ACL Technique in Joomla!

From Joomla! Documentation

Revision as of 05:49, 25 April 2013 by Tom Hutchison
Content is Incomplete

This article or section is incomplete, which means it may be lacking information. You are welcome to assist in its completion by editing it as well. If this article or section has not been edited in several days, please consider helping complete the content.


A technical overview of how Access Control is implemented in Joomla!.


TODO: short intro about different parts that work together as one Access Control system.

The #__assets table

The #__assets database table has the following structure (MySQL):

  -- Joomla! replaces the `#__` placeholder with the site's configured table prefix.
  CREATE TABLE `#__assets` (
    `id` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'Primary Key',
    `parent_id` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set parent.',
    `lft` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set lft.',
    `rgt` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set rgt.',
    `level` int(10) unsigned NOT NULL COMMENT 'The cached level in the nested tree.',
    `name` varchar(50) NOT NULL COMMENT 'The unique name for the asset.',
    `title` varchar(100) NOT NULL COMMENT 'The descriptive title for the asset.',
    `rules` varchar(5120) NOT NULL COMMENT 'JSON encoded access control.',
    PRIMARY KEY (`id`),
    UNIQUE KEY `idx_asset_name` (`name`),
    KEY `idx_lft_rgt` (`lft`,`rgt`),
    KEY `idx_parent_id` (`parent_id`)
  );

TODO: describe the Assets database table. Fields, layout and purpose.

Also see: Fixing the assets table
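
The nested-set columns above let a reviewer list every ancestor of an asset, together with the rules stored at each level, in a single query. The following Python example is added here and is not Joomla! code: it uses an in-memory SQLite stand-in named demo_assets for #__assets, and the rows, asset names and JSON rule values are constructed for illustration. It also flags rows whose lft/rgt interval or cached level disagrees with their parent row.

```python
import json
import sqlite3

# Constructed rows: (id, parent_id, lft, rgt, level, name, title, rules).
SAMPLE_ASSETS = [
    (1, 0, 1, 8, 0, "root.1", "Root Asset", '{"core.admin":{"8":1}}'),
    (2, 1, 2, 7, 1, "com_content", "com_content", '{"core.edit":{"4":1}}'),
    (3, 2, 3, 6, 2, "com_content.category.2", "News", '{"core.edit":{"4":0}}'),
    (4, 3, 4, 5, 3, "com_content.article.1", "Hello", "{}"),
]

def demo_connection():
    """In-memory SQLite stand-in for #__assets (table name is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE demo_assets (id INTEGER PRIMARY KEY, parent_id INTEGER,"
        " lft INTEGER, rgt INTEGER, level INTEGER, name TEXT UNIQUE,"
        " title TEXT, rules TEXT)"
    )
    conn.executemany("INSERT INTO demo_assets VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ASSETS)
    return conn

def rule_chain(conn, asset_name):
    """Return [(name, level, decoded rules)] from the root down to the asset.

    An ancestor is any row whose (lft, rgt) interval encloses the asset's lft.
    """
    rows = conn.execute(
        "SELECT p.name, p.level, p.rules FROM demo_assets a"
        " JOIN demo_assets p ON a.lft BETWEEN p.lft AND p.rgt"
        " WHERE a.name = ? ORDER BY p.lft",
        (asset_name,),
    ).fetchall()
    return [(name, level, json.loads(rules or "{}")) for name, level, rules in rows]

def broken_nodes(conn):
    """Names of rows with an invalid interval, or one not nested in the parent's."""
    rows = conn.execute(
        "SELECT c.name FROM demo_assets c"
        " LEFT JOIN demo_assets p ON p.id = c.parent_id"
        " WHERE c.lft >= c.rgt OR (c.parent_id <> 0 AND (p.id IS NULL"
        " OR c.lft <= p.lft OR c.rgt >= p.rgt OR c.level <> p.level + 1))"
        " ORDER BY c.id"
    ).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = demo_connection()
    for entry in rule_chain(db, "com_content.article.1"):
        print(entry)
    print("inconsistent rows:", broken_nodes(db))
```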


TODO: describe the methods of JTableAsset, a JTableNested.

Also see:

JAccessRule and JAccessRules

TODO: describe the methods of JAccessRule and JAccessRules

Also see:


TODO: describe the (static) methods and (static) properties of JAccess

Also see:

Users, Usergroups and View Access Levels

Used tables and classes

Also see:

JUser authorisation methods and properties

TODO: describe the authorisation methods and properties of JUser: authorise(), authorisedLevels(), getAuthorisedCategories(), getAuthorisedGroups(), getAuthorisedViewLevels(), $_authActions, $_authGroups, $_authLevels

Also see:

JTable methods and properties for storing access permissions

TODO: describe the JTable methods and properties for storing access permissions: getRules(), setRules(), etc. is only for 1.5 and lacks those new methods and properties

Also see:


TODO: describe the use of the access.xml file

Setting permissions in a form

TODO: describe the use of a "rules"-fieldset to set the permissions

ACL-related methods in JControllerForm and JModelAdmin

TODO: describe what those methods do, how they are used and when/how to override them.

  • JControllerForm: allowAdd(), allowEdit(), allowSave()
  • JModelAdmin: canDelete(), canEditState()

How it all comes together

TODO: describe how all the above parts are used together in a workflow

Further reading

More information on Joomla!'s Access Control can be found on the following pages: