing or Action problem
• Define the problem, is it a viewing problem or action
problem (create/delete/edit/etc..)? Or both?
• Viewing: define the Viewing Access Levels
• Action: define the permissions for all actions
76. Think ahead! Maintenance?
• Structure your content properly to handle the
permissions
• Make use of parent categories with nested categories with the same permissions
• No need to set permissions per article
78. User in multiple User Groups
• The Netherlands
– Allowed on edit ‘The Netherlands’ category
– Denied on edit ‘Germany’ category
• Germany
– Allowed on edit ‘Germany’ category
– Denied on edit ‘The Netherlands’ category
• User in The Netherlands & Germany group
– Denied on edit ‘The Netherlands’ category
– Denied on edit ‘Germany’ category
– Denied always win (again)
– Solution: don’t use denied but not set/inherited (=soft deny)
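The permission rules from slides 33 to 49 and the two-group case from slides 78 to 80, as an added example (a Python model written for this page, not Joomla's own JAccess code): a simplified resolver that expands parent groups, merges the level chain top-down with ‘Denied’ sticking, and lets ‘Denied’ from any group win. Group names, level names and rules are constructed sample data.

```python
# Added example (not Joomla's own JAccess code): simplified model of how Joomla
# 2.5/3.0 resolves one action for a user, per the slides: a lower level may
# override a higher one unless that is 'Denied', parent-group permissions are
# inherited, 'Denied' always wins, Not Set / Inherited is a soft deny.
ALLOWED, DENIED = "allowed", "denied"   # absent key = Not Set / Inherited

def resolve(levels, rules, user_groups, parents):
    """levels: permission levels from global down to item.
    rules: {level: {group: ALLOWED|DENIED}} for one action (constructed).
    user_groups: groups the user is directly in; parents: {group: parent}."""
    # 1. The user's groups plus all ancestors (inherited from parent groups).
    identities = set()
    for group in user_groups:
        while group is not None:
            identities.add(group)
            group = parents.get(group)
    # 2. Merge levels top-down; an existing DENIED is never replaced, so an
    #    'Allowed' at category/item level cannot override it.
    merged = {}
    for level in levels:
        for group, value in rules.get(level, {}).items():
            if merged.get(group) != DENIED:
                merged[group] = value
    # 3. Any DENIED identity wins; else any ALLOWED identity allows;
    #    nothing set anywhere is a soft deny.
    result = False
    for ident in identities:
        if merged.get(ident) == DENIED:
            return False
        if merged.get(ident) == ALLOWED:
            result = True
    return result

def netherlands_germany(use_denied):
    """Slides 78-80: user in both 'The Netherlands' and 'Germany' groups.
    Returns (may edit NL category, may edit DE category)."""
    levels = ["global", "com_content", "category"]
    parents = {"Registered": None, "The Netherlands": "Registered",
               "Germany": "Registered"}
    nl, de = "The Netherlands", "Germany"
    def category(allowed_group, other_group):
        cat = {allowed_group: ALLOWED}
        if use_denied:                 # explicit 'Denied' on the other group;
            cat[other_group] = DENIED  # otherwise left Not Set (soft deny)
        return {"category": cat}
    user = [nl, de]
    return (resolve(levels, category(nl, de), user, parents),
            resolve(levels, category(de, nl), user, parents))
# netherlands_germany(True) -> (False, False); netherlands_germany(False) -> (True, True)
```

With explicit ‘Denied’ the user can edit neither category; with the other group left Not Set the soft deny is overridden and both edits are allowed.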
82. What if I locked myself out?
• No need to access your database
• Open your configuration.php and add:
– public $root_user = 'username';
• You can login again and perform all actions
• Great for playing around with the new ACL
• Don’t forget to remove the $root_user line!
84. ACL Tips
• Write down your ACL requirements for a website
before implementing
• Joomla 1.5 User Groups are for backward
compatibility in Joomla 2.5, you may remove them!
• Use multi-nested Groups only if needed / know what
you are doing
(so inheriting value only between levels, not groups as well)
85. ACL Tips
• Assign User Group with backend access to a Viewing
Access Level (often ‘Special’)
• Keep flexible for lower permission levels/groups:
Avoid the ‘Denied’ permission setting as long as possible
• Use role-based groups