Hi,
I'm trying to protect some web context pages so only specific logged in users can see them. I've followed every tutorial, and cleared cache/permissions probably 8 million times. I'm stumped, so I've deleted everything and started over with the
https://docs.modx.com/revolution/2.x/administering-your-site/security/security-tutorials/making-member-only-pages tutorial, and I cannot get it to work. I'm starting to wonder if there's a bug in the permissions system, which would be catastrophic. This is ModX 2.5.7-pl, fresh install from yesterday.
The ultimate failure is that the protected pages *always* load for anonymous users, and WayFinder *always* lists them in the menu.
So, imagine a site with two pages:
- Public
- Private
- I've created a Resource Group "Protected", context:web, automatically give admin group access, do not give anonymous group access, do create parallel user group.
- I've added the Private page to the Protected Resource Group.
- I've created a user e.g. SpecialUser, who is a member of the Protected group.
- The Protected group has a Context Access of web, Member, Load/List/View policy, and a Resource Group Access of Protected, Member, Load/List/View policy.
- The (anonymous) group has a Context Access of web, Member, Load Only, and no Resource Group access.{/li]
[li]The Administrator group has obviously the default web/mgr access, and Resource Group access of Protected, Member, Resource policy, Context:web.
Basically, nothing matters. The Private page will always load in a browser. Separate browser (IE instead of Chrome), history cleared, ModX cache cleared and logged out of all sessions every single time.
I've tried what feels like every combination of settings, and it's just not working. Even removing all access for the anonymous group, which one would think would block all access, will just has happily load protected pages and include them in the WayFinder menu.
After having spent two days basically doing the above steps again and again (and flushing caches), I'm about to give up and go to a simpler way like Bob's easy way of protecting pages. It just bothers me because (1) it should work, and (2) it's not great for layered permissions where multiple groups can get access to the same pages. This is an admin panel for 6 different types of users, and I'd have to bake probably 30 snippets to account for the combinations of group membership that has to be evaluated for any given page. And it's a pity to throw out what ought to work.
Anyway, any help is appreciated. And I hope I haven't found a bug, because that would be a whopper of a bug.
Thanks,
Per