How to test ACL
Although there are many ways to do it, here is one useful strategy for testing ACL in the back end.
In the User Manager, create these new groups with Public as the parent: manage, edit, create, delete, edit.state.
In the Access Levels, add those groups to Special.
Create users with the same names as the groups and assign each one to the group of the same name. So user manage is assigned to the manage group, and user edit is assigned to the edit group.
In the Global Configuration, set the following permissions:
- For all of your groups, Admin Login: Allow
- For the edit group, edit: Allow
- For the create group, create: Allow
- For the edit.state group, edit.state: Allow
- For the delete group, delete: Allow
Now you can log in to the back end as each of these users, which lets you test each global permission in isolation.
In addition, you can then test the impact at lower levels. For example, for user edit, test whether a deny of Edit on a particular component or category actually denies.
With user manage you can test how allow works in the presence of implicit deny for everything. So test explicit deny and allow at the component, category and article levels.
For front end testing you only need edit, create and edit.state.
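To know what each test user should be able to do before logging in, the setup above can be modelled as an expected-results table. This is an added example, not Joomla code: it assumes the rule that an explicit deny at any inherited level wins, an explicit allow applies otherwise, and an unset permission is an implicit deny. The function names and the "admin login" label are hypothetical.

```python
# Added illustration: a simplified model of the permission rule, not Joomla code.
GROUPS = ["manage", "edit", "create", "delete", "edit.state"]
PARENT = {g: "Public" for g in GROUPS}        # every test group sits under Public
LEVELS = ["global", "component", "category", "article"]  # inheritance order
ACTIONS = ["edit", "create", "delete", "edit.state"]

def global_rules():
    """Global Configuration from the steps above."""
    rules = {(g, "admin login"): True for g in GROUPS}
    for a in ACTIONS:
        rules[(a, a)] = True                  # group "edit" gets edit, and so on
    return {"global": rules}

def lineage(group):
    """The group followed by its ancestors, e.g. edit -> Public."""
    chain = [group]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def expected(rules, group, action, level="article"):
    """Expected outcome at `level`, walking down from the global settings."""
    allowed = False
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        for g in lineage(group):
            setting = rules.get(lvl, {}).get((g, action))
            if setting is False:              # explicit deny: nothing below can undo it
                return False
            allowed = allowed or setting is True
    return allowed                            # still False means implicit deny

def matrix(rules, level="article"):
    """Actions each test group should be able to perform at `level`."""
    return {g: [a for a in ACTIONS if expected(rules, g, a, level)] for g in GROUPS}

if __name__ == "__main__":
    rules = global_rules()
    rules["category"] = {("edit", "edit"): False}    # constructed test: deny Edit on a category
    rules["component"] = {("manage", "create"): True}  # constructed test: allow for manage
    for group, actions in matrix(rules).items():
        print(f"{group:11} {actions}")
```

Compare the printed table with what each user can actually do in the back end; any difference is a finding to investigate.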