I am sad…or I am just too dumb to get it…at the moment it seems everything I touch makes it worse…so…I just ran into the next problems…
I rarely had to use more than two users - admin and content-editor. This always worked fine!
But now I am struggling with the ACLs, resource-groups etc. for another project, where I have to create several users with different permissions on creating or editing resources.
At first all went smoothly…
I have four contexts:
- context-a
- context-b
- context-c
- context-d
I want to have one user for each context, plus the admin-/sudo-user.
The user-context-a shall have access to all four contexts.
The user-context-b just for context-b.
The user-context-c just context-c.
And the user-context-d just context-d.
So I created the needed four additional users, one for each context, with the same name as the contexts.
After that I created four user-groups in the ACL-panel. There I defined the name for the user-group (same as the context), added the user I created before (as Super-User - 0; to be honest, I never did really get the difference between Member and Super-User), defined the context and created a resource-group in the “Add user-group”-popup.
For each user-group I added the “mgr”-context (Role 9999) with access-policy “Content Editor” and the context related to the user (context-b for context-b-user, etc.) - again with Role 9999 and access-policy “Context”.
This all works perfectly: when I log in to the manager with one of the context-users, I see the resource-tree related to the context that got defined before - that’s what I wanted. The other contexts are hidden and not editable/viewable for the context-user. The user can also create and edit resources and save changes/new resources. Excellent!
AND now here comes my issue:
Additionally, I need another “trainee”-user for each context, who only shall have access to some resources, but not to all of the ones that exist in the related context. I just started adding one trainee-user for context-b.
First I created the new user (“trainee-context-b”) and added another user-group in the ACL-panel with the same name, added the “trainee-context-b”-user, gave this user access to the related context “context-b” as Member 9999 and access-policy “Context”, plus the “mgr”-context, same Role (9999) and access-policy “Content-Editor” - just the same as I did before.
Then I added another resource-group (“trainee-context-b”), and gave the user-group “trainee-context-b” access to this resource-group “trainee-context-b”.
Then I opened the index-resource, went to the “resource-group”-tab and gave access to the Admin-resource-group plus to the context-b-resource-group. I don’t want the trainee to edit anything on the index-resource, so I did not select this checkbox.
After I’ve done that I logged out with the admin-user, and logged back in with the user “trainee-context-b”.
Et voilà - like I wanted, the index-resource does not appear in the resource-tree for user “trainee-context-b”. Excellent as well!
BUT:
Then I logged out with the user “trainee-context-b” and back in with user “context-b”. As I wrote before, I defined in the index-resource on the “resource-group”-tab that the admin-resource-group and the context-b-resource-group shall have access to the index-resource. But the index-resource is missing for the context-b-user as well?! I don’t get it…
I thought by selecting the resource-group I want to give access to this particular resource in the “resource-groups”-tab, the related user - who has access to the selected resource-group via the settings in the user-group ACL-panel - will be able to see this resource. But nope… Even the user context-a, who has access to all four contexts, can’t see this resource. I added this user to the user-group “context-b” as well.
Additionally I tried to define the media-source-access for user “context-b” in the user-group ACL-panel. This works without any problems on resource-edit - when adding an image or file, the image or file gets uploaded to the correct path (which I defined in the media-source itself). I am using Redactor from modmore, for which I defined the different media-sources. And everything works fine while editing the content of a resource.
But when I change the media-source-access in the user-group ACL-panel to the media-source of context-b, on the files-tab in the manager I see all media-sources except the one I defined and wanted to see?! I expected to only see the one that I defined, and the other media-sources to be hidden. What am I doing wrong here?
Thanks in advance to everyone who is willing to help…
(EDIT) Additional info…I just found out that when only selecting one resource-group on the resource-group-tab, it seems to be working. Having only “context-b” selected on the resource-group-tab on the index-resource shows the resource in the resource-tree when logged in with the user context-b…adding the “admin”-resource-group leads back to the described issue - resource not available in the resource-tree for user context-b…
(EDIT2) Having just selected resource-group-context-b does also show the resource in the resource-tree for user trainee-context-b…this is getting weird…