CiviCRM Community Forums (archive)

OK so here's a way of using CiviCRM groups for Access Control in Joomla menus. Longish post including details of mods to two joomla specific Civicrm files - civicrm.xml and civicrm.php. The civicrm.xml file is found (after install) in (joomla root)/administrator/components/com_civicrm/ and the mod is to insert one additional line around line 28 after the line that start
<param name="reset" Insert this line:
    <param name="groupacl"   type="text" size="5" label="Access Groups" description="The ID of the groups allowed to access this option. Separate with commas. Leave blank if no access control required"/>
This creates an additional parameter when adding CiviCRM items to Joomla menus. You use this to specify the group IDs o fthe CiviCRM group or groups (comma separated list) whose members are allowed to access this item.

The modification to civicrm.php which is found in (joomla root)/components/com_civicrm/ uses this parameter to check whether the logged in user is a member of the specified group or groups and if not tells them they don't have permission.

There are two bits of code to insert into the file. The first two lines make the relevant CiviCRM API calls available, and then a block of code (about 20 lines without comments) which does the test. It is not beautiful code - suggestions for improvement welcome - and is probably not totally secure, try in your test environment before use on a live site but it seems to work for me.

I rely on the Joomla user's registered email address to find their CiviCRM contactID - it ought to be possible to have this available anyway - maybe it is? So it relies on email addresses being unique on the individual CiviCRM contacts (it assumes the first match returned is the current user).

Insert the following two lines around line 25 in civicrm.php AFTER the line
require_once 'CRM/Core/Invoke.php';INSERT
//=========================== groupACL mod add 2 lines add
require_once 'api/v2/Contact.php';
require_once 'api/v2/GroupContact.php';

Then insert the following block around original line 54 AFTER the lines
        $menu->load( $_GET['Itemid'] );
        $params = new mosParameters( $menu->params );

and BEFORE         $args = array( 'task', 'id', 'gid', 'reset' );
        foreach ( $args as $a ) {

INSERT
//===================================================== groupACL mod add block
// This block checks if the user is member of groups specified for access control before allowing to proceed
// get the groupacl from itemId
$accessGrp = array($params->get( 'groupacl', null));
//debug print_r($accessGrp);
//if we have a groupacl parameter set then we need to check access rights
if ( !($accessGrp[0] == 0) ){
// get the users Joomla email as a key to search for CiviCRM ID
global $my;
$JoomEmail = $my->email;
//debug echo '<br />Joomla email='.$JoomEmail.'<br />';
// call the civi API to get the Civi UserID matching the user's email.
                        //Ideally would use the joomla user link table but no API function
$schparams = array( 'email' => $JoomEmail, 'contact_type' => 'Individual', 'return.contact_id' => 1); 
$result = civicrm_contact_search( $schparams );
//debug print_r($result);
$civiId = key($result);
// if no CiviCRM individual with the email then exit
if ( is_null($civiId) ) { 
echo '<br />Sorry, could not find your membership details.<br />';
return;
}
// we are only going to look at the first value - potential hazard if there are Civi contacts with duplicate emails
//debug echo '<br />CiviId ='.$civiId.'<br />';
// now we have the Civi ID we can get the groups the user belongs to
$grpParams = array( 'contact_id' => $civiId, 'return.group_id' => 1);
$myGroups = civicrm_group_contact_get( $grpParams );
//debug print_r($myGroups);
//clear a flag and iterate through the groups checking if they are in groupacl list
$allowed = false;
while (list ($key, $grpList) = each($myGroups)) {
//debug echo '<br />'.$grpList['group_id'];
if ( in_array($grpList['group_id'], $accessGrp)) {
$allowed = true;
//debug echo ' Matched <br />';
}
}
if (!$allowed)  {
// no groups match so give them a message and exit
echo '<p>Sorry, you do not have permission to do that</p>';
return;
}
//debug echo '<p>Go ahead';
//debug return;
}
//========================================================= end of modification

The lines marked //debug can be deleted, they are just there to help you see what is happening when it doesn't work for you - just delete the "//debug" text and it will print what is happening on the screen.

Using this you can use any CiviCRM group to control access to a profile that is called through a Joomla menu, this gives a lot of flexibility, although unfortunately you cannot use the dynamic (search) groups as the API doesn't give access to them.

I use the standard Joomla user levels - public/registered/special to give first level visibility of the menus, and then groups to actually control access. So for example a profile which lists a set of users might be visible as a front end menu to all registered users but only those belonging to the admins or cornwall groups could use it.

Apologies for incorporating text output as hard coded strings in the code, very bad practice - simply insert your own local message in place of "Sorry, you do not have permission to do that".

One obvious problem is that if you create a Joomla user who has the email address of an existing CiviCRM contact then they will pick up the CiviCRM contact's privilges...

Hope this is useful to someone - or someone will tell me why it is a bad idea. Of course you will have to manually update the civicrm.php and xml files every time they change in a version upgrade.

RogerCO

Ok, I have made a couple of improvements - now using the UFMatch function as suggested which prevents a user spoofing someone else by temporarily changing their Joomla email address.

It also now has a second parameter when creating the Joomla menu item which allows you to set the message the user sees if they are denied access.

It also now checks and warns the user if the Joomla and CiviCRM email addresses do not match. I didn't want to force them to be the same after the initial link is made so it just shows an on-screen warning at the top of the profile page you are loading.

There is a zip file containing the two files over in the doc wiki at http://wiki.civicrm.org/confluence/display/CRMDOC/CiviCRM+groups+for+Joomla+access+control

RogerCO

In my website i have six user groups like public,register...etc
each and every group having some previleges to display the events for the usergroups.   
For that purpose i need to give previleges to each group  so i made all the changes
what to u mentioned above(in xml file and civicrm.php file) but its not working
it shows some error msg and warning msg like ur membership email is not matching,
can u please explain what are the tables involved in this and what r the fields we need to compare,
anyboby can help me  how we achieve this....