Hello, I already created an user called Support.
I created a role support with 555 authority for that user
and I created an access policy with all the necessary restrictions.
I need that the user Support can see and edit other users but admins.
Here @bobray is saying: Unfortunately, MODX user permissions are not that granular, though they probably will be in an upcoming version. Either the user can edit users or they can’t. There’s no easy way to control which users they edit.
Now the admins are not in the list, GOOD, but in the access permissions the User Group - Admin ** and super user - Role still available, is there a way to hide those too?
Thanks Bruno.
I still need to hide **User Group - Admin ** and super user - Role for a non admin user.
This is in the Add User to Group option inside Access Permission tab in the user details area.
looking at the security/group/getlist - processor this should be possible with a similiar plugin or could be done within the same plugin by setting the exclude - property/ $_POST - value
Tried adding the exclude parameter to the query like this
if ($action == 'security/group/getList') {
$modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for group getlist');
$_POST['query'] = 'pp'; //Supposed to match a group called support
$data = array(1);
$dataString = json_encode($data);
$_POST['exclude'] = $dataString;
}
But it did’t work, also tried asigning the array directly to the post, and after looking at security/group/getlist, we added the following just as a test to make sure that we are pointing to the rigth processor
$c->where(array(
'id:!=' => 1,
));
An in this case it hidded the admin entry succesfully, any idea of what are we missing to connect our plugin with the processor?
We also noticed this action is called when the users list windows is displayed in case is of any use
Here is the solution in case somebody need it, special thanks to @bruno17 and @camicase82.
Plugin Name: usersFilter
System Event: OnMODXInit
<?php
//Check user group
$user = $modx->getUser();
$profile = $user->getOne('Profile');
$userGroupList = $user->getUserGroupNames();
$userGroup = $userGroupList[0];
$action = $modx->getOption('action', $_REQUEST, '');
// If the user belong to an specific group apply the rules
if ($userGroup == 'Members') {
//Access Permissions Area
// Filter User groups
if ($action == 'security/group/getlist') {
$modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for group getlist');
// Pick what groups do you want to hide, you can hide more than one separating the id's with coma
$data = array(1,6);
$_POST['exclude'] = $data;
}
// Filter Roles
if ($action == 'security/role/getlist') {
$modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for user getlist');
// Pick what roles do you want to display
$data = array(1);
$_POST['id'] = $data;
}
//Filter Users list
if ($modx->context->get('key') == "mgr") {
switch ($modx->event->name) {
case 'OnMODXInit':
$modx->log(modX::LOG_LEVEL_ERROR, 'Setting inner param for getlist');
$action = $modx->getOption('action', $_REQUEST, '');
if ($action == 'security/user/getList') {
// Only display users that belong to the user group with ID 3
$_POST['usergroup'] = 3;
}
break;
}
}
return;
}
return;
@ysanmiguel cool solution. Be aware technically you are still able to modify admins. By this I mean URL manipulation to enter the admin detail form or request the user update processor directly.
E.g. admin id is 1 update your URL to manager/?a=security/user/update&id=1 and voila you are able to modify the admin. If you consider this a issue you have to put similair code in the right places to make sure the admin isn’t modifble by any means.
