The document discusses Joomla access control lists (ACL). It begins with defining ACL as access control lists and discussing how they control the visibility of content and actions on objects. It then provides an overview of how ACL permissions are set at the global, component, category, and individual object levels, including how permissions are inherited between levels. It discusses how the ACL Manager extension for Joomla simplifies complex permission settings for user groups based on categories. Resources for further information on Joomla ACL and developing extensions with ACL support are also listed.

1. Joomla ACL
Sander Potjer - @sanderpotjer
www.sanderpotjer.nl
JUG Breda - 29 september 2015

5. Sander Potjer

6. - Draag graag bij aan Joomla

7. - Draag graag bij aan Joomla
- Bedrijf: Perfect Web Team

8. - Draag graag bij aan Joomla
- Bedrijf: Perfect Web Team
- Extensie: ACL Manager

9. Sander Potjer
- Draag graag bij aan Joomla
- Bedrijf: Perfect Web Team
- Extensie: ACL Manager
- sander@sanderpotjer.nl
- Slides: sanderpotjer.nl

10. Photo by: Mark Fischer
Joomla ACL

11. ACL?!?!
ACL = Access Control List

12. ACL?!?!
ACL = Access Control List
1) Visibility of content

13. ACL?!?!
ACL = Access Control List
1) Visibility of content
2) Actions on objects

15. Photo by: Chris Smith
Overview

16. user

17. user permissions

18. user permissionspermissions
Site Login
Admin Login
Offline Access
Super Admin / Configure
Access Admin. Interface
Create
Delete
Edit
Edit State
Edit Own

19. user permissions
group

20. user permissions
access level
group

21. user permissions
access level
group

22. user permissions
access level
group

23. user permissions
access level
group

24. user permissions
access level
group

25. user permissions
access level
group

26. user permissions
access level
role

27. user permissions
Site Login
Admin Login
Offline Access
Super Admin / Configure
Access Admin. Interface
Create
Delete
Edit
Edit State
Edit Own
access level
group

28. ACL levels
Photo by: Ian Sane

29. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions

30. Photo by: Andreas
Inheritance

31. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions

32. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions

33. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
not set
inherited
inherited
inherited

34. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
allowed
inherited
inherited
inherited

35. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
allowed
inherited
denied
locked

36. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
not set
allowed
inherited
inherited

37. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
not set
inherited
allowed
inherited

38. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
denied
allowed
locked
locked

39. Global Configuration permissions
Component permissions
Category / Module permissions
Article permissions
denied
allowed
locked
locked
CONFLICT

40. Photo by: Andreas
Inheritance #2

42. Inheriting example for ‘Create’
Level 1
Level 2
Level 3
Level 4

43. Inheriting example for ‘Create’
Level 1
Level 2
Level 3
Level 4

44. Inheriting example for ‘Create’
Level 1
Level 2
Level 3
Level 4

45. Inheriting example for ‘Create’
Level 1
Level 2
Level 3
Level 4

46. Photo by: Chris Smith
Overview?????

47. Action: Edit State
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core

48. Many permission screens....
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core

49. Many permission screens....
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core

50. Many permission screens....
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core

51. Many permission screens....
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core

52. Idea?!

53. Action: Edit State
• Global configuration
– default permissions for each action and group
• Component options (permissions)
– can override the default permissions for a component
• Category
– can override the default permissions and component options
– applies to components with categories (Articles, Banners, etc...)
• Object
– can override all permissions above for an object
– only applies to articles in Joomla 1.6 core
ACL Manager for Joomla! 1.6

59. ACL Manager for Joomla! 1.6
• USA group
– Allow on edit ‘USA’ category
– Deny on edit ‘Europe’ category
• Europe group
– Allow on edit ‘Europe’ category
– Deny on edit ‘USA’ category
• User in USA & Europe group
– Deny on edit ‘Europe’ category
– Deny on edit ‘USA’ category
– Deny always win
www.aclmanager.net

60. Resources
Photo by: Schub@

61. Is your extension really Joomla 1.7 ready?
http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready
How to add basic ACL support to your extension
http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-
extension
Developing a MVC Component/Adding ACL
http://docs.joomla.org/J2.5:Developing_a_MVC_Component/Adding_ACL
Adding ACL rules to your component
http://docs.joomla.org/Adding_ACL_rules_to_your_component
Access Control List Tutorial
http://docs.joomla.org/J2.5:Access_Control_List_Tutorial
Support for ACL permissions per module in com_modules
https://github.com/joomla/joomla-cms/pull/1930/files
JHelperContent::getActions() improvements
https://github.com/joomla/joomla-cms/pull/2728
This presentation
http://slideshare.net/sanderpotjer/