MODX Community

User permissions, ACLs, resource-groups, media sources, contexts

I am sad… or I am just too dumb to get it… at the moment it seems everything I touch makes it worse… so… I just ran into the next problems…

I rarely had to use more than two users - admin and content-editor. This always worked fine!

But now I am struggling with the ACLs, resource-groups etc. for another project, where I have to create several users with different permissions on creating or editing resources.

First all went smoothly…

I have four contexts:

  1. context-a
  2. context-b
  3. context-c
  4. context-d

I want to have one user for each context, plus the admin-/sudo-user.

The user-context-a shall have access to all four contexts.
The user-context-b just for context-b.
The user-context-c just context-c.
And the user-context-d just context-d.

So I created the needed four additional users, one for each context, with the same name as the contexts.

After that I created four user-groups in the ACL-panel. There I defined the name for the user-group (same as the context), added the user I created before (as Super-User - 0; to be honest, I never did really get the difference between Member and Super-User), defined the context and created a resource-group in the “Add user-group”-popup.

For each user-group I added the “mgr”-context (Role 9999) with access-policy “Content Editor” and the context related to the user (context-b for context-b-user, etc.) - again with Role 9999 and access-policy “Context”.

This all works perfect: when I log in to the manager with one of the context-users, I see the resource-tree related to the context that got defined before - that’s what I wanted. The other contexts are hidden and not editable/viewable for the context-user. The user can also create and edit resources and save changes/new resources. Excellent!

AND now here comes my issue:

Additionally, I need another “trainee”-user for each context, who only shall have access to some resources, but not to all of the ones that exist in the related context. I just started adding one trainee-user for context-b.

First I created the new user (“trainee-context-b”) and added another user-group in the ACL-panel with the same name, added the “trainee-context-b”-user, gave this user access to the related context “context-b” as Member 9999 and access-policy “Context”, plus the “mgr”-context, same Role (9999) and access-policy “Content-Editor” - just the same I did before.

Then I added another resource-group (“trainee-context-b”), and gave the user-group “trainee-context-b” access to this resource-group “trainee-context-b”.

Then I opened the index-resource, went to the “resource-group”-tab and gave access to the Admin-resource-group plus to the context-b-resource-group. I don’t want the trainee to edit anything on the index-resource, so I did not select this checkbox.

After I’ve done that I logged out with the admin-user, and logged back in with the user “trainee-context-b”.

Et voilà - like I wanted, the index-resource does not appear in the resource-tree for user “trainee-context-b”. Excellent as well!

BUT:
Then I logged out with the user “trainee-context-b” and back in with user “context-b”. As I wrote before, I defined in the index-resource on the “resource-group”-tab that the admin-resource-group and the context-b-resource-group shall have access to the index-resource. But the index-resource is missing for the context-b-user as well?! I don’t get it…

I thought by selecting the resource-group I want to give access to this particular resource in the “resource-groups”-tab, the related user - who has access to the selected resource-group via the settings in the user-group ACL-panel - will be able to see this resource. But nope… Even the user context-a, who has access to all four contexts, can’t see this resource. I added this user to the user-group “context-b” as well.

Additionally I tried to define the media-source-access for user “context-b” in the user-group ACL-panel. This works without any problems on resource-edit - when adding an image or file, the image or file gets uploaded to the correct path (which I defined in the media-source itself). I am using Redactor from modmore, for which I defined the different media-sources. And everything works fine while editing the content of a resource.

But when I change the media-source-access in the user-group ACL-panel to the media source of context-b, on the files-tab in the manager I see all media-sources except the one I defined and wanted to see?! I expected to only see the one that I defined, and the other media-sources to be hidden. What am I doing wrong here?

Thanks in advance to everyone who is willing to help…

(EDIT) Additional info… I just found out that when only selecting one resource-group on the resource-group-tab, it seems to be working. Having only “context-b” selected on the resource-group-tab of the index-resource shows the resource in the resource-tree when logged in with the user context-b… adding the “admin”-resource-group leads back to the described issue - resource not available in the resource tree for user context-b…

(EDIT2) Having just selected resource-group-context-b does also show the resource in the resource-tree for user trainee-context-b… this is getting weird…

It’s difficult to know where you’re going wrong, but I’ll make a guess.

Resources are protected (hidden) when they’re in a resource group connected to a user group and the current user is not a member of that group.

By creating a connection between one user group and a resource group, everyone outside that group is denied access to that resource (including you), unless you create another Resource Group Access ACL entry that links another user group to that same resource group. Also, remember that users can be in more than one user group.

The purpose of roles (which I seldom use) is to give users in the same user group different capabilities. Unless your site will have many users at many different levels, I don’t consider it worth the effort. I just put users with different capabilities in different groups, as it appears you’re doing.

That said, I would not use the ‘member’ role for anyone in the Manager. That’s a role given to anonymous users and is usually very restricted. I’d create a new role with an authority level of, say, 15, and give that to all non-admin users.

Something else that might be tripping you up: when you create an ACL entry, you set an “authority” level for it. That ACL entry will not apply to users with a role in their group that is greater than that number.
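To make the rule in this reply concrete, here is a small Python model of how Resource Group Access entries, user-group membership and an entry’s authority combine to decide whether a resource is visible. It is an added illustration, not code from this thread or from MODX itself (the real check lives in `modAccessibleObject::checkPolicy()` and also involves contexts, policy templates and caching); the users, groups, role numbers and permission names are constructed to mirror the context-b setup from the question. Under this rule the context-b user keeps seeing the index-resource after the Admin resource group is added, because one matching entry is enough; the `check()` reason string shows which entry granted access, or that none matched, which is the first thing to compare against the live ACL panel.

```python
"""Simplified model of the MODX resource-group rule described in Bob's reply.

Added illustration only: not MODX's own code. Names, role numbers and the
permission set are constructed for the thread's context-b scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    user_group: str
    resource_group: str
    authority: int          # entry applies only to roles whose number is <= this
    permissions: frozenset  # what the entry's access policy grants (assumed names)


class AccessModel:
    def __init__(self):
        self.memberships = {}      # user -> {user_group: role authority}
        self.sudo = set()          # sudo users bypass the check entirely
        self.entries = []          # Resource Group Access ACL entries
        self.resource_groups = {}  # resource -> set of resource groups it is in

    def add_member(self, user, group, role_authority):
        self.memberships.setdefault(user, {})[group] = role_authority

    def check(self, user, resource, permission="view"):
        """Return (allowed, reason) for one user / resource / permission."""
        if user in self.sudo:
            return True, "sudo user"
        groups = self.resource_groups.get(resource, set())
        if not groups:
            return True, "resource is in no resource group"
        roles = self.memberships.get(user, {})
        for e in self.entries:
            if e.resource_group not in groups:
                continue                      # entry is about some other resource group
            if e.user_group not in roles:
                continue                      # user is not a member of that user group
            if roles[e.user_group] > e.authority:
                continue                      # role number too high for this entry
            if permission in e.permissions:
                return True, f"{e.user_group} -> {e.resource_group} (authority {e.authority})"
        return False, "no matching Resource Group Access entry"

    def visible(self, user):
        """Resources the user would see in the tree, in name order."""
        return sorted(r for r in self.resource_groups if self.check(user, r)[0])


def build_scenario(context_b_entry_authority=9999):
    """The context-b setup from the question (values constructed)."""
    m = AccessModel()
    m.sudo.add("admin")
    m.add_member("context-b", "context-b", 15)                    # "Editor" role, authority 15
    m.add_member("context-a", "context-a", 15)
    m.add_member("context-a", "context-b", 15)                    # context-a was added to group context-b too
    m.add_member("trainee-context-b", "trainee-context-b", 9999)  # "Member" role
    edit = frozenset({"view", "save"})
    m.entries = [
        AclEntry("Administrator", "Admin", 0, edit),
        AclEntry("context-b", "context-b", context_b_entry_authority, edit),
        AclEntry("trainee-context-b", "trainee-context-b", 9999, frozenset({"view"})),
    ]
    m.resource_groups = {
        "index-resource": {"Admin", "context-b"},   # both groups ticked on the resource-groups tab
        "page-in-context-b": {"context-b"},
        "trainee-page": {"trainee-context-b"},
        "unprotected-page": set(),                  # no resource group: everyone sees it
    }
    return m


if __name__ == "__main__":
    model = build_scenario()
    for user in ("admin", "context-a", "context-b", "trainee-context-b"):
        print(user, "->", model.visible(user))
    # Bob's authority caveat: an entry with authority 0 ignores the Editor (15) role.
    strict = build_scenario(context_b_entry_authority=0)
    print("context-b with entry authority 0:", strict.check("context-b", "index-resource"))
```

Running it lists, per user, the resources the rule would show; changing `context_b_entry_authority` to 0 demonstrates the caveat that an entry only applies to roles whose number is at or below the entry’s authority.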

Aloha Bobray,

and thanks a lot for hopping in here as well and trying to help - I appreciate that!

That’s the way I am understanding this to work as well.

…this far I can follow you, but then…

So - to stay with the example of context-b - I just want the context-related user-group (user-context-b) to have access to each resource, plus the admin, plus user-context-a (who shall have access to all contexts), plus the trainee - but the trainee with restricted access.

This means to me that I check each user-group (Administrator, user-context-a, user-context-b and trainee-user-b) to have resource-group-access in the permissions-tab to the related context-b - CHECK! This far I’ve done it this way I would say…

Yeah, I agree… and in my understanding, this is what I am doing. Each context has its user and user-group, plus the trainee-user and trainee-user-group for each context.

Ok, I am understanding this now more clearly, thanks.
So I created a new ACL-role called “editor” with authority of 15, and set this new role for the user-context-b in the user-group-context-b.

You’re speaking of every new entry I do in the ACL permissions-tab for each user-group, right? But yeah, in here I can define the “Minimum Role”, which I set to “Editor” - 15 as well.

But I am still not getting the expected result…

So let’s try to clear this up with some real screenshots and the names etc. I’m using in this project - maybe the whole context-a-b-c stuff is making it more complicated… hopefully this will clear things up…

So how to start.

Let’s start with the index-resource (ID 190) of context-d, which is called “stimmenafrikas”. This is the view with the admin-user having the “resource-groups”-tab in focus.

As you can see I gave access to the “Admin”- and “stimmenafrikas”-resource-groups. You can see another resource-group called “praktikum-stimmenafrikas” in here, which shall be shown if selected for trainee-users called “praktikum-stimmenafrikas”. So as I do not want this trainee-user to be able to see/edit the index-resource (ID 190), I do not select this resource-group here. This is for now the only resource I gave access to a resource-group so far. Every other resource does not have any resource-group selected.

On the “Access Control Lists” I have another user-group called “stimmenafrikas”, in which I included the related user “stimmenafrikas” with a role of “Editor - 15”. Additionally there is another user called “Autor”, who has the “Super user - 0”-role - this user is the one who shall have access to all contexts.

When clicking on “Update” for the user-group “stimmenafrikas”, you can see this on the permissions-tab in the context-access-area:

and this in the resource-group-access-area:

So having these things set I would expect to log in with the user “stimmenafrikas”, who can only see its related context “stimmenafrikas” - which is working. Additionally this user shall see all resources that have resource-group access set to “stimmenafrikas” - plus the ones that don’t have any resource-group-access set.

But now, when I log in to the manager with user “stimmenafrikas” I do see all resources of the correct context “stimmenafrikas”, but NOT the one index-resource (ID 190) I gave resource-access “stimmenafrikas” to:

This index-resource (ID 190) is missing.

Every other resource doesn’t have a resource-group set, so this is why I am seeing these other resources - how I understand this behaviour. So that is correct for me.

My aim is that another trainee-user for this context called “praktikum-stimmenafrikas” will have access to the same context “stimmenafrikas”, but this user can only see resources that have access to the resource-group “praktikum-stimmenafrikas”.

So I am still confused, after trying and double-checking everything since I’ve read your post and re-doing it all while writing this answer just to check everything again.

A few questions and suggestions:

  1. Do you really need contexts for what you’re doing? They complicate things and if all you’re trying to do is allow and restrict access to certain resources, they’re kind of overkill.

  2. Does the stimmenafrikas user group have access to the ‘mgr’ context with a policy that allows the necessary resource permissions?

Try changing the Context policy for the stimmenafrikas from “Context” to “Administrator” (flush permissions and log out all users before testing). If that solves your problem, the issue is that the “Context” policy doesn’t have the necessary permissions. You probably don’t want to use the full Administrator Policy for that group, so duplicate it, uncheck permissions you don’t want them to have (especially “access_permissions”) and use the duplicate for that ACL entry.

BTW, since you now have some understanding of permissions, you might want to take a look at this video for a detailed explanation of MODX permissions and how they work. Fair warning: it’s about 50 minutes long.

Hello again Bob!

Yes, I do need these four contexts as those will each manage a different domain. So this is not only for allowing and restricting access to certain resources.

The user-group stimmenafrikas did have “Content Editor”-policy for the “mgr”-context and “Context”-policy for the stimmenafrikas-resource-group.

I followed your advice and changed the context-policy for stimmenafrikas to “Administrator”, then flushed permissions and logged out all users, and logged in as stimmenafrikas-user - still no change.

I also changed the context-policy for the manager to “Administrator”, flushed/logged out/logged back in…same…

I also tried to set the “Minimum Role” of the permissions to “Member 9999” (the stimmenafrikas-user has Role “Editor - 15”, so this should be ok)…flushed permissions and logged out again with admin-user and re-logged in as stimmenafrikas-user - still the same…

I’m pretty lost here…anything else doesn’t seem even logical to me…

But - this can’t be related to the PHP-version, that is used on the site, right? Because at the moment I still have to use PHP 5.6, I can switch up to PHP 7.2+ once the site is finished, but not right now…but I don’t think that this is related to each other?

And thank you for the link to the video. I’m gonna check this out in the next days!

I don’t think it’s related to the PHP version. I don’t see anything obviously wrong with what you’re doing, but TBH, I don’t have the time to analyze your stuff fully.

Some people love using multiple contexts, but I tend to avoid them because I tend to run into permission problems when I try to use them.

Hi again!

Thank you for your opinion on the PHP-versions!

And also thanks for trying to help so far! I would even pay for sorting this out, but since you don’t seem to be comfortable with contexts, I’m not going to ask you :wink:

I wouldn’t have time right now anyway, but thanks for thinking of me.

More tips:

  1. If making the user a sudo user solves the problem, it’s definitely a problem with permissions.

  2. Be sure to log out all users after making a change before you test things. (I also clear the cache manually with the CacheClear extra.)

  3. The “Cache Killer” Chrome browser extension is handy because it takes the browser cache completely out of the equation.

Hi again Bob!

And thanks for your additional tips on this!

I tried to make the related user a sudo-user, but this way I “lost” the ability to see only the related context.

I usually cleared the whole core->cache-folder to be sure that no cached files/settings are getting used. Haven’t tried the CacheClear-extra yet, gonna have a look at that.

And the “Cache Killer” extension sounds promising too. But I normally do have the developer-window open, with the setting “Disable cache (while DevTools is open)”, so I thought I would be safe… but I’m gonna have a look at that extension too… thanks!

I know that Disable-cache didn’t always work for me, though maybe this has been fixed. It also slows things down a lot to have DevTools open all the time, especially in the MODX Manager.

Cache Killer definitely prevents everything from being cached.

My bad… of course I don’t use the DevTools in the manager… didn’t think of that…

Cache Killer installed and testing now…