    • 10525
    • 247 Posts
    I have created three user groups (Customer, Market and Research) and three matching resource groups.

    The groups' resources are collected into a container resource (ids 10, 11 and 12) for each group.

    I set up the Login extra according to
    https://docs.modx.com/extras/revo/login, and
    https://docs.modx.com/extras/revo/login/login.tutorials/login.basic-setup,
    the only difference being that I have converted the tutorial's Members Home Page into a redirect page. This redirects each logged-in user to the homepage of their group, using the redirectUsergroups extra:

    [[!redirectUsergroups? &redirs=`Customer:10,Market:11,Research:12`]]

    All pages use the same Template, and I have a simple wayfinder menu with several calls to it in that template, one for public pages, and one for each user group:

    [[!Wayfinder? &startId=`0` &outerTpl=`outerTpl` &rowTpl=`rowTpl` ]]
    [[!Wayfinder? &startId=`10` &level=`2` &outerTpl=`outerTpl` &rowTpl=`rowTpl` ]]
    [[!Wayfinder? &startId=`11` &level=`2` &outerTpl=`outerTpl` &rowTpl=`rowTpl` ]]
    [[!Wayfinder? &startId=`12` &level=`2` &outerTpl=`outerTpl` &rowTpl=`rowTpl` ]]

    The result is that each logged-in user sees a menu with the public pages and their own user group pages, on the same menu.

    This all works fine (though I don't know how secure it is).

    However, if I am logged into the manager with the default admin in the same browser, this automatically logs the admin user into the front end too, and shows every page from each user group on the menu. And I cannot log the admin user out from the front end using Login.

    I remembered that when creating the resource groups, I ticked the "Automatically give administrator group access". So I tried removing this access for one group. But this made no difference and the admin still shows all groups on the menu.

    So my questions are:

    1. How can I develop and test in the same browser without interference from the admin user?
    2. How can I remove admin user access to any resource group?
    (3. Does my security structure look ok for preventing cross-group access?)

    This question has been answered by BobRay. See the first response.

      • 3749
      • 24,544 Posts
      Resources are only protected in the web context if there is a Resource Group Access ACL entry with a context of 'web' connecting the resource group to a user group. They are then hidden from anyone (including the admin super user, if not a sudo user) who is not a member of the user group.

      1. You really can't do this reliably. If you want to test access for another user, you should always do it from another browser where you are not logged in to the Manager.

      2. See the first paragraph above.

      3. To see if your method is secure, log in as a user in another browser and enter the URL of a protected resource the user shouldn't have access to in the browser's address bar. If your system works, you'll get sent to the page specified in the error_page System Setting (or the unauthorized_page if you've set that up properly - see the Unauthorized Versus Error page section near the bottom of this page), though I'd suggest getting things working correctly before messing with that.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
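As an added illustration of the rule in the answer above (this is a constructed model written for this page, not code from the thread or from MODX itself), the following Python sketch encodes the access decision the way the answer states it: a resource group only protects its resources in a context when a Resource Group Access ACL entry for that context links it to a user group; protected resources are hidden from everyone who is not in a linked user group, except a sudo user. The resource ids (1 for a public page, 10/11/12 for the containers), group names, user names and ACL rows are all constructed sample data, and the `menu_for` helper stands in for what a Wayfinder menu would list for a given visitor. It also shows the case the question runs into: ACL rows that exist only in the `mgr` context leave the resources unprotected in `web`.

```python
"""Simplified model of MODX-style resource group access checks.

Educational model added for this page; it is not MODX's own implementation.
Rule encoded (from the answer above): a resource is protected in a context
only when a Resource Group Access ACL entry for that context links one of
its resource groups to a user group. Protected resources are hidden from
anyone outside a linked user group, unless that user is a sudo user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()   # user group names the user belongs to
    sudo: bool = False                # sudo users bypass every ACL check


@dataclass(frozen=True)
class AclEntry:
    resource_group: str
    user_group: str
    context: str                      # e.g. "web" or "mgr"


# Constructed sample data mirroring the question: one public page (id 1) in no
# resource group, and three container resources, one per resource group.
RESOURCE_GROUPS = {
    1: frozenset(),
    10: frozenset({"CustomerRG"}),
    11: frozenset({"MarketRG"}),
    12: frozenset({"ResearchRG"}),
}

# ACL rows that actually protect the resources for front-end (web) visitors.
WEB_ACL = (
    AclEntry("CustomerRG", "Customer", "web"),
    AclEntry("MarketRG", "Market", "web"),
    AclEntry("ResearchRG", "Research", "web"),
)

# The same links, but only in the manager context: no protection in "web".
MGR_ONLY_ACL = tuple(AclEntry(e.resource_group, e.user_group, "mgr") for e in WEB_ACL)


def protected_groups(acl, context):
    """Resource groups that have at least one ACL entry for this context."""
    return {e.resource_group for e in acl if e.context == context}


def can_view(user, resource_id, acl, context="web"):
    """Return True if `user` may see `resource_id` in `context`."""
    if user.sudo:
        return True
    groups = RESOURCE_GROUPS.get(resource_id, frozenset())
    if not (groups & protected_groups(acl, context)):
        # None of the resource's groups is protected in this context,
        # so the resource behaves as a public page here.
        return True
    # Otherwise the user needs membership in a user group that an ACL entry
    # for this context links to one of the protecting resource groups.
    return any(
        e.context == context
        and e.resource_group in groups
        and e.user_group in user.groups
        for e in acl
    )


def menu_for(user, acl, context="web"):
    """Resource ids a menu would list for this user (sorted, constructed)."""
    return sorted(rid for rid in RESOURCE_GROUPS if can_view(user, rid, acl, context))


if __name__ == "__main__":
    customer = User("alice", frozenset({"Customer"}))
    admin = User("admin", frozenset({"Administrator"}))
    superuser = User("root", frozenset({"Administrator"}), sudo=True)
    print("customer, web ACL:", menu_for(customer, WEB_ACL))      # [1, 10]
    print("non-sudo admin, web ACL:", menu_for(admin, WEB_ACL))   # [1]
    print("sudo admin, web ACL:", menu_for(superuser, WEB_ACL))   # [1, 10, 11, 12]
    print("customer, mgr-only ACL:", menu_for(customer, MGR_ONLY_ACL))  # [1, 10, 11, 12]
```

The last line of the usage block is the interesting one for the question: with links that exist only in the `mgr` context, every container is visible to every front-end visitor, which matches the answer's point that only a `web`-context entry hides resources there. The check in point 3 of the answer (request a protected URL as the other user from a separate browser) is the live counterpart of `can_view` returning False.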
        • 10525
        • 247 Posts
        Thanks for your reply Bob, all makes sense. I will just do it the two-browser way.