MODX User File Browser & Upload Permissions

On a few different sites now, I’ve been having trouble setting an Access Policy that will allow the user to upload a media or image file through associated TVs.

I’ve tried the default Content Editor Policy with ALL the file_etc and directory_etc keys enabled, but the user account cannot view any subdirectories (can only see root in the File Browser) and trying to upload results in "Permission Denied" message in the Upload Window. It takes a long time to test because I have to wait for a file to fully upload before getting the error message

I’ve also tried a new Access Policy based on Administrator, with Element access etc stripped off - but that produces the same result.

Is there an Access Policy key that I’m missing that will grant the user File Browsing and Upload permissions correctly? I’m getting this consistently across several 2.0 sites, and I think even a 2.1 site so I think I’m just missing something obvious...???

Thanks in advance, MODX Community

I know this may be a give in but did you make sure you had permissions at the directory itself on the server? Try giving it full super user status and see if it works, and it may help to use a smaller test file till you resolve the issue.

Thank you for this. I appreciate your thoughts on it.
Quote from: tmlove84 at Aug 09, 2011, 06:24 AM

I know this may be a give in but did you make sure you had permissions at the directory itself on the server?

My Administrator user account can access every file and directory from the web root down, so it seems to be something with the user/user group specifically.
Quote from: tmlove84 at Aug 09, 2011, 06:24 AM

... it may help to use a smaller test file till you resolve the issue.

VERY good point!

Looking through the code, the user could get a permission denied error if they don’t have:
* the file_upload permission in the mgr context
* the load permission for the context they’re uploading the file to

OK. Mark and I just went through the Access Policies again, still no dice. Here’s what didn’t work:

1. Enabling ALL permissions in the Access Policy assigned to the Role.
2. Assigning Original, Unmodified Administrator Access Policy to the Role.

Even by doing these two things, the file browser is broken for the Editor Role, which is granted mgr Context Access in the Editor User Group.
This makes me think that either new User Groups cannot use the file browser for some reason, or Roles other than Administrator (although Roles only function via Access Policies, right?)

Anyways, we’re stumped. Anyone else got any ideas at all?

Definitely will post huge tutorial on this when figured out.

I’m sure you’ve done this, but just in case -- you did flush permissions and sessions after making the changes, right?

Thanks for taking the time to respond, Bob. Unfortunately, I was hitting the "Flush" button like I was playing a hack ’n’ slash RPG, LOL

FIXED!!! This might be a bug, but here’s the solution:

The User Group that was having troubles must have MGR Context Access with a Super User role that is granted the Administrator Access Policy. I don’t have any users in this User Group with the Super User role, the Context Access is just there as part of the User Group. The users have the lower-level Editor role, with limited permissions, and NOW they can upload files and use the file browser.

It’s as though without a Super User role in the User Group, the User Group as a whole cannot have access to certain permissions. Weird, but it works

I always add myself to every group with a role of admin Super User (and a corresponding Context Access ACL entry), which might be why I haven’t seen what you experienced.

Can someone write simple hoe to create that kind of user, txanks in advance