Access levels and usergroups issue [jd 3.2.33]

[patty3769]

Hi,

I'm fighting with the ACL system in Joomla and jDownloads. I'd be glad, if someone can help me with the following scenario:
Btw. I already searched the forum and scanned the documentation, but still...

The default usergroup of a registrant is Registered/Customer, so they can access (see and download) a top category especially for customers.
I changed the access level of the category to "Customer" - so far so easy...

Now I need to implement two new categories "SoftwareA" and "SoftwareB" with the following access rules:
Everybody (public) can view the category, but only customers that a members of the corresponding usergroups "SoftwareA User" and "SoftwareB User" are allowed to download. Those users are still members of "Customer".
Those users can also be members of all three groups (Customers, SoftwareA, SoftwareB).

So I set the access level to public, but changed the access rules of the category "SoftwareA" to the following:
Public /Guest -> deny Download
Registered/Customer -> deny Download
Registered/SoftwareA User -> Allow
Registered/SoftwareB User -> Deny
The same goes with the category "SoftwareB", but obviously with reversed access rules (Registered/SoftwareA User -> Deny, Registered/SoftwareB User -> Allow  ).

This does not work as expected: Because of the fact, that the users are also members of "Customer", they are not allowed to download "SoftwareA" or "SoftwareB".
Is there another way to accomplish this scenario? Perhaps I made some mistakes? I tried to change inheritance (e.g. changed parenthood of SoftwareA User to be a subgroup of Public) and also fiddled around with the JD user group settings - especially with the ranking of mentioned user groups - hopefully "outrank" the customers' user group. But still no chance...

Please help

[Arno]

Hi,

This does not work as expected: Because of the fact, that the users are also members of "Customer", they are not allowed to download "SoftwareA" or "SoftwareB".

I think that a user which is a member from multiple user groups can not has different permissions. So maybe must you change here the structure?
But Colin should have more experience here as he has created some articles about this in the documentation. 

I know: the ACL in Joomla is a challenge!

[ColinM]

@patty3769
Hi  yes we can fix this OK.

First thing to remember is that if you find you need to use Deny then it is most likely that things are incorrectly structured.

Next point is that Joomla uses implied group membership.  So if you are a member of the Registered User Group (UG) then you are also a member of the Public UG.  Because you have set 'deny' in Public UG then no one in Registered UG or any UG that can trace its parenthood back to Registered will not be able to do anything because deny cannot be overridden.

The next thing to do is to ensure that the Component permissions (accessible via Options button on jD Control Panel) are set to 'inherit' for Download in all UGs.  This is to give us detail control.  Note the default permission will be computed as Not Allowed.

Because you want anyone to see the Downloads then you should set the View Access Level to Public for both categories.  Check that the Downloads also have Public Access Level. Think this is what you have done already.

You have 3 user groups(UGs)  Customer, SoftwareA-User and SoftwareB-User.  All three UGs have Registered as their parent UG
You have two Top level Categories SoftwareA and SoftwareB  - note I assume they are top level cats.

The objectives are as follows. Users in SoftwareA-User UG can only download from Downloads in Cat SoftwareA
Users in SoftwareB-User UG can only download from Downloads in Cat SoftwareB.
Users may belong to multiple UGs.  Everyone can see the Downloads.

If I have misunderstood the objectives please advise as the steps below may not be the right ones!
Most of what follows is to clean up just in case.

For Category SoftwareA:
select Public UG  and set Download permission to inherited
select Registered UG and set Download permission to inherited
select SoftwareA-User UG and set Download permission to Allowed  -  usually this is all that is needed for cat SoftwareA but we need to tidy up
select SoftwareB-User UG and set Download permission to inherited
Now Save and check that the computed permissions are as desired: Not Allowed for Registered and SoftwareB-User UGs; Allowed for SoftwareA-User UG
Save & Close

We now select Category SoftwareB:
select Public UG  and set Download permission to inherited
select Registered UG and set Download permission to inherited
select SoftwareA-User UG and set Download permission to inherited
select SoftwareB-User UG and set Download permission to Allowed  -  usually this is all that is needed for cat SoftwareA but we need to tidy up
Now Save and check that the computed permissions are as desired: Not Allowed for Registered and SoftwareB-User UGs; Allowed for SoftwareA-User UG
Save & Close

We should be done.  A particular user can be a member of all three UGs, or any two UGs, or just one UG
If all is not OK then double check the Component permissions, that you ticked each of the steps above.  Also check that you did not set Allow or Deny in any Download permission for any Category.

If there is still a problem then send me super admin access.

Colin