For security reasons, it is important to control who has access to various areas in the backend of our News website. Initially, one person might take on the responsibility of creating a Community News website. However, as the Community News website grows, your News website team should eventually include several members. These include an Editor in charge of all content, Reporters who submit content to the Editor, a Newsletter Coordinator who runs the Email Newsletters, an Events Coordinator who handles community events, and a Tech Coordinator who handles editing and updating the website. In addition, you may have two groups of readers. These might include featured authors who submit articles and readers who register so they can submit comments on articles and editorials on issues.
The purpose of creating a custom access control system is to allow different members of our network to access different parts of our website. To see how Joomla User Groups can be set up to manage a news team, we will create a Demo Community News team.
#1 Define our Demo Community News Team Members
A typical community news team consists of at least three groups:
Only a small group of people should have access to the back end of the website – and even then, they should only have access to the specific tools in the back end that they need to administer the website. We will cover these administration tools, such as the newsletter and events components, in a later chapter. These administrators will be added directly as Joomla administrators using the Joomla Administrator Control Panel User Manager.
The remaining two groups are normal members and special members. Normal members merely need to register in order to post comments, submit editorials, submit events and receive Newsletters.
Special Members register with the same Member Registration form as Normal Members. However, they are given access to a Special Members menu which allows them to submit and edit their own articles. Both Special and Normal Members access their group functions by logging into the front end of the website. But they see different menu items when they log into the front end of the website. Neither Special Members nor Normal Members ever need to log into the back end of the website. They therefore do not need to be using a Linux computer.
Administrators added via the Joomla Back End User Manager
Those with access to the back end of the website should get training in website security. In particular, they should only use a Linux computer to log into the back end of the website and never use a Windows or Apple computer – as using these insecure computers might allow hackers to access the back end of our website. It is also best to have more than one person able to perform the same task in the back end – in case a task needs to be done right away. This is why each of the following positions should be regarded as the leader of a team rather than the sole person responsible for carrying out the needed tasks.
Our Demo Community News Team will be led by five members. These are an Editor and a Tech Coordinator – both of whom will have access to the entire backend of the website. The Events Coordinator, Newsletter Coordinator and Reporters will each have limited access to just a few areas of the backend of our website.
Here is a brief summary of the roles of these five positions and the areas of the website each position needs access to.
Managing Editor… The Managing Editor will not only oversee all articles and editors but also manage all Banner Ad funds and Community Event Banner ads as well as making payments to any reporters or Tech team members. They also manage the community news bank account and submit taxes and other forms as needed.
Events Coordinator… The Events Coordinator is the contact person for all community events. This person will post all events on the website community events calendar and provide a list of all coming events to the Newsletter Coordinator. The Events Coordinator will need access to the Events section of our News website.
Newsletter Coordinator… The Newsletter Coordinator will write and email newsletters about new articles and coming events. The Newsletter Coordinator will also update the list of subscribers and need access to the Newsletter section of our News website.
Tech Coordinator… The Tech Coordinator will be responsible for building and running the community news website. This will include the Membership Registration System, the Newsletter system and the Events Calendar system. The Tech Team Coordinator will also lead the Tech Team which will train group members on how to run various sections of the community network website. The Tech Coordinator will need access to all areas of the website.
Reporter(s)… Each reporter can submit and edit articles on the backend of the website. Reporters might be allowed to approve posting of articles submitted by featured authors. Eventually, there may be different reporters for different topics such as a Sports Reporter, a Schools Reporter and a Business Reporter.
#2 Create a Table of Our Demo Network Members
This table provides a summary of all members including the 5 administrator members, 2 Featured Authors and 2 General Members. To register on our website, each of these people will need a Name, a Username, a Password and an Email Address.
While we could use dummy email addresses such as Chair1 at example dot com, it is better to use actual email addresses, all associated with our community network domain name so we can see how the actual process works. In a moment, we will explain how to create Demo Domain Related Email addresses. For now, we will use the example
#3 Create Demo Domain Related Email addresses
Before we create these accounts in our News website database, we need to first set up their domain related email addresses. To do this, log into your Hestia Admin panel and go to the Community News website User panel. Then click Mail.
Community News dot us currently has one email address account. Click on the plus sign to create another one:
In the Account box, type editor. Then add a password you will remember. Note: Hestia passwords must have at least 8 characters and at least 1 upper and lower case letter, at least 1 digit and at least 1 non-alphanumeric character such as *. Create your own passwords. These passwords should be changed by the actual user.
Click Advanced Options. In the Forward To box, type in your normal email address so that all mail sent to this user is forwarded to you. Then click Save, Back and Back again. Then click Add Mail Account. Repeat this process until all 9 email accounts are created.
Then in the upper right corner, click on the arrow to go back to the admin panel. Then click on it again to log out.
#4 Use the Joomla Control Panel User screen to create new Joomla User accounts for our 5 Demo board members.
Log into your Joomla control panel and click Users, Manage. Then click Options in the upper right corner. Then click Password Options and reduce the Minimum Password Length from 12 to 8. Then click Save and Close. Then click New.
Type in the Name, Username, Password and Email address of the Editor and then click Save and New. Repeat for the other 4 News Admin Team members. Each new member will receive an email letting them know that they are now a registered member of our network. Here is the list of our Demo News Team Joomla Users:
Note that all of these Demo Members have been assigned to a User Group called Registered. The Registered User Group is allowed to log into the front end of the website and see any menu items assigned to the Registered group. But the Registered Group is not allowed to log into the back end.
#5 Look at the List of Default Joomla User Groups
Click on Users, User Groups in the Top Menu.
By default, there are 9 Joomla User groups. Currently, there are 5 members in the Registered group and 1 member in the Super Users group. Before we add our custom News Team User Groups, let’s look at what each of these existing groups can do.
#6 Review the Default Joomla User Groups
Joomla uses groups as a way to assign different sets of permissions to different group members to view different pages and do different tasks on those pages. Put another way, a group is a collection of users who all share the same set of permissions. As a super user, you can assign any member to any number of User Groups.
Groups control what you can see and what you can do
The Joomla User Management system is actually two separate systems. One is an Access system that controls what website pages group members can see. The other is a Permissions system that controls what actions group members can do.
Back End versus Front End Groups
In addition to the split between viewing pages and taking actions, access control can be divided into front end viewing and doing versus back end viewing and doing.
Some people think of access control as simply limiting what pages a person can see on the front end of a website. The public sees only some of the pages. Registered Users see more pages in the front end. The Super User sees all the pages in the front end and back end of our site. But what a person can do matters just as much as what they can see. Joomla has one set of User groups for the Back End and another set of User groups for the front end:
Note that Manager and Administrator are back end user groups while Registered, Author, Editor and Publisher are Front End User Groups.
Back End User Groups
These two groups are followed by two groups, called Manager and Administrator with (limited) access to parts of the back end of our website. Back end groups can log into the back end of our website via the sitename/administrator URL for our website.
Managers can create, edit, publish and delete all articles on the back end of our site. This makes them similar to the Publisher (Front End) Group. Managers also have access to the Media Manager and Contacts components in the back end of our website.
Administrators can do everything managers can plus they can create new users, manage group privileges and install extensions. They have access to nearly every part of our website except Global Configurations and the Template Custom Edit screen. The only group that can do more than Administrators is the Super User group.
Four Front End User Groups
The remaining six user groups all only have access to the front end of our website.
Registered Users can view menu items and articles that are set for Registered User access – but only after they have logged in. Registered means pages that can be viewed by anyone who has filled out the Registration form for our website – and therefore become a member of our community network. Members of this group need to log in to our website after registering in order to see pages on the website intended only for Registered members. All one needs to become a Registered Member is to fill out the registration form with a unique email address and then be approved by an administrator.
Authors have all the permissions of Registered Users. Plus they can create new articles and edit the articles they have written (after they have logged in to the front end of the website). Authors and all other groups except Public and Registered are assigned by the Super User of the website.
Editors have all the permissions of Authors. Plus they can edit all articles written by anyone – even unpublished articles.
Publishers have all the permissions of editors. Plus they can publish articles. However, they cannot create menu items. So unless an article has been assigned to a category, it will not be viewable even after it is published – until a super user creates a menu item for it.
Super Users can create menu items and control any part of the website including adding or deleting any other Super User! The first super user was created when our Joomla website was created. The first super user is considered the Site Owner.
Parent and Child Groups
Note that there is only one group which does not have a dash in front of its name. This group is called Public. Public is the group with the least amount of Permissions. By default, any menu item or article we create can be viewed by the public. Groups with a single dash to the left of their name are called a “child” of the Public group. The four groups with a single dash are called Guest, Manager, Registered and Super User. These groups can see and do everything the Public group can do. Plus they can see and do more. Children can always do more than their parents.
#7 Assign News Team Members to User Groups
We created email addresses for 9 News Team Members and registered 5 Members. We will now assign one of these 5 members to an additional default user group to see how the default Joomla User Management system works. Then in the next article, we will review how to use Joomla Access Levels in combination with Joomla User groups. We will then create a new custom user group called Featured Authors which we will use to give special permissions to our Featured Author News Team members.
#8 Assign the Newsletter Coordinator to the Author User Group
To better understand how the default Joomla User Management system works, log in as a Super User and click on the Users menu item. Then click on the Newsletter Coordinator to open the Edit screen. Then click on the Assigned User Groups tab:
We can see that any registered user is automatically placed in the Registered User group. Check the box for Author. Then click Save and Close. This person now belongs to two groups – the Registered group and the Author group.
#9 Make a Member Log In Article and Menu Item
Next go to Content, Articles to create a new article called Community News Member Log In. Type:
If you are already a Community News member, use the form below to log into our Community News Member area. If you are not yet a member of our group, and you would like to be able to post comments and submit events or editorials, go to our Member Sign Up page to join our group!
Then click Save and Close. Then go to Menu, Bottom Menu, New to create a new menu item for this article.
Then go to Content, Site Modules and click on the Log In Module to edit it. Change the title to Member Login. Put it in the News1 template Bottom 01 position. Click Publish. Then click on the Conditions tab. Then click the Member Log In Menu item. Then click Save and Close.
Also make a Member Logout Menu Item
We need a way for logged in Members to log out. Go to Menu, Bottom Menu, New. For Type, select Users, Logout. For Title, type Member Logout. For Access, click Registered. Click Save and Close.
#10 Make a Create Article Menu Item
Before this person can create any articles, we need to create a new special menu item for the front end of our website that is only visible to those above the rank of registered user. Click on Menus, Bottom Menu, New. For Menu Item type, select Articles, Create Article. For title, type Create Article. For access, go to the lower right corner of the screen and assign this menu item to the “Special” Access group (which we will review later). Then click Save and Close.
#11 Create a Featured Authors Information Category
We need to write an instructional article to help our featured authors create their articles. So go to Content, Categories and create a category called Featured Author Information. Here is the description: This category includes articles to help our Featured Authors learn how to create and submit their own articles, events and editorials.
#12 Create a New article called Featured Authors First Steps
We will eventually add our Featured Authors tutorial to this article. Assign the article to the Featured Author Information category.
#13 Create a new Menu Item for our Featured Authors Category
Go to Menus, Bottom Menu and create a new menu item of the type Category Blog for the Featured Author Information category, with Access set so that this menu item is only viewable by Registered Members.
#14 Adjust the JCE Editor to provide Front End Authors with their own Media Folders
Go to Components, JCE Editor, Profiles. Then click Default, Setup tab, and scroll down to User Group.
Add Registered Users to the list of permitted users. But delete Managers, Administrators and Super Users as we will soon give them a different JCE Editor.
Click Save. Then click on the Editor Parameters tab. We will leave URL Conversion set for relative URLs in order to make it easier to copy. But we will need to change it to Absolute URLs for the Administrator Editor for editing the Newsletter component we will be installing later. Then click Save and Close. We now have the default JCE Editor set up as a normal editor.
Create a Second JCE Editor for Administrators
Next click on JCE Editor Profiles. Select the Default Editor and click Copy. This will add another editor called Copy of Default that is exactly like the Default Editor. Click Copy of Default to open it. Change its name to Super User Editor. Change Status to Published. Scroll down to User Group, uncheck all groups except Manager, Administrator and Super Users.
Then click Save and Close. We now have two published Editors.
Create a Personal Document Folder for each Registered Member
Next, click on the JCE Default editor to open it. Click on the Editor Parameters tab. Then click on the File System tab. At the top of this screen is the "File Directory Path". Set this box for members/$username. (this is read members slash $ user name).
Then click Save and Close. The Default Editor will become the editor for the entire community and will give each person their own uploads folder with their username on it. This folder will be in the root folder for the website. Meanwhile, the Super Admin will retain the normal upload folder called Images which is accessed in the Joomla back end via Content, Media Manager.
Set the JCE Editor as the Default editor for your website
In Users, User Manager, click on your Super User name to edit the settings. Then click on Basic Settings tab and set the Editor to JCE Editor. Also set the Help Site and Time Zone. Then click Save and Close. While both the Global Configurations and the Super User appear to be pointing towards the same JCE Editor, the Editor will direct Back End Administrators to the Super User Editor and Front End Members to the Default Editor.
Install the Phoca Commander File Manager to Create a Community Folder
We need to add a File Manager to the Joomla Control Panel to make File Changes without the need to log into our server. To download Phoca Commander, go to this web page and click Download: https://www.phoca.cz/download/category/96-phoca-commander-component
Then install Phoca Commander by going to Systems, Install, Extensions. Then go to Components, Phoca Commander. Then read the Warning and click OK. The Phoca Commander File Manager now appears. We will use Phoca Commander to create the members folder which will hold the images folders of all of our members. This file manager allows you to quickly create and edit files and folders without needing to log into your Hestia VPS. The File Manager opens at the website root folder. Click F7 New Folder to add a new folder. Then type the word members with all lower case letters in the empty box.
Click Create. Then exit the file manager by clicking on any menu item in the top menu. Now, when a member adds an image to their profile page, the JCE Editor will automatically add a new folder in the members folder using the username of the group member.
#15 Log in as the Newsletter Coordinator to create a new article
Open a new browser tab, go to our Community News Home page and click on the Log In menu item in the Bottom Menu. Then log in as the Newsletter Coordinator. Their username is newsletterco.
You will now see a Menu Item on the Bottom Menu that says Create Article. Click on it to bring up the Article New screen. Give the article a Title such as This is my first article. Then type some text into the Editor screen such as This is my first article as an author.
Let’s see how well the JCE editor Media folder creation function works. First type two or three sentences. Then create a new line between the sentences and place your cursor at the beginning of this new line. Then, to add an image to the article, click on the JCE editor Picture icon. If the JCE editor is set up properly, you will not see any images or image folders. The only folder you will see is called Home. In the JCE Images Manager, click on the Upload icon which is just above the Details area:
Then open your Home computer file manager and select an image which is under 100 kb and drag it into the JCE Upload box.
Then click Upload. Then click on the file to the right of the checkmark to see and adjust its properties:
In the Dimensions box, reduce its width from 975 to 500 pixels. Then click the Insert button in the lower right corner of the screen.
Click Save and Close at the bottom of the screen. This will close your article and return you to the Home page. A popup will appear that says: Article Submitted.
In addition, an email will be sent to the Site Administrator letting them know that an article was submitted and is waiting for approval:
#14 How to Edit Submitted Articles
Let’s say you want to add more information, images, videos or links to your article. Sadly, if you go back to Create Article, Publishing tab and select your category, the article is not shown. This is because it has not yet been published. Log into the control panel as the super user and click on Content, Articles where you will see the unpublished new article. Click it to review it to make sure the content is OK. Then select it and click Publish. Then log into the front end as the person who created the article (in this case, the newsletter coordinator). Go to the category where you placed the article and you will see the article with an Edit button to the right of it. Click on the Edit button to open the article for editing.
Next, assign a different member such as the Events Coordinator to be an author. Then log in as this member. When they go to the same category, they can see the article but not edit it. Sadly, an author cannot delete an article. To delete your article, you will need to contact someone who is a super user or was the person who published the article.
Next, log in as a super user and assign a user to the Publisher user group. Then click on Create Article in the Bottom Menu. Then give the new article a Title and some text. Then click on the Publishing tab. We can assign this article to a category, set the Status to Published and select the Start and End dates for this article. Click Save. Then click on the Menu Item for the category the two articles were assigned to.
#15 A person assigned to the Publisher group can edit either their own articles or anyone else's articles. Click on the Edit button for the unpublished article. Then change the status of the article from Unpublished to Published. Then click Save. Then click on the Category Menu Item to view the article again. Both articles are now published. Click on the article to edit it again. This time click on Cancel. However, members of the Publisher group cannot cancel articles. Click on Edit again. This time, unpublish and then save both articles.
Next log in as a super user and assign a user to the role of a Manager. Then log into the front end of our website. Then click on Create Article. Then click the Publishing tab. You will see that a member of the Manager group has the same publishing rights as a Publisher. Click on the Category for the two unpublished articles and note that the Manager can publish either one of these articles.
But more important, a Manager can log into the back end of our website by first going to the site administrator log in page and then logging in with their user name and password.
In addition to accessing the Article Manager, Category Manager and Media Manager, the Manager has access to a few components:
If you wanted the Manager to only access the Article Manager, this would require changing their access to each of the above components on the Global Configurations Permissions page as we discuss in a minute. For now, click Content, Article Manager.
A member of the Manager Group can not only publish articles, but can also delete them. Select the two unpublished articles. Then click Trash. Then click Search Tools, Status, Trashed and select the two articles again. Then click Empty Trash.
Next log out as a manager, log in as a Super Administrator and assign a very trusted user to the role of Administrator. Log out, clear the cache, then log back in to the Administrator log in page as this administrator. You will note that you can access every part of our website except Global Configurations and the Template Edit Customization screen.
#16 Viewing and Changing Joomla Group Permissions
Permissions define and control what a group can see and do. Permissions are assigned to a group, not to an individual user. Users get permissions to see and do things by being assigned to a group. There are four places where Permissions can be viewed and changed for each Joomla group. These are default configurations, component options, category settings and article settings.
To better understand how the default permissions have been set for our default Joomla groups, we will briefly look at the default settings in the Global Configurations settings table. The remaining three areas by default are set to “inherit” the settings from Global Configurations unless they are changed at these more precise locations.
Global Configurations Sets Permission for our entire Website
Default Permissions for the entire website can be changed by going to System, Global Configurations. Click on the Permissions tab:
This screen shows that there are no special permissions set for members of the Public group. There is also a side menu for the various Components (or major parts) of the website where permissions can be set for access to each Component. Permissions can also be set for various menu items and for each page of the website that will override the Default Permissions set for the entire website. Click on the Registered tab and you will see that the only thing Registered Members are allowed to do in the Default settings is log into the website. Menu items will have to also be set for Registered in order for Registered Users to see these pages.
Click on Authors to see what pages this group is allowed to see.
The Select New Settings Column can either be Not Set, Inherit, Allow or Deny. The Calculated Setting column shows you the setting in effect. It is either Not Allowed (the default), Allowed, or Denied.
Here is a table of the default settings for all default Joomla groups:
How a Super User can change Global Permissions for the Administrator group:
In Global Configurations, Permissions, select the Administrator group. Then change the settings in the Select New Settings column for any Action (what the group can see or do) from Inherited to Allowed or Deny (Not Allowed). Select one Group at a time by opening the tab for that group. Change the permissions in the Select New Settings drop-down list boxes. Note that the Calculated Setting column is not updated until you press the Save button. To check that the settings are what you want, press the Save button and check the Calculated Settings column.
Go to Content, Categories, Uncategorized, Permissions. Then click Administrator. We can create any number of categories in which to place our pages or articles. Then we can assign categories to particular groups. The Permissions System for the Category Manager and Article Manager works much the same way as the Permissions for the Menu items. Here is the Permissions system for an Administrator for the Uncategorized Category.
#17 Why We Should Avoid Setting Permissions to Deny (IMPORTANT!)
There is a problem if you change settings to “Deny” in Global Configurations. Once a setting is changed to Deny, it cannot be changed back to Allow at a more precise level such as at the Category or Article Permissions screens. Also, setting Deny for a higher level group such as the Public or Registered Group will force the same settings to apply to all child groups. Since the Super User group is a child of the Public group, setting the public group to Deny could actually lock the Super Users (and everyone else) out of our website! There is a way to get back into your website. But it is very time consuming. So simply avoid setting Permissions to Deny in Global Configurations. The way we avoid setting a custom group that denies permissions is by always choosing a parent group that has permissions LESS THAN we actually need. Then add the permissions we want until we have the group just the way we want it.
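The Calculated Setting behaviour described in #16 and #17 can be worked through in a few lines of Python. This is an added example, a simplified model and not Joomla's own code: the function names and the two rule sets are constructed for illustration, and it assumes only the rules stated above (Not Allowed by default, child groups inherit from parents, Deny wins and cannot be undone at a more precise level).

```python
"""Simplified model of the Calculated Setting logic (added example, not Joomla code)."""

# Default group tree as child -> parent. Public is the root group.
PARENT = {
    "Public": None,
    "Guest": "Public",
    "Manager": "Public",
    "Administrator": "Manager",
    "Registered": "Public",
    "Author": "Registered",
    "Editor": "Author",
    "Publisher": "Editor",
    "Super Users": "Public",
}

# The four places permissions can be set, from least to most precise.
LEVELS = ["global", "component", "category", "article"]


def lineage(group):
    """Return the group followed by its parent, grandparent, ... up to Public."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def calculated_setting(rules, group, action):
    """Compute the effective setting for one group and one action.

    rules has the shape {level: {action: {group: "Allow" | "Deny"}}}.
    A group that is absent at a level is treated as Inherit / Not Set.
    """
    merged = {}
    for level in LEVELS:
        for g, setting in rules.get(level, {}).get(action, {}).items():
            # A Deny from a less precise level survives any later Allow.
            if merged.get(g) != "Deny":
                merged[g] = setting
    result = "Not Allowed"              # the default when nothing is set
    for g in lineage(group):
        setting = merged.get(g)
        if setting == "Deny":           # Deny on the group or any ancestor wins
            return "Denied"
        if setting == "Allow":
            result = "Allowed"
    return result


def risky_denies(rules):
    """List each global Deny together with every group it binds."""
    findings = []
    for action, per_group in rules.get("global", {}).items():
        for g, setting in per_group.items():
            if setting == "Deny":
                affected = sorted(x for x in PARENT if g in lineage(x))
                findings.append((action, g, affected))
    return findings


# Constructed sample: additive rules only (the approach recommended above).
DEFAULT_RULES = {
    "global": {
        "core.login.site": {"Registered": "Allow"},
        "core.create": {"Author": "Allow"},
        "core.admin": {"Super Users": "Allow"},
    }
}

# Constructed sample: two global Deny settings plus a category-level Allow
# that tries (and fails) to give Authors their permission back.
DENY_RULES = {
    "global": {
        "core.create": {"Registered": "Deny"},
        "core.admin": {"Super Users": "Allow", "Public": "Deny"},
    },
    "category": {"core.create": {"Author": "Allow"}},
}

if __name__ == "__main__":
    for action, group, affected in risky_denies(DENY_RULES):
        print(f"Deny on {group} for {action} binds: {', '.join(affected)}")
    print(calculated_setting(DENY_RULES, "Author", "core.create"))
```

Running `risky_denies` over an export of your own Global Configurations settings gives a quick list of which groups a single Deny would bind before you press Save.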
What’s Next?
Now that we know more about Joomla Groups and Permissions, in the next article, we will see how to use Joomla Access Levels to give us even more control over what different groups can see and do.