Joomla Open Source Web Content Management System (CMS)
The next major release of the Joomla web content management system will be Joomla v1.6 (news, site). This version has been in the works for some time, and was released as a public alpha version earlier this year.

The most significant changes for this release are the new advanced security and permissions features. These provide system administrators control over who can edit what and access which components, modules and plugins.

Current Joomla! Security Controls are Lacking

One of the most significant shortcomings of Joomla 1.5 is the lack of advanced ACL (Access Control List) functionality. Users can be put into different access level categories. Those categories are not flexible enough, though.

There are currently three different front-end access level groups, and four groups for back-end administrators. These groups control what type of actions the group members may take and what functions they may use.

There is no way of restricting specific content to chosen groups of users or single users. This has been a major shortcoming of Joomla and consequently has been a high priority enhancement for some time.

Joomla 1.6 ACL: A Different Ballgame

Happily, Joomla users can rejoice when Joomla 1.6 is released. It represents a huge step forward for the project. The new version will include a greatly improved internal security system. The system will enable administrators to set up groups and assign content and functionality to those groups.

[Note: The 2009 Open Source CMS Market Share report looks at 20 of the most popular open source CMS products. Download your copy for free.]

Ease of Use is Vital

There are many ways of creating such a system. There are several reasons the development time has been long (actually, the work on this functionality was started over four years ago). The most important one is that the development team wanted a system which is dead-simple to use. They have spent a lot of time finding a solution which is intuitive and fun to use -- and from what I can see from the preliminary release, they have succeeded doing just that.

As Hannes Papenberg of the development team writes in a blog post on Joomla.org:

As of last night (Oct 2, 2009), we finally have found a solution that provides the maximum of flexibility, is usable by a four year-old and won't have any really measurable impact on the performance.

How does it work?

In Joomla 1.6 you can create new groups and assign users to more than one group. These groups are formed in a tree, which means that if you are a member of the group "Administrator," you automatically inherit access rights from the group "Manager" below you.

When you have created groups, you will want to assign assign access rights to these groups.

Set global permissions

For instance, you could create a group which has the ability to create articles, weblinks, newsfeeds and just about everything that you can create in Joomla. However, you don't want them to be able to publish any of that, so you give them the global "create" permission, but not the "edit state" permission.

Permissions for publishing

You want them to be able to publish articles, though. So, you go into the article manager in the global preferences into the "Permissions" tab. You're presented with the same permissions as in the global permissions screen. You select the "edit state" permission for that group and now this group can create everywhere in the system, but is only allowed to publish articles.

Delete articles?

You might also want them to be able to delete articles in one special category. To set this, you edit the category and, again, see the same permissions as in the global permissions screen and the global preferences screen. In this screen we allow them to delete articles.

Don't want users to create modules?

The group you've created is quite powerful now. As you recall, you allowed them to create content in every component. You might not want them to be able to create modules, though. To disallow this, you go into the module manager. Instead of letting the group inherit settings from the global "create" permission, you deny that group the permission in this component. So, not only can you set allow permissions from global down to single content items, you can also set them both to "allow" or "deny."

Third-party Support for Joomla Core ACL

Another important aspect of the new ACL system is to facilitate third-party support. There are thousands of Joomla extensions available and many of them will benefit from the improved ACL functions.

Thus, it is crucial that the inclusion of the system is easy to do for third-party developers. This benefits the developer and the user. There will be documentation readily available on how to include the ACL system into third-party components and the process is said to be extremely straightforward.

Joomla! 1.6 Release Plan

This is taken from the latest statement from the Joomla 1.6 development team:

We've added the ACL, nested categories work, a new Article Manager is written, new core libraries like JForm have been added, and we're working on fresh new templates for both the front-end and the back-end. We're also working on a way to make upgrading from Joomla 1.5 as painless as possible. So, in order to get a round of solid feedback from the community, we're looking to release a second Alpha very soon and follow up with a quick Beta after that.

As you can see, Joomla 1.6, though long in the arrival, will deliver a number of important enhancements, which I personally feel significantly improve this already powerful CMS.