MODX - access policies/security - PART3

Hello again,

First of all thanks to MODx community for all information and guides.
I’m continuing to misunderstand ACLs. Each time I get to know more, but there are cases where MODx is acting strangely.

It’s all about whether the user has access to the resource or not and displaying the appropriate page - unauthorized.

It’s again a continuation of this post:

https://community.modx.com/t/modx-access-policies-security-part2/8169/2

In most cases it is working fine, I mean I’m getting the 401 page with the login form.

I have two resource groups and two user groups - below is the user group setup:

It’s the same for both of the user groups.
Correct me if I’m wrong - as per @halftrainedharry’s comment, to get a user which is not logged in, or is not in the user group, to the unauthorized page: “Give the user group at least load permission for the resource group and the admin user should see the unauthorized page as well.”
Is the setup in the image okay? Or should it be just “Load only”?
Not sure if I get this part correct.

Basically the case is that if the user is logged in and isn’t in the user groups, it gets redirected to the 404 page instead of 401…

For which user group is this screenshot?


Is this user a member of any user group?

In MODX, an individual user has no permissions. Only user groups have permissions.

When a user requests a page, the code tries to load the resource from the database. If the resource is in a resource group and no user group (that this user is a member of) has load permission to the resource group in question, the user gets redirected to the error page.

If any of the user groups (this user is a member of) has load permission (to the resource group in question), but no user group has view permission, the user is redirected to the unauthorized page.

If the user is a member of a user group that has load and view permission for the resource group (that the resource in question belongs to), the requested resource is returned to the user.


A user that is not logged in, is a member of the (anonymous) user group.
A logged in user isn’t a member of the (anonymous) user group anymore.

Hi,

Yes, this user is a member of one of the user groups - but I want to cover all the cases (user has no user groups (anonymous), user has one user group, user has all user groups).

Sorry, this is clear and working if the user is not logged in (I’m coming with a direct link to the restricted resource as anonymous). The case is when I’m logged in and I’m trying to load the resource which has a resource group, but this user (currently logged in) is not a member of the user group - I’m getting redirected to page not found…

These are 2 different cases!

A user is only anonymous (and a member of the (anonymous) group) if they are not logged in.
If a user is logged in, they are only a member of the user groups assigned to them.


I guess you’ll have to create another user group, with Load only permission for every resource group, and make sure that every user is a member of (at least) this user group.

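The three outcomes described above (error page when no group of the user has load permission, unauthorized page when there is load but no view permission, the resource itself when there is load and view), together with the anonymous-vs-logged-in rule and the suggested Load-only baseline group, as an added model in Python. This is example code written for this thread, not MODX’s own implementation: the group names (Client Users, Partner Users, Members), resource group names (Clients, Partners), users and resource ids are made up, and it simplifies to one resource group per resource.

```python
"""Model of the MODX resource-access decision described in this thread.

Illustrative code, not MODX's own implementation. It reproduces the
three outcomes (error page / unauthorized page / resource returned)
from the load and view permissions that a user's groups hold on the
resource group of the requested resource. All names below (groups,
users, resource ids) are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS = "(anonymous)"  # the group every not-logged-in visitor belongs to

ERROR_PAGE = "error page (404)"
UNAUTHORIZED_PAGE = "unauthorized page (401)"
RESOURCE = "resource returned"


@dataclass
class Site:
    # resource id -> resource group it belongs to (None = not protected).
    # Simplification for the example: at most one resource group per resource.
    resource_group_of: dict[int, Optional[str]] = field(default_factory=dict)
    # (user group, resource group) -> permissions that ACL entry grants, e.g. {"load", "view"}
    acl: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # username -> user groups the user is a member of
    groups_of: dict[str, set[str]] = field(default_factory=dict)

    def effective_groups(self, user: Optional[str]) -> set[str]:
        """Not logged in: only (anonymous). Logged in: ONLY the groups assigned to the user."""
        if user is None:
            return {ANONYMOUS}
        return set(self.groups_of.get(user, set()))

    def has_permission(self, user_groups: set[str], resource_group: str, perm: str) -> bool:
        """True if any of the user's groups holds `perm` on the resource group."""
        return any(perm in self.acl.get((ug, resource_group), set()) for ug in user_groups)

    def request(self, user: Optional[str], resource_id: int) -> str:
        """Decide what the visitor gets for a resource, following the thread's explanation."""
        rg = self.resource_group_of.get(resource_id)
        if rg is None:
            return RESOURCE  # unprotected resource, no ACL check involved
        ugs = self.effective_groups(user)
        if not self.has_permission(ugs, rg, "load"):
            return ERROR_PAGE  # cannot even be loaded: behaves like a missing page
        if not self.has_permission(ugs, rg, "view"):
            return UNAUTHORIZED_PAGE  # loadable but not viewable: login / unauthorized page
        return RESOURCE

    def add_baseline_group(self, name: str = "Members") -> None:
        """The fix suggested in the thread: a user group with Load only on every
        resource group, which every user is made a member of."""
        for rg in {g for g in self.resource_group_of.values() if g is not None}:
            self.acl[(name, rg)] = {"load"}
        for user in self.groups_of:
            self.groups_of[user].add(name)


def build_site() -> Site:
    """Constructed sample data: two resource groups, two user groups, three users."""
    site = Site()
    site.resource_group_of = {1: "Clients", 2: "Partners", 3: None}
    site.acl = {
        ("Client Users", "Clients"): {"load", "view"},
        ("Partner Users", "Partners"): {"load", "view"},
        # (anonymous) gets Load only, so a not-logged-in visitor lands on the unauthorized page
        (ANONYMOUS, "Clients"): {"load"},
        (ANONYMOUS, "Partners"): {"load"},
    }
    site.groups_of = {
        "alice": {"Client Users"},
        "bob": {"Partner Users"},
        "carol": set(),  # logged in, but not a member of any user group
    }
    return site


if __name__ == "__main__":
    site = build_site()
    print("anonymous -> Clients :", site.request(None, 1))
    print("alice -> Clients     :", site.request("alice", 1))
    print("alice -> Partners    :", site.request("alice", 2))  # the 404 from the thread
    print("carol -> Clients     :", site.request("carol", 1))
    site.add_baseline_group("Members")
    print("after baseline group:")
    print("alice -> Partners    :", site.request("alice", 2))  # now the 401 page
    print("carol -> Clients     :", site.request("carol", 1))
```

Running it shows the situation from the question: before the baseline group, a logged-in user requesting a resource in a group they have no permission on gets the error page, exactly like an anonymous visitor would if (anonymous) had no load permission; after `add_baseline_group` every logged-in user reaches the unauthorized page instead, while users with load and view still get the resource.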

Yep, I understand, thank you so much for the explanation; however, I think it is kind of a common case, isn’t it? If you were in my case, would you do it as you proposed? What I mean is, I’m not sure what the desired behavior should be.

A logged in user that isn’t a member of a user group has no permissions at all.
If you want such a user to have load permission for a resource group (so that they are redirected to the “unauthorized page”), you have to make them a member of a user group.

Yes, make sure that every user is a member of (at least) one user group.


And also I guess these resources need to be assigned to that fresh resource group - is that right?

What resources and what “fresh resource group”?

I don’t think you need a new resource group.
Just a new user group, so that you can give every logged in user some basic permissions.


I’m not sure it’s relevant to this issue, but you might be interested in this talk I gave a while back at modExpo explaining MODX Security Permissions. It’s about 50 minutes long.


Aaaah! Yeah, I understand. I thought I needed some sort of default resource group or something for that, but we need a default user group with just Load only permissions - that is working as expected! Thanks so much, I think I have a better understanding of that in general now, thanks!

Hi Bob,

That is a great resource - it will for sure fill some gaps in my understanding.

Thanks!