joomla access control list (acl) at joomladay london, uk #jduk11

81
User Access Levels for Joomla! 1.5 – 1.7 Sander Potjer @sanderpotjer www.sanderpotjer.nl

Upload: sander-potjer

Post on 29-Nov-2014

2.944 views

Category:

Technology


0 download

DESCRIPTION

 

TRANSCRIPT

Page 2: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Who is Sander Potjer?• Co-founder of JoomlaCommunity.eu

• Organizer Joomla!Days Netherlands

• Organizer Joomla! User Groups in The Netherlands

• Joomla Community Leadership Team (CLT) member

• Company: Sander Potjer Webdevelopment

• E-mail: [email protected]

Page 3: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Joomla! ACL

Page 4: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

DrupalCon, October 2005Johan Janssens

It took a while...

Page 5: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• ACL = Access Control List

ACL?!?!

Page 6: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• ACL = Access Control List

• Access to parts of the website– e.g. menu / module visibility– “view” action

ACL?!?!

Page 7: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• ACL = Access Control List

• Access to parts of the website– e.g. menu / module visibility– “view” action

• User actions on objects– example: create / edit / edit state / delete article

ACL?!?!

Page 8: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Groups

• 7 fixed Groups– Public, Registered, Author,

Editor, Publisher, Manager, Administrator and Super-Administrator

• Hierarchical structure

Page 9: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Groups

• 7 fixed Groups– Public, Registered, Author,

Editor, Publisher, Manager, Administrator and Super-Administrator

• Hierarchical structure

• Unlimited Groups– user defined

• No Hierarchical Structure required

Page 10: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - User in Group

• User can be assigned to one group

Page 11: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - User in Group

• User can be assigned to one group

• User can be assigned to multiple groups

Page 12: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Access Levels

• 3 fixed Access Levels– Public– Registered– Special

Page 13: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Access Levels

• 3 fixed Access Levels– Public– Registered– Special

• Unlimited Access Levels– user defined

Page 14: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Access Levels & Groups relation

• Fixed relation between Groups and Access Levels

Page 15: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Access Levels & Groups relation

• Fixed relation between Groups and Access Levels

• Any combination of User Groups can be assigned to any Access Level

Page 16: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Actions

• Fixed Actions per group– Create / edit / delete /

admin access / etc.

• Permission scope for entire site– Same permission for all objects

• Permission inheritance not applicable

Page 18: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL - Actions

• Fixed Actions per group– Create / edit / delete /

admin access / etc.

• Permission scope for entire site– Same permission for all objects

• Permission inheritance not applicable

• Defined Actions per group– Create / edit / delete /

admin access / etc.

• Permission scope at multiple levels– Site/Component/Category/Item

• Permission can be inherited– Parent Groups / Categories

Page 19: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Joomla! 1.6/1.7/2.5 ACL Overview

Page 22: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Guest is also a user

• Users can be assigned to one or multiple groups

User

Page 24: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Assigned to group (not to a user!)

• 10 Actions– Site Login– Admin Login– Offline Access (since 1.7)– Super Admin / Configure– Access Component– Create– Delete– Edit– Edit State– Edit Own

Permissions

Page 26: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Users with same permissions

• Inherited permissions from parent groups

• Unlimited nested groups

• Keep it simple! Only use nested groups if needed

Group

Page 28: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• What is visible for the group(article, menu, module, etc.)

• Permissions are not inherited between Access Levels

• Even Super Users can not view content on frontend ifnot assigned

Access Level

Page 30: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Permissions

Page 31: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• 4 possible permission settings

– Not Set

– Inherited

– Allowed

– Denied

Permissions

Page 32: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• ‘soft’ deny• can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Not Set

Page 33: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Value from a parent Permission level• Value from a parent User Group• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Inherited

Page 34: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Action for current permission level and lower levels• Action for current user group and child groups• Can be overridden by ‘Denied’

Permissions - Allowed

Page 35: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Action for current Permission level and lower levels• Action for current User Group and child Groups• Can not be overridden at all• Always win!

Permissions - Denied

Page 36: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

Permission Hierarchy (levels)

Page 37: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 38: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

• Level 2: Component Options – can override the permissions of Level 1

Permission Hierarchy (levels)

Page 39: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 40: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 41: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

• Level 2: Component Options – can override the permissions of Level 1

• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)

Permission Hierarchy (levels)

Page 42: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 43: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 44: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

• Level 2: Component Options – can override the permissions of Level 1

• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)

• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for articles in Joomla 1.6 core

Permission Hierarchy (levels)

Page 45: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 46: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 47: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

• Level 2: Component Options – can override the permissions of Level 1

• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)

• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for articles in Joomla 1.6 core

Permission Hierarchy (levels)

Page 48: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Level 1: Global configuration – default permissions settings for actions for a group

• Level 2: Component Options – can override the permissions of Level 1

• Level 3: Category – can override the permissions of Level 1 & Level 2– available for components with categories (Articles, Banners, etc...)

• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3– only available for articles in Joomla 1.6 core

• Override permissions of higher levels only works if permission setting is not ‘Denied’!

Permission Hierarchy (levels)

Page 49: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action

Page 50: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action

Page 51: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action

Page 52: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

Level 1

Level 2

Level 3

Level 4

Inheriting example for ‘Create’ Action

Page 53: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Available Permissions and Levelsfor a Group of Users

Page 54: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Action: Edit State

Page 55: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 56: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL Manager for Joomla! 1.6

Page 57: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL Manager for Joomla! 1.6

Page 58: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL Managerfor Joomla!

Page 59: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 60: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 61: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

ACL Manager for Joomla! 1.6

www.aclmanager.net

Page 62: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Debug Permissions

Page 63: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Turn on the ‘Debug System’ in the Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User or User Group

Debug Permissions

Page 64: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11
Page 65: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Need to turn ‘Debug System’ on...Debug Permissions

Page 66: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

So, what about the database?

Page 67: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Database: #__assets

Page 68: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Plan your ACL implementation

Page 69: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Most of the website is public available, specific content only for a group of users (e.g. teachers & students)

• A teacher can see content specifically for teachers, all student content and all public content

• Students can see content specifically for students and all public content

Describe the problem

Page 70: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Define the problem, is it a viewing problem or action problem (create/delete/edit/etc..)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Viewing or Action problem

Page 71: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Structure your content properly to handle the permissions

• Make usage of parent categories with nested categories with same permissions

• No need to set permissions per article

Think ahead! Maintenance?

Page 72: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Some Notes

Page 73: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• The Netherlands– Allowed on edit ‘The Netherlands’ category– Denied on edit ‘Belgium’ category

• Belgium– Allowed on edit ‘Belgium’ category– Denied on edit ‘The Netherlands’ category

• User in The Netherlands & Belgium group– Denied on edit ‘The Netherlands’ category– Denied on edit ‘Belgium’ category– Denied always win (again)– Solution: don’t use denied but not set/inherited (=soft deny)

User in multiple User Groups

Page 74: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

What if I locked myself out?

Page 75: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• No need to access your database• Open your configuration.php and add:

– public $root_user = 'username';

• You can login again and perform all actions• Great for playing around with the new ACL• Don’t forget to remove the $root_user line!

What if I locked myself out?

Page 76: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Practical ACL Tips

Page 77: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Write down your ACL requirements for a website before implementing

• Joomla 1.5 User Groups are for backward compatibility in Joomla 1.6, you may remove them!

• Use multi-nested Groups only if needed / know what you are doing(so inheriting value only between levels, not groups as well)

ACL Tips

Page 78: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• Assign User Group with backend access to a Viewing Access Level

• Keep flexible for lower permission levels/groups: Avoid the ‘Denied’ permission setting as long as possible

• Idea: Make a Group for each Action so you can assign actions directly to a user

ACL Tips

Page 79: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

Joomla! ACL, what’s next?

Page 80: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• View as action

• END user friendly interface

• Easy overview of your entire website

• Changes directly visible (no page reload)

• ...

Suggestions

Page 81: Joomla Access Control List (ACL) at JoomlaDay London, UK #jduk11

• http://community.joomla.org/blogs/community/1252-16-acl.html• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-

permissions-in-joomla-16.html• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-

access-controls.html• http://www.aclmanager.net• http://www.aclmanager.net/news/general/28-is-your-extension-really-

joomla-17-ready• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-

your-extension

Resources