Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Permission management in Joomla! 2.5, Sander Potjer, @sanderpotjer, www.sanderpotjer.nl, Joomla!dagen 2012 - 21 April 2012

Upload: sander-potjer

Post on 22-May-2015


DESCRIPTION

Slides of the Joomla ACL session on the Dutch Joomla!Days, 21 April 2012

TRANSCRIPT

Page 1: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Permission management in Joomla! 2.5

Sander Potjer, @sanderpotjer

www.sanderpotjer.nl

Joomla!dagen 2012 - 21 April 2012

Page 3: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Who is Sander Potjer?

• Involved in the local Joomla community

• Joomla Community Leadership Team (CLT) member

• Company: Sander Potjer Webdevelopment

• E-mail: [email protected]

• Slides: http://www.slideshare.net/sanderpotjer

Page 4: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Joomla! ACL

Page 5: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

DrupalCon, October 2005, Johan Janssens

It took a while...

Page 8: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• ACL = Access Control List

• Access to parts of the website
  – e.g. menu / module visibility
  – “view” action

• User actions on objects
  – example: create / edit / edit state / delete article

ACL?!?!

Page 10: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL - Groups

• 7 fixed Groups
  – Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator

• Hierarchical structure

• Unlimited Groups
  – user defined

• No Hierarchical Structure required

Page 12: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL - User in Group

• User can be assigned to one group

• User can be assigned to multiple groups

Page 14: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL - Access Levels

• 3 fixed Access Levels
  – Public
  – Registered
  – Special

• Unlimited Access Levels
  – user defined

Page 16: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL - Access Levels & Groups relation

• Fixed relation between Groups and Access Levels

• Any combination of User Groups can be assigned to any Access Level

Page 19: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL - Actions

• Fixed Actions per group
  – Create / edit / delete / admin access / etc.

• Permission scope for entire site
  – Same permission for all objects

• Permission inheritance not applicable

• Defined Actions per group
  – Create / edit / delete / admin access / etc.

• Permission scope at multiple levels
  – Site/Component/Category/Item

• Permission can be inherited
  – Parent Groups / Categories

Page 20: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Joomla! 2.5 ACL Overview

Page 23: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Guest is also a user

• Users can be assigned to one or multiple groups

User

Page 25: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Assigned to group (not to a user!)

• 10 Actions
  – Site Login
  – Admin Login
  – Offline Access (since 1.7)
  – Super Admin / Configure
  – Access Component
  – Create
  – Delete
  – Edit
  – Edit State
  – Edit Own

Permissions

Page 27: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Users with same permissions

• Inherited permissions from parent groups

• Unlimited nested groups

• Keep it simple! Only use nested groups if needed

Group

Page 29: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• What is visible for the group (article, menu, module, etc.)

• Permissions are not inherited between Access Levels

• Even Super Users cannot view content on the frontend if not assigned

Access Level

Page 31: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Permissions

Page 32: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

Permissions

Page 33: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• ‘soft’ deny

• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Not Set

Page 34: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Value from a parent Permission level

• Value from a parent User Group

• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Inherited

Page 35: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Action for current Permission level and lower levels

• Action for current User Group and child Groups

• Can be overridden by ‘Denied’

Permissions - Allowed

Page 36: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Action for current Permission level and lower levels

• Action for current User Group and child Groups

• Cannot be overridden at all

• Always wins!

Permissions - Denied

Page 49: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Level 1: Global configuration
  – default permission settings for actions for a group

• Level 2: Component Options
  – can override the permissions of Level 1

• Level 3: Category
  – can override the permissions of Level 1 & Level 2
  – available for components with categories (Articles, Banners, etc.)

• Level 4: Item
  – can override the permissions of Level 1 & Level 2 & Level 3
  – only available for the article manager in Joomla core

• Overriding the permissions of higher levels only works if the permission setting is not ‘Denied’!

Permission Hierarchy (levels)

Page 50: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action

Page 54: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Available Permissions and Levels for a Group of Users

Page 55: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Action: Edit State

Page 56: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 57: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 58: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 59: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 64: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

ACL Manager for Joomla! 1.6

www.aclmanager.net

Page 65: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

www.aclmanager.net

ACL Manager for Joomla!

ACL Manager is an extension by Sander Potjer Webdevelopment - www.aclmanager.net

50% discount with the Joomla!dagen coupon!

Page 66: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Debug Permissions

Page 67: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Turn on the ‘Debug System’ in the Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User or User Group

Debug Permissions

Page 68: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 69: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Need to turn ‘Debug System’ on...

Debug Permissions

Page 70: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

So, what about the database?

Page 71: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Database: #__assets

Page 72: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Plan your ACL implementation

Page 73: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Viewing or Action problem

Page 74: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Most of the website is publicly available, specific content is only for a group of users (e.g. teachers & students)

• A teacher can see content specifically for teachers, all student content and all public content

• Students can see content specifically for students and all public content

Describe the problem

Page 75: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl
Page 76: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

With the Access Control List you can quickly differentiate the access level of different user groups. This is how you set up your ACL…

Joomla! ACL in practice

tools | tech | trends  Joomla! 2.5  experts  Sander Potjer

For a long time it was one of the most wanted new features in Joomla, and since the availability of Joomla 1.6 it is finally here: extensive access and permission management, also known as the Access Control List (ACL).

Joomla 1.0 and 1.5 already had an ACL system, but it was still very limited. The user groups, access levels and permissions could not be configured. In Joomla 1.6, 1.7 and 2.5 they now can, which has made the ACL system more complex but has also opened up many new possibilities.

For this workshop we will set up an ACL configuration for a small school in a Joomla 2.5 installation, without the Joomla sample data. The school has three classes of pupils and several teachers. A teacher can teach more than one class.

The school wants each class to have its own class blog where the pupils of that class can add articles and can edit only the articles they wrote themselves, both through the front end of the website. The articles are visible to everyone on the website.

The teacher of a class must first approve all articles before publication, and can edit and if necessary delete all articles of the pupils in the class, both through the front end and through the administration area of the website. In the administration area the teacher may only access the articles of their own class(es). The teacher must also be able to post articles.

A final wish is a separate blog for the teachers for internal use, where the teachers can post articles; a small intranet, in other words. This may be visible to the teachers only.

01 Removing the default user groups

Before we can set permissions, groups first have to be created. By default several groups are already available, corresponding to the groups we know from Joomla 1.5. These groups are not needed and mainly cause confusion. We therefore delete all groups except ‘Public’ and ‘Super Users’, because these cannot be deleted.

Thanks to the very flexible ACL you can now assign people to different groups

THE EXPERT

Sander Potjer is chairman of Stichting Sympathy and is active in JoomlaCommunity.eu, the Joomla user groups and the Joomla!Dagen. Internationally, Sander is part of the Joomla Leadership Team. Sander is also the developer of ACL Manager, which simplifies Joomla ACL management.

pages 32 - 35

Page 77: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Structure your content properly to handle the permissions

• Make use of parent categories with nested categories that share the same permissions

• No need to set permissions per article

Think ahead! Maintenance?

Page 78: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Some Notes

Page 79: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• The Netherlands
  – Allowed on edit ‘The Netherlands’ category
  – Denied on edit ‘Belgium’ category

• Belgium
  – Allowed on edit ‘Belgium’ category
  – Denied on edit ‘The Netherlands’ category

• User in The Netherlands & Belgium group
  – Denied on edit ‘The Netherlands’ category
  – Denied on edit ‘Belgium’ category
  – Denied always wins (again)
  – Solution: don’t use Denied but Not Set/Inherited (= soft deny)

User in multiple User Groups
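
The resolution rules from the ‘Permissions’ and ‘Permission Hierarchy’ slides, applied to the two-group case above, as an added example (a simplified model written for this transcript, not Joomla's code and not from the original slides). The rule layout (action, then group, then 1 for Allowed or 0 for Denied, with a missing entry meaning Not Set/Inherited), the group names `nl`/`be` and the category keys are assumptions; `core.edit` is Joomla's name for the Edit action.

```python
# Simplified model of the slides' rules; an added example, not Joomla's code.
# Assumed layout per level: {action: {group: 1 (Allowed) | 0 (Denied)}};
# a missing entry means Not Set / Inherited.
GROUP_PARENT = {"public": None, "nl": "public", "be": "public"}  # constructed

def identities(user_groups):
    """The user's groups plus every parent group they inherit from."""
    seen = set()
    for group in user_groups:
        while group is not None and group not in seen:
            seen.add(group)
            group = GROUP_PARENT[group]
    return seen

def merge_levels(levels, action):
    """Merge one action's rules from Level 1 (global) down to the item.
    A lower level can fill in Not Set or turn Allowed into Denied, but a
    Denied from a higher level is sticky and cannot be overridden."""
    merged = {}
    for rules in levels:
        for group, value in rules.get(action, {}).items():
            if merged.get(group) != 0:
                merged[group] = value
    return merged

def check(user_groups, action, levels):
    """True only if some identity is Allowed and none is Denied."""
    merged = merge_levels(levels, action)
    values = [merged[g] for g in identities(user_groups) if g in merged]
    if 0 in values:        # Denied always wins
        return False
    return 1 in values     # nothing set anywhere is a soft deny

GLOBAL = {}  # Level 1: nothing set for these groups (constructed)
HARD = {     # the slide's setup, with explicit Denied on the other category
    "cat_nl": {"core.edit": {"nl": 1, "be": 0}},
    "cat_be": {"core.edit": {"be": 1, "nl": 0}},
}
SOFT = {     # the slide's solution: leave the other group Not Set
    "cat_nl": {"core.edit": {"nl": 1}},
    "cat_be": {"core.edit": {"be": 1}},
}

def can_edit(user_groups, category, setup):
    return check(user_groups, "core.edit", [GLOBAL, setup[category]])

if __name__ == "__main__":
    for label, setup in (("explicit Denied", HARD), ("Not Set", SOFT)):
        for cat in ("cat_nl", "cat_be"):
            print(label, cat, can_edit(["nl", "be"], cat, setup))
```

With the explicit Denied setup the user in both groups can edit neither category; with Not Set the same user can edit both, while a user in only one group is still kept out of the other category by the soft deny.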

Page 80: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

What if I locked myself out?

Page 81: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• No need to access your database

• Open your configuration.php and add:
  – public $root_user = 'username';

• You can log in again and perform all actions

• Great for playing around with the new ACL

• Don’t forget to remove the $root_user line!

What if I locked myself out?
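
A check for a forgotten `$root_user` override, as an added example (not from the original slides): it scans the text of a configuration.php and reports the active value, ignoring commented-out lines. The sample file contents and the function names are constructed for illustration, and the comment stripping is a line-based heuristic.

```python
import re

# Constructed sample of a configuration.php left behind after a lockout recovery.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    // public $root_user = 'olduser';
    public $root_user = 'username';
    public $debug = '1';
}
"""

def strip_php_comments(text):
    """Drop /* ... */ blocks and lines that start with // or # (heuristic)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)

def find_root_user(config_text):
    """Return the active $root_user value, or None when no override is set."""
    match = re.search(r"\$root_user\s*=\s*(['\"])(.*?)\1",
                      strip_php_comments(config_text))
    return match.group(2) if match else None

if __name__ == "__main__":
    user = find_root_user(SAMPLE_CONFIG)
    if user is not None:
        print("root_user override still active for:", user)
```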

Page 82: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Practical ACL Tips

Page 83: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Write down your ACL requirements for a website before implementing

• Joomla 1.5 User Groups are for backward compatibility in Joomla 2.5, you may remove them!

• Use multi-nested Groups only if needed and if you know what you are doing (so that values are inherited only between levels, not between groups as well)

ACL Tips

Page 84: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• Assign User Group with backend access to a Viewing Access Level

• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible

• Idea: Make a Group for each Action so you can assign actions directly to a user

ACL Tips

Page 85: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Quick ACL example

Page 86: Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

• http://community.joomla.org/blogs/community/1252-16-acl.html

• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html

• http://www.aclmanager.net

• http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready

• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension

Resources