Joomla User Groups, Viewing Access levels and Permissions (ACL)

<div class="title" style="font-size:150% !important">
 
User Groups, Access Levels 
 and Permissions
</div>

<div class="title2">
by Peter Martin / <a href="https://db8.nl" target="_blank">db8.nl</a>
 
slides: <a href="https://petermartin.nl" target="_blank">https://petermartin.nl</a>

</div>

---

<div class="title">Joomla 5 
<ul style="font-size: 70%">
 <li>User Groups</li>
 <li>Access Levels</li>
 <li>Permissions</li>
</ul>
</div>

---

<div class="title">User Groups</div>

----

### User Groups

- Collections of users ("Categories") 
 - Grouped together 
 - based on common characteristics 
 - or roles

----

### Joomla uses User Groups for
<img src="images/24-joomla5-usergroups-acl/ug.jpg" class="topimg">

- User Account Management
- Viewing Access Levels
- Permissions (Access Control List)
- Workflow

----

### User Groups Benefits

- Flexibility: config groups to match requirements.
- Security: Restricts access based on roles.
- Scalability: Suitable for small and large sites.
- Ease of Management: Reduces managing individual user permissions.

----

### Joomla's default User Groups
<img src="images/24-joomla5-usergroups-acl/ug.jpg" class="topimg">

<ul style="font-size: 70%">
<li>Public: Anyone</li>
<li>Guest: Non-logged-in users</li>
<li>Registered: Logged-in users without special permissions</li>
<li>Author: only submit new articles. Not editing others' content</li>
<li>Editor: Can edit any article. No publishing</li>
<li>Publisher: Can publish or unpublish any article</li>
<li>Manager: Can manage site content with limited backend access</li>
<li>Administrator: Has higher-level administrative access but not full control</li>
<li>Super Users: Full control over the site, including all administrative features </li>
<li>Your Own: Create your own Groups for Viewing Levels and Permissions</li>
</ul>

---

<div class="title">(Viewing) Access Levels</div>

----

### Viewing Access Levels (VAL)
<img src="images/24-joomla5-usergroups-acl/val.jpg" class="topimg">

- What can someone
 - from a User Group
 - see on a page

----

### Config Viewing Access Levels
<img src="images/24-joomla5-usergroups-acl/val.jpg" class="topimg">

Set "Access" via:
<ul>
<li>Components<ul>
 <li class="fragment">"Access": in Menu Item for Component View</li>
</ul></li>
<li>Modules<ul>
 <li class="fragment">"Access" in Module Parameters</li>
</ul></li>
<li>Plugins<ul>
 <li class="fragment">"Access" in Plugin Parameters</li>
</ul></li>
</ul>

----

### Store Viewing Access Levels
<img src="images/24-joomla5-usergroups-acl/val.jpg" class="topimg">

<ul>
<li>Components<ul>
 <li class="fragment">#__categories: access</li>
 <li class="fragment">#__content: access</li>
 <li class="fragment">#__menu: access</li>
</ul></li>
<li>Modules<ul>
 <li class="fragment">#__modules: access</li>
</ul></li>
<li>Plugins<ul>
 <li class="fragment">#__extensions: access</li>
</ul></li>
</ul>

---

<div class="title">Permissions (Access Control List)</div>

----

### ACL: Permissions (ACL)

- Access-Control List (ACL)
- What can someone
 - from specific User Group
 - do in a component
- Cascading: inherit from Parent User Group

----

### Config Permissions
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

Set "Permissions" via:
<ul>
<li>Components<ul>
 <li class="fragment">"Options" > "Permissions"</li>
</ul></li>
<li>Modules<ul>
 <li class="fragment">No, only "viewing" access</li>
</ul></li>
<li>Plugins<ul>
 <li class="fragment">No, only "trigger" access</li>
</ul></li>
</ul>

----

### Store Permissions
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

<ul>
<li>Components<ul>
 <li class="fragment">#__assets table</li>
</ul></li>
<li>Modules<ul>
 <li class="fragment">No, only "viewing" access</li>
</ul></li>
<li>Plugins<ul>
 <li class="fragment">No, only "trigger" access</li>
</ul></li>
</ul>

----

### Permissions Assets Table
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

Permissions for com_content:
- #__assets table
- record: com_content 
- column: rules (JSON: Action + User Group IDs)

```json
{
  "core.admin":{"7":1},
  "core.manage":{"6":1},
  "core.create":{"3":1},
  "core.edit":{"4":1},
  "core.edit.state":{"5":1},
  "core.execute.transition":{"6":1,"5":1}
}
```

----

### Who has Permissions (default)
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

Permissions for com_content:
<ul style="font-size: 70%">
<li>core.admin: Administrator (ID:7)</li>
<li>core.manage: Manager (ID:6)</li>
<li>core.create: Author (ID:3)</li>
<li>core.edit: Editor (ID4)</li>
<li>core.edit.state: Publisher (ID:5)</li>
<li>core.execute.transition: Manager (ID:6) + Publisher(ID:5)</li>
</ul>

----

### How Permissions 1/2
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

File: /administrator/components/com_content/access.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<access component="com_content">
	<section name="component">
		<action name="core.admin" title="JACTION_ADMIN" />
		<action name="core.options" title="JACTION_OPTIONS" />
		<action name="core.manage" title="JACTION_MANAGE" />
		<action name="core.create" title="JACTION_CREATE" />
		<action name="core.delete" title="JACTION_DELETE" />
		<action name="core.edit" title="JACTION_EDIT" />
		<action name="core.edit.state" title="JACTION_EDITSTATE" />
		<action name="core.edit.own" title="JACTION_EDITOWN" />
		<action name="core.edit.value" title="JACTION_EDITVALUE" />
		<action name="core.manage.workflow" title="JACTION_MANAGEWORKFLOW" />
		<action name="core.execute.transition" title="JACTION_EXECUTETRANSITION" />
	</section>
</access>
```

----

### How Permissions 2/2
<img src="images/24-joomla5-usergroups-acl/access.jpg" class="topimg">

File: /administrator/components/com_content/src/ View/Articles/HtmlView.php

```php
protected function addToolbar() {
$canDo   = ContentHelper::getActions('com_content', 
'category', $this->state->get('filter.category_id'));
$user    = $this->getCurrentUser();
$toolbar = $this->getDocument()->getToolbar();

ToolbarHelper::title(Text::_('COM_CONTENT_ARTICLES_TITLE'), 'copy article');

if ($canDo->get('core.create') || 
\count($user->getAuthorisedCategories('com_content', 
'core.create')) > 0) 
{
    $toolbar->addNew('article.add');
}
```

---

<div class="title">Create your own User Groups, 
Viewing Access Levels, 
Permissions</div>

----

### Create!
<img src="images/24-joomla5-usergroups-acl/create.jpg" class="topimg">

<ol>
<li>Let's create a User Group (UG) : Marketing Group</li>
<li class="fragment">With Viewing Access Level (VAL) : Marketing Level</li> 
<li class="fragment">Set Permissions (ACL) to<ul> 
 <li>Login into the back-end</li>
 <li>Manage articles from category "News"</li>
 <li>Manage Redirects</li>
 </ul>
</li>
</ol>

---

<div class="title">Create your own User Groups</div>

----

### UG: User Groups

----

### UG: New Marketing Group

<ul>
<li>"Category" of Users</li>
</ul>

► Users > Groups > New

----

### UG: New Marketing Group

<ul>
<li>Group Title: Marketing Group </li>
<li>Group Parent: Public</li>
</ul>

----

### UG: Marketing Group

New User Group: 
Marketing Group

---

<div class="title">(Viewing) Access Levels</div>

----

### VAL: New Marketing Level

► Users > Access Levels > New

----

### VAL: New Marketing Level

<ul>
<li>Level Title: Marketing Level </li>
<li class="grey">User Groups With Viewing Access: Marketing Group</li>
</ul>

----

### VAL: New Marketing Level

<ul>
<li class="grey">Level Title: Marketing Level </li>
<li>User Groups With Viewing Access: Marketing Group</li>
</ul>

---

<div class="title">Permissions (Access Control List)</div>

----

### ACL: Permissions (ACL)

- Access-Control List (ACL)
- What can someone 
 - from specific User Group 
 - do in a component

----

### ACL: Back-end

<ul>
<li>Login in Back-end</li>
<li class="grey">Manage Content</li>
<li class="grey">Manage Categories</li>
<li class="grey">Manage Redirects</li>
</ul>

► System > Global Configuration > Permissions > 
Marketing Group > Administrator Login: Allowed

----

### ACL: Content

<ul>
<li class="grey">Login in Back-end</li>
<li>Manage Content</li>
<li class="grey">Manage Categories</li>
<li class="grey">Manage Redirects</li>
</ul>

► Content > Articles > Options > 
Permissions > 
Marketing Group > Access Admin. Interface: Allowed

----

### ACL: Categories

<ul>
<li class="grey">Login in Back-end</li>
<li class="grey">Manage Content</li>
<li>Manage Categories</li>
<li class="grey">Manage Redirects</li>
</ul>

► Content > Categories > "News" > Permissions > 
Marketing Group > all Actions: Allowed

----

### ACL: Redirects

<ul>
<li class="grey">Login in Back-end</li>
<li class="grey">Manage Content</li>
<li class="grey">Manage Categories</li>
<li>Manage Redirects</li>
</ul>

► System > Redirects > Permissions > 
Marketing Group > Allow all Actions except "Configure"

---

----

### Add New User

- Mark Ting
- Marketing Department

► Users > Manage > New

----

### Back-end Login with account 
No Back-end Title + Toolbar

----

### VAL: Title + Toolbar Module

<ul>
<li>Duplicate Admin Modules:
<ul>
<li>Title</li>
<li>Toolbar</li>
</ul>
</li>
<li>and assign Access to: 
<ul><li>Marketing Level</li></ul>
</li>
</ul>

► System > Administrator Modules > duplicate

----

### Back-end Login with account
Back-end Title + Toolbar visible

----

### Users: Result

<table>
<tr>
<td><img src="images/24-joomla5-usergroups-acl/ug.jpg" style="height:100px"></td>
<td>User Group: Marketing Group</td>
</tr>
<tr>
<td><img src="images/24-joomla5-usergroups-acl/val.jpg" style="height:100px"></td>
<td>Viewing Access Level: Marketing Level</td>
</tr>
<tr>
<td><img src="images/24-joomla5-usergroups-acl/access.jpg" style="height:100px"></td>
<td>Permissions of Marketing Group<ul> 
 <li>Login back-end</li>
 <li>Manage articles from category "News"</li>
 <li>Manage Redirects</li></ul>
</td>
</tr>
</table>

---

----

### More with Joomla core

<ul style="font-size: 90%">
 <li class="fragment">Workflows 
 - Joomla content Statuses: Published, Unpublished, Archived, Trashed 
 - Create your own Statuses + Content Approval Flows
 </li>
 <li class="fragment">Webservices API 
 - Webservices only for Super Users with token? 
 - Create Super User/token + downgrade to Registered User 
 </li>
</ul>

----

### More with 3rd Party

<ul style="font-size: 90%">
 <li class="fragment"><a href="https://extensions.joomla.org/extension/acl-manager/" target=_blank>ACL Manager</a>: 
 - GUI to manage ACL Permissions developed by Sander Potjer (PWT)
</li>
 <li class="fragment"><a href="https://extensions.joomla.org/extension/membership-pro/" target=_blank>Membership Pro</a>: 
 - Extension to move Users to User Groups, e.g. after payment 
</li>
</ul>

---

---

<div class="title">Questions?</div>

----

## Photo Credits

<ul style="font-size:50%">
<li>https://unsplash.com/photos/blue-and-gray-stairs-inside-building-PFeFOCB6S18</li>
<li>https://pixabay.com/photos/notebook-paper-pages-open-731212/</li>
<li>https://www.pexels.com/photo/woman-in-yellow-t-shirt-using-gray-binoculars-3813486/</li>
<li>https://unsplash.com/photos/a-red-and-white-sign-sitting-on-the-side-of-a-road--XiKxvvFGgU</li>
<li>https://unsplash.com/photos/creative-decor-Q_6BS8IN0J8</li>
<li>https://www.pexels.com/photo/group-of-people-near-wall-2422290/</li>
<li>https://www.pexels.com/photo/woman-in-yellow-t-shirt-using-gray-binoculars-3813486/</li>
<li>https://unsplash.com/photos/a-red-and-white-sign-sitting-on-the-side-of-a-road--XiKxvvFGgU</li>
<li>https://www.pexels.com/photo/woman-demonstrating-blank-business-card-in-light-room-7319300/</li>
<li>https://unsplash.com/photos/a-neon-sign-that-says-more-on-it-VPRnUFM0eX4</li>
<li>https://unsplash.com/photos/3GZi6OpSDcY</li>
<li>https://unsplash.com/photos/hhq1Lxtuwd8</li>
</ul>

</section>