MODX Community

Editors permisions driving me crazy

Hi.
I’m turning crazy with mgr limited editors permisions.

After adding all the site resources to a resource group called AllDocs and protecting it, I have put 2 of the resources (of type collection) (ex. News and Offers), within a resource group called EditorsViewOnly.

I have created an ACL for those assigned to the Editors user group, with permissions only for add_children, load, list and view.

So far, so good: Editors only see the News and Offers resources in the manager, and they can create children but not edit, delete or publish neither News nor Offers.

The problem comes from removing the settings permission in the ACL from the context access of the Editors, so that they cannot see the system settings menu in the manager.

Doing that, when Editors try to create a child resource, a white page with error " An error occurred… Denied access" appear. But, if they doit with Quick Create, it work perfectly…the modal window appear and the resource can be created.

So I’m going crazy (more, if possible) trying to find out why the settings permission is violated with the normal creation of a child that is not violated with quick creation.

May be another way to hide Configuration Menu for Editors?

Thanks.

Are there any TVs on that resource or assigned template which might lack permissions to view/edit?

Yes, but…

I have them hidden in the custom forms for the editors, and I’ve created access permissions to the respective elements categories (for the Editors user group).

But no success.

I’ve even tried a new template without access to any template variables (and setting it as the default template).

It didn’t work either.

To clarify, do you refer to the ability to got to system settings (the cog wheel in the top right) or the settings tab in a resource?

System Settings (the cog wheel in the top right). Permission name settings

Are you able to go to the access policy for this user type, sort the Enabled column decending so that it groups all the selected permissions at the top and take a screen grab so we can see what you have enabled? It might take a few screen grabs to get them all. Or you can select the text from the grid and paste it here. See the example below. This is a content editor that has limited permissions.

change_profile
	
User can change their profile.
	
 
class_map
	
To view a list of classes in the Class Map.
	
 
countries
	
To view a list of countries.
	
 
delete_document
	
To delete or remove any Resource.
	
 
edit_document
	
To edit any Resources.
	
 
frames
	
To use the MODX Manager UI at all.
	
 
googleanalytics
	
To view the Google Analytics data.
	
 
help
	
To view the Help page.
	
 
home
	
To view the Welcome page.
	
 
list
	
Basic permission to "list" any object. List means to get a collection of objects.
	
 
load
	
Basic permission to "load" any object, or be able to return it as an instance at all.
	
 
logout
	
To be able to logout as a user.
	
 
menu_reports
	
Show the top menu item "Reports".
	
 
menu_site
	
Show the top menu item "Site".
	
 
menu_support
	
Show the top menu item "Support".
	
 
menu_tools
	
Show the top menu item "Tools".
	
 
menu_user
	
Show the top menu item "User".
	
 
new_document
	
To create a new Resource.
	
 
resource_duplicate
	
To duplicate a Resource.
	
 
resource_tree
	
To view the Resource Tree in the left nav.
	
 
save_document
	
To save any Resources.
	
 
source_view
	
To view and list Media Sources.
	
 
tree_show_resource_ids
	
Show the IDs in the Resource tree.
	
 
view
	
Basic permission to "view" any object.
	
 
view_document
	
To view any Resources.
	
 
view_template
	
To view any Templates.

It’s dificult to copy but easy to explain. With a duplicate of the default Administrator polici, with all permissions checked but the settings one (not checked) the problem appears.

about
	
The About page.
	
 
access_permissions
	
Any Access Permission-related pages and actions.
	
 
actions
	
The Actions page.
	
 
change_password
	
User can change their user password.
	
 
change_profile
	
User can change their profile.
	
 
charsets
	
To view a list of charsets.
	
 
class_map
	
To view a list of classes in the Class Map.
	
 
components
	
To view the Extras menu.
	
 
content_types
	
The Content Types page.
	
 
countries
	
To view a list of countries.
	
 
create
	
Basic "create" access on new objects.
	
 
credits
	
View the Credits page.
	
 
customize_forms
	
View and manage the Form Customization page.
	
 
dashboards
	
View and manage Custom Dashboards.
	
 
database
	
The System Info page.
	
 
database_truncate
	
The ability to truncate a database table.
	
 
delete_category
	
To delete or remove any Categories.
	
 
delete_chunk
	
To delete or remove any Chunks.
	
 
delete_context
	
To delete or remove any Contexts.
	
 
delete_document
	
To delete or remove any Resource.
	
 
delete_eventlog
	
To empty the Event Log.
	
 
delete_plugin
	
To delete or remove any Plugins.
	
 
delete_propertyset
	
To delete or remove any Property Sets.
	
 
delete_role
	
To delete or remove any Roles.
	
 
delete_snippet
	
To delete or remove any Snippets.
	
 
delete_template
	
To delete or remove any Templates.
	
 
delete_tv
	
To delete or remove any Template Variables.
	
 
delete_user
	
To delete or remove any Users.
	
 
directory_chmod
	
To chmod a physical directory.
	
 
directory_create
	
To create a physical directory.
	
 
directory_list
	
To list subdirectories for a physical directory.
	
 
directory_remove
	
To remove a physical directory.
	
 
directory_update
	
To rename a physical directory.
	
 
edit_category
	
To edit any Categories.
	
 
edit_chunk
	
To edit any Chunks.
	
 
edit_context
	
To edit any Contexts.
	
 
edit_document
	
To edit any Resources.
	
 
edit_locked
	
Allows a user to override a lock and edit a locked Resource.
	
 
edit_plugin
	
To edit any Plugins.
	
 
edit_propertyset
	
To edit any Property Sets.
	
 
edit_role
	
To edit any Roles.
	
 
edit_snippet
	
To edit any Snippets.
	
 
edit_template
	
To edit any Templates.
	
 
edit_tv
	
To edit any Template Variables.
	
 
edit_user
	
To edit any User.
	
 
element_tree
	
The ability to view the Elements Tree on the left nav.
	
 
empty_cache
	
To empty the site cache.
	
 
error_log_erase
	
To erase the error log.
	
 
error_log_view
	
To view the error log.
	
 
events
	
To view any System Events.
	
 
export_static
	
To export the site to static HTML.
	
 
file_create
	
To create a file.
	
 
file_list
	
To list files within a given physical directory.
	
 
file_manager
	
To use the file manager utility.
	
 
file_remove
	
To remove physical files.
	
 
file_tree
	
To view the Files Tree on the left nav.
	
 
file_unpack
	
To extract zip archives.
	
 
file_update
	
To update the content of physical files.
	
 
file_upload
	
To upload files to a directory.
	
 
file_view
	
To view the contents of a file.
	
 
flush_sessions
	
Can flush Sessions across the site.
	
 
formit
	
To view the formit package.
	
 
formit_encryptions
	
To view the formit package, encriptions part.
	
 
frames
	
To use the MODX Manager UI at all.
	
 
help
	
To view the Help page.
	
 
home
	
To view the Welcome page.
	
 
import_static
	
To view or use the Import pages.
	
 
languages
	
To edit or view Lexicon Languages.
	
 
lexicons
	
To edit or view Lexicons and Internationalization.
	
 
list
	
Basic permission to "list" any object. List means to get a collection of objects.
	
 
load
	
Basic permission to "load" any object, or be able to return it as an instance at all.
	
 
logout
	
To be able to logout as a user.
	
 
logs
	
To view the logs, such as error and manager logs.
	
 
menu_reports
	
Show the top menu item "Reports".
	
 
menu_security
	
Show the top menu item "Security".
	
 
menu_site
	
Show the top menu item "Site".
	
 
menu_support
	
Show the top menu item "Support".
	
 
menu_system
	
Show the top menu item "System".
	
 
menu_tools
	
Show the top menu item "Tools".
	
 
menu_trash
	
Show the top menu item "Trash Manager".
	
 
menu_user
	
Show the top menu item "User".
	
 
menus
	
To edit or save any top Menu items.
	
 
messages
	
To send or view any personal Messages.
	
 
namespaces
	
To edit or view Namespaces.
	
 
new_category
	
To create a new Category.
	
 
new_chunk
	
To create a new Chunk.
	
 
new_context
	
To create a new Context.
	
 
new_document
	
To create a new Resource.
	
 
new_document_in_root
	
To be able to create a Resource at the root level.
	
 
new_plugin
	
To create a new Plugin.
	
 
new_propertyset
	
To create a new Property Set.
	
 
new_role
	
To create a new Role.
	
 
new_snippet
	
To create a new Snippet.
	
 
new_static_resource
	
To create a new Static Resource.
	
 
new_symlink
	
To create a new SymLink.
	
 
new_template
	
To create a new Template.
	
 
new_tv
	
To create a new Template Variable.
	
 
new_user
	
To create a new User.
	
 
new_weblink
	
To create a new WebLink.
	
 
packages
	
To use any Transport Packages in the Package Management system.
	
 
policy_delete
	
To delete an Access Policy.
	
 
policy_edit
	
To edit an Access Policy.
	
 
policy_new
	
To create a new Access Policy.
	
 
policy_save
	
To save an Access Policy.
	
 
policy_template_delete
	
To delete an Access Policy Template.
	
 
policy_template_edit
	
To edit an Access Policy Template.
	
 
policy_template_new
	
To create a new Access Policy Template.
	
 
policy_template_save
	
To save an Access Policy Template.
	
 
policy_template_view
	
To view an Access Policy Template.
	
 
policy_view
	
To view an Access Policy.
	
 
property_sets
	
To view and edit Properties and Property Sets.
	
 
providers
	
To view and edit Providers across the site.
	
 
publish_document
	
To publish or unpublish any Resource.
	
 
purge_deleted
	
To empty the Recycle Bin.
	
 
remove
	
Basic permission to remove any object.
	
 
remove_locks
	
To remove all existing Locks throughout the site.
	
 
resource_duplicate
	
To duplicate a Resource.
	
 
resource_quick_create
	
To be able to use Quick Create Resource in the left-hand tree.
	
 
resource_quick_update
	
To be able to use Quick Update Resource in the left-hand tree.
	
 
resource_tree
	
To view the Resource Tree in the left nav.
	
 
resourcegroup_delete
	
To delete a Resource Group.
	
 
resourcegroup_edit
	
To edit a Resource Group.
	
 
resourcegroup_new
	
To create a new Resource Group.
	
 
resourcegroup_resource_edit
	
To edit Resources in a Resource Group.
	
 
resourcegroup_resource_list
	
To view or list Resources in a Resource Group.
	
 
resourcegroup_save
	
To save a Resource Group.
	
 
resourcegroup_view
	
To list Resource Groups.
	
 
save
	
Basic save permission for any object.
	
 
save_category
	
To save any Categories.
	
 
save_chunk
	
To save any Chunks.
	
 
save_context
	
To save any Contexts.
	
 
save_document
	
To save any Resources.
	
 
save_plugin
	
To save any Plugins.
	
 
save_propertyset
	
To save any Property Sets.
	
 
save_role
	
To save any Roles.
	
 
save_snippet
	
To save any Snippets.
	
 
save_template
	
To save any Templates.
	
 
save_tv
	
To save any Template Variables.
	
 
save_user
	
To save any Users.
	
 
search
	
To use the Search page.
	
 
set_sudo
	
To make any User sudo.
	
	
 
source_delete
	
To delete a Media Source.
	
 
source_edit
	
To edit a Media Source.
	
 
source_save
	
To create or save a Media Source.
	
 
source_view
	
To view and list Media Sources.
	
 
sources
	
To manage Media Sources and Media Source Types.
	
 
steal_locks
	
To "steal" locks, overriding a current lock on a Resource.
	
 
tree_show_element_ids
	
Show the IDs in the Elements tree.
	
 
tree_show_resource_ids
	
Show the IDs in the Resource tree.
	
 
undelete_document
	
To undelete any Resource.
	
 
unlock_element_properties
	
To be able to edit the default properties for any Element.
	
 
unpublish_document
	
To unpublish any Resources.
	
 
usergroup_delete
	
To delete a User Group.
	
 
usergroup_edit
	
To edit a User Group.
	
 
usergroup_new
	
To create a new User Group.
	
 
usergroup_save
	
To save a User Group.
	
 
usergroup_user_edit
	
To edit Users in a User Group.
	
 
usergroup_user_list
	
To view or list Users in a User Group.
	
 
usergroup_view
	
To view a User Group.
	
 
view
	
Basic permission to "view" any object.
	
 
view_category
	
To view any Categories.
	
 
view_chunk
	
To view any Chunks.
	
 
view_context
	
To view any Contexts.
	
 
view_document
	
To view any Resources.
	
 
view_element
	
To get a list of Elements or Element classes.
	
 
view_eventlog
	
To view the Event Log.
	
 
view_offline
	
To be able to view the site when it is in offline status.
	
 
view_plugin
	
To view any Plugins.
	
 
view_propertyset
	
To view any Property Sets.
	
 
view_role
	
To view any Roles.
	
 
view_snippet
	
To view any Snippets.
	
 
view_sysinfo
	
To view the system info page.
	
 
view_template
	
To view any Templates.
	
 
view_tv
	
To view any Template Variables.
	
 
view_unpublished
	
To view any unpublished Resources.
	
 
view_user
	
To view any User.
	
 
workspaces
	
To use Package Management.

Oh, wow. That’s odd. I assume you’re using 2.7.3? This sounds like a bug, to be honest.

Yes, using 2.7.3.

I don’t know … I’m doing a fresh install to test the same thing with no extra installed. I still think it is due to some extra … Although I have already disabled all plugins … and nothing change.

Proven … in a cool installation it works as expected. So it’s not a Modx bug…(?)

Site check reports all green, 0 errors… but it still fails

Finally SOLVED :exploding_head:…a bad entry in table modx_menus, Batcher Extra menu was with permissions = settings. I don’t know why, but that was the problem, after remove it, everything turn to function normally. :blush:
Thanks!

2 Likes