CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Some Joomla admin security without ACL  (Read 2088 times)

civiZEN

Some Joomla admin security without ACL
July 25, 2009, 05:34:38 pm
We're all aware of the lack of ACL for a Joomla-based install of CiviCRM.
One of the biggest problems is the inability to prevent non-administrators from seeing and clicking on links to things like 'Administer CiviCRM'.

Disclaimer: This is quite obviously not a fully secure alternative to a functioning ACL system.

The Joomla extension ReReplacer (Free, GPL, found in the Joomla extensions directory) may be used to hide the 'Administer CiviCRM' (and other) links depending on the user's Joomla user group (Registered, Editor, Publisher, etc.).

For example:

I've got 2 rules set up to hide the 'Administer CiviCRM' links on the top and left menus.

The 'Hide Admin Civi left menu' rule simply searches for:

Code:
<li class="leaf"><a href="index2.php?option=com_civicrm&amp;task=civicrm/admin&amp;reset=1" >Administer CiviCRM</a></li>
...and replaces it with nothing. I've selected all user groups except for Super Administrator and now when anyone other than me logs in, they do not see the link.
(http://urbanzenfoundation.org/rereplacer.gif)
Of course this does not prevent them from getting there by other means, but when allowing back end access to trusted staff this provides some safety without hacking any core files. Now I know they can get in and do what they need to do with far less possibility of them changing any settings or seeing things they shouldn't see.

The same procedure would work for hiding other links like the CiviContribute link, CiviMailer link, etc. You could, in theory, go through and hide just about anything you want based on access level. Just look at the source of the page and copy and paste into a ReReplacer rule. It even supports searching by regular expression, so there's some power and flexibility there.

Hope this helps some of you make things just a little bit safer.


« Last Edit: July 26, 2009, 10:36:17 am by civiZEN »
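
An exact-string rule like the one above stops matching as soon as the markup differs, so it is worth checking what a restricted user's page still links to. The following is an added example, not part of the original post and not ReReplacer code: the sample page, the `leftover_links` helper and the use of `str.replace` to stand in for the rule are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Search string of the 'Hide Admin Civi left menu' rule, as quoted in the post.
LEFT_MENU_RULE = ('<li class="leaf"><a href="index2.php?option=com_civicrm&amp;'
                  'task=civicrm/admin&amp;reset=1" >Administer CiviCRM</a></li>')

# Constructed sample page; the top-menu markup and the dashboard link are invented.
SAMPLE_PAGE = (
    '<ul id="top"><li><a class="top" href="index2.php?option=com_civicrm&amp;'
    'task=civicrm/admin&amp;reset=1">Administer CiviCRM</a></li></ul>\n'
    '<ul id="left">' + LEFT_MENU_RULE +
    '<li class="leaf"><a href="index2.php?option=com_civicrm&amp;'
    'task=civicrm/dashboard&amp;reset=1" >Home</a></li></ul>\n'
)

class LinkCollector(HTMLParser):
    """Collect (href, link text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def leftover_links(html, task_prefix="civicrm/admin"):
    """Return (task, text) for com_civicrm links still pointing at task_prefix."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.links:
        query = parse_qs(urlsplit(href).query)  # attribute values arrive unescaped
        if "com_civicrm" in query.get("option", []):
            hits += [(t, text) for t in query.get("task", [])
                     if t == task_prefix or t.startswith(task_prefix + "/")]
    return hits

if __name__ == "__main__":
    filtered = SAMPLE_PAGE.replace(LEFT_MENU_RULE, "")  # simulates the one rule
    for task, text in leftover_links(filtered):
        print(f"still visible: {text!r} -> {task}")
```

Run it against the page source saved while logged in as a member of each restricted group; an empty result means every link to that task is hidden, not that the task itself is blocked.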

Dave Greenberg

  • Administrator
Re: Some Joomla admin security without ACL
July 27, 2009, 11:03:00 am
Nice workaround - thx for sharing (caveats and all)!


This forum was archived on 2017-11-26.