Thanks Bob. Your ajax plus removing tinymce ideas were good guesses. The issue is not corrected, but by removing tinymce for some reason I started getting console debugging data when clicking the Install button, which then shows in chrome developer tools the connectors/index.php returning an inexplicable 403 forbidden code. I'll dig into this a bit more.
Note that the modx-core/packages seems to have the right permissions, and contains the xxxx.transport.zip downloads from a test package, which means that is being written to as expected. Actually, taking a closer look, I noticed that lazytable, the test package I'm using to debug, did in fact extract and create its directory in 'modx-core/packages'. However, it did not create that directory, or move it, not sure how it works, in 'modx-core/components'.
This gets me a lot further (anonymized slightly):
https://www.oursite.com/connectors/?_dc=1448239028869&action=workspace%2Fpackages%2FgetAttribute&attributes=license%2Creadme%2Cchangelog%2Csetup-options%2Crequires&signature=lazytable-1.0-pl&HTTP_MODAUTH=modx45833fc7c137d4.76145138_32588190c6d3576.80157686
On the working dev server, this returns 200, but on the borking live site server, it returns 403. I'll check the server itself to see if anything could be catching some other rule.
[ed. note: lizardx last edited this post 6 years, 9 months ago.]