    • 44375
    • 92 Posts
    We just had a near disaster with our MODx site. One of our content managers stumbled across a tutorial on SEO friendly URLs and just started hacking away at .htaccess files - putting test ones in subdirectories, fiddling with different experiments, etc, until, thankfully, they brought the whole site down and got in touch.

    This seems like a massive security risk, but my content admins need access to the 'files' tab. Is there any way I can block them from doing anything with files other than images, etc.?

    In addition to the above, is there any way I can restrict their 'files' tab to, e.g., the /assets subdirectory?

    Apologies, I have had a look through docs, stackoverflow, etc., found a mention of 'static resources' on evo and played with resource groups, but I'm a bit lost.
      • 3749
      • 24,544 Posts
      Yes, that's exactly what Media Sources are for.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 44375
        • 92 Posts
        Thanks very much, I've followed the tutorial you linked to, have created my filtered Media Source and allocated it to my custom User Group. But they now have access to my restricted Media Source *and* the filesystem too. I've looked in my custom policy and it just seems able to turn on or off the whole files tab. How can I remove their access to the filesystem?
          • 44375
          • 92 Posts
          (The 'Filesystem' Media Source does not have any User Group associated.)
            • 44375
            • 92 Posts
            Sorry, scratch that, found it - assign the admin group to the Filesystem Media Source and set to super-user only.
              • 44375
              • 92 Posts
              60% there but having two issues.

              Firstly, the user is still able to create .htaccess files, even though I have blocked that filename in the Media Source SkipFiles setting.

              Second, and only mentioning in case it is related to the above, allowedFileTypes has no effect. I've set it to:

              jpg,jpeg,pdf,png,gif,doc,docx,xls,xlsx,ppt,pptx,rtf,css

              But it seems to have no effect. I can still see .zips, .inis, etc., and still create .htaccess files. (I'm less bothered by them seeing files they shouldn't, as I can block php.ini, etc. with SkipFiles.)
                • 44375
                • 92 Posts
                (I'm running MODx 2.2.9-pl. Yes, I know, I need to upgrade, but it is a highly customized MODx with article ID cross-references in the metadata and I don't have time to set up a test site.)
                    • 44375
                    • 92 Posts
                    Any ideas on preventing MODx manager users from creating .htaccess files?

                    Also, users can edit files listed in the Media Source SkipFiles setting simply by putting the filename in the URL.

                    If these are not solvable should they be feature requests for MODx?

                    Thanks
                      • 3749
                      • 24,544 Posts
                      Using Media Sources, you should be able to easily prevent those users from seeing the MODX root at all. Give them access to specific sub-directories under the root and they'll never see anything else.

                      Any files you don't want the users to be able to edit should be in directories they can't see and wouldn't know the path to, rather than trying to use SkipFiles.

                      I generally move the core above the web root (with its own Media Source), give only myself access to that Media Source, and put any sensitive files under the core.
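The approach recommended above (confine users to a subdirectory and allow-list file types, rather than relying on SkipFiles) as an added illustration in Python; this is not MODX code, and the base directory /var/www/html/assets and the file names are constructed for the example.

```python
import os

# The allowedFileTypes list posted earlier in the thread, used here as an allow-list.
ALLOWED_EXTENSIONS = {
    "jpg", "jpeg", "pdf", "png", "gif", "doc", "docx",
    "xls", "xlsx", "ppt", "pptx", "rtf", "css",
}


def is_permitted_path(base_dir: str, requested: str,
                      allowed=ALLOWED_EXTENSIONS) -> bool:
    """Return True only if `requested` (a path taken straight from the
    request, e.g. a URL parameter) names a file a manager user may touch:
      1. it resolves to a location inside base_dir (no ../ or symlink escape),
      2. it is not a dotfile (.htaccess, .user.ini, ...),
      3. its extension is on the allow-list.
    Nothing is deny-listed by name: anything not explicitly allowed is refused,
    so naming a skipped file directly in the URL gains nothing.
    """
    # Embedded NUL bytes would make os.path.realpath raise ValueError.
    if "\0" in requested:
        return False
    base = os.path.realpath(base_dir)
    # Treat the request as relative to the base, then resolve ".." and symlinks.
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # Confinement: target must be the base itself or a descendant of it
    # (the trailing separator stops "/assets_old" matching "/assets").
    if target != base and not target.startswith(base + os.sep):
        return False
    name = os.path.basename(target)
    if name == "" or name.startswith("."):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in allowed


if __name__ == "__main__":
    # Constructed sample requests against the constructed base directory.
    base = "/var/www/html/assets"
    for req in ("images/logo.png", ".htaccess", "images/../../core/config.inc.php",
                "php.ini", "archive.zip"):
        print(f"{req!r}: {'allowed' if is_permitted_path(base, req) else 'refused'}")
```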