Joomla! ACL - Joomla!Day Germany

  • Published on
    05-Dec-2014


Transcript

1. Joomla! ACL
  • Sander Potjer, @sanderpotjer, www.aclmanager.net
  • Joomla!Day Germany, 5 October 2012

2. Sander Potjer
  • Involved in the local Joomla community
  • Joomla Community Leadership Team (CLT) member
  • Company: Sander Potjer Webdevelopment
  • ACL Manager developer
  • E-mail: sander.potjer@community.joomla.org
  • Slides: http://www.slideshare.net/sanderpotjer

4. Joomla! ACL

5. It took a while...
  • DrupalCon, October 2005, Johan Janssens
  • http://www.slideshare.net/JohanJanssens/drupalcon-2005-joomla-drupal-and-you-presentation

6. ACL?!?!
  • ACL = Access Control List
  • Access to parts of the website, e.g. menu / module visibility (the view action)
  • User actions on objects, e.g. create / edit / edit state / delete an article

9. ACL - Groups
  • Joomla 1.5: 7 fixed groups (Registered, Author, Editor, Publisher, Manager, Administrator and Super Administrator) plus Public, in a fixed hierarchical structure
  • Joomla 2.5/3.0: unlimited, user-defined groups; no hierarchical structure required

11. ACL - User in Group
  • Joomla 1.5: a user can be assigned to one group
  • Joomla 2.5/3.0: a user can be assigned to multiple groups

13. ACL - Access Levels
  • Joomla 1.5: 3 fixed access levels (Public, Registered, Special)
  • Joomla 2.5/3.0: unlimited, user-defined access levels

15. ACL - Access Levels & Groups relation
  • Joomla 1.5: fixed relation between groups and access levels
  • Joomla 2.5/3.0: any combination of user groups can be assigned to any access level

17. ACL - Actions
  • Joomla 1.5: fixed actions per group (create / edit / delete / admin access / etc.); the permission scope is the entire site; the same permission applies to all objects; permission inheritance is not applicable
  • Joomla 2.5/3.0: custom actions per group (create / edit / delete / admin access / etc.); permission scope at multiple levels (site / component / category / item); permissions can be inherited from parent groups and parent categories

18. ACL in Joomla! 1.5 & 1.6 (Actions)
  • http://brian.teeman.net/joomla-gps/joomla-15-acl-explained.html

20. Joomla! 2.5 ACL Overview
  • http://community.joomla.org/blogs/community/1252-16-acl.html

23. User
  • Guest is also a user
  • Users can be assigned to one or multiple groups

25. Permissions
  • Assigned to a group (not to a user!)
  • 10 actions: Site Login, Admin Login, Offline Access (since 1.7), Super Admin / Configure, Access Component, Create, Delete, Edit, Edit State, Edit Own

27. Group
  • Users with the same permissions
  • Permissions are inherited from parent groups
  • Unlimited nested groups
  • Keep it simple! Only use nested groups if needed
  • Guest group in Joomla 3.0

29. Access Level
  • What is visible for the group (article, menu, module, etc.)
  • Permissions are not inherited between access levels
  • Even Super Users cannot view content on the frontend if their group is not assigned to the access level

31. Permissions

32. Permissions
  • 4 possible permission settings: Not Set, Inherited, Allowed, Denied

33. Permissions - Not Set
  • Soft deny (the default setting at the Global Configuration level)
  • Can be overridden by Allowed or Denied

34. Permissions - Inherited
  • Value from a parent permission level
  • Value from a parent user group
  • Can be overridden by Allowed or Denied

35. Permissions - Allowed
  • Action allowed for the current permission level and lower levels
  • Action allowed for the current user group and child groups
  • Can be overridden by Denied

36. Permissions - Denied
  • Action denied for the current permission level and lower levels
  • Action denied for the current user group and child groups
  • Cannot be overridden at all: Denied always wins!

42. Permission Hierarchy (levels)
  • Level 1: Global Configuration: default permission settings for the actions of a group
  • Level 2: Component Options: can override the permissions of Level 1
  • Level 3: Category: can override the permissions of Levels 1 & 2; available for components with categories (Articles, Banners, etc.)
  • Level 4: Item: can override the permissions of Levels 1, 2 & 3; in the Joomla core only available in the Article Manager
  • Overriding the permissions of a higher level only works if the higher-level setting is not Denied!

43. Inheriting example for the Create action (Level 1 -> Level 2 -> Level 3 -> Level 4)
  • http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html

47. Available Permissions and Levels for a Group of Users

48. Action: Edit State

49. ACL Manager for Joomla! 1.6
  • www.aclmanager.net/de

52. Debug Permissions
  • Turn on the Debug System in the Global Configuration (the report links only appear with debugging on)
  • Go to the User Manager or to Groups
  • Click on Debug Permission Report next to the user or user group

55. So, what about the database?
  • Database: #__assets

57. Plan your ACL implementation

58. Viewing or Action problem
  • Define the problem: is it a viewing problem or an action problem (create / delete / edit / etc.)? Or both?
  • Viewing: define the viewing access levels
  • Action: define the permissions for all actions

59. Think ahead!
  • Maintenance?
  • Structure your content properly to handle the permissions
  • Make use of parent categories with nested categories that share the same permissions
  • No need to set permissions per article

60. Some Notes

61. User in multiple User Groups
  • Group "The Netherlands": Allowed on edit for The Netherlands category, Denied on edit for the Germany category
  • Group "Germany": Allowed on edit for the Germany category, Denied on edit for The Netherlands category
  • A user in both The Netherlands & Germany groups: Denied on edit for The Netherlands category and Denied on edit for the Germany category
  • Denied always wins (again)
  • Solution: don't use Denied but Not Set / Inherited (= soft deny)

64. What if I locked myself out?
  • No need to access your database
  • Open your configuration.php and add: public $root_user = 'username'; (the login name of your user)
  • You can log in again and perform all actions
  • Great for playing around with the new ACL
  • Don't forget to remove the $root_user line!

66. Practical ACL Tips

67. ACL Tips
  • Write down your ACL requirements for a website before implementing
  • The Joomla 1.5 user groups exist only for backward compatibility in Joomla 2.5; you may remove them!
  • Use multi-nested groups only if needed / if you know what you are doing (so that values are inherited only between levels, not between groups as well)

68. ACL Tips
  • Assign a user group with backend access to a viewing access level (often Special)
  • Stay flexible for lower permission levels / groups: avoid the Denied setting as long as possible
  • Use role-based groups

69. Quick ACL example (do we have time?)

70. Resources
  • http://community.joomla.org/blogs/community/1252-16-acl.html
  • http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
  • http://docs.joomla.org/Access_Control_System_In_Joomla_1.6
  • http://www.theartofjoomla.com/home/5-commentary/84-introducing-the-new-permissions-in-joomla-16.html
  • http://www.theartofjoomla.com/home/38-talks/101-the-joomla-16-video-access-controls.html
  • http://www.aclmanager.net
  • http://www.aclmanager.net/news/general/28-is-your-extension-really-joomla-17-ready
  • http://www.aclmanager.net/news/general/31-how-to-add-basic-acl-support-to-your-extension
  • http://magazine.joomla.org/issues/issue-sept-2012/item/856-Implementing-Role-Based-ACL
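The following is an added worked example, not code from the talk and not Joomla's own code. It re-implements, in Python, the resolution rules the slides describe (Not Set / Inherited / Allowed / Denied, the four permission levels stored in #__assets, inheritance through parent groups, and the "Denied always wins" rule) the way JAccessRules::merge, JAccess::check and JUser::authorise combine them, and replays the Netherlands/Germany multi-group case from the "Some Notes" slides. The group ids 1-8 mirror a default Joomla 2.5 install; the group ids 10 and 11, the asset names and every rules JSON string are constructed sample data.

```python
"""Model of how Joomla! 2.5/3.0 resolves an action permission for a user.

Added example, not code from the talk or from Joomla itself. Group ids 1-8
match a default Joomla 2.5 install; everything else is constructed sample data.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed group tree (#__usergroups): id -> parent id. 10 and 11 are the talk's
# "The Netherlands" and "Germany" groups, put under Registered so that no parent
# group gives them edit rights.
GROUP_PARENT: Dict[int, Optional[int]] = {
    1: None, 2: 1, 3: 2, 4: 3, 5: 4,   # Public, Registered, Author, Editor, Publisher
    6: 1, 7: 6, 8: 1,                  # Manager, Administrator, Super Users
    10: 2, 11: 2,                      # The Netherlands, Germany (custom)
}

# Constructed #__assets rows: asset name -> (parent asset, `rules` column as stored).
# rules JSON = {action: {group id: 1 Allowed | 0 Denied}}; an absent key is
# Not Set (Level 1) or Inherited (lower levels).
ASSETS: Dict[str, Tuple[Optional[str], str]] = {
    "root.1": (None, '{"core.admin":{"8":1},"core.manage":{"7":1},'
                     '"core.create":{"6":1,"3":1},"core.delete":{"6":1},'
                     '"core.edit":{"6":1,"4":1},"core.edit.state":{"6":1,"5":1},'
                     '"core.edit.own":{"6":1,"3":1}}'),
    "com_content": ("root.1", "{}"),
    # The slide setup: each country group Allowed on its own category, Denied on the other.
    "com_content.category.20": ("com_content", '{"core.edit":{"10":1,"11":0}}'),  # NL
    "com_content.category.21": ("com_content", '{"core.edit":{"11":1,"10":0}}'),  # DE
    # The suggested fix: Allowed on the own category only, the other stays Inherited.
    "com_content.category.22": ("com_content", '{"core.edit":{"10":1}}'),         # NL
    "com_content.category.23": ("com_content", '{"core.edit":{"11":1}}'),         # DE
    # Level 4 overrides: Allow Germany on one article in each NL category.
    "com_content.article.42": ("com_content.category.20", '{"core.edit":{"11":1}}'),
    "com_content.article.43": ("com_content.category.22", '{"core.edit":{"11":1}}'),
}


def user_identities(groups: Iterable[int]) -> List[int]:
    """The user's groups plus all their ancestors (JAccess::getGroupsByUser);
    this is what makes a child group inherit its parent's settings."""
    seen: List[int] = []
    for gid in groups:
        cur: Optional[int] = gid
        while cur is not None:
            if cur not in seen:
                seen.append(cur)
            cur = GROUP_PARENT[cur]
    return seen


def asset_chain(asset: str) -> List[str]:
    """The asset and its ancestors, root first (Level 1 .. Level 4 in the talk)."""
    chain: List[str] = []
    cur: Optional[str] = asset
    while cur is not None:
        chain.append(cur)
        cur = ASSETS[cur][0]
    return chain[::-1]


def merged_rules(asset: str) -> Dict[str, Dict[int, int]]:
    """Merge rules down the asset chain like JAccessRules::merge: a lower level
    overrides Not Set/Inherited or Allowed, but an explicit Denied is never overwritten."""
    merged: Dict[str, Dict[int, int]] = {}
    for name in asset_chain(asset):
        for action, identities in json.loads(ASSETS[name][1]).items():
            target = merged.setdefault(action, {})
            for gid, allow in identities.items():
                if target.get(int(gid)) != 0:          # Denied sticks
                    target[int(gid)] = int(allow)
    return merged


def check(groups: Iterable[int], action: str, asset: str) -> Optional[bool]:
    """JAccess::check: True = Allowed, False = Denied, None = Not Set (soft deny).
    Across the user's groups and their parents, any Denied wins over any Allowed."""
    rule = merged_rules(asset).get(action, {})
    result: Optional[bool] = None
    for gid in user_identities(groups):
        if gid in rule:
            result = bool(rule[gid])
            if result is False:
                break
    return result


def authorise(groups: Iterable[int], action: str, asset: str) -> bool:
    """JUser::authorise: core.admin on root.1 makes a Super User who bypasses all
    action checks; for everyone else a soft deny (None) is a deny."""
    if check(groups, "core.admin", "root.1"):
        return True
    return bool(check(groups, action, asset))


if __name__ == "__main__":
    cases = [
        ([4], "core.create", "com_content"),                 # Editor inherits Create from Author
        ([10], "core.edit", "com_content.category.21"),      # NL user on DE category: hard deny
        ([10, 11], "core.edit", "com_content.category.20"),  # user in both groups: Denied wins
        ([10, 11], "core.edit", "com_content.category.22"),  # soft-deny setup: both allowed
        ([11], "core.edit", "com_content.article.42"),       # Level 4 cannot override a Denied
        ([11], "core.edit", "com_content.article.43"),       # ...but it can override a soft deny
        ([8], "core.edit", "com_content.category.20"),       # Super User bypass; check() itself is None
    ]
    for groups, action, asset in cases:
        print(f"{groups!s:9} {action:12} {asset:26} check={check(groups, action, asset)!s:5} "
              f"authorise={authorise(groups, action, asset)}")
```

To replay this against a real site, the `rules` column of `#__assets` holds exactly the JSON strings modelled above, so the same functions can be fed the output of a query on that table; the Debug Permission Report in the backend is the built-in way to see the same resolution per user or group.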