
Joomla Blog

Tutorials, reviews, case studies and other tips to help website owners and website developers master the Joomla content management system.

The 5 steps to securing Joomla content

Last week I discussed the three ways to get users into the Joomla database. These users can then be allocated certain permissions, such as who can view content and who can manage content. It's helpful to think of these two tasks as "viewing" and "doing". This post explains the 5 basic steps to restrict who can view content on your Joomla site. In summary these steps are:

  • Create users
  • Create groups
  • Assign users to one or more groups
  • Create access viewing levels
  • Set the access feature within articles, categories, menus or modules

Depending on whether you're building a new site or adding ACL functionality to an existing site, it might make sense to create groups first and then users. In that case you only need three steps, because you would create the groups first and then allocate each user to a group at the same time as you create them. But in this case I'm going to assume you already have some users in your system. If not, review last week's post, which covers three ways to create users. That's step 1 complete.

Step 2 is to create groups. This is done in Administrator at Users - Groups. Joomla is installed with certain groups, and in many cases the defaults are adequate. For example, if you just need a single level of protection, stick with the default Registered group. This allows you to assign all your sensitive content into one group. All users who need access to view this content would then be allocated to this Registered group.

However, the Joomla ACL is far more powerful and, if you need to, you can create multiple groups. For example, if you manage a school website, you might have one set of articles that should only be accessible by teachers and another set of articles that are accessible by both teachers and students. In this case, you would need two groups: teachers and students.

Once all the necessary groups are in place, you're ready for step 3. Edit every user record and use the Assigned User Groups checkboxes to allocate each user to one or more groups. If your site is new, or if you only have a small number of users, this is relatively painless. But if you have a large number of users, this process could take hours. Fortunately Joomla comes to the rescue with its batch process feature. Use the check box next to each applicable user and then choose the appropriate group from the batch process drop-down menu. Select Add to Group and click the Process button. The users you selected will then be added to the group. You can repeat this process if you need to add users to multiple groups.

Joomla ACL batch processing

Step 4 is to create viewing levels. There is a good chance that all you need to do is create levels to match the groups. Once again, if you just need one level, stick with the existing Registered level. Or if you have two groups, create two matching access viewing levels. Access levels are found at Users - Access Levels. Creating a new level is easy: click New, give it a title and select the group or groups that should be included in this level.

And finally step 5 is to decide what content you need to restrict. This can be done at the article, category, menu level or with modules. Let's say you wish to hide all articles in a particular category. Go to Content - Category Manager and edit the category. Change access from Public to the newly created access level.

All articles in that category will now only be visible if a user belongs to a group that belongs to that access level. This might seem like a complicated method, but the Joomla ACL is flexible to accommodate all sorts of scenarios.
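The rule above (user, then group, then access level, then content) modeled in Python as an added example; it is not code from the original post or from Joomla. Group IDs, user names and category names are constructed, "Teachers" and "Students" follow the school example, and the model assumes Joomla's nested groups, where a user in a child group also counts as a member of its parent groups.

```python
# Simplified model of Joomla view-level resolution. All IDs, users and
# categories are constructed sample data, not values from a real site.

# group id -> (title, parent id); mirrors the nested tree in Users - Groups
GROUPS = {
    1: ("Public", None),
    2: ("Registered", 1),
    10: ("Teachers", 2),
    11: ("Students", 2),
}

# access level title -> group ids selected when the level was created (step 4)
VIEW_LEVELS = {
    "Public": {1},
    "Registered": {2},
    "Teachers Only": {10},
    "School": {10, 11},
}

# user -> directly assigned groups (step 3)
USER_GROUPS = {"alice": {10}, "bob": {11}, "carol": {2}}

# category -> access level set in the category's Access field (step 5)
CATEGORY_ACCESS = {"Staff memos": "Teachers Only", "Homework": "School", "News": "Public"}


def effective_groups(user):
    """Directly assigned groups plus every ancestor group (inheritance)."""
    seen = set()
    for gid in USER_GROUPS.get(user, ()):
        while gid is not None and gid not in seen:
            seen.add(gid)
            gid = GROUPS[gid][1]
    return seen


def authorised_levels(user):
    """Access levels whose group list intersects the user's effective groups."""
    groups = effective_groups(user) or {1}  # simplification: unknown user = Public
    return {level for level, gids in VIEW_LEVELS.items() if gids & groups}


def can_view(user, category):
    return CATEGORY_ACCESS[category] in authorised_levels(user)


def audit():
    """Map each category to the sorted list of users who can view it."""
    return {c: sorted(u for u in USER_GROUPS if can_view(u, c)) for c in CATEGORY_ACCESS}
```

Re-parenting Students under Teachers in `GROUPS` makes `can_view("bob", "Staff memos")` return True, so review the group tree as well as the level definitions when auditing who can see restricted content.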

This process and much more is demonstrated in the revamped version of our Joomla Users series which is part of our Joomla Pro course. This is in production right now and will be available soon.

Next week I will explain the steps to restricting who can create and edit content.


Comments 6

Guest - jeff on Friday, 11 May 2012 11:59

Hi Richard, I have enjoyed finding your site and viewing your video tutorials. I've started your pro course and I love it. Thank you for all you do. I hope to follow in your footsteps with my own Joomla business one day. But first things first.

I'm doing a site for my wife; she's an optometrist with many patients. I would like to have her patients log in to the site and access their private exam records along with glasses and contact lens prescriptions. I've tried doing this by adding all patients to Patient Group but all exam records are visible by all. Not good. Will I have to create a group for every patient and give them rights all individually? Or is there a better way using ACLs?

Thanks, Jeff

Richard Pearce on Wednesday, 16 May 2012 13:20

You need a programmer to help with this. Although you could create individual users and groups, this is a messy solution. You really need a solution that allows a user to "View own" record. A bit like the "edit own" action. And that's a job for a programmer.

Guest - Sherry Bennett on Monday, 21 May 2012 17:33

A very well explained step-by-step guide. Just a few days back I was thinking about categorizing the content of my Joomla-based website in a similar manner. I had a fairly blurry idea about multiple groups, but now I am much more enlightened.

ALAN HAYWARD on Saturday, 30 May 2015 17:58

Hi Richard, I have recently set up PayPal Pay Now buttons on my Joomla 2.5 (soon to be 3.x) site. I know how to set up PayPal to direct clients who have paid back to a specific landing page on my site, but I would like to know how to have that landing page only accessible to such clients and not be accessible to anyone else.

Is it by any chance as simple as creating the article and menu but not publishing the menu? If not, what do I need to do please?

Many thanks

Alan Hayward

Richard Pearce on Sunday, 31 May 2015 10:18

Strictly speaking this is hard, but it depends on how securely you want to protect the page. If you just want to send them to a page that is inaccessible via a link (like a menu), then yes you can create a "hidden menu item". See http://www.buildajoomlawebsite.com/blog/tutorial/joomla-hidden-menus

However this is not very secure. Someone could give this link out and it will work. If you think this is low risk then it is the easiest solution. The only thing is, you must change the default robots setting for this page to "NOINDEX", which will reduce the likelihood of that page being indexed by search engines. This is done in the menu settings.

Strictly speaking, you should create a page with appropriate access control. However this only works if the user is logged in and has already been assigned to the correct viewing level. From your description, this isn't going to work.

Depending on what you're doing, you might find an extension that takes care of all this. For example, I have a similar issue for this site and I use Akeeba Subscriptions. Or if you're looking to give access to a downloadable product, you'll find some extensions such as HikaShop provide this function.

ALAN HAYWARD on Monday, 01 June 2015 04:25

Hi Richard
Thank you so much for this input. Very helpful indeed and much appreciated.

Alan Hayward
