I’m trying to implement a member only page, but it seems like I missed some ACL - even though the resource has the resource group assigned, anonymous access still works.
Do I have to add some ACL’s to the “anonymous” group as well? Not sure what I’m missing here.
I only want to lock frontend to anonymous users, and allow it to users in groups Secure, Moderators and Editors.
I’ve tried clearing cache, flushing permissions, different browsers … nothing seems to work.
Just trying to understand your setup:
So you have a resource in the context “secure” (and NOT “web”).
This resource is also in the resource-group “Secure”.
When you open this resource in a browser (in a private window or in a different browser where you are not logged in to the MODX manager), you can still see the content?
Correct. I have a context secure. I have a resource in there, that I only want to allow for logged in users. The secure context contains a registration/login section as well.
When I open the resource with “Secure” resource group ticked (so it should be protected), it opens even i the incognito tab.
However, not sure what happened - but now upon trying to login (in incognito), it keeps throwing me: [2023-12-12 15:03:16] (ERROR @ /var/www/sites/xxx/public_html/core/model/modx/moduser.class.php : 362) PHP warning: session_regenerate_id(): Cannot regenerate session id - session is not active
What access policy does the (anonymous) user group have for the context “secure”.
I believe without at least “load” permission, the (anonymous) user group shouldn’t even be able to switch to the “secure” context in the routing-plugin.
Is the system setting anonymous_sessions set to “Yes”?
I’d suggest installing Classic Cache Killer (or the equivalent) in your browser, and turn it on to rule out the browser cache.
I agree with HTH, that with your setting, anonymous users shouldn’t have access to that context at all, unless the resource is also in another context that they have access to.
The context secure was on the same domain as my primary web context. That one had anonymous session turned off, since the site had no requirement for them, and it would reduce overhead as well.
Turning on anonymous sessions on the primary context worked - although I guess a subdomain would work as well in this case.
This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.
