joomla 2.5 & 3.0 acl - joomladay denmark 2012
Embed Size (px)
DESCRIPTION
TRANSCRIPT
tekstJoomla! ACL
Sander Potjer@sanderpotjer
www.aclmanager.net
Joomla!Day Denmark - 26 October 2012
Sander Potjer• Involved in the local Dutch Joomla
community
• Joomla Community Leadership Team (CLT) member
• Company: Sander Potjer Webdevelopment
• ACL Manager developer
• E-mail: [email protected]
Sander Potjer• Involved in the local Dutch Joomla
community
• Joomla Community Leadership Team (CLT) member
• Company: Sander Potjer Webdevelopment
• ACL Manager developer
• E-mail: [email protected]
• Slides: http://www.slideshare.net/sanderpotjer
Joomla! ACL
• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation
DrupalCon, October 2005Johan Janssens
It took a while...
• ACL = Access Control List
ACL?!?!
• ACL = Access Control List
• Access to parts of the website– e.g. menu / module visibility– “view” action
ACL?!?!
• ACL = Access Control List
• Access to parts of the website– e.g. menu / module visibility– “view” action
• User actions on objects– example: create / edit / edit state / delete article
ACL?!?!
• Allow backend access to just one specific component
Example
ACL - Groups
7 Groups, fixed structure– Public – Registered– Author– Editor – Publisher – Manager – Administrator– Super-Administrator
2.5/3.0
ACL - Groups
7 Groups, fixed structure– Public – Registered– Author– Editor – Publisher – Manager – Administrator– Super-Administrator
Unlimited Groups, flexible structure
– user – group – names– up– to – you
2.5/3.0
ACL - User in Group
User can be assigned to one group
2.5/3.0
ACL - User in Group
User can be assigned to one group
User can be assigned to multiple groups
2.5/3.0
ACL - Access Levels
3 fixed Access Levels– Public– Registered– Special
2.5/3.0
ACL - Access Levels
3 fixed Access Levels– Public– Registered– Special
Unlimited Access Levels– default access levels– user defined
2.5/3.0
ACL - Access Levels & Groups relation
Fixed relation between Groups and Access Levels
2.5/3.0
ACL - Access Levels & Groups relation
Fixed relation between Groups and Access Levels
Any combination of User Groups can be assigned to any Access Level
2.5/3.0
ACL - Actions
Fixed Actions per groupCreate / edit / delete / admin access / etc.
Permission scope for entire siteSame permission for all objects
2.5/3.0
ACL in Joomla! 1.5 & 1.6 (Actions)
• http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html
ACL - Actions
Fixed Actions per groupCreate / edit / delete / admin access / etc.
Permission scope for entire siteSame permission for all objects
Custom Actions per groupCreate / edit / delete / admin access / etc.
Permission scope at multiple levelsSite/Component/Category/Item
2.5/3.0
Joomla! 2.5 ACL Overview
(but the same for Joomla 3.0)
• http://community.joomla.org/blogs/community/1252-16-acl.html
• http://community.joomla.org/blogs/community/1252-16-acl.html
• Guest is also a user
• Users can be assigned to one or multiple groups
User
• http://community.joomla.org/blogs/community/1252-16-acl.html
• Assigned to group (not to a user!)
• 10 Actions– Site Login– Admin Login– Offline Access (since 1.7)– Super Admin / Configure– Access Component– Create– Delete– Edit– Edit State– Edit Own
Core Permissions
• http://community.joomla.org/blogs/community/1252-16-acl.html
• Users with same permissions
• Inherited permissions from parent groups
• Unlimited nested groups
• Keep it simple! Only use nested groups if needed
• New: Guest group in Joomla 3.0
Group
• http://community.joomla.org/blogs/community/1252-16-acl.html
• What is visible for the group (article, menu, module, etc.)
• Permissions are inherited between Access Levels
• Even Super Users can not view content on frontend ifnot assigned
Access Level
• http://community.joomla.org/blogs/community/1252-16-acl.html
Permissions
• 4 possible permission settings
– Not Set
– Inherited
– Allowed
– Denied
Permissions
• ‘soft’ deny• can be overridden by ‘Allowed’ or ‘Denied’
Permissions - Not Set
• Value from a parent Permission level• Value from a parent User Group• Can be overridden by ‘Allowed’ or ‘Denied’
Permissions - Inherited
• Action for current permission level and lower levels• Action for current user group and child groups• Can be overridden by ‘Denied’
Permissions - Allowed
• Action for current Permission level and lower levels• Action for current User Group and child Groups• Can not be overridden at all• Always win!
Permissions - Denied
• Level 1: Global configuration – default permissions settings for actions for a group
Permission Hierarchy (levels)
• Level 1: Global configuration – default permissions settings for actions for a group
• Level 2: Component Options – can override the permissions of Level 1
Permission Hierarchy (levels)
• Level 1: Global configuration – default permissions settings for actions for a group
• Level 2: Component Options – can override the permissions of Level 1
• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)
Permission Hierarchy (levels)
• Level 1: Global configuration – default permissions settings for actions for a group
• Level 2: Component Options – can override the permissions of Level 1
• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)
• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for article manager in Joomla core
Permission Hierarchy (levels)
• Level 1: Global configuration – default permissions settings for actions for a group
• Level 2: Component Options – can override the permissions of Level 1
• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)
• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for article manager in Joomla core
Permission Hierarchy (levels)
• Level 1: Global configuration – default permissions settings for actions for a group
• Level 2: Component Options – can override the permissions of Level 1
• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)
• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for article manager in Joomla core
• Override permissions of higher levels only works if permission setting is not ‘Denied’!
Permission Hierarchy (levels)
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
Level 1
Level 2
Level 3
Level 4
Inheriting example for ‘Create’ Action
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
Level 1
Level 2
Level 3
Level 4
Inheriting example for ‘Create’ Action
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
Level 1
Level 2
Level 3
Level 4
Inheriting example for ‘Create’ Action
• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
Level 1
Level 2
Level 3
Level 4
Inheriting example for ‘Create’ Action
Available Permissions and Levelsfor a Group of Users
Action: Edit State
ACL Manager for Joomla! 1.6
ACL Manager for Joomla! 1.6
Debug Permissions
• Turn on the ‘Debug System’ in the Global Configuration
• Go to ‘User Manager’ or ‘Groups’
• Click on ‘Debug Permission Report’ next to the User or User Group
Debug Permissions
• Need to turn ‘Debug System’ on...Debug Permissions
So, what about the database?
Database: #__assets
Plan your ACL implementation
• Define the problem, is it a viewing problem or action problem (create/delete/edit/etc..)? Or both?
• Viewing: define the Viewing Access Levels
• Action: define the permissions for all actions
Viewing or Action problem
• Structure your content properly to handle the permissions
• Make usage of parent categories with nested categories with same permissions
• No need to set permissions per article
Think ahead! Maintenance?
Some Notes
• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Germany’ category
User in multiple User Groups
• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category
• Denmark– Allowed on edit ‘Denmark’ category– Denied on edit ‘The Netherlands’ category
User in multiple User Groups
• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category
• Denmark– Allowed on edit ‘Denmark’ category– Denied on edit ‘The Netherlands’ category
• User in The Netherlands & Denmark group– Denied on edit ‘The Netherlands’ category– Denied on edit ‘Denmark’ category– Denied always win (again)– Solution: don’t use denied but not set/inherited (=soft deny)
User in multiple User Groups
What if I locked myself out?
• No need to access your database• Open your configuration.php and add:
– public $root_user = 'username';
• You can login again and perform all actions• Great for playing around with the new ACL• Don’t forget to remove the $root_user line!
What if I locked myself out?
Practical ACL Tips
• Write down your ACL requirements for a website before implementing
• Joomla 1.5 User Groups are for backward compatibility in Joomla 2.5, you may remove them!
• Use multi-nested Groups only if needed / know what you are doing(so inheriting value only between levels, not groups as well)
ACL Tips
• Assign User Group with backend access to a Viewing Access Level (often ‘Special’)
• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible
• Use role-based groups
ACL Tips
Quick ACL example(do we have time?)
• http://community.joomla.org/blogs/community/1252-16-acl.html• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-
permissions-in-joomla-16.html• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-
access-controls.html• http://www.aclmanager.net• http://www.aclmanager.net/news/general/28-is-your-extension-really-
joomla-17-ready• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-
your-extension• http://magazine.joomla.org/issues/issue-sept-2012/item/856-Implementing-
Role-Based-ACL
Resources