New details... Extended resource-editor used BasicForm which not send headers (params only) (quick editor and most of enother elements used Ext.Ajax with headers). And in this case parametr $_SERVER['HTTP_MODAUTH'] - it`s very-very not usefull. A think both of $_SERVER['HTTP_MODAUTH'] and $_REQUEST['HTTP_MODAUTH'] - it`s not good. All of them gotted from request (params and headers) and not metter for security.
Some request not send HTTP_MODAUTH params or headers (for examle connectors/layout/modx.config.js.php ). And in this connector $_SERVER['HTTP_MODAUTH'] sets from session:
define('MODX_REQP',false);
require_once dirname(dirname(__FILE__)).'/index.php';
$_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'system','action' => 'config.js'));
So, why we use request headers modAuth? I think need to remove this.
P.S. If we update connectors/resource/index.php like this, we will have not "Access denied":
<?php
require_once dirname(dirname(__FILE__)).'/index.php';
// Insert $_SERVER['HTTP_MODAUTH'] definition
$_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'resource'));