ACL Technique in Joomla!

From Joomla! Documentation

Revision as of 02:07, 22 April 2013 by Wilsonge (Talk | contribs)

A technical overview of how Access Control is implemented in Joomla!.


TODO: short intro about different parts that work together as one Access Control system.

The #__assets table

The #__assets database table has the following structure (MySQL):

  `id` int(10) unsigned NOT NULL AUTO_INCREMENT COMMENT 'Primary Key',
  `parent_id` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set parent.',
  `lft` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set lft.',
  `rgt` int(11) NOT NULL DEFAULT '0' COMMENT 'Nested set rgt.',
  `level` int(10) unsigned NOT NULL COMMENT 'The cached level in the nested tree.',
  `name` varchar(50) NOT NULL COMMENT 'The unique name for the asset.',
  `title` varchar(100) NOT NULL COMMENT 'The descriptive title for the asset.',
  `rules` varchar(5120) NOT NULL COMMENT 'JSON encoded access control.',
  PRIMARY KEY (`id`),
  UNIQUE KEY `idx_asset_name` (`name`),
  KEY `idx_lft_rgt` (`lft`,`rgt`),
  KEY `idx_parent_id` (`parent_id`)

TODO: describe the Assets database table. Fields, layout and purpose.

Also see: Fixing the assets table
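
The following is an added example, not part of the Joomla! documentation or code base: a Python check that the nested-set columns (`parent_id`, `lft`, `rgt`, `level`) agree with each other and that `rules` holds a JSON object. It assumes an in-memory SQLite table named `assets` standing in for the MySQL `#__assets` table, constructed sample rows, and that `parent_id` 0 marks the root asset at level 0.

```python
import json
import sqlite3

# Constructed sample rows; asset 4 is deliberately corrupt (wrong level, truncated JSON).
SAMPLE_ROWS = [
    (1, 0, 0, 7, 0, "root.1", "Root Asset", '{"core.admin":{"8":1}}'),
    (2, 1, 1, 6, 1, "com_content", "com_content", "{}"),
    (3, 2, 2, 3, 2, "com_content.category.2", "Uncategorised", "{}"),
    (4, 2, 4, 5, 1, "com_content.article.1", "Article", '{"core.edit":'),
]

def load(rows):
    """Load rows into an in-memory SQLite stand-in for #__assets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, parent_id INTEGER,"
                 " lft INTEGER, rgt INTEGER, level INTEGER, name TEXT UNIQUE,"
                 " title TEXT, rules TEXT NOT NULL)")
    conn.executemany("INSERT INTO assets VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn

def check_assets(conn):
    """Return (asset id, problem) pairs for rows that break the nested set."""
    rows = {r[0]: r for r in conn.execute(
        "SELECT id, parent_id, lft, rgt, level, rules FROM assets ORDER BY id")}
    problems = []
    for aid, parent_id, lft, rgt, level, rules in rows.values():
        if lft >= rgt:
            problems.append((aid, "lft is not less than rgt"))
        parent = rows.get(parent_id)
        if parent_id == 0:  # assumption: parent_id 0 marks the root, at level 0
            if level != 0:
                problems.append((aid, "root asset has non-zero level"))
        elif parent is None:
            problems.append((aid, "parent_id points to a missing asset"))
        else:
            if not (parent[2] < lft and rgt < parent[3]):
                problems.append((aid, "lft/rgt not nested inside parent"))
            if level != parent[4] + 1:
                problems.append((aid, "level does not match parent level + 1"))
        try:
            if not isinstance(json.loads(rules), dict):
                raise ValueError("not an object")
        except ValueError:
            problems.append((aid, "rules is not a JSON object"))
    return problems

if __name__ == "__main__":
    for asset_id, problem in check_assets(load(SAMPLE_ROWS)):
        print(asset_id, problem)
```
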


TODO: describe the methods of JTableAsset, a JTableNested.

JAccessRule and JAccessRules

TODO: describe the methods of JAccessRule and JAccessRules


TODO: describe the (static) methods and (static) properties of JAccess

Users, Usergroups and View Access Levels

Used tables and classes

JUser authorisation methods and properties

TODO: describe the authorisation methods and properties of JUser: authorise(), authorisedLevels(), getAuthorisedCategories(), getAuthorisedGroups(), getAuthorisedViewLevels(), $_authActions, $_authGroups, $_authLevels

JTable methods and properties for storing access permissions

TODO: describe the JTable methods and properties for storing access permissions: getRules(), setRules(), etc. is only for 1.5 and lacks those new methods and properties


TODO: describe the use of the access.xml file

Setting permissions in a form

TODO: describe the use of a "rules"-fieldset to set the permissions

ACL-related methods in JControllerForm and JModelAdmin

TODO: describe what those methods do, how they are used and when/how to override them.

  • JControllerForm: allowAdd(), allowEdit(), allowSave()
  • JModelAdmin: canDelete(), canEditState()

How it all comes together

TODO: describe how all the above parts are used together in a workflow

Further reading

More information on Joomla!'s Access Control can be found on the following pages: