Resource Groups in MODx Revolution...

Hi guys,

Im trying to create an editor user that can only see a list of documents I specify.
In Evo I would basically create a resource group called "Developer Docs" and I would ensure that the user is not is this group.

I did the same in Revo, however the editor user can still access the "Developer Docs", even tho he is not a member.
Are the Resource Groups treated differently?

J

Not getting this....
If I do the following:
- Create Resource Group called: "Protected Group"
- I then create a a User Group called "Protected Users"
- If I then update the user group and associate the two, the documents in Protected Group disappear from the manager when signed in as the admin!

Is this normal behavior?
When I log in as the user its the same, the documents are not visible.
Seems strange that an admin can apply a rule to their own account to restrict access to content?

Try reading this first:
http://bobsguides.com/revolution-permissions.html

You need to give context permission, with an access policy. You’ve effectively hidden the resource group from everybody, as MODx doesn’t know what the approved groups can do with those resources. And that includes the Administrator group.

Quote from: odeclas at Jan 06, 2011, 03:26 PM

Try reading this first:
http://bobsguides.com/revolution-permissions.html

You need to give context permission, with an access policy. You’ve effectively hidden the resource group from everybody, as MODx doesn’t know what the approved groups can do with those resources. And that includes the Administrator group.

Have read that already, and the cheat sheet and all the forum posts

This is exactly what I did (I think I did all of what you said above??):
1. Create new "editor_resource_group"
2. I dragged 2 docs in then clicked
3. Security -> Access Controls
4. I created a New User Group "Backend_Restricted"
5. I updated this guy
6. I gave Context access to mgr and web with the following settings:
min role: Editor 1 (which I created)
access pol: Content Editor (as this has most of what I want my user to do)
7. Resource Group Access I added a new entry:
Resource Group:editor_resource_group
Minimum Role: Editor 1
Access Policy: Resource
Context: mgr

Save - Docs disappear.

I though this would allow the editor to see only the docs in editor_resource_group, obviously I took a wrong turn?
I just want to hide all docs but one I choose to a user other than admin?

I’m not clear what the issue is - have you given the Administrator group access to the Editor_resource_group Resource Group in the Mgr context or not?

From what I can understand of your issue, you’ve given Backend_Restricted (poor choice of name for a user group, but never mind) access, but not Administrator group - AND as none of your other documents are in restricted resource groups your editor can still see them.

There is another way of achieving what you want if all the restricted items are in one folder eg resource id 27
Update the user > Setting > Add new

Quote from: odeclas at Jan 06, 2011, 03:51 PM

I’m not clear what the issue is - have you given the Administrator group access to the Editor_resource_group Resource Group in the Mgr context or not?

Problem is, i’m not clear how to do even that!
This is my understanding:
- Create Resource group
- Create User Group
- Give User Group access to mgr context - done
- Give User Group access to Resource Group in the mgr context - done

No joy :0

Another problem I note when trying to do this last step, the only options I have available to me in Access Policy drop-down:
(No policy)
Load Only
Load, List View
Object
Resource

I have created several Access Policys myself as I was advised to duplicate etc. There shoule be at least the admin ones here also?

The last list of policies you mention only apply to resources. The access policy you want is ’Load,list and view’.

User groups (as of Revo 2.0.5) have access policies based on access policy templates, which determines what permissions a role has within that user group / context combination. For example:

- I have a user Albert, who belongs to a user group called Editors with a role of member 9999
- The Editors user group has an access policy of ’Content Editor’ based on the Administrator policy template (ships with 2.0.5+) for context ’mgr’ - for which they need to have a minimum role of ’member 9999’
- Resources are in a group ’Restricted’
- I have given my user group Editors access to resource group ’Restricted’ in context ’mgr’ with an access policy of ’load, list and view’.
- I have also given my Administrator user group access to the Restricted resource group in the mgr context.

I _could_ make it tighter by creating a new role Editor with a value between member 9999 and superuser 0, and giving Albert that role in the group Editors, but in this case I haven’t.

Thanks for that, think I need to start again with this one.
There appears to have been changes to the Permissions since I last reviewed revo, and all the documents seem to reference these.

Does anyone have an idiots bullet point guild to create a new user, and give him access to 1 document in 1 document group only? (IE he can only see one doc in mgr)
That’s all I want....

I feel like a dog with a bone on this one . User permissions are a little simpler now in 2.0.5+ (and there’s been no fundamental change other than the creation of policy templates).

To do what you want you need to do two things - INCLUDE them in users that can see the restricted resource group and EXCLUDE them from other resources (either by putting all other resources into a Resource Group that they don’t have access to, denying everyone access to them, or some more complicated manipulation of user roles).

It is much, much, easier to restrict a user in the resource tree to specific resource ids - in reply 5 above, I showed you how to restrict what a user sees in the manager - by adding a specific setting for that user - tree_root_id (Manage Users > Update User > Settings > Create New - and then add the values I put in the earlier post - but using the resource id you want them to have access to as the ’value’.

You could use this technique on its own, but other users would still have access to that resource (unless it was Resource Group protected, or every user had a specific tree_root_id set).

Quote from: odeclas at Jan 06, 2011, 08:00 PM

You could use this technique on its own, but other users would still have access to that resource (unless it was Resource Group protected, or every user had a specific tree_root_id set).

This is a nice approach, but not ideal.
I would have to out all my resources with snippets etc (My "protected resource") into one RG.
And everything else into a "Public" RC.
This could take ages with a large site, is there any other option....