MODX 3 ACLs not working at all

snowcreative · March 27, 2023, 9:41pm

I’ve got MODX 3.0.3 installed on a couple of sites and having issues with ACLs. One site I upgraded from 2.8.4, so the ACLs haven’t changed at all. But now it’s like everyone is SUDO; they have access to everything. I also just set up a new MODX 3 site from scratch, created an Editor user group, and created a new access policy based on the Administrator template, with a reduced number of authorized actions. Same story there; people assigned to this group and access level can access everything.

Is there some additional step involved in setting up ACLs in MODX 3? Anyone else having these issues?

dev_willis · March 27, 2023, 9:54pm

ACLs are working normally in my 3.0.3 installs, FWIW.

dejaya · March 27, 2023, 10:02pm

Hey @snowcreative …

I’ve got a good few MODX 3.0.3 sites running with restricted manager [editor] users - set up just like you described.

These seem to behave as expected - so I wonder if there’s maybe something else going on there?

Just tried with a fresh install as well. All OK.

snowcreative · March 27, 2023, 10:41pm

OK, this gets weirder. In the new installation, when I delete all of a user’s permissions in the user settings, they can still log in and see everything! How is that possible?

snowcreative · March 27, 2023, 10:47pm

Did you install 3.0.3 fresh, or are those sites upgraded from previous versions of 3.0?

dejaya · March 28, 2023, 8:08am

They’re a mixture of both.

I’m guessing you’ve already checked that your custom ACL policy is selected against the Manager context in the User Group “Access Permissions” settings?

And you definitely don’t have a SUDO user logged in the same browser instance? You could test using another browser / incognito mode etc.

snowcreative · March 28, 2023, 6:31pm

Yes, tested with user in a different browser, with all cookies deleted. There are no sudo users in the sites. When I remove ALL access permissions for a user, so they don’t belong to any group, when that use logs in, they have full access to everything.

Also, I can’t view any unpublished pages as an administrator, even though view_unpublished is enabled in the ACLs. It’s like MODX is using some unknown ACL for everybody.

snowcreative · March 28, 2023, 11:21pm

OK, interesting fact. Changing PHP from 7.4 to 8.1 fixed the ACL problem for the site that is a new installation. Why would that be?

On the other site, which was upgraded from MODX 2.8.4 to 3.0 and then up to 3.0.3, changing php to 8.1 makes the site crash. Must be some incompatible plugin in that site.

dejaya · March 29, 2023, 8:56am

I tried reverting a 3.0.3 test site back to PHP 7.4 but still can’t replicate your issue. Everything seems to work as expected.

Let me know if I can test anything else for you - hopefully someone else might have some ideas too.

snowcreative · March 29, 2023, 3:01pm

Is there a list somewhere of required PHP extensions for MODX 3?

dejaya · March 29, 2023, 3:02pm

All here I think.

“zlib , json , gd , pdo (specifically pdo_mysql ), imagick , simplexml (php-xml ), curl , and mbstring”

snowcreative · March 29, 2023, 6:39pm

Really, imagick is required? That’s not enabled in my PHP 8 site and it works fine, nor is it enable on my PHP 7.4 sites as a rule.

snowcreative · March 30, 2023, 2:26pm

So, I went into the new MODX 3 installation again today and . . . ACLs now work. I didn’t change anything. Very bizarre.

dejaya · March 30, 2023, 3:13pm

Did it not start working on that one when you moved PHP to 8.1? Or was that a different site?

snowcreative · April 5, 2023, 2:36am

Yes, sorry, I meant I went into the one that is NOT new and it was working.