Simple ACL

SimpleACL for Joomla helps you restrict front-end access to particular user/section combinations. You can independently set permissions to read, insert and update content items based on the section they belong to. The component does not override the default Joomla roles; those roles are always checked first. SimpleACL works only with the default com_content component and doesn’t affect other components or modules. You can set a default access permission and selectively allow or block users’ access to content items in selected sections.

What can I do with this component?

A typical scenario:
  • Your site is a company site and the company has several departments.
  • Every department has a user who is in charge of editing web content for the department.
  • Every department has its own section for content items.
  • Users should only be able to edit content in their own department.
  • There is a user who is the public relations manager, who must be able to edit content in all sections (without being Administrator).
  • There are some sections whose content should be readable only by selected users.
With SimpleACL you can set permissions on selected section/user combinations (or even on “Joomla! standard groups”/section combinations), which allows you to implement this kind of fine-grained access control. See also Simple ACL recipes (work in progress).

How does it work?

SimpleACL works with an independent database table that holds the permissions for user/section combinations. A system plugin checks those access rules when the user accesses a content item from the front-end. If you want to know more about the internals of Simple ACL and how it works, please see the Decision Flowchart.

Please note that…

  1. Default Joomla roles are not overridden and are always checked first.
  2. SimpleACL works in the front-end only.
  3. Only authenticated users are checked for ACLs.
  4. “Administrator” or “Super Administrator” users are not checked for ACLs.
  5. Group support for standard Joomla! groups (author, editor, publisher…) is also available
  6. Custom groups creation is not supported (but you won’t miss it!)

License and costs

Simple ACL for Joomla 1.5 is free software (“free” as in “free speech”), licenced under the Affero General Public License, but I distribute it only bundled with a paid 12-month support service that costs 45 €. Together with 12 months of support you get lifetime software updates, which means that you pay just once and can use the software forever in as many Joomla installations as you like. Please use the donation link at the top and middle of this page; you will immediately receive a download link. Thank you for supporting free software and the Joomla Simple ACL project!

Translations

Translations go in a language file; at the moment only English is in the distribution. If you need more information about Simple ACL, please read the FAQ at the bottom of this page.

What’s new in version G.x series

This new version brings many enhancements:
  • limited group support (groups are standard Joomla groups such as “registered”, “author” etc.)
  • check/uncheck all actions when editing ACLs
  • Admin users will not be shown in the user list when creating ACLs
  • limited menu integration
  • ACL menu module  (a mod_mainmenu which knows about ACLs)
  • ACL section module (a mod_sections which knows about ACLs)
  • DB backward compatible (will not overwrite your existing ACLs, but make a backup first)
Let’s take a closer look at some of the coolest new features…

Limited group support

You can now add ACLs to the following standard Joomla user groups:
  • registered
  • author
  • editor
  • publisher
  • manager
In case of conflicts between group ACLs and user ACLs, the user ACL always prevails.

Menu integration

Many of you have asked for an ACL-aware menu. You can now enable menu integration as an experimental option in the Simple ACL configuration. If you enable this option, Simple ACL will try to hide menu items that point to articles, sections or categories that are not accessible by the logged-in user. In some cases all menu items may end up hidden; the user will then see an empty menu list, because Simple ACL cannot hide the title of the menu itself: it operates at a different level in the Joomla processing flow.

New: ACL menu and section modules!

In addition to the “Menu integration” above, the package now contains two ACL modules (aclmenus and aclsections), to be used instead of the standard Joomla! mod_mainmenu and mod_sections. Using these new modules you can have menus and section lists that know when a menu item or a section can be accessed by the user, and can hide it accordingly.

FAQ

Is this thing “stable”?

Yes, sure. It’s now used on several production websites.

Can I limit access to a category instead of a section?

Not in the current version. I will eventually implement it in a future version (but please don’t ask me when 🙂 )

Will Simple ACL alter menu items or search results in any way depending on user ACLs?

Yes, Simple ACL comes with some companion plugins to hide inaccessible items from search results as well as from menus and the section module (mod_sections).

How will I receive the software after the donation?

After a successful payment, you will receive a download link via email. The email is automatically sent immediately after a successful payment, please check your spam folder if you don’t receive it in a few minutes.

Why should I pay for a free software component?

I think an explanation is needed: in my career I developed a couple of free (“free” as in “free speech”) software projects (KMLMapserver, MapStorer, Joomla FAP, SWFslideshow to cite a few). All of them are also “free” as in “free lunch”, but in more than ten years I did not receive one cent as a donation; most of the time those projects were funded by one or more of my customers. After keeping Simple ACL unpublished for a while, I simply felt I couldn’t spend time to publish, promote and give assistance on another free software project for nothing; I was simply dedicating too much time to open-source free projects without receiving back any money. That’s why, instead of keeping Simple ACL hidden on my desktop, I decided to distribute it for a small fee. Please note that this fee goes to cover the plain costs of assistance (answering emails, writing documentation etc.) and development of Simple ACL; I will certainly not get rich with these fees. This is not in contrast with free-software philosophy: GNU Free Software Foundation philosophy not only says that you can distribute free software for money, but encourages you to do so: http://www.fsf.org/licensing/licenses/gpl-faq.html#DoesTheGPLAllowMoney http://www.gnu.org/philosophy/selling.html

Can I distribute or sell Simple ACL?

Yes, you can. But doing so, you will probably provoke a stop in the development of Simple ACL, since I will not raise enough funds to cover the costs of its development. It’s up to you.

Is this fee a yearly fee?

No, you donate once, you get the software and one year email assistance to set it up. That’s all. I will send you all the future versions of the component (if any) for free.

“Delete” ACL rule doesn’t work

True, but this is not my fault: Joomla does not allow article deletion from the front-end, hence this rule is useless at the moment (but I have implemented it in case future Joomla versions support deletion from the front-end).

Why “Simple” ?

Well, because the objectives of this project were limited:
  • do not touch the core of Joomla
  • be unobtrusive: you can install and remove the component without consequences
  • do not interfere with standard Joomla users and permissions: Simple ACL respects standard Joomla permission levels, and only acts after Joomla has done its checks and controls
  • solve a simple problem: let selected users access and/or edit selected sections

I have 1000 users and 1000 sections, does Simple ACL suit my needs?

Probably not: Simple ACL does not support user defined (custom) groups, which means that you would have to set up 1000 ACLs to bind your 1000 users to their 1000 sections. This is just impractical. The latest version has limited group support. You can now add ACLs to the following standard Joomla user groups:
  • registered
  • author
  • editor
  • publisher
  • manager
In case of conflicts between group ACLs and user ACLs, the user ACL always prevails (see the Decision Flowchart scheme for details).

What kind of default access policy should I choose?

Simple ACL allows you to configure a default access policy for each individual action: Create, Update, Retrieve and Delete (the latter is not implemented in the Joomla front-end at the moment). Please remember that Simple ACL rules apply only to registered users. Keeping this in mind, there are two main scenarios (other scenarios or combinations are of course possible):

1 – Your website is completely public (everybody can see everything) but you have (for example) three authors (A, B, C) and two sections (A, B). You want user A to edit only section A, user B to edit only section B and user C to edit both. In this case, you would

  • create users A, B and C as authors (or editor or publisher)
  • set Joomla standard access to “public” for sections A, B and C (this is the default)
  • set Simple ACL default access policy to Retrieve=Allow, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user B/section B to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section B to allow all actions (Create, Retrieve, Update, Delete)

2 – Your website is mainly public, but you have some private sections that you want to be accessible only by selected users. You have (for example) three authors (A, B, C) and two private sections (A, B) and you want user A to be able to read (and not edit) section A, user B to be able to read (and not edit) section B, and user C to be able to read (and not edit) all three sections. In this case, you would

  • create users A, B and C as registered (remember, they don’t need to edit anything, just read)
  • create sections A, B and C and set the standard Joomla access level to “registered”, otherwise all users (including A and B) would be able to read sections A and B while not authenticated (logged in)
  • set Simple ACL default access policy to Retrieve=Deny, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow Retrieve and deny all other actions
  • create one ACL for user B/section B to allow Retrieve and deny all other actions
  • create one ACL for user C/section A to allow Retrieve and deny all other actions
  • create one ACL for user C/section B to allow Retrieve and deny all other actions
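
The lookup order behind both scenarios, modelled as an added PHP example (not Simple ACL's own code): guests and administrators are skipped, then a user ACL, then a group ACL, then the default policy decides. The array layout, the function names sacl_rule and sacl_decide, and the sample users and sections are assumptions made for this illustration.

```php
<?php
// Added illustration, not Simple ACL source code. Array layout, function
// names and sample users/sections are constructed for this example.

const SACL_UNCHECKED_GROUPS = ['Administrator', 'Super Administrator'];

/** One ACL row: allow (true) or deny (false) for each of the four actions. */
function sacl_rule(bool $create, bool $retrieve, bool $update, bool $delete): array
{
    return ['create' => $create, 'retrieve' => $retrieve,
            'update' => $update, 'delete' => $delete];
}

/**
 * Decide one front-end action. Assumes Joomla's own access level check
 * (public / registered / special) has already run and let the request through.
 *
 * @param array|null $user null for a guest, else ['name' => ..., 'group' => ...]
 * @return array ['allow' | 'deny' | 'not checked', reason]
 */
function sacl_decide(?array $user, string $section, string $action, array $cfg): array
{
    if ($user === null) {
        return ['not checked', 'guest: only the Joomla access level applies'];
    }
    if (in_array($user['group'], SACL_UNCHECKED_GROUPS, true)) {
        return ['not checked', 'administrators are outside ACL control'];
    }
    // First match wins: user ACL, then group ACL, then the default policy.
    $userRule = $cfg['user'][$user['name']][$section] ?? null;
    if ($userRule !== null) {
        return [$userRule[$action] ? 'allow' : 'deny', 'user ACL'];
    }
    $groupRule = $cfg['group'][$user['group']][$section] ?? null;
    if ($groupRule !== null) {
        return [$groupRule[$action] ? 'allow' : 'deny', 'group ACL'];
    }
    return [$cfg['default'][$action] ? 'allow' : 'deny', 'default policy'];
}

$all      = sacl_rule(true, true, true, true);
$readOnly = sacl_rule(false, true, false, false);
$nothing  = sacl_rule(false, false, false, false);

// Scenario 1: public site, each author edits only the listed sections.
$scenario1 = [
    'default' => $readOnly,
    'group'   => [],
    'user'    => ['A' => ['A' => $all], 'B' => ['B' => $all],
                  'C' => ['A' => $all, 'B' => $all]],
];
// Scenario 2: private sections, closed by default, read-only grants.
$scenario2 = [
    'default' => $nothing,
    'group'   => [],
    'user'    => ['A' => ['A' => $readOnly], 'B' => ['B' => $readOnly],
                  'C' => ['A' => $readOnly, 'B' => $readOnly]],
];
// Conflict: a group ACL opens section A to all authors, a user ACL closes it for B.
$conflict = [
    'default' => $readOnly,
    'group'   => ['author' => ['A' => $all]],
    'user'    => ['B' => ['A' => $readOnly]],
];

$authorA = ['name' => 'A', 'group' => 'author'];
$authorB = ['name' => 'B', 'group' => 'author'];
$readerA = ['name' => 'A', 'group' => 'registered'];

$checks = [
    ['scenario 1', $scenario1, $authorA, 'A', 'update'],
    ['scenario 1', $scenario1, $authorA, 'B', 'update'],
    ['scenario 1', $scenario1, $authorA, 'B', 'retrieve'],
    ['scenario 2', $scenario2, $readerA, 'A', 'retrieve'],
    ['scenario 2', $scenario2, $readerA, 'B', 'retrieve'],
    ['scenario 2', $scenario2, null,     'B', 'retrieve'],
    ['conflict',   $conflict,  $authorA, 'A', 'update'],
    ['conflict',   $conflict,  $authorB, 'A', 'update'],
];
foreach ($checks as [$label, $cfg, $user, $section, $action]) {
    [$verdict, $reason] = sacl_decide($user, $section, $action, $cfg);
    printf("%-10s %-5s %-8s section %s: %-11s (%s)\n", $label,
           $user['name'] ?? 'guest', $action, $section, $verdict, $reason);
}
```

The guest row in scenario 2 comes back as “not checked” rather than “deny”, which is why that scenario has you set the Joomla access level of the private sections to “registered”.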

Why two different plugins?

The system plugin must always be installed and activated, otherwise Simple ACL will not work. The content plugin is only useful when both of the following conditions apply:
  • in your default access policy (as set in the component parameters window) Retrieve=deny
  • and you have a mixture of articles coming from allowed and denied sections on the front page
If, given the conditions above, you don’t activate the content plugin, a single denied article on the front page will deny the whole page.

What happens when a logged-in user tries to access/edit a denied page?

A “denied page” means a page containing an article that belongs to a section not accessible by that user because of Simple ACL restrictions. The user will be redirected to a page generated by the Simple ACL component (or to a URL of your choice; you can configure the URL through the component parameters configuration in the control panel). The generated deny page shows the deny message, which you can change through the Simple ACL parameters settings in the control panel. The page also shows the default Simple ACL policy and the existing ACLs for that user, so the user can see exactly which sections he can access.

78 Responses to “Simple ACL ready for Joomla 1.5”

  • Prea Markovic

    Hello,

    Is it possible with “simple ACL” to make articles that are only visible to one user?
    I would like to generate for each of my customers page with info considering only them.

  • Alessandro Pasotti

    @Prea

    this can be done with Simple ACL: you can set default access policy to Retrieve=deny so that registered users (remember: Simple ACL has no effect on “guests”) will not have access to any section while logged in.

    Then you can set up an ACL rule for each customer to give him Retrieve=allow access to their personal section.

    Using a combination of Joomla standard access level (public, registered, special) and Simple ACL rules you can achieve many complex access control setups.

  • Pawel

    Simple ACL is working very satisfactory on my Web page.
    Of course it would be better to have the same possibilities on categories. Now the only way is to create new sections instead of categories, and a bigger site gives you more trouble with internal structure.
    Please think about it – the way how to do it isn’t very complicated, is it?

  • Alessandro Pasotti

    @Pawel,

    it’s more complicated than you can imagine…
    … if you want a bullet-proof solution that can work with both sections and categories in all the kinds of scenarios in which people are using Simple ACL at the time being.

    Of course, IF (you just need categories AND you are satisfied with a quick hack AND you can do some PHP coding) THEN you could do it in a couple of hours (testing included) 🙂

  • wanted

    Do you have a trial version for Joomla 1.5.10 that works on PHP4?
    I’ve tried many kinds of CAL but they don’t seem to work well.

  • Alessandro Pasotti

    @wanted

    no, sorry there is not a trial version.

    PHP4 is supported (but not recommended!) in the stable version only.

    New beta version was not (yet) tested on PHP4 but I would expect it will work without problems.

  • Kathy

    I am working on a medical tourism website where I will have public access to view some basic pages/articles and registered users who will be able to view only more detailed pages/articles. Then I need a third level of users who can access and modify perhaps only information regarding their trip. No one else can view their information unless authorized by the client–say a relative or friend they want to be aware of their trip information. This means the search function must not bring up their profiles and pages/articles.

    It looks like I can set up a section for each user and restrict access to just that user, much like access to bank account information. Right?

    Can Simple ACL work to provide this? I am not a programmer so I need a plugin that is easily modified and set up.

    Thanks.

    Kathy

  • Alessandro Pasotti

    @Kathy,

    Yes, Simple ACL will do what you want: you will deny access to all as default ACL policy, create one section for each user, set up an ACL to grant access to that user, and only that user will be able to read/search and optionally edit or create content in that section.

    And yes, Simple ACL is really “simple” to install and configure, this is its unique selling point, after all: do one thing and do it well and easily.

    That said, be warned that Simple ACL was not built with military grade security in mind. This means that if you put a reserved document (say a PDF) in one of the reserved pages and an unauthorized user knows the exact document URL, nothing will prevent her/him from downloading the document if she/he enters the URL directly in the browser address bar.

  • David

    I surely know this question has been asked and answered but not in the way my brain is working, so…

    Can I set/restrict my Authors to only be able to ‘see’ certain sections/categories and thus be only able to write to those restricted sections/categories.

    eg – on my Site I have

    Sections: A, B, C, D, E, F, G

    I want to allow Authors the ability to ONLY write for Sections: A, B, G

    (I still wish to retain Admin control over final publishing for public viewing)

    Thanks

    David

  • Alessandro Pasotti

    @David,

    yes, of course it’s possible. It’s just a matter of setting the right ACLs.

    Set default configuration to Create=Deny, Retrieve=Allow, Update=Deny
    Create 3 ACLs to Create=Allow and Update=Allow for group Author and sections A,B,G

  • Alexis

    Hello! I just saw this “The latest version has limited group support. You can now add ACLs to the following standard Joomla user groups:
    registered
    author
    editor
    publisher
    manager”.

    it might be silly of me to ask, but just to be sure… Does that mean that Simple ACL doesn’t support the creation of other user groups??

    Thanks,

    Alexis

  • Alessandro Pasotti

    @Alexis

    Simple ACL does not support custom user-defined groups.

    You can create ACLs for

    * single user / single section
    * standard Joomla groups (author, editor etc.) / single section
    * default

    These ACLs offer a broad range of use cases but Simple ACL is not the solution for *all* ACL problems, it’s “Simple” after all.

  • Alexis

    Got it! Thank you very much for your reply, as I was saying it was just to be sure. Good luck!

  • Christian

    Hello,

    Is your tool useful for my site?

    The situation is:

    About 10 people (group registered, status publisher) should be allowed to edit and insert news only in one defined category with the frontend editor. The articles in this news category are viewable by public and the first five articles are shown also on the frontpage.

    They should not be allowed to change (edit, delete) public articles in other categories (rest of the site) when they are logged in to the frontend.

  • Alessandro Pasotti

    Yes, Simple ACL will do it but only if you change category into a section: Simple ACL works with sections, not with categories (of course you can create a section with a single category for this purpose).

    You will
    * set default Simple ACL parameters to allow retrieve and deny all other actions
    * create an ACL for standard group “publishers” to grant edit and insert for your defined section

  • Anders

    I’m using Simple ACL, and it works great. But I have given some editors the right to publish to one section and category on the page, but I have to approve the articles before they are published.

    How do I make them published automatically?

    Thanks.

  • Blain Ingram

    1. Does Simple ACL work with CB registration?
    2. Is there a way to test this with a short trial period and then registration key. I am tired of getting burned by the paid stuff. Oddly enough the free stuff ends up being more stable? Just paid for Juga…a waste of time and money.

  • Alessandro Pasotti

    @Blain:

    1 – I haven’t tested, so I assume No.
    2 – No, sorry. I guarantee Simple ACL works as advertised, but feel free to ask for more information about Simple ACL: describe your use case and I will honestly tell you if Simple ACL will do the job.

    Simple ACL is fine for a broad range of use cases, but of course it’s not a solution for *all* ACL problems.

  • Alessandro Pasotti

    @WWW

    In theory, yes: the “delete” action is checked by Simple ACL (post-mortem as all other actions).

    Since the “delete” function is not available in front-end this feature is untested.

    What extension are you thinking of installing?

  • Beck

    I’ve just used SimpleACL on a site with approx 30 registered users. The users require read access only to different sections, on account of the fact that they are members of different committees, sub committees. I had about 8 sections in total.

    I had to create approx 100 ACL but given that each one took seconds to create, it really wasn’t too onerous a task. It took me about 45 minutes to create the ACL’s from the first to the last.

    Thanks for this extension, I’m really pleased with how it does exactly what I want.

  • Paul

    Hi Alessandro

    I need guest and registered levels of access for my site but need a third for “special members” to access the forum.

    Looking at a tip on a board, I thought about using Editor (i.e. Special level) and then restricting their ability to edit. I only want the admins to edit.

    Will your software allow me to restrict editing on all pages by editors (and remove the edit icon from the page)?

    My thanks

  • Alessandro Pasotti

    @Paul

    You’d better use “Author” instead of “Editor” and yes, Simple ACL will do fine in preventing authors from creating new content (or editing existing content), but Simple ACL will not be able to remove the edit icon because this icon is generated in the template (it’s something you can fix easily by editing the template code or with a template override).

    When an unauthorized user clicks on the edit icon he will be redirected to the “deny” page (where you can put your own text).

  • howard

    Hi Alessandro

    We have SimpleACL up and working fine. Great job.

    Is it possible to use a redirect instead of the SimpleACL error page? We would like to send the user back to the home page.

  • Anonymous

    @Howard

    Yes, this is now possible: you can specify in the Simple ACL configuration parameters a URL where users are redirected when they try to do a denied action.

    You can change the redirect as you wish.

    For the homepage, just leave “index.php”.

  • BTS

    Hi, I am wondering how you integrate this with DOCMan? Any guidance would be appreciated. Thanks!

  • Noster

    Before I acquire Simple ACL, I need to know if I can do the following:

    -I want to have an area in my site where clients can see information related to them. For example, I want to have a common tab “client access”. If client “A” clicks that tab, he will see his information, with other tabs related to his account. If client “B” clicks the tab, he will see only his information. Information of Client A will be very different to the information of client B.

    I understand that I would have to register and give access to every client manually, it’s not a problem.

    Is this possible?

  • Alessandro Pasotti

    @Noster:

    Simple ACL does one simple thing (and does it well): control user access to sections (and categories or articles below the section); what you put in your section or category articles doesn’t matter.

    There is limited menu item support: if you create a menu item that points to an article, a section or a category which is denied by an ACL, then Simple ACL will try to hide the menu (some templates might override this behaviour so it’s only 99% safe).

    I hope I answered your question.

  • Jamz

    Hi There,

    I have a quick question about this… Does this addon allow custom user groups to be created? Then access given to the pages for the different user groups.

    We are creating a website that has 3 different age groups, and would like only age group 1 to see some pages, age group 2 to see some more and age group 3 to see them all.

    Is this possible with this?

  • Alessandro Pasotti

    @Jamz:

    It’s in the FAQ: Simple ACL does not support user defined (custom) groups.

    But keep in mind that you need to do one operation to put a user in a group and you need to do one operation to create a user ACL, so if the relationship is such as each user belongs to exactly one group then Simple ACL is the perfect tool.

  • Helena

    Thank you for the Simple ACL module. Although I have no programming knowledge, I got immediate support, which helped me in a professional and quick way. It is very good to find professionals like this, willing to offer serious, quality work.
    I am very satisfied.
    Thanks!

  • Ivo Carvalho

    I’ve used Simple ACL in a different way. My site is private, only registered members can access it. It’s a hospital site in which each department has a section, so each member can only access its own section. I have about 100 members, each with its own rules in SimpleACL and it has worked wonderfully!
    Thank you!

  • Barry Wallace

    Works a dream for our site. We have lots of sections, but once logged in, users can now see a members area. We only wanted them to be able to update this section – this has worked fine.

  • Pedram

    Hey Alessandro, I had a question about this ACL extension. What I am looking to do is to upload invoices to my website for restricted access, but I want the customers to be able to ONLY see their own invoices. I have tried many different things but these would make the invoices visible to all the users that are registered. Would it be possible to accomplish this with Simple ACL?

    Thanks so much, I look forward to your response.

  • Alessandro Pasotti

    Yes, see recipe n° 3. You will need to create a section, a menu item and an ACL rule for each of your customers to selectively open access to their “private section”, you can place invoices in the section body itself or create articles inside.

    Please note that we will be closed for holidays until 26 July; assistance is not guaranteed during this period.

    Download is automatic so it will work even if our offices are closed.

  • Bill Speary

    I just bought “Simple ACL ready for Joomla 1.5”, and I have a couple of questions. I just built a site which has a public section and an owner section.

    Once a user has logged in and registered, we need to determine if he is an owner and, if so, give him access to the owner section. What access level should I use?

    Several of the articles in the owner section have designated authors. How do I give them access to edit and publish only those articles?

    Thanks. Bill

  • Alessandro Pasotti

    @Bill:

    > Once a user has logged in and registered, we need to determine if he is an owner and, if so, give him access to the owner section. What access level should I use?
    >

    If I understand right, you have a section named “owner” and you want to grant access to that section to selected users.

    The first thing to keep in mind is that Simple ACL (SACL) respects standard Joomla access rules. This means that you must not use access level “public” for restricted sections; choose an access level which is compatible with the user you want to grant access to that section (for example: “registered” or “special”).

    > Several of the articles in the owner section have designated authors. How do I give them access to edit and publish only those articles?
    >

    You can follow recipe 3:
    http://www.itopen.it/2010/03/13/joomla-simple-acl-recipes/

    Basically, you configure SACL to be closed by default and open selected sections to selected users.

    You can use different combinations of

    * user-specific ACL
    * group-specific ACL (group=Joomla group like “author”, “editor”, “registered” etc.)
    * default ACL

    The first that matches will win and grant or deny the required action (edit, add, read or delete).

    The following flowchart will help you to understand what’s going on inside SACL. If in doubt, you can activate debug in SACL parameters and you will see printed at the top of the front-end page the reason for a grant or deny action.

    http://www.itopen.it/wp-content/uploads/2008/09/Simple-ACL-Decision-Flowchart.png

    Hope this helps.
