How to create editor / limited access to modx manager using default access policies ??

I admit, that modx manager permissions are still confusing to me. I understand basic principles and how it works... but always I have problems when dealing with them

I managed to create editor permissions for my clients which I use on most of my sites. At that time I just duplicated admin template and turn off all I didn't needed.

Now I want to try and create a simple "editor user group" with resource editing access only. I wan't to do this using only existing policies. Is this even possible ??

Anyway... I've done this:

1. Created a new role "editor test" with authority 10
2. Created a news user group "Editor test" and add one user to it and assign editor test role
3. Added context access mgr / Editor test - 10 / Editor test
4. Added context access web / Member - 9999 / Editor test

When I login with editor user I see MGR and WEB context. All seems to work fine and in some way it does. I can create a new resource or update existing one.

Every save I get a notice:
Code: 200 OK
{"success":false,"message":"Permission denied!","total":0,"data":[],"object":[]}

Resource is saved, but that annoying pops out every time. I dealt with that message previously and If I'm not mistaken is something related with some "user access" permission.

Anyway.. Can someone please give me step by step direction how to properly create simple editor access using only default policies if this is even possible??

I think it's one of the view_ permissions that's missing. IIRC, it's view_template.

Hello.
What permissions do you wanna use via new role ?

@BobRay => My question is not so much about what is causing that error but what default policies to use to avoid that. Is there a policy I need to add to avoid that error? Or I have to add manually missing permission ?
@cere6ellum => I just want to create a group with editing resource permissions (edit resources only).

If check view_user in content editor policies then problem is fixed. This should be checked by default.

Can someone explain me what is the relations between permissions "publish_document", "unpublish_document" and "view_unpublished" in Content Editor access policies vs. "publish" and "unpublish" in resouce access policies?

I checked the first three because I thought that I can set this permissions individualy for each resource group access with publish / unpublish.

Here's a brief explanation:

It has to do with the type of the policy they are listed in.

The first ones (for Content Editor) are part of a "Context" policy. It applies to the whole context and only makes sense in a Context Access ACL entry. If it's the 'mgr' context and the user doesn't have those permissions, they can't perform those actions anywhere in the Manager.

The second group are part of an "Object" policy (the Resource policy is an example). They control what you can do with specific MODX objects, such as Resources in a Resource Group.

The context permissions take priority. If you don't have save_document permission in the Context Access ACL that gives you access to the current context, you can't save documents -- period. If you do have that permission, but don't have save permission for the resource's resource group, you still can't save it.

If you want to understand how MODX security permissions work under the hood (which really helps when you're trying to set them up), see this ~50 minute presentation I gave at modExpo: https://vimeo.com/54360208.