Simple ACL

Simple ACL Logo
SimpleACL for Joomla helps you to restrict front-end access to particular user/section combinations. You can independently set permission to read, insert and update content items based on the section they belongs to.

The component does not override default Joomla roles, those roles are always checked first.

SimpleACL plays only with default com_content component and doesn’t affect other components or modules.

You can set a default access permission and selectively enable/block users to access content items in selected sections.

What can I do with this component?

A typical scenario:

  • Your site is a company site and the company has several departments.
  • Every department has a user who is in charge for editing web content for the department.
  • Every department has its own section for content items.
  • Users should only be able to edit content in their own department.
  • There is a user who is the public relation manager, he must be able to edit content in all sections (without being Administrator).
  • There are some section whose content should be readable only by selected users.

With SimpleACL you can set permissions to selected section/user combinations (or even to “Joomla! standard groups”/section combinations), this allows you to implement such a fine grained access control.

See also Simple ACL recipes (work in progress)

How it works?

SimpleACL works with an independent database table that hold the permissions for user/section combinations. A system plugin checks those access rules when the user access a content item from the front-end.

If you want to know more about the internals of Simple ACL and how it works, please see Decision Flowchart.

Please note that…

  1. Default Joomla roles are not overridden and are always checked first.
  2. SimpleACL works in the front-end only
  3. Only authenticated users are checked for ACLs
  4. “Administrator” or “Super Administrator” user are not checked for ACLs.
  5. Group support for standard Joomla! groups (author, editor, publisher…) is also available
  6. Custom groups creation is not supported (but you won’t miss it!)

License and costs

Simple ACL for Joomla 1.5 is free software (“free” as in “free speech”), licenced under Affero General Public License but I distribute it only in bundle with paid 12 month support service that costs 45 €.

Together with 12 months support you will get lifetime software updates, that means that you can pay just once and use the software forever in how many Joomla installations you like.

Please use the donation link at the top and middle of this page, you will immediately receive a download link.

Thank you for supporting free software and Joomla Simple ACL project!

Translations

They go in a language file, at the moment only English is in the distribution.

If you need more information about the Simple ACL, please read the FAQ at the bottom of this page.

What’s new in version G.x series

This new version brings many enhancements:

  • limited group support (groups are standard Joomla groups such as “registered”, “author” etc.)
  • check/uncheck all actions when editing ACLs
  • Admin users will not be shown in the user list when creating ACLs
  • limited menu integration
  • ACL menu module  (a mod_mainmenu which knows about ACLs)
  • ACL section module (a mod_sections which knows about ACLs)
  • DB backward compatible (will not overwrite your existing ACLs, but make a backup first)

Let’s give a closer look to some of the coolest new features…

Limited group support

You can now add ACLs to the following standard Joomla user groups:

  • registered
  • author
  • editor
  • publisher
  • manager

In case of ACL conflicts between group-ACLs and user-ACLs, the second will always prevail.

Menu integration

Many of you have asked for an ACL-aware menu.

You can now enable menu integration as an experimental option in Simple ACL configuration.

If you enable this option, Simple ACL will try to hide menu items that point to articles, sections or categories that are not accessible by the logged in user.

In some cases, it can happen that all menu items are hiddden, in this case the user will see an empty menu list, but Simple ACL will not be able to hide the title of the menu itself because it operates at a different level in the joomla processing flow.

New: ACL menu and section modules!

In addition to the “Menu integration” above, the package now contains two ACL modules (aclmenus and aclsections), to be used instead of standard Joomla! mod_mainmenu and mod_sections.

Using this new modules you can have menus and sections lists that  know when a menu item or a section can be accessed by the user, and can hide it accordingly.

Screenshots

FAQ

Is this thing “stable” ?

Yes, sure. It’s now used on several production websites.

Can I limit access to a category instead of a section?

Not in the current version.
I will eventually implement it in a future version (but please don’t ask me when :) )

Will Simple ACL alter in any way menu items or search results depending on user ACLs ?

Yes, Simple ACL comes with some companion plugins to hide unaccessible items from search results as well as from menus and section module (mod_sections).

How will I receive the software after the donation?

After a successful payment, you will receive a download link via email.

The email is automatically sent immediately after a successful payment, please check your spam folder if you don’t receive it in a few minutes.

Why should I pay for a free software component?

I think an explanation is needed: in my career I developed a couple of free (“free” as in “free speech”) software projects (KMLMapserver, MapStorer, Joomla FAP, SWFslideshow to cite a few), all of them are also “free” as in “free lunch” but in more than ten years I did not receive one cent as a donation, most of the time those projects were funded by one or more of my customers.

After keeping Simple ACL unpublished for a while, I simply felt I couldn’t spend time to publish, promote and give assistance on another free software project for nothing, I was simply dedicating too much time in open-source free projects without receiving back any money.

That’s why instead of keeping Simple ACL hidden in my desktop I decided to distribute it for a small fee, please note that this fee goes to cover the plain costs of assistance (answering to emails, writing documentation etc.) and development of Simple ACL, I will certainly not get rich with this fees.

This is not in contrast with free-software philosophy: GNU Free Software Foundation philosophy not only says that you can distribute free software for money, but encourage you to do so:

http://www.fsf.org/licensing/licenses/gpl-faq.html#DoesTheGPLAllowMoney

http://www.gnu.org/philosophy/selling.html

Can I distribute or sell Simple ACL?

Yes, you can. But doing so, you will probably provoke a stop in the development of Simple ACL, since I will not raise enough funds to cover the costs of its development.

It’s up to you.

Is this fee an yearly fee?

No, you donate once, you get the software and one year email assistance to set it up. That’s all.
I will send you all the future versions of the component (if any) for free.

“Delete” ACL rule doesn’t work

True, but this is not my fault, Joomla does not allow article deletion from the font-end, hence this rule is useless at the moment (but I have implemented it in case future Joomla versions support deletion from the front-end).

Why “Simple” ?

Well, because the objectives of this project were limited:

  • do not touch the core of Joomla
  • be unobstrusive: you can install and remove the component without consequences
  • do not interfere with standard Joomla user and permissions: Simple ACL respect standard Joomla permissions levels, and only acts after Joomla has done its checks and controls
  • solve a simple problem: let selected users to access and/or edit selected sections

I have 1000 users and 1000 sections, does Simple ACL suit my needs?

Probably not: Simple ACL does not support user defined (custom) groups, this mean that you should set up 1000 ACL’s to bind your 1000 users to their 1000 sections. This is just unpractical.
The latest version has limited group support. You can now add ACLs to the following standard Joomla user groups:

  • registered
  • author
  • editor
  • publisher
  • manager

In case of ACL conflicts between group-ACLs and user-ACLs, the second will always prevail (see the Decision Flowchart scheme for details).

What kind of default access policy should I choose?

Simple ACL allows you to configure a default access policy on the individual actions (Create, Update, Retrieve and Delete (the lattest not being implemented in Joomla front-end at the moment).

Please remember that Simple ACL rules apply only to registered users, by keeping this in mind you could have two main scenarios (other scenarios or combinations are of course possible):

1 – Your website is completely public (everybody can see everything) but you have (for example) three authors (A, B, C) and two sections (A, B). You want user A to edit only section A, user B to edit only section B and user C to edit both. In this case, you would

  • create users A, B and C as authors (or editor or publisher)
  • set Joomla standard access to “public” for sections A, B and C (this is the default)
  • set Simple ACL default access policy to Retrieve=Allow, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user B/section B to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section B to allow all actions (Create, Retrieve, Update, Delete)

2 – Your website is mainly public, but you have some private sections that you want to be accessible only from selected users. You have (for example) three authors (A, B, C) and two private sections (A, B) and you want user A able to read (and not edit) section A, user B able to read (and not edit) section B, user C able to read (and not edit) all three sections. In this case, you would

  • create users A, B and C as registered (remember, they don’t need to edit anything, just read)
  • create sections A, B and C and set standard Joomla access level to “registered” otherwise all user (included A and B) would be able to read section A and B while not authenticated (logged in)
  • set Simple ACL default access policy to Retrieve=Deny, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow Retrieve and deny all other actions
  • create one ACL for user B/section B to allow Retrieve and deny all other actions
  • create one ACL for user C/section A to allow Retrieve and deny all other actions
  • create one ACL for user C/section B to allow Retrieve and deny all other actions

Why two different plugins?

System plugin must always be installed and activated otherwise Simple ACL will not work.

Content plugin is only useful when both of the following conditions apply:

  • in your default access policy (as set in component parameters window) Retrieve=deny
  • and you have a mixture of articles coming from allowed and denied sections in the front page

If given the conditions above you don’t activate the content plugin, a single denied article in the front page will deny the whole page.

What happens when a logged in user try to access/edit a denied page?

A “denied page” means a page containing an article that belongs to a section non accessible by that user because of Simple ACL restrictions.
The user will be redirected to a page generated by Simple ACL component (or to an URL of your choice, you can configure the URL through the component parameters configuration in the control panel). The generated deny page shows the deny message that you can change through the Simple ACL parameters settings in the control panel. The page shows also the default Simple ACL policy and the existing ACLs for that user so the user can see exactly which sections he can access.

78 Responses to “Simple ACL ready for Joomla 1.5”

  • Louise

    @Alessandro

    Thanks so much for your detailed answer, its really helpful.

    I will keep a look out for ACL-aware in the future!!

    Louise

  • Alessandro Pasotti

    @Louise,

    We have developed the ACL-aware Sections module, it’s currently under testing and will be released within the main package in a few days.

    Of course all previous customers will receive it immediately after our quality controls are passing.

  • sky

    I have 1000 users in registered group, and I want to grant 20 of them the right to edit certain section’s contents. Can SimpleACL does this?

  • Alessandro Pasotti

    @sky

    Simple ACL will not support ACL on categories in the near future.

    To answer your second question: no, because Simple ACL do not override standard Joomla role access control and Joomla does not allow a “registered” user to edit anything, “author” level is the minimum role to edit something in Joomla.

  • Kailey

    Does simple ACL allow publishers to publish new content to a specific section rather then just be able to edit it?

  • Alessandro Pasotti

    @Kailey

    No, sorry, there is no demo.

    As for your second question, I would say yes. Let me explain how it works.

    You can configure Simple ACL (SACL) to deny by default all “insert/create” actions. Then you can create an ACL to allow your publisher users (all of them or just a selected set) to “insert/create” content in one or a few selected sections.

    When the publisher will try to “insert/create” an article from the front-end he will be presented the full list of sections (no apparent changes in the interface so far) but if they choose a section they are not allowed to publish in, SACL redirect them to an error page (default is a page with a configurable message and a list of existing ACLs for that user, you can also choose a custom URL as the error page).

  • Bill Speary

    I want to give a client access to Joomla 1.5 BACKEND. BUT I don’t want him to change ANYTHING.

    Any way to do this usin ACL??
    Bill

  • Alessandro Pasotti

    @Jeff:

    No: the edit icon is generated from the template, given the fact that there are thousands of different Joomla! templates, there is no possibility to control this behavior from a component or a plugin.

  • Andrew

    I need to develope a website for a Diabetic Clinic. A patient must be able to log in and see their test results. Obviously the page with the test results must be private and only viewable to the patient.

    Can I do that with this plugin?

  • Alessandro Pasotti

    @Andrew:

    Yes, see recipe 3 here:
    http://www.itopen.it/2010/03/13/joomla-simple-acl-recipes/

    Please keep in mind that:
    * you will need one section for each user
    * you will need to create one ACL rule for each user/section combination
    * Simple ACL security is not military-grade: attachments will be accessible by direct links (security through obscurity)

    To create a menu link to the user’s (patient’s) “private” section you can use the new “aclsections” module, provided with Simple ACL, this module shows only sections to which the user has access, so the patient will see only the link to his private section.

    Regards.

  • litsa

    Hello,

    I want to build a website for a English language center. Is it possible if I use your extension, to give access for each user (parent) to a specific article (about their kid only). I will also like, the user not to see what other students exist in the system. Is that possible?

  • Simona

    Salve, avrei una domanda: in un sito devo poter gestire privilegi diversi per gli utenti in lettura, nello specifico: gli agenti devono poter consultare alcune sezioni, i clienti altre (che in realtà confluiscono in un’unica e generica area riservata).
    Il vostro plug-in mi permetterebbe di gestire questa situazione?
    Grazie mille!

  • Alessandro Pasotti

    @Simona,

    in linea di massima, si. Però non è possibile creare gruppi custom, quindi o crei dei record ACL per ciascun utente definendo quale sezione può consultare oppure assegni le due tipologie di utente ad uno dei “gruppi” standard Joomla (registered, author, editor ecc.) e crea una ACL per il “gruppo”.

  • Hadi

    I need a demo to explore your component features.
    Is it possible to have a control to any specific links at the backend, so i can set the permission for particular groups/users?
    For example, I have some events on Civicrm component, and I need to restrict to any particular Event so that only the Event which belong to a group can be viewed by the user on that group.

  • Alessandro Pasotti

    @Hadi,

    sorry, there is no demo available. Also I don’t think that SimpleACL is useful for you, it does not allow to restrict arbitrary links because it is only active on Joomla standard sections.

  • Deirdre

    Hi Alessandro

    I have set up simple ACL on an intranet & have restricted access to one section. I want to be able to prompt the user to login when they click on this section. I tried to do this using acl redirect in the component parameters but it is not working. It just displays 403 page you are not authorised to view this resource

    Is there a way around this? thanks

Trackbacks/Pingbacks

  1.  ItOpen - Open Web Solutions, WebGis Development » Blog Archive » Simple ACL for Joomla
  2.  ItOpen – Open Web Solutions, WebGis Development » Blog Archive » Joomla Simple ACL recipes

Leave a Reply

Your email address will not be published.