User Group cannot delete Static Resources

dejaya · March 21, 2023, 10:56am

Hi all,

My editors group seem to be unable to delete Static Resources:

That appears when right-clicking a static resource in the tree and clicking Delete.

If I edit a static resource and check the Settings / Deleted box, then save - the resource saves but the Deleted box returns to unchecked. No error appears in that case.

My editors group uses a custom ACL with permissions granted for remove, delete_document and delete_static_resource

Administrators can delete Static Resources OK and the editors group can delete Document Resources and Weblink Resources OK.

What am I missing?

MODX 2.8.4-pl

halftrainedharry · March 21, 2023, 11:33am

Do the editors have basic delete and save permissions?

dejaya · March 21, 2023, 11:48am

Hey @halftrainedharry

They have save permission.

I don’t see a basic delete permission - they do have remove though.

halftrainedharry · March 21, 2023, 12:12pm

There is one in the “Resource” access policy.
I only saw that there is some check in the resource/delete processor.

github.com

modxcms/revolution/blob/31ad6114a61155fba9a28264ea464a30dcce7fb8/core/src/Revolution/Processors/Resource/Delete.php#L58


      
           */
          public function initialize()
          {
              $id = $this->getProperty('id', false);
              if (empty($id)) return $this->modx->lexicon('resource_err_ns');
              $this->resource = $this->modx->getObject(modResource::class, $id);
              if (empty($this->resource)) return $this->modx->lexicon('resource_err_nfs', ['id' => $id]);
          
              /* validate resource can be deleted */
              if (!$this->checkActionPermission($this->resource->get('class_key'), 'delete')
                  || !$this->resource->checkPolicy(['save' => true, 'delete' => true])) {
                  return $this->modx->lexicon('permission_denied');
              }
              $this->deletedTime = time();
              return true;
          }
          
          /**
           * {@inheritDoc}
           * @return mixed
           */

dejaya · March 21, 2023, 12:21pm

Hmm … all permissions, including delete are enabled in the Resource policy.

I tried switching the Editors group over to using the Administrator ACL policy instead of the custom one.

Flushed permissions, logged the Editor out and in again, and the result was the same.

That would appear to rule out the custom ACL policy - I think?

What else could cause this?

halftrainedharry · March 21, 2023, 2:01pm

You could (temporarily) add some code to the processor I linked above (on line 55) to check and log the permissions individually. Maybe this gives some insight.

if (!$this->modx->hasPermission('delete_document')) {
	$this->modx->log(modX::LOG_LEVEL_ERROR, "user " . $this->modx->user->get('username') . " doesn't have permission 'delete_document'");
}
if (!$this->modx->hasPermission('delete_static_resource')) {
	$this->modx->log(modX::LOG_LEVEL_ERROR, "user " . $this->modx->user->get('username') . " doesn't have permission 'delete_static_resource'");
}
if (!$this->resource->checkPolicy('save')) {
	$this->modx->log(modX::LOG_LEVEL_ERROR, "user " . $this->modx->user->get('username') . " doesn't have permission 'save'");
}
if (!$this->resource->checkPolicy('delete')) {
	$this->modx->log(modX::LOG_LEVEL_ERROR, "user " . $this->modx->user->get('username') . " doesn't have permission 'delete'");
}

dejaya · March 21, 2023, 3:28pm

This site is on MODX 2.8.4-pl - I think the above is MODX3 … ?

I tried adding your code to: core/model/modx/processors/resource/delete.class.php

But nothing appears in the Modx Error Log when I get the Permission Denied error.

halftrainedharry · March 21, 2023, 4:04pm

It seems, that in MODX 2.8.4, the code checks the permissions delete_document and delete_resource (instead of delete_document and delete_static_resource like in MODX 3).

dejaya · March 21, 2023, 4:57pm

Aye - that’s getting us somewhere …

[2023-03-21 16:22:02] (ERROR @ /home/xyz/public_html/core/model/modx/processors/resource/delete.class.php : 51) user xxyyzz doesn't have permission 'delete_resource'

But there is no delete_resource permission in either my Administrator or custom Editor policies.

halftrainedharry · March 21, 2023, 5:08pm

This seems to be a bug in MODX 2.8.4.

It’s probably fixed in 2.8.5.

dejaya · March 21, 2023, 5:12pm

That’s it

Thanks @halftrainedharry

In core/model/modx/processors/resource/delete.class.php I changed:

'modStaticResource' => 'delete_resource',

to

'modStaticResource' => 'delete_static_resource',

and all is well!

It has indeed been fixed in 2.8.5.

Thanks for your help as always!

system · March 23, 2023, 5:12pm

This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.