Resource Tree Not Showing Assets for Second Administrative User

The resource tree works fine when I access the manager context via the default administrative user that gets set up with the initial MODX install. I just created another administrative user, however, and although there is no problem logging in, the resource tree does not list any of the resources contained within the group associated with the new user. I have seen some posts that speak of turning off 'compress_css and compress_js', but, before I start messing with the Database, I was wondering if I should even go to the trouble since it seems that if these settings are the culprit, the resource tree would not show resources for ANY users. Again -- the resource tree works just fine for the main administrative user.

My sense is that it won't hurt anything for me to get into the DB and turn off the two settings in question, but if anyone on the forum has additional insights here, they would be greatly appreciated.

Thanks much.

So. I went in to the DB and turned off compress_css and compress_js. I then deleted all of the subdirectories and files contained in the core/cache folder and flushed all cache from my browser. Unfortunately, the problem I described above persists: When I log in to the manager as the default primary administrator, everything is fine. When I log in as the second administrative user, the resource tree does not load any of the resources that should be available to the user. Any advice on what I can try now?

Other user groups need a Context Access ACL entry with a Context of 'web' (or whatever the context is called) in order to see the resources in the tree. It's kind of counter-intuitive since you're in the Manager, but it's definitely necessary.

Look at the Context ACL entries for the Administrator group and you'll see one there for the 'web' context.

BobRay -

Thank you very much for the input. I have tried (I believe) every possible permutation of rights / group / context assignments possible, but I just cannot get the resource tree to show up for this second administrative user. Indeed, right now, the new user is not even able to log in at all. I noticed that the default (primary) Administrator has access to both the Web and Mgr contexts. So, does this mean that any user to whom you want to give administrative capability will also need access to both contexts? I did, in fact, experiment with giving the user access to both contexts, but I still cannot get things to work properly.

You are correct -- it is all pretty counterintuitive.

So, does this mean that any user to whom you want to give administrative capability will also need access to both contexts?

Yes, definitely if they need to see the resources in those contexts in the tree. They need a Context Access ACL entry for each context. Access to the mgr context lets them log in. Access to the web context lets them see the resources in the tree.

If the resources are in a Resource Group that's connected to the Administrator group with a Resource Group Access ACL entry, the resources are protected, so their User Group also needs a Resource Group ACL entry for that Resource Group.

Remember to flush both permissions *and* sessions after making any changes before you test them.

This 50-minute video explains the Revolution permission system from the inside out.

Bobray. Thanks again for the input; really do appreciate it. I plan (when I have a bit more time) to view the video you recommend and see if it offers the insights I need to push forward. Until the next installment ...

There's also quite a bit of information here.

BobRay. Again - thanks much. I started watching the video you recommended but -- somehow -- it stopped playing after about 9 minutes or so and I could not get beyond that point. I may try again a bit later.

The good news, however, is that I crossed a critical threshold in terms of my progress with MODX permissions. The second admin user that I have been struggling to set up DOES now have access to topics in the Resource tree. I still need to make some major adjustments to the permissions, and my general understanding still needs to be nourished and refined, but I feel there has been some forward movement, and this encourages.

Really appreciate your input.

Two issues persist:

1. I have assigned the new administrative user to a group that is supposed to only have access to one item (page) in the Resource Tree. However, the Resource Tree displays all items when this user logs in.

2. The following error displays in a small dialog window whenever the new administrative user clicks on any of the items in the Resource Tree -- including the one item / page that the user should be able to access and update.

Code: 200 OK
{"success":false,"message":"Permission denied!","total":0,"data":[],"object":[]}

Interestingly, in spite of the error, all items in the tree do actually load AND can be updated for this administrative user.

I know you obviously have not seen the specific structure of my site or ACL configuration, but do you have any intuitions on why these behaviors are present? Again -- the user is assigned to a user group with only ONE page falling under its dominion.

Thanks much.

It sounds like you've given the user rights to that page, but possibly you haven't taken away the user's rights to the other pages.

The only way to do that is to put *all* the sites resources in a Resource Group and connect that Resource Group to a User Group the user is not a member of (e.g., Administrator), using a Resource Group Access ACL entry with a context of 'mgr'. You can use the DefaultResourceGroup extra to put future pages into that group automatically.

Be sure to flush both permissions and sessions after making any changes.

I recommend having only one member (you) in the Administrator group. It gives you more flexibility and helps prevent errors in assigning permissions.

If you have a lot of pages, this utility snippet should add all of them to that user group. Just put a tag for it on a page and this code in the snippet (create the resource group first):



I think you may also be able to use the Batcher extra to bulk assign resources to the group, but I'm not sure.