Posted on Jan 10, 2012 | Comments (8)
Yesterday a fellow MODXer, @anselmhannemann, tweeted about MODX ACLs and how freaking complicated they are (they really are, trust me). The real problem is that there hasn't been a real-world tutorial that shows us how to add a user group and limit what its members can edit and see in MODX.
In this tutorial I will try to make understanding ACLs as easy as possible, so if you've spent countless hours, days, weeks or months pulling your hair out trying to understand MODX ACLs, I hope this tutorial will keep you from going bald (unless you already are, in which case I apologize for not making this tutorial sooner and saving you some hair).
What we will accomplish
This tutorial's goal is to create a new User Group, create a new User with Editor permissions that restrict their access in the manager, and create Resource Groups for both the Admin User Group and the Editors User Group.
Step 1: Create a New User Group
Go to the Security tab in the MODX manager menu, then click on Access Controls.
On the Access Controls page you will see the list of user groups. MODX usually ships with the Administrator and Anonymous user groups. Click the New User Group button and create your new user group. I named mine Editor; you can do the same or use whatever name you prefer.
Step 2: Create a New User
Go to the Security tab in the MODX manager menu, then click on Manage Users.
Once on the Users page, click New User.
On the New User page, under the General Information tab, fill in the information for the new user you are creating.
Then go to the Access Permissions tab and click Add User to Group. In the User Group drop-down select Editor (this is the User Group we created in step 1), and in the Role drop-down select Super User.
Step 3: Create Resource Groups
Resource Groups are just that: groups of resources, used to specify which MODX resources a user group will have access to.
Once again go to the Security tab in the MODX manager menu and click on Resource Groups.
Now we have to create 2 Resource Groups (I will explain why shortly). Click the Create Resource Group button and type the name you want for your first resource group; I named mine Admin. After you click save, click Create Resource Group again and type the name you want for the second one; I named mine Editor.
You should end up with something like this if you used my naming convention.
So why do we need 2 Resource Groups, you may be asking yourself? Because of the way MODX works, we need to make one resource group for the Admin User Group and another for the Editor User Group. This is how we will prevent the Editor User Group from seeing the resources in the Admin Resource Group. In this case I want the Editors to only have access to create and/or edit blog posts.
To achieve this, drag and drop from the right column the resources you want in the Admin Resource Group (usually all resources), then do the same into the Editor Resource Group for the resource or resources you want the Editor User Group to have access to.
Step 4: Access Controls - Admin Resource Group
Go to the Security tab once again and click on Access Controls.
Then right-click on your Administrators User Group and select Update User Group.
Now go to the Resource Group Access tab and click Add Resource Group. In the Resource Group drop-down select Admin (this is the Admin Resource Group we created in step 3). In the Context drop-down select mgr; this is the manager context, or admin side, of MODX. In the Minimum Role drop-down select Super User - 0, in the Access Policy drop-down select Resource, and click save.
Hint: The Permissions in Selected Policy box will display what permissions the user group will have for the resources in the Resource Group, the text displayed here will change based on the policy you choose.
Step 5: Access Controls - Editor Resource Group
Go to the Security tab once again and click on Access Controls.
Then right-click on your Editors User Group and select Update User Group.
Now go to the Resource Group Access tab and click Add Resource Group. In the Resource Group drop-down select Editor (this is the Editor Resource Group we created in step 3). In the Context drop-down select mgr; this is the manager context, or admin side, of MODX. In the Minimum Role drop-down select Super User - 0, in the Access Policy drop-down select Resource, and click save.
Step 6: Editor User Group Context Access
While still on the User Group page, go to the Context Access tab and click the Add Context button. Here we will give the user group access to the manager: in the Context drop-down select mgr, in the Minimum Role drop-down select Super User, and in the Access Policy drop-down select Content Editor.
Repeat these steps to give the user group access to the web context. All settings remain the same except the Context drop-down, which should be changed to web.
Hint: The manager (mgr) is a hidden context in MODX, which is why we have to give the user group access to both the mgr context and the web context. If you give them access to mgr but not to web, they will be able to log in to the MODX manager but will not be able to see any context or resources.
Step 7: Flush Sessions
The last step in our process is to go to the Security tab and click on Flush All Sessions. This will flush all permissions and log out every user.
Step 8: Test Admin and Editor accounts
To test properly, log in to the manager in 2 different browsers, with the Admin account in one and the Editor account in the other. Alternatively, log in as the Admin user, then log out and log in again as the Editor user.
Your Admin account should have access to all the resources you put in the Admin Resource Group and your Editor should only have access to the resources in the Editor Resource Group.
So we just got you restricting user groups in MODX. Although it may seem a bit easier now, I still have some bad news for you. I don't know if this is a user error on my behalf (it probably is, I'm not that smart), but every time you create a new resource that you don't want the Editor User Group to have access to, you will have to go to the Access Group tab and select what group the new resource is part of.
You can also use the Resource Group method by going to Security > Resource Group and dragging and dropping the new resource into the Admin Resource Group (yes, I know this is very tedious and a PITA). I really hope there is some setting that can be changed so this can be avoided; if not, it's just something we're going to have to deal with until MODX comes up with a revamped ACL system.
The way MODX works in terms of permissions is that it grants every user access to all resources regardless of user group, and you have to specify which ones you want to prevent them from having access to (I know, this seems backwards to me too and was part of my initial confusion as well; feel free to join our discussion on how to make ACLs easier to use in this MODX forum post).
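The default-allow behavior described above can be modeled in a few lines. This is an added example, not MODX code or the author's: a simplified Python model of the tutorial's setup, in which the resource names and the can_see and unprotected helpers are hypothetical, and a lower authority number is assumed to mean a higher-ranked role (Super User = 0, as in the Minimum Role drop-down).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """One row of a user group's Resource Group Access tab (simplified)."""
    user_group: str
    resource_group: str
    context: str
    min_authority: int  # assumption: 0 = Super User, lower number = higher rank


# Constructed sample data mirroring steps 3 to 5 of the tutorial.
RESOURCE_GROUPS = {
    "Admin": {"Home", "About", "Blog post 1"},
    "Editor": {"Blog post 1"},
}
ACLS = [
    Acl("Administrator", "Admin", "mgr", 0),
    Acl("Editor", "Editor", "mgr", 0),
]
# "New landing page" was created after setup and never assigned to a group.
ALL_RESOURCES = ["Home", "About", "Blog post 1", "New landing page"]


def groups_of(resource):
    """Resource groups that contain the given resource."""
    return {g for g, members in RESOURCE_GROUPS.items() if resource in members}


def can_see(user_group, authority, resource, context="mgr"):
    """True if a member of user_group with this role authority sees resource."""
    groups = groups_of(resource)
    if not groups:
        return True  # in no resource group: open to every user group
    return any(
        a.user_group == user_group
        and a.context == context
        and a.resource_group in groups
        and authority <= a.min_authority
        for a in ACLS
    )


def unprotected(resources):
    """Audit check: resources in no resource group, visible to everyone."""
    return [r for r in resources if not groups_of(r)]
```

Running unprotected over the full resource list after each content change gives the list of resources that still need to be dragged into the Admin Resource Group.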