[Solved] User with permissions to edit users, but not to edit any admin account

Hello, I already created a user called Support.
I created a role support with 555 authority for that user
and I created an access policy with all the necessary restrictions.

I need the user Support to be able to see and edit other users, but not admins.

I see this post from 7 years ago regarding this topic:
https://forums.modx.com/thread/86784/allow-client-to-see-edit-and-create-users-but-not-to-edit-the-main-admin-account

Here @bobray is saying: Unfortunately, MODX user permissions are not that granular, though they probably will be in an upcoming version. Either the user can edit users or they can’t. There’s no easy way to control which users they edit.

Does somebody know if that is possible now?
Thanks!!!

Thanks!

maybe that helps:

1 Like

@bruno17 mate, AMAZING, thank you very much!!! :+1:

Now the admins are not in the list, GOOD, but in the access permissions the **User Group - Admin** and **super user - Role** are still available. Is there a way to hide those too?
Thanks Bruno.

Can anyone help me with this one please?

I still need to hide **User Group - Admin** and **super user - Role** for a non-admin user.
This is in the Add User to Group option inside the Access Permissions tab in the user details area.

Will appreciate it, cheers!

Looking at the security/group/getlist processor, this should be possible with a similar plugin, or could be done within the same plugin by setting the exclude property / $_POST value.

1 Like

Hello @bruno17

Tried adding the exclude parameter to the query like this:

```php
if ($action == 'security/group/getList') {
    $modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for group getlist');
    $_POST['query'] = 'pp'; // Supposed to match a group called support
    $data = array(1);
    $dataString = json_encode($data);
    $_POST['exclude'] = $dataString;
}
```

But it didn't work. We also tried assigning the array directly to the post, and after looking at security/group/getlist, we added the following just as a test to make sure that we are pointing to the right processor:

```php
$c->where(array(
    'id:!=' => 1,
));
```

And in this case it hid the admin entry successfully. Any idea what we are missing to connect our plugin with the processor?

We also noticed this action is called when the users list window is displayed, in case that is of any use.

Cheers!

1 Like

maybe `security/group/getList` should be `security/group/getlist`

2 Likes

Thanks a lot @bruno17 I was also struggling with the same and you guys probably saved me hours of work and headaches

Here is the solution in case somebody needs it, special thanks to @bruno17 and @camicase82. :+1:

Plugin Name: usersFilter
System Event: OnMODXInit

```php
<?php
// Check user group (the first group of the logged-in manager user decides)
$user = $modx->getUser();
$profile = $user->getOne('Profile');
$userGroupList = $user->getUserGroupNames();
// Guard against users that belong to no group at all
$userGroup = isset($userGroupList[0]) ? $userGroupList[0] : '';

$action = $modx->getOption('action', $_REQUEST, '');

// If the user belongs to a specific group, apply the rules
if ($userGroup == 'Members') {

    // Access Permissions area

    // Filter user groups
    if ($action == 'security/group/getlist') {
        $modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for group getlist');
        // Pick which groups you want to hide; hide more than one by separating the ids with a comma
        $data = array(1, 6);
        $_POST['exclude'] = $data;
    }

    // Filter roles
    if ($action == 'security/role/getlist') {
        $modx->log(modX::LOG_LEVEL_ERROR, 'Setting param for user getlist');
        // Pick which roles you want to display
        $data = array(1);
        $_POST['id'] = $data;
    }

    // Filter users list
    if ($modx->context->get('key') == "mgr") {
        switch ($modx->event->name) {
            case 'OnMODXInit':
                $modx->log(modX::LOG_LEVEL_ERROR, 'Setting inner param for getlist');
                $action = $modx->getOption('action', $_REQUEST, '');
                if ($action == 'security/user/getList') {
                    // Only display users that belong to the user group with ID 3
                    $_POST['usergroup'] = 3;
                }
                break;
        }
    }
    return;
}
return;
```

Done!!! :grinning: :+1:

1 Like

Thanks for posting the final solution.
@sottwell was so kind and extended the example on the cookbook recipe, too.

3 Likes

This post is extremely important and deserves to be highly visible.

This is the MODx community at its best.
Thank you guys!

@ysanmiguel cool solution. Be aware that technically you are still able to modify admins. By this I mean URL manipulation to enter the admin detail form, or requesting the user update processor directly.
E.g. if the admin id is 1, update your URL to manager/?a=security/user/update&id=1 and voilà, you are able to modify the admin. If you consider this an issue, you have to put similar code in the right places to make sure the admin isn’t modifiable by any means.

1 Like
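
What "similar code in the right places" can look like on the write path, as an added example that is not part of the thread: a plugin that rejects saves and deletes of protected accounts on the server, whichever URL or processor the request came through. The plugin name `protectAdmins` and the group name `Administrator` are assumptions, and it assumes MODX 2.x, where a non-empty output from `OnBeforeUserFormSave` or `OnBeforeUserFormDelete` makes the processor fail.

```php
<?php
// Added example, not code from this thread. Assumed plugin name: protectAdmins.
// Attach it to the system events OnBeforeUserFormSave and OnBeforeUserFormDelete.
// 'Administrator' is an assumed group name: accounts in it must stay untouched.
$protectedGroups = array('Administrator');

$events = array('OnBeforeUserFormSave', 'OnBeforeUserFormDelete');
if (!in_array($modx->event->name, $events, true)) {
    return;
}

// Default deny: only sudo users and members of a protected group may change
// protected accounts. Every other manager user is checked below.
$actor = $modx->user;
if ($actor && ($actor->get('sudo') || $actor->isMember($protectedGroups))) {
    return;
}

// Reload the target from the database by the id passed with the event, so the
// decision rests on stored state and not on fields submitted in the request.
$targetId = (int) $modx->getOption('id', $scriptProperties, 0);
$stored = $targetId > 0 ? $modx->getObject('modUser', $targetId) : null;
if (!$stored) {
    return; // new account, nothing to protect
}

if ($stored->get('sudo') || $stored->isMember($protectedGroups)) {
    // Leave an audit trail of the rejected attempt in the MODX error log.
    $modx->log(modX::LOG_LEVEL_WARN, sprintf(
        '[protectAdmins] user %d blocked from %s on protected user %d',
        $actor ? $actor->get('id') : 0,
        $modx->event->name,
        $stored->get('id')
    ));
    // A non-empty event output aborts the save or delete with this message.
    $modx->event->output('You are not allowed to modify this account.');
}
return;
```

This checks only the stored state of the account being changed. Group or role assignments submitted in the same request, and the rendering of the edit form itself, are not covered by it.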

Excellent mate, thanks. I’ll take that into consideration!
Cheers!