The next major release of the Joomla web content management system will be Joomla v1.6 (news, site). This version has been in the works for some time, and was released as a public alpha version earlier this year.
The most significant changes for this release are the new advanced security and permissions features. These provide system administrators control over who can edit what and access which components, modules and plugins.
Current Joomla! Security Controls are Lacking
One of the most significant shortcomings of Joomla 1.5 is the lack of advanced ACL (Access Control List) functionality. Users can be put into different access level categories. Those categories are not flexible enough, though.
There are currently three different front-end access level groups, and four groups for back-end administrators. These groups control what type of actions the group members may take and what functions they may use.
There is no way of restricting specific content to chosen groups of users or single users. This has been a major shortcoming of Joomla and consequently has been a high priority enhancement for some time.
Joomla 1.6 ACL: A Different Ballgame
Happily, Joomla users can rejoice when Joomla 1.6 is released. It represents a huge step forward for the project. The new version will include a greatly improved internal security system. The system will enable administrators to set up groups and assign content and functionality to those groups.
Ease of Use is Vital
There are many ways of creating such a system. There are several reasons the development time has been long (actually, the work on this functionality was started over four years ago). The most important one is that the development team wanted a system which is dead-simple to use. They have spent a lot of time finding a solution which is intuitive and fun to use — and from what I can see from the preliminary release, they have succeeded doing just that.
As Hannes Papenberg of the development team writes in a blog post on Joomla.org:
As of last night (Oct 2, 2009), we finally have found a solution that provides the maximum of flexibility, is usable by a four year-old and won't have any really measurable impact on the performance.
How does it work?
In Joomla 1.6 you can create new groups and assign users to more than one group. These groups are formed in a tree, which means that if you are a member of the group "Administrator," you automatically inherit access rights from the group "Manager" below you.
When you have created groups, you will want to assign assign access rights to these groups.
Set global permissions
For instance, you could create a group which has the ability to create articles, weblinks, newsfeeds and just about everything that you can create in Joomla. However, you don't want them to be able to publish any of that, so you give them the global "create" permission, but not the "edit state" permission.
Permissions for publishing
You want them to be able to publish articles, though. So, you go into the article manager in the global preferences into the "Permissions" tab. You're presented with the same permissions as in the global permissions screen. You select the "edit state" permission for that group and now this group can create everywhere in the system, but is only allowed to publish articles.
You might also want them to be able to delete articles in one special category. To set this, you edit the category and, again, see the same permissions as in the global permissions screen and the global preferences screen. In this screen we allow them to delete articles.
Don't want users to create modules?
The group you've created is quite powerful now. As you recall, you allowed them to create content in every component. You might not want them to be able to create modules, though. To disallow this, you go into the module manager. Instead of letting the group inherit settings from the global "create" permission, you deny that group the permission in this component. So, not only can you set allow permissions from global down to single content items, you can also set them both to "allow" or "deny."