Joomla 2.5 & 3.0 ACL - JoomlaDay Denmark 2012

Joomla! ACL tekst

Sander Potjer
@sanderpotjer
www.aclmanager.net

Joomla!Day Denmark - 26 October 2012

Sander Potjer
• Involved in the local Dutch Joomla
community

• Joomla Community Leadership Team
(CLT) member

• Company: Sander Potjer Webdevelopment

• ACL Manager developer

• E-mail: sander.potjer@community.joomla.org

Sander Potjer
• Involved in the local Dutch Joomla
community

• Joomla Community Leadership Team
(CLT) member

• Company: Sander Potjer Webdevelopment

• ACL Manager developer

• E-mail: sander.potjer@community.joomla.org

• Slides: http://www.slideshare.net/sanderpotjer

It took a while... DrupalCon, October 2005
Johan Janssens

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

ACL?!?!
• ACL = Access Control List

ACL?!?!

• Access to parts of the website
– e.g. menu / module visibility
– “view” action

ACL?!?!

• Access to parts of the website
– e.g. menu / module visibility
– “view” action

• User actions on objects
– example: create / edit / edit state / delete article

Example
• Allow backend access to just one specific component

ACL - Groups
2.5/3.0

7 Groups, fixed structure
– Public
– Registered
– Author
– Editor
– Publisher
– Manager
– Administrator
– Super-Administrator

ACL - Groups
2.5/3.0

7 Groups, fixed structure Unlimited Groups, flexible
– Public structure
– Registered – user
– Author – group
– Editor – names
– Publisher – up
– Manager – to
– Administrator – you
– Super-Administrator

ACL - User in Group
2.5/3.0

User can be assigned to
one group

ACL - User in Group
2.5/3.0

User can be assigned to User can be assigned to
one group multiple groups

ACL - Access Levels
2.5/3.0

3 fixed Access Levels
– Public
– Registered
– Special

ACL - Access Levels
2.5/3.0

3 fixed Access Levels Unlimited Access Levels
– Public – default access levels
– Registered – user defined
– Special

ACL - Access Levels & Groups relation
2.5/3.0

Fixed relation between
Groups and Access Levels

ACL - Access Levels & Groups relation
2.5/3.0

Fixed relation between Any combination of User
Groups and Access Levels Groups can be assigned to
any Access Level

ACL - Actions
2.5/3.0

Fixed Actions per group
Create / edit / delete / admin
access / etc.
Permission scope for
entire site
Same permission for all objects

ACL in Joomla! 1.5 & 1.6 (Actions)

• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html

ACL - Actions
2.5/3.0

Fixed Actions per group Custom Actions per group
Create / edit / delete / admin Create / edit / delete / admin
access / etc. access / etc.
Permission scope for Permission scope at
entire site multiple levels
Same permission for all objects Site/Component/Category/Item

Joomla! 2.5
ACL Overview
(but the same for Joomla 3.0)

• http://community.joomla.org/blogs/community/1252-16-acl.html

User
• Guest is also a
user

• Users can be
assigned to one or
multiple groups

Core Permissions
• Assigned to group
(not to a user!)

• 10 Actions
– Site Login
– Admin Login
– Offline Access (since 1.7)
– Super Admin / Configure
– Access Component
– Create
– Delete
– Edit
– Edit State
– Edit Own

Group

• Users with same permissions

• Inherited permissions from
parent groups

• Unlimited nested groups

• Keep it simple! Only use
nested groups if needed

• New: Guest group in Joomla
3.0

Access Level

• What is visible for the
group (article, menu,
module, etc.)

• Permissions are inherited
between Access Levels

• Even Super Users can not
view content on frontend if
not assigned

Permissions
• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

Permissions - Not Set
• ‘soft’ deny
• can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Inherited
• Value from a parent Permission level
• Value from a parent User Group
• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Allowed
• Action for current permission level and lower levels
• Action for current user group and child groups
• Can be overridden by ‘Denied’

Permissions - Denied
• Action for current Permission level and lower levels
• Action for current User Group and child Groups
• Can not be overridden at all
• Always win!

Permission Hierarchy (levels)
• Level 1: Global configuration
– default permissions settings for actions for a group

• Level 2: Component Options
– can override the permissions of Level 1

• Level 3: Category
– can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc...)

• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for article manager in Joomla core

• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for article manager in Joomla core
• Override permissions of higher levels only works
if permission setting is not ‘Denied’!

Inheriting example for ‘Create’ Action

Level 1

Level 2

Level 3

Level 4

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Available Permissions and Levels
for a Group of Users

ACL Manager for Joomla! 1.6

www.aclmanager.net

Debug Permissions
• Turn on the ‘Debug System’ in the
Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User
or User Group

Debug Permissions
• Need to turn ‘Debug System’ on...

Viewing or Action problem
• Define the problem, is it a viewing problem or action
problem (create/delete/edit/etc..)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Think ahead! Maintenance?
• Structure your content properly to handle the
permissions

• Make usage of parent categories with nested
categories with same permissions

• No need to set permissions per article

User in multiple User Groups
• The Netherlands
– Allowed on edit ‘The Netherlands’ category
– Denied on edit ‘Germany’ category

• The Netherlands
– Denied on edit ‘Denmark’ category
• Denmark
– Allowed on edit ‘Denmark’ category
– Denied on edit ‘The Netherlands’ category

• The Netherlands
• Denmark
– Allowed on edit ‘Denmark’ category
• User in The Netherlands & Denmark group
– Denied always win (again)
– Solution: don’t use denied but not set/inherited (=soft deny)

What if I locked myself out?
• No need to access your database
• Open your configuration.php and add:
– public $root_user = 'username';
• You can login again and perform all actions
• Great for playing around with the new ACL
• Don’t forget to remove the $root_user line!

ACL Tips
• Write down your ACL requirements for a website
before implementing

• Joomla 1.5 User Groups are for backward
compatibility in Joomla 2.5, you may remove them!

• Use multi-nested Groups only if needed / know what
you are doing
(so inheriting value only between levels, not groups as well)

ACL Tips
• Assign User Group with backend access to a Viewing
Access Level (often ‘Special’)

• Keep flexible for lower permission levels/groups:
Avoid the ‘Denied’ permission setting as long as possible

• Use role-based groups

Quick ACL example
(do we have time?)

Resources
• http://community.joomla.org/blogs/community/1252-16-acl.html
• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-
permissions-in-joomla-16.html
• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-
access-controls.html
• http://www.aclmanager.net
• http://www.aclmanager.net/news/general/28-is-your-extension-really-
joomla-17-ready
• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-
your-extension
• http://magazine.joomla.org/issues/issue-sept-2012/item/856-Implementing-
Role-Based-ACL

Joomla 2.5 & 3.0 ACL - JoomlaDay Denmark 2012

Recommended

Recommended

More Related Content

More from Sander Potjer

More from Sander Potjer (20)

Recently uploaded

Recently uploaded (20)

Joomla 2.5 & 3.0 ACL - JoomlaDay Denmark 2012