Acces Policy / Roles

I want to give the content manager limited acces. I followed the tutorial ‘giving a user manager access’ as I did many times before.
As a content manager you ca only create, edit and delete resources and you only have access to the media-files.

I’ve done this serveal times succesfully, but on the site I’m working on, I have an issue.
When I’m logging in as content manager I still see the elements menu and also the top-menu. Even if I give the content manager an even more limited role, like member, I still have access to everything.

I really haven’t any clue what’s going wrong.

For the record, I had some issues, moving the site from development to the root. At some point I couldn’t log in at all. I’ve solved this by installing MODX on a sub-domain and moved the manager-folder to the root.
Aftter that I created the new role, acces policy and added a new user.
For a minute I thought that the manager maybe was connected to another database. But I’ve checked phpMyadmin and everything looks fine.I see the template for the contentmanager and I see the user with that role.

Does anybody has a clue what could be the problem and how I can solve this?

Try logging out all users, manually deleting all files in the core/cache directory, and visiting the site with your browser in private or incognito mode.

Just to be sure about the DB, check the core/config/config.inc.php file. There are two references to the DB in there. Check both.

I’ve taken the liberty of removing your config .jpg. You should also delete the .jpg file as soon as possible. There’s way too much information there for hackers to use to gain access to your site.

Since none of your actions fixed things, it seems you have a problem with protecting things. Remember that nothing in MODX is protected unless you provide access to it for a user group that the editor is not a member of.

So:

  1. Make sure the content manager is not a member of the Administrator group.

  2. Put the Resources and Media Sources a group (or groups).

  3. Attach the group(s) to the Administrator group in the ‘mgr’ context with a group access ACL entry with a policy that gives them all permissions.

  4. Put the content editor(s) in a separate group.

  5. Attach that group to the groups containing the Resources and Media Sources in the ‘mgr’ context with a restrictive Policy like Content Editor.

  6. Flush permissions

  7. Log everyone out

  8. Delete the core/cache files again.

  9. Visit in incognito or private mode when testing.

If that doesn’t do it, I’m stumped. :wink:

1 Like

Ah, so its not so much assigning rights to the users, but rather creating an area that is off limits to them…

Yes, giving people access to them does nothing. Putting stuff in groups does nothing. You have to protect them by giving someone else rights to them.

1 Like

Hi Bobray,

Thank you so much. I really appreciate it. But I’m a little bit confused. It’s the first time that the tutorial in the MODX-documentation ('Giving a user manager access) didn’t help me out. Do you say that this tutorial isn’t correct (anymore)?

I tried to follow your steps But still I have some questions. First of all, I put all resources in a recource group, named ‘content’. In the resources I have two collections. The children are not included in the resource group. How can I fix that?

Next, I’m not sure how to get your ‘step 3’ working. On the tab "permissions’ in user group Administrator, I want to add the resource group. In the pop-up I choose the group content, ‘mgr’ in context and minimum role, Super User. Then I have to select an access policy. And there I see a drop-down with: (no policy), context, load only, Load, list and view, object and resource. Wich one I need to select? (see attach.)
Hope you can help me a little bit more.

1 Like

Ok let’s break down what you’ve got and want.

You’ve tried to limit the content editors, but right now it seems the problem is not precisely the rights of the editors you care about, but rather to hide some contents from them?

So, for the content that you do not want the editors to see, it must be protected by being owned by someone else. The only way to protect if from one group is for it to be owned by another.

For those children, this seems to be another problem, can’t you add them into the group as you did the other resources?

Let’s hone in on what you want to do precisely

I haven’t looked at the MODX documentation on permissions lately, but nothing has changed with permissions in MODX.

For step 3, with the Administrator group, you want to select the ‘Resource’ Policy which gives them all resource permissions.

1 Like

Thank you again. It took some time but it is working now, just as I want it.

Thank you for joining this topic. It’s working now just as I want it. FInally.

1 Like

Great work! Glad I could help