How to use JACLPlus/MACLPlus To Enhance Your Component Access Control (Part 1)
(This article is new and still under improvement)

This article intend to show you how to use JACLPlus/MACLPlus to enhance your component access control either at backend or at frontend. When we say enhance, we really mean that we will add advanced access controls into the component. It is not just mean to add some basic access checking to the component to make it controllable by JACLPlus/MACLPlus. Anyway, in this article we will try the best to cover up all the necessary information and how to add the necessary access control checking from basic to advanced to enhance your component access control.

In this article, we will use weblinks component as our example and guide you step by step to enhance its access control. After complete reading this article (including part 2), you will be able to use the same concept to enhance your other components' access control. This article will show you how to enhance your weblinks component access control by using JACLPlus/MACLPlus to manage:
1) who can submit weblinks. (completed) (Chartered Member Only)
2) who can view the weblink (click on weblink to follow its url). Coming soon...(Chartered Member Only)
3) who can view weblinks in certain categories (access certain weblink categories). Coming soon... (Chartered Member Only)
*Special: Put access checking code in template file to enhance backend access control. (completed) (Chartered Member Only)

Requirements to use this article:
1) Basic knowledge of backup and modify PHP files.
2) Joomla system with JACLPlus or Mambo system with MACLPlus.
3) Familiar with Joomla/Mambo.
4) Know where to add Access Control Rule (ACR) thru JACLPlus or MACLPlus.
5) Basic knowledge of PHP if you want to add advanced access controls.

The Location of Main Files of a Component
As we know, Joomla/Mambo have backend and frontend access. Component files used for backend are normally located in /administrator/components/ directory. Meanwhile, component files used for frontend are normally located in /components/ directory. Upon access a component, Joomla/Mambo will load the component main file. At frontend, the component main file will be the PHP file with a filename that same to component name. For example, the weblinks component frontend main file is weblinks.php that located under /components/com_weblinks/ directory. At backend, the component main file will be the PHP file with a filename that same to component name and with a prefix of "admin.". Therefore, in our example, the backend main file for weblinks component is admin.weblinks.php which is located in /administrator/components/com_weblinks/ directory. Figure 1 show you how to determine component main files through access URL.

Figure 1: Use URL to determine the main files of a component.

How to determine there is Access Control/Checking in Component
In order to control the access of a component, you need to make sure there is an access checking in the component main file. For example, if you want to implement frontend access control for the weblinks component, you will have to make sure there is an access checking in weblinks.php file. If you want to implement backend access control for the weblinks component, then you will have to make sure there is an access checking in admin.weblinks.php file. How to determine there is Access Control/Checking in a component? The answer is to look for a function called $acl->acl_check(). Joomla/Mambo and JACLPlus/MACLPlus use this function to check access permission. This function receive 6 arguements based on user and will return a value of true or false based on ACR either predefined by Joomla/Mambo or defined/added by you thru JACLPlus/MACLPlus. For example, $acl->acl_check( 'administration', 'edit', 'users', $my->usertype, 'components', 'com_weblinks' ) will look for the administration->edit->users->User Group->components->com_weblinks ACR in Joomla/Mambo ACL.  If it found the ACR and the ACR is enable, then it will return true or else it will return false.

Add Basic Access Control/Checking to Component
If you open weblinks.php file, you may notice that there is no access checking for that file. Therefore, there is no Access Control Rule(ACR) can control the access of this weblinks component at frontend. In order to use ACR to control this component at frontend, you can add the below access checking code on top of the weblinks.php file just after the "defined( '_VALID_MOS' ) or die( 'Restricted access' );" code.

Basic Frontend Access Checking Code to add in on top of the weblinks.php file: 

// ensure user has access to this function
if (!($acl->acl_check( 'administration', 'edit', 'users', $my->usertype, 'components', 'all' )
        | $acl->acl_check( 'administration', 'edit', 'users', $my->usertype, 'components', 'com_weblinks' ))) {
    mosRedirect( 'index.php', _NOT_AUTH );
} 

Explanation: The above code will look for  administration->edit->users->User Group->components->all or administration->edit->users->User Group->components->com_weblinks ACRs for the user. If it found one of them and is enable, then it will continue to process other code or else it will stop and redirect the user to index.php page. Therefore, by adding this access checking code on top of the weblinks.php file, you can use these two ACRs to control the frontend access of the weblinks component now! However, this is not so good because now ONLY login user can use the component at frontend due to "Public Frontend" group for public user can't support ACR yet.

Once you have added the above access checking code into weblinks.php, you will need to add administration->edit>users->Super Administrator->components->com_weblinks ACR to Super Administrator group before you can add this type of ACR to other group.
By adding this administration->edit>users->Registered->components->com_weblinks ACR to Registered group and enable it, all your Registered group users will be able to access weblinks component or vice versa.

If you open admin.weblinks.php file, you may notice that there is access checking in that file. The access checking code is just below the "defined( '_VALID_MOS' ) or die( 'Restricted access' );" code. Therefore, there are two ACRs can control the access of this weblinks component at backend.

Basic Backend Access Checking Code that already in the admin.weblinks.php file:

// ensure user has access to this function
if (!($acl->acl_check( 'administration', 'edit', 'users', $my->usertype, 'components', 'all' )
        | $acl->acl_check( 'administration', 'edit', 'users', $my->usertype, 'components', 'com_weblinks' ))) {
    mosRedirect( 'index2.php', _NOT_AUTH );
}

Note: Backend access checking code will redirect to index2.php page of backend instead of index.php upon no access.

Some of you may noticed that the backend com_content main file ( / administrator /components / com_content / admin.content.php) do not have access checking as well. Therefore, all backend users will be able to access the com_content at backend to add/edit/publish content items. You can add basic access checking code into the file to make it controllable by ACR. Using this simple concept, you will be able to make all your components controllable by JACLPlus/MACLPlus either at frontend or backend!

Add Advanced Access Control/Checking to Component (Chartered Member Only)