joomla access control list (acl) at joomladay london, uk #jduk11
Post on 29-Nov-2014
User Access Levels for Joomla! 1.5 – 1.7
Sander Potjer (@sanderpotjer)
www.sanderpotjer.nl
Who is Sander Potjer?
• Co-founder of JoomlaCommunity.eu
• Organizer Joomla!Days Netherlands
• Organizer Joomla! User Groups in The Netherlands
• Joomla Community Leadership Team (CLT) member
• Company: Sander Potjer Webdevelopment
• E-mail: sander.potjer@community.joomla.org
Joomla! ACL
• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
DrupalCon, October 2005, Johan Janssens
It took a while...
ACL?!?!
• ACL = Access Control List
• Access to parts of the website – e.g. menu / module visibility – the “view” action
• User actions on objects – for example: create / edit / edit state / delete an article
ACL - Groups
• Joomla 1.5: 7 fixed Groups for users – Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator – plus Public for visitors who are not logged in
• Hierarchical structure
• Joomla 1.6+: Unlimited Groups – user defined
• No hierarchical structure required
ACL - User in Group
• Joomla 1.5: a user can be assigned to one group only
• Joomla 1.6+: a user can be assigned to multiple groups
ACL - Access Levels
• Joomla 1.5: 3 fixed Access Levels – Public – Registered – Special
• Joomla 1.6+: Unlimited Access Levels – user defined
ACL - Access Levels & Groups relation
• Joomla 1.5: Fixed relation between Groups and Access Levels
• Joomla 1.6+: Any combination of User Groups can be assigned to any Access Level
ACL - Actions
• Joomla 1.5: Fixed Actions per group – create / edit / delete / admin access / etc.
• Permission scope is the entire site – the same permission applies to all objects
• Permission inheritance not applicable
• Joomla 1.6+: Defined Actions per group – create / edit / delete / admin access / etc.
• Permission scope at multiple levels – Site / Component / Category / Item
• Permissions can be inherited – from parent Groups and from parent Categories
ACL in Joomla! 1.5 & 1.6 (Actions)
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
Joomla! 1.6/1.7/2.5 ACL Overview
• http://community.joomla.org/blogs/community/1252-16-acl.html
User
• Guest is also a user
• Users can be assigned to one or multiple groups
Permissions
• Assigned to a Group (not to a User!)
• 10 Actions – Site Login – Admin Login – Offline Access (since 1.7) – Super Admin / Configure – Access Component – Create – Delete – Edit – Edit State – Edit Own
Group
• Users with the same permissions
• Permissions are inherited from parent Groups
• Unlimited nested Groups
• Keep it simple! Only use nested Groups if needed
Access Level
• What is visible for the Group (article, menu, module, etc.)
• Permissions are not inherited between Access Levels
• Even Super Users cannot view content on the frontend if their Group is not assigned to the Access Level
Permissions
• 4 possible permission settings
– Not Set
– Inherited
– Allowed
– Denied
Permissions - Not Set
• ‘soft’ deny
• Can be overridden by ‘Allowed’ or ‘Denied’
Permissions - Inherited
• Value from a parent Permission level
• Value from a parent User Group
• Can be overridden by ‘Allowed’ or ‘Denied’
Permissions - Allowed
• Action for the current Permission level and lower levels
• Action for the current User Group and child Groups
• Can be overridden by ‘Denied’
Permissions - Denied
• Action for the current Permission level and lower levels
• Action for the current User Group and child Groups
• Cannot be overridden at all
• Always wins!
Permission Hierarchy (levels)
• Level 1: Global Configuration – default permission settings for the actions of a Group
• Level 2: Component Options – can override the permissions of Level 1
• Level 3: Category – can override the permissions of Level 1 & Level 2 – available for components with categories (Articles, Banners, etc.)
• Level 4: Item – can override the permissions of Level 1, Level 2 & Level 3 – only available for articles in Joomla 1.6 core
• Overriding the permissions of a higher level only works if the higher level's setting is not ‘Denied’!
Inheriting example for ‘Create’ Action
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
[Figure: the ‘Create’ permission inherited down from Level 1 (Global) through Level 2 (Component) and Level 3 (Category) to Level 4 (Item), shown in four build steps]
Available Permissions and Levels for a Group of Users
• Action: Edit State
ACL Manager for Joomla! 1.6
ACL Manager for Joomla!
Debug Permissions
• Turn on ‘Debug System’ in the Global Configuration
• Go to ‘User Manager’ or ‘Groups’
• Click on ‘Debug Permission Report’ next to the User or User Group
• Remember: the report is only available while ‘Debug System’ is on...
So, what about the database?
Database: #__assets
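Joomla stores the rules of every permission level in the #__assets table as a JSON `rules` column. As an added example (not code from the talk or from Joomla itself), the script below audits rows in that shape for two things the talk warns about: explicit ‘Denied’ entries, which cannot be overridden further down, and per-article permissions, which normally belong on a category instead. The rows, the group ids and the group names are constructed for the example.

```python
"""Audit of Joomla's #__assets table (added example, not from the talk or
from Joomla). Rows are constructed in the shape of #__assets
(id, parent_id, name, rules); `rules` is the JSON Joomla stores:
{action: {group_id: 1 (Allowed) | 0 (Denied)}}. A missing entry is
Not Set / Inherited. Group ids and names are assumptions for the example."""

from __future__ import annotations

import json

# Assumed group ids; on a real site they come from #__usergroups.
GROUP_NAMES = {"1": "Public", "2": "Registered", "10": "NL editors", "11": "BE editors"}

# Constructed sample rows: (id, parent_id, name, rules)
SAMPLE_ASSETS = [
    (1, 0, "root.1", '{"core.login.site":{"2":1}}'),                 # Level 1
    (8, 1, "com_content", '{"core.edit":{"10":1,"11":1}}'),           # Level 2
    (9, 8, "com_content.category.2", '{"core.edit":{"11":0}}'),       # Level 3
    (10, 8, "com_content.category.3", '{"core.edit":{"10":0}}'),      # Level 3
    (11, 9, "com_content.article.5", '{"core.edit":{"10":1}}'),       # Level 4
    (12, 10, "com_content.article.6", "{}"),                          # Level 4
]


def parse_rules(rules_json: str) -> dict[str, dict[str, int]]:
    """Decode the rules column; an empty column behaves like '{}'."""
    return json.loads(rules_json) if rules_json.strip() else {}


def asset_path(rows: list[tuple[int, int, str, str]], asset_id: int) -> list[str]:
    """Asset names from the root down to asset_id (Level 1 -> Level 4)."""
    by_id = {row[0]: row for row in rows}
    path = []
    while asset_id in by_id:
        row = by_id[asset_id]
        path.append(row[2])
        asset_id = row[1]
    return path[::-1]


def explicit_denies(rows: list[tuple[int, int, str, str]]) -> list[tuple[str, str, str]]:
    """Every explicit Denied (0): the setting the talk says to avoid, since
    it can never be overridden at a lower level or by another group."""
    found = []
    for _asset_id, _parent, name, rules_json in rows:
        for action, groups in parse_rules(rules_json).items():
            for group_id, value in groups.items():
                if value == 0:
                    found.append((name, action, GROUP_NAMES.get(group_id, group_id)))
    return found


def item_level_overrides(rows: list[tuple[int, int, str, str]]) -> list[str]:
    """Articles carrying their own rules: per-item permissions that the talk
    says should normally live on a (parent) category instead."""
    return [
        name
        for _asset_id, _parent, name, rules_json in rows
        if ".article." in name and any(parse_rules(rules_json).values())
    ]


if __name__ == "__main__":
    for name, action, group in explicit_denies(SAMPLE_ASSETS):
        print(f"Denied: {group} / {action} on {name}")
    for name in item_level_overrides(SAMPLE_ASSETS):
        print("Per-item rules on", " > ".join(asset_path(SAMPLE_ASSETS, 11)))
```

On a live site the same check runs over `SELECT id, parent_id, name, rules FROM jos_assets` (with your own table prefix in place of `jos_`); the functions only need the four columns in that order.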
Plan your ACL implementation
• Most of the website is public available, specific content only for a group of users (e.g. teachers & students)
• A teacher can see content specifically for teachers, all student content and all public content
• Students can see content specifically for students and all public content
Describe the problem
Viewing or Action problem
• Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?
• Viewing: define the Viewing Access Levels
• Action: define the permissions for all actions
Think ahead! Maintenance?
• Structure your content properly to handle the permissions
• Use parent categories with nested categories that share the same permissions
• No need to set permissions per article
Some Notes
User in multiple User Groups
• The Netherlands group – Allowed on edit for the ‘The Netherlands’ category – Denied on edit for the ‘Belgium’ category
• Belgium group – Allowed on edit for the ‘Belgium’ category – Denied on edit for the ‘The Netherlands’ category
• A user in both the The Netherlands & Belgium groups – Denied on edit for the ‘The Netherlands’ category – Denied on edit for the ‘Belgium’ category – Denied always wins (again) – Solution: don’t use Denied but Not Set / Inherited (= soft deny)
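The rules from the permission slides (Denied always wins, a lower level overrides a higher one unless the higher level says Denied, a user carries the rules of every parent Group) are easier to trust once you can run them. The following is an added example, not code from the talk and not Joomla's own JAccess classes: a small model of the resolution, with an assumed group tree (Public > Registered > ‘NL editors’ / ‘BE editors’) and assumed asset names. It reproduces the Netherlands/Belgium lock-out above and the fix with Not Set, and also shows a Denied in the Global Configuration that an Allowed on a category cannot override.

```python
"""Model of Joomla 1.6+ action-permission resolution: added example, not
code from the talk or from Joomla's JAccess classes. Group names, asset
names and the action names used below are this example's assumptions.

Per asset and action, a group's rule is 1 (Allowed), 0 (Denied) or absent
(Not Set / Inherited). Assets chain Global -> Component -> Category -> Item;
groups form a tree; a user may be in several groups."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ALLOWED, DENIED = 1, 0

# Assumed group tree: child -> parent
GROUP_PARENT = {
    "Public": None,
    "Registered": "Public",
    "NL editors": "Registered",
    "BE editors": "Registered",
}


@dataclass
class Asset:
    name: str
    parent: Optional[Asset] = None
    rules: dict = field(default_factory=dict)  # rules[action][group] -> 1 | 0

    def set_rule(self, action: str, group: str, value: int) -> None:
        self.rules.setdefault(action, {})[group] = value

    def chain(self) -> list[Asset]:
        """Ancestors first: Global (Level 1) down to this asset."""
        out, node = [], self
        while node is not None:
            out.append(node)
            node = node.parent
        return out[::-1]


def identities(assigned: list[str]) -> list[str]:
    """A user acts as each assigned group plus every parent group of it."""
    ids: list[str] = []
    for group in assigned:
        while group is not None:
            if group not in ids:
                ids.append(group)
            group = GROUP_PARENT[group]
    return ids


def merged_rules(asset: Asset, action: str) -> dict[str, int]:
    """Walk Level 1 -> Level 4; a lower level overrides a higher one unless
    the higher level says Denied, which is never overridden."""
    merged: dict[str, int] = {}
    for node in asset.chain():
        for group, value in node.rules.get(action, {}).items():
            if merged.get(group) == DENIED:
                continue
            merged[group] = value
    return merged


def allow(assigned: list[str], action: str, asset: Asset) -> bool:
    rules = merged_rules(asset, action)
    result = False  # nothing set in any group or level: soft deny
    for group in identities(assigned):
        if group in rules:
            if rules[group] == DENIED:
                return False  # one explicit Denied in any group always wins
            result = True
    return result


def country_editors(hard_deny: bool) -> dict[str, bool]:
    """The talk's scenario. hard_deny=True locks out the user who is in
    both groups; False uses Not Set (soft deny) instead of Denied."""
    root = Asset("Global Configuration")               # Level 1
    content = Asset("com_content", root)               # Level 2
    nl = Asset("category: The Netherlands", content)   # Level 3
    be = Asset("category: Belgium", content)           # Level 3
    nl.set_rule("core.edit", "NL editors", ALLOWED)
    be.set_rule("core.edit", "BE editors", ALLOWED)
    if hard_deny:
        nl.set_rule("core.edit", "BE editors", DENIED)
        be.set_rule("core.edit", "NL editors", DENIED)
    anna, bob, carol = ["NL editors"], ["NL editors", "BE editors"], ["Registered"]
    return {
        "anna edits NL": allow(anna, "core.edit", nl),
        "anna edits BE": allow(anna, "core.edit", be),
        "bob edits NL": allow(bob, "core.edit", nl),
        "bob edits BE": allow(bob, "core.edit", be),
        "carol edits NL": allow(carol, "core.edit", nl),
    }


def denied_at_global_wins() -> bool:
    """Denied for the parent group at Level 1 is inherited by the child
    group and is not overridden by Allowed at Level 3."""
    root = Asset("Global Configuration")
    nl = Asset("category: The Netherlands", Asset("com_content", root))
    root.set_rule("core.edit.state", "Registered", DENIED)
    nl.set_rule("core.edit.state", "NL editors", ALLOWED)
    return allow(["NL editors"], "core.edit.state", nl)


if __name__ == "__main__":
    print("hard deny:", country_editors(True))
    print("soft deny:", country_editors(False))
    print("edit state with global Denied:", denied_at_global_wins())
```

With `hard_deny=True` Bob, who is in both groups, is denied on both categories; with the Not Set variant he may edit both while Anna still cannot edit Belgium, because nothing in her groups allows it. Run the Debug Permission Report on a real site to compare its output with this model before you rely on it.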
What if I locked myself out?
• No need to access your database
• Open your configuration.php and add:
– public $root_user = 'username';
• You can log in again and perform all actions
• Great for playing around with the new ACL
• Don’t forget to remove the $root_user line!
Practical ACL Tips
• Write down your ACL requirements for a website before implementing
• The Joomla 1.5 User Groups exist in Joomla 1.6 for backward compatibility; you may remove them!
• Use multi-nested Groups only if needed / if you know what you are doing (without nesting, values are inherited only between levels, not between Groups as well)
ACL Tips
• Assign User Groups that have backend access to a Viewing Access Level (otherwise their members cannot see that content on the frontend)
• Keep lower permission levels/Groups flexible: avoid the ‘Denied’ setting as long as possible
• Idea: make a Group for each Action so you can assign actions directly to a user
Joomla! ACL, what’s next? Suggestions
• View as an action
• End-user friendly interface
• Easy overview of your entire website
• Changes directly visible (no page reload)
• ...
Resources
• http://community.joomla.org/blogs/community/1252-16-acl.html
• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html
• http://www.aclmanager.net
• http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready
• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension