Level:
Newbie
Experienced users
Professionals
1.0.9
User Manual
for
Chapter 1 Introduction
1.1 WARNING
1.2 INSTALLATION
1.3 REQUIREMENT
Chapter 4 Access Control List (ACL) and Its Access Control Rules (ACRs)
4.1 Access Control Rule (ACR) Management
4.1.1 Create an Access Control Rule (ACR)
4.1.2 Edit an Access Control Rule (ACR)
4.1.3 Remove an Access Control Rule (ACR)
4.1.4 Disable/Enable an Access Control Rule (ACR)
With this professional component, combined with the ease with which end users can pick up Joomla!,
Joomla! can be used to build extremely sophisticated web sites.
This documentation is intended for users of all levels, from newbies to experienced users and
professionals, who wish to implement sophisticated access control in their Joomla! site.
1.1 WARNING
This component is a hack: we need to modify some Joomla! core files in order to extend its ACL
capabilities. It is extremely powerful and can therefore be extremely dangerous. If you do not replace
the necessary files correctly, your Joomla! site will produce errors. It can also cause incompatibilities
with existing components and make updates much more delicate.
Choosing a hack solution to enter the field of professional sites means you will certainly have to get
your hands dirty in the source code of the Joomla! core files. If the words hack or patch do not mean
anything to you, we advise you not to continue reading this document and not to install JACLPlus. If
you wish to use Joomla! and JACLPlus with components that are not listed on our web site (please
refer to Appendix A), please consult our forum. If you do not understand the broad outline of its impact
on the operation of Joomla!, you must hold firmly to the principle that nothing is compatible except
components that have been checked and possibly patched by the JACLPlus Team. We know this is not
fun, but unfortunately it is the price to pay for the power you gain.
1.2 INSTALLATION
IMPORTANT: Before upgrading, please back up your Joomla! and its data first!
Go to our website to download the proper package. If you need to upgrade your JACLPlus from any
previous version, please download the upgrade package - com_patch_joomla!_n_jaclplus_to_1.0.9.zip.
For a new or fresh installation, please download the full installation package - com_jaclplus_1.0.9.zip.
The upgrade package will also upgrade your Joomla! to the latest version, 1.0.9 Stable. You should
install the full installation package in Joomla! 1.0.9 Stable ONLY.
Procedures:
1. Log in to your Joomla! Backend.
2. Set your Joomla! to ‘Offline’.
3. Go to Installers->Components.
4. Browse to your downloaded file and click the “Upload File & Install” button.
5. If you used the upgrade package, please uninstall the ‘Patch Component’ when done.
To manually patch the necessary files in order to upgrade your previous version of JACLPlus and
Joomla! to version 1.0.9, please download the manual patch package -
Joomla_1.0.x_to_1.0.9-Stable-Patch_Package_JACLPlus.zip. Before you patch or replace your files,
note down your previous JACLPlus Configuration settings, because your JACLPlus configuration
file, if any, will be replaced.
1.3 REQUIREMENT
TEST IT ON A FRESH INSTALLATION OF JOOMLA!
DUPLICATE YOUR ENTIRE WEB SITE AND UNDERSTAND IT BEFORE USING IT ON
YOUR PRODUCTION WEB SITE.
Frontend users are granted certain additional rights over guests, which may include the ability to create
and publish content on the web site. We can generally refer to these users as content providers since
their primary goal is to provide content on the web site, not to administer the site or alter its design.
Within this broad classification of content providers are four specific roles, which can be assigned by the
site administrator.
2.1.1.2 Author
Authors can create content, signify certain aspects of how the content is to be displayed and specify the
date for when the material should be published.
2.1.1.3 Editor
An editor has all the abilities of an author plus the ability to edit content of their own articles as well as
that of any other author.
2.1.1.4 Publisher
Publishers can perform all the duties of authors and editors plus have the ability to actually publish an
article. An article is not viewable by other users until it is published.
Backend users are typically thought of as the site administrators. Just as with the Frontend users,
Backend users may have different privileges or roles:
2.1.1.5 Manager
A manager can be thought of as a publisher with access to the backend administrator’s panel. Managers
have access to all the content associated controls in the administrator panel but are not able to change
templates, alter page layouts, or add or delete extensions (components, modules and mambots) to
Joomla!. Managers also have no authority to add users or alter existing user profiles.
2.1.1.6 Administrator
Administrators have a broader range of access than managers. In addition to all the content related
activities that a manager can perform, administrators can add and delete extensions to the web site,
Based on the classification of those different privileges or roles, Joomla! has all these default user
groups:
Public Backend
| ------- Manager
| ------------- Administrator
| ------------------- Super Administrator
The default user group for a newly signed-up user is ‘Registered’. For a Frontend user to receive any
other role, the system administrator must change the user’s group through the backend
administrator’s panel.
Registered
Items with the ‘Registered’ access level parameter are accessible only to registered users.
Special
Any user created as Author, Editor, Publisher, Manager, Administrator or Super Administrator is
considered a Special User. Items with the ‘Special’ access level parameter are accessible only to
these Special users.
2.1.2.2 Advanced Access Control
Advanced access, such as adding, editing, publishing or managing an item, is controlled by a
predefined Access Control List (ACL). The Joomla! ACL is a list of Access Control Rules (ACRs) that
govern which user groups can manage specific components or perform specific actions in Joomla! or
its components. However, it does not include a ‘CAN NOT’ list. This means that if you disable an
Access Control Rule (ACR) in the ACL, it does not override the permission granted by any previous
rule in the ACL. If one of the previous rules already enables the permission, you will not be able to
disable or override it with another ACR. Please
To extend the capability of the Joomla! user system so that you can classify more roles, JACLPlus lets
you create new user groups in Joomla!. And to let you control view or use access to your Joomla!
items with more options than the 3 default access levels (Public, Registered and Special), JACLPlus
lets you create your own access levels. Therefore, with JACLPlus, you have not only the default user
groups and the 3 access levels; you can also have many user groups and many access levels of your
own. Hence, the meanings of access levels in Joomla! with JACLPlus have to be redefined.
Therefore, if you assign the ‘Special’ access level to the ‘Registered’ user group (please refer to
“Create a User Group”), users from the ‘Registered’ group will be able to access items that are
assigned this ‘Special’ access level. In other words, items with the ‘Special’ access level are no longer
limited to Joomla! Special users only, but can be accessed by any users from user groups that have
this access level.
Joomla!, just like Mambo, uses a modified version of the third-party library phpGACL to control its
advanced access. Most of the terms used in the Joomla! ACL come from phpGACL. If you need to fully
understand the meaning of those terms, please refer to the phpGACL manual. Below are the terms
used in JACLPlus and Joomla! and their basic definitions.
In Joomla!, the AROs are the users, so the ARO value is the user group’s name. ACOs and AXOs can
be components, modules, mambots, permission actions, etc. The ACO and AXO values depend on
how we define an ACR. In Joomla!, you don’t need to fully understand the meanings of these terms in
order to create your own ACRs. All you have to know is which combination of these values controls
which kind of access in Joomla!. We will cover this in more detail in “Type of ACR and Its Meaning”.
Figure 1
After you click on the User Group Manager menu, you will see a list of user groups (Figure 2). User
groups with an asterisk are default Joomla! user groups. You cannot delete or rename them; this
preserves the integrity of the Joomla! default settings for Joomla! upgrade purposes.
Figure 2
Figure 3
In the new user group form (Figure 3), you should key in a Group Name for your new user group. This
group name should be unique.
Then choose its Parent Group from the dropdown list. We strongly recommend that you choose
‘Registered’ as the parent group for your newly created user group if it does not have any parent
group. This is more logical and gives maximum compatibility with other components.
You can select or deselect multiple access levels to be assigned to this user group by holding down
the “Ctrl” key on your keyboard and clicking with the mouse.
You can also make the user group inherit its ACL from an existing user group by selecting an
appropriate user group from the dropdown list.
In the “inherit ACL from” dropdown list, you can choose to let this group inherit its ACL from its
parent group, ‘My Group’ or any other existing user group. ‘My Group’ stands for the user group that
you are logged in with. If you are logged in as a super administrator, then ‘My Group’ will be the
“Super Administrator” group.
Once you have finished choosing all the options, press the “Save” or “Apply” button to create this new
user group.
Note: You are unable to add an ACR for a group until you have saved the group to the database.
In the edit user group form (Figure 4), you will be able to change the group name and the parent group
of that user group. If you try to edit a Joomla! default user group, you will not be able to change its
parent group or its name. However, you are still able to change the assigned access levels and to add,
enable/disable or remove ACRs for a Joomla! default user group.
To add an ACR for the user group, please select appropriate values from the dropdown lists or key in all
the appropriate values into the necessary fields and then press the [+] sign link.
To remove an ACR, press the [-] sign link beside the ACR that you want to remove.
To disable or enable an ACR, press the ‘Yes’ or ’No’ link beside the ACR that you want to disable or
enable.
Figure 5
Figure 6
In the new access level form (Figure 6), you should key in a unique name for your new access level so
that it can be easily distinguished, although you are allowed to use a duplicate name an unlimited
number of times. After you have keyed in the access level’s name, press the “Save” or “Apply” button
to create this new access level.
Note: When you create a new access level, it will be automatically assigned to the ‘Super Administrator’
group.
Figure 7
What is this property setting used for? If you have read through this manual from the beginning, you
should know that Joomla! separates its access control into two main categories: basic access control
and advanced access control. For basic access control, JACLPlus has integrated its access levels into
Joomla! without any extra database queries, which means it will not affect your Joomla! query time
much. However, for advanced access control, you need to create your own ACRs in the Joomla! ACL,
and upon user access, access checking will require some additional database queries and/or script
processing to find the answer. This will affect the page loading time. Users who don’t need advanced
access control in their Joomla! web site can use this property setting to disable advanced access
control in the com_content frontend by changing the selection to ‘No’. This avoids unnecessary
database queries and/or access checking. If you are not sure which selection to choose, just leave it
at ‘Yes’.
Figure 9
Figure 10
In Joomla!, all ACRs are predefined (fixed) in the includes/gacl.php file. JACLPlus has moved them into
the database and allows you to create your own ACRs and/or modify the existing ACRs more easily
(dynamic).
If you edit one of the default user groups, you may notice that there are already a few ACRs in those
groups (Figure 11).
Please note that, for security reasons, you are only allowed to add ACRs that your own group has.
This means that if your group doesn’t have a given kind of ACR, you will not be able to add that kind
of ACR to other user groups. If you are a super administrator, you can create or define a new ACR in
the “Super Administrator” group in order to allow it to be created in other user groups. There is one
exception: you don’t need to predefine section, category or content related ACRs in the super
administrator group in order to create them in other groups. But to add that kind of ACR, you must
have permission to manage the content items.
Note: The combination of ACO, ARO and AXO values that forms an ACR is written as ACO Section >
ACO Value > ARO Section > ARO Value > AXO Section > AXO Value > Enable, which is based on the
fields used to create an ACR in the edit user form (Figure 4).
2. action > edit > users > super administrator > content > all > Yes
This ACR allows super administrator to EDIT all contents in all sections and categories. Therefore, action
> edit > users > User Group > content > all > Yes will allow User Group to EDIT all contents in all
sections and categories. By default, when you enable a user group to EDIT contents, it will be able to
ADD new contents as well. You can use “Limit Edit ACR to Edit Item Only” property setting in JACLPlus
Configuration to prevent this.
3. action > edit > users > super administrator > content > own > Yes
This ACR allows super administrator to EDIT their OWN contents in all sections and categories.
Therefore, action > edit > users > User Group > content > own > Yes will allow User Group to EDIT their
OWN contents in all sections and categories. Some of you may notice that we have set the enable
property for this ACR to ‘No’ in the super administrator group. This is because super administrator is
already allowed to edit all contents in all sections and categories by another ACR. Therefore we don’t
need this ACR. Then why do we need to have this ACR in the super administrator group? We need it
so that super administrator can add this type of ACR to other groups, which is useful. Remember that,
for security reasons, you are only allowed to add to other groups the ACR types that your own group
has. Again, by default, when you enable a user group to edit its own contents, it will be able to ADD
new contents as well. To prevent this, you can use the “Limit Edit-Own ACR to Edit Item Only”
property setting in JACLPlus Configuration.
4. action > publish > users > super administrator > content > all > Yes
This ACR allows super administrator to Publish contents into all sections and categories. Therefore,
action > publish > users > User Group > content > all > Yes will allow User Group to Publish contents
into all sections and categories.
6. administration > edit > users > super administrator > components > all > Yes
This ACR allows super administrator to edit all components at Backend. Therefore, administration > edit
> users > User Group > components > all > Yes will allow User Group to edit all components at Backend.
7. administration > edit > users > super administrator > modules > all > Yes
This ACR allows super administrator to edit all modules at Backend. Therefore, administration > edit >
users > User Group > modules > all > Yes will allow User Group to edit all modules at Backend.
9. administration > edit > users > super administrator > user properties > block_user > Yes
This ACR allows super administrator to block user. Therefore, administration > edit > users > User Group
> user properties > block_user > Yes will allow User Group to block user.
10. administration > install > users > super administrator > components > all > Yes
This ACR allows super administrator to install components. Therefore, administration > install > users >
User Group > components > all > Yes will allow User Group to install components.
11. administration > install > users > super administrator > languages > all > Yes
This ACR allows super administrator to install languages. Therefore, administration > install > users >
User Group > languages > all > Yes will allow User Group to install languages.
12. administration > install > users > super administrator > mambots > all > Yes
This ACR allows super administrator to install mambots. Therefore, administration > install > users >
User Group > mambots > all > Yes will allow User Group to install mambots.
13. administration > install > users > super administrator > modules > all > Yes
This ACR allows super administrator to install modules. Therefore, administration > install > users > User
Group > modules > all > Yes will allow User Group to install modules.
14. administration > install > users > super administrator > templates > all > Yes
This ACR allows super administrator to install templates. Therefore, administration > install > users >
User Group > templates > all > Yes will allow User Group to install templates.
15. administration > login > users > super administrator > null > null > Yes
This ACR allows super administrator to log in at Backend. Therefore, administration > login > users > User
Group > null > null > Yes will allow User Group to log in at Backend.
IMPORTANT: Please don’t disable or remove this ACR for super administrator, or else you will not be
able to log in at Backend as a super administrator.
16. administration > manage > users > super administrator > components > com_jaclplus > Yes
This ACR allows super administrator to manage JACLPlus Component. Therefore, administration >
manage > users > super administrator > components > com_jaclplus > Yes will allow User Group to
manage JACLPlus Component.
17. administration > manage > users > super administrator > components > com_languages > Yes
This ACR allows super administrator to manage Languages Component. Therefore, administration >
manage > users > super administrator > components > com_languages > Yes will allow User Group to
manage Languages Component.
18. administration > manage > users > super administrator > components > com_massmail > Yes
This ACR allows super administrator to manage Massmail Component. Therefore, administration >
manage > users > super administrator > components > com_massmail > Yes will allow User Group to
manage Massmail Component.
19. administration > manage > users > super administrator > components > com_menumanager > Yes
This ACR allows super administrator to manage Menu Manager Component. Therefore, administration >
manage > users > super administrator > components > com_menumanager > Yes will allow User Group
to manage Menu Manager Component.
20. administration > manage > users > super administrator > components > com_templates > Yes
This ACR allows super administrator to manage Templates Component. Therefore, administration >
manage > users > super administrator > components > com_templates > Yes will allow User Group to
manage Templates Component.
22. administration > manage > users > super administrator > components > com_users > Yes
This ACR allows super administrator to manage Users Component. Therefore, administration > manage
> users > super administrator > components > com_users > Yes will allow User Group to manage Users
Component.
23. workflow > email_events > users > super administrator > null > null > Yes
This ACR allows super administrator to configure Joomla! settings. Therefore, administration > config >
users > User Group > null > null > Yes will allow User Group to configure Joomla! settings.
2. administration > edit > users > super administrator > components > com_jaclplus > Yes
This ACR was previously used to allow super administrator to manage JACLPlus Component. Since
all default components use the word “manage”, we have changed to use “manage” as
well. You can remove this ACR if you want.
2. action > add > users > super administrator > category > category_id > Yes
This ACR allows super administrator to CREATE new contents into the category with category id equal to
category_id. Therefore, action > add > users > User Group > category > category_id > Yes will allow
User Group to CREATE new contents into the category with category id equal to category_id.
3. action > edit > users > super administrator > section > section_id > Yes
This ACR allows super administrator to EDIT all contents in the section with section id equal to section_id.
Therefore, action > edit > users > User Group > section > section_id > Yes will allow User Group to EDIT
all contents in the section with section id equal to section_id.
Note: By default, if you enable a user group to EDIT content items, it will be able to ADD new contents
as well. To prevent this, you can use “Limit Edit ACR to Edit Item Only” property setting in JACLPlus
Configuration.
4. action > edit > users > super administrator > category > category_id > Yes
This ACR allows super administrator to EDIT contents in the category with category id equal to
category_id. Therefore, action > edit > users > User Group > category > category_id > Yes will allow
User Group to EDIT contents in the category with category id equal to category_id.
Note: By default, if you enable a user group to EDIT content items, it will be able to ADD new contents
as well. To prevent this, you can use “Limit Edit ACR to Edit Item Only” property setting in JACLPlus
Configuration.
5. action > edit > users > super administrator > content > content_id > Yes
This ACR allows super administrator to EDIT the content with content id equal to content_id. Therefore,
action > edit > users > User Group > content > content_id > Yes will allow User Group to EDIT the
content with content id equal to content_id.
Note: By default, if you enable a user group to EDIT content items, it will be able to ADD new contents
as well. To prevent this, you can use “Limit Edit ACR to Edit Item Only” property setting in JACLPlus
Configuration.
7. action > publish > users > super administrator > category > category_id > Yes
This ACR allows super administrator to change the publish setting for contents in the category with
category id equal to category_id. Therefore, action > publish > users > User Group > category >
category_id > Yes will allow User Group to change the publish setting for contents in the category with
category id equal to category_id.
8. action > publish > users > super administrator > content > content_id > Yes
This ACR allows super administrator to change the publish setting for the content with content id equal to
content_id. Therefore, action > publish > users > User Group > content > content_id > Yes will allow
User Group to change the publish setting for the content with content id equal to content_id.
com_letterman > can_delete > users > super administrator > null > null > Yes
com_letterman > is_editor > users > super administrator > null > null > Yes
com_letterman > is_sender > users > super administrator > null > null > Yes
virtuemart > prices > users > super administrator > null > null > Yes
These ACRs are required by the components to allow certain privileged accesses.
Then how do you determine which component requires which ACR or ACRs? The best way is to
search through the component source code and look for the $acl->acl_check function. For example,
in our JACLPlus admin.jaclplus.php file, you may find code like the following.
From the code, you will know that in order to access JACLPlus component, the user must have
administration > edit > users > user group > components > all > Yes or administration > manage > users
> user group > components > com_jaclplus > Yes ACR in his user group. By adding one of these ACRs
into his user group’s ACL, that user will be able to access JACLPlus component.
As another example, if you open the admin.newsfeeds.php file, you may find code like the following.
Again, from the code, you will know that in order to access Newsfeeds component, the user must have
administration > edit > users > user group > components > all > Yes or administration > edit > users >
user group > components > com_newsfeeds > Yes ACR in his user group. By adding one of these ACRs
into his user group’s ACL, that user will be able to access Newsfeeds component.
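The following is an added example, not JACLPlus or Joomla! code: a small Python model of the allow-only ACL this manual describes, written in the manual's ACR notation. It shows why disabling a component ACR does not revoke access while the blanket 'components > all' rule stays enabled, and it models the rule that a group may only hand out ACR types it holds itself. The function names, exact-match lookup without group inheritance, and the 'Newsroom' group are assumptions.

```python
from typing import NamedTuple, Optional

class ACR(NamedTuple):
    aco_section: str
    aco_value: str
    aro_section: str
    aro_value: str                 # user group name
    axo_section: Optional[str]
    axo_value: Optional[str]
    enabled: bool

def parse_acr(line: str) -> ACR:
    """Parse the manual's notation: ACO Section > ACO Value > ARO Section >
    ARO Value > AXO Section > AXO Value > Enable."""
    parts = [p.strip() for p in line.split(">")]
    if len(parts) != 7 or parts[6] not in ("Yes", "No"):
        raise ValueError(f"not an ACR: {line!r}")
    axo_section, axo_value = (None if p == "null" else p for p in parts[4:6])
    return ACR(*parts[:4], axo_section, axo_value, parts[6] == "Yes")

def acl_check(acl, aco_section, aco_value, aro_section, group,
              axo_section=None, axo_value=None) -> bool:
    """Allow-only lookup (assumed exact match, no inheritance): True if one
    ENABLED rule matches. A disabled rule grants nothing and denies nothing."""
    want = (aco_section, aco_value, aro_section, group, axo_section, axo_value)
    return any(r.enabled and r[:6] == want for r in acl)

def can_access_component(acl, group, component, verb="manage") -> bool:
    """The OR condition described for component access: the blanket
    'edit all components' rule or the component-specific rule is enough."""
    return (acl_check(acl, "administration", "edit", "users", group, "components", "all")
            or acl_check(acl, "administration", verb, "users", group, "components", component))

def ineffective_disables(acl):
    """Disabled component rules whose access the blanket rule still grants."""
    return [r for r in acl
            if not r.enabled and r.aco_section == "administration"
            and r.aco_value in ("edit", "manage") and r.axo_section == "components"
            and can_access_component(acl, r.aro_value, r.axo_value, r.aco_value)]

def may_grant(acl, actor_group, rule: ACR) -> bool:
    """Delegation guard: the actor's group must hold the same ACR type.
    Enabled or not is irrelevant; only the ARO value (target group) differs.
    The section/category/content exception is not modelled here."""
    kind = lambda r: (r.aco_section, r.aco_value, r.aro_section, r.axo_section, r.axo_value)
    return any(r.aro_value == actor_group and kind(r) == kind(rule) for r in acl)

# Constructed sample ACL; 'Newsroom' is a hypothetical custom group.
SAMPLE = """\
administration > login > users > super administrator > null > null > Yes
action > edit > users > super administrator > content > own > No
administration > edit > users > Newsroom > components > all > Yes
administration > manage > users > Newsroom > components > com_jaclplus > No
"""
ACL = [parse_acr(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    print("Newsroom reaches com_jaclplus:", can_access_component(ACL, "Newsroom", "com_jaclplus"))
    for r in ineffective_disables(ACL):
        print("disabled but still effective:", " > ".join(str(v) for v in r[:6]))
    wanted = parse_acr("action > edit > users > Newsroom > content > own > Yes")
    print("super administrator may grant edit-own:", may_grant(ACL, "super administrator", wanted))
```

Running an audit like `ineffective_disables` over an export of the ACL table is a quick way to find "disabled" rules that give a false sense of restriction.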
To avoid misleading JACLPlus users, we are not going to provide a compatibility list here. This is
because almost all Joomla! extensions (components, modules, mambots or hacks) can in fact be used
together with JACLPlus; some of them might just need to be patched for security reasons. Since there
are almost a thousand Joomla! extensions out there, it is nearly impossible for the JACLPlus Team to
check and test all of them for compatibility and create patches where necessary. For this reason, you
should always refer to our website for the latest update information. Normally, the JACLPlus Team will
check the compatibility of the most popular extensions, such as Community Builder, Joomlaboard,
VirtueMart, SMF Bridge, etc.