Restricting users to contexts

Hello all,

I have several domains running in the same instance of Modx, which also works very well since then. My admin user sees all contexts and I can edit everywhere quickly and comfortably. But now I want to enter a separate user for each context, so that these users can then only view and edit the respective context in the resources.

I have already tried several things, via the ACL and user groups, but had the problem here that the user with the “Sudo user” always sees all contexts, regardless of whether they were restricted via the ACL. If I remove the “Sudo user” attribute, I can’t log in with the user at all.

Does anyone know this well and can support? Have no problem leaving a small donation via PayPal or similar as a thank you.

Kind regards,
Sven

What I have done so far:

Created a new user group under “Contexts” in the respective context in the tab “Access rights”. For this purpose, a user was created to whom the group was assigned.

The user can log in, but sees all contexts.

Then removed the “Sudo User” attribute from the user, now the user cannot log in at all.

Did you give the user group the user belongs to access to the manager (mgr) context?

I would say no, because I have no idea how to do this. Could you explain it? Thanks in advance!

To start first, the sudo user always has access to everything. That’s why you see everything. But without sudo you can’t login to the manager. That’s probably because they don’t have access to the “mgr” context.

So in order for them to login to the manager, you probably have to edit the user group → access permissions → Contexts → Add Context → mgr with the Minimum Role and Access Policy you want them to have.

Great, thanks for your explanation. ACL and the roles and access policies are completely new for me. I’ve added a group in Access Control Lists, but I do not find where to add the Minimum Role. Is there any chance you could help using Screensharing by next week? I would pay for your time of course!

Hey @svenf2k, I’m going to loop in @bobray and @halftrainedharry to see if they might have any ability to aid you.

What you’re asking is not hard but does require a significant amount of configuration across Revo including Users, Contexts, ACLs, and plugins (if you’re also limiting access to specific Resource children). If it’s just contexts, it might not be too too hard.

That would be great! Thank you very much!

I will do nothing at the moment in order not to destroy anything and wait for a response. I’m available almost 24/7 and willing to pay for any help here of course!

I think you’ll find it easier to ignore the minimum role (authority level), or give everyone the same number. The authority level is set on the “Roles” tab when you create a new role, but you can also edit it there.

Here’s what I think you want:

  • You’re the only member of the Administrator group.

  • You have a number of Context Access ACL entries giving you access to all the various contexts.

  • Each of the other users belongs to a different user group (one for each context).

  • There is a Context Access ACL entry for each user group (with only one member), giving the group access to the context the user in that group can see.

  • No one is a sudo user.

  • Clear the site cache, and log out all users before testing any changes.

There’s information here about creating ACL entries.

And more information here about Revolution permissions in general.

There’s also a 55 minute video of me explaining the permissions system from the inside out here.

The key to hiding things in MODX is to use ACL entries to connect the item you want to hide to a user group that the forbidden user is not a member of. If you can remember that, it will make permission work a lot easier.

Welcome to MODX :)

1 Like
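An added example, not part of any post in this thread and not MODX code: a simplified Python model of the rules described above (sudo bypasses ACLs, manager login needs access to "mgr", a group reaches only the contexts its Context Access ACL entries name), used to audit a planned setup. All user, group and context names are constructed, and the `admins` parameter is an assumption of the model.

```python
# Simplified model of the rules stated in the thread; not MODX code.
# All user, group and context names below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    sudo: bool = False

def visible_contexts(user, context_acl, all_contexts):
    """Contexts a user can reach: everything for sudo, else ACL-granted ones."""
    if user.sudo:
        return set(all_contexts)          # sudo bypasses every ACL entry
    return {ctx for group, ctx in context_acl if group in user.groups}

def audit(users, context_acl, all_contexts, admins=("admin",)):
    """Return {user: [findings]} for the failure modes seen in the thread."""
    findings = {}
    for u in users:
        issues = []
        seen = visible_contexts(u, context_acl, all_contexts)
        if u.sudo:
            issues.append("sudo: context ACLs are ignored")
        if "mgr" not in seen:
            issues.append("no mgr access: manager login fails")
        site = seen - {"mgr"}
        if u.name not in admins and len(site) > 1:
            issues.append("sees multiple site contexts: " + ", ".join(sorted(site)))
        if issues:
            findings[u.name] = issues
    return findings

CONTEXTS = ["mgr", "web", "shop", "blog"]
# (user group, context) pairs standing in for Context Access ACL entries
ACL = [("Administrator", c) for c in CONTEXTS] + [
    ("ShopEditors", "mgr"), ("ShopEditors", "shop"),
    ("BlogEditors", "blog"),                      # mgr entry forgotten
]
USERS = [
    User("admin", {"Administrator"}),
    User("shop_editor", {"ShopEditors"}),
    User("blog_editor", {"BlogEditors"}),
    User("legacy_editor", {"ShopEditors"}, sudo=True),
]

if __name__ == "__main__":
    for name, issues in audit(USERS, ACL, CONTEXTS).items():
        print(name, "->", "; ".join(issues))
```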