Joomla! 1.6: Managing Site Users with Access Control


Joomla! 1.6 First Look

A concise guide to everything that’s new in Joomla! 1.6.    

What’s new about the Access Control Levels system?

In Joomla! 1.5, a fixed set of user groups was available, ranging from “Public” users (anyone with access to the frontend of the site) to “Super Administrators”, allowed to log in to the backend and do anything. The ACL system in Joomla! 1.6 is much more flexible:

  • Instead of fixed user groups with fixed sets of permissions, you can create as many groups as you want and grant the people in those groups any combination of permissions. ACL enables you to control anything users can do on the site: log in, create, edit, delete, publish, unpublish, trash, archive, manage, or administer things.
  • Users are no longer limited to only one group: a user can belong to different groups at the same time. This allows you to give particular users both the set of permissions for one group and another group without having to create a third, combined set of permissions from the ground up.
  • Permissions no longer apply to the whole site as they did in Joomla! 1.5. You can now set permissions for specific parts of the site. Permissions apply to either the whole site, or to specific components, categories, or items (such as a single article).

What are the default user groups and permissions?

The flexibility of the new ACL system has a downside: it can also get quite complex. The power to create as many user groups as you like, each with very fine-grained sets of permissions assigned to them, means you can easily get entangled in a web of user groups, Joomla! Objects, and permissions.

You should carefully plan the combinations of permissions you need to assign to different user groups. Before you change anything in Joomla!, sketch an outline or use mind mapping tools (such as http://bubbl.us) to get an overview of what you want to accomplish through Joomla! ACL: who (which users) should be able to see or do what in which parts of the site?

In many cases, you might not need to go beyond the default setup and can just use the default user groups and permissions that are already present when you install Joomla! 1.6. So, before we find out how you can craft custom user groups and their distinctive sets of permissions, let’s have a look at the default Joomla! 1.6 ACL setup.

The default site-wide settings

In broad terms, the default groups and permissions present in Joomla! 1.6 are much like the ACL system that was available in Joomla! 1.5. To view the default groups and their permissions, go to Site | Global Configuration | Permissions. The Permission Settings screen is displayed, showing a list of User Groups. A user group is a collection of users sharing the same permissions, such as Public, Manager, or Administrator.

By default the permission settings of the Public user group are shown; clicking any of the other user group names reveals the settings for that particular group.

On the right-hand side of the Permission Settings screen, the generic (site-wide) action permissions for this group are displayed: Site Login, Admin Login, and so on. Actions are the things users are allowed to do on the site. For the sample user groups, these action permissions have already been set.

Default user groups

Let’s find out what these default user groups are about. We’ll discuss the user groups from the most basic level (Public) to the most powerful (Super Users).

Public – the guest group

This is the most basic level; anyone visiting your site is considered part of the Public group. Members of the Public group can view the frontend of the site, but they don’t have any special permissions.

Registered – the user group that can log in

Registered users are regular site visitors, except for the fact that they are allowed to log in to the frontend of the site. After they have logged in with their account details, they can view content that may be hidden from ordinary site visitors because the Access level of that content has been set to Registered. This way, Registered users can be presented all kinds of content ordinary (Public) users can’t see.

Registered users, however, can’t contribute content. They’re part of the user community, not the web team.

Author, Editor, Publisher – the frontend content team

Authors, Editors, and Publishers are allowed to log in to the frontend, to edit or add articles. There are three types of frontend content contributors, each with their specific permission levels:

  • Authors can create new content for approval by a Publisher or someone higher in rank. They can edit their own articles, but can’t edit existing articles created by others.
  • Editors can create new articles and edit existing articles. A Publisher or higher must approve their submissions.
  • Publishers can create, edit, and publish, unpublish, or trash articles in the frontend. They cannot delete content.

Manager, Administrator, Super User – the backend administrators

Managers, Administrators and Super Users are allowed to log in to the backend to add and manage content and to perform administrative tasks.

  • Managers can do all that Publishers can, but they are also allowed to log in to the backend of the site to create, edit, or delete articles. They can also create and manage categories. They have limited access to administration functions.
  • Administrators can do all that Managers can and have access to more administration functions. They can manage users, edit or configure extensions, and change the site template. They can use manager screens (User Manager, Article Manager, and so on) and can create, delete, edit, and change the state of users, articles, and so on.
  • Super Users can do everything possible in the backend. (In Joomla! 1.5, this user group type was called Super Administrator). When Joomla! is installed, there’s always one Super User account created. That’s usually the person who builds and customizes the website. In the current example website, you’re the Super User.

Shop Suppliers and Customers – two sample user groups

You’ll notice two groups in the Permission Settings screen that we haven’t covered yet: Shop Suppliers and Customer. These are added when you install the Joomla! 1.6 sample data. These aren’t default user groups; they are used in the sample Fruit Shop site to show how you can create customized groups.

Are there also sample users available?

As there are user groups present in the sample data, you might expect there are also sample users. This is not the case. There are no (sample) users assigned to the sample user groups. There’s just one user available after you’ve installed Joomla!— you. You can view your details by navigating to Users | User Manager. You’re taken to the User Manager: Users screen:

Here you can see that your name is Super User, your user name is admin (unless you’ve changed this yourself when setting up your account), and you’re part of the user group called Super Users.

There’s also a shortcut available to take you to your own basic user settings: click on Site | My Profile or—even faster—just click on the Edit Profile shortcut in the Control Panel. However, you can’t manage user permissions here; the purpose of the My Profile screen is only to manage basic user settings.

Action Permissions: what users can do

We’ve now seen what types of users are present in the default setup of Joomla! 1.6. The action permissions that you can grant these user groups—things they can do on the site—are shown per user group in the Site | Global Configuration | Permissions screen. Click on any of the user group names to see the permission settings for that group:

You’ll also find these permissions (such as Site Login, Create, Delete, Edit) on other places in the Joomla! interface: after all, you don’t just apply permissions on a site-wide basis (as you could in previous versions of Joomla!), but also on the level of components, categories, or individual items.

To allow or deny users to do things, each of the available actions can be set to Allowed or Denied for a specific user group. If the permission for an action isn’t explicitly allowed or denied, it is Not Set.

Permissions are inherited

You don’t have to set each and every permission on every level manually: permissions are inherited between groups. That is, a child user group automatically gets the permissions set for its parent.

Wait a minute—parents, children, inheritance … how does that work? To understand these relationships, let’s have a look at the overview of user groups in the Permission Settings screen. This shows all available user groups (I’ve edited this screen image a little to be able to show all the user groups in one column):

You’ll notice that all user group names are displayed indented, apart from Public. This indicates the permissions hierarchy: Public is the parent group, Manager (indented one position) is a child of Public, Administrator (indented two positions) is a child of Manager.

Permissions for a parent group are automatically inherited by all child groups (unless these permissions are explicitly set to Allowed or Denied to “break” the inheritance relationship). In other words: a child group can do anything a parent group can do—and more, as it is a child and therefore has its own specific permissions set.

For example, as Authors are children of the Registered group, they inherit the permissions of the Registered group (that is, the permission to log in to the frontend of the site). Apart from that, Authors have their own specific permissions added to the permissions of the Registered group.

Setting an action to Denied is very powerful: you can’t allow an action for a lower level in the permission hierarchy if it is set to Denied higher up in the hierarchy. So, if an action is set to Denied for a higher group, this action will be inherited all the way down the permissions “tree” and will always be denied for all lower levels—even if you explicitly set the lower level to Allowed.
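
The inheritance rule described above can be modelled in a few lines. This is an added example, not code from the article or from Joomla!: the group tree follows the article (placing Registered directly under Public is an assumption), the rule settings are constructed, and the function names are hypothetical. It resolves the effective permission for a group and lists Allowed settings that can never take effect because a higher group is set to Denied.

```python
ALLOWED, DENIED, NOT_SET = "Allowed", "Denied", "Not Set"

# Parent of each group. Public > Manager > Administrator and Registered > Author
# follow the article; Registered directly under Public is an assumption.
PARENT = {
    "Public": None,
    "Registered": "Public",
    "Author": "Registered",
    "Manager": "Public",
    "Administrator": "Manager",
}

# Constructed sample settings: {action: {group: explicit setting}}.
# "Create" is deliberately misconfigured to show a Denied higher up.
RULES = {
    "Site Login": {"Registered": ALLOWED},
    "Admin Login": {"Manager": ALLOWED},
    "Create": {"Author": ALLOWED, "Manager": DENIED, "Administrator": ALLOWED},
}

def chain(group):
    """Return the path from the top-level group down to `group`."""
    path = []
    while group is not None:
        path.append(group)
        group = PARENT[group]
    return path[::-1]

def effective(action, group, rules=RULES):
    """Any Denied on the chain wins; otherwise one Allowed is enough;
    otherwise the result stays Not Set, so the action is not granted."""
    settings = [rules.get(action, {}).get(g, NOT_SET) for g in chain(group)]
    if DENIED in settings:
        return DENIED
    return ALLOWED if ALLOWED in settings else NOT_SET

def shadowed_allows(rules=RULES):
    """List (action, group, blocking ancestor) for every explicit Allowed
    that is overridden by a Denied set on an ancestor group."""
    found = []
    for action, per_group in rules.items():
        for group, setting in per_group.items():
            ancestors = chain(group)[:-1]
            blocker = next((a for a in ancestors if per_group.get(a) == DENIED), None)
            if setting == ALLOWED and blocker:
                found.append((action, group, blocker))
    return found
```

Running shadowed_allows() over an export of your own settings is a quick way to spot rules that look permissive in the interface but are dead in practice.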

 

Published by
Packt
