MODX 3 ACLs not working at all

I’ve got MODX 3.0.3 installed on a couple of sites and having issues with ACLs. One site I upgraded from 2.8.4, so the ACLs haven’t changed at all. But now it’s like everyone is SUDO; they have access to everything. I also just set up a new MODX 3 site from scratch, created an Editor user group, and created a new access policy based on the Administrator template, with a reduced number of authorized actions. Same story there; people assigned to this group and access level can access everything.

Is there some additional step involved in setting up ACLs in MODX 3? Anyone else having these issues?

ACLs are working normally in my 3.0.3 installs, FWIW.


Hey @snowcreative

I’ve got a good few MODX 3.0.3 sites running with restricted manager [editor] users - set up just like you described.

These seem to behave as expected - so I wonder if there’s maybe something else going on there?

Just tried with a fresh install as well. All OK.

OK, this gets weirder. In the new installation, when I delete all of a user’s permissions in the user settings, they can still log in and see everything! How is that possible?

Did you install 3.0.3 fresh, or are those sites upgraded from previous versions of 3.0?

They’re a mixture of both.

I’m guessing you’ve already checked that your custom ACL policy is selected against the Manager context in the User Group “Access Permissions” settings?

And you definitely don’t have a SUDO user logged in the same browser instance? You could test using another browser / incognito mode etc.

Yes, tested with user in a different browser, with all cookies deleted. There are no sudo users in the sites. When I remove ALL access permissions for a user, so they don’t belong to any group, when that use logs in, they have full access to everything.

Also, I can’t view any unpublished pages as an administrator, even though view_unpublished is enabled in the ACLs. It’s like MODX is using some unknown ACL for everybody.

OK, interesting fact. Changing PHP from 7.4 to 8.1 fixed the ACL problem for the site that is a new installation. Why would that be?

On the other site, which was upgraded from MODX 2.8.4 to 3.0 and then up to 3.0.3, changing php to 8.1 makes the site crash. Must be some incompatible plugin in that site.

I tried reverting a 3.0.3 test site back to PHP 7.4 but still can’t replicate your issue. Everything seems to work as expected.

Let me know if I can test anything else for you - hopefully someone else might have some ideas too.

Is there a list somewhere of required PHP extensions for MODX 3?

All here I think.

zlib , json , gd , pdo (specifically pdo_mysql ), imagick , simplexml (php-xml ), curl , and mbstring

Really, imagick is required? That’s not enabled in my PHP 8 site and it works fine, nor is it enable on my PHP 7.4 sites as a rule.

So, I went into the new MODX 3 installation again today and . . . ACLs now work. I didn’t change anything. Very bizarre.

Did it not start working on that one when you moved PHP to 8.1? Or was that a different site?

Yes, sorry, I meant I went into the one that is NOT new and it was working.