On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • We’re looking to improve the documentation for use cases of Security/Permissions/ACLs in Revolution. So this is where we need you!

    If you all could reply to this thread with examples of Use Cases (iow, a problem you want to solve with Security in MODX), and we’ll try and get them documented. Think of this as a wishlist for more tutorials on this page:

    http://rtfm.modx.com/display/revolution20/Security+Tutorials

    Thanks!

    Currently in existence:


    • Creating a Second Super Admin User
    • Giving a User Manager Access
    • Making Member-Only Pages
      shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
    • Martijn van Turnhout Reply #2, 10 years, 6 months ago
      Hi,

      here’s a Security wish:

      I’d like to exclude Templates for lower usergroups. When a client is logged in as a Webmaster (user who’s part of the usergroup Webmasters), I’d like to give him only access to 2 templates in the template dropdown field, instead of also giving access to the third, the Homepage template for example.

      However, a client should be able to edit a resource which uses the denied template. He should be able to edit a document which uses the Homepage template (and the TVs which go with it ofcourse), but not create a new document with that template.

      Also, and this can be trickier: I want get rid of the "(empty)" template. It was doable with ManagerManager in the Evo days.

      Thanks in advance, Shaun!
      • Quote from: Martijn at May 19, 2011, 01:25 PM

        I’d like to exclude Templates for lower usergroups. When a client is logged in as a Webmaster (user who’s part of the usergroup Webmasters), I’d like to give him only access to 2 templates in the template dropdown field, instead of also giving access to the third, the Homepage template for example.
        Element Category ACLs do need a tutorial. They are, however, very similar to Resource Groups.

        However, a client should be able to edit a resource which uses the denied template. He should be able to edit a document which uses the Homepage template (and the TVs which go with it ofcourse), but not create a new document with that template.
        (Edit) If you restrict via a Category Access ACL, you can edit. You will not be able to create, so it will work as you expect.

        Also, and this can be trickier: I want get rid of the "(empty)" template. It was doable with ManagerManager in the Evo days.
        That definitely cannot be done at the moment, but again, is worth a feature request: http://bugs.modx.com/projects/revo/
          shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
        • Martijn van Turnhout Reply #4, 10 years, 6 months ago
          Hi Shaun,

          regarding the 2nd blockquote, what I mean is:

          I don’t want the client to create a resource with the denied template. Say "Homepage" template, for example. But, if a resource (created by an Administrator for example) using the Homepage template is already published, the client shouldn’t have any problems editing that document or its TVs.

          Kinda like ManagerManager’s behavior. Hope that clears it up smiley.

          I’ll post the FR for the (empty) template.

          • Quote from: Martijn at May 19, 2011, 01:44 PM

            I don’t want the client to create a resource with the denied template. Say "Homepage" template, for example. But, if a resource (created by an Administrator for example) using the Homepage template is already published, the client shouldn’t have any problems editing that document or its TVs.
            I see. I know currently that you can edit, however, you cannot see any TVs assigned if you dont have access to the Template. Might be worth a feature request.
              shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
            • Martijn van Turnhout Reply #6, 10 years, 6 months ago
              Posting the FR as we speak.
              • Actually, Martin, that can be done - you just add another Element Category ACL to the user group:

                - Category: "My Category"
                - User Group: mygroup
                - Context: mgr
                - Policy: Load Only

                However, this gives them access to create documents with that Template. What’s your intention with these users? You just dont want them to specify templates at all? Or do you want them even creating Resources?

                Edit: Just tested, actually, they cannot create docs with that Template. So adding the Load Only policy should work fine.
                  shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
                  • shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
                  • Martijn van Turnhout Reply #9, 10 years, 6 months ago
                    Okay thanks! I haven’t checked the page yet, but it doesn’t give clients access to TVs belonging with the denied template right? I’ve justed posted a FR for that!

                    Again, this is a great move!
                    • Martijn van Turnhout Reply #10, 10 years, 6 months ago
                      Nevermind, I’ve just read the page. Excellent work!