What You Need to Know About Joomla 1.6. Part 3: Access Control Levels
Written by Jen Kramer
Friday, 30 July 2010 13:50

15 Minute Guide to Access Levels in ACL

If you’ve heard anything about Joomla 1.6, chances are you’ve heard about two exciting new features more than others: nested categories, and something called ACL. ACL stands for access control levels. It refers to who has permission to do what on the website, including read, create, edit, delete, or log in, among other permissions.

Many think of ACL as relating to the front end of a website only. For example, when I log into the website, what articles do I have available to me? And if someone else logs into the site, do they see the same articles, or do they see different ones? However, ACL also relates to who has rights to create, edit, and delete content; who can publish and unpublish content; who can log into the front end or back end of the website; and who can make changes to which components and modules.

Just because you can doesn't mean you should! ACL is complex, and it takes some time to understand exactly how it works. For many sites, perhaps even most sites, you might not need anything beyond the default Joomla configuration. However, if you're building a larger site, it could come in handy. Examples of where ACL would be required include:

ACL in Joomla 1.5

Joomla 1.5 has ACL at a limited level. If you’ve worked with Joomla 1.5, you’ve seen how you can set a menu item or article to be viewable by the public, registered users, or “special” (authors and above). Likewise, you probably know that registered users can’t log into the back end of a Joomla site, but a super administrator can.

Joomla 1.5 ACL is hierarchical, meaning that each user group inherits permissions from the groups below it. A full explanation of Joomla 1.5’s groups can be found at brian.teeman.net. Groups include public, registered, author, editor, publisher, manager, administrator, and super administrator. Joomla 1.5's access levels include public, registered, and special. An explanation of the access levels can be found at Revision Technology.

ACL in Joomla 1.6: Overview

Joomla 1.6 ACL is not hierarchical. You can set up groups with whatever permissions you wish. These permissions are inherited from parents in the case of groups, but they are not inherited in the case of access levels.

There are four aspects to the ACL system in Joomla 1.6. These include the user, the group, core permissions, and access levels. I've represented these in the following diagram to describe their relationship, and I'll go through each in detail.

User

This is the easiest one to understand — that's you, or someone else visiting the website. A user does not have to have an account to be considered a user of the website. That user would still be considered a public user. Individual users may be assigned to one or several groups. You cannot assign core permissions directly to users; these are assigned to the group.

Core Permissions

Core permissions are assigned to the group, not to individual users. (If you want specific core permissions for a single user, you would need to create a group for that single user.) Core permissions include:
The core permissions are set in the Global Configuration, under Site - Global Configuration, then clicking on the Permissions tab. I'll go through understanding this chart in my second article on ACL.

Group

A group is a group of users who share the same permissions. Using the Joomla 1.5 groups as an example, the publisher group has the right to log into the front of the website, create new articles, edit any articles on the site, and publish or unpublish articles. Anyone in the publisher group has the same permissions to do these same things.

Unlike Joomla 1.5, however, a user may be assigned to multiple groups. A user may be in the publisher group as well as the administrator group, for example. You can create your own groups and assign them their own set of core permissions. Core permissions are inherited between groups.

A group might be created for two different reasons. One would be to view content on the front end of the website. The other would be to specify what content can be created, edited, deleted, published or unpublished, or managed by that group.

By visiting the website, a site visitor is considered a user belonging to the public group. The public group and the registered group may not be deleted, but all other groups may be deleted. (However, I'd recommend you keep them, because they give you a good model of how permissions inheritance works.)

Access Level

Access levels refer to who can see what content on the front end of the website. Essentially, this amounts to read permissions on the front end of the website. Historically, there have been three access levels: public (which anyone can see), registered (you must be logged in to see the content), or special (you must be a logged-in author or higher-level group to see the content). These access levels are still present in 1.6 as default settings, but you can also create your own access levels. Access levels do not inherit their permissions.
If you have an article, and you set it to be viewable by publishers only, even super administrators cannot view that article. You must be assigned to the publisher group in order to view this article. (However, as a super administrator, you are able to edit this article on the back end.)

I Want Different People to See Different Content When They Log In

Now that you have a grasp on the terminology of ACL, let's look at implementing a simple system with Joomla 1.6. Before you start clicking buttons, you must start with an ACL strategy for implementing this website. Start by describing the problem you're trying to solve:
Note we talked only about the content that was seen. We did not talk about editing, creating, deleting, or managing content. This points to a reading problem — or an issue with access levels. Next, we have three groups described here: the public, students, and teachers. The Public group already exists, but we'll need to create the students and teachers groups. All these users are doing is logging into the website to see more content, so the only permission we need to assign to this group is the ability to log into the front end of the website. Essentially, teachers and students are registered users. We'll then need to create our content such that teachers see both student and teacher content, while students see only student content. Our approach to this problem will be as follows:

1. Create Our Groups

To create a group, log into the back end of the Joomla 1.6 website. Go to the top menu and go to Users - Add New Group. You'll see this screen.

2. Assign Core Permissions

Since we assigned Registered as the parent for Teachers and for Students, our core permissions inherit from Registered through our groups. The Registered group already has the core permission to log into the front end of the website, so we don't need to add any more core permissions to these groups.

3. Create Users, Assign to Groups

Now that we have our groups created, we need to create some users to live in these groups. To do this, go to Users - Add New User, and you'll see the following screen:
Skip the other fields on this page, and scroll down to Assigned Groups. Note that by default, Registered is checked and Public is greyed out. This is to remind you that the Registered group inherits permissions from the Public group. Choose "Teachers" from the list. Note that the Registered option and Public option are now greyed out. That is because Teachers have a parent of Registered, which has a parent of Public.

Click "Save & New", then repeat this same process for a Student login. The student's name is David Smith and username is david. Use something2@example.com if you need another email address. Assign David to the Students Group. Choose Save & Close when you're done.

4. Create Access Levels

We have our users, core permissions, and groups all set up, so now it's time to create two Access Levels, one for students, and one for teachers. Go to Users - Add New Access Level, and you should see this screen:
For the Level Title, enter Teachers Access Level. Then check the boxes next to Teachers Group. This will allow only teachers to see the Teachers Group content. Click Save & New, enter Students Access Level for the Level Title, and check the Students Group and Teachers Group boxes. This means that teachers can see this student content, in addition to students seeing the student content. Click Save & Close to leave this screen.

5. Create Categories

On this website, I have created a category for teachers (under Content - Add New Category):
I also created a category for students. It's set up the same way, except the title is Students Category and the Access is Students Access Level.

6. Create Articles

Next I set up an article for Teachers, in the Teachers category. To create a new article, go to Content - Add New Article.
The fields I completed were:
Click Save & New, then repeat the process for students:
Click Save & Close when you are done. While I have created only one article for each group, I could create as many articles as I wished.

7. Create Menu Items

Next comes the menu. In the Main Menu (under Menus - Main Menu), we'll add two links, one for teachers and one for students. To create the link, I went to New (upper right corner), chose Category List for the menu item type, and entered the other information as below:
Click Save & New, and repeat the process for students:
Click Save & Close when you're done. (Normally, I would have displayed this as a single article. However, the single article choice wasn't working for me, but category list was -- so we have a category list instead.)

8. Test Our Logins

We've finally configured everything required to have different content for students and teachers on our website. Before testing, disable the cache on the website. (This is due to a bug in Joomla 1.6 beta 6.) To do this, go to Site - Global Configuration, System tab, and set Caching to OFF.
Click "Save & Close" once you've made this change. Now, go to the front end of the website. Enter your login information in the login box. Enter the username and password for the teacher, Ms. Jones. Remember that's msjones as the username and whatever you entered for her password.

If you've done everything right, you should see two links in the main menu, one for "Teacher Information" and one for "Student Information". (If you have the sample data installed, you'll need to scroll down to the "This Site" menu to find your links.)

Return to the login page to click the Log out button. Now repeat the process as David Smith, the student, with a username of david and the password you gave him. If you've done everything right, you should see one link in the main menu for "Student Information".

Conclusion

If you've followed this example all the way through, it probably took you about 15 minutes to complete, perhaps longer if you are new to Joomla 1.6.

Just because you can, doesn't mean you should! ACL can be time consuming for you and for your client, and it might be extremely confusing to use. A few wrong settings and the wrong people can see the wrong information, so be very careful in your testing to make sure this works properly.

In my next article on ACL, I'll cover setting up permissions for creating, editing, and deleting content; editing state; logging into the front or back end of the website; managing extensions; and admin permissions.

Thank you to Brian Teeman, for helping to revise and edit the article, and for testing the example to make sure it works.
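
The setup from steps 1 to 8 can be written down as a small model and checked against the result expected in step 8, which helps when testing that no group sees content it should not. This is an added example, not Joomla code or the author's: it follows the article's description of the rules (core permissions inherit from parent groups, access levels list their groups explicitly), and the permission label `login_site` and all function names are hypothetical.

```python
# Model of the article's Teachers/Students setup (constructed data, not Joomla code).
# Group -> parent group, as created in step 1.
GROUP_PARENT = {"Public": None, "Registered": "Public",
                "Teachers": "Registered", "Students": "Registered"}
# Core permissions set directly on a group (step 2); "login_site" is a made-up label.
GROUP_PERMS = {"Registered": {"login_site"}}
# Access level -> groups ticked on the access level screen (step 4).
ACCESS_LEVELS = {"Teachers Access Level": {"Teachers"},
                 "Students Access Level": {"Students", "Teachers"}}
# User -> assigned groups (step 3).
USERS = {"msjones": {"Teachers"}, "david": {"Students"}}
# What each login should be able to read, per step 8.
EXPECTED = {"msjones": {"Teachers Access Level", "Students Access Level"},
            "david": {"Students Access Level"}}

def ancestors(group, parents):
    """Return the group followed by its chain of parent groups."""
    chain = []
    while group is not None:
        chain.append(group)
        group = parents[group]
    return chain

def core_permissions(user_groups, parents, perms):
    """Core permissions are inherited: collect them along each parent chain."""
    granted = set()
    for group in user_groups:
        for g in ancestors(group, parents):
            granted |= perms.get(g, set())
    return granted

def visible_levels(user_groups, levels):
    """Per the article, a level is visible only via a group ticked on it."""
    return {name for name, groups in levels.items() if groups & user_groups}

def audit(users, levels, expected):
    """Compare actual visibility with the intended matrix; list every mismatch."""
    findings = []
    for user, groups in sorted(users.items()):
        actual = visible_levels(groups, levels)
        findings += [(user, lvl, "over-exposed") for lvl in sorted(actual - expected[user])]
        findings += [(user, lvl, "missing") for lvl in sorted(expected[user] - actual)]
    return findings

if __name__ == "__main__":
    print(audit(USERS, ACCESS_LEVELS, EXPECTED))  # correct setup: no findings
    # One wrong checkbox: Students Group also ticked on Teachers Access Level.
    wrong = dict(ACCESS_LEVELS, **{"Teachers Access Level": {"Teachers", "Students"}})
    print(audit(USERS, wrong, EXPECTED))
```

An empty list from `audit` means every login sees exactly the intended access levels; any tuple names the user, the access level and whether it is over-exposed or missing.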








