1. Permission Management in Joomla! 2.5
Sander Potjer
@sanderpotjer
www.sanderpotjer.nl
Joomla!dagen 2012 - 21 April 2012
3. Who is Sander Potjer?
• Involved in the local Joomla community
• Joomla Community Leadership Team (CLT) member
• Company: Sander Potjer Webdevelopment
• E-mail: sander.potjer@community.joomla.org
• Slides: http://www.slideshare.net/sanderpotjer
5. It took a while... DrupalCon, October 2005
Johan Janssens
• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
8. ACL?!?!
• ACL = Access Control List
• Access to parts of the website
– e.g. menu / module visibility
– “view” action
• User actions on objects
– example: create / edit / edit state / delete article
10. ACL - Groups
Joomla! 1.5:
• 7 fixed Groups
– Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator
• Hierarchical structure
Joomla! 2.5:
• Unlimited Groups
– user defined
• No Hierarchical Structure required
12. ACL - User in Group
Joomla! 1.5:
• User can be assigned to one group
Joomla! 2.5:
• User can be assigned to multiple groups
14. ACL - Access Levels
Joomla! 1.5:
• 3 fixed Access Levels
– Public
– Registered
– Special
Joomla! 2.5:
• Unlimited Access Levels
– user defined
16. ACL - Access Levels & Groups relation
Joomla! 1.5:
• Fixed relation between Groups and Access Levels
Joomla! 2.5:
• Any combination of User Groups can be assigned to any Access Level
18. ACL in Joomla! 1.5 & 1.6 (Actions)
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
19. ACL - Actions
Joomla! 1.5:
• Fixed Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope for entire site
– Same permission for all objects
• Permission inheritance not applicable
Joomla! 2.5:
• Defined Actions per group
– Create / edit / delete / admin access / etc.
• Permission scope at multiple levels
– Site/Component/Category/Item
• Permission can be inherited
– Parent Groups / Categories
27. Group
• Users with same permissions
• Inherited permissions from parent groups
• Unlimited nested groups
• Keep it simple! Only use nested groups if needed
29. Access Level
• What is visible for the group (article, menu, module, etc.)
• Permissions are not inherited between Access Levels
• Even Super Users cannot view content on the frontend if they are not assigned to its Access Level
33. Permissions - Not Set
• ‘Soft’ deny
• Can be overridden by ‘Allowed’ or ‘Denied’
34. Permissions - Inherited
• Value from a parent Permission level
• Value from a parent User Group
• Can be overridden by ‘Allowed’ or ‘Denied’
35. Permissions - Allowed
• Action for current permission level and lower levels
• Action for current user group and child groups
• Can be overridden by ‘Denied’
36. Permissions - Denied
• Action for current Permission level and lower levels
• Action for current User Group and child Groups
• Can not be overridden at all
• Always wins!
49. Permission Hierarchy (levels)
• Level 1: Global configuration
– default permissions settings for actions for a group
• Level 2: Component Options
– can override the permissions of Level 1
• Level 3: Category
– can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc...)
• Level 4: Item
– can override the permissions of Level 1 & Level 2 & Level 3
– only available for article manager in Joomla core
• Overriding the permissions of a higher level only works if that permission setting is not ‘Denied’!
50. Inheriting example for ‘Create’ Action
[Figure: inheritance of the ‘Create’ action across permission Levels 1 to 4]
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
67. Debug Permissions
• Turn on the ‘Debug System’ in the Global Configuration
• Go to ‘User Manager’ or ‘Groups’
• Click on ‘Debug Permission Report’ next to the User or User Group
73. Viewing or Action problem
• Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?
• Viewing: define the Viewing Access Levels
• Action: define the permissions for all actions
74. Describe the problem
• Most of the website is publicly available, with specific content only for a group of users (e.g. teachers & students)
• A teacher can see content specifically for teachers, all student content and all public content
• Students can see content specifically for students and all public content
76. <workshops>
Joomla! ACL in practice, pages 32 - 35

Joomla! ACL in practice
With the Access Control List you can quickly differentiate the access level of different user groups. This is how you set up your ACL…

THE EXPERT
Sander Potjer is chairman of Stichting Sympathy and active with JoomlaCommunity.eu, the Joomla user groups and the Joomla!Dagen. Internationally, Sander is part of the Joomla Leadership Team. Sander is also the developer of ACL Manager, which simplifies Joomla ACL management.

For a long time it was one of the most requested new features in Joomla, and since the release of Joomla 1.6 it is finally here: extensive access and permission management, also known as the Access Control List (ACL).
Joomla 1.0 and 1.5 already had an ACL system, but it was still very limited. User groups, access levels and permissions could not be configured. In Joomla 1.6, 1.7 and 2.5 they can, which has made the ACL system more complex but has also created many new possibilities.
For this workshop we will set up an ACL configuration for a small school in a Joomla 2.5 installation, without the Joomla sample data. The school has three classes of students and several teachers. A teacher can teach more than one class.
The school wants every class to have its own class blog where the students of that class can add articles and can edit only the articles they wrote themselves. Both via the front end of the website. The articles are visible to everyone on the website.
The teacher of a class must approve all articles before publication, and can edit and, if necessary, delete all articles by the students in the class, both via the front end and via the administration area of the website. In the administration area the teacher may only access the articles of their own class(es). The teacher must also be able to post articles.
The final requirement is a separate blog for the teachers, for internal use, where the teachers can post articles: a small intranet. This may only be visible to the teachers.
77. Think ahead! Maintenance?
• Structure your content properly to handle the permissions
• Make use of parent categories with nested categories that share the same permissions
• No need to set permissions per article
79. User in multiple User Groups
• The Netherlands
– Allowed on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category
• Belgium
– Allowed on edit ‘Belgium’ category
– Denied on edit ‘The Netherlands’ category
• User in The Netherlands & Belgium group
– Denied on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category
– Denied always wins (again)
– Solution: don’t use ‘Denied’; use ‘Not Set’/‘Inherited’ instead (= soft deny)
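The rules from the ‘Permissions’ slides (33-36), the permission hierarchy (slide 49) and the multi-group case above can be modelled in a few lines. The Python below is an added example, not Joomla's code and not part of the original deck; the `Acl` class, the level names such as `articles` and `cat:Belgium`, and the `edit` action key are assumptions chosen for illustration.

```python
# Added illustration, not Joomla's code; every name here is an assumption.
ALLOWED, DENIED = True, False  # 'Not Set'/'Inherited' = no rule stored


class Acl:
    def __init__(self, group_parent, level_parent):
        self.group_parent = group_parent  # group -> parent group or None
        self.level_parent = level_parent  # permission level -> parent or None
        self.rules = {}                   # (level, group, action) -> bool

    def set_rule(self, level, group, action, value):
        self.rules[(level, group, action)] = value

    @staticmethod
    def _chain(node, parent_of):
        """Yield node, then its parent, grandparent, ... up to the root."""
        while node is not None:
            yield node
            node = parent_of.get(node)

    def check(self, user_groups, action, level):
        """True only if at least one rule allows and no rule denies."""
        allowed = False
        for lvl in self._chain(level, self.level_parent):
            for group in user_groups:
                for g in self._chain(group, self.group_parent):
                    value = self.rules.get((lvl, g, action))
                    if value is DENIED:
                        return False      # 'Denied' always wins
                    if value is ALLOWED:
                        allowed = True
        return allowed                    # nothing set anywhere: soft deny


def build(hard_deny):
    """Slide 79 setup: two country groups, one category per country."""
    groups = {"Public": None, "The Netherlands": "Public", "Belgium": "Public"}
    levels = {"global": None, "articles": "global",
              "cat:The Netherlands": "articles", "cat:Belgium": "articles"}
    acl = Acl(groups, levels)
    for own, other in (("The Netherlands", "Belgium"), ("Belgium", "The Netherlands")):
        acl.set_rule("cat:" + own, own, "edit", ALLOWED)
        if hard_deny:
            acl.set_rule("cat:" + other, own, "edit", DENIED)
    return acl


def demo():
    """(NL category, BE category) edit result for a user in both groups."""
    both = ["The Netherlands", "Belgium"]
    return {label: tuple(build(hard).check(both, "edit", "cat:" + c)
                         for c in both)
            for label, hard in (("denied", True), ("not set", False))}
```

With explicit ‘Denied’ rules the user in both groups can edit neither category; with the cross-category rules left unset the same user can edit both, while a Belgium-only user still cannot edit ‘The Netherlands’.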
81. What if I locked myself out?
• No need to access your database
• Open your configuration.php and add:
– public $root_user = 'username';
• You can log in again and perform all actions
• Great for playing around with the new ACL
• Don’t forget to remove the $root_user line!
83. ACL Tips
• Write down your ACL requirements for a website before implementing
• Joomla 1.5 User Groups exist in Joomla 2.5 for backward compatibility; you may remove them!
• Use multi-nested Groups only if needed and you know what you are doing (so values are inherited only between levels, not between groups as well)
84. ACL Tips
• Assign User Groups with backend access to a Viewing Access Level
• Stay flexible for lower permission levels/groups: avoid the ‘Denied’ permission setting for as long as possible
• Idea: make a Group for each Action so you can assign actions directly to a user