The Joomla! Community Portal ™

Fri 30 Jul 2010

What You Need to Know About Joomla 1.6. Part 3: Access Control Levels
Labels: Joomla 1.6

Written by Jen Kramer
Friday, 30 July 2010 13:50

15 Minute Guide to Access Levels in ACL

If you’ve heard anything about Joomla 1.6, chances are you’ve heard about two exciting new features more than others: nested categories, and something called ACL.

ACL stands for access control levels. It refers to who has permission to do what on the website, including read, create, edit, delete, or log in, among other permissions.

Many think of ACL as relating to the front end of a website only. For example, when I log into the website, what articles do I have available to me? And if someone else logs into the site, do they see the same articles, or do they see different ones?

However, ACL also relates to who has rights to create, edit, and delete content; who can publish and unpublish content; who can log into the front end or back end of the website; and who can make changes to which components and modules.

Just because you can doesn't mean you should! ACL is complex, and it takes some time to understand exactly how it works. For many sites, perhaps even most sites, you might not need anything beyond the default Joomla configuration. However, if you're building a larger site, it could come in handy.

Examples of where ACL would be required include:

  • A company intranet, where some managers see one level of content, while employees see another
  • A school site, where parents, teachers, students, and the public each see different types of content
  • A large website with many contributors, where you don't want people changing each other's content, and trust can't or won't work
  • A site with multiple blogs, where authors can't create or edit posts in each other's blogs, and trust can't or won't work

ACL in Joomla 1.5

Joomla 1.5 has ACL at a limited level. If you’ve worked with Joomla 1.5, you’ve seen how you can set a menu item or article to be viewable by the public, registered users, or “special” (authors and above). Likewise, you probably know that registered users can’t log into the back end of a Joomla site, but a super administrator can. Joomla 1.5 ACL is hierarchical, meaning that each user group inherits permissions from the groups below it.

A full explanation of Joomla 1.5’s groups can be found at brian.teeman.net. Groups include public, registered, author, editor, publisher, manager, administrator, and super administrator.

Joomla 1.5's access levels include public, registered, and special. An explanation of the access levels can be found at Revision Technology.

ACL in Joomla 1.6: Overview

Joomla 1.6 ACL is not hierarchical. You can set up groups with whatever permissions you wish. These permissions are inherited from parents in the case of groups, but they are not inherited in the case of access levels.

There are four aspects to the ACL system in Joomla 1.6. These include the user, the group, core permissions, and access levels. I've represented these in the following diagram to describe their relationship, and I'll go through each in detail.

Diagram of how ACL works

User

This is the easiest one to understand — that's you, or someone else visiting the website. A user does not have to have an account to be considered a user of the website. That user would still be considered a public user. Individual users may be assigned to one or several groups. You cannot assign core permissions directly to users; these are assigned to the group.

Core Permissions

Core permissions are assigned to the group, not to individual users. (If you want specific core permissions for a single user, you would need to create a group for that single user.)

Core permissions include:

  • Site login: the ability to log into the front of the website.
  • Admin login: the ability to log into the back end of the website.
  • Admin: administrative (root) privileges, such as changing Global Configuration.
  • Manage: ability to change settings on extensions
  • Create: ability to create new content
  • Delete: ability to delete (trash) content
  • Edit: ability to edit existing content which is not necessarily your own
  • Edit state: ability to change state between published, unpublished, trash

The core permissions are set in the Global Configuration, under Site - Global Configuration, then clicking on the Permissions tab. I'll go through understanding this chart in my second article on ACL.

Group

A group is a group of users who share the same permissions. Using the Joomla 1.5 groups as an example, the publisher group has the right to log into the front of the website, create new articles, edit any articles on the site, and publish or unpublish articles. Anyone in the publisher group has the same permissions to do these same things.

Unlike Joomla 1.5, however, a user may be assigned to multiple groups. A user may be in the publisher group as well as the administrator group, for example.

You can create your own groups and assign them their own set of core permissions. Core permissions are inherited between groups.

A group might be created for two different reasons. One would be to view content on the front end of the website. The other would be to specify what content can be created, edited, deleted, published or unpublished, or managed by that group.

By visiting the website, a site visitor is considered a user belonging to the public group.

The public group and the registered group may not be deleted, but all other groups may be deleted. (However, I'd recommend you keep them, because they give you a good model of how permissions inheritance works.)

Access Level

Access levels refer to who can see what content on the front end of the website. Essentially, this amounts to read permissions on the front end of the website.

Historically, there have been three access levels: public (which anyone can see), registered (you must be logged in to see the content), or special (you must be a logged in author or higher level group to see the content).

These access levels are still present in 1.6 as default settings, but you can also create your own access levels.

Access levels do not inherit their permissions. If you have an article, and you set it to be viewable by publishers only, even super administrators cannot view that article. You must be assigned to the publisher group in order to view this article. (However, as a super administrator, you are able to edit this article on the back end.)

I Want Different People to See Different Content When They Log In

Now that you have a grasp on the terminology of ACL, let's look at implementing a simple system with Joomla 1.6.

Before you start clicking buttons, you must start with an ACL strategy for implementing this website. Start by describing the problem you're trying to solve:

For the school website I am developing:

  • The general public can visit that site and see most content. However, there is content behind the scenes for students and teachers.
  • A teacher can see content specifically for teachers, all student content, and the public content.
  • Students can only see student content (not teacher content) and the public content.

Note we talked only about the content that was seen. We did not talk about editing, creating, deleting, or managing content. This points to a reading problem — or an issue with access levels.

Next, we have three groups described here: the public, students, and teachers. The Public group already exists, but we'll need to create the students and teachers groups. All these users are doing is logging into the website to see more content, so the only permission we need to assign to these groups is the ability to log into the front end of the website. Essentially, teachers and students are registered users.

We'll then need to create our content such that teachers see both student and teacher content, while students see only student content.

Our approach to this problem will be as follows:

  1. Create our groups, called "students" and "teachers".
  2. Assign core permissions to our group. In this case, we're assigning the site login core permission.
  3. Create our users and assign them to groups. I'll create one called "student" and one called "teacher" for our example, but in the real world, you may have many accounts to create.
  4. Create an access level for students, and another access level for teachers.
  5. Create categories for students and teachers, and assign the correct access levels.
  6. Create articles for students and teachers, and assign the correct access levels.
  7. Create menu items for students and teachers, and assign the correct access levels.
  8. Test our logins and see if they work correctly.

1. Create Our Groups

To create a group, log into the back end of the Joomla 1.6 website.

Go to the top menu and go to Users - Add New Group. You'll see this screen.

Add User Group screen.

  1. For Group Title, enter Teachers Group.
  2. For Group Parent, choose Registered. Registered users match the permissions for the teacher group (i.e. ability to log into the front end of the website). Teachers will be a sub-group within registered users.
  3. Click the Save & New button, shown on the top right, to save the Teachers group and create a new group.
  4. For Group Title, enter Students Group.
  5. For Group Parent, choose Registered. This puts the Teachers and Students groups at the same level.
  6. Click Save & Close to save our Students group and return to the User Manager: Groups screen.

2. Assign Core Permissions

Since we assigned Registered as the parent for Teachers and for Students, our core permissions inherit from Registered into those groups. The Registered group already has the core permission to log into the front end of the website, so we don't need to add any more core permissions to these groups.

3. Create Users, Assign to Groups

Now that we have our groups created, we need to create some users to live in these groups.

To do this, go to Users - Add New User, and you'll see the following screen:

User Manager screen in Joomla 1.6.

  • Name: Enter the user's full name, in this case, Ms. Jones.
  • Login Name: Enter a username for this person: msjones.
  • Password and Confirm Password: Type the same password twice.
  • Email: Enter the user's email address. (If you are not doing this for a real user, use something@example.com.)

Skip the other fields on this page, and scroll down to Assigned Groups. Note that by default, Registered is checked and Public is greyed out. This is to remind you that the Registered group inherits permissions from the Public group.

Choose "Teachers" from the list. Note that the Registered option and Public option are now greyed out. That is because Teachers have a parent of Registered, which has a parent of Public.

Click "Save & New", then repeat this same process for a Student login. The student's name is David Smith and username is david. Use something2@example.com if you need another email address. Assign David to the Students Group. Choose Save & Close when you're done.

4. Create Access Levels

We have our users, core permissions, and groups all set up, so now it's time to create two Access Levels, one for students, and one for teachers.

Go to Users - Add New Access Level, and you should see this screen:

Add access level screen.

For the Level Title, enter Teachers Access Level. Then check the boxes next to Teachers Group. This will allow only teachers to see the Teachers Group content.

Click Save & New, enter Students Access Level for the Level Title, and check the Students Group and Teachers Group boxes. This means that teachers can see this student content, in addition to students seeing the student content. Click Save & Close to leave this screen.

5. Create Categories

On this website, I have created a category for teachers (under Content - Add New Category):

Add new category.

I also created a category for students. It's set up the same way, except the title is Students Category and the Access is Students Access Level.

6. Create Articles

Next I set up an article for Teachers, in the Teachers category. To create a new article, go to Content - Add New Article.

Article for teachers.

The fields I completed were:

  • Title: This Article is for Teachers
  • Category: Teachers Category
  • State: Published
  • Access: Teachers Access Level
  • Article text: enter some dummy text.

Click Save & New, then repeat the process for students:

  • Title: This Article is for Students
  • Category: Teachers Category
  • State: Published
  • Access: Students Access Level
  • Article text: enter some dummy text.

Click Save & Close when you are done.

While I have created only one article for each group, I could create as many articles as I wished.

7. Create Menu Items

Next comes the menu. In the Main Menu (under Menus - Main Menu), we'll add two links, one for teachers and one for students.

To create the link, I went to New (upper right corner), chose Category List for the menu item type, and entered the other information as below:

New menu item.

  • Title: Teachers Information
  • Menu Item Type: click Select, then Category List
  • State: Published
  • Access: Teachers Access Level
  • Choose a Category: Teachers Category

Click Save & New, and repeat the process for students:

  • Title: Students Information
  • Menu Item Type: click Select, then Category List
  • State: Published
  • Access: Students Access Level
  • Choose a Category: Students Category

Click Save & Close when you're done.

(Normally, I would have displayed this as a single article. However, the single article choice wasn't working for me, but category list was -- so we have a category list instead.)

8. Test Our Logins

We've finally configured everything required to have different content for students and teachers on our website.

Before testing, disable the cache on the website. (This is due to a bug in Joomla 1.6 beta 6.) To do this, go to Site - Global Configuration, System tab, and set Caching to OFF.

Global Config, disabling caching.

Click "Save & Close" once you've made this change.

Now, go to the front end of the website. Enter your login information in the login box.

Enter the username and password for the teacher, Ms. Jones. Remember that's msjones as the username and whatever you entered for her password.

If you've done everything right, you should see two links in the main menu, one for "Teacher Information" and one for "Student Information". (If you have the sample data installed, you'll need to scroll down to the "This Site" menu to find your links.)

Return to the login page to click the Log out button. Now repeat the process as David Smith, the student, with a username of david and the password you gave him.

If you've done everything right, you should see one link in the main menu for "Student Information".
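As an added illustration (not code from the article or from Joomla itself), here is a small Python model of the rules described in the overview and exercised in steps 1 to 8: groups inherit upward through their parents, access levels are flat lists of ticked groups with no inheritance, and a user sees an item when the item's access level names any of the user's effective groups (the same rule Joomla applies when it resolves a user's authorised view levels). Group and user names follow the school example; the Publisher and Super Users groups are constructed here to show the caveat from the Access Level section, and the access-matrix helper is the kind of check worth running before handing a site to a client.

```python
# Group tree as child -> parent, mirroring Users - Groups in Joomla 1.6.
# Names are constructed for this example; Joomla stores numeric ids.
GROUP_PARENT = {
    "Public": None,
    "Registered": "Public",
    "Super Users": "Public",
    "Publisher": "Registered",       # stands in for the 1.5-style publisher group
    "Teachers Group": "Registered",
    "Students Group": "Registered",
}

# Access levels are flat: each is just the set of groups ticked on the
# Add Access Level screen. Nothing is inherited between levels.
ACCESS_LEVELS = {
    "Public": {"Public"},
    "Registered": {"Registered"},
    "Teachers Access Level": {"Teachers Group"},
    "Students Access Level": {"Students Group", "Teachers Group"},
    "Publisher Only": {"Publisher"},
}

# Constructed users; "guest" is a visitor who is not logged in.
USERS = {
    "guest": set(),
    "msjones": {"Teachers Group"},
    "david": {"Students Group"},
    "admin": {"Super Users"},
}

def effective_groups(user):
    """The user's groups plus every ancestor group. This expansion is why
    ticking Teachers greys out Registered and Public on the user form."""
    groups = {"Public"}                  # every visitor is in Public
    stack = list(USERS[user])
    while stack:
        g = stack.pop()
        if g not in groups:
            groups.add(g)
            if GROUP_PARENT[g]:
                stack.append(GROUP_PARENT[g])
    return groups

def authorised_view_levels(user):
    """Access levels whose ticked groups overlap the user's effective groups."""
    mine = effective_groups(user)
    return {lvl for lvl, groups in ACCESS_LEVELS.items() if groups & mine}

def can_view(user, item_access):
    """True if the user may read an item (article, category, menu item) set to item_access."""
    return item_access in authorised_view_levels(user)

def access_matrix(users, levels):
    """Who-sees-what table for checking a configuration before trusting it."""
    return {u: {lvl: can_view(u, lvl) for lvl in levels} for u in users}
```

Note that "admin" cannot read the "Publisher Only" level even though Super Users holds every core permission, exactly as the Access Level section warns.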

Conclusion

If you've followed this example all the way through, it probably took you about 15 minutes to complete, perhaps longer if you are new to Joomla 1.6.

Just because you can, doesn't mean you should! ACL can be time consuming for you and for your client, and it might be extremely confusing to use. A few wrong settings and the wrong people can see the wrong information, so be very careful in your testing to make sure this works properly.

In my next article on ACL, I'll cover setting up permissions for creating, editing, and deleting content; editing state; logging into the front or back end of the website; managing extensions; and admin permissions.

Thank you to Brian Teeman, for helping to revise and edit the article, and for testing the example to make sure it works.