In the previous chapter, we explored Joomla Menus, and understood how to create menu items, defining the navigation mechanisms for our website.
We’ll now dig into users and their permissions management feature.
After reading this chapter, you will understand the following:
Joomla integrates many functionalities related to users, as you will discover throughout this chapter. Let’s start with Users Dashboard.
The first contact of the website administrator with Joomla’s features related to user management is represented by Users Dashboard, displayed in Figure 6.1.
Figure 6.1 – Users Dashboard
Users Dashboard shows three modules with links to user-related functionalities:
We will explore each of the features linked by the three modules in the following sections of this chapter.
The dashboard also includes the Logged-in Users module, which shows a list of the latest accesses to the website, reporting the name of the user, the location (Site or Administration), and the date and time of the access.
As with all the other Joomla dashboards, Users Dashboard can also be completely customized by adding or removing modules.
Let’s now present the user account features.
Joomla integrates all the needed features to create and manage user accounts out of the box. Accounts allow users to log into the website, perform operations, and access content and pages for which they have the appropriate permissions. Accounts can be created either in the backend of the website by an administrator or in the frontend of the website by the user directly through a self-registration form.
Administrators can choose whether to allow self-registration to the website or not through the options available in the Users component’s options.
Users on the website may have different permissions and roles. In fact, each user belongs to one or more User Groups and, through the group, receives specific permissions. We’ll explore User Groups in depth in a later section.
Let’s now see how to create a user account from the website backend.
Starting from Users Dashboard, displayed in Figure 6.1, click on the + sign, next to Manage in the Users module. The account creation screen is then displayed, as per Figure 6.2.
Figure 6.2 – New user screen
Let’s analyze the fields proposed in the Account Details tab:
Password requirements
In Figure 6.2, there is a visible meter under the Password field that indicates the complexity level of the selected password. This evaluation is made against the password requirements specified in the Options section of the Users component. There, you can specify a series of parameters for your website passwords, including the minimum password length, the minimum quantity of symbols, and the use of lowercase and uppercase characters as well as numbers. Through these options, you can increase the security of the users of your website, forcing them to choose more robust passwords. In Password Options, you can also specify the maximum number of password reset attempts and how long in hours must lapse before the count of reset password attempts is restored.
Let’s move to the Assigned User Groups tab, displayed in Figure 6.3.
Figure 6.3 – New user: Assigned User Groups
On this screen, you can assign the user account to one or more User Groups. By default, all user accounts belong to the Registered user group. In Figure 6.3, you can see the list of predefined User Groups, available in all Joomla installations. You may create, edit, and delete user groups at your convenience. In the next section, we will explore User Groups and their importance in assigning permissions on the website.
Let’s move on to the Basic Settings tab, displayed in Figure 6.4.
Figure 6.4 – New user: Basic Settings
The controls in this tab allow you to customize the experience of the user, selecting the template style for the backend, the language for either the frontend or backend, the editor to use, and the time zone of the users. Through these options, you can offer an experience tailored to the user, showing the website in a specific language, or allowing the user to input their content using an editor different from the one set as the default for the website. You can also offer the user the ability to apply these options through the profile page on the website frontend.
Let’s move on to the Accessibility Settings tab, displayed in Figure 6.5.
Figure 6.5 – New user: Accessibility Settings
The controls offered by this tab allow you to customize the experience of the user in terms of accessibility, enabling the high contrast or monochromatic version of the website, highlighting links, or increasing the font size, where these options are supported by the backend or frontend template in use. These options are available for each user and can be set by the user through their profile page.
Let’s now move on to the last tab, Joomla API Token, displayed in Figure 6.6.
Figure 6.6 – New user: Joomla API Token
This screen shows the unique token that allows you to use the web services offered by the Joomla API, as a specific user. For example, you can authenticate to the website and execute operations through a command line or a script, without the need to type the user credentials, by simply using the token.
On the screen, you can also choose whether the token should be active or not and whether you want to regenerate the token at the next user save.
Once you have completed the mandatory fields in the tabs we explored, just click on Save & Close to create the user account. Based on the options selected, the user may receive a notification via email to inform them about the account’s creation, with login instructions included.
Based on the user role or the functionalities enabled on your website, the user creation and edit screen may show additional tabs, such as the User Action Log tab (only visible to super users) or the WebAuthn login and Multi-factor authentication tabs, which are displayed only when the respective plugins are enabled.
From the list of users, accessible through the Manage link on Users Dashboard, you can edit the user accounts of the website. To edit an account, just click on the name of the user. You can see all the fields and tabs that we’ve explored during the creation of a new account.
Being able to create and edit user accounts, we’ll now discover User Groups and understand their purpose.
In Joomla, User Groups are used to grant permissions to resources, that is, content, menu items, and extensions, in both the frontend and backend. Each user of the website must be assigned to one or more User Groups, as we saw while creating or editing a user account.
Groups are heavily connected to access levels; in fact, each access level should be assigned to one or more groups, granting users of the selected group the permissions defined at that access level. We’ll explore access levels in depth in the next section.
Let’s now review the User Groups available by default in Joomla, as displayed in Figure 6.7.
Figure 6.7 – User Groups
To access the User Groups page, from the sidebar menu click on Users then on Groups. You’ll then see the list of all the groups created on the website, the number of enabled users in each group, the number of blocked users in each group, and a link to check the permissions that users of each group have on the website.
Groups can also be nested, one under another. In this way, the subgroup inherits permissions from its parent, allowing you to customize only the needed permissions, without re-defining the whole permissions set.
As we can observe in Figure 6.7, the root group is called Public, and it represents the base for the permissions for the whole website. All the other groups inherit the basic permissions from Public.
You can create and nest user groups at your convenience. To create a user group, click on the New button. You will be taken to the screen visible in Figure 6.8.
Figure 6.8 – New user group screen
The creation of a new user group is a very simple process that provides only the following two fields:
As you can see, groups are basic entities, without many options. We’ll now dig into access levels, which allow us to grant permissions to users through user groups.
Access levels are very important in Joomla, since they allow us to assign permissions to user groups, and to users. Some access levels are already provided by default in a standard installation, but you can create as many access levels as you need.
Each access level can be assigned to one or more user groups. Let’s explore the standard access levels, displayed in Figure 6.9.
Figure 6.9 – Access Levels
To view the access levels of your website, just click on Access Levels in the Users sidebar menu. As you can see, Joomla comes with five built-in access levels: Public, Guest, Registered, Special, and Super Users. For each of the access levels, we can find the list of user groups assigned to them. In the next section, we’ll see how to create a new access level.
To create a new access level, just click on the New button shown in the toolbar. The access level creation screen will look like Figure 6.10.
Figure 6.10 – New access level: Level Details
In the first tab, Level Details, we can only specify the name of the access level, using the Level Title field. The second tab, User Groups With Viewing Access, allows you to choose which user groups should receive this access level, as shown in Figure 6.11.
Figure 6.11 – New access level: User Groups With Viewing Access
Creating several access levels will allow us to have a higher granularity in managing permissions on the website. For example, if we are building the website for a school, it would be common to have at least three additional access levels: Teachers, Students, and School Personnel. In this way, we can grant those groups access to the relevant sections of the website or reserved areas, differentiated by role.
In the next section, we’ll see how to manage permissions using access levels.
In this chapter, we’ve introduced two basic entities that are crucial in the Joomla permission management system: User Groups and Access Levels. Specifically, through access levels, we can manage permissions and privileges for almost all the entities in the CMS, contents, modules, components, and menu items, either in the backend or the frontend of the website. You can, in fact, create custom permissions sets for each of the sides of the application: limiting features of the backend, allowing only certain parts of the backend to be used, or creating a specific access level for the frontend that allows users with this level to access only a specific set of pages. The Joomla Access Control List (ACL) is a very powerful feature.
Let’s start to understand the permission management functionalities by accessing the Settings link from System Dashboard.
The page shown will be the Permissions tab of Global Configuration, as displayed in Figure 6.12.
Figure 6.12 – Global Configuration: Permissions
In the tab, we can see the list of User Groups on the left and the list of actions on the right side. For each action, you can select a setting through the dropdown. The system will show the result of the permission applied based on the permissions inherited and set there, in the Calculated Setting column. For each action you can set one of the three following values: Not Set, Allowed, or Denied. In Figure 6.12, we can observe that the permissions shown are intended for the Public user group.
Let’s now explore the available permission types that can be assigned globally to an access level:
The Public access level has the Not Allowed (Default) permission on all of the actions reported in the preceding list since it’s meant to be the group where website visitors belong and they shouldn’t have any specific permissions.
Other access levels have specific permissions; for example, we can see a preview of the permissions for the Manager access level in Figure 6.13.
Figure 6.13 – Global Configuration: Permissions | Manager
We can observe that the Not Set option – seen in Figure 6.12 – has been replaced by Inherited. This means that permissions are inherited from the parent user groups. That’s why it can be useful to nest user groups in a meaningful way.
Beyond Global Configuration, permissions can be set on a per-component basis and even on a per-item basis. Let’s see how.
As we mentioned earlier in this section, almost every item in Joomla allows you to define specific permissions for each access level. In this way, you can have full control of privileges on your website.
The permissions management screen for each component can be accessed from System | User Permissions | Settings, by selecting the desired component in the list shown on the left side, as we saw earlier in Figure 6.12.
Let’s explore the permissions manageable for the Articles component, displayed in Figure 6.14.
Figure 6.14 – Global Configuration – Articles: Permissions
Actions shown for each component may vary, extending the granularity of the permissions from the standard set of permissions set in Global Configuration. Again, the Calculated Setting column will ensure you reach the desired permissions result, showing eventual conflicts between global and specific permissions set in the components.
For example, in Figure 6.14, we can see that there are some additional permissions for the Articles component. Let’s check them out:
The number and type of actions may vary based on the component. Some of the actions, such as Access Administration Interface and Configure ACL & Options, are available for all the components.
Scenario – custom backend permissions
Through the appropriate permissions, you can restrict access to functionalities to specific backend users. For example, for a magazine website, you can create an access level for authors, allowing them to access only the Articles component, granting them only Create and Edit Own permissions, and allowing them to submit new articles or edit their articles. Another backend access level could be useful for editors, allowing them to execute transitions of the workflow, edit items, and change the state of items so that they can review, approve, and publish articles. With an ACL, you can fully apply the principle of minimum privilege.
But permissions can also be managed on a per-item basis. Let’s now see how.
Almost every item in Joomla allows you to specify the permissions based on the access level. This is specifically useful when you want to restrict permissions of specific articles, categories, or modules.
On an article edit screen, you can see the Permissions tab, in which you are allowed to define who can delete, edit, or edit the state for the specific article, as shown in Figure 6.15.
Figure 6.15 – Single article permissions
The same pattern applies to modules; in fact, for each module you can specify who can perform a specific action through the Permissions tab, as shown in Figure 6.16.
Figure 6.16 – Module permissions
Joomla also allows you to specify who should see specific content, such as an article, a category, a menu item, or even a module. In the next section, we’ll see how to restrict access to content to specific users.
For each item in Joomla, from articles to categories, from modules to menu items, you can specify who should be able to access the item. This is pursued through the Access field, visible in the item creation/editing screen, as displayed in Figure 6.17.
Figure 6.17 – Article edit screen: Access
Through the Access field, you can choose from the dropdown the user group who should be able to access the item. If you have nested User Groups and you select a group that is parent to other user groups, all the user groups nested under the selected group will be granted access to the item.
This access setting is available on both sides of the application, allowing you to customize access permissions for each item for both the frontend and the backend of the site.
Scenario – custom backend dashboard
You can build a customized dashboard in the backend of the website, hiding some modules and menus and adding other modules to simplify their operations. To do so, just create a user group for those users and assign it to the modules that are meant to be shown to them only. Hide modules that should not be visible to them by selecting a higher user group, such as super users. In this way, you can completely customize the backend experience of your coworkers.
With this section, we completed the part related to permissions and ACLs. We’ll now move on to custom fields related to users.
In Chapter 3, Advanced Content Management, we discovered custom fields, focusing on their usage as enrichment for articles. But Joomla also allows you to add custom fields to users, allowing you to enrich data about your users.
For example, you can use custom fields tied to users to collect data such as a short biography, birth date, province, city, phone number, email, and much more.
Custom Fields are organized in Custom Field Groups, which are used to display fields in an ordered way.
Custom Fields will be displayed in the user creation and editing form in the backend, while they are shown on the profile page and registration page on the website frontend.
To create and manage custom fields related to users, from Users Dashboard click on Fields in the module called User Fields. The procedure to create a custom field is identical to the one already presented in Chapter 3, Advanced Content Management.
We’re now going to explore another feature that is useful for administrators, User Notes.
Joomla allows administrators to add internal notes to users. Notes are organized through Note Categories, so you can create different categories to manage your notes, for example, billing, behavior, and so on. You can then create a note, assigning it to the respective category and adding it to the user, noting for example bad behavior on the part of the user, a missing payment, and so on.
Notes are not visible to the users, and they are only displayed to the website administrators.
To create a user note, from the sidebar menu, click on Users, then on User Notes, and on New, as shown in Figure 6.18.
Figure 6.18 – New user note
The user note creation screen includes the following fields:
You can add any number of notes you want to any of your users, as well as create all the categories you need to organize your notes. These can be useful while managing your website to remind you of specific things, such as misbehavior, late payments, and much more.
After user notes, we will explore Mass Mail Users, which allows administrators to contact website users in an easy way.
Mass Mail Users is a feature that allows administrators to write an email to users of the website easily and quickly. To access the functionality, click on Users in the sidebar menu, then on Mass Mail Users.
You will be prompted by a screen like the following figure, Figure 6.19:
Figure 6.19 – Mass Mail Users
As you can see, using this feature is very easy. You just have to type the subject and the message in the related box and select the desired options:
Once the message is ready for delivery, click on Send Email to send it. Please note that there is no track of sent messages, nor information about the delivery status of your messages.
Note – when you should avoid using Mass Mail Users
As mentioned at the end of the section, Mass Mail Users does not track sent email messages, nor the delivery status of the messages. Furthermore, this feature creates a single message with all the selected users as recipients. This might not work in certain hosting environments due to some limits on the number of recipients for a message or the daily email send rate, especially when you have many users selected as the recipient. If you want to send mass communications, schedule the sending process, collect information about the delivery status, and track the openings, then you should use a newsletter component.
Having seen the Mass Mail Users feature, it’s time to discover the privacy-related functionalities.
Since version 3.9, Joomla includes a series of features dedicated to privacy, simplifying the process to comply with privacy regulations through a set of functionalities called the Privacy Tools Suite.
This suite of tools has been designed in line with GDPR requirements and includes the following:
All those features are accessible from Privacy Dashboard, which you can open from the sidebar menu by clicking on Users, then clicking on the dashboard icon next to the Privacy menu item. Let’s start exploring Privacy Dashboard.
Privacy Dashboard, as displayed in Figure 6.20, shows two main modules and allows you to check at a glance the status of privacy requests and needed actions:
Figure 6.20 – Privacy Dashboard
The first module, Privacy Requests, shows the list of outstanding information or deletion requests coming from your website users. We’ll see in the next section what a privacy request is and how to submit one.
The second module, Privacy Status, shows the status of some checks, including the following:
As with all the other dashboards of the backend, you can customize this dashboard with additional modules. Let’s see how to set a privacy policy for your website.
In order to allow the website to collect consent from your users, you need to make them aware of the privacy policy. Joomla can manage two types of privacy policies: an article or a menu item (for example, if you have a specific URL for the policy).
To set your privacy policy, after having created the article or the menu item, open the plugin called System - Privacy Consent, which will look like Figure 6.21.
Figure 6.21 – System – Privacy Consent plugin
Let’s explore the options offered by the plugin, starting from the Plugin tab:
Let’s now move to the Expiration tab, shown in Figure 6.22
.
Figure 6.22 – System – Privacy Consent: Expiration
Through this tab, you can choose to enable the expiration of consent to your privacy policy and set the following options:
After configuring the plugin as desired, it’s important to enable it and change Status to Published, then click on Save & Close.
Let’s now move to privacy requests.
A privacy request is a request from a user to either inform them about the data the website holds about them (information request) or delete their data from the website (deletion request). Those requests are part of the rights to data subjects offered by the GDPR and other privacy regulations.
When processing an information request, the system will produce an XML file containing the data that the website holds about the user (for example, name, email address, and preferences). The contents of the file might not include all the data that the website holds about the user, since not all extensions implement the Privacy API. The data included may differ based on the extensions used on your website.
This type of request is also called an export request, as it allows you to comply with the right to data portability provided by privacy regulations.
While processing a deletion request, the system will pseudonymize all the information related to the user. In fact, it’s not a complete removal of data, since that could create issues related to the operations of the website (for example, in the case of e-commerce or when deleting data about an author, which might result in having orphan articles).
The first step to collecting privacy requests is to create a menu item on your website pointing to Privacy | Create Request. This would result in a page accessible to your users on which they can submit a privacy request, selecting from export and data removal types.
Also, it is important to note that privacy requests cannot be deleted from your website.
When a user submits a privacy request, they will be required to confirm it, validating their email address, through a link included in a confirmation email.
You can also create a privacy request from the backend of the website, but also, in this case, users should confirm it via the confirmation link. This is required to ensure the security of data.
Once a request has been opened, but not yet confirmed, it will show as Pending and can be invalidated by an administrator, as you can see in Figure 6.23.
Figure 6.23 – An export request pending confirmation
For each request, we can see the email, the status, the type of request, and the date of the request. Also, on the right side of the screen, we have complete tracking of the activity executed on the request.
Each request can have one of the following statuses:
By default, only super users are allowed to see and process privacy requests.
Let’s now explore the last feature introduced with the Privacy Tools Suite: User Action Log.
Even if it’s not strictly related to privacy, the User Action Log feature has been introduced together with the other privacy functionalities as it’s propaedeutic for the work of other mechanisms and tools. In fact, we’ve seen that a log of actions executed is kept in each privacy request.
As the feature name suggests, User Action Log represents a registry of the actions taken by users. In the options of the component, you can choose which type of actions you want to record. By default, the operations executed in the following components are logged: articles, banners, cache, categories, check-in, configuration, contacts, installer, media, menus, messaging, modules, news feeds, plugins, redirects, scheduled tasks, tags, templates, and users.
So, every operation, such as creating an article, editing a menu item, or logging into the website, is logged, with the user involved and the date and time of the operations. These logs are useful for administrators to find out who did an operation and when.
The component allows you to export logs as CSV and execute search/filtering in logs.
User Action Log is accessible from the respective menu item available under the Users menu in the sidebar.
With User Action Log, we completed our look at the features dedicated to users.
In this chapter, we explored the functionalities to create and manage users and user groups and grant them appropriate permissions through access levels. We went through the privacy-related features, discovering privacy requests, privacy consent, and the user action log.
In the next chapter, we’ll explore the SEO-oriented features offered by the CMS.
It’s time to apply the knowledge acquired in this chapter to work with users and permissions.
Create a user group called MyGroup. The group should be nested under the Registered user group. Change the menu item called MyArticle (created in the exercise of Chapter 5, Build Your Site Structure: The Menu System), to grant access to users in the MyGroup group.
Then create a new user on your website from the backend and add the user to the MyGroup user group.
Create an article called Privacy Policy and write your policy text. Then, open the System – Privacy Consent plugin and set the article created as a privacy policy for the website. Once done, enable the consent expiration with the default values and enable the plugin.
Create a new menu item, selecting the Privacy | Create Request type, with the name Privacy Request, setting Access as Registered, and saving it.
In this way, you created a privacy policy for your website, ensured that your website collects the consent to your policy, and made available a form to receive privacy requests from your users. The menu item will be visible only to registered users.