joomla 2.5 & 3.0 acl - joomladay denmark 2012

tekstJoomla! ACL

Sander Potjer@sanderpotjer

www.aclmanager.net

Joomla!Day Denmark - 26 October 2012

http://www.aclmanager.net


Sander Potjer• Involved in the local Dutch Joomla

community

• Joomla Community Leadership Team (CLT) member

• Company: Sander Potjer Webdevelopment

• ACL Manager developer

• E-mail: [email protected]

mailto:[email protected]


Sander Potjer• Involved in the local Dutch Joomla

community

• Joomla Community Leadership Team (CLT) member

• Company: Sander Potjer Webdevelopment

• ACL Manager developer

• E-mail: [email protected]

• Slides: http://www.slideshare.net/sanderpotjer



Joomla! ACL

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

DrupalCon, October 2005Johan Janssens

It took a while...

http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation


• ACL = Access Control List

ACL?!?!


• Access to parts of the website– e.g. menu / module visibility– “view” action

ACL?!?!


• Access to parts of the website– e.g. menu / module visibility– “view” action

• User actions on objects– example: create / edit / edit state / delete article

ACL?!?!

• Allow backend access to just one specific component

Example

ACL - Groups

7 Groups, fixed structure– Public – Registered– Author– Editor – Publisher – Manager – Administrator– Super-Administrator

2.5/3.0

ACL - Groups

7 Groups, fixed structure– Public – Registered– Author– Editor – Publisher – Manager – Administrator– Super-Administrator

Unlimited Groups, flexible structure

– user – group – names– up– to – you

2.5/3.0

ACL - User in Group

User can be assigned to one group

2.5/3.0

ACL - User in Group

User can be assigned to one group

User can be assigned to multiple groups

2.5/3.0

ACL - Access Levels

3 fixed Access Levels– Public– Registered– Special

2.5/3.0

ACL - Access Levels

3 fixed Access Levels– Public– Registered– Special

Unlimited Access Levels– default access levels– user defined

2.5/3.0

ACL - Access Levels & Groups relation

Fixed relation between Groups and Access Levels

2.5/3.0

ACL - Access Levels & Groups relation

Fixed relation between Groups and Access Levels

Any combination of User Groups can be assigned to any Access Level

2.5/3.0

ACL - Actions

Fixed Actions per groupCreate / edit / delete / admin access / etc.

Permission scope for entire siteSame permission for all objects

2.5/3.0

ACL in Joomla! 1.5 & 1.6 (Actions)

• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html



ACL - Actions

Fixed Actions per groupCreate / edit / delete / admin access / etc.

Permission scope for entire siteSame permission for all objects

Custom Actions per groupCreate / edit / delete / admin access / etc.

Permission scope at multiple levelsSite/Component/Category/Item

2.5/3.0

Joomla! 2.5 ACL Overview

(but the same for Joomla 3.0)

• http://community.joomla.org/blogs/community/1252-16-acl.html



• Guest is also a user

• Users can be assigned to one or multiple groups

User

• Assigned to group (not to a user!)

• 10 Actions– Site Login– Admin Login– Offline Access (since 1.7)– Super Admin / Configure– Access Component– Create– Delete– Edit– Edit State– Edit Own

Core Permissions

• Users with same permissions

• Inherited permissions from parent groups

• Unlimited nested groups

• Keep it simple! Only use nested groups if needed

• New: Guest group in Joomla 3.0

Group

• What is visible for the group (article, menu, module, etc.)

• Permissions are inherited between Access Levels

• Even Super Users can not view content on frontend ifnot assigned

Access Level

Permissions

• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

Permissions

• ‘soft’ deny• can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Not Set

• Value from a parent Permission level• Value from a parent User Group• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Inherited

• Action for current permission level and lower levels• Action for current user group and child groups• Can be overridden by ‘Denied’

Permissions - Allowed

• Action for current Permission level and lower levels• Action for current User Group and child Groups• Can not be overridden at all• Always win!

Permissions - Denied

• Level 1: Global configuration – default permissions settings for actions for a group

Permission Hierarchy (levels)


• Level 2: Component Options – can override the permissions of Level 1




• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)





• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for article manager in Joomla core





• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for article manager in Joomla core

• Override permissions of higher levels only works if permission setting is not ‘Denied’!


• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action



Available Permissions and Levelsfor a Group of Users

Action: Edit State

ACL Manager for Joomla! 1.6

ACL Manager for Joomla! 1.6

www.aclmanager.net



Debug Permissions

• Turn on the ‘Debug System’ in the Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User or User Group

Debug Permissions

• Need to turn ‘Debug System’ on...Debug Permissions

So, what about the database?

Database: #__assets

Plan your ACL implementation

• Define the problem, is it a viewing problem or action problem (create/delete/edit/etc..)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Viewing or Action problem

• Structure your content properly to handle the permissions

• Make usage of parent categories with nested categories with same permissions

• No need to set permissions per article

Think ahead! Maintenance?

Some Notes

• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Germany’ category

User in multiple User Groups

• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category

• Denmark– Allowed on edit ‘Denmark’ category– Denied on edit ‘The Netherlands’ category


• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category

• Denmark– Allowed on edit ‘Denmark’ category– Denied on edit ‘The Netherlands’ category

• User in The Netherlands & Denmark group– Denied on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category– Denied always win (again)– Solution: don’t use denied but not set/inherited (=soft deny)


What if I locked myself out?

• No need to access your database• Open your configuration.php and add:

– public $root_user = 'username';

• You can login again and perform all actions• Great for playing around with the new ACL• Don’t forget to remove the $root_user line!

What if I locked myself out?

Practical ACL Tips

• Write down your ACL requirements for a website before implementing

• Joomla 1.5 User Groups are for backward compatibility in Joomla 2.5, you may remove them!

• Use multi-nested Groups only if needed / know what you are doing(so inheriting value only between levels, not groups as well)

ACL Tips

• Assign User Group with backend access to a Viewing Access Level (often ‘Special’)

• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible

• Use role-based groups

ACL Tips

Quick ACL example(do we have time?)

• http://community.joomla.org/blogs/community/1252-16-acl.html• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-

permissions-in-joomla-16.html• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-

access-controls.html• http://www.aclmanager.net• http://www.aclmanager.net/news/general/28-is-your-extension-really-

joomla-17-ready• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-

your-extension• http://magazine.joomla.org/issues/issue-sept-2012/item/856-Implementing-

Role-Based-ACL

Resources

http://community.joomla.org/blogs/community/1252-16-acl.html

http://community.joomla.org/blogs/community/1252-16-acl.html

http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html




http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html






http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready




http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension






http://magazine.joomla.org/issues/issue-sept-2012/item/856-Implementing-Role-Based-ACL




joomla 2.5 & 3.0 acl - joomladay denmark 2012

Technology