Simple ACL per Joomla 1.5

by filed under Joomla.
[wp_eStore_buy_now:product_id:1:end]

Simple ACL

Simple ACL Logo SimpleACL for Joomla! è un componente (che lavora insieme a un plugin) per limitare ad alcuni utenti registrati l’accesso in lettura, scrittura o modifica agli articoli appartenenti a “sezioni” selezionate. Il componente agisce solo sugli articoli (com_content) e non influenza gli altri componenti (forum, newsletter ecc.). SimpleACL entra in azione dopo aver esaminato le regole predefinite di Joomla basate sul livello dell’utente (author, editor, publisher) e quindi non entra in conflitto con queste. Il componente permette di impostare una regola d’accesso predefinita, per esempio si può consentire la lettura di tutte le sezioni come regola predefinita, salvo poi restringere solo ad alcuni particolari utenti l’accesso in scrittura a una o più sezioni. Si può anche impedire a tutti gli utenti l’accesso in lettura come regola predefinita, concedendo poi l’accesso esplicitamente solo ad alcuni utenti.

A cosa serve?

Un tipico caso d’uso è il seguente:
  • Una ditta o un’ente è composto da diversi reparti e ciascuno di essi ha una apposita sezione sul sito web.
  • Ogni reparto ha utente designato all’inserimento di contenuti nel sito web della ditta.
  • Ciascun utente deve poter inserire articoli solo nella sezione dedicata al proprio reparto.
  • C’è un utente speciale che essendo addetto alle pubbliche relazioni deve poter inserire articoli anche nelle sezioni relative agli altri reparti.
  • Ci sono alcune sezioni contenenti articoli che devono poter essere letti solo da particolari utenti.
SimpleACL permette di impostare permessi d’accesso per determinate combinazioni utente/sezione (oppure gruppo/sezione) rendendo quindi possibile questo tipo di configurazione.

Come funziona?

SimpleACL usa una tabella per configurare le regole d’accesso per determinate coppie utente/sezione, le regole sono controllate tramite un plugin di sistema quando l’utente accede ai contenuti. Per saperne di più sul funzionamento di Simple ACL, fate riferimento allo schema Decision Flowchart.

Da tenere presente

  1. Il componente agisce solo a valle dei ruoli predefiniti di Joomla, se quindi una sezione è disponibile solo per gli utenti con ruolo “publisher” e l’utente ha ruolo “author” anche se impostate una ACL per consentire l’accesso a questo utente, l’utente non avrà comunque accesso.
  2. Le ACL si applicano (ovviamente) solo agli utenti conosciuti quindi autenticati tramite login e password.
  3. Le ACL funzionano solo nel front-end.
  4. Gli utenti con ruolo “Administrator” o “Super Administrator” non sono soggetti alle ACL.
  5. Al momento sono supportati solo i gruppi standard di Joomla, il componente non è quindi adatto a gestire un gran numero di utenti e sopratutto non supporta gruppi definiti dall’utente.

Licenza e costi

Il software è distribuito sotto licenza AGPL (Affero GPL) v. 3. Per poter scaricare il componente si richiede un pagamento di 45€ (IVA inclusa, regolarmente fatturati) come contributo una tantum per 12 mesi di assistenza remota.

Traduzioni

I messaggi sono relativamente pochi e sono tutti contenuti in una cartella “language” con il file corrispondente alla lingua. Al momento solo il file relativo alla lingua inglese è presente nella distribuzione.

What’s new in version G.x series

This new version brings many enhancements:
  • limited group support (groups are standard Joomla groups such as “registered”, “author” etc.)
  • check/uncheck all actions when editing ACLs
  • Admin users will not be shown in the user list when creating ACLs
  • limited menu integration
  • ACL menu module  (a mod_mainmenu which knows about ACLs)
  • ACL section module (a mod_sections which knows about ACLs)
  • DB backward compatible (will not overwrite your existing ACLs, but make a backup first)
Let’s give a closer look to some of the coolest new features…

Limited group support

You can now add ACLs to the following standard Joomla user groups:
  • registered
  • author
  • editor
  • publisher
  • manager
In case of ACL conflicts between group-ACLs and user-ACLs, the second will always prevail.

Menu integration

Many of you have asked for an ACL-aware menu. You can now enable menu integration as an experimental option in Simple ACL configuration. If you enable this option, Simple ACL will try to hide menu items that point to articles, sections or categories that are not accessible by the logged in user. In some cases, it can happen that all menu items are hiddden, in this case the user will see an empty menu list, but Simple ACL will not be able to hide the title of the menu itself because it operates at a different level in the joomla processing flow.

New: ACL menu and section modules!

In addition to the “Menu integration” above, the package now contains two ACL modules (aclmenus and aclsections), to be used instead of standard Joomla! mod_mainmenu and mod_sections. Using this new modules you can have menus and sections lists that  know when a menu item or a section can be accessed by the user, and can hide it accordingly.

Screenshots

FAQ

Is this thing “stable” ?

Yes, sure. It’s now used on several production websites.

Can I limit access to a category instead of a section?

Not in the current version. I will eventually implement it in a future version (but please don’t ask me when 🙂 )

Will Simple ACL alter in any way menu items or search results depending on user ACLs ?

Yes, Simple ACL comes with some companion plugins to hide unaccessible items from search results as well as from menus and section module (mod_sections).

How will I receive the software after the donation?

After a successful payment, you will receive a download link via email. The email is automatically sent immediately after a successful payment, please check your spam folder if you don’t receive it in a few minutes.

Why should I pay for a free software component?

I think an explanation is needed: in my career I developed a couple of free (“free” as in “free speech”) software projects (KMLMapserver, MapStorer, Joomla FAP, SWFslideshow to cite a few), all of them are also “free” as in “free lunch” but in more than ten years I did not receive one cent as a donation, most of the time those projects were funded by one or more of my customers. After keeping Simple ACL unpublished for a while, I simply felt I couldn’t spend time to publish, promote and give assistance on another free software project for nothing, I was simply dedicating too much time in open-source free projects without receiving back any money. That’s why instead of keeping Simple ACL hidden in my desktop I decided to distribute it for a small fee, please note that this fee goes to cover the plain costs of assistance (answering to emails, writing documentation etc.) and development of Simple ACL, I will certainly not get rich with this fees. This is not in contrast with free-software philosophy: GNU Free Software Foundation philosophy not only says that you can distribute free software for money, but encourage you to do so: http://www.fsf.org/licensing/licenses/gpl-faq.html#DoesTheGPLAllowMoney http://www.gnu.org/philosophy/selling.html

Can I distribute or sell Simple ACL?

Yes, you can. But doing so, you will probably provoke a stop in the development of Simple ACL, since I will not raise enough funds to cover the costs of its development. It’s up to you.

Is this fee an yearly fee?

No, you donate once, you get the software and one year email assistance to set it up. That’s all. I will send you all the future versions of the component (if any) for free.

“Delete” ACL rule doesn’t work

True, but this is not my fault, Joomla does not allow article deletion from the font-end, hence this rule is useless at the moment (but I have implemented it in case future Joomla versions support deletion from the front-end).

Why “Simple” ?

Well, because the objectives of this project were limited:
  • do not touch the core of Joomla
  • be unobstrusive: you can install and remove the component without consequences
  • do not interfere with standard Joomla user and permissions: Simple ACL respect standard Joomla permissions levels, and only acts after Joomla has done its checks and controls
  • solve a simple problem: let selected users to access and/or edit selected sections

I have 1000 users and 1000 sections, does Simple ACL suit my needs?

Probably not: Simple ACL does not support user defined (custom) groups, this mean that you should set up 1000 ACL’s to bind your 1000 users to their 1000 sections. This is just unpractical. The latest version has limited group support. You can now add ACLs to the following standard Joomla user groups:
  • registered
  • author
  • editor
  • publisher
  • manager
In case of ACL conflicts between group-ACLs and user-ACLs, the second will always prevail (see the Decision Flowchart scheme for details).

What kind of default access policy should I choose?

Simple ACL allows you to configure a default access policy on the individual actions (Create, Update, Retrieve and Delete (the lattest not being implemented in Joomla front-end at the moment). Please remember that Simple ACL rules apply only to registered users, by keeping this in mind you could have two main scenarios (other scenarios or combinations are of course possible):

1 – Your website is completely public (everybody can see everything) but you have (for example) three authors (A, B, C) and two sections (A, B). You want user A to edit only section A, user B to edit only section B and user C to edit both. In this case, you would

  • create users A, B and C as authors (or editor or publisher)
  • set Joomla standard access to “public” for sections A, B and C (this is the default)
  • set Simple ACL default access policy to Retrieve=Allow, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user B/section B to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section A to allow all actions (Create, Retrieve, Update, Delete)
  • create one ACL for user C/section B to allow all actions (Create, Retrieve, Update, Delete)
2 – Your website is mainly public, but you have some private sections that you want to be accessible only from selected users. You have (for example) three authors (A, B, C) and two private sections (A, B) and you want user A able to read (and not edit) section A, user B able to read (and not edit) section B, user C able to read (and not edit) all three sections. In this case, you would
  • create users A, B and C as registered (remember, they don’t need to edit anything, just read)
  • create sections A, B and C and set standard Joomla access level to “registered” otherwise all user (included A and B) would be able to read section A and B while not authenticated (logged in)
  • set Simple ACL default access policy to Retrieve=Deny, Create=Deny, Update=Deny, Delete=Deny
  • create one ACL for user A/section A to allow Retrieve and deny all other actions
  • create one ACL for user B/section B to allow Retrieve and deny all other actions
  • create one ACL for user C/section A to allow Retrieve and deny all other actions
  • create one ACL for user C/section B to allow Retrieve and deny all other actions

Why two different plugins?

System plugin must always be installed and activated otherwise Simple ACL will not work. Content plugin is only useful when both of the following conditions apply:
  • in your default access policy (as set in component parameters window) Retrieve=deny
  • and you have a mixture of articles coming from allowed and denied sections in the front page
If given the conditions above you don’t activate the content plugin, a single denied article in the front page will deny the whole page.

What happens when a logged in user try to access/edit a denied page?

A “denied page” means a page containing an article that belongs to a section non accessible by that user because of Simple ACL restrictions. The user will be redirected to a page generated by Simple ACL component (or to an URL of your choice, you can configure the URL through the component parameters configuration in the control panel). The generated deny page shows the deny message that you can change through the Simple ACL parameters settings in the control panel. The page shows also the default Simple ACL policy and the existing ACLs for that user so the user can see exactly which sections he can access. [wp_eStore_buy_now:product_id:1:end]

78 Responses to “Simple ACL per Joomla 1.5”

  • Louise

    I’ve read your site and this list of comments, but i’m always nervous of buying an extension before I feel totally comfortable.

    I’m currently developing a website for a photographer and am looking into options for client areas, where by a client could log in and see their images only.

    With Simple ACL it seems to me this would be straightforward. I’m guessing you would create a section for each client, and then give them access to that section only, as a registered user? And it would be possible to only let them view content (not edit etc..)? Would there be any issues with this that I am missing?

    Thanks for your help.

  • Alessandro Pasotti

    @Luoise,

    Yes, to the first two questions.

    I can’t answer to the second, the main potential (but very unlikely) issue with a “mostly private” setup concerns how to present to the users their own content. You will probably need to create a menu item for each private section and then enable menu integration in Simple ACL options. This menu integration is advertised as “experimental”, this means that it will work on 99,99% of Joomal installations but there are a few cases in wich the standard Joomla mod_mainmenu is overridden by the template causing menu intgration to fail.

    I can only guarantee that menu integration works perfectly with all Joomla standard templates (the templates that are distributed with Joomla itself).

    It’s a long time now we are thinking of writing a simple “ACL-aware” mod_sections, this will probably be the definitive solution to this problem.

  • Louise

    @Alessandro

    Thanks so much for your detailed answer, its really helpful.

    I will keep a look out for ACL-aware in the future!!

    Louise

  • Alessandro Pasotti

    @Louise,

    We have developed the ACL-aware Sections module, it’s currently under testing and will be released within the main package in a few days.

    Of course all previous customers will receive it immediately after our quality controls are passing.

  • sky

    I have 1000 users in registered group, and I want to grant 20 of them the right to edit certain section’s contents. Can SimpleACL does this?

  • Alessandro Pasotti

    @sky

    Simple ACL will not support ACL on categories in the near future.

    To answer your second question: no, because Simple ACL do not override standard Joomla role access control and Joomla does not allow a “registered” user to edit anything, “author” level is the minimum role to edit something in Joomla.

  • Kailey

    Does simple ACL allow publishers to publish new content to a specific section rather then just be able to edit it?

  • Alessandro Pasotti

    @Kailey

    No, sorry, there is no demo.

    As for your second question, I would say yes. Let me explain how it works.

    You can configure Simple ACL (SACL) to deny by default all “insert/create” actions. Then you can create an ACL to allow your publisher users (all of them or just a selected set) to “insert/create” content in one or a few selected sections.

    When the publisher will try to “insert/create” an article from the front-end he will be presented the full list of sections (no apparent changes in the interface so far) but if they choose a section they are not allowed to publish in, SACL redirect them to an error page (default is a page with a configurable message and a list of existing ACLs for that user, you can also choose a custom URL as the error page).

  • Bill Speary

    I want to give a client access to Joomla 1.5 BACKEND. BUT I don’t want him to change ANYTHING.

    Any way to do this usin ACL??
    Bill

  • Alessandro Pasotti

    @Jeff:

    No: the edit icon is generated from the template, given the fact that there are thousands of different Joomla! templates, there is no possibility to control this behavior from a component or a plugin.

  • Andrew

    I need to develope a website for a Diabetic Clinic. A patient must be able to log in and see their test results. Obviously the page with the test results must be private and only viewable to the patient.

    Can I do that with this plugin?

  • Alessandro Pasotti

    @Andrew:

    Yes, see recipe 3 here:
    http://www.itopen.it/2010/03/13/joomla-simple-acl-recipes/

    Please keep in mind that:
    * you will need one section for each user
    * you will need to create one ACL rule for each user/section combination
    * Simple ACL security is not military-grade: attachments will be accessible by direct links (security through obscurity)

    To create a menu link to the user’s (patient’s) “private” section you can use the new “aclsections” module, provided with Simple ACL, this module shows only sections to which the user has access, so the patient will see only the link to his private section.

    Regards.

  • litsa

    Hello,

    I want to build a website for a English language center. Is it possible if I use your extension, to give access for each user (parent) to a specific article (about their kid only). I will also like, the user not to see what other students exist in the system. Is that possible?

  • Simona

    Salve, avrei una domanda: in un sito devo poter gestire privilegi diversi per gli utenti in lettura, nello specifico: gli agenti devono poter consultare alcune sezioni, i clienti altre (che in realtà confluiscono in un’unica e generica area riservata).
    Il vostro plug-in mi permetterebbe di gestire questa situazione?
    Grazie mille!

  • Alessandro Pasotti

    @Simona,

    in linea di massima, si. Però non è possibile creare gruppi custom, quindi o crei dei record ACL per ciascun utente definendo quale sezione può consultare oppure assegni le due tipologie di utente ad uno dei “gruppi” standard Joomla (registered, author, editor ecc.) e crea una ACL per il “gruppo”.

  • Hadi

    I need a demo to explore your component features.
    Is it possible to have a control to any specific links at the backend, so i can set the permission for particular groups/users?
    For example, I have some events on Civicrm component, and I need to restrict to any particular Event so that only the Event which belong to a group can be viewed by the user on that group.

  • Alessandro Pasotti

    @Hadi,

    sorry, there is no demo available. Also I don’t think that SimpleACL is useful for you, it does not allow to restrict arbitrary links because it is only active on Joomla standard sections.

  • Deirdre

    Hi Alessandro

    I have set up simple ACL on an intranet & have restricted access to one section. I want to be able to prompt the user to login when they click on this section. I tried to do this using acl redirect in the component parameters but it is not working. It just displays 403 page you are not authorised to view this resource

    Is there a way around this? thanks