2. Joomla! 1.6 ACL
About me
• Co-founder of JoomlaCommunity.eu
• Organizer Joomla!Days Netherlands
• Organizer Joomla! User Groups in The Netherlands
• Company: Sander Potjer Webdesign
• Yireo/Jira ICT
• Student Architecture
4. Joomla! 1.6 ACL
It took a while...
DrupalCon, October 2005
Johan Janssens
• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
5. Joomla! 1.6 ACL
ACL?!
• ACL = Access Control List
• Access to parts of the website
– e.g. menu / module visibility
– “view” action
• User actions on objects
– e.g. create / edit / delete article
6. Joomla! 1.6 ACL
ACL in Joomla! 1.5 & 1.6 (Access)
Joomla! 1.5:
• 7 fixed Groups
– Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator
– Hierarchical structure
• User can be assigned to one group
Joomla! 1.6:
• Unlimited Groups
– user-defined
– not hierarchical
• User can be assigned to multiple groups
7. Joomla! 1.6 ACL
ACL in Joomla! 1.5 & 1.6 (Access)
Joomla! 1.5:
• 3 fixed Access Levels
– Public, Registered and Special
• Fixed relation between Groups and Access Levels
Joomla! 1.6:
• Unlimited Access Levels
– user-defined
• Any combination of Groups can be assigned to any Access Level
8. Joomla! 1.6 ACL
ACL in Joomla! 1.5 & 1.6 (Actions)
• Fixed Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope for entire site
– Same permission for all objects
• Permission inheritance not applicable
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
10. Joomla! 1.6 ACL
ACL in Joomla! 1.5 & 1.6 (Actions)
Joomla! 1.5:
• Fixed Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope for entire site
– Same permission for all objects
• Permission inheritance not applicable
Joomla! 1.6:
• User defined Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope at multiple levels
– Site, Component, Category, Object
• Permission can be inherited
– from parent Groups and parent Categories
18. Joomla! 1.6 ACL
Joomla 1.6 ACL: Groups
• Users with same permissions
• User can be in multiple groups
• Inherit permissions from parent groups
• Unlimited (sub-)groups
• Keep it simple! Only use nested groups if needed
20. Joomla! 1.6 ACL
Joomla 1.6 ACL: Access Level
• Which group can view what (article, menu, module, etc.)
• Permissions are not inherited between Access Levels
• Even Super Users cannot view content on frontend
23. Joomla! 1.6 ACL
How Permissions work
• 4 possible permission settings
– Not Set
– Inherited
– Allowed
– Denied
24. Joomla! 1.6 ACL
How Permissions work
• Not set
– ‘soft’ deny
– can be overridden by ‘Allowed’ or ‘Denied’
25. Joomla! 1.6 ACL
How Permissions work
• Inherited
– value from a parent permission level
– value from a parent user group
– can be overridden by ‘Allowed’ or ‘Denied’
26. Joomla! 1.6 ACL
How Permissions work
• Allowed
– action for current permission level and lower levels
– action for current user group and child groups
– can be overridden by ‘Denied’
27. Joomla! 1.6 ACL
How Permissions work
• Denied
– action for current permission level and lower levels
– action for current user group and child groups
– can’t be overridden at all
– always wins!
40. Joomla! 1.6 ACL
Permission Hierarchy Levels
• Level 1: Global configuration
– default permissions settings for actions for a group
• Level 2: Component Options
– can override the permissions of Level 1
• Level 3: Category
– can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc...)
• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for articles in Joomla 1.6 core
• Overriding the permissions of higher levels only works if the permission setting is not ‘Denied’!
41. Joomla! 1.6 ACL
Inheriting example for ‘Create’ action
(Diagram showing Level 1, Level 2, Level 3 and Level 4)
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
54. Joomla! 1.6 ACL
Debug Permissions
• Turn on the ‘Debug System’ in the Global Configuration
• Go to ‘User Manager’ or ‘Groups’
• Click on ‘Debug Permission Report’ next to the User or User Group
58. Joomla! 1.6 ACL
Describe the problem
• Most of the website is publicly available; specific content is only for a group of users (e.g. teachers & students)
• A teacher can see content specifically for teachers, all student content and all public content
• Students can see content specifically for students and all public content
59. Joomla! 1.6 ACL
Viewing or action problem?
• Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?
• Viewing: define the Viewing Access Levels
• Access: define the permissions for the actions
60. Joomla! 1.6 ACL
Think ahead! Maintenance?
• Structure your content properly to handle the permissions
• Make use of parent categories with nested categories that share the same permissions
• No need to set permissions per article
62. Joomla! 1.6 ACL
User in multiple groups
• Class 1
– Allowed on edit ‘Class 1’ category
– Denied on edit ‘Class 2’ category
• Class 2
– Allowed on edit ‘Class 2’ category
– Denied on edit ‘Class 1’ category
• User in Class 1 & Class 2 group
– Denied on edit ‘Class 1’ category
– Denied on edit ‘Class 2’ category
– Denied always wins
– Solution: don’t use denied (soft deny)
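The rules from the ‘How Permissions work’, ‘Permission Hierarchy Levels’ and ‘User in multiple groups’ slides, as an added example that is not part of the original deck and is not Joomla's own code. It is a simplified model: the group tree, the asset names (`global`, `com_content`, `cat:...`) and the plain action labels are constructed for illustration.

```python
ALLOWED, DENIED = True, False  # "Not Set" / "Inherited" = no entry at all

# Constructed sample data; group names follow the slides' Class 1 / Class 2 case.
GROUP_PARENT = {"Public": None, "Registered": "Public",
                "Class 1": "Registered", "Class 2": "Registered"}
ASSET_PARENT = {"global": None, "com_content": "global",
                "cat:Class 1": "com_content", "cat:Class 2": "com_content"}

def lineage(node, parents):
    """Return node followed by all of its ancestors."""
    chain = []
    while node is not None:
        chain.append(node)
        node = parents[node]
    return chain

def check(user_groups, action, asset, rules):
    """Resolve one action: any explicit Denied wins, else any Allowed, else soft deny."""
    found = set()
    for level in lineage(asset, ASSET_PARENT):          # item/category up to global
        for group in user_groups:                       # every group the user is in
            for g in lineage(group, GROUP_PARENT):      # plus its parent groups
                setting = rules.get(level, {}).get(action, {}).get(g)
                if setting is not None:
                    found.add(setting)
    if DENIED in found:
        return "denied"
    return "allowed" if ALLOWED in found else "not set (soft deny)"

# The slide's setup: each class is Allowed on its own category, Denied on the other.
RULES_WITH_DENY = {
    "cat:Class 1": {"edit": {"Class 1": ALLOWED, "Class 2": DENIED}},
    "cat:Class 2": {"edit": {"Class 2": ALLOWED, "Class 1": DENIED}},
}
# The slide's solution: leave the other class Not Set instead of Denied.
RULES_SOFT = {
    "cat:Class 1": {"edit": {"Class 1": ALLOWED}},
    "cat:Class 2": {"edit": {"Class 2": ALLOWED}},
}

if __name__ == "__main__":
    both = ["Class 1", "Class 2"]
    for name, rules in (("with Denied", RULES_WITH_DENY), ("soft deny", RULES_SOFT)):
        for cat in ("cat:Class 1", "cat:Class 2"):
            print(name, cat, "->", check(both, "edit", cat, rules))
```

With the explicit Denied entries a user in both groups ends up unable to edit either category; with the soft-deny rules the same user can edit both, while a user in only one class still cannot edit the other class's category.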
64. Joomla! 1.6 ACL
What if I locked myself out? :-)
• No need to access your database
• Open your configuration.php and add:
– public $root_user = 'username';
• You can login again and perform all actions
• Great for playing around with the new ACL
• Don’t forget to remove the $root_user line!
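A check for a `$root_user` line that was left behind in configuration.php, as an added example that is not part of the original deck. The two sample files are constructed, and treating an empty value as "no override" is an assumption of this sketch.

```python
import re

# Matches a PHP string literal (group 1, kept) or a comment (dropped), so that
# comment markers inside strings such as 'http://...' are not misread.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S)
_ROOT_USER = re.compile(r"""\$root_user\s*=\s*(['"])(.*?)\1""")

def active_root_user(php_source):
    """Return the username of an uncommented $root_user line, or None."""
    code = _TOKEN.sub(lambda m: m.group(1) or "", php_source)
    match = _ROOT_USER.search(code)
    # Assumption: an empty value names no account, so it is not reported.
    return match.group(2) if match and match.group(2) else None

# Constructed sample files.
SAMPLE_LIVE = """<?php
class JConfig {
    public $sitename = 'Demo // site';
    public $root_user = 'username';
}
"""
SAMPLE_COMMENTED = """<?php
class JConfig {
    // public $root_user = 'username';
    /* public $root_user = 'admin'; */
    public $live_site = 'http://example.org';
}
"""

if __name__ == "__main__":
    for label, src in (("live", SAMPLE_LIVE), ("commented", SAMPLE_COMMENTED)):
        print(label, "->", active_root_user(src))
```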
66. Joomla! 1.6 ACL
ACL Tips
• Write down your ACL requirements for a website before implementing
• Joomla 1.5 User Groups are in Joomla 1.6 for backward compatibility; you may remove them!
• Use multi-nested Groups only if needed / if you know what you are doing
(so inheriting value only between levels, not groups as well)
67. Joomla! 1.6 ACL
ACL Tips
• Assign User Group with backend access to a Viewing Access Level
• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible
• Idea: Make a Group for each Action so you can assign actions directly to a user