Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#1930] - Support for ACL permissions per module in com_modules

? Success

User tests: Successful: Unsuccessful:

avatar sanderpotjer
sanderpotjer
7 Sep 2013

This pull request allows to set permissions per module in the Joomla Module Manager. So besides configuring the com_modules general permissions you can configure the permissions per module.

You can use this for example to:

  • allow access to com_modules, but only editing a selection of modules
  • allow access to com_modules and edit all modules expect one (or more)
  • disable state changes for certain modules
  • etc..

Notes

This patch doesn't include the SQL changes for all sample data sets yet. I am working on that but would suggest to review the code meanwhile.

JoomlaCode Tracker Item

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=28638

Testers welcome!

Testers are much welcome, let me know if you have any questions / feedback. Thanks in advance!

Test Instructions

For those interested in testing (thank you!) I have created testing instructions. If you have a fresh Joomla installation with the ACL permissions per module patch applied I would suggest the following steps:

  1. Go to the User Manager and create a new test user that is assigned to the "Manager" group
  2. Start a different browser and login with your test user (by using a different browser for your test users the sessions with your own account are not mixed-up)
  3. Notice that your test user can't browse the Module Manager in the Menu.
  4. Go to the Module Manager with your admin account, open the Options and set the "Access Administration Interface" permission for the "Manager" group to "Allowed".
  5. Check that your test user is now able to browse to the Module Manager.
  6. Confirm that your test user is now able to edit and save the listed modules.
  7. Open one of the modules with your admin account, and set all actions for the "Manager" group to "Denied".
  8. Confirm that your test user is no longer able to edit the module you just changed the permissions for.
  9. Open another module with your admin account, and set only the "Edit State" action for the "Manager" group to "Denied".
  10. Confirm that your test user is no longer able to changing the state of this module (publish/unpublish), but still able to change the title for example.
  11. Open another module with your admin account, and set only the "Edit" action for the "Manager" group to "Denied".
  12. Confirm that your test user is no longer able to edit the module but able to publish/unpublish the module.

Above are several examples listed of tests you can perform on this new feature. Please go ahead and try other permission setting combinations as well. Like: not allowing the create action in the Module Manager settings, and only the actions for a couple modules instead.

Thanks, Sander

avatar sanderpotjer sanderpotjer - open - 7 Sep 2013
avatar sanderpotjer
sanderpotjer - comment - 17 Sep 2013

For those interested in testing (thank you!) I have added testing instructions to the description.

avatar sanderpotjer
sanderpotjer - comment - 18 Sep 2013

Based on the feedback of the testers in the tracker item (http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=28638) I have updated the pull request.

Code improvements:

The module dropdown now respects the Module ACL settings as well. While this is not in line with the behaviour of the article manager I agree that it is better if the dropdown respects the ACL settings. So in the updated pull request the dropdown is only visible if a user is allowed to edit or edit state the module, and the items shown in the dropdown are also based on the allowed actions.

Please have a look at this and let me know if you like this better. If you think it is better I will make a pull request for the Article Manager as well.

Changes: sanderpotjer@9c52ef5

General Feedback:

One of the other comments made a couple times is that it confusing that the "Save as new" button is visible when edit is not allowed. This is actually correct behaviour. To prevent that and hide that button you need to deny the "Create" action for the Module Manager permissions (step 4 in the testing instructions).

To discuss:

As Brian mentioned when you edit a module while you are denied for the "edit state" action you can click on the Published/Ubpublished/Trashed buttons, but the changes are not saved (which is good). Better would be if the user can't click those buttons at all. At the moment there is no support for a "disabled" state for this type of buttons. In the article manager a dropdown is used which will be disabled when you can't change the state.

I think there are two options to solve this:
1) Use the article way of presenting the Published/Ubpublished/Trashed state, so a dropdown which can be disabled when you can't change the state.
2) Simply hide the Status buttons at all if you are not allowed to change the state.

You're opinions on this are much welcome. Thanks!

avatar sanderpotjer
sanderpotjer - comment - 11 Oct 2013

I have synced the pull request with the latest master.

Due to UX changes the module dropdown doesn't respect ACL at the moment, but is in line with the article manager. I will create a separate pull request to make sure the dropdown respects the ACL permissions for the article manager, module manager, etc...

avatar mbabker mbabker - close - 22 Oct 2013
avatar garyamort garyamort - reference | - 2 Dec 13

Add a Comment

Login with GitHub to post a comment