How to narrow editing resources roles by context

We currently maintain a MODX 2.6.5 installation with multiple contexts, each one related to a different portal (and accessed by a specific user group). We created a Content Editor role to allow some users in each portal to edit page content. However, when one such user logs in to the manager context, they can see (and modify…) resources from ALL contexts.

I have not been able to find a way to limit their access by context.

I suppose this should be a common issue for MODX administrators, but I have not found a lot of information on this subject. All suggested solutions refer to single-context installations (i.e., the ones with default contexts ‘mgr’ and ‘web’).

Any pointer/suggestion appreciated.



This is a bit convoluted but the short answer is as follows:

Add context access for Administrator User Group for all contexts.
Add context access only for the Editor’s user Group for only the Context that User Group should be able to access.

The longer answer is that if you have Content Editors with specific access to, say, an apples context and another user group that needs access to an oranges context, you’ll need to have 2 user groups that use the same Access Policy of Content Editor, each of which has context access to the context they should be able to access.


This might give you a sense of what needs to be done.

Here’s what the Blog Author on this site can see (there is further form customization and resource groups/user groups assignments on this site as well but you don’t need to go that far down the path, likely).
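
An added example, not part of the original posts: a small Python audit of the two-step setup described above (admin group on every context, one editor group per portal context), run over rows copied from the Context Access grid. The row layout, the group names and the treatment of `mgr` as a context shared by all manager users are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the manager's "Context Access"
# grid: (user group, context key, access policy). Names are hypothetical.
ACL_ROWS = [
    ("Administrator",   "mgr",     "Administrator"),
    ("Administrator",   "apples",  "Administrator"),
    ("Apples Editors",  "mgr",     "Content Editor"),
    ("Apples Editors",  "apples",  "Content Editor"),
    ("Oranges Editors", "mgr",     "Content Editor"),
    ("Oranges Editors", "oranges", "Content Editor"),
    ("Oranges Editors", "apples",  "Content Editor"),  # leaks a second portal
]


def audit_context_access(rows, admin_group="Administrator", shared=("mgr",)):
    """Return a sorted list of (problem, group, detail) findings."""
    by_group = defaultdict(set)
    all_contexts = set()
    for group, context, _policy in rows:
        by_group[group].add(context)
        all_contexts.add(context)

    findings = []
    # Step 1 of the answer: the admin group has access to every context.
    for ctx in sorted(all_contexts - by_group.get(admin_group, set())):
        findings.append(("admin-missing-context", admin_group, ctx))

    # Step 2: each editor group reaches only its own portal context.
    # Contexts in `shared` (assumption: mgr) are not counted as portals.
    for group, contexts in by_group.items():
        if group == admin_group:
            continue
        portals = sorted(contexts - set(shared))
        if len(portals) > 1:
            findings.append(("editor-multi-context", group, ",".join(portals)))
        elif not portals:
            findings.append(("editor-no-context", group, ""))
    return sorted(findings)


if __name__ == "__main__":
    for problem, group, detail in audit_context_access(ACL_ROWS):
        print(f"{problem:24} {group:16} {detail}")
```
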

Got it, thanks!
However, in my case, for some reason I also had to add access to the context (ckdbiox) for Content Editor in Context Access:

otherwise, when I connected as a user with Content Editor role, I would not see anything under Resources (I must have missed a privilege when I created the access policy).

Also, under Files, I only see the top level of the Filesystem media source and ALL other contexts (no assets, images, scripts directories), but I do not see the media source defined for my context!
Again, this may be due to the way I created the Content Editor role. These are the permissions in the access policy:
change_profile, class_map, countries, delete_document, edit_document, element_tree, file_list, file_manager, file_remove, file_tree, file_update, file_upload, frames, help, home, list, load, logout, menu_reports, menu_site, menu_support, menu_tools, menu_user, new_document, resource_duplicate, resource_tree, save_document, source_view, tree_show_resource_ids, view, view_document, view_template, view_unpublished

I realize this issue may be a little outside my original question, so if needed I can create a new topic.

Thanks a bunch for your help!