MODX - access policies/security

Hello,

I’m trying to understand MODX policies for resource groups/user groups…
Is it correct that if I create a resource group and assign it to the user, a user without access who tries to access this resource directly should automatically be redirected to the unauthorized page? I’m getting redirected to the 404 page; not sure if that’s how it’s supposed to work?

Users must have the load permission to get redirected to the unauthorized page. If they have no permission at all, they see the error page.

You usually add the “Load Only” policy to the “(anonymous)” group for the resource group to get the desired effect.


Thank you so much for the clarification, I did that and it worked!
One more question: what would be the best way in PHP to check whether a user is logged in and whether he has the correct permission?

Thanks

What exactly are you trying to do? Where is this PHP code located?

If it’s in a snippet that runs on a protected page, then you probably won’t need an extra check, as unauthorized users can’t see the page.

Hi,

Thanks for your response.

Basically, I have two user groups and in some cases a user will be assigned to only one. That means if he is logged in, once he navigates to a protected resource that he does not have access to, he should see/be redirected to a page saying “You can’t access this content, please contact us to apply for access” or something like that. Currently I’m getting the 404 page.

As I’m saying above, this is only if the user is logged in but does not have access to protected resources.

Currently I’m writing a plugin attached to the OnWebPagePrerender event that checks if the user is logged in to the web context and has the right to see the requested resource. However, in its current state this does not work because before I can check this I’m already landing on the 404 page.

$current_user_id = intval($modx->user->get('id'));
if ($current_user_id > 0) {
    // User is logged in, but are they logged into the context of the requested resource?
    $logged_into_context = $modx->user->isAuthenticated($modx->resource->get('context_key'));
    if (!$logged_into_context) {
        // Requested document
        $requested_document = $modx->resource->get('id');

        // Special case for the "My Account" resource, as it is not protected by any resource/user group
        if ($requested_document == 768) {
            // sendUnauthorizedPage() forwards to the unauthorized page and exits, so nothing below runs
            $modx->sendUnauthorizedPage();
        }

        // User is not logged into the current context; does the requested resource belong to any resource groups?
        $rgrs = $modx->getCollection('modResourceGroupResource', array('document' => $requested_document));
        $groups = array();
        foreach ($rgrs as $rgr) {
            $groups[] = $rgr->get('document_group');
        }

        // Redirect to the unauthorized page?
        if (count($groups) > 0) {
            $modx->sendUnauthorizedPage();
        }
    } else {
        // // User is logged into the current context, we need to check if the user has access to the requested document
        // $resourceGroups = $modx->resource->getGroupsList();
        // // Check if the user is a member of any of these groups
        // $hasAccess = false;
        // foreach ($resourceGroups as $group) {
        //     if ($modx->user->isMember($group['name'])) {
        //         $hasAccess = true;
        //         break;
        //     }
        // }
        // // Output result based on access check
        // if ($hasAccess) {
        //     return 'User has access to this resource group.';
        // } else {
        //     return 'User does not have access to this resource group.';
        // }
    }
} else {
    // User is anonymous, no need for further action, MODX can handle security as normal
}

So if you give both user groups at least load access to the resource group, shouldn’t a user without the permission to view the resource then be redirected to the unauthorized page?


Otherwise it seems to me that you have to either loosen the restrictions for the resource group (or don’t use resource groups at all) if you want to control the access yourself in a plugin, or maybe use a different event. OnWebPagePrerender is invoked late in the process, when MODX has already checked/handled access restrictions.

Yes, if I’m not logged in to the web context I get redirected to the unauthorized page; this is working fine.

The case is when I’m logged in and don’t have access to the resource. I mean, I guess it would be wrong to send me to the unauthorized page as I’m logged in; however, I want (and I think that would be fine) to redirect to a resource with a message like “You don’t have access to this resource, please use the contact form to apply for access”.

What event would you propose? I tried a couple but couldn’t find one that works…

You can’t redirect to a resource if you don’t have access to this resource.

You could give both user groups view access to the resource and then in a custom plugin (or snippet) check if the user is not a member of the correct group and return a message instead of the content.


Maybe you could use the event OnPageUnauthorized, test the conditions and then forward an already logged in user to a different “unauthorized page” that displays a specific error message.
Or you run a snippet on the already existing unauthorized page and return a different message based on the user’s log-in status.
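The last suggestion above, written out as an added example snippet (not code from the thread or from MODX itself): placed uncached on the existing unauthorized page, it returns a different message depending on whether the visitor is logged in to the current context and whether they are a member of the required user group. The snippet name `AccessMessage`, the `&group` property and the message texts are assumptions.

```php
<?php
/**
 * AccessMessage (hypothetical snippet name, added example).
 * Usage on the unauthorized page, uncached because the output depends on the session:
 *   [[!AccessMessage? &group=`Group1`]]
 * Returns one of three messages based on login status and group membership.
 */

// Required user group, passed as a snippet property; "Group1" is the example name used in this thread.
$group = $modx->getOption('group', $scriptProperties, 'Group1');

// Login status is checked against the context being requested, not a hard-coded "web".
$contextKey = $modx->context->get('key');

// Anonymous visitor: MODX sent them here because "view" was denied, so ask them to log in.
if (!$modx->user->hasSessionContext($contextKey)) {
    return 'Please log in to view this content.';
}

// Logged in and a member of the required group: the ACL should normally have granted "view",
// so this branch only shows if the page was opened directly.
if ($modx->user->isMember($group)) {
    return 'Your account already has access to this content.';
}

// Logged in but not in the required group: the case discussed in this thread.
// The username comes from the session and is escaped before being placed in HTML output.
$username = htmlspecialchars($modx->user->get('username'), ENT_QUOTES, 'UTF-8');
return 'Hello ' . $username . ', you don’t have access to this resource. '
     . 'Please use the contact form to apply for access.';
```

The snippet only changes what the unauthorized page displays; it does not grant access. The ACL decision (load/view on the resource group) is still made by MODX before the page is reached, which is why the snippet must be called uncached: a cached copy would show one visitor’s message to everyone.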

No no, I don’t want to redirect to the restricted resource. I want to redirect to a resource without any restriction displaying the message “You don’t have access to this resource, please use the contact form to apply for access”.
I have Load, List, View access to the resource groups.

“Maybe you could use the event OnPageUnauthorized”…
The issue is I’m not ending up on the 401 page, I’m on the 404 instead. I guess that makes sense because if I’m logged in but don’t have access to the resource, why should MODX redirect me to the unauthorized page? So I think MODX goes to 404 in that case.

No that is not how it works.

If the user has load permission, but doesn’t have view permission for the resource, they are sent to the unauthorized page. It is irrelevant if the user is logged in (to a certain context) or not. Only if the user has no load permission (for the requested resource) the error page is shown.


You probably have to adjust the ACLs.

Let’s say you have the user groups “Group1” and “Group2”.
“Group1” has access to a restricted resource in a resource group.
“Group2” also needs load permission (for the resource group), so that users that are logged in (to the “web” context) and a member of the group “Group2” (but not “Group1”) see the unauthorized page when they try to access the restricted resource.

FYI, the usual way of checking the user’s login status looks like this:

if ($modx->user->hasSessionContext('web')) {
    /* Logged in */
}

You can also do it this way for multiple contexts:

if ($modx->user->hasSessionContext($modx->context->get('key'))) {
    /* Logged in */
}
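Once the ACLs are set up as described (both groups have load, only “Group1” has view), MODX fires OnPageUnauthorized for a “Group2” member before forwarding to the unauthorized page. The plugin below is an added example (not code from the thread or from MODX) that hooks that event and, using the login check shown above, forwards an already logged-in user to a separate “no access” resource while leaving anonymous visitors on the normal unauthorized page. The resource id `999`, the constant name and the 403 response code are assumptions; the sendForward() option name `response_code` is the one MODX 2.x accepts.

```php
<?php
/**
 * Added example plugin for the OnPageUnauthorized event (not from the thread).
 * Attach it to the OnPageUnauthorized event in the plugin's "System Events" tab.
 *
 * Assumptions:
 *  - A resource that explains "you are logged in but lack access" exists and is
 *    viewable by every user group (otherwise forwarding to it would be denied too).
 *  - Its id is the placeholder below; replace it with your own resource id.
 */
$noAccessPageId = 999; // placeholder id, not from the thread

// Only act on the event this plugin is written for.
if ($modx->event->name !== 'OnPageUnauthorized') {
    return;
}

// Recursion guard: sendForward() loads the target resource through the same access checks,
// so if the target is itself restricted MODX would fire OnPageUnauthorized again and loop.
if (defined('NO_ACCESS_FORWARD_IN_PROGRESS')) {
    return;
}

// Anonymous visitor: return without doing anything, so MODX continues to the
// configured unauthorized_page (typically the login form).
if (!$modx->user->hasSessionContext($modx->context->get('key'))) {
    return;
}

// Logged in but denied "view" on the requested resource: send them to the explanation page.
// sendForward() renders the target under the current URL and exits, so nothing below it runs.
define('NO_ACCESS_FORWARD_IN_PROGRESS', true);
$modx->sendForward($noAccessPageId, array('response_code' => 'HTTP/1.1 403 Forbidden'));
```

This keeps the access decision itself inside MODX’s ACLs: the plugin never grants anything, it only chooses which page a user who has already been refused gets to see. The "no access" page should not be in any resource group, or every group must have view access to it, or the forward fails in the same way the original request did.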
