ACL Technique in Joomla!

Revision as of 03:13, 24 September 2012

A technical overview of how Access Control is implemented in Joomla!.

Introduction

TODO: short intro about different parts that work together as one Access Control system.

The #__assets table

The #__assets database table has the following structure (MySql):

CREATE TABLE IF NOT EXISTS `#__assets` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'Primary Key',
  `parent_id` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set parent.',
  `lft` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set lft.',
  `rgt` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set rgt.',
  `level` int(10) unsigned NOT NULL COMMENT 'The cached level in the nested tree.',
  `name` varchar(50) NOT NULL COMMENT 'The unique name for the asset.',
  `title` varchar(100) NOT NULL COMMENT 'The descriptive title for the asset.',
  `rules` varchar(5120) NOT NULL COMMENT 'JSON encoded access control.',
  PRIMARY KEY (`id`),
  UNIQUE KEY `idx_asset_name` (`name`),
  KEY `idx_lft_rgt` (`lft`,`rgt`),
  KEY `idx_parent_id` (`parent_id`)
);

TODO: describe the Assets database table. Fields, layout and purpose.

Also see: Fixing the assets table

JTableAsset

TODO: describe the methods of JTableAsset, a JTableNested.

Also see:

• http://docs.joomla.org/JTableAsset and subpages
• http://api.joomla.org/Joomla-Platform/Table/JTableAsset.html

JAccessRule and JAccessRules

TODO: describe the methods of AccessRule and JAccessRules

Also see:

• deprecated http://docs.joomla.org/JRule, http://docs.joomla.org/JRules and subpages
• http://api.joomla.org/Joomla-Platform/Access/JAccessRule.html and http://api.joomla.org/Joomla-Platform/Access/JAccessRules.html

JAccess

TODO: describe the (static) methods and (static) properties of JAccess

Also see:

• http://docs.joomla.org/JAccess and subpages
• http://api.joomla.org/Joomla-Platform/Access/JAccess.html

Users, Usergroups and View Access Levels

Used tables and classes

Also see: http://docs.joomla.org/Access_Control_System_In_Joomla_1.6

JUser authorisation methods and properties

TODO: describe the authorisation methods and properties of JUser: authorise(), authorisedLevels(), getAuthorisedCategories(), getAuthorisedGroups(), getAuthorisedViewLevels(), $_authActions, $_authGroups, $_authLevels

Also see:

• http://docs.joomla.org/JUser and subpages
• http://api.joomla.org/Joomla-Platform/User/JUser.html
• http://api.joomla.org/Joomla-Platform/User/JUserHelper.html
• http://api.joomla.org/Joomla-Platform/User/JAuthentication.html and http://api.joomla.org/Joomla-Platform/User/JAuthenticationResponse.html
• http://api.joomla.org/Joomla-Platform/Table/JTableUser.html and http://api.joomla.org/Joomla-Platform/Table/JTableUsergroup.html

JTable methods and properties for storing access permissions

TODO: describe the JTable methods and properties for storing access permissions: getRules(), setRules(), etc.

http://docs.joomla.org/JTable is only for 1.5 and lacks those new methods and properties

Also see:

• http://api.joomla.org/Joomla-Platform/Table/JTable.html

access.xml

TODO: describe the use of the access.xml file

setting permissions in a form

TODO: describe the use of a "rules"-fieldset to set the permissions

ACL-related methods in JControllerForm and JModelAdmin

TODO: describe what those methods do, how they are used and when/how to override them.

• JControllerForm: allowAdd(), allowEdit(), allowSave()
• JModelAdmin: canDelete(), canEditState()

How it all comes together

TODO: describe how all the above parts are used together in a workflow

Further reading

More information on Joomla!'s Access Control can be found on the following pages:

• General information and use: Access Control List/1.6-2.5/Tutorial
• Tutorial how to use it in your component: Developing a Model-View-Controller Component/2.5/Adding ACL

Contributors

• Herman Peeren