Last week I listed the 5 steps to securing Joomla content. Broadly speaking, the Joomla ACL provides two functions: restricting who can view content and who can manage content. It's helpful to think of this as "viewing" and "doing". It's relatively easy to understand and set up "viewing" rules. But the "doing" side is more complicated and that's what I'll tackle this week.
Ok so "doing" is a good way to remember this task but the grammar isn't great, so let's refer to this feature as Joomla "actions". The first step to creating action rules is understanding the various actions. Just like many other Joomla functions, these rules are initially set at a global level, but can be overridden further down the hierarchy. Start by going to Site - Global Configuration - Permissions. This page displays the list of groups with various actions. Click the Registered group and you'll see the following:
Each of the possible actions is displayed at the left and these have the following functions:
Site Login: Determines if a user within this group is able to log in to the frontend of the site. Depending on other permissions, this might allow them to simply view content, create new content or manage existing content. So this one can be used on its own, or in conjunction with more permissions. To set an action, you specify if the action is Allowed, Denied or Inherited. Allowed and Denied are pretty obvious. Inherited is a bit more complicated and will be discussed later. In the case of the Registered group, this is the only permission set to Allowed. This means users who are only in the Registered group can purely log in to the frontend. They can't create or manage content.
Admin Login: can log in to Administrator.
Offline Access: can log in to the frontend of the site when the site is in offline mode.
Super Admin: can do anything and everything.
Access Administration Interface: although Admin Login allows a user to access Administrator, they can't yet control anything within Administrator. This setting gives them almost full control, but they can't access Global Configuration. This might seem like a complicated solution, but it provides a lot of flexibility.
Create: can create any content.
Delete: can delete any content.
Edit: can edit any content.
Edit State: edit the state of content. For example, can change an article from Unpublished to Published. This feature is handy when used in conjunction with another group. You could assign create permission for one group which allows those users to submit content, but it remains unpublished. Then allow edit state to another group who can approve and publish the content.
Edit Own: can only edit content created by that user, as opposed to all content.
You then decide which permission each group needs. But before applying the settings, it's helpful to understand inheritance. Groups can be nested. And by default, permissions flow down this nested hierarchy. You can set Allowed or Denied for every action, within every group, but it makes sense to take advantage of the Inherited setting. For example, the Registered group has one allowed action - Site Login. So groups nested beneath this group will inherit this setting. Depending on the complexity of your groups and settings, you can quickly get confused, so Joomla provides a third column labelled Calculated Setting so you can quickly view the effective setting. Look at the Author group which is beneath the Registered group. Site Login is set to Inherited and the Calculated Setting shows that this is Allowed because the higher group - Registered - has this option set to Allowed. But the Author group also has two settings set to Allowed - Create and Edit Own. Those settings will then flow down to the next groups - Editor and Publisher.
As mentioned earlier, these permissions can be overridden down the Joomla content hierarchy. For example, you would set the default permissions in Global Configuration, but you can override permissions at the category, article or module level. So if you wanted to, you could allow one group of users to edit articles within one category. This is set at Content - Category Manager - Options - Permissions.
Inheritance works at two levels. Permissions are inherited down the groups hierarchy. It also works down the Joomla hierarchy. So a setting within Global Configuration is the default that is carried down to the Category level. Unless changed at the category level, it is also carried down to the article level.
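To make the two levels of inheritance concrete, here is a small added model (my own illustration, not Joomla's code) that reproduces the Calculated Setting column for a group, an action and a point in the content hierarchy. The group tree, category and article ids, and the rules are constructed sample data following the examples above; it also applies the rule that an explicit Denied on an ancestor group or ancestor asset cannot be re-allowed further down (Joomla shows this as "Not Allowed (Locked)"), which goes beyond what this post covers.

```python
"""Constructed model of Joomla's Calculated Setting (illustration, not Joomla code)."""
ALLOWED, DENIED = "Allowed", "Denied"

# Group hierarchy from the post: Registered > Author > Editor > Publisher (Public is the root).
GROUP_PARENT = {"Public": None, "Registered": "Public", "Author": "Registered",
                "Editor": "Author", "Publisher": "Editor"}
# Content hierarchy: Global Configuration > category > article (ids are constructed samples).
ASSET_PARENT = {"global": None,
                "category:news": "global", "article:42": "category:news",
                "category:archive": "global", "article:7": "category:archive"}
# RULES[asset][group][action]; anything not listed here is "Inherited".
RULES = {
    "global": {"Registered": {"Site Login": ALLOWED},
               "Author": {"Create": ALLOWED, "Edit Own": ALLOWED},
               "Publisher": {"Edit State": ALLOWED}},
    "category:news": {"Author": {"Edit": ALLOWED}},                # category-level override
    "category:archive": {"Registered": {"Edit": DENIED, "Edit State": DENIED}},
}


def chain(node, parents):
    """Walk from node up to the root, most specific first."""
    while node is not None:
        yield node
        node = parents[node]


def calculated_setting(group, action, asset="global"):
    """Return (setting, source) as the Permissions screen would display it.

    An explicit Denied on any ancestor group or ancestor asset locks the action;
    otherwise the nearest explicit Allowed wins; with nothing explicit the
    default is Not Allowed.
    """
    first_allow = None
    for a in chain(asset, ASSET_PARENT):
        for g in chain(group, GROUP_PARENT):
            value = RULES.get(a, {}).get(g, {}).get(action)
            if value == DENIED:
                return "Not Allowed (Locked)", f"{g} @ {a}"
            if value == ALLOWED and first_allow is None:
                first_allow = f"{g} @ {a}"
    if first_allow:
        return "Allowed", first_allow
    return "Not Allowed", "Inherited (no explicit setting)"


if __name__ == "__main__":
    for g, act, asset in [("Author", "Site Login", "global"), ("Author", "Edit", "article:42"),
                          ("Publisher", "Edit State", "article:7")]:
        print(f"{g:10} {act:10} on {asset:16} -> {calculated_setting(g, act, asset)}")
```

Run it and compare the output with the Calculated Setting column in Global Configuration and in the category's Permissions tab for the same group and action.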
The Joomla ACL is very flexible, but this means permissions can quickly get confusing. A more detailed explanation is demonstrated along with examples in the revamped version of our Joomla Users series which is currently in production. This will shortly become part of the Joomla Pro course.