By Ian Shere on Thursday, 27 June 2019
Posted in General Issues
I have Joomla and EB set up pretty out-of-the-box in regard to ACL. I actually know very little about setting it up in any custom fashion, though I understand how it works, at least at a basic level.

I have a blog set up at https://norcalpulse.com/humboldt/blog which is allowing Registered users to log in and post new blog posts - this surely cannot be correct.

I made a new user group called "Bloggers" under "Registered", which is what I want to use as my guest blogger group and give them only access to the blog as far as creation and editing. Because that group is a child of Registered, they immediately get rights to create even though ACL shows every option as Not Allowed.

I cannot figure out why this is acting this way and am now concerned every blog I've set up will be allowing registered users access. As I mentioned, I normally don't touch ACL at all so this appears to be the default setup which is bad.
Hi Ian,
"they immediately get rights to create even though ACL show every option as Not Allowed."
From what I checked on your 'Blogger' user group ACL, currently they do have every ACL option enabled.

You have to configure the ACL whenever you add new Joomla user groups to the site, as the permissions will all be enabled by default.

The child user group permission will be prioritized, meaning if the parent group is 'disabled', and child group is 'enabled', the end result is 'enabled'.
Thursday, 27 June 2019 12:43
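The resolution rule described in the reply above, modelled as an added example (not EasyBlog's code and not part of the thread); the group tree, rule names and storage layout are constructed assumptions. It audits every group at or below Registered for enabled write rules and shows that disabling rules on Registered alone leaves an unconfigured child group enabled.

```python
# Constructed model of the behaviour described in the reply above; the group
# tree, rule names and storage layout are assumptions, not EasyBlog's schema.
PARENT = {"Public": None, "Registered": "Public", "Author": "Registered",
          "Bloggers": "Registered", "Manager": "Public"}
WRITE_RULES = ("add_entry", "publish_entry", "delete_entry")  # hypothetical names

def effective(acl, group, rule):
    """A group's own setting wins; an unconfigured group defaults to enabled."""
    own = acl.get(group, {})
    if rule in own:
        return own[rule], "explicit"
    return True, "default"

def descendants(root):
    """Yield root and every group below it in the tree."""
    yield root
    for group, parent in PARENT.items():
        if parent == root:
            yield from descendants(group)

def audit(acl, root="Registered", trusted=()):
    """List (group, rule, origin) for write rules enabled at or below root."""
    findings = []
    for group in descendants(root):
        if group in trusted:
            continue
        for rule in WRITE_RULES:
            allowed, origin = effective(acl, group, rule)
            if allowed:
                findings.append((group, rule, origin))
    return findings

def lock_down(acl, group):
    """Return a copy of acl with every write rule explicitly disabled for group."""
    fixed = {g: dict(rules) for g, rules in acl.items()}
    fixed.setdefault(group, {}).update({r: False for r in WRITE_RULES})
    return fixed

if __name__ == "__main__":
    # Constructed state: Registered locked down, Bloggers never configured.
    acl = lock_down({"Author": {r: True for r in WRITE_RULES}}, "Registered")
    for finding in audit(acl, trusted=("Author",)):
        print("REVIEW:", *finding)
```

Findings with origin "default" are the ones nobody ever decided on, which is the case this thread is about.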
Sorry I don't follow at all. Where are you seeing every ACL option enabled? The Advanced Permissions Report under Users? That shows that login is allowed but no editing or creation is allowed for every item.

Under EB ACL it only shows Manage Tags as allowed.

And why is a Registered user able to do any editing? This seems insane as Registered users are regular run-of-the-mill sign ups. They should have no privileges other than login access.
Friday, 28 June 2019 03:40
Hey Ian,
"Where are you seeing every ACL option enabled?"
I have provided the screenshot in my previous reply. EasyBlog's ACL under the Blogger usergroup.
"Under EB ACL it only shows Manage Tags as allowed."
I believe you are looking at Joomla's ACL section (https://take.ms/foK3MV). The ACL in that section actually controls which part of the backend the usergroup is allowed to access.

Just to be sure I'm on the referred site, the screenshots I provided are taken from the EasyBlog backend of the site https://norcalpulse.com/humboldt.
Friday, 28 June 2019 11:00
Ahhh thank you. Apologies, I failed to look at the image - thank you for posting that. Now it makes sense. You're correct, I WAS looking at Joomla's ACL overview.

So that begs the question: Why does EB allow a Registered user, by default, to have all that access? Registered users are like people who subscribe to a blog post and register themselves as a Joomla user. This should NEVER give them the sort of access it does by default. By default they should only have similar access as Public does, unless the site owner has defined "Log in to read" or "Login to comment", etc.

I have EB on a number of sites and I'm very concerned this sort of carte blanche access is available to blog subscribers.
Saturday, 29 June 2019 00:06
Hey Ian,

When a new user group is created on the site, there is no way to detect what kind of user group is created (registered, super user, administrator, editor etc).

As such, it is entirely up to the site admin to configure the ACL of the new user group accordingly.
Monday, 01 July 2019 12:15
Yep I understand that. However, you could have EB install with ALL permissions for Registered set to off. That doesn't need you to figure out what group a new registrant belongs to, it only requires you to set up EB so it installs by default denying any edit/create abilities to the standard Joomla group "Registered".
Tuesday, 02 July 2019 00:53
Hey Ian,

I will log this in our tracker so we can set all ACL to disabled by default when any new usergroups are created on the site.
Tuesday, 02 July 2019 13:23