In this month’s explore the core series, we cover Access Control Lists (ACL). ACL are one of the most powerful parts of Joomla’s core, allowing you to give permissions to users to do as much or as little as you want them to while using your website.
Though the default Joomla ACL is designed to be simple and straightforward, the ability to customize access for various uses means Joomla provides a very flexible method for defining access throughout your site. After firstly running through the concepts you need to know, I will be sharing with you a number of scenarios I’ve implemented for sites that extend the core ACL functionality to meet the client’s requirements.
ACL stands for Access Control List, and is a list that defines access permissions and roles for what you are able to do in any system that implements ACL principles. Joomla uses the concept of ACL to allow site managers to define, administer and control permissions for users on your website, deciding what they’re able to view, add, update and access when logged into the site.
For basic websites, the default ACL is sufficient to allow you to set up simple access to your Joomla website.When you install a Joomla website you’ll be prompted for a username and password to create a Super User account. This account has permissions to modify everything on the website, which is needed in order to configure your Joomla installation. Once you have the site created, you can go to Users > Manage to then add new users to your site. Adding additional users to the Administrators user group where needed will allow you to have a team managing your site. Adding users to the Registered user group will give them the ability to log in and see content that you only want logged in users to see. There’s additional examples further in this article. You can also configure menu items that point to the login page and/or configure login modules to enable users to login from the frontend of the site.
The real power of Joomla’s ACL system comes into action more when you start looking at giving users other levels of access. The flexibility is there so that when users login, you know exactly what they are able to access on the site based on their User Group.
In Joomla, there’s three key parts to ACL that all work together to implement permissions:Users
To be able to have permissions applied, ACL relies on applying permissions via an user account. Once an user account is created, the user is assigned to one or more User Groups and those groups define what the user can do on the website.User Groups
Users can be assigned to one or more User Groups. Each User Group is a member of one or more Viewing Access Levels allocated, and that defines what the user sees when accessing the site.Viewing Access Levels
Viewing Access Levels are used to define which User Group can see what on the site. You’ll be most familiar with Viewing Access Levels as the list that populates the “Access” dropdown on various content areas of a Joomla site.
You can see the default groups via Users > Viewing Access Levels:Public: Includes the Public group - Public is the parent User Group for all groups within the site, so everything is visible whether or not visitors are logged in. Guest: Includes only the Guest group, and so only those users not logged in will see content assigned to the Guest Viewing Access Level. Registered: Gives access to users assigned to the Registered, Manager or Super Users group, as well as any child user groups. Registered typically gives access to any logged in user, but you’ll see some examples below where that might not be the best scenario. Special: This is an administration viewing access level that is used mainly to restrict viewing of content to member User Groups that have administration roles at various levels. These include Manager, Author and Super Users and their child groups by default.
User Groups work on an inheritance basis. So whenever you are managing the group membership of a User and permissions allocated to a User Group, you need to be aware of the structure of your user group hierarchy in order to ensure you’re not accidentally giving the wrong type of user access to more parts of the site than they should have access.
With an understanding of Joomla’s default Access Control Lists structure, you can expand your site’s ACL structure further to add additional User Groups and Viewing Access Levels to then apply the ACL to various scenarios. There’s more detail on specific aspects of setting up ACL in the Joomla Documentation Access Control List Tutorial.
In most cases the default permissions for a Viewing Access Level suffice, but there are occasions where you might need to change a default permission to allow a specific Viewing Access Level to have more or less permission.
Once you have your Viewing Access Levels structured, you can set permissions for various components and features in Joomla via the Permissions tab, which appears in many parts of the Joomla administrator back end.
When you go to System > Global Configuration, down the left side of the screen you’ll see a list of all the various component options. For each component, the options will have a Permissions tab where you can set the permission for that component’s functionality. You can also access the permissions for components via the Options button at the top right of the screen.
Selecting the different user groups in the permissions tab to modify permissions.
Permissions also appear in other places throughout the administrator area of the site. For example you can change the permissions on individual categories and articles to stop particular User Groups from editing content in that category. You can also change permissions on modules to stop users in particular groups being able to change the settings for the module.
If you do have further questions on configuring Joomla Access Control Lists, comment on this article, consult the Joomla Documentation, or ask your questions in the Joomla Forum or Joomla Stack Exchange.
There’s an unlimited number of ways to use ACL to control access to your website. Here’s just a few examples I’ve implemented across various projects that might give you inspiration on how to use ACL for your sites.
Sometimes there’s content that you don’t need to have appearing if the user is logged in, such as the Login menu item.
On my sites, I have two menu items configured when I provide user access to the site. For the Login menu item, I set that to have “Guest” as the Viewing Access Level. This menu item then only appears when the user is not logged in.
Depending on the site, I either create a Logout menu item that is set to the “Registered” Viewing Access Level, or create a module that is assigned to “Registered”. The logout option then only appears when users are logged in.
You might not want to create a paywall specifically, but just limit access to Registered Users so that you increase your site's user base.
To limit access to your content, you can set articles to have “Registered” Viewing Access Level. You would then have a menu item to show the Blog Category Layout as a “Public” access level. That menu item would then have the setting for “Show Unauthorised Links” set to Yes.
When Joomla then renders the page for users that are not logged in, it displays “Read more” buttons for articles in the category that are set to Public, and a “Register to read more…” button for articles set to Registered. When the user then clicks on the button, they’re taken to a page to then create a user account.
You can find out more on how to set up this functionality in this Joomla Doc. If you want to turn your site into a paywall, so users need to subscribe to your content, you can install a membership extension on your site to add that functionality.
Over the years, I’ve had a number of times where sites required ACL structures that needed to only give access to various content to particular registered users.
One example is a website selling online training courses. They have five training courses users can subscribe to, either individually, or in groups of two to five courses via various package options.
For this scenario, I’ve created User Groups for each course, and that allows me to then allocate subscribers to the User Groups relating to each course. The content for the courses is assigned to the various User Group created for that topic. For the courses I’m using OS Campus by JoomlaShack, but there’s multiple learning management systems available which all use Joomla’s ACL in similar ways.
I’ve also created some other User Groups to provide access to special customer groups. One allows us to provide a login to affiliates to access a course preview for all the courses. The second one allows user accounts to be created that can be used by consultants to demonstrate the courses, but not additionally make any changes to content.
To then manage the access to the courses, I created a Viewing Access Level for each course. I’ve then selected the various user groups that can see the courses for that Viewing Access Level. This includes Super Users (so I could test the courses when logged in) and the Course Preview and Course Demonstration User Groups.
This solution seamlessly automates the subscription process so that a new user signing up and purchasing a courses package is automatically added to the required User Groups, and at the end of their subscription are also automatically removed from the subscription User Groups and returned to Registered status.
Another series of sites I’ve built have utilised various form building components to create simple applications that are underpinned by Joomla’s ACL to control what individual users are able to access in the application.
Each application operates with similar functionality to allow users to view, add or update records, depending on the permission levels. Variations between the systems use ACL to perform functions like:Only provide view access for some users who need read-only access, while allowing add and update access to a separate group of users. Provide numerous User Groups with specific access to records relating to their User Group. For example, Users from different companies have their company User Group which only lets them action items relating to their company. Create approval workflows with customised Viewing Access Levels that mimic the structure of the default Joomla Author > Editor > Publisher structure, but only apply to the application. This prevents users from being able to edit other content on the site.
The final example for this article - comment if you’d like a deeper dive into this example in a future magazine article - is the ability to utilise a number of extensions to then manipulate how content is displayed based on ACL.
For over a decade, I’ve now been using extensions from Regular Labs throughout my sites to display content to various users based on their ACL levels.
One of the simpler extensions that assist with this is Conditional Content. On the courses site in the earlier example, I use the Conditional Content plugin to display messages on various pages of the site that either prompt users to login if they’re already a subscriber, or alternatively display a link to logged in users that takes them through to their purchased courses.
Advanced Module Manager is another must have from Regular Labs. The main feature I use in this extension is the ability to control the assignment of modules based on countless options, including limiting it to various ACL options. You can specify assignments to specific Users, User Groups and Viewing Access Levels.
I hope the examples above encourage you to explore the core a little more soon. ACL has always been one of the features of Joomla that’s seen me using it as my CMS of choice now since 2005.
We’d love to learn about more examples and case studies of creative ways you’ve used Joomla’s ACL. Feel free to add a comment of how you’ve used ACL, or if it’s a complex example, write up a case study and submit it as a magazine article.
Joomla’s Documentation contains a number of tutorials and guides on using the various features of ACL.
ACL has not been covered for a while in the Joomla Community Magazine. Though these articles were originally written with Joomla 2.5 examples, the concepts Randy Carey outlined back in 2012 & 2013 are still applicable today.
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.