Logging into restricted page with Login plug produces unexpected 404

Hi all,

I am trying to set up member restricted pages on my site. I have gone through the tutorial here: https://docs.modx.com/extras/revo/login/login.tutorials/login.basic-setup#Login.BasicSetup-CreatetheRequiredPages

However, I am having an issue where, when I log in, I am redirected to the 404 page instead of the ‘Members Home Page’ I created as per the tutorial. I am having trouble figuring out why.

Some things to note:

  • I have created a Resource Group called Members, and have assigned a Members Home Page resource to that group.
  • I have created a new user and assigned them to the Members Resource Group (with the role of Member). That user is set to Active.
  • The Members Home Page resource is published. I can access it when logged into my admin account.
  • After filling out the login form, I am being redirected to the error_page (404) I’ve set in site settings, not the specified unauthorized_page (403).
  • Similar to above, if I paste the Members Home Page URL into an Incognito browser window, I get redirected to the 404 instead of the expected 403.
  • I have cleared cache and refreshed URIs.

Would anyone know what I could’ve done wrong or what I could do to debug?

Did you forget to add yourself to the Members User Group?

As for the 404 for unauthorized users, the problem is that when users aren’t authorized to see a page, it’s as if the page is unpublished or missing. This leads to a 404 and the error page.

There’s a solution using ACLs (not sure if this still works). Add the users who shouldn’t see the page to another group and give that group Load Only access in the ‘web’ context to the restricted pages. That should avoid the 404 and get them to the unauthorized page.

I find that method a little cumbersome, and prefer getting rid of the ACL entries, and adding a fairly simple custom snippet to the template of the restricted page, the page’s content or a chunk used in the page.

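The snippet can work in various ways, but one is to simply redirect users who are not members of the authorized group (or groups) to the unauthorized page.

// Forward anyone who is not in the authorized user group to the unauthorized page
if (! $modx->user->isMember('SomeUserGroup')) {
    $modx->sendUnauthorizedPage();
}
// Members fall through; the snippet itself outputs nothing
return '';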

There are more details on how to do it in this blog article.
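
Added example, not part of the reply above or the linked article: the same redirect check extended to several user groups, failing closed when no group is configured. The snippet name `MembersOnly` and the `&groups` property are assumptions made for illustration.

```php
<?php
/**
 * MembersOnly (hypothetical snippet name; added example, not from the thread).
 *
 * Call it uncached in the restricted page's template or content:
 *   [[!MembersOnly? &groups=`Members,Editors`]]
 * A cached call ([[MembersOnly]]) stores its output with the page, so the
 * check would not run again on later requests.
 *
 * &groups  comma-separated user group names (assumed property name)
 */
/** @var modX $modx */
/** @var array $scriptProperties */

// Parse the group list and drop empty entries such as a trailing comma
$raw    = (string) $modx->getOption('groups', $scriptProperties, '');
$groups = array_filter(array_map('trim', explode(',', $raw)), 'strlen');

if (empty($groups)) {
    // Misconfigured call: record it so the denial below is explainable
    $modx->log(
        modX::LOG_LEVEL_ERROR,
        '[MembersOnly] no &groups set on resource ' . $modx->resource->get('id')
    );
}

// Allow only if groups are configured, the user has a session in the
// current context, and the user belongs to at least one listed group
// (isMember() with an array matches any group by default).
$contextKey = $modx->context->get('key');
$allowed = !empty($groups)
    && $modx->user->isAuthenticated($contextKey)
    && $modx->user->isMember($groups);

if (!$allowed) {
    // Everything else, including the empty-groups case, is denied
    $modx->sendUnauthorizedPage();
}

return '';
```

With the resource-group ACL entries removed, this snippet is the only check, so it protects only the pages whose template, content or chunk actually calls it.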