Answered All users of admin panel have FULL access to everything!

Hello, everyone!
Recently (2 weeks ago exactly) the site had 3 users (administrator, administrator with limited rights and editor). Groups were created for all users, rights were registered, and everything worked.

Yesterday it turned out that all users have full administrator access!
I tried to reduce the rights of the user "administrator", but it still has full access to everything after changing. Moreover, I created a new user, did not assign him any rights, i logged in the admin panel through him - he has full access!

I made a backup of the site, deleted the database and files, downloaded the latest version of Modx (2.6), installed it (there were no errors during the installation), created a new user (besides the administrator), did not assign him any rights. I logged in - again full access to everything.
Apparently, the problem connect with some changes in the server (VPS).

Recently there were problems with the availability of the site (there were problems with updating the https-certificate in the ISP manager).
I asked the hosting provider to help. As a result, the hosting provider updated the ISP manager (version 5 remained the same) and the question was resolved. I do not know whether this is related to access problem or not. I did not change anything last 2 weeks (system settings or anything else).

I ask to help, I did not expect that on Modx something like this could happen ...

I can confirm everything is working fine for me. Are you sure you've setup your ACL correctly?

The users in question are not Sudo - Users?

Quote from: Bruno17 at Dec 01, 2017, 09:29 AM

The users in question are not Sudo - Users?

They are active, but not sudo users.

Quote from: lkfranklin at Dec 01, 2017, 09:28 AM

I can confirm everything is working fine for me. Are you sure you've setup your ACL correctly?

I installed Modx in my local server, created a new user (not sudo user), gave him no right, tried to logging in - NOTHING.
I returned to VPS, created a new user (not sudo user), gave him no right, tried to logging in - LOGGED IN with FULL rights...

User have no rights according to settings, but have FULL rights according to practise (in attachments).
https://gyazo.com/843fa975492001984bfe819550464b14
https://gyazo.com/e8d5b2726649d17739784033b92c4406
https://gyazo.com/2e075d87fdd087b2846682cd498d8708
https://gyazo.com/7b75f5feeea2c5ac148feb55230e94cc
https://gyazo.com/14f86a7bba8d75307877e1dbf618340d [ed. note: salamander last edited this post 6 years, 5 months ago.]

Unfortunately attachments no longer work on the forums. Could you upload your screen shots somewhere else and link to them?

Why is this thread set to "answered"? Was the reason discovered?

Quote from: andytough at Dec 01, 2017, 02:08 PM

Unfortunately attachments no longer work on the forums. Could you upload your screen shots somewhere else and link to them?

I already did it (there were links to gyazo.com, they are available).
And I am sure now, the problem connected with server configuration (I use nginx + apache).
I tried to change it to "nginx+php-fm" and the access permission rights worked correctly.
The problem appear inside "nginx + apache" configuration.
I will make new experiments on Monday.

Quote from: muzzstick at Dec 02, 2017, 01:05 AM

Why is this thread set to "answered"? Was the reason discovered?

I don't know, it was automatically.
I remove "flag as answer".

The user's rights depend on the Policy specified in the Context Access ACL entry for the user's User Group. If the user belongs to no User Group, the rights of the (anonymous) user apply. The Settings tab has nothing to do with user permissions.

It's very unlikely, imo, that this has anything to do with the server.

Is the user a member of the Administrator group? That would explain it.