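<?php
/**
 * Manager plugin with two independent parts:
 *  - OnUserFormPrerender: registers a stylesheet for users who are not in
 *    user group id 1, so that fields can be hidden in the user form.
 *  - OnMODXInit in the mgr context: narrows the user list request to the
 *    current user's primary group.
 *
 * Both parts only shape what the manager displays. Neither refuses a save or
 * delete request, so hidden fields and filtered lists are not an access
 * control on their own; the restriction has to be enforced server-side as well.
 */

// Injects a CSS file in which fields can be hidden.
if ($modx->event->name === 'OnUserFormPrerender') {
    // Test membership on the group ids themselves. The earlier form imploded the
    // ids into one string and compared it loosely with 1, which gives different
    // answers on PHP 7 and PHP 8 as soon as the user belongs to several groups.
    $groupIds = array_map('intval', (array) $modx->user->getUserGroups());
    if (!in_array(1, $groupIds, true)) {
        $modx->regClientCSS('../assets/css/userAdminCSS.css');
    }
}

// Restrict the listing of users to the group the current user is in.
if ($modx->context->get('key') === 'mgr' && $modx->event->name === 'OnMODXInit') {
    $action = $modx->getOption('action', $_REQUEST, '');
    if ($action === 'security/user/getList') {
        // NOTE(review): getPrimaryGroup() is dereferenced unchecked. If it can
        // come back empty for a user without a primary group this line raises an
        // error; decide explicitly what such a user should see instead of letting
        // the filter disappear.
        $group = $modx->user->getPrimaryGroup();
        // NOTE(review): only $_POST is overwritten while the action is read from
        // $_REQUEST - confirm the list processor cannot take `usergroup` from
        // another request source.
        $_POST['usergroup'] = $group->get('id');
    }
}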
// Flag that the (elided) checks below set to TRUE when the request must be refused.
$actionDenied = FALSE;

// Perform lots of checks
// ...

// Deny action?
if($actionDenied) {
    // Two other ways of refusing the request, left disabled by the author:
    //$modx->sendUnauthorizedPage();
    //$modx->error->failure($modx->lexicon('access_denied'));

    // NOTE(review): the redirect target is an absolute plain-http URL with a
    // hard-coded host. A redirect alone does not undo the pending action; the
    // request is only stopped because the script ends here.
    $modx->sendRedirect("http://www.domain.com/manager");
    // Ends the script with the 'access_denied' lexicon entry as its output.
    // NOTE(review): presumably unreachable if sendRedirect() already terminates the request - confirm.
    exit($modx->lexicon('access_denied'));
}
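// Keep the refusal text in the session under the key 'AccessDeniedMessage'.
// The text is a fixed literal; if request data is ever added to it, escape it
// where it is printed.
$msg = "You don't have permission to delete a user";
$_SESSION['AccessDeniedMessage'] = $msg;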
// Hands back whatever is stored in the session under 'AccessDeniedMessage'.
// Reading the key when nothing was stored raises an undefined-index notice.
// NOTE(review): presumably meant for the element that displays the refusal - confirm where this runs.
return $_SESSION['AccessDeniedMessage'];
// Put the refusal text into the event's output, then leave without a return value.
// NOTE(review): presumably the caller treats a non-empty event output as a refusal - confirm for the event in use.
$modx->event->_output = $msg;
return; // also try return false;
// Hands the refusal text back as the return value of this code.
return $msg;
// When the preceding checks flagged the request, report the refusal through
// the event output and stop the plugin.
if($actionDenied) {
    // Deny the action
    // Thanks Bob! - https://forums.modx.com/thread/99968/restricting-modx-manager-access#dis-post-541494
    // The text is a fixed literal, so no request data is echoed back to the user.
    // NOTE(review): presumably a non-empty event output is what makes the caller abort - confirm for each event used.
    $modx->event->_output = "This action was denied due to your access level. Please contact an administrator to make your changes.";
    return;
}
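<?php
/**
 * mgrRestrictions plugin
 *
 * Prevents manager (mgr) users who are not in the Administrator group from
 * carrying out sensitive user-management operations:
 *   1. Creating/saving any user that has, or would be granted, membership of
 *      a privileged group.
 *   2. Creating/saving any user with the sudo flag.
 *   3. Deleting any user that belongs to a privileged group.
 *
 * Should be executed on these events: OnBeforeUserFormSave, OnBeforeUserFormDelete
 *
 * NOTE(review): the decision is keyed on the request's `action` value. A
 * request that fires these events with an action not listed below passes
 * through unchanged (the check fails open). The events are understood to hand
 * the affected user object to the plugin; deciding from that object instead of
 * $_REQUEST would remove this dependency - confirm against the MODX event
 * documentation before relying on this plugin as the only control.
 */

//////////////////////////////////////////////////////////////////////
// Configuration - privileged user groups (user group id => user group name).
// Users in these groups may only be edited/deleted by an Administrator.
$privilegedGroups = array(
    1 => 'Administrator',
    3 => 'Editor',
    5 => 'Senior Editor',
);

// Zero-indexed lists of the privileged group ids and group names.
$privilegedGroupsIds = array_keys($privilegedGroups);
$privilegedGroups = array_values($privilegedGroups);

// True when the stored user with this id belongs to any privileged group.
$isPrivilegedUser = function ($userId) use ($modx, $privilegedGroups) {
    if ($userId <= 0) {
        return false;
    }
    $modUser = $modx->getObject('modUser', array('id' => $userId));
    return !empty($modUser) && $modUser->isMember($privilegedGroups);
};

// This only applies to the mgr context
if ($modx->context->get('key') === "mgr") {

    // Restrictions only apply to non-Administrators
    if (!$modx->user->isMember('Administrator')) {

        // Get request parameters
        $action = $modx->getOption('action', $_REQUEST, '');
        $id = intval($modx->getOption('id', $_REQUEST, ''));

        // Perform checks based on event name
        switch ($modx->event->name) {
            case 'OnBeforeUserFormSave':
            case 'OnBeforeUserFormDelete':

                // Should we deny the action?
                $actionDenied = FALSE;

                // Updating a user from the grid
                //////////////////////////////////////////////////////////////////////
                if ($action === "security/user/updatefromgrid") {
                    // Fail closed: refuse unless a target id can be decoded from the
                    // grid payload and that user is not privileged.
                    $actionDenied = TRUE;
                    $jsonData = $modx->getOption('data', $_REQUEST, '');
                    $data = is_string($jsonData) ? json_decode($jsonData, TRUE) : null;
                    if (!empty($data) && is_array($data) && array_key_exists('id', $data)) {
                        $id = intval($data['id']);
                        if ($id > 0 && !$isPrivilegedUser($id)) {
                            $actionDenied = FALSE;
                        }
                    }
                }

                // Updating a user (from a form) or creating a new user
                //////////////////////////////////////////////////////////////////////
                else if ($action === "security/user/update" || $action === "security/user/create") {
                    // The user being saved may already be privileged, whatever group
                    // list the form submits; check the stored record like the grid
                    // and delete branches do. On create there is no id and this is skipped.
                    if ($isPrivilegedUser($id)) {
                        $actionDenied = TRUE;
                    }

                    // Fetch the groups being applied to the user
                    $jsonGroups = $modx->getOption('groups', $_REQUEST, '');
                    if (!empty($jsonGroups)) {
                        $groups = is_string($jsonGroups) ? json_decode($jsonGroups, TRUE) : null;
                        if (!is_array($groups)) {
                            // A group list that cannot be inspected is refused.
                            $actionDenied = TRUE;
                        } else {
                            // Check both the group id and group names (belt and braces!)
                            foreach ($groups as $group) {
                                // An entry that is not an object cannot be checked: refuse.
                                if (!is_array($group)) {
                                    $actionDenied = TRUE;
                                    break;
                                }
                                if (array_key_exists('usergroup', $group)
                                    && in_array(intval($group['usergroup']), $privilegedGroupsIds, true)) {
                                    $actionDenied = TRUE;
                                    break;
                                }
                                if (array_key_exists('name', $group)
                                    && is_string($group['name'])
                                    && in_array($group['name'], $privilegedGroups, true)) {
                                    $actionDenied = TRUE;
                                    break;
                                }
                            }
                        }
                    }

                    // Has sudo access been requested?
                    // NOTE(review): only a value that intval() turns into 1 counts;
                    // confirm how the save processor reads other values of `sudo`.
                    $sudo = $modx->getOption('sudo', $_REQUEST, '');
                    if (intval($sudo) === 1) {
                        $actionDenied = TRUE;
                    }
                }

                // Deleting a user from the grid or form
                //////////////////////////////////////////////////////////////////////
                else if ($action === "security/user/delete") {
                    if ($isPrivilegedUser($id)) {
                        $actionDenied = TRUE;
                    }
                }

                // Deny the action?
                //////////////////////////////////////////////////////////////////////
                if ($actionDenied) {
                    // Log only the fields the decision was based on. The whole of
                    // $_REQUEST is not dumped: on a user save it may carry password
                    // fields and other form data that must not end up in the error
                    // log. json_encode() also keeps request-supplied line breaks
                    // from splitting the log entry.
                    $details = array(
                        'action' => $action,
                        'id'     => $id,
                        'groups' => $modx->getOption('groups', $_REQUEST, ''),
                        'sudo'   => $modx->getOption('sudo', $_REQUEST, ''),
                    );
                    $modx->log(modX::LOG_LEVEL_ERROR, "mgrRestrictions(".$modx->event->name.") - The following action (requested by ".$modx->user->get('username')." #".$modx->user->get('id').") was denied: ".json_encode($details));

                    // Deny the action
                    // Thanks Bob! - https://forums.modx.com/thread/99968/restricting-modx-manager-access#dis-post-541494
                    $modx->event->_output = "This action was denied due to your access level. Please contact an administrator to make your changes.";
                    return;
                }
                break;
        }
    }
}
?>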