I found the problem, but I have not found a solution. Needs Jason's help. (And it looks like it is not perfect in security, but may be not critical.)
Major cause: nulled $_SESSION['modx.mgr.user.token'] (not undefined).
You may set $_SESSION['modx.mgr.user.token'] = '0'; via Console and reload the page. Then the manager panel will work almost correctly except resource/update. Reason: many JS objects extend element and send requests via MODX.ajax, which must send not only request params but also request headers (modAuth); see core/modx.layout.js:
Ext.Ajax.defaultHeaders = {
'modAuth': config.auth
};
Ext.Ajax.extraParams = {
'HTTP_MODAUTH': config.auth
};
config.auth is set in modmanagercontroller:
$siteId = $this->modx->user->getUserToken('mgr');
.....
$o .= '<script type="text/javascript">Ext.onReady(function() {
'.$state.'
MODx.load({xtype: "modx-layout",accordionPanels: MODx.accordionPanels || [],auth: "'.$siteId.'"});
});</script>';
And when we have $_SESSION['modx.mgr.user.token'] == '0', we get auth: "0". And if we send the header modAuth: "0" and the param HTTP_MODAUTH: "0", we get:
$_SERVER['HTTP_MODAUTH'] == $_REQUEST['HTTP_MODAUTH'] == $this->modx->user->getUserToken($this->modx->context->get('key')) ($siteId) == "0" in modconnectorresponse.
But if we do a quick resource/update via resource_tree, we have all these params and have no problems. But if we try to update a resource in the full resource editor, we do not have the modAuth header in the request and get "Access denied".
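
The comparison described above, as an added example that is not part of the original post and is not MODX's own code: a simplified model of a loose token check beside a hardened one that rejects a nulled or "0" session token outright. The function names, the 16-character minimum and the sample token are assumptions made for illustration.

```php
<?php
// Added example, not MODX code. Function names and the 16-character
// minimum token length are assumptions made for illustration.

// Simplified model of the loose check described in the post.
function loose_token_check(array $server, array $request, $sessionToken): bool
{
    $header = $server['HTTP_MODAUTH'] ?? null;
    $param  = $request['HTTP_MODAUTH'] ?? null;
    return $header == $sessionToken || $param == $sessionToken;
}

// Hardened variant: a degenerate session token is never a credential.
function strict_token_check(array $server, array $request, $sessionToken, int $minLen = 16): bool
{
    if (!is_string($sessionToken) || strlen($sessionToken) < $minLen) {
        return false; // nulled, empty or "0" token
    }
    $supplied = $server['HTTP_MODAUTH'] ?? $request['HTTP_MODAUTH'] ?? null;
    if (!is_string($supplied)) {
        return false; // missing or array-valued input
    }
    return hash_equals($sessionToken, $supplied); // constant-time compare
}

// Constructed sample cases: [label, $_SERVER, $_REQUEST, session token].
$good  = 'modx5f2a9c1e7b3d48.06917342'; // constructed token value
$cases = [
    ['token "0", header "0"',  ['HTTP_MODAUTH' => '0'], ['HTTP_MODAUTH' => '0'], '0'],
    ['token null, no header',  [], [], null],
    ['real token, matching',   ['HTTP_MODAUTH' => $good], [], $good],
    ['real token, header "0"', ['HTTP_MODAUTH' => '0'], [], $good],
];

foreach ($cases as [$label, $server, $request, $token]) {
    printf("%-24s loose=%-5s strict=%s\n",
        $label,
        var_export(loose_token_check($server, $request, $token), true),
        var_export(strict_token_check($server, $request, $token), true));
}
```

The first two cases are the ones the post is about: the loose check accepts them because both sides of the comparison are the same degenerate value, while the strict check refuses any session token that is not a string of reasonable length.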