Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Transcript

  • 1. User Access Levels for Joomla! 1.5 – 1.7 – Sander Potjer, @sanderpotjer, www.sanderpotjer.nl
  • 2. Who is Sander Potjer?
      • Co-founder of JoomlaCommunity.eu
      • Organizer Joomla!Days Netherlands
      • Organizer Joomla! User Groups in The Netherlands
      • Joomla Community Leadership Team (CLT) member
      • Company: Sander Potjer Webdevelopment
      • E-mail: sander.potjer@community.joomla.org
  • 3. Joomla! ACL
  • 4. It took a while... DrupalCon, October 2005, Johan Janssens
      • http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
  • 5–7. ACL?!?!
      • ACL = Access Control List
      • Access to parts of the website – e.g. menu / module visibility – the “view” action
      • User actions on objects – example: create / edit / edit state / delete article
  • 8–9. ACL - Groups
      Joomla! 1.5:
      • 7 fixed Groups – Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator
      • Hierarchical structure
      Joomla! 1.6:
      • Unlimited Groups – user defined
      • No hierarchical structure required
  • 10–11. ACL - User in Group
      Joomla! 1.5:
      • User can be assigned to one group
      Joomla! 1.6:
      • User can be assigned to multiple groups
  • 12–13. ACL - Access Levels
      Joomla! 1.5:
      • 3 fixed Access Levels – Public, Registered, Special
      Joomla! 1.6:
      • Unlimited Access Levels – user defined
  • 14–15. ACL - Access Levels & Groups relation
      Joomla! 1.5:
      • Fixed relation between Groups and Access Levels
      Joomla! 1.6:
      • Any combination of User Groups can be assigned to any Access Level
  • 16 & 18. ACL - Actions
      Joomla! 1.5:
      • Fixed Actions per group – Create / edit / delete / admin access / etc.
      • Permission scope for the entire site – same permission for all objects
      • Permission inheritance not applicable
      Joomla! 1.6:
      • Defined Actions per group – Create / edit / delete / admin access / etc.
      • Permission scope at multiple levels – Site / Component / Category / Item
      • Permission can be inherited – from parent Groups / Categories
  • 17. ACL in Joomla! 1.5 & 1.6 (Actions)
      • http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
  • 19. Joomla! 1.6/1.7/2.5 ACL Overview
  • 20, 21, 23, 25, 27, 29. ACL overview diagrams
      • http://community.joomla.org/blogs/community/1252-16-acl.html
  • 22. User
      • Guest is also a user
      • Users can be assigned to one or multiple groups
  • 24. Permissions
      • Assigned to a group (not to a user!)
      • 10 Actions – Site Login, Admin Login, Offline Access (since 1.7), Super Admin / Configure, Access Component, Create, Delete, Edit, Edit State, Edit Own
  • 26. Group
      • Users with the same permissions
      • Inherited permissions from parent groups
      • Unlimited nested groups
      • Keep it simple! Only use nested groups if needed
  • 28. Access Level
      • What is visible for the group (article, menu, module, etc.)
      • Permissions are not inherited between Access Levels
      • Even Super Users can not view content on the frontend if not assigned
  • 30–31. Permissions
      • 4 possible permission settings – Not Set, Inherited, Allowed, Denied
  • 32. Permissions - Not Set
      • ‘soft’ deny
      • Can be overridden by ‘Allowed’ or ‘Denied’
  • 33. Permissions - Inherited
      • Value from a parent Permission level
      • Value from a parent User Group
      • Can be overridden by ‘Allowed’ or ‘Denied’
  • 34. Permissions - Allowed
      • Action allowed for the current permission level and lower levels
      • Action allowed for the current user group and child groups
      • Can be overridden by ‘Denied’
  • 35. Permissions - Denied
      • Action denied for the current Permission level and lower levels
      • Action denied for the current User Group and child Groups
      • Can not be overridden at all
      • Denied always wins!
  • 36–41. Permission Hierarchy (levels)
      • Level 1: Global Configuration – default permission settings for actions for a group
      • Level 2: Component Options – can override the permissions of Level 1
      • Level 3: Category – can override the permissions of Level 1 & Level 2 – available for components with categories (Articles, Banners, etc.)
      • Level 4: Item – can override the permissions of Level 1, Level 2 & Level 3 – only available for articles in Joomla 1.6 core
      • Overriding permissions of higher levels only works if the permission setting is not ‘Denied’!
  • 42–45. Inheriting example for the ‘Create’ Action (diagram: Level 1 → Level 2 → Level 3 → Level 4)
      • http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
  • 46. Available Permissions and Levels for a Group of Users
  • 47. Action: Edit State
  • 48–51. ACL Manager for Joomla! 1.6 – www.aclmanager.net
  • 52–53. Debug Permissions
      • Turn on ‘Debug System’ in the Global Configuration
      • Go to ‘User Manager’ or ‘Groups’
      • Click on ‘Debug Permission Report’ next to the User or User Group
  • 54. Debug Permissions
      • You do need to turn ‘Debug System’ on first...
  • 55. So, what about the database?
  • 56. Database: #__assets
  • 57. Plan your ACL implementation
  • 58. Describe the problem
      • Most of the website is publicly available; specific content is only for a group of users (e.g. teachers & students)
      • A teacher can see content specifically for teachers, all student content and all public content
      • Students can see content specifically for students and all public content
  • 59. Viewing or Action problem
      • Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?
      • Viewing: define the Viewing Access Levels
      • Action: define the permissions for all actions
  • 60. Think ahead! Maintenance?
      • Structure your content properly to handle the permissions
      • Make use of parent categories with nested categories that share the same permissions
      • No need to set permissions per article
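The teacher/student viewing problem from slide 58 modelled with the access-level rules of slides 15 and 28, as an added example (this is illustration code written for this page, not Joomla's own JAccess implementation). The group tree, the access levels and the group-to-level assignments are constructed; the model assumes that a user in a child group also counts as a member of its parent groups, and that no access level inherits anything from another.

```python
"""Model of Joomla-style viewing access levels as described on the slides.

An access level is just a set of user groups; a user may view an item when one
of their groups (or a parent group of one of them) is assigned to the item's
access level. Levels never inherit from each other: even a Super User cannot
see content whose level their groups are not assigned to.
Constructed data below, written to match the teacher/student scenario.
"""

# Constructed group tree: child -> parent (None for the root group).
GROUP_PARENT = {
    "Public": None,
    "Registered": "Public",
    "Students": "Registered",
    "Teachers": "Registered",
    "Super Users": "Public",
}

# Constructed viewing access levels: level -> groups assigned to it.
# Teachers must see student content, so they are assigned to that level too.
ACCESS_LEVELS = {
    "Public": {"Public"},
    "Students only": {"Students", "Teachers"},
    "Teachers only": {"Teachers"},
}


def group_with_ancestors(group):
    """Membership of a child group implies membership of its parent groups."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain


def authorised_view_levels(user_groups):
    """All levels whose assigned groups overlap the user's effective groups."""
    effective = set()
    for g in user_groups:
        effective.update(group_with_ancestors(g))
    return {level for level, groups in ACCESS_LEVELS.items() if groups & effective}


def can_view(user_groups, item_access_level):
    """True when an item placed in item_access_level is visible to this user."""
    return item_access_level in authorised_view_levels(user_groups)


if __name__ == "__main__":
    sample_users = {
        "guest": ["Public"],
        "student": ["Students"],
        "teacher": ["Teachers"],
        "super user": ["Super Users"],
    }
    for who, groups in sample_users.items():
        print(f"{who:10s} sees {sorted(authorised_view_levels(groups))}")
```

Run it and the super user line shows only the Public level: backend power does not translate into frontend visibility unless the group is assigned to the level, which is the point of slide 28 and of the tip on slide 67 to assign backend groups to a viewing access level explicitly.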
  • 61. Some Notes
  • 62. User in multiple User Groups
      • Group ‘The Netherlands’ – Allowed to edit the ‘The Netherlands’ category – Denied to edit the ‘Belgium’ category
      • Group ‘Belgium’ – Allowed to edit the ‘Belgium’ category – Denied to edit the ‘The Netherlands’ category
      • User in both the ‘The Netherlands’ & ‘Belgium’ groups – Denied to edit the ‘The Netherlands’ category – Denied to edit the ‘Belgium’ category – Denied always wins (again)
      • Solution: don’t use Denied but Not Set / Inherited (= soft deny)
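The permission rules of slides 31–41 (four settings, Level 1 to Level 4, inheritance from parent groups, and the "Denied always wins" rule) and the two-group problem of slide 62, worked through in one small resolver. This is an added example written for this page, not Joomla's JAccess/JAccessRules code: the group tree, the asset chain standing in for the four permission levels, and the rule tables are constructed, and "Inherited" is modelled simply as the absence of an explicit setting at that level or group.

```python
"""Model of the slides' permission resolution.

Settings: Allowed, Denied, Not Set (soft deny). "Inherited" is what a level or
group shows when it has no entry of its own, so it is represented by a missing
rule. Resolution walks from Level 1 (Global Configuration) down to the asset,
looking at every group the user belongs to plus all of its parent groups.
A Denied anywhere on that path ends the check; otherwise any Allowed grants;
nothing set at all is a soft deny. Constructed data, not a Joomla database.
"""

ALLOWED, DENIED, NOT_SET = "Allowed", "Denied", "Not Set"

# Constructed group tree: child -> parent.
GROUP_PARENT = {"Public": None, "Registered": "Public", "Editors": "Registered",
                "The Netherlands": "Editors", "Belgium": "Editors"}

# Constructed asset chain: asset -> parent, one entry per permission level.
ASSET_PARENT = {"root": None,                      # Level 1: Global Configuration
                "com_content": "root",             # Level 2: Component Options
                "cat:The Netherlands": "com_content",  # Level 3: Category
                "cat:Belgium": "com_content",
                "cat:Blog": "com_content",
                "article:42": "cat:Blog"}          # Level 4: Item


def ancestors_first(node, parent_of):
    """Path from the root of the tree down to node, inclusive."""
    chain = []
    while node is not None:
        chain.append(node)
        node = parent_of[node]
    return list(reversed(chain))


def check(rules, user_groups, action, asset):
    """Resolve one action on one asset for a user in user_groups.

    rules maps (asset, group, action) -> ALLOWED | DENIED | NOT_SET.
    An explicit Denied for any effective group at any level wins immediately,
    which is why an item-level Allowed cannot override a category-level Denied.
    """
    groups = set()
    for g in user_groups:
        groups.update(ancestors_first(g, GROUP_PARENT))
    result = False  # nothing set anywhere: soft deny
    for a in ancestors_first(asset, ASSET_PARENT):
        for g in groups:
            setting = rules.get((a, g, action), NOT_SET)
            if setting == DENIED:
                return False
            if setting == ALLOWED:
                result = True
    return result


def levels_demo():
    """Slides 36-41: an Allowed at Level 2 is inherited by the article, but an
    Allowed set on the article cannot override a Denied on its category."""
    rules = {("com_content", "Editors", "edit"): ALLOWED}
    inherited = check(rules, ["Editors"], "edit", "article:42")
    rules[("cat:Blog", "Editors", "edit")] = DENIED
    rules[("article:42", "Editors", "edit")] = ALLOWED
    overridden = check(rules, ["Editors"], "edit", "article:42")
    nothing_set = check({}, ["Editors"], "edit", "article:42")
    return inherited, overridden, nothing_set


def multi_group_demo(soft):
    """Slide 62: a user in both country groups. With hard Denied the user can
    edit neither category; with Not Set (soft deny) each Allowed still works."""
    other = NOT_SET if soft else DENIED
    rules = {("cat:The Netherlands", "The Netherlands", "edit"): ALLOWED,
             ("cat:Belgium", "The Netherlands", "edit"): other,
             ("cat:Belgium", "Belgium", "edit"): ALLOWED,
             ("cat:The Netherlands", "Belgium", "edit"): other}
    both = ["The Netherlands", "Belgium"]
    return {"nl_user_edits_nl": check(rules, ["The Netherlands"], "edit", "cat:The Netherlands"),
            "nl_user_edits_be": check(rules, ["The Netherlands"], "edit", "cat:Belgium"),
            "both_edit_nl": check(rules, both, "edit", "cat:The Netherlands"),
            "both_edit_be": check(rules, both, "edit", "cat:Belgium")}


if __name__ == "__main__":
    print("levels (inherited, overridden, nothing set):", levels_demo())
    print("hard deny:", multi_group_demo(soft=False))
    print("soft deny:", multi_group_demo(soft=True))
```

The soft-deny variant still refuses the single-group Dutch editor on the Belgian category, because nothing grants it; what changes is only that a second group membership no longer poisons the first group's Allowed. That is the practical reason behind the tip on slide 67 to avoid Denied for as long as possible.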
  • 63–64. What if I locked myself out?
      • No need to access your database
      • Open your configuration.php and add: public $root_user = 'username';
      • You can log in again and perform all actions
      • Great for playing around with the new ACL
      • Don’t forget to remove the $root_user line!
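A small check for the last point on slide 64, added here as an example and not part of Joomla or the presentation: it finds a `$root_user` line left behind in configuration.php, reports which username it grants root access to, and returns the file contents with that line removed. The regular expressions assume the line is written the way the slide shows it (with or without quotes around the name); the configuration.php excerpt is constructed.

```python
"""Detect and strip a leftover $root_user line in a Joomla configuration.php.

The emergency line from the slide grants one username full permissions
regardless of the ACL, so it must not survive once the lock-out is fixed.
Assumed line shape: public $root_user = 'username';  (quotes optional).
"""
import re

# Captures the username from the $root_user assignment.
ROOT_USER_RE = re.compile(
    r"""^\s*public\s+\$root_user\s*=\s*(['"]?)(?P<user>[^'";]*)\1\s*;""",
    re.MULTILINE)

# Matches the whole line (including its line break) so it can be cut out.
ROOT_USER_LINE_RE = re.compile(
    r"^[ \t]*public[ \t]+\$root_user[ \t]*=.*(?:\r?\n|$)", re.MULTILINE)

# Constructed excerpt of a configuration.php with the recovery line still present.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'Example site';
    public $root_user = 'sander';
    public $debug = '1';
}
"""


def find_root_user(config_text):
    """Return the username given root access, or None if no such line exists."""
    match = ROOT_USER_RE.search(config_text)
    return match.group("user").strip() if match else None


def without_root_user(config_text):
    """Return the configuration with every $root_user line removed."""
    return ROOT_USER_LINE_RE.sub("", config_text)


if __name__ == "__main__":
    user = find_root_user(SAMPLE_CONFIG)
    if user is None:
        print("configuration.php is clean")
    else:
        print(f"WARNING: $root_user still grants root access to '{user}'")
        print(without_root_user(SAMPLE_CONFIG))
```

To run it against a real installation, read the file into `config_text` instead of using `SAMPLE_CONFIG`; the check is cheap enough to add to whatever post-maintenance review you already do on the site's configuration.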
  • 65–66. Practical ACL Tips
      • Write down your ACL requirements for a website before implementing
      • Joomla 1.5 User Groups are kept for backward compatibility in Joomla 1.6; you may remove them!
      • Use multi-nested Groups only if needed / if you know what you are doing (without nesting, values are inherited only between levels, not between groups as well)
  • 67. ACL Tips
      • Assign a User Group with backend access to a Viewing Access Level
      • Keep flexibility for lower permission levels/groups: avoid the ‘Denied’ permission setting as long as possible
      • Idea: make a Group for each Action so you can assign actions directly to a user
  • 68. Joomla! ACL, what’s next?
  • 69. Suggestions
      • ‘View’ as an action
      • End-user friendly interface
      • Easy overview of your entire website
      • Changes directly visible (no page reload)
      • ...
  • 70. Resources
      • http://community.joomla.org/blogs/community/1252-16-acl.html
      • http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
      • http://docs.joomla.org/Access_Control_System_In_Joomla_1.6
      • http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
      • http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html
      • http://www.aclmanager.net
      • http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready
      • http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension