MODX ACL Security Tutorial

Posted on Jan 10, 2012 | Comments (8)

Yesterday a fellow MODXer, @anselmhannemann, tweeted about MODX ACLs and how freakishly complicated they are (they really are, trust me). The real problem is that there hasn't been a real-world tutorial showing how to add a user group and limit what its members can see and edit in MODX.

The awesome @splittingred (Shaun McCormick, MODX Senior Core Developer) made a pretty in-depth video tutorial on how ACLs work; the problem is that it's lengthy and a lot to take in and analyze.

In this tutorial I will try to make understanding ACLs as easy as possible, so if you've spent countless hours, days, weeks or months pulling your hair out trying to understand MODX ACLs, I hope this tutorial keeps you from going bald (and if you already are, I apologize for not writing it sooner and saving you some hair).

What we will accomplish

This tutorial's goal is to create a new User Group, create a new User whose Editor permissions restrict what they can reach in the manager, and create Resource Groups for both the Administrator User Group and the Editor User Group. In plain terms: let an editor log in to the manager and work only on blog posts, while every other resource stays visible only to Administrators.

Step 1: Create a New User Group

Go to the Security tab in the MODX manager menu, then click on Access Controls.

modx-acl (1).jpg

On the Access Controls page you will see the list of user groups; MODX usually ships with the Administrator and Anonymous user groups. Click the New User Group button and create your new user group. I named mine Editor; you can do the same or use whatever name you prefer.

modx-acl (2).jpg

Step 2: Create a New User

Go to the Security tab in the MODX manager menu, then click on Manage Users.

modx-acl (3).jpg

Once on the Users page, click New User.

modx-acl (6).jpg

On the New User page, under the General Information tab, fill in the details for the new user you are creating.

modx-acl (7).jpg

Then go to the Access Permissions tab and click Add User to Group. In the User Group drop-down select Editor (the User Group we created in step 1) and in the Role drop-down select Super User. The role only matters relative to the Minimum Role you set on the ACL entries in the later steps; it does not grant anything by itself.

modx-acl (8).jpg

Step 3: Create Resource Groups

Resource Groups are just that: groups of resources, used to specify which MODX resources a user group is allowed to access.

Once again go to the Security tab in the MODX manager menu and click Resource Groups.

modx-acl (9).jpg

Now we have to create 2 Resource Groups (I will explain why shortly). Click the Create Resource Group button and type the name you want for your first resource group; I named mine Admin. After you click Save, click Create Resource Group again and type the second name; I named mine Editor.

modx-acl (10).jpg

You should end up with something like this if you used my naming convention.

modx-acl (11).jpg

So why do we need 2 Resource Groups, you may be asking yourself? Because of the way MODX works, a resource is only protected once it belongs to a resource group, so we need one resource group for the Administrator User Group and another for the Editor User Group. That is how we prevent the Editor User Group from seeing the resources in the Admin Resource Group; in this case I want the Editors to only be able to create and/or edit blog posts.

To achieve this, drag and drop from the right column the resources you want the Admin Resource Group to have access to (usually all resources) onto the Admin Resource Group, and then do the same for the resource or resources you want the Editor User Group to have access to, dropping them onto the Editor Resource Group.

modx-acl (12).jpg

Step 4: Access Controls - Admin Resource Group

Go to the Security tab once again and click Access Controls.

modx-acl (1).jpg

Then right-click your Administrator User Group and select Update User Group.

modx-acl (13).jpg

Now go to the Resource Group Access tab and click Add Resource Group. In the Resource Group drop-down select Admin (the Admin Resource Group we created in step 3). In the Context drop-down select mgr; this is the manager context, the admin side of MODX. In the Minimum Role drop-down select Super User - 0 (the 0 is the role's authority; lower numbers mean more power, and a user qualifies when their role's authority is at or below this minimum). In the Access Policy drop-down select Resource, and click Save.

modx-acl (14).jpg

Hint: The Permissions in Selected Policy box displays the permissions the user group will have on the resources in the Resource Group; the text shown here changes with the policy you choose.

Step 5: Access Controls - Editor Resource Group

Go to the Security tab once again and click Access Controls.

modx-acl (1).jpg

Then right-click your Editor User Group and select Update User Group.

modx-acl (15).jpg

Now go to the Resource Group Access tab and click Add Resource Group. In the Resource Group drop-down select Editor (the Editor Resource Group we created in step 3). In the Context drop-down select mgr (the manager context). In the Minimum Role drop-down select Super User - 0, in the Access Policy drop-down select Resource, and click Save.

modx-acl (16).jpg

Step 6: Editor User Group Context Access

Now, while still on the User Group page, go to the Context Access tab and click the Add Context button. Here we give the user group access to the manager: in the Context drop-down select mgr, in the Minimum Role drop-down select Super User, and in the Access Policy drop-down select Content Editor.

modx-acl (17).jpg

Repeat these steps to give the user group access to the web context: all settings stay the same except the Context drop-down, which should be changed to web.

modx-acl (18).jpg

Hint: The manager (mgr) is a context that does not appear in the resource tree, which is why we have to grant the user group access to both the mgr context and the web context. If you only grant mgr and not web, the editor will be able to log in to the MODX manager but will not see any context or resources in the tree.

Step 7: Flush Sessions

The last step in our process is to go to the Security tab and click Flush All Sessions. Permissions are cached in each user's session, so this flushes the cached permissions and logs out every user; until you do it, users who are already logged in keep their old permissions.

modx-acl (19).jpg
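The same configuration as Steps 1 to 7, expressed as a script against the MODX Revolution 2.x xPDO API. This is an added example, not code from the original tutorial or from MODX itself; it is useful when you want the ACL setup to be reviewable and repeatable instead of clicked together. It assumes a stock install (the Administrator group, the Super User role, and the Resource and Content Editor policies exist), an existing manager user whose username is in EDITOR_USERNAME, and that the blog container's resource id is BLOG_PARENT_ID; both constants are assumptions you must change.

```php
<?php
/*
 * Added example (not part of the original tutorial): script the ACL setup
 * from Steps 1-7 against the MODX Revolution 2.x API.
 * Run from the MODX web root: php setup-editor-acl.php
 * Assumptions (change these): the editor user already exists, and the blog
 * container resource has the id below.
 */
define('BLOG_PARENT_ID', 5);            // assumed id of the blog container
define('EDITOR_USERNAME', 'editor');    // assumed existing manager user

require_once dirname(__FILE__) . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';
$modx = new modX();
$modx->initialize('mgr');
$modx->setLogTarget('ECHO');

// The roles, policies and groups the tutorial picks from the drop-downs.
$superUser      = $modx->getObject('modUserGroupRole', array('name' => 'Super User'));
$resourcePolicy = $modx->getObject('modAccessPolicy', array('name' => 'Resource'));
$editorPolicy   = $modx->getObject('modAccessPolicy', array('name' => 'Content Editor'));
$adminGroup     = $modx->getObject('modUserGroup', array('name' => 'Administrator'));
if (!$superUser || !$resourcePolicy || !$editorPolicy || !$adminGroup) {
    die("Stock role/policy/group not found; is this a standard MODX install?\n");
}

// Step 1: the Editor user group (idempotent: reuse it if it already exists).
$editorGroup = $modx->getObject('modUserGroup', array('name' => 'Editor'));
if (!$editorGroup) {
    $editorGroup = $modx->newObject('modUserGroup', array('name' => 'Editor'));
    $editorGroup->save();
}

// Step 2: put the editor user into that group with the Super User role.
$user = $modx->getObject('modUser', array('username' => EDITOR_USERNAME));
if (!$user) die('User ' . EDITOR_USERNAME . " not found\n");
$user->joinGroup($editorGroup->get('id'), $superUser->get('id'));

// Step 3: two resource groups; Admin holds everything, Editor holds the blog.
function ensureResourceGroup(modX $modx, $name) {
    $rg = $modx->getObject('modResourceGroup', array('name' => $name));
    if (!$rg) {
        $rg = $modx->newObject('modResourceGroup', array('name' => $name));
        $rg->save();
    }
    return $rg;
}
function addToResourceGroup(modX $modx, modResourceGroup $rg, array $resourceIds) {
    foreach ($resourceIds as $id) {
        $fields = array('document_group' => $rg->get('id'), 'document' => $id);
        if ($modx->getCount('modResourceGroupResource', $fields)) continue;
        $link = $modx->newObject('modResourceGroupResource', $fields);
        $link->save();
    }
}
$adminRG  = ensureResourceGroup($modx, 'Admin');
$editorRG = ensureResourceGroup($modx, 'Editor');

$allIds = array();
foreach ($modx->getCollection('modResource') as $res) $allIds[] = $res->get('id');
addToResourceGroup($modx, $adminRG, $allIds);

$blogIds = array(BLOG_PARENT_ID);   // the container plus its direct children
foreach ($modx->getCollection('modResource', array('parent' => BLOG_PARENT_ID)) as $post) {
    $blogIds[] = $post->get('id');
}
addToResourceGroup($modx, $editorRG, $blogIds);

// Steps 4-5: Resource Group Access in the mgr context with the Resource policy.
function grantResourceGroup(modX $modx, modUserGroup $ug, modResourceGroup $rg,
                            modAccessPolicy $policy, $authority) {
    $fields = array(
        'target' => $rg->get('id'), 'principal_class' => 'modUserGroup',
        'principal' => $ug->get('id'), 'authority' => $authority,
        'policy' => $policy->get('id'), 'context_key' => 'mgr',
    );
    if ($modx->getCount('modAccessResourceGroup', $fields)) return;
    $acl = $modx->newObject('modAccessResourceGroup', $fields);
    $acl->save();
}
grantResourceGroup($modx, $adminGroup,  $adminRG,  $resourcePolicy, $superUser->get('authority'));
grantResourceGroup($modx, $editorGroup, $editorRG, $resourcePolicy, $superUser->get('authority'));

// Step 6: Context Access for the Editor group, mgr and web, Content Editor policy.
foreach (array('mgr', 'web') as $ctx) {
    $fields = array(
        'target' => $ctx, 'principal_class' => 'modUserGroup',
        'principal' => $editorGroup->get('id'),
        'authority' => $superUser->get('authority'), 'policy' => $editorPolicy->get('id'),
    );
    if ($modx->getCount('modAccessContext', $fields)) continue;
    $acl = $modx->newObject('modAccessContext', $fields);
    $acl->save();
}
echo "ACL entries written. Step 7 still applies: flush all sessions before testing.\n";
```

Every write is guarded by a lookup, so the script can be re-run after adding blog posts without creating duplicate entries. It deliberately does not flush sessions itself; do that from Security > Flush All Sessions as in Step 7, then test as in Step 8.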

Step 8: Test Admin and Editor accounts

To test properly, log in to the manager in 2 different browsers, one with the Admin account and one with the Editor account; or simply log in as the Admin user, log out, and log in again as the Editor user.

Your Admin account should have access to all the resources you put in the Admin Resource Group, and your Editor should only see the resources in the Editor Resource Group.

Admin View

modx-acl (20).jpg

Editor View

modx-acl (21).jpg

Conclusion

So we just got you restricting user groups in MODX. Although it may seem a bit easier now, I still have some bad news: I don't know whether this is a user error on my part (it probably is; I'm not that smart), but every time you create a new resource that you don't want the Editor User Group to see, you have to go to its Access Group tab and select which resource group the new resource belongs to. A new resource starts out in no resource group at all, and until it is assigned to one the Editor can see and edit it.

modx-acl (22).jpg

You can also use the Resource Group method: go to Security > Resource Groups and drag and drop the new resource onto the Admin Resource Group (yes, I know this is very tedious and a PITA). I really hope there is some setting that avoids this; if not, it's just something we're going to have to deal with until MODX comes up with a revamped ACL system.

modx-acl (12).jpg

The way MODX permissions work is that a resource that belongs to no resource group is open to every user who can reach its context, regardless of user group; access is only restricted once you put a resource into a resource group, and from then on only user groups with a Resource Group Access entry for that group can see it. In other words you have to specify which resources to lock down, not which ones to open up (I know this seems backwards; it was part of my initial confusion as well, so feel free to join our discussion on how to make ACLs easier to use in this MODX forum post).
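Because an ungrouped resource is open to everyone, the check worth automating is "which resources belong to no resource group?". The script below is an added example (not from the original tutorial or from MODX) that reports such resources and, with --fix, moves them into the Admin Resource Group from Step 3. It assumes a resource group named Admin exists; the script name and the --fix flag are this example's own.

```php
<?php
/*
 * Added example (not part of the original tutorial): find resources that
 * belong to no resource group. In MODX Revolution such resources are open
 * to every user group that can reach the context, whatever Resource Group
 * Access you configured, so a new blog post or page silently leaks to the
 * Editor group until someone assigns it.
 * Run from the MODX web root:
 *   php audit-ungrouped.php        report only, exit status 1 if any found
 *   php audit-ungrouped.php --fix  also add them to the Admin resource group
 * Assumes the 'Admin' resource group from Step 3 exists.
 */
require_once dirname(__FILE__) . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';
$modx = new modX();
$modx->initialize('mgr');

/** Return every modResource that is not linked to any resource group. */
function findUngroupedResources(modX $modx) {
    $ungrouped = array();
    foreach ($modx->getCollection('modResource') as $res) {
        $links = $modx->getCount('modResourceGroupResource',
                                 array('document' => $res->get('id')));
        if ($links === 0) $ungrouped[] = $res;
    }
    return $ungrouped;
}

$fix = in_array('--fix', $argv);
$adminRG = $modx->getObject('modResourceGroup', array('name' => 'Admin'));
if ($fix && !$adminRG) die("Resource group 'Admin' not found\n");

$ungrouped = findUngroupedResources($modx);
if (!$ungrouped) {
    echo "All resources belong to at least one resource group.\n";
    exit(0);
}

printf("%-6s %-8s %-10s %s\n", 'id', 'context', 'published', 'pagetitle');
foreach ($ungrouped as $res) {
    printf("%-6d %-8s %-10s %s\n", $res->get('id'), $res->get('context_key'),
           $res->get('published') ? 'yes' : 'no', $res->get('pagetitle'));
    if ($fix) {
        $link = $modx->newObject('modResourceGroupResource', array(
            'document_group' => $adminRG->get('id'),
            'document'       => $res->get('id'),
        ));
        $link->save();
    }
}
if ($fix) {
    echo count($ungrouped) . " resource(s) added to the Admin resource group; flush sessions now.\n";
    exit(0);
}
exit(1);    // non-zero so a cron job or deploy check notices the gap
```

Run it after every round of content changes, or from cron, and treat a non-zero exit as a finding. The same lookup-then-link logic can be put in a MODX plugin on the OnDocFormSave event so that every newly saved resource lands in the Admin Resource Group automatically; that is the missing "setting" the conclusion wishes for, implemented as a plugin rather than a system setting.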

For more info on MODX security check out Bob's website; you know, the guy who wrote the MODX book.

Need help on your next project? Feel free to contact me for my rates, I love collaborating with fellow MODXers and Developers.

Like this tutorial? Want to see more like it? Send me a message and let me know what tutorial you would like me to do next, feel free to leave your questions, thoughts and comments on how to improve my tutorials below.



Comments (8)

  1. Susan Ottwell:
    Jan 10, 2012 at 07:19 AM

    While I am by no means a Revo permissions expert, I can say that all resources are by default "public"; that is all users can see them from the web as well as work with them in the Manager. A resource must be specifically assigned to a resource group in order to be protected. Keep in mind that MODx as a whole is very much resource-centered as opposed to user-centered; everything about MODx revolves around processing the resource. Managing a user primarily prepares him for his interaction with the resource.

  2. Bob Ray:
    Jan 11, 2012 at 01:43 AM

    Hi Ben. Nice tutorial. I only have a couple of comments.

    One is trivial. I would add a comma in this phrase:

    they really are trust me -> they really are, trust me

    Second, the tutorial would work much better with an explanation at the top of what you're trying to accomplish. e.g., I want to let editors log in to the Manager but keep them from seeing x and doing y.

    You might consider a link to my security tutorials page here: http://bobsguides.com/revo-security-tutorials.html.

    I'll put a link to your page up somewhere when I get a chance.

    Bob

  3. benmarte:
    Jan 11, 2012 at 02:13 AM

    Bob,

    First of all thank you for taking some of your time to check my tutorial and thank you very much for the suggestions you made as well.

    I already made the changes you suggested and added a link to your site, thanks for all your help and the support you give the MODX community.

  4. Sepia River:
    Jan 12, 2012 at 10:00 PM

    Nice tutorial, Ben!! We need more security tuts and even though there are a couple of different ways to do things yours seems pretty bomb-proof! I love that you used 2.2 screenshots too :)

    Tips:
    1. Add sharing buttons to your site.
    2. The words "security" and "permissions" gets more searches in Google than "ACL" so if you want people to find your tutorials organically include the more popular strings in your pagetitles and/or aliases.
    3. Send an update to Pingomatic and su.pr to scatter the content around a bit :P

    Awesome work!!!!

  5. benmarte:
    Jan 13, 2012 at 03:54 AM

    Sepia,

    Thanks for the comments and suggestions. I haven't added any of those features to this site because this was my first site done in MODX and it's technically a mess.

    I am planning on finishing CMSTricks, formerly MODXTricks (long story), and I will repost this and many more tutorials regarding MODX security and many other cool things I've learnt using MODX this year. I've got some really cool stuff to share with the MODX community; I just need time to actually finish it.

  6. goldsky:
    Jan 19, 2012 at 03:23 PM

    This permission system should not make Administrator level be restricted.
    That level should pass all the permission entry.

    I don't know whether it's a bug or a feature.

  7. Mike Smull:
    Aug 08, 2012 at 02:14 AM

    This visual guide and personal help from Ben are what got me through the very confusing world of ModX Revo permissions. I'm hoping they do a much better job with Modx Cloud but I'm guessing it's going to be pretty similar.

  8. Greg:
    Aug 20, 2012 at 10:14 AM

    Thanks for tutorial.
    Let's face the truth - MODX ACL sucks. Users' permissions depend on too many factors to be efficient.
