  • I am trying to use the unauthorized_page system setting. I presume this should come into play when an anonymous user requests a resource which belongs to a resource group that has ownership in the web context.

    I have 'unauthorized_page' set to a resource that is published and publicly available. And I have the 'anonymous' group with a 'load' policy for the 'web' context (this is specified on the 'unauthorized_page' rtfm page, and I think the 'anonymous' group comes with this policy by default now).

    When I put a page in a restricted group, and then try to view it as anonymous, I get my error_page rather than the unauthorized_page. Furthermore, the first line in my log file is a 404.

    Any idea what is wrong here?

    • Is the anonymous user a member of the group that has access to those resources? If not, the page doesn't exist for that user and they get sent to the error page.

      • Just add an ACL to the Resource Group(s) for anonymous that have the "load" permission. The same principle for access to a protected Context by anonymous applies to access to protected Resource Groups.
        • Quote from: BobRay at Oct 28, 2011, 02:02 AM
          Is the anonymous user a member of the group that has access to those resources? If not, the page doesn't exist for that user and they get sent to the error page.

          If that's the case, then when does "unauthorized" ever even come into effect? If I add the user to the group w/ access to the resource, then isn't the user by definition "authorized"?

          @opengeek - I added an ACL w/ "load" to the anonymous user group for my protected resource group. Manually cleared cache. I'm still getting the error message.

          Is the theory behind this related to what Bob said, though? (And my question about it?) Having "load" permissions for the restricted Resource Group should prevent the page from "not existing" for the user, and thus allow the determination of "unauthorized" status?

          Maybe I'm just fundamentally not understanding the concept of unauthorized...

          • Is this supposed to be marked solved? I'm confused...

            After changing permissions, especially for anonymous users, make sure you Flush All Sessions before testing further.

            The idea is that if a piece of data is protected, it cannot be loaded at all, as if it does not exist. In order to be unauthorized to something, first you need to know it exists, so by giving anonymous users the ability to "load" the data, they know it exists but still cannot necessarily "list" or "view" it. This gives you the ability to protect resources further by making them appear not to exist at all (404) versus their existence being revealed (401).
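
The load-versus-view distinction from the last reply, as an added example that is not part of the original thread and is not MODX code: a simplified model of the decision, in which the class names, function names and sample ACL entries are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    user_group: str          # e.g. the "anonymous" group
    resource_group: str
    context: str
    permissions: frozenset   # subset of {"load", "list", "view"}

@dataclass(frozen=True)
class Resource:
    uri: str
    context: str = "web"
    resource_groups: frozenset = frozenset()

def granted(user_groups, resource, acls):
    """Union of permissions the user's groups hold on the resource's groups, in its context."""
    perms = set()
    for acl in acls:
        if (acl.user_group in user_groups
                and acl.resource_group in resource.resource_groups
                and acl.context == resource.context):
            perms |= acl.permissions
    return perms

def respond(user_groups, resource, acls):
    """Return (status, page served) for a request, following the thread's description."""
    if not resource.resource_groups:
        return 200, "resource"            # not in any resource group: unprotected
    perms = granted(user_groups, resource, acls)
    if "load" not in perms:
        return 404, "error_page"          # cannot load: treated as if it does not exist
    if "view" not in perms:
        return 401, "unauthorized_page"   # existence revealed, content withheld
    return 200, "resource"

# Constructed sample data (hypothetical names).
PROTECTED = Resource("members/report.html", resource_groups=frozenset({"Members"}))
PUBLIC = Resource("index.html")
MEMBER_ACL = Acl("Members", "Members", "web", frozenset({"load", "list", "view"}))
ANON_LOAD = Acl("anonymous", "Members", "web", frozenset({"load"}))
ANON_LOAD_MGR = Acl("anonymous", "Members", "mgr", frozenset({"load"}))  # wrong context

if __name__ == "__main__":
    for label, acls in [("no anonymous ACL", [MEMBER_ACL]),
                        ("anonymous load ACL", [MEMBER_ACL, ANON_LOAD]),
                        ("load ACL in wrong context", [MEMBER_ACL, ANON_LOAD_MGR])]:
        print(label, respond({"anonymous"}, PROTECTED, acls))
```

In this model, a load-only ACL attached to the wrong context still yields the 404, which is one configuration to rule out when the unauthorized page never appears.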