Setting up restricted access with multiple user-groups - an example
Setting ACL permissions and View Access Levels with multiple groups.This article needs revising. UNDER SPECIAL access
This note is an extension of How to create a private category. It extends that article to cover creating downloads as well as listing categories or downloads. Also it includes User Group Ranking - see Which User-Group is Used? for more details on that aspect.
From the front end the user requirements are:
- being able to download
- creating and editing downloads
We will look at these in turn. As from jD2.5.19 and jD3.2.19 jDownloads cascades Permissions and View Access Levels for NEW categories and downloads. Existing categories and downloads retain their existing permissions so these may need changing manually. That is new categories and downloads take their permissions from their parent category. Top level categories take their permissions for each user group from the defaults set for the Component. These Component Permissions for each User Group are accessible by using the Options button on either the jDownloads Control page or the User Group Settings page.
Setting View Access Levels may be carried out for multiple Categories by sel;ecting the appropriate set of Categories in the back end Categories and using the batch option.
There are two fundamental ways to control which items a user group may download or create.
- One method is to solely rely on selectively setting Permisions to every Category, to every sub-category and so on, and to every Download to either Allowed or Denied for every user group. As well as being a significant amount of work this will also result in users receiving 'you do not have permission' messages. And if a new user group is created then all the categories and permissions also have to be set for that user group.
- A second method is to set up the appropriate Component Access Permissions at the 'principle levels' that is Registered, Author and so on because User Groups take their initial permissions from their parent user group. These Permissions will then apply to every category and every download for all user groups. Note that the default settings for the Component Permissions are generally satisfactory, but the Public group Permissions may need to be set to 'inherited' if Public access to categories and downloads are not to be allowed, conversely if you wish certain categories and downloads to ber publically available you have to set the permissions to for the relervant groups to be Allowed. Final control is set by using the View Access levels to determine which user groups can see what. The advantages of this second scheme is that one is only concerned about specific user groups, creation of other user groups is of no significance, there is no need to change or be concerned after initial setup about the Permissions on categories and downloads, and the 'you do not have permission messages' are avoided. It is also much simpler to advise the 'creators' which Access Level they should set rather than getting them to change a whole host of Permissions for different user groups.
There are of course intermediate schemes
Downloads- Public access
If the downloads are to be available to everyone then clearly it is the Public user-group that would be used. The Access rights for the Public Group would be set to . The Public user-group setting would be used. This is the simplest situation of course.
Repeating from above , as fromjD2.5.19 and jD3.2.19 jDownloads new Categories and Downloads take their permissions from the preceding level. The top level Categories take their permissions from the Component Permissions so a simple way is to set the component permissions appropriately. The Component Permissions are availabe to be changed by using the Options button on the menu bar of the jDownloads Control Panel and the User Group Setting page. So for general public access set the Public permissions to Allow. This will then propagate to the top level categories and so on. Of course one could set the Category permissions directly. Also when creating a Category before changing any permissions always do a Save as it is only after saving that the actual state of the Calculated Permissions will be shown - this is due to the way Joomla works. But existing categories and downloads must be changed individually.
Downloads- restricted access, single membership level
Where the downloads are just available to a membership then the obvious choice is the Registered user-group as people are automatically joined to the Registered Group when the 'user' is created. As above set the component the Registed group Download access needs to be set to 'Allowed'. Also in this situation then the Public Access needs to be turned off, so set the Public as 'Inherited' . The simplest way of doing this is to set the Component Permissions as described above.
On no account set the Public Access to be 'denied' . This is because the Public group is the ultimate root of all the Access rights. If the Public access level is set at 'Denied' then the Registered group calculated Access would be because a Joomla access of 'Deny' at one level propagates to all child levels.
|and others as above|
Downloads- restricted access, multiple membership levels
There may be some downloads that belong to specific interest groups. So a suitable user-group could be called say “sig-downloaders”. This could of course be extended to several special interest groups. The natural place for that group would use the registered group as a parent. So as a start one could assign ranking levels as opposite where there are actually two 'special interest' groups. See also the notes above about Component Permissions. Here the Component Public download permission would be set to Inherited and the Registered permission set to Allowed.
For example Users could be members of the following user groups:
- Registered only where the user-group settings for the Registered group would apply;
- Registered (rank=20) and sig-downloaders (rank=23) where the user-group settings for the sig-downloaders group would apply;
- Registered (rank=20), sig-downloaders (rank=23) and sig2-downloaders (rank=26) where the user-group settings for the sig2-downloaders group would apply.
Actually there are six combinations and in all cases the applicable ranking is the highest one. Of course the user could be a member of other groups as may be needed for other purposes on the web site as these would have a zero ranking. Similarly if any other user-group was created by the Joomla User Manager then that also would have a zero ranking by default.
This is not the end of the story of course as it is also essential to set the Category access and view permissions appropriately. For the purposes of this example three top level categories called 'RegCat', 'SigCat' and 'Sig2Cat' have been setup (see notes above about setting Component Permissions). In a real situation more appropriate names would be used but here, to hopefully add clarity, category names relating to the group name have been used. Each of these categories would of course need Download permissions. This would be set for all three user-groups. Because the View Access will be used to control who can see what it does not matter who has download access permission provided it is available for the those user groups that really will actually be able to download.
|Member of User Group||Views|
The next step is to set up three View Access Levels as below so that each user-group only sees what it should as shown opposite:
When creating sub categories and Downloads then the View Access must be set to the same View Access level as used for the top level category. From jD2.5.15 and jD 3.2.15 jDownloads sets the View Access Level from the parent level unless the user sets the access level.
Provided the Component Access Permissions are set appropriately for a user-group then these will apply to the Categories and Downloads. It is the View Access Levels that do not propagate and currently need to be set for each category and download (but see notes at end of article).
As a final step then menu entries such as List All Downloads and List All Categories should have a View Access of Registered. Non Registered user will then not see the menu item.
Creating New Downloads - restricted access, multiple membership levels
The multiple membership case is clearly the most complex. This will in fact mimic the download multiuser case except rather than use Registered as the base level then user groups with the Publisher level as the parent level is used. Usually the default permisions will then allow Create, Edit, Edit Own and Edit State. That is in this example if a user has the ability to Create a Download it seems eminently reasonable that they should also be able to Edit the download. The scheme is to create the appropriate User Groups as shown below, where for convenience the previous user groups are also shown.
Do not forget to give the three new groups Rankings in jDownloads User Group settings, say 53, 55 and 57 respectively. In the above the 'O' is for optional with a recommendation of not belonging to the user group.
The three existing View Groups need to be extended to include the additional User Groups as shown below, and again the complete set is shown.
So that only users with permissions to create new downloads are shown the Create Download menu item then also create yet another View Group, say ViewUploaders, whose members are reg-uploaders, sig-uploaders and sig2-uploaders.
Colin Mercer July 2014
- User Group Ranking for new user groups is not set to zero. They are set to the parent level + 1 for example 21 if parent was Registered. So avoid using 21, 31, 41 and so on. This is to be changed.
- When creating downloads all the categories are shown in the 'Publication' pulldown, not just those that the user has view access - it is a bug.
- The way in which jDownloads handles 'cascading' of Permissions and View Access Levels is being investigated.