    Consider the following site structure:
    Root (0)
    |_Associations(1)
      |_Football club (4)
    |_Something else (2)
    |_Miscellaneous (3)

    I want to give to the president of the football club the right to edit the page 4 only.

    Although I was close to achieving this, I believe that it is impossible with MODx Evolution (version 1.0.14) because of a wrong design in the management of permissions.

    The procedure
    1. In "Users > Role management",
       1.1 create new role "Edit Football Page"
           and give it rights to modify and save pages.
       1.2 create new role "View Football Parent Docs"
           Don't give any permission to this role.
    
    2. In "Users > Manager authorizations > Users groups",
       2.1 create group "Football club"
       2.2 create group "Super-users"
    
    3. In "Users > Manager authorizations > Resource groups"
       3.1 create group "Read-write pages for football club"
       3.2 create group "Read-only pages for football club"
       3.3 create group "Protected pages"
    
    4. In "Users > User groups/Resource groups bindings",
       4.1 link to the "Football club" group:
           4.1.1 the "Read-write pages for football club"
           4.1.2 "Read-only pages for football club"
       4.2 link to the "Super-users" group:
           4.2.1 the "Protected pages"
    
    5. In "Users > Users management",
       5.1 create user "President Football Club"
           and assign to him the role "Read-write pages for football club"
    
    6. In "Modules > Doc Manager > Resource permissions"
       6.1 Check "Protected pages", assign to it the ID range: 0**
       6.2 Check "Read-write pages for football club"
           and assign to it the ID: 4
       6.3 Check "Read-only pages for football club"
           and assign to it the IDs: 0,1
    
    7. Log out
    8. Log in as "President of the football club"

    Notes
    • The user "President of the football club" will see the partial tree (nodes 0,1,4): this is correct
    • The user "President of the football club" can edit and save document 4: this is correct
    • The user "President of the football club" can edit and save documents 0 and 1: this is wrong and problematic as the user can edit parent pages to which it should not have write access. This comes from the fact that only one role can be attributed to a user, and in this case we had to choose the "Read-write pages for football club", so that the user can edit the document 4.
    • Steps 1.2, 3.2, 4.1.2 and 6.3 are necessary to make the sub-tree visible. Without doing them, when logging in as "President of the football club" no document tree is visible, making it impossible to access and edit document 4. Hence, documents 0 and 1 have to be made visible to this user.

    What seems wrong in the way access rights are designed:

    • I believe that at step 5.1, a user group should be attributed to the user, and not a (unique) user role, because a user group can have several roles and because the management of rights is done between "user groups" and "resource groups".

    Other suggested improvements
    • When a node can be accessed by a user (or better, a user group), the parent nodes should be made visible automatically in read-only mode.
      Then, the complicated steps 1.2, 3.2, 4.1.2 and 6.3 would be useless.
    • I would suggest that a default "document group 0" is created and, when a new document is created, it is attached automatically to it if the site manages user rights. Then, it would not be necessary to park newly created documents in a manually set "Protected documents" group, and a whole site could easily be switched to "read-only" mode for non-administrator users.
    • When attaching documents to a Resource group through Doc Manager, the default "Void" value remains at the top of the list. It should be removed if the Resource group has one or more documents attached to it.

    I hope that my understanding of how permissions should work is correct.
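The following is an added example, not code from the post or from MODx itself: a small Python model of the permission behaviour the post describes (visibility comes from resource-group/user-group bindings, edit rights come only from the user's single role and therefore apply to every visible document). The site layout, group names and the treatment of the "0**" range as "all documents" are constructed from the post; `football_site`, `unintended_writes` and `hidden_ancestors` are hypothetical helper names used to audit the setup.

```python
from dataclasses import dataclass

@dataclass
class Role:
    name: str
    edit_document: bool = False
    save_document: bool = False

class Site:
    def __init__(self, parents, resource_groups, bindings, users):
        self.parents = parents                  # doc id -> parent id (None = root)
        self.resource_groups = resource_groups  # resource group -> set of doc ids
        self.bindings = bindings                # user group -> set of resource groups
        self.users = users                      # user -> (Role, set of user groups)

    def visible_docs(self, user):
        # Visibility: union of the resource groups bound to the user's groups (step 4).
        _, groups = self.users[user]
        docs = set()
        for g in groups:
            for rg in self.bindings.get(g, ()):
                docs |= self.resource_groups.get(rg, set())
        return docs

    def editable_docs(self, user):
        # As the post describes it: the single role grants editing on every visible doc.
        role, _ = self.users[user]
        if not (role.edit_document and role.save_document):
            return set()
        return self.visible_docs(user)

    def unintended_writes(self, user, intended):
        # Audit: documents the user can edit but that were meant to be read-only.
        return self.editable_docs(user) - set(intended)

    def hidden_ancestors(self, user, doc):
        # Ancestors the user cannot see; if any, the tree cannot be opened down to doc.
        visible, hidden, p = self.visible_docs(user), [], self.parents[doc]
        while p is not None:
            if p not in visible:
                hidden.append(p)
            p = self.parents[p]
        return hidden

def football_site(with_readonly_group=True):
    # Constructed from the post: tree 0 -> {1 -> 4, 2, 3}; "0**" taken as all documents.
    parents = {0: None, 1: 0, 2: 0, 3: 0, 4: 1}
    rgroups = {"Protected pages": {0, 1, 2, 3, 4}, "Read-write": {4}, "Read-only": {0, 1}}
    bound = {"Read-write"} | ({"Read-only"} if with_readonly_group else set())
    bindings = {"Football club": bound, "Super-users": {"Protected pages"}}
    role = Role("Edit Football Page", edit_document=True, save_document=True)
    return Site(parents, rgroups, bindings, {"president": (role, {"Football club"})})
```

Running the audit on the constructed site reproduces the notes above: the president sees and can edit documents 0, 1 and 4, so 0 and 1 are unintended writes, and without the read-only group the ancestors of document 4 are hidden.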