next »

[Fotis]

One of the most common problems that developers face when finishing a project based on Joomla is user access management, or to be more exact, the lack of user access control! There are numerous solutions on this issue like the commercial component from Joomla Solutions which is called JBAM (Joomla backend access management - $125) and the free component JACLPlus from Byostech. Both are hacks to the core files of Joomla and each has its drawbacks, so many users/developers may be a little sceptical on using them.

Don't get me wrong! But JACL is version dependant and JBAM is way to complicated (and pricey) when all you want to do is give your managers access to the Polls component!!!

So what other options do we have? Well, hack one file a bit and give any user group access to any component yourself!

The file is includes/gacl.class.php.

We can easily assign access to certain components for certain groups. E.g. you might want to give your website Administrator the rights to add/delete user accounts on the backend, but not access to modules or mambots! Or you might want to give Managers access to a third-party component like ArtBanners (for ad banner management) which seems quite logical if you deal with lot of content and want to distribute different tasks to different people.

So we simply change or add a few lines in includes/gacl.class.php and we can totally control what parts of the site the 3 predefined backend management user groups (Super Admin, Admin, Manager) can access!

I'll give you an example of what I usually do...

1. Restrict access for Administrators (not Super Administrators!) to Modules and Mambots.
At about line 136 I comment out the lines below:

Code:

// access to modules
//$this->_mos_add_acl( 'administration', 'install', 'users', 'administrator', 'modules', 'all' );
$this->_mos_add_acl( 'administration', 'install', 'users', 'super administrator', 'modules', 'all' );

//$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'modules', 'all' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'super administrator', 'modules', 'all' );

// access to mambots
//$this->_mos_add_acl( 'administration', 'install', 'users', 'administrator', 'mambots', 'all' );
$this->_mos_add_acl( 'administration', 'install', 'users', 'super administrator', 'mambots', 'all' );

//$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'mambots', 'all' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'super administrator', 'mambots', 'all' );

As you can see, all lines that refer to "administrator" have been commented out. So whenever I open a new user account and give Administrator rights to it, I know they will never see the Modules and Mambots menus!

2. Give Managers and Administrators access to certain components.
At about line 152, below where it says:

Code:

// uncomment following to allow managers to edit modules
//array( 'administration', 'edit', 'users', 'manager', 'modules', 'all' );

replace the following code:

Code:

// access to components
$this->_mos_add_acl( 'administration', 'install', 'users', 'administrator', 'components', 'all' );
$this->_mos_add_acl( 'administration', 'install', 'users', 'super administrator', 'components', 'all' );

$this->_mos_add_acl( 'administration', 'edit', 'users', 'super administrator', 'components', 'all' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'all' );

$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_newsflash' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_frontpage' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_media' );
// ** add additional components for a manager as desired, or give access to all

with these lines:

Code:

// Custom Access - Start
// added for administrators' access
$this->_mos_add_acl( 'administration', 'install', 'users', 'administrator', 'components', 'all' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_massmail' );
$this->_mos_add_acl( 'administration', 'manage', 'users', 'administrator', 'components', 'com_massmail' );
$this->_mos_add_acl( 'administration', 'manage', 'users', 'administrator', 'components', 'com_trash' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_poll' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_media' );

$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_joomfish' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_yanc' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_artbanners' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'administrator', 'components', 'com_virtuemart' );

// added for managers' access
$this->_mos_add_acl( 'administration', 'install', 'users', 'manager', 'components', 'all' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_massmail' );
$this->_mos_add_acl( 'administration', 'manage', 'users', 'manager', 'components', 'com_massmail' );
$this->_mos_add_acl( 'administration', 'manage', 'users', 'manager', 'components', 'com_trash' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_poll' );

$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_joomfish' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_artbanners' );
// Custom Access - End

So this way we enabled access to Administrators to: massmail, trash manager, polls, media manager, Joom!Fish, ArtBanners, YaNC and VirtueMart.
And to Managers we enabled access to: massmail, trash manager, polls, Joom!Fish and ArtBanners, but NOT YaNC or VirtueMart (media manager access is given below as standard). Something that was not possible with standard Joomla! user access control.

Conclusion
That way we can easily "distribute" access permission rights for certain components to 2 user groups (Administrators and Managers) without the need for a third-party component!

Please note that there are some core restrictions to certain user groups by default in Joomla! that cannot be affected by the above "hacks". For example, Managers do not handle User Management or cannot access Global Configuration.

But in most cases, all you'll ever need is give access to your site managers to third-party components and probably restrict Administrators from "playing around" with Modules or Mambots.

[mwbarker]

One question I have on this is if I give access to managers to certain components, how do they actually get to them without actually knowing the URL?  In other words, I give a manager access to the com_hydra or com_joomfish component, but the actual components menu still doesn't show up for them to even attempt to access those.  The only way for them to access them at that point it to login to the backend, then paste the entire URL into their browser:

http://mysite.com/administrator/index2.php?option=com_hydra

Is there any way to work around that?

[Fotis]

Some components add an extra check in the backend. So these will need to be hacked to get them working. Regarding Hydra I cannot say much cause I haven't used it. But Joom!Fish works just fine with the adjustments proposed in the gacl.class.php file. 

[mwbarker]

One of the components I tried this with was Joom!Fish.  The components menu still doesn't appear.

[mwbarker]

I had to make sure this line was in there to get it to work:

Code:

$this->_mos_add_acl( 'administration', 'install', 'users', 'manager', 'components', 'all' );

I know this is listed in your original code, but that really doesn't make any sense to me as this is saying then that the manager can install components (which I obviously don't want).  While they may not see the option to install a component, if they know the URL to go to, it will allow them access.  This also doesn't allow the tab to appear on the right side of the main admin page.  Guess it needs just a little more playing around with.  I know that when I allow the manager full access to the components, it shows up, so there must be a component out there that controls the tabs?

[Fotis]

Have you tried this?

Code:

$this->_mos_add_acl( 'administration', 'manage', 'users', 'manager', 'components', 'com_joomfish' );
$this->_mos_add_acl( 'administration', 'edit', 'users', 'manager', 'components', 'com_joomfish' );

[azgaroth]

Hey Fotis. I have followed your tutorial and it works like a charm.
I have one question. For example the manager user group is given access only to JoomlaFish, but they can also access the Content Section. Is it possible to cut this too? I would like to give em access only to the fish and nothing more.
Thanks for the awesome tutorial mate.

[Fotis]

Unfortunately not. If you give access to a certain component, then you provide full access to that component, unless it has some internal permissions checkings based on user group. In any case, you need to hack the component's code to achieve what you want, or simply remove this link by deleting the appropriate registration in the database. But you need to be careful on that. Personally, I don't find it that important. 

[azgaroth]

Unfortunately not. If you give access to a certain component, then you provide full access to that component, unless it has some internal permissions checkings based on user group. In any case, you need to hack the component's code to achieve what you want, or simply remove this link by deleting the appropriate registration in the database. But you need to be careful on that. Personally, I don't find it that important. 

Well probably I wasn't clear enough in my previous message. What I was trying to say was: Can I cut the access to the content section? I don't want the managers to be able to modify the content of the site... the menu section too if it is possible.
Thank you for your answers

[Fotis]

You would need to actually hide/disable the links for the managers group inside the file administrator/modules/mod_fullmenu.php.

Study this file to see how the menu items of the admin navigation are presented. You'll understand then how to hide the MENU and CONTENT menus for managers only.

[azgaroth]

Thank you very much Fotis.

[nn]

Hello,
i dont know how appropriate it is to ask this in this forum but the topic seems related.
I need to disable publishing for Manager user group, i understand that this can not be done just with editing of gacl.class.php.
I guess I also need to disable Publish/Unpublish buttons and toggle, also Publish checkbox when adding/editing item and all of this just for the manager usertype.
It seems that i should edit:
administrator\includes\menubar.html.php
administrator\components\com_content\admin.content.php or
administrator\components\com_content\admin.content.html.php
but i do not really know what the changes should be...

I also tried to get the answer at the official joomla forum:
http://forum.joomla.org/index.php/topic,218190.msg1015877.html#msg1015877
http://forum.joomla.org/index.php/topic,167540.msg1012822.html#msg1012822

pls help.

[MindTooth]

Can't this be made by a plugin, Fotis? If so, you up for the task?

[JeremyRevo]

Revolution Web Studios.com Builds Custom Interactive Websites with CMS.

[JeremyRevo]

I have not heard back from anyone on this issue. I am sure it is discussed somewhere on the Forum and I do not want to seem ignorant, I just need help understanding how I can do it or have someone walk me through it. Revolution Web Studios.com Builds Custom Interactive Websites with CMS. Thank you for any response.

[cbal]

You would need to actually hide/disable the links for the managers group inside the file administrator/modules/mod_fullmenu.php.

Study this file to see how the menu items of the admin navigation are presented. You'll understand then how to hide the MENU and CONTENT menus for managers only.

Any more advice? on how to disapear the menu?

[Fotis]

To restrict access to parts of the joomla backend menu, the easiest way is to hide these links from certain groups. It is obvious to hide for example the "Menu" submenu in the joomla backend for the "managers" group. Others might wanna go further and hide even the "Content" submenu to restrict e.g. "managers" from modifying content (but provide them access to some other component with my original hack).

Let's see how we can hide the "Menu" submenu totally for all "managers"...

All changes needed done involve editing one file only: administrator/modules/mod_fullmenu.php

Around line 118, this is the part that shows the "Menu" submenu:

Code:

// Menu Sub-Menu
?> _cmSplit,
[null,'Menu',null,null,'Menu Management',
<?php
if ($manageMenuMan) {
?> ['<img src="../includes/js/ThemeOffice/menus.png" />','Menu Manager','index2.php?option=com_menumanager',null,'Menu Manager'],
_cmSplit,
<?php
}
foreach ( $menuTypes as $menuType ) {
?> ['<img src="../includes/js/ThemeOffice/menus.png" />','<?php echo $menuType;?>','index2.php?option=com_menus&menutype=<?php echo $menuType;?>',null,''],
<?php
}
?> ],

In order for us to hide this from "managers", we just need to wrap it with:

Code:

if ($canConfig) { ... }

which is an if statement used to enable content only for "administrators" and "super administrators". So the original code portion would become:

Code:

// Menu Sub-Menu
if ($canConfig) { // start - hide from managers
?> _cmSplit,
[null,'Menu',null,null,'Menu Management',
<?php
if ($manageMenuMan) {
?> ['<img src="../includes/js/ThemeOffice/menus.png" />','Menu Manager','index2.php?option=com_menumanager',null,'Menu Manager'],
_cmSplit,
<?php
}
foreach ( $menuTypes as $menuType ) {
?> ['<img src="../includes/js/ThemeOffice/menus.png" />','<?php echo $menuType;?>','index2.php?option=com_menus&menutype=<?php echo $menuType;?>',null,''],
<?php
}
?> ],
<?php
} // end - hide from managers
?>

You can use the same code for other parts of the joomla backend menu, just make sure you carefully add the needed php code, as it is mixed with javascript code and some might easily get confused. 

[jetronic]

wonderful solution!! thanks!
But still , in Tab info, manager still have the right to access menu, how to disable it?

[timgerr]

This is a nice tutorial.  I was wondering if you had any information on creating groups.  I want to create new groups so I can script automated creation of firebord forums.  They use the default group permissions for access. 

I am having trouble understanding how to create groups (because of the left and right keys).   Do you have any information on how to create new groups?

Thanks for the help,
timgerr

[MokumDesign]

Fotis - once again your knowledge of joomla frightens me but in a GOOD WAY!!
I came to the forum looking for a solution to a totally different problem and found this thread.
I have been doing my nut for months over this!! then put it down and stopped trying to get it to work..Now I follow the steps and it works perfectly.
I am soo impressed with you and your company!! that why I will always buy your "paid" extensions!! you guys deserve it!!