Joomla ACL introduction, limit site access

Post on 27-Jan-2017


Transcript of Joomla ACL introduction, limit site access

Joomla ACL

Sander Potjer - @sanderpotjer www.sanderpotjer.com Joomla World Conference 2015

Sander Potjer

- Enjoys contributing to Joomla
- Joomla Agency: Perfect Web Team
- Joomla Extension: ACL Manager
- sander@sanderpotjer.nl
- Slides: sanderpotjer.com

Joomla ACL

ACL?!?! ACL = Access Control List

In Joomla it covers two things:

1) Visibility of content: who can see an item (access levels)

2) Actions on objects: who can do what to an item (permissions)

Overview

A user does not receive permissions directly: permissions are granted to groups, and a user is a member of one or more groups, so a group effectively acts as a role. Access levels handle visibility (which groups may see an item); permissions handle actions.

user → group → permissions (what the user may do)
user → group → access level (what the user may see)

Actions on which permissions are set:

Site Login, Admin Login, Offline Access, Super Admin / Configure, Access Admin. Interface, Create, Delete, Edit, Edit State, Edit Own

ACL levels


Global Configuration permissions

Component permissions

Category / Module permissions

Article permissions


Inheritance

Permissions are set per level and inherited downward, from Global Configuration to Component to Category / Module to Article. For an action and a group each level shows one of five states: not set, allowed, denied, inherited (takes the value of the level above) or locked (a deny above cannot be changed at this level). Examples for one action:

Global Configuration   Component   Category / Module   Article     Effect
not set                inherited   inherited           inherited   no permission anywhere (not set means not allowed)
allowed                inherited   inherited           inherited   allowed everywhere
allowed                inherited   denied              locked      denied for that category and its articles; the article cannot re-allow it
not set                allowed     inherited           inherited   allowed for the whole component
not set                inherited   allowed             inherited   allowed for that category and its articles only
denied                 allowed     locked              locked      CONFLICT: the allow on the component has no effect, the deny above wins and everything below is locked

Inheritance #2

Inheritance also runs along the user group tree: a child group inherits the permissions of its parent group, so a deny on a parent group locks the action for every child group as well.

Inheritance #1 + #2

Both hierarchies are combined when a permission is checked: the rules of the asset and all its parent assets are merged (#1), then evaluated against the user's groups and all their parent groups (#2).

Inheriting example for ‘Create’

Level 1 (Global Configuration)
Level 2 (Component)
Level 3 (Category / Module)
Level 4 (Article)

Why?

Why not!

Usability

Don’t make me think

Users want it!

ACL Demo

Basic ACL implementation


2 actions required:

Configure: to configure the access settings via the ‘Options’ toolbar button

Access Administration Interface: to define which group is able to access/manage the component

4 steps, 18 lines of code, a couple of minutes

1 Add actions
File: administrator/components/com_foobar/config.xml

2 Access check
File: administrator/components/com_foobar/foobar.php

3 ‘Options’ toolbar button
File: administrator/components/com_foobar/views/foobars/view.html.php

4 Add language string
File: administrator/language/en-GB/en-GB.com_foobar.ini

Done!

Basic ACL support is not optional, it is a requirement for any Joomla extension!
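The four steps above worked out for the hypothetical com_foobar component. This is an added example, not the code shown on the slides; it assumes a Joomla 3.x administrator install and the file names listed above, and the XML and INI files are shown as comments so that everything fits in one listing. The two actions are declared inline in config.xml because this basic set-up has no access.xml, which is also why step 3 checks with authorise() directly: JHelperContent::getActions() reads access.xml and would return an empty object here.

```php
<?php
// Added example, not the slides' own code: minimal ACL wiring for a hypothetical
// com_foobar on Joomla 3.x. Assumes a standard Joomla administrator install.

// ---- 1. Add actions: administrator/components/com_foobar/config.xml ----
// A rules field inside a fieldset named "permissions" adds the Permissions tab
// to Options. With no access.xml the two actions are declared as <action>
// children of the field; title and description use core language keys.
/*
<config>
    <fieldset name="permissions" label="JCONFIG_PERMISSIONS_LABEL" description="JCONFIG_PERMISSIONS_DESC">
        <field name="rules" type="rules" label="JCONFIG_PERMISSIONS_LABEL"
               class="inputbox" filter="rules" component="com_foobar" section="component">
            <action name="core.admin"  title="JACTION_ADMIN"  description="JACTION_ADMIN_COMPONENT_DESC" />
            <action name="core.manage" title="JACTION_MANAGE" description="JACTION_MANAGE_COMPONENT_DESC" />
        </field>
    </fieldset>
</config>
*/

// ---- 2. Access check: administrator/components/com_foobar/foobar.php ----
// The entry point is the one place every backend request passes through, so
// core.manage is checked here, before any controller is loaded. Newer 3.x
// releases throw JAccessExceptionNotallowed instead of JError::raiseWarning.
defined('_JEXEC') or die;

if (!JFactory::getUser()->authorise('core.manage', 'com_foobar'))
{
    return JError::raiseWarning(404, JText::_('JERROR_ALERTNOAUTHOR'));
}

$controller = JControllerLegacy::getInstance('Foobar');
$controller->execute(JFactory::getApplication()->input->get('task'));
$controller->redirect();

// ---- 3. 'Options' button: administrator/components/com_foobar/views/foobars/view.html.php ----
// Rendered only for groups that hold core.admin on the component asset.
class FoobarViewFoobars extends JViewLegacy
{
    public function display($tpl = null)
    {
        $this->addToolbar();
        parent::display($tpl);
    }

    protected function addToolbar()
    {
        JToolbarHelper::title(JText::_('COM_FOOBAR'), 'cube');

        // authorise() directly: JHelperContent::getActions() needs an access.xml
        if (JFactory::getUser()->authorise('core.admin', 'com_foobar'))
        {
            JToolbarHelper::preferences('com_foobar');
        }
    }
}

// ---- 4. Language string: administrator/language/en-GB/en-GB.com_foobar.ini ----
// com_config titles the Options page with the key <option>_CONFIGURATION.
/*
COM_FOOBAR="Foobar"
COM_FOOBAR_CONFIGURATION="Foobar: Options"
*/
```

After installing the component, Options > Permissions lists the two actions per group; a group without core.manage gets the "not authorised" error on every backend request, and a group with core.manage but without core.admin sees the list but no Options button.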

Advanced ACL implementation


Database

Rules - JSON encoded, stored per asset: action name, then group id, then 1 = allowed or 0 = denied (a group that is absent is ‘not set’):

{"core.login.site":{"6":1,"2":1}}

(In a default install group 6 is Manager and group 2 is Registered.)

Asset name format (database): com_content.article.24 = [extension].[section].[object id]

JTable: a table class with asset tracking creates and updates the asset row, and its rules, for each object it stores.

Access.xml

The actions a component offers are declared in its access.xml, for example administrator/components/com_content/access.xml (the config.xml of com_foobar only adds the permissions field that displays them). One section per level:

Component permissions: section "component"
Category / Module permissions: section "category" (section "module" in com_modules)
Article permissions: section "article"

Core action names, as used in the XML and stored in the rules:

Site Login: core.login.site
Admin Login: core.login.admin
Offline Access: core.login.offline
Super Admin / Configure: core.admin
Access Administration Interface: core.manage
Create: core.create
Delete: core.delete
Edit: core.edit
Edit State: core.edit.state
Edit Own: core.edit.own

Title vs Name

In access.xml every action has a title and a name. The title is the language key shown on the permissions screens; the name (core.edit, core.edit.state, ...) is the identifier stored in the rules and passed to authorise(). Example from com_content/access.xml, the same action over the three levels:

Component permissions: allowed
Category / Module permissions: inherited
Article permissions: inherited

Custom Actions

Actions are not limited to core.*: a component can define its own in its access.xml, e.g. administrator/components/com_akeeba/access.xml.

Action name format (xml): akeeba.backup = [name extension].[name action]

Keep it structured: prefix every custom action with the extension name so it cannot collide with core actions or those of other extensions.

Interface

File: administrator/components/com_foobar/views/foobar/tmpl/edit.php: show or hide form fields depending on the permissions the user holds.

getActions helper

File: libraries/cms/helper/content.php (JHelperContent::getActions). Resolves all actions of a component for one asset in a single call; it can be used anywhere.

addToolbar

File: administrator/components/com_foobar/views/foobars/view.html.php: only render the toolbar buttons for actions the user is allowed to perform.
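The access.xml sections, a custom action in the [extension].[action] format and the getActions-driven interface described above, worked out for the hypothetical com_foobar. This is an added example, not the slides' code and not Akeeba's; it assumes Joomla 3.x, and the foobar.export action, the export task, the catid field and the COM_FOOBAR_* language keys are assumptions. The controller at the end is the part that matters for security: hiding a button or a field only tidies the UI, the authorise() check has to run server-side on every task.

```php
<?php
// Added example, not the slides' code and not Akeeba's: an access.xml for a
// hypothetical com_foobar on Joomla 3.x with the core actions plus one custom
// action, foobar.export, and the three places that consume it. COM_FOOBAR_*
// language keys, the catid field and the export task are assumptions.

// ---- administrator/components/com_foobar/access.xml ----
// "component" is the section JHelperContent::getActions() reads and the one
// Options > Permissions displays; "category" is shown on the category edit
// screen for com_foobar categories. title = language key shown to the user,
// name = identifier stored in the rules and checked in code.
/*
<access component="com_foobar">
    <section name="component">
        <action name="core.admin"      title="JACTION_ADMIN"     description="JACTION_ADMIN_COMPONENT_DESC" />
        <action name="core.manage"     title="JACTION_MANAGE"    description="JACTION_MANAGE_COMPONENT_DESC" />
        <action name="core.create"     title="JACTION_CREATE"    description="JACTION_CREATE_COMPONENT_DESC" />
        <action name="core.delete"     title="JACTION_DELETE"    description="JACTION_DELETE_COMPONENT_DESC" />
        <action name="core.edit"       title="JACTION_EDIT"      description="JACTION_EDIT_COMPONENT_DESC" />
        <action name="core.edit.state" title="JACTION_EDITSTATE" description="JACTION_EDITSTATE_COMPONENT_DESC" />
        <action name="foobar.export"   title="COM_FOOBAR_ACTION_EXPORT" description="COM_FOOBAR_ACTION_EXPORT_DESC" />
    </section>
    <section name="category">
        <action name="core.create"     title="JACTION_CREATE"    description="COM_CATEGORIES_ACCESS_CREATE_DESC" />
        <action name="core.delete"     title="JACTION_DELETE"    description="COM_CATEGORIES_ACCESS_DELETE_DESC" />
        <action name="core.edit"       title="JACTION_EDIT"      description="COM_CATEGORIES_ACCESS_EDIT_DESC" />
        <action name="core.edit.state" title="JACTION_EDITSTATE" description="COM_CATEGORIES_ACCESS_EDITSTATE_DESC" />
    </section>
</access>
*/

// ---- views/foobar/view.html.php: resolve all actions once, drive the toolbar ----
class FoobarViewFoobar extends JViewLegacy
{
    protected $item;
    protected $form;
    protected $canDo;

    public function display($tpl = null)
    {
        $this->item = $this->get('Item');
        $this->form = $this->get('Form');

        // Every action of the "component" section, evaluated against the asset
        // com_foobar.category.<catid>, so category level overrides are honoured.
        $this->canDo = JHelperContent::getActions('com_foobar', 'category', (int) $this->item->catid);

        $this->addToolbar();
        parent::display($tpl);
    }

    protected function addToolbar()
    {
        JFactory::getApplication()->input->set('hidemainmenu', true);
        JToolbarHelper::title(JText::_('COM_FOOBAR_EDIT'), 'cube');

        if ($this->canDo->get('core.edit'))
        {
            JToolbarHelper::apply('foobar.apply');
            JToolbarHelper::save('foobar.save');
        }

        if ($this->canDo->get('foobar.export'))
        {
            JToolbarHelper::custom('foobar.export', 'download', '', 'COM_FOOBAR_TOOLBAR_EXPORT', false);
        }

        JToolbarHelper::cancel('foobar.cancel', 'JTOOLBAR_CLOSE');
    }
}

// ---- views/foobar/tmpl/edit.php: only render fields the user may change ----
/*
<?php if ($this->canDo->get('core.edit.state')) : ?>
    <?php echo $this->form->renderField('state'); ?>
<?php endif; ?>
*/

// ---- controllers/foobar.php: enforce on the server; the toolbar only hides buttons ----
class FoobarControllerFoobar extends JControllerForm
{
    public function export()
    {
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        if (!JFactory::getUser()->authorise('foobar.export', 'com_foobar'))
        {
            throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        $id = $this->input->getInt('id');
        // the export itself (query, file, download headers) goes here
        $this->setMessage(JText::sprintf('COM_FOOBAR_EXPORTED', $id));
        $this->setRedirect(JRoute::_('index.php?option=com_foobar&view=foobars', false));
    }
}
```

Because foobar.export is listed in the component section, it appears on the Options > Permissions screen next to the core actions and is stored in the same rules JSON, so a group can be given the export right without Edit or Delete. A request for task=foobar.export from a group that lacks the action fails in the controller whether or not the button was ever rendered.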

Overview?????

Action: Edit State

• Global configuration – default permissions for each action and group

• Component options (permissions) – can override the default permissions for a component

• Category – can override the default permissions and component options – applies to components with categories (Articles, Banners, etc...)

• Object – can override all permissions above for an object – only applies to articles in Joomla 1.6 core

Many permission screens.... the same four levels have to be visited for every action and every group to find out where a permission comes from.

Idea?!

ACL Manager for Joomla! 1.6

• USA group – Allow on edit ‘USA’ category – Deny on edit ‘Europe’ category

• Europe group – Allow on edit ‘Europe’ category – Deny on edit ‘USA’ category

• User in USA & Europe group – Deny on edit ‘Europe’ category – Deny on edit ‘USA’ category

– Deny always wins: an explicit deny on any of the user’s groups beats an allow on another group, so a member of both groups can edit neither category. To let a user edit both regions, leave the other region’s category ‘not set’ for each group instead of ‘denied’.

www.aclmanager.net
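The inheritance table, the JSON rules format and the "deny always wins" case above, made executable. This is an added example, not code from the slides or from Joomla: a stand-alone re-implementation of how Joomla merges the rules of an asset chain and decides an action, so the cases can be run with plain PHP and no Joomla install. Group ids 10 (USA) and 11 (Europe), the category and article ids and the rule rows are constructed; 2, 6 and 7 are the default Registered, Manager and Administrator groups.

```php
<?php
// Added example, not code from the slides or from Joomla: stand-alone model of
// Joomla's rule merging and decision, runnable with `php rules.php`.
// Group ids 10 (USA) and 11 (Europe) and all rule rows are constructed.

/**
 * Merge the rules of an asset chain ordered root -> component -> category -> item.
 * Same semantics as JAccessRules::merge(): a lower level may set or re-allow an
 * action for a group, but once a group has an explicit deny (0) it is "locked"
 * and nothing below can turn it back into 1.
 */
function mergeRules(array $chain)
{
    $merged = array();

    foreach ($chain as $json) {
        $rules = json_decode($json, true);

        if (!is_array($rules)) {
            continue; // empty rules column: this level is "not set" / "inherited"
        }

        foreach ($rules as $action => $identities) {
            foreach ($identities as $group => $allow) {
                $group = (int) $group;

                if (isset($merged[$action][$group]) && $merged[$action][$group] === 0) {
                    continue; // deny from a higher level wins
                }

                $merged[$action][$group] = (int) $allow;
            }
        }
    }

    return $merged;
}

/**
 * Decide one action for a list of identities (the user's groups plus all their
 * parent groups), like JAccessRule::allow(): null when no identity has an
 * explicit setting, false as soon as any identity is denied, true otherwise.
 */
function allow(array $merged, $action, array $identities)
{
    $result = null;

    foreach ($identities as $identity) {
        $identity = (int) $identity;

        if (isset($merged[$action][$identity])) {
            $result = (bool) $merged[$action][$identity];

            if ($result === false) {
                break;
            }
        }
    }

    return $result;
}

// JUser::authorise() casts the tri-state result to bool, so "not set" is a deny.
function authorise(array $chain, $action, array $groups)
{
    return (bool) allow(mergeRules($chain), $action, $groups);
}

// Constructed rule rows, one per asset, as they would sit in the rules column.
$root      = '{"core.login.site":{"6":1,"2":1},"core.edit":{"7":1}}';
$rootDeny  = '{"core.edit":{"10":0}}';                 // the CONFLICT row of the table
$component = '{"core.edit":{"10":1,"11":1}}';          // com_content
$catUsa    = '{"core.edit":{"10":1,"11":0}}';          // com_content.category.8
$catEurope = '{"core.edit":{"10":0,"11":1}}';          // com_content.category.9
$article   = '{"core.edit":{"11":1}}';                 // com_content.article.24, in Europe

$cases = array(
    'USA member edits USA category'         => array(array($root, $component, $catUsa),              'core.edit',   array(10)),
    'USA member edits Europe category'      => array(array($root, $component, $catEurope),           'core.edit',   array(10)),
    'USA+Europe member edits USA category'  => array(array($root, $component, $catUsa),              'core.edit',   array(10, 11)),
    'USA+Europe member, article re-allowed' => array(array($root, $component, $catEurope, $article), 'core.edit',   array(10, 11)),
    'denied globally, allowed on component' => array(array($rootDeny, $component),                   'core.edit',   array(10)),
    'action never set for this group'       => array(array($root, $component, $catUsa),              'core.delete', array(10)),
);

foreach ($cases as $label => $case) {
    list($chain, $action, $groups) = $case;
    printf("%-40s %s\n", $label, authorise($chain, $action, $groups) ? 'allowed' : 'denied');
}
```

Running it shows the behaviour the slides describe: the USA member may edit only the USA category; putting the same user in the Europe group as well turns both edits into a deny, because the other group's explicit deny is found during the identity walk; the allow on the Europe article cannot undo the category-level deny for the USA group (locked); the conflict row resolves to denied even though the component allows; and an action with no setting for the group resolves to null, which authorise() reports as denied.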

Resources


Is your extension really Joomla 1.7 ready? http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready

How to add basic ACL support to your extension http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension

Developing a MVC Component/Adding ACL http://docs.joomla.org/J2.5:Developing_a_MVC_Component/Adding_ACL

Adding ACL rules to your component http://docs.joomla.org/Adding_ACL_rules_to_your_component

Access Control List Tutorial http://docs.joomla.org/J2.5:Access_Control_List_Tutorial

Support for ACL permissions per module in com_modules https://github.com/joomla/joomla-cms/pull/1930/files

JHelperContent::getActions() improvements https://github.com/joomla/joomla-cms/pull/2728

This presentation http://slideshare.net/sanderpotjer/