Grant temporary access to resource group

A site I work on has resources in assigned to specific resource groups. Some resources are not accessible if a user does not have access to a specific resource group. However, if the user has a specific URL, they need to be allowed to temporarily access the resources assigned to the resource group (in addition to whatever resources and resource groups they normally have access to).

Is there a “normal” or recommended way to do something like this?

The idea I have so far is to add a special flag/value to the session to note that the user has accessed the special URL and then have a plugin that looks for that value to allow access to a page even though the user is normally not authorized to view the page. Does that seem reasonable? Which event do I need to respond to in order to make this work? Or is there a better way?

Do these resources need to be in a resource group?

It’s probably easier to achieve what you want, if you protect them with a simple snippet as explained in this post by Bob.

I have considered a script like the one you mention and that may be what I will need to do in the end.

The resource group is basically an easy way to tag the resources. If I also have them publicly available, then I can still use the resource group as a way of knowing which resources belong to which group without having to use a different tagging or grouping mechanism.

I don’t think there’s a way to allow temporary access. Before the request gets very far, MODX will return a 404 to the browser if the user is not authorized to see it.

The only thing I can think of (besides the snippet halftrainedharry suggested), and it’s pretty hacky, would be a use a plugin attached to OnWebLogin or OnManagerLogin, that would add the selected resource(s) to the user group if the current user was someone who could get access.

If the plugin is also attached to OnWebLogout or OnManagerLogout, code could remove them, but I suspect that the user would have to explicitly log out for that to work, and someone else on at the same time would lose access to them. As an alternative, a cron job could remove the resources from the group(s) at a selected time of the day.

You could also add the user to a user group with access instead of adding the documents. That would probably be better, since it would never affect other users.