Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Post on 22-May-2015


Slides of the Joomla ACL session on the Dutch Joomla!Days, 21 April 2012

Transcript of Joomla 2.5 ACL @ Dutch Joomla!Days #jd12nl

Permissions management in Joomla! 2.5

Sander Potjer (@sanderpotjer)

www.sanderpotjer.nl

Joomla!dagen 2012 (Dutch Joomla! Days) - 21 April 2012

Who is Sander Potjer?

• Involved in the local Joomla community

• Joomla Community Leadership Team (CLT) member

• Company: Sander Potjer Webdevelopment

• E-mail: sander.potjer@community.joomla.org

• Slides: http://www.slideshare.net/sanderpotjer

Joomla! ACL

• http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

DrupalCon, October 2005 - Johan Janssens

It took a while...

ACL?!?!

• ACL = Access Control List

• Access to parts of the website
– e.g. menu / module visibility
– “view” action

• User actions on objects
– example: create / edit / edit state / delete article

ACL - Groups

Joomla 1.5:

• 7 fixed Groups
– Public, Registered, Author, Editor, Publisher, Manager, Administrator and Super-Administrator

• Hierarchical structure

Joomla 2.5:

• Unlimited Groups
– user defined

• No Hierarchical Structure required

ACL - User in Group

Joomla 1.5:

• User can be assigned to one group

Joomla 2.5:

• User can be assigned to multiple groups

ACL - Access Levels

Joomla 1.5:

• 3 fixed Access Levels
– Public
– Registered
– Special

Joomla 2.5:

• Unlimited Access Levels
– user defined

ACL - Access Levels & Groups relation

Joomla 1.5:

• Fixed relation between Groups and Access Levels

Joomla 2.5:

• Any combination of User Groups can be assigned to any Access Level

ACL - Actions

Joomla 1.5:

• Fixed Actions per group
– Create / edit / delete / admin access / etc.

• Permission scope for entire site
– Same permission for all objects

• Permission inheritance not applicable

Joomla 2.5:

• Defined Actions per group
– Create / edit / delete / admin access / etc.

• Permission scope at multiple levels
– Site / Component / Category / Item

• Permission can be inherited
– Parent Groups / Categories

Joomla! 2.5 ACL Overview

User

• Guest is also a user

• Users can be assigned to one or multiple groups

Permissions

• Assigned to group (not to a user!)

• 10 Actions
– Site Login
– Admin Login
– Offline Access (since 1.7)
– Super Admin / Configure
– Access Component
– Create
– Delete
– Edit
– Edit State
– Edit Own

Group

• Users with same permissions

• Inherited permissions from parent groups

• Unlimited nested groups

• Keep it simple! Only use nested groups if needed

Access Level

• What is visible for the group (article, menu, module, etc.)

• Permissions are not inherited between Access Levels

• Even Super Users can not view content on the frontend if not assigned

Permissions

• 4 possible permission settings
– Not Set
– Inherited
– Allowed
– Denied

Permissions - Not Set

• ‘soft’ deny

• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Inherited

• Value from a parent Permission level

• Value from a parent User Group

• Can be overridden by ‘Allowed’ or ‘Denied’

Permissions - Allowed

• Action for current permission level and lower levels

• Action for current user group and child groups

• Can be overridden by ‘Denied’

Permissions - Denied

• Action for current Permission level and lower levels

• Action for current User Group and child Groups

• Can not be overridden at all

• Always wins!

Permission Hierarchy (levels)

• Level 1: Global configuration – default permission settings for the actions of a group

• Level 2: Component Options – can override the permissions of Level 1

• Level 3: Category – can override the permissions of Level 1 & Level 2
– available for components with categories (Articles, Banners, etc.)

• Level 4: Item – can override the permissions of Level 1 & Level 2 & Level 3
– only available for the article manager in Joomla core

• Overriding the permissions of higher levels only works if the permission setting is not ‘Denied’!

Inheriting example for ‘Create’ Action

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

(Diagram: the ‘Create’ permission inherited through Level 1, Level 2, Level 3 and Level 4)

Available Permissions and Levels for a Group of Users

Action: Edit State

ACL Manager for Joomla! 1.6

www.aclmanager.net

ACL Manager for Joomla!

ACL Manager is an extension by Sander Potjer Webdevelopment - www.aclmanager.net

50% discount with the Joomla!dagen coupon!

Debug Permissions

• Turn on the ‘Debug System’ in the Global Configuration

• Go to ‘User Manager’ or ‘Groups’

• Click on ‘Debug Permission Report’ next to the User or User Group

• Need to turn ‘Debug System’ on...

So, what about the database?

Database: #__assets

Plan your ACL implementation

Viewing or Action problem

• Define the problem: is it a viewing problem or an action problem (create/delete/edit/etc.)? Or both?

• Viewing: define the Viewing Access Levels

• Action: define the permissions for all actions

Describe the problem

• Most of the website is publicly available, specific content only for a group of users (e.g. teachers & students)

• A teacher can see content specifically for teachers, all student content and all public content

• Students can see content specifically for students and all public content
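An added Python model (not code from the slides or from Joomla itself) of how Viewing Access Levels answer the teacher/student problem above: a level is viewable when any of the user's groups, parents included, is assigned to it, and levels do not inherit from each other. The group tree, level names and article titles are constructed for the illustration.

```python
from typing import Dict, List, Optional, Set

# Constructed group tree (child -> parent), as a site admin would define it.
PARENTS: Dict[str, Optional[str]] = {"Public": None, "Registered": "Public",
    "Students": "Registered", "Teachers": "Registered", "Super Users": "Public"}

# Viewing Access Level -> the User Groups assigned to it. Any combination of groups
# may be assigned; putting Teachers into the Students level is what lets teachers
# see all student content without nesting the groups.
LEVELS: Dict[str, Set[str]] = {
    "Public": {"Public"},
    "Students": {"Students", "Teachers"},
    "Teachers": {"Teachers"},
}

# Constructed articles: title -> the single Access Level set on the article.
ARTICLES: Dict[str, str] = {"Timetable": "Public", "Homework": "Students",
                            "Staff memo": "Teachers"}

def with_parents(groups: List[str]) -> Set[str]:
    """A user's groups plus their ancestors (group membership is inherited upwards)."""
    out: Set[str] = set()
    for g in groups:
        while g is not None:
            out.add(g)
            g = PARENTS.get(g)
    return out

def authorised_levels(user_groups: List[str]) -> Set[str]:
    """Levels a user may view: those with at least one of the user's groups assigned.
    Levels do not inherit from each other, and the Super Users group is no exception."""
    ids = with_parents(user_groups)
    return {lvl for lvl, members in LEVELS.items() if ids & members}

def visible_articles(user_groups: List[str]) -> List[str]:
    """Front-end listing for a user: only articles whose level the user is authorised for."""
    levels = authorised_levels(user_groups)
    return [title for title, lvl in ARTICLES.items() if lvl in levels]
```

A Super User sees only the Public article here, which is the frontend pitfall the overview slide warns about.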

With the Access Control List you quickly differentiate the access level of different user groups. This is how you set up your ACL…

Joomla! ACL in practice

For a long time it was one of the most wanted new features in Joomla, and since the availability of Joomla 1.6 it is finally here: extended access and permissions management, also called Access Control List (ACL).

Joomla 1.0 and 1.5 already had an ACL system, but it was very limited. The user groups, access levels and permissions could not be configured. In Joomla 1.6, 1.7 and 2.5 this is now possible, which makes the ACL system more complex but also opens up many new possibilities.

For this workshop we set up an ACL configuration for a small school in a Joomla 2.5 installation, without Joomla sample data. The school has three classes of pupils and several teachers. A teacher can teach multiple classes.

The school wants every class to have its own class blog, where the pupils in the class can add articles and can edit only the articles they wrote themselves, both via the front end of the website. The articles are visible to everyone on the website.

The teacher of a class must approve all articles before publication, can edit and if necessary delete all articles of the pupils in the class, both via the front end and the administrator area of the website. In the administrator area the teacher may only access the articles of their own class(es). The teacher must also be able to post articles.

The final wish is a separate blog for the teachers for internal use, where the teachers can post articles: a small intranet. This may be visible to the teachers only.

01 Removing the default user groups

Before we can set permissions, groups must first be created. By default several groups are already available that correspond to the groups we know from Joomla 1.5. These groups are not needed and mainly cause confusion. Therefore we delete all groups except ‘Public’ and ‘Super Users’, because those cannot be deleted.

Thanks to the very flexible ACL you can now assign people to different groups

THE EXPERT

Sander Potjer is chairman of Stichting Sympathy and active with JoomlaCommunity.eu, the Joomla user groups and the Joomla!Dagen. Internationally Sander is part of the Joomla Leadership Team. Sander is also the developer of ACL Manager, which simplifies Joomla ACL management.

Pages 32 - 35

Some Notes

• Structure your content properly to handle the permissions

• Make use of parent categories with nested categories that share the same permissions

• No need to set permissions per article

Think ahead! Maintenance?

User in multiple User Groups

• The Netherlands
– Allowed on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category

• Belgium
– Allowed on edit ‘Belgium’ category
– Denied on edit ‘The Netherlands’ category

• User in The Netherlands & Belgium group
– Denied on edit ‘The Netherlands’ category
– Denied on edit ‘Belgium’ category
– Denied always wins (again)
– Solution: don’t use Denied but Not Set/Inherited (= soft deny)
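As an added example (not code from the slides or from Joomla itself), a Python model of the resolution rules from the permission slides, applied to the Netherlands/Belgium case and to the level hierarchy: a Denied for any of the user's groups (or their parents) wins, a Denied at a higher level cannot be overridden lower down, and an absent entry is a soft deny. Group names, the core.edit action key and the rule values are constructed for the illustration.

```python
from typing import Dict, List, Optional
Rules = Dict[str, Dict[str, int]]  # action -> {group: 1 Allowed / 0 Denied}; absent = Not Set

def identities(user_groups: List[str], parents: Dict[str, Optional[str]]) -> List[str]:
    """The user's groups plus all ancestor groups (permissions inherit from parents)."""
    seen: List[str] = []
    for g in user_groups:
        while g is not None and g not in seen:
            seen.append(g)
            g = parents.get(g)
    return seen

def merge_rules(chain: List[Rules], action: str) -> Dict[str, int]:
    """Walk the levels from Global (1) down to the item: a lower level may override a
    higher one, except that an explicit Denied at a higher level is never overridden."""
    merged: Dict[str, int] = {}
    for level in chain:
        for group, value in level.get(action, {}).items():
            if merged.get(group) != 0:  # Denied always wins
                merged[group] = value
    return merged

def check(user_groups: List[str], parents: Dict[str, Optional[str]],
          chain: List[Rules], action: str) -> bool:
    """Denied for any identity wins; otherwise any Allowed grants; otherwise soft deny."""
    merged = merge_rules(chain, action)
    allowed = False
    for g in identities(user_groups, parents):
        if g in merged:
            if merged[g] == 0:
                return False
            allowed = True
    return allowed

# Constructed group tree and rules for the scenario on the slides (not real site data).
PARENTS = {"Public": None, "Editors": "Public", "Netherlands": "Editors",
           "Belgium": "Editors", "Students": "Public"}
GLOBAL = {"core.edit": {"Students": 0}}  # Level 1: Students explicitly Denied
HARD = {"nl": {"core.edit": {"Netherlands": 1, "Belgium": 0}},  # hard Denied on the other category
        "be": {"core.edit": {"Belgium": 1, "Netherlands": 0}}}
SOFT = {"nl": {"core.edit": {"Netherlands": 1}},  # other category left Not Set (soft deny)
        "be": {"core.edit": {"Belgium": 1}}}

def scenario(cats: Dict[str, Rules]) -> Dict[str, bool]:
    """Outcomes for a user in both groups, a Netherlands-only user, and a Student override."""
    both = ["Netherlands", "Belgium"]
    return {"both_edit_nl": check(both, PARENTS, [GLOBAL, {}, cats["nl"]], "core.edit"),
            "both_edit_be": check(both, PARENTS, [GLOBAL, {}, cats["be"]], "core.edit"),
            "nl_only_edit_be": check(["Netherlands"], PARENTS, [GLOBAL, {}, cats["be"]], "core.edit"),
            "student_override": check(["Students"], PARENTS, [GLOBAL, {}, {"core.edit": {"Students": 1}}], "core.edit")}
```

With HARD the user in both groups is locked out of both categories; with SOFT both work, while the Netherlands-only user still cannot edit Belgium and the Student's category-level Allowed never beats the Global Denied.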

What if I locked myself out?

• No need to access your database

• Open your configuration.php and add:
– public $root_user = 'username';

• You can login again and perform all actions

• Great for playing around with the new ACL

• Don’t forget to remove the $root_user line!

Practical ACL Tips

• Write down your ACL requirements for a website before implementing

• Joomla 1.5 User Groups are for backward compatibility in Joomla 2.5, you may remove them!

• Use multi-nested Groups only if needed / know what you are doing (so inheriting value only between levels, not groups as well)

ACL Tips

• Assign User Group with backend access to a Viewing Access Level

• Keep flexible for lower permission levels/groups: avoid the ‘Denied’ permission setting as long as possible

• Idea: Make a Group for each Action so you can assign actions directly to a user

Quick ACL example

Resources

• http://community.joomla.org/blogs/community/1252-16-acl.html

• http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6

• http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

• http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

• http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html

• http://www.aclmanager.net

• http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready

• http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension