Non-sudo users can't create resources (access denied)


Non-sudo users can’t create resources.
No matter if on root, child page, resource creation in collection…

Error message:
An error occurred…
Access denied.

Didn’t see any error message.
Played a lot with ACLs until I noticed, that only sudo users are able to create resources.

Any help is appreciated! Thank in advance!!

Step to reproduce

Don’t know how to reproduce. I have a lot of instances, but had newever this issue.

Observed behavior

Blank page with:
An error occurred…
Access denied.

Expected behavior

Resource form should appear.


MODX Revolution 2.8.3-pl
V-Server with Ubuntu 18.04.6 LTS
PHP 7.4.23
MariaDB 10.1.48

What context policy do you have set up for non-sudo users for the mgr?

From memory they’d need at minimum create and new_document, for the other resource types they now also need new_symlink, new_weblink, new_static_resource in the mgr context policy.

This might be a result of the Policy Template you used for the Context Access Policy you created for your non-sudo users. For example, if you used the ContextTemplate, ResourceTemplate, or ElementTemplate instead of the AdministratorTemplate, the users couldn’t have the permissions markh listed.

Thanks for your answers and hints, markh and bobray! :+1:

create, new_document, new_symlink, new_weblink and new_static_resource are in the editor Context Access Policy of mgr context.

My usual approach of starting with full admin rights and reduce them step by step didn’t work here.
Even if I assign administrator Context Access Policy for mgr context, I still get the error message above.

Unfortunately I wasn’t able to see any log entries. How would you debug this?

That’s really odd. The only thing I can think of is a plugin that executes for those pages and requires some other permission.

Can you show a screenshot of your user group > permissions > context access for both the affected and admin user groups, and also show the user group/role assignment for an affected user?

Of course, Mark.

Hope that helps! Thanks for your time.

Do your resources belong to resources groups that might be affected by Resource Group Access ACL entries?

So far no resource groups are assigned, bobray.

After backing up I yesterday tried to deactivate a few extras to check if they are the cause for this issue.
However, two of the extras could not be deactivated. Redactor and Content Blocks. Today it seems, that both extras are not active (but still not correct deactivated in installer) and now I’m getting a blank page when I try to edit existing resources with non-sudo users.

Try deactivating their respective plugins in the Elements tab. Likely the uninstall failed for some reason (license?), removing the files but not the plugins leaving you with a partial install.

In your permissions, try replacing the Administrator policy on the web context with the standard Context policy?

Thanks for your help, Mark!

Removing cleanly and reinstalling Redactor and ContentBlocks works now. You were right, it should have been a licence issue.

Replacing the Administrator policy on the web context with the standard Context policy is useful, but unfortunately has not brought anything.

Now I could break it down to Redactor. If I uninstall it, non-sudo users can see the new-resource-form. If I install it, I still get: An error occurred… Access denied.

Hmm… interesting… after uninstalling Redactor and ContentBlocks, both respectively leave behind a Context Access-entry with blank Access Policy. Is that how it should be?

If I leave this old entry with blank Context Access-entry from Redactor and reinstall it, non-sudo users can create resources. Does this perhaps help to isolate the cause?

The Redactor and ContentBlocks policies/permissions only affect their respective component pages - I struggle to see how those would have any impact at all on creating a new resource. However if you believe Redactor is the differentiator here between when it works and when it doesn’t, please email with an admin and an affected login and I’ll take a look.

Thanks a lot, Mark.
So far I think it still has to do with Redactor at least and emailed you the needed credentials last wednesday. I am curious to find out exactly what the problem is. At least (with the empty access policies from removing redactor) I have a temporary workaround, therefore… no hurry.