ACLs: User groups with mgr access to own contexts

I have a site with several contexts: web, A,B,C and D. Each of the one-letter context has a similarly named group of editors who should only ever change and add stuff in their context.

I created a new Access Policy based on Content Editor (lets call it NewEditor) and created 4 User groups with that policy.

I set up the groups such that e.g. group A has NewEditor Policy with role 10 for contexts

• A
• mgr

and Load Only with role Member 9999 for contexts

• B
• C
• D
• web

And similar for all other groups and contexts.

It works in that in the manager, Editor A only sees his context in the tree. He also sees the whole site with all contexts from the frontend, like he should.

But it does not prevent Editor A (user group A) from manually changing the manager URL so that he can access resources from other contexts (by changing the id in manager/?a=resource/update&id=100. He can load, edit and save any other resource this way.

Is that normal? Or is there a way to prevent him from doing so?

Is my setup at all sensible or did I do something wrong?

I don’t use multiple contexts much, so I’m not sure if what you’re seeing is normal. I suspect that it is normal, though, because users who have permission to edit and save resources in the ‘mgr’ context (which all your users definitely need), have that right on for any unprotected resource regardless of it’s context. MODX just checks for the necessary permissions in the ‘mgr’ context, then checks to see if the resources are protected by a Resource Group ACL entry. If not, they’re fair game.

I do know that you what you want could be accomplished by having a Resource Group for each context’s resources, and using a Resource Group Access ACL entry for each user group to tie them to their own resources. That would protect those resources from members of other user groups.