Evo 1.0.8 - Web group/user access issues

Hi There,

I am having problems with web groups, web users and access. It seems that if a web user belongs to more than one web group, there can be access permissions difficulties for resources.

So, I set up webuser1 and webgroups 1 and 2 (wg1 & wg2) and set up resource group 1 and 2 (rg1 & rg2) and link rg1 with wg1 and rg2 with wg2.

I then associate webuser1 with wg1 and then with wg2.

webuser1 has access to all resources in rg1, but though they can see the title of rg2 resources in menus and lists, selecting the resource leads to an access denied issue. When I remove wg1 from webuser1, they see wg2 resources perfectly. It is almost as though a web user can only be associated with one web group or resource group.

Can anyone explain why I am having these issues in an area that really should simply be working - it seems to be set up so that web users can belong to more than one web group, but the permissions of each group seem to be confusing each other.

Thanks very much to anyone who can explain this issue to me.

Kathy [ed. note: kathycee last edited this post 11 years ago.]

Well I accomplished what I wanted by setting up a third webgroup and resource group that had access to the resources of the other two and made my web user a member of that webgroup. A bit clunky but at least the user can see both the authorised areas that they are supposed to.

So, am I right in thinking that a web user can only be a member of one webgroup or the permissions cancel each other out somehow?

Is the reason nobody is answering that nobody knows or that it is too basic a question to be bothered to answer? I honestly can't find anything that explains this anywhere. I have no idea why I cannot make a web user a member of two groups and have them see all the resources in each. Is that supposed to happen? Or is my user supposed to see both sets of resources?

That should work. A user should be able to be assigned to multiple groups. I haven't used Evo for some time, though, so I can't really say for sure what the problem is here.

Hi Kathy.

apologies on the non-responsiveness and I am glad you found a workaround. If you ever have questions feel free to @message me on Twitter. I usually see those on my phone. If I don't know an answer I can pester someone who does. A lot of the forum post-ers are Revo peeps but Evo devs are out here.

Make sure that "Use access permissions" is set to Yes in the User tab of Tools -> Configuration.

tool to check user group:
http://pm-fx.com/en/blog/2011/modx-evo-checking-user-group

and more on doc access permissions in Evo is here:

http://wiki.modxcms.com/index.php/Document_Access_Permissions

When creating or editing a document in MODX Evo if you scroll down to the bottom of the page in the MODx Manager, you should see a section titled: Access Permissions.
The default option is: 'All Document Groups (Public)' - there will be other options if you have created new document groups.
To set access permissions:
Create a new document.
Assign this document to a group or groups. NOTE: If you assign this document to the PUBLIC document group, it is accessible on both the frontend and the backend by all users. Also if you select the PUBLIC option, you cannot select additional groups.
If you do not assign any web users to this document group, this makes it public in frontend.
If you assign this document group to a managers group, then only that managers group can edit it.
You can assign any document to any group. Access restrictions only apply in the following situations:
FRONTEND: Assign web users to this document group. Do not assign any web users to this document group to make it PUBLIC.
BACKEND: Assign manager users to this document group.
Creating a document group

From the MODx Manager page:
Select the Security Tab.
Select the Web Permissions Link. (under the Security Tab, sure? - for sure this does not relate to REV 2.0.3 and/or 2.0.4Italic text)
You should see 3 tabs now: Web User Groups, Document Groups, and User/Document Group Links. Select the Document Groups Tab.
Type the name of the new Document Group into the input box and click the Submit Button.
Select the Managers Permissions Link.
Same as number 3 above.
Same as number 4 above.
You have now created a new document group that exists in both the FRONTEND (Web Users) and the BACKEND (Managers). Once you have created the document groups, they will appear listed at the bottom of the document editing screen in the MODx Manager for each document. To assign the document to a document group, just edit the document, check the checkbox for that group, and save the document.
You can see a master list of which documents are assigned to which groups by selecting: Security | Web Permissions (or Manager Permissions) | Document groups. You can also manage document groups for multiple documents at the same time by selecting: Modules | Doc manager | Document Permissions.
Document Permission Rules

Any document that is not assigned to a document group is open for everyone.
A document in a document group that is not connected to a user group is open for everyone.
As soon as a document is assigned to a document group that is connected to a user group, it can only be accessed by users belonging to that user group.
The above rules apply to both Manager User permissions and Web User permissions, BUT:
Manager User permissions (which apply in the Manager) and Web User permissions (which apply in the front-end) are entirely separate.
Setting Manager User permissions has no effect on Web users and vice versa.
The same document group can be connected to either or both, however.
Some real information that would explain reality and be really useful would be really helpful - just a thought ;-)
Examples

Imagine This document and user groups scenario:
Manager Users Groups
MugEditors
Darlene
Alfalfa

MugReviewers
Spanky
Buckwheat

Web Users Groups
WugFans
Happy
Grumpy

WugNewbies
Doc
Sleepy

WugNobody
(no members)

Document Groups
NewsBriefs -- assigned to no user group
Reviews -- assigned to MugReviewers, WugFans
Events -- assigned to MugEditors, WugFans
Gossip -- assigned to MugEditors, MugReviewers
FanOnly -- assigned to MugEditors, WugFans
Ed-Private -- assigned to MugEditors, WugNobody
Rev-Private -- assigned to MugReviewers, WugNobody
ManagerOnly -- assigned to WugNobody
NewbieOnly -- assigned to WugNewbies
Documents
Doc1 -- assigned to no document group (accessible to: anyone)
Doc2 -- assigned to NewsBriefs (accessible to: anyone -- not assigned to a doc. group)
Doc3 -- assigned to Reviews (accessible to: Spanky, Buckwheat, Happy, Grumpy)
Doc4 -- assigned to Events (accessible to: Darlene, Alfalfa, Happy, Grumpy)
Doc5 -- assigned to Gossip (accessible to: Spanky, Buckwheat, Happy, Grumpy, all front-end users)
Doc6 -- assigned to FanOnly (accessible to: Darlene, Alfalfa, Happy Grumpy)
Doc7 -- assigned to Ed-Private (accessible to: Darlene, Alfalfa)
Doc8 -- assigned to Rev-Private (accessible to: Spanky, Buckwheat)
Doc9 -- assigned to Ed-Private, Rev-Private (accessible to: Darlene, Alfalfa, Spanky, Buckwheat)
Doc10 -- assigned to ManagerOnly (accessible to: all Manager Users, no front-end users)
Doc11 -- assigned to NewbieOnly (accessible to: all Manager Users, plus Doc and Sleepy)
Note that in this setup, the Manager Users would not see many of the documents in the front-end when not logged into the Manager unless added to the appropriate Web User groups.

I would double check your resource access permissions???