How to Add ACL in a Joomla Component

With Access Control, you can define which user groups are allowed or denied which actions in your component. In the database, these permissions are stored in the _assets table. You can also read the basics of Access Control Levels in Joomla.


  1. core.admin - edit component options and permissions (superuser at global config level)
  2. core.options - edit component options, but not permissions
  3. core.create - can create new items
  4. core.delete - can delete
  5. core.edit - can edit existing
  6. core.edit.state - can change status (publish or unpublish)
  7. core.edit.own - can change those items which the user created themselves
  8. core.edit.value

Component Level

There are two actions that need to be defined at the component level:

  1. Configure (core.admin): which groups are allowed to configure the component level permissions via the "Options" toolbar button?
  2. Access Component (core.manage): which groups are allowed to access the component's backend?

To add this functionality, follow these steps:

  1. Add component level actions to access.xml
  2. Add the permissions fieldset to config.xml
  3. Add the 'Options' toolbar button
  4. Restrict the access to the component's back-end

1. access.xml

A basic access.xml file consists of only two basic actions: core.admin and core.manage. This file is stored in the admin subdirectory.

<?xml version="1.0" encoding="utf-8" ?>
<access component="com_helloworld">
	<section name="component">
		<action name="core.admin" title="JACTION_ADMIN" description="JACTION_ADMIN_COMPONENT_DESC" />
		<action name="core.manage" title="JACTION_MANAGE" description="JACTION_MANAGE_COMPONENT_DESC" />
	</section>
</access>

2. config.xml

Next, you need to add the permissions fieldset to config.xml, in order to be able to set component level permissions.


3. HtmlView.php

In the display() function:

$this->canDo = JHelperContent::getActions('com_helloworld');

In the addToolBar() function, add the 'Options' toolbar button when the user is authorised for it. In the view file, you can add the following code to check if the user can edit the preferences:

if ($this->canDo->get('core.admin'))
	JToolBarHelper::preferences('com_helloworld');

4. Restrict the component's back-end access

To control the access to the back-end of the component, add the following lines to the main entry file (admin/component_name.php) of the component:

// Access check: is this user allowed to access the backend of this component?
if (!JFactory::getUser()->authorise('core.manage', 'com_helloworld'))
	throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'));
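
The access.xml from step 1 and the permissions fieldset from step 2 must name the same component and section, and an access.xml with a missing closing tag is not well-formed XML. The check below is an added example, not code from the original page or from Joomla; the sample config.xml is constructed here on the assumption that the permissions fieldset uses Joomla's rules form field, and check_acl_files is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

REQUIRED = {"core.admin", "core.manage"}  # the two component-level actions

# Constructed samples for com_helloworld (CONFIG_XML is an assumption, not from the page).
ACCESS_XML = """<?xml version="1.0" encoding="utf-8"?>
<access component="com_helloworld">
  <section name="component">
    <action name="core.admin" title="JACTION_ADMIN" description="JACTION_ADMIN_COMPONENT_DESC" />
    <action name="core.manage" title="JACTION_MANAGE" description="JACTION_MANAGE_COMPONENT_DESC" />
  </section>
</access>"""

CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <fieldset name="permissions" label="JCONFIG_PERMISSIONS_LABEL" description="JCONFIG_PERMISSIONS_DESC">
    <field name="rules" type="rules" label="JCONFIG_PERMISSIONS_LABEL"
           validate="rules" filter="rules" component="com_helloworld" section="component" />
  </fieldset>
</config>"""


def check_acl_files(access_xml, config_xml):
    """Return a list of problems; an empty list means the two files agree."""
    try:
        access = ET.fromstring(access_xml.encode("utf-8"))
        config = ET.fromstring(config_xml.encode("utf-8"))
    except ET.ParseError as exc:  # e.g. a missing </section> or </access>
        return [f"not well-formed XML: {exc}"]
    problems = []
    component = access.get("component")
    declared = {a.get("name") for a in
                access.findall("./section[@name='component']/action")}
    for missing in sorted(REQUIRED - declared):
        problems.append(f"access.xml: component section lacks {missing}")
    rules = [f for f in config.iter("field") if f.get("type") == "rules"]
    if not rules:
        problems.append("config.xml: no field of type 'rules'")
    for field in rules:
        if field.get("component") != component:
            problems.append("config.xml: rules field points at "
                            f"{field.get('component')!r}, not {component!r}")
        if field.get("section") != "component":
            problems.append("config.xml: rules field section is not 'component'")
    return problems


if __name__ == "__main__":
    print(check_acl_files(ACCESS_XML, CONFIG_XML) or "ok")
```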

Category Level

Each component (or part of it) has its own set of permissions that can be controlled. They are described in the access.xml file located at the root of the admin folder. The actions to which access is controlled can be divided into three sections: the component level, the category level and the item level.

<section name="category">
	<action name="core.create" title="JACTION_CREATE" description="COM_CATEGORIES_ACCESS_CREATE_DESC" />
	<action name="core.delete" title="JACTION_DELETE" description="COM_CATEGORIES_ACCESS_DELETE_DESC" />
	<action name="core.edit" title="JACTION_EDIT" description="COM_CATEGORIES_ACCESS_EDIT_DESC" />
	<action name="core.edit.state" title="JACTION_EDITSTATE" description="COM_CATEGORIES_ACCESS_EDITSTATE_DESC" />
	<action name="core.edit.own" title="JACTION_EDITOWN" description="COM_CATEGORIES_ACCESS_EDITOWN_DESC" />
</section>

Toolbar Buttons

The toolbar buttons that are displayed depend on the user's Access Control permissions. The function JHelperContent::getActions() is used to find the permissions. In the view (view.html.php) file, add the following code inside the display() function:

// What Access Permissions does this user have?
$this->canDo = JHelperContent::getActions('com_helloworld');

Then, inside the addToolBar() function:

if ($this->canDo->get('core.create'))
	JToolBarHelper::addNew('helloworld.add', 'JTOOLBAR_NEW');
if ($this->canDo->get('core.edit'))
	JToolBarHelper::editList('helloworld.edit', 'JTOOLBAR_EDIT');
if ($this->canDo->get('core.delete'))
	JToolBarHelper::deleteList('', 'helloworlds.delete', 'JTOOLBAR_DELETE');
if ($this->canDo->get('core.admin'))