User Management 3

It's often the case that you need finer-grained access control. For instance, you might want one group of users to be able to just view articles in a category blog and another group of users to be able to both view and create articles in the blog. This is where Joomla's User Groups come into play.

There are 3 Back End user groups and 4 Front End user groups that come preinstalled with Joomla (see here for a list of them and their functions). You can also add custom user groups, and apply custom viewing access levels to supplement the default Public, Registered and Special levels (more about this later).

Permissions are generally assigned in one of two ways.

1. Globally. For Articles this is in Article Manager:Article-Options-Permissions.

2. Locally. For individual articles this is done in the Article Manager: Edit Article in the Permissions pane. 

In the case where permissions conflict (for instance when a Public module contains a Registered link) the more restrictive permission will apply.

Although this may seem overly complex, this multi-level approach allows maximum flexibility, letting resources be assigned in very specific ways.

To get a feel for how this works, we are going to take a relatively simple example. Suppose you want one or more people, besides yourself, to be able to upload articles to your recipe blog. The simplest way to do this, you may think, is to just set the Access of the Create Article menu item to Registered. However, by default Joomla denies the Registered user group permission to create content. This could be changed in the Article Manager - Options - Permissions window, but it is not advisable because it would grant all registered users the ability to upload content. We really only want to grant this permission to a subset of registered users.

Fortunately, Joomla has a User Group created for this very task: the Author group. User groups inherit the properties of their parent. Since the parent of the Author group is the Registered group, the Author group can be considered a subset of the Registered group, inheriting all the privileges of the Registered group plus the additional permission to create content.

You can verify that the Author group does have these privileges by going to Article Manager, clicking on Options and selecting the Permissions tab. Expand the Author drop-down list to see that Create and Edit Own are allowed. Permissions can be changed by selecting Inherited (the Global setting or Parent Group), Allow, or Deny.

Click Cancel without saving. 



If you completed the tutorials in Lesson 4, you will already have a category blog and a 'Create Article' menu item. Remember that we set the Access of the Create Article menu item to Special, so only an administrator could view the menu item. If we set it to Registered, all registered users will be able to see this menu item. However, if they are not in the Authors user group (and their permissions have not been changed from the default), they will receive the "you are not authorised to view this resource" message when they click the Create Article menu item.

Go to Menus - Main Menu. In the list of menu items, find the menu item for the Category Blog (i.e. Recipes). Click on it to edit it. Change the Access setting to Registered and click Save. Now log into the front end as your testuser. Verify that you can see the Create Article menu item and that clicking on it gives you the access denied message.

Now, in the Back End, go to User Manager. Click on testuser to edit it. In the Assigned Users Groups pane, check the box next to Author. Click Save and Close. The test user has now been added to the Author User Group.


Now go back to the Front End and you should be able to reload the Create Article page (you may need to log out and log back in as the testuser).

So while this works, it leaves a messy Create Article link that leads to an error for some users. What we really need to do is change the Viewing Access Level of the Create Article menu item so that for registered users who are not Authors the Create Article menu item is invisible.

Go to Users - Access Levels - Add New Access level. Type 'Author' in the Level Title Field and check the box next to Author in the User Groups Having viewing Access pane. Click Save and Close.


Now you can go back to the Front End and confirm that the testuser can access the Create Article menu item. Then go to the Back End, Users - User Manager, and remove the testuser's Author privileges (uncheck the box next to Author in the Permissions pane in the testuser's editing window). Go to the Front End, log out and log back in as testuser to confirm that the Create Article menu item no longer shows for a user without Author privileges.
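The walkthrough above combines two separate checks: the viewing access level decides whether the menu item is shown, and the Create permission decides whether the form opens. The following sketch is an added illustration, not Joomla's own code; it models both checks for the testuser, and goes slightly beyond the tutorial by also modelling an explicit Deny. All function and variable names are hypothetical, and it assumes the default denial of Create for Registered is an unset (Inherited) value rather than an explicit Deny.

```python
# Simplified model of the two checks in this tutorial; not Joomla's own code.
ALLOW, DENY, INHERITED = "Allow", "Deny", "Inherited"

# Child group -> parent group. The tutorial states Author's parent is Registered.
PARENT = {"Registered": None, "Author": "Registered"}

# Global article permissions. Assumption: Registered's default denial of Create
# is an unset (Inherited) value rather than an explicit Deny.
GLOBAL_RULES = {
    "Registered": {"Create": INHERITED},
    "Author": {"Create": ALLOW, "Edit Own": ALLOW},
}

# Viewing access level -> groups that have it ("Author" is the level created above).
VIEW_LEVELS = {"Registered": {"Registered"}, "Author": {"Author"}}


def with_ancestors(groups):
    """Expand a user's groups to include every parent group."""
    seen = set()
    for group in groups:
        while group is not None and group not in seen:
            seen.add(group)
            group = PARENT[group]
    return seen


def can(groups, action, rules=GLOBAL_RULES):
    """Action check: an explicit Deny anywhere wins, then Allow, else denied."""
    settings = {rules.get(g, {}).get(action, INHERITED) for g in with_ancestors(groups)}
    return DENY not in settings and ALLOW in settings


def can_view(groups, level):
    """Visibility check: the user must hold a group listed in the access level."""
    return bool(with_ancestors(groups) & VIEW_LEVELS[level])


def create_article_link(groups, menu_access):
    """What a logged-in user experiences for the Create Article menu item."""
    if not can_view(groups, menu_access):
        return "hidden"
    return "form" if can(groups, "Create") else "access denied"


if __name__ == "__main__":
    for access in ("Registered", "Author"):
        for groups in ({"Registered"}, {"Registered", "Author"}):
            print(access, sorted(groups), "->", create_article_link(groups, access))
```

Passing `can` a rule set with an explicit Deny on Registered returns False for Authors as well, because a Deny on a parent group is not overridden by an Allow on a child group.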

Things to Try

Create a number of category blogs, available to all registered users, each with their own author. Authors should only be able to publish in their own category. For instance, you might be running an online newspaper with writers for current affairs, sports, gossip etc., or you might want to divide your recipes into mains and desserts with specialty writers for each. (Hint: create a User Group and a Viewing Access Level for each category and apply permissions on the Category.)