MODX Community

ACL access in 2.7.3


I am really battling to get ACLs working in MODX 2.7.3

I am trying to put together a PoC where there will be around 60 users who will each need access to edit their own profiles (and not each others) and then some of the users will be granted extra permissions to edit other pages.

So I have started small with just two users.

I have created the Resource Groups (now under the Content menu) and dragged the pages I want the test users to have access to.

Ideally, I would like to show only the pages the user has edit rights to the left hand tree view.

I cloned the Admin Page Policy and reduced its access, created a Page Editors Group, gave Admin SU access, and gave my two users Page Editor (level 15) Context Access of Page Editor role and access Page Editor.

This allows the users to log into the manager screen and has disabled all the admin stuff I do not want them to do (which is a good start) but they do not see any of the resources.

Next, I create a User Group matching my test username, add my user (role 15) and give them Resource Group access (15) with an access policy of Resource.

I also create a Resource Group called AllPages to hide all of them
My issues are:

Depending on where I am through the steps, I either get a 200 error (permission died) or the page completely disappears from view. Enabling sudo for the user gives them full access.


Should policies for Context be set to Context and Resources to Resources?

Where ever I set a role, should it be the same value (15) for all users (other than the admin) in all places (I only have one role with that value)

Is there a way to log what is going on with ACLs?

It looks so powerful that its confusing.

Kind regards


A Resource Group Access ACL entry should have a policy based in a Resource policy template (e.g., the Resource Policy template).

A Context Access ACL entry should have a policy based on a Context policy template(e.g., the Administrator Policy template).

A Context ACL entry is to control what user in a user group can do, in general, in that context (e.g., view resources, save chunks, edit snippets).

A Resource Group ACL entry is to control what, specifically, users in a particular user group can do with resources in the attached Resource Group.

There’s no tool that I’m aware of that could help you diagnose permission issues because MODX only knows that you don’t have permission. It has no way of knowing why. I tried to write such a tool and/or build it into the core, but couldn’t pull it off.

I recommend giving everyone the same role authority level unless you have a massive site with lots of subtle differences in permissions. If users need different rights, I suggest putting them in different user groups – it makes problems much easier to diagnose. I don’t know the extent to which people agree with me on this.

You might be interested in this 50-minute lecture on MODX security permissions.