Bug? getLoginUserID does not work for Manager Users on the Frontend

Hi all.
Luke (new user) and I just figured out (the hard way) that the getLoginUserID function does not work for Manager users when they’re on the frontend. It seems to be because the "isbackend" isn’t true.

This seems to be at least a moderately large issue if only because the NewsPublisher snippet relies on this function to set the author. Forum post here:http://modxcms.com/forums/index.php/topic,1298.0.html. This post was marked "solved", but only the second issue was "solved".

The way we got it to work (which almost the same way that QuickEdit works) was like this: $userid = $_SESSION[’mgrInternalKey’].

Has anybody run into and/or fixed this issue? Just want to check before we attempt a fix!
-Brett

Hi Brett,

I don´t have a solution for this, but wanted to thank you for your workaround

Greetz Marc

Hi Brett,

I believe you may be right. getLoginUserID validates Managers based on isBackEnd() and the $_SESSION[’mgrInternalKey’] variable.

I’ve had a quick check through the bug tracker and can’t find a report for this, so can you log it please?

As for a fix, I think line 1794 of manager/includes/document.parser.class.inc.php has the answer

Thanks, Garry

I would be inclined to agree; while we may want to keep web users out of the backend altogether, there are many occasions when we might want a manager user to be working throught the front-end.

Logged: http://modxcms.com/bugs/task/299

And now... back to work!

Is this why only web users can see my restricted documents? I log in as admin with Manager Login but cannot access the restricted document. Shouldn’t admin have access to ALL documents whatever restrictions it might have?

FYI, 0.9.5 RC2 introduced some changes to getLoginUserID that made it return the manager user ID on the front-end, if no web user was logged into the front-end. I reverted this behavior as of revision 2001 today because it was causing problems with various components that rely on it not returning an ID for a manager in the front end. Instead, I modified the function to accept an optional parameter called context. This parameter can be either ’web’ or ’mgr’ for now, and will return a logged in user ID of the specified type (web or mgr) regardless if the code is running in the front-end or back-end. I am also specifically loading any manager user settings now in the front-end, so that QuickEdit can take advantage of the manager user language settings if available.

See FS#299 for more information.

Quote from: feary at Nov 12, 2006, 04:21 PM

Is this why only web users can see my restricted documents? I log in as admin with Manager Login but cannot access the restricted document. Shouldn’t admin have access to ALL documents whatever restrictions it might have?

No; admins can see through unpublished documents, but they cannot see through Web User permissions. This is kind of a testing feature, as I like to stay logged into the admin while I test web user permissions a lot of times, and the fact that as admin, I can see unpublished allows me to even test such permissions before publishing the pages to the frontend at all.

Ok, so logging in from the ManagerLogin snippet would be rather useless if I would access restricted documents?


here’s my story (if interested)..

i’ve recently released my first major MODx website for a client *applause*. It works damn fine (for the visitor, that is) with it’s bells and whistles. I love making websites with MODx, really. However, it is this crucial issue i cannot figure out. I use ManagerLogin to let my client get access to QuickEdit. Works perfectly. But being a manager user he cannot access restricted documents which contain some custom scripts I made for him. The only way to access these secret pages is by being a web user. so I have to create a web user group in order to prevent the document being public. But since QuickEdit only works with manager users I must ditch the whole idea of web users.

To access these restricted documents at all I’ve set the documents access permissions to public. In other words, you don’t have to be Kevin Mitnick to hack this one. I’ve been messing around with manager permission and web users and vice versa, tried every combination and even tried to merge manager WebLogin with ManagerLogin without success (noob).

Is this a bug or am I? lol.

Quote from: feary at Nov 12, 2006, 10:22 PM

Ok, so logging in from the ManagerLogin snippet would be rather useless if I would access restricted documents?

Is this a bug or am I? lol.

You just have to give him a web user login to access those pages; there is an add-on available to synchronize web and manager users I believe. What I can’t figure out is why would you have secret pages restricted from web users that contain custom scripts? I’m not following that...but regardless, why not just unpublish them? As a manager user, he will have access to unpublished pages, but web users will not.

hehe, that wasn’t so hard after all. I had no idea that unpublishing was the solution. I thought if I’d unpublish them, they would not be accessable at all. Thanks for clearing that up! This CMS is just getting better and better, awesome.

regarding the synchronization, the plugin is called Web2Manager.

thanks