Resource Groups in MODx Revolution...

Bear in mind that tree_root_id doesn’t really protect the resources. It’s fine for naive users who can be trusted, but if a user can guess the correct URL for editing a resource in the Manager, they can still do it.

Quote from: BobRay at Jan 07, 2011, 07:05 AM

Bear in mind that tree_root_id doesn’t really protect the resources. It’s fine for naive users who can be trusted, but if a user can guess the correct URL for editing a resource in the Manager, they can still do it.

Yeah I don’t think I’m going to do that.
OK so I think I got it working after much toil, blow by blow account below.

1. I created a new Resource Group called "Developer Resources".
2. To this I added all the resources with snippets that I wanted to hide from my client.
3. I now created a new Role in Security -> Access Controls -> Roles [I called it "Editor" and gave it a priv of 1]
4. I created a new User Group called "Client Editor" in Security -> Access Controls -> User Groups
5. I now created a new User in Security -> Manage Users -> Add User. I added this user to the user group "Client Editor" with a Role of "Editor"
6. I now edited the User Group called "Client Editor" created in step 4.
7. In Users tab I added the user I created in step [5]
8. In Context Access I setup the following:
Context: mgr | Minimum Role: Editor | Access Policy: Content Editor (ensures this guy can login to manager)
Context: web | Minimum Role: Editor | Access Policy: Content Editor

9. In Resource Group Access I setup:
Resource Group: Developer Resources | Minimum Role: Editor | Access Policy: Load Only | Context: mgr (means this guys cannot see these docs in mgr context....which is what I want)
Resource Group: Developer Resources | Minimum Role: Editor | Access Policy: Load Only | Context: web

10. Save

Still with me....

11. Edit the Administrator User Group now.
12. In Resource Group Access add the following:
Resource Group: Developer Resources | Minimum Role: Super User | Access Policy: Resource | Context: mgr (means this guys can see these docs in mgr context, and still edit etc)
Resource Group: Developer Resources | Minimum Role: Super User| Access Policy: Resource | Context: web

13. Save and then Flush permissions.

DONE!! I now have an admin user who can see everything, and an Editor user who sees all documents but the ones I hide from them in my "Developer Resources" group.

I’m off to get a coffee
I think the thing that did not sit well in my head was the fact the admin can hide documents from themselves, this to me seems very odd (I am the admin after all) I make the rules!!!

Thanks guys for replying to this thread!

Looks good. Thanks for laying it out for others.

I could be wrong, but don’t think the two rules in #9 are necessary since #12 should hide the resources and #8 should let the editors log in.

I think this is exactly what I have been struggling with - thanks for documenting your process. The management of users and resource permissions in Revolution seems to be so complicated. I’m sure once you get your head around it, it’s worth while and probably a lot better for customisation etc. But part of me still misses the Evolution set up where I could just create a user and tick boxes on what they are and aren’t allowed to do.

I have some other things to get finished first but I will definitely be coming back here to follow these steps thanks!

Hi, thanks for the explanation but I have a problem, the resources that allow for the client can’t see, to explain better, this is the structure of the web site:

Resources:

- Inicio
- Información (container)
- Area exterior
- Eventos
- Noticias (Container, hidden from menu)
- Contacto

The client can only modify the contents of

- Información (container)
- Noticias (Container, hidden from menu)

I follow the explanation but the client user can’t see the resources. What happend??

I want to know how to have the client user may only modify the contents of "Información" (can’t delete or add more resources within’re container) and container "noticias" can’t erase the contents it has but add more content.

Thanks and really is very confusing that the permissions on the MODx and sorry for my english

Quote from: JoZ3 at Jan 10, 2011, 05:32 PM

Thanks and really is very confusing that the permissions on the MODx and sorry for my english

No need to apol!
What version of MODx Revo u running? Please note I have only tried the above on 2.0.5
There may have been changes that effect the steps.

My Modx Revo is 2.0.7pl (traditional)

I followed the example above, except 9 - I didn’t seem to have that option in user groups. I dragged all documents into the developer usergroup and the folder I wanted into the editor. Everything seemed fine, until I tried to access the site while not logged in (or even logged in as the editor) - 404 error.

All I want to do is make 1 folder accessible in the back end to a content editor and the whole site available to everyone (without being logged in) in the front end and I can’t seem to do it after trying for ages.

Thanks in advance for any help.

RuthEd

At least one of your Resource Group ACL entries for the user group(s) has a context of ’web.’ That protects the resources in the front end (which you don’t want). If you change them all to ’mgr’ the rules won’t affect access in the front end.

Thanks for your help. I’ve managed to get the required result now (not quite understanding how!).