Documentation

Find documentation for our Joomla extensions on this page.

JoomFAQs - Access Control and Permissions

Parent Category: Documentation JoomFAQ Documentation Hits: 181

JoomFAQs integrates fully with Joomla's Access Control List (ACL) system, giving you fine-grained control over who can view, create, edit, and manage FAQ content. This guide walks you through the permission system at every level -- from global component settings down to individual questions.

How Joomla's ACL Applies to JoomFAQs

Joomla's ACL works as a cascading permission system. Permissions set at a higher level flow down to lower levels unless explicitly overridden. For JoomFAQs, the hierarchy looks like this:

Global Configuration (Joomla system-wide)
  |
  +-- Component-Level Permissions (JoomFAQs Options > Permissions)
        |
        +-- Category-Level Permissions (per FAQ category)
              |
              +-- Per-Question Access Level (viewing access on individual FAQs)

Each level can Inherit, Allow, or Deny a permission. The key rules to remember:

  • Inherit means "use whatever the parent level says."
  • Allow grants the permission at this level and below (unless a Deny overrides it).
  • Deny always wins -- if any group a user belongs to has Deny for an action, that action is blocked regardless of other settings.

JoomFAQs Permission Actions Reference

JoomFAQs defines actions across three sections in its ACL configuration. Here is the complete list:

Component-Level Actions

These are set via Components > JoomFAQs > Options > Permissions and control overall access to the component.

ActionInternal NameDescription
Configure ACL & Options core.admin Allows users to change the component's permission settings. Typically reserved for Super Users.
Access Options core.options Allows users to access the component's Options (configuration) screen.
Access Administration Interface core.manage Allows users to access the JoomFAQs backend (administrator area). Without this, a user cannot see JoomFAQs in the admin panel at all.
Create core.create Allows users to create new FAQ questions (both backend and frontend submission form).
Delete core.delete Allows users to permanently delete FAQ questions from the backend.
Edit core.edit Allows users to edit any FAQ question. On the frontend, this also controls access to the editorial form, viewing unpublished questions, managing comments, and seeing vote/comment statistics.
Edit State core.edit.state Allows users to change the publish state of questions (Published, Unpublished, Archived, Trashed).
Edit Own core.edit.own Allows users to edit FAQ questions they themselves created.
Edit Custom Field Value core.edit.value Allows users to edit the values of custom fields attached to FAQ questions.

Category-Level Actions

These are set per category via Content > Categories > [Your JoomFAQs Category] > Permissions and control what users can do within a specific FAQ category.

ActionInternal NameLabelDescription
Add a Question core.create Add a question Controls whether a user group can submit questions in this category via the frontend form.
Edit (Respond) core.edit Edit (Respond) Controls whether a user group can edit questions and provide answers in this category. This is the primary "moderator" permission for a category.

Custom Fields Actions

JoomFAQs also supports Joomla's custom fields system. The following actions apply to field groups and individual fields:

LevelActions Available
Field Group Create, Delete, Edit, Edit State, Edit Own, Edit Custom Field Value
Field Delete, Edit, Edit State, Edit Custom Field Value

These are standard Joomla custom field permissions and are managed through Components > JoomFAQs > Field Groups and Fields.

Component-Level Permissions

Component-level permissions set the baseline for all JoomFAQs operations.

How to Configure

  1. Navigate to Components > JoomFAQs in the administrator panel.
  2. Click the Options button in the toolbar (or go to System > Global Configuration > JoomFAQs).
  3. Select the Permissions tab.
  4. Select a user group from the list on the left.
  5. For each action, choose Inherited, Allowed, or Denied from the dropdown.
  6. Click Save.

Default Behavior

Out of the box, permissions inherit from Joomla's Global Configuration. This means:

  • Super Users can do everything.
  • Manager and Administrator groups can typically manage the backend.
  • Registered users and Public users have no special JoomFAQs permissions unless you grant them.

Important Notes

  • The core.manage permission is checked before a user can access the JoomFAQs administrator backend. If a user group does not have this permission, members of that group will see an "access denied" message when trying to open the component in the admin panel.
  • The core.admin permission should be granted sparingly -- it allows changing the permission rules themselves.

Category-Level Permissions

Category-level permissions let you control access on a per-category basis. This is where JoomFAQs gets its flexibility -- you can have one category open for public question submission and another locked down to editors only.

How to Configure

  1. Navigate to Components > JoomFAQs > Categories (or Content > Categories and filter by JoomFAQs).
  2. Open the category you want to configure.
  3. Select the Permissions tab.
  4. Set permissions per user group.

Key Category Permissions

Add a Question (core.create)

This permission controls the frontend question submission form. When a user visits a category page:

  • If the user has core.create for that category, the "Add a question" button appears.
  • If the user does not have this permission, the submission form is hidden and any direct attempt to submit is blocked with an "access denied" message.
  • Both guests (if allowed) and registered users are checked against this permission when submitting a question via the AJAX form.

Edit / Respond (core.edit)

This is the most powerful category-level permission. A user with core.edit on a category can:

  • Access the frontend editorial form to edit questions and write answers.
  • View unpublished questions (via the "Show Unpublished questions" button).
  • See vote tallies and comment counts on each question.
  • Delete comments on questions within that category (from the frontend editorial form).
  • Manage question details (state, category, metadata) through the frontend form.

How Category Permissions Interact with Component Permissions

Category permissions override component-level permissions for actions defined at both levels. For example:

  • If core.create is Allowed at the component level but Denied for a specific category, users cannot submit questions in that category.
  • If core.create is Inherited at the category level, it falls back to whatever the component level says.

Per-Question Access Levels

In addition to permission-based access control, each FAQ question has an Access field that uses Joomla's standard viewing access levels (Public, Registered, Special, etc.).

How It Works

The access column on each question is compared against the user's authorized view levels. When the frontend category model loads questions, it includes this filter:

WHERE a.access IN (user's authorized view levels)

This means:

  • A question with Public access is visible to everyone.
  • A question with Registered access is only visible to logged-in users.
  • A question with Special access is only visible to users in the Special viewing access level group.
  • Custom viewing access levels you create in Joomla will also work.

How to Set Per-Question Access

  1. Open a question in the JoomFAQs backend (Components > JoomFAQs > Questions).
  2. The access level is determined by the category and Joomla's standard access level field.
  3. Save the question.

Combining Access Levels with Permissions

Access levels and permissions serve different purposes:

MechanismControlsApplied To
Access Level (per question) Who can view the question on the frontend Individual FAQ questions
Permissions (ACL) Who can create, edit, delete, manage questions User groups at component or category level

A user must satisfy both checks. For example, even if a user has core.edit permission, they will only see questions whose access level matches their authorized view levels.

Comment Permissions

JoomFAQs has a comment system that allows visitors to provide feedback when they vote that an answer was not helpful. Here is how permissions apply to comments:

Adding Comments

The comment form appears when a user clicks "thumbs down" on the helpfulness poll for a question. The comment system currently allows any visitor to submit a comment (the allowAdd method in the comment controller returns true unconditionally). However:

  • The comment form only appears if the Poll option is enabled in the category settings.
  • A CAPTCHA can be configured for comment submissions via Components > JoomFAQs > Options > Comments to prevent spam.
  • Comments require a minimum length of 10 characters.

Deleting Comments

Deleting comments requires the core.edit permission on the category that the question belongs to. Specifically:

  • The system looks up which category the question belongs to.
  • It then checks if the current user has core.edit on com_joomfaqs.category.[catid].
  • Only users who pass this check can delete comments.
  • Comments can be deleted from the frontend editorial form (for users with edit access) and from the admin backend question editor.

Viewing Comment Counts

Comment counts (alongside vote tallies) are only displayed to users who have core.edit permission on the relevant category. Regular visitors see the answers and the voting poll but not the statistics.

Practical Scenarios

Scenario 1: Allowing Registered Users to Submit Questions

Goal: Let any logged-in user submit questions in a specific category, but not edit or manage them.

  1. Go to Components > JoomFAQs > Options > Permissions.
  2. Select the Registered user group.
  3. Set Create to Allowed.
  4. Leave all other permissions as Inherited (which defaults to Not Allowed for Registered).
  5. Save.

Alternatively, to restrict this to a specific category only:

  1. Go to Components > JoomFAQs > Categories.
  2. Open the target category and go to the Permissions tab.
  3. Select the Registered group.
  4. Set Add a question to Allowed.
  5. Save.

Now registered users will see the "Add a question" button on that category's frontend page. Submitted questions will appear as unpublished by default, waiting for a moderator to review and answer them.

Scenario 2: Restricting FAQ Viewing to Specific Groups

Goal: Make certain FAQs visible only to a particular user group (for example, a "Premium Members" group).

  1. In Joomla, go to Users > Access Levels and create a new access level called "Premium" (if it does not already exist). Assign your desired user groups to it.
  2. Open the FAQ questions you want to restrict in Components > JoomFAQs > Questions.
  3. Change the Access level field to "Premium" (or whichever access level you created).
  4. Save each question.

Alternatively, to restrict an entire category:

  1. Go to the category manager for JoomFAQs.
  2. Open the category and set its Access level to the restricted level.
  3. Save. All questions in that category will now be hidden from users who are not in the matching access level group.

Scenario 3: Setting Up a Moderator Who Can Manage Comments but Not Delete Questions

Goal: Create a "FAQ Moderator" role that can edit questions, write answers, and delete comments -- but cannot delete questions or change component configuration.

  1. In Joomla, go to Users > Groups and create a new group called "FAQ Moderator" (as a child of Registered, or another appropriate parent).

  2. Go to Components > JoomFAQs > Options > Permissions.

  3. Select the FAQ Moderator group and set:

    ActionSetting
    Configure ACL & Options Inherited (Not Allowed)
    Access Options Inherited (Not Allowed)
    Access Administration Interface Allowed (if they need backend access)
    Create Allowed
    Delete Inherited (Not Allowed)
    Edit Allowed
    Edit State Allowed
    Edit Own Allowed

  4. Save.

With this setup, FAQ Moderators can:

  • Edit any question and write answers (both frontend and backend).
  • View unpublished questions on the frontend.
  • See vote tallies and comment counts.
  • Delete comments (because core.edit on the category grants this ability).
  • Change publish state of questions.

But they cannot:

  • Permanently delete questions (no core.delete).
  • Change JoomFAQs configuration or permission rules (no core.admin or core.options).

If you want this moderator role to apply only to specific categories, skip step 2-3 above and instead set the Edit (Respond) permission to Allowed on each desired category's Permissions tab.

Email Notifications and Permissions

JoomFAQs can send email notifications to editors when a new question is submitted. The notification system is tied to the core.edit permission:

  • Notifications are sent to users in groups that have core.edit allowed (as Inherited) on the component.
  • You can disable notifications entirely via the category parameter Disable notifications in the category display options.

Quick Permission Cheat Sheet

What you want to allowRequired permissionWhere to set it
View FAQs on the frontend Joomla Access Level on question/category Question editor or Category settings
Submit questions from the frontend core.create on the category Category Permissions tab
Edit/answer questions from the frontend core.edit on the category Category Permissions tab
View unpublished questions on the frontend core.edit on the category Category Permissions tab
Delete comments from the frontend core.edit on the category Category Permissions tab
Access the admin backend core.manage on the component JoomFAQs Options > Permissions
Create questions in the admin backend core.create on the component/category JoomFAQs Options or Category Permissions
Edit questions in the admin backend core.edit on the component/category JoomFAQs Options or Category Permissions
Delete questions in the admin backend core.delete on the component JoomFAQs Options > Permissions
Change publish state core.edit.state on the component JoomFAQs Options > Permissions
Change component configuration core.admin on the component JoomFAQs Options > Permissions

Troubleshooting

Users cannot see the "Add a question" button. Check that their user group has core.create allowed either at the component level or on the specific category. Also verify they are logged in if the permission is set for a registered group.

A moderator gets "access denied" when trying to edit a question. Ensure the user's group has core.edit allowed on the category the question belongs to. Remember that the frontend editorial form checks core.edit against com_joomfaqs.category.[catid], not against the component as a whole.

Questions are invisible to certain users. Check the Access Level field on the question itself. If it is set to something other than "Public," only users in the matching access level group will see it. Also check the category's own access level.

A user can view questions but not vote or comment. The voting poll visibility is controlled by the category display parameter "Poll," not by permissions. Make sure the Poll option is enabled in the category settings. Comments appear as part of the voting flow and do not require any special permission to submit.

Company

Support

Products

Extensions

Recently Updated

Latest News
Cron Job Starts

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.

Ok