[Fred] playing with ACLs and resource groups

jnogueira · June 3, 2019, 10:58am

Hi all,

I’ve been trying to play around with the ACLs for the Fred permissions and everything seems simple.
This is the reference I followed:
https://modxcms.github.io/fred/site_admin/acls/permissions/

I was able to define a set of resource groups where a specific group of users can only edit the resources assigned on the resource group, and the remaining resources they have view permission (added list, view and show for all others).

So far so good, but the thing is that Fred is still active, but when saving it throws permission denied.
It serves the purpose as it avoids editing, but showing Fred as active on these resources is misleading.

Am I missing some option so I can fine-tune this?

Many thanks in advance

theboxer · June 5, 2019, 9:06am

Can you share more of your set up? Resource groups, user groups, policies, etc.?

jnogueira · June 5, 2019, 10:50am

Hi John,

Here are some details:
1 - Created a Resource Group (Group Leaders) and added 3 resource containers into it (none of them are the home page);
2 - Created another Resource Group (Admin Only) where I added home page;
3 - Now, on the ACLs, created a Role with authority 9000 (Group Leaders);
4 - Created a new Group also called “Group Leaders” with these details:

Contexts: web
Manager Policy: Fred Editor
Resource Groups: “Group Leaders”
Added a user to this group assigned to the role “Group Leaders” as well (Authority: 9000);

5 - On the User group (Group Leaders), by going to the Permissions Tab, added the following:

“Context Access”:
- Minimum Role: Group leaders - 9000 (Context: web; Min Role: Group Leaders - 9000; Access Policy: Fred Editor)
- Minimum Role: Group leaders - 9000 (Context: mgr; Min Role: Group Leaders - 9000; Access Policy: Content Editor)
“Resource Group Access”:
- Minimum Role: Group leaders - 9000 (Resource Group: Admin Only; Min Role: Group Leaders - 9000; Access Policy: Load, List and View; Context: Web)
- Minimum Role: Group leaders - 9000 (Resource Group: Group leaders; Min Role: Group Leaders - 9000; Access Policy: Resource; Context: Mgr)

6 - On ACLs, edited the “Administrator” Group, went to the “Resource Group Access” and added this line:

Minimum Role: Member - 9999 (Resource Group: Group Leaders; Min Role: Member - 9999; Access Policy: Resource; Context: mgr)
Minimum Role: Member - 9999 (Resource Group: Admin Only; Min Role: Member - 9999; Access Policy: Resource; Context: web)
Minimum Role: Super User - 0 (Resource Group: Admin Only; Min Role: Super user - 0; Access Policy: Resource; Context: mgr)

7 - Last, on anonymous group, went to the “Resource Group Access” and added this line:

Minimum Role:Member - 9999 (Resource Group: Admin Only; Min Role: Member - 9999; Access Policy: Load, List and View; Context: Web)

This is the current setup

theboxer · June 5, 2019, 12:10pm

Thank you. All of that seems correct. Currently the Fred can be disabled only on the context level and I’m not 100% sure if there is a valid case for loading Fred when you don’t have permissions to save the resource.

Anyways, currently there are no custom permissions that you can apply on an object level (for resources in resource group) that would affect Fred itself.

Quick & dirty fix you can apply (at your own risk and will need to by re-applied after upgrading Fred) would be adjusting the Fred plugin, event OnWebPagePrerender and after if (!$modx->hasPermission('fred')) return; add if (!$modx->resource->checkPolicy('save')) return;.

jnogueira · June 5, 2019, 12:25pm

Many thanks John.
Cheers

system · June 7, 2019, 12:25pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.