I’m developing a site with some membership functionality. To get login functionality i have installed “Login” extra - which works great! I have two User Groups and that also works well.
My user is “Super Admin” and assigned to both these groups to see the resources that should be visible only if access is granted - this part is working too.
The problem is that when I’m logged into manager and in the same time not logged into web context i still see the resources that should be hidden. When I’m logged out from modx manager everything is fine.
The desired behaviour would be that resources assigned to specific Resource Groups should be not visible for both the Manager and Web context even if the user is the administrator. On the front end (Web context) to see resources assigned to specific Resource Groups should be visible only you if you are log in into this context.
Is there any way to achieve that like specific access group configuration?
So as every single modx fresh install i have two contexts:
mgr
web
Then i have two new user groups and resource groups - so few resources are restricted for the “anonymous” users from the web - and that works well.
My user is a Super User and is added also to these two new user groups created. Checkbox “Sudo User” is unchecked for now but within access permission tab for my user I’m within Administrator group with “Super User” role.
The issue is that if I’m log in into MODX manager then the resources that should be hidden on the front should are visible because for MODX somehow I’m authenticated even if i did not log in to the front end (i have Login plugin for handling that). - seems like for modx mgr context and web context does not matter in that case? I’m just not sure.
What I’m after is that resources within new resource groups should not be visible if I’m authenticated into modx manager but only if I’m authenticated on the front end.
UPDATE:
I guess the session is not isolated so once I’m logged in mgr, context assumed yes I’m logged in to front end too… Is there any way how to isolate session for mgr and context?
As far as I can tell this is not the case. MODX keeps track of what contexts you are logged in to.
It just seems to be the case, that when a user accesses a resource, MODX only checks whether this user has “view” permissions for this resource in the “web” context. And not if the user is actually logged in to the “web” context.
My guess is, that if you only want to show a resource to someone that is actually logged in to the “web” context, you have to do this check yourself in a (uncached) snippet (using the function $modx->user->isAuthenticated('web') or modx->user->hasSessionContext('web')).
Hmm thats is interesting… however i just realized that there is this system setting “session_cookie_path” and i have it blank for now, and that means I’m using the same session on the mgr and web, should have this settings set up for each context so it will be isolated? If so how do i do that?
I very much doubt that changing this value would change anything in the MODX behaviour.
I honestly still don’t get why you’re so insistent on changing the way MODX works. If it’s just for testing, use a new private browser window (or a different browser).
You were right, i have followed your suggestion and have done it this way:
I have plugin that is fired on OnLoadWebDocument event
Plugin content:
// Current user id
$current_user_id = intval($modx->user->get('id'));
if($current_user_id > 0)
{
// User is logged in, but are they logged into the current context being requested??
$logged_into_context = $modx->user->isAuthenticated($modx->resource->get('context_key'));
if(!$logged_into_context)
{
// Requested document
$requested_document = $modx->resource->get('id');
// User is not logged into the current context, does the resource requested belong to any resource groups?
$rgrs = $modx->getCollection('modResourceGroupResource', array('document'=>$requested_document));
$groups = array();
foreach($rgrs as $rgr) {
$groups[] = $rgr->get('document_group');
}
// Redirect to the unauthorized page?
if(sizeof($groups) > 0)
{
//$modx->sendRedirect($modx->makeUrl($modx->getOption('unauthorized_page')));
$modx->sendUnauthorizedPage();
return;
}
}
else
{
// User is logged into the current context, no need for further action, MODX can handle security as normal
}
}
else
{
// User is anonymous, no need for further action, MODX can handle security as normal
}
and that’s always check if user is logged into resource context!
This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.