    • 28508
    • 73 Posts
    Hello,

    after I upgraded to 2.1 from 2.0.8 advanced, access control doesn’t work anymore.
    No matter what I do, users have all rights, they can delete a resource although they shouldn’t, for instance.

    Access controls are tricky sometimes in MODx, but although I struggled as a MODx-newbie, I now understand the system behind it (of course with the help of this forum) and got it working. So I’m pretty sure I configured everything right (and of course it worked in 2.0.8).

    Before I post all the details and start testing again which will take me definitely a lot of time, I just want to ask:

    Did anybody experience something similar?

    Thank you,
    stetus
      • 3749
      • 24,544 Posts
      stetus, did you do an upgrade install after installing the new files?

      I’d also try manually deleting the files in the core/cache directory and clearing your browser cache and cookies.
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 28508
        • 73 Posts
        Hi Bob,

        thanks for your answer.
        I just copied the core-files again, ran the installer and cleared the cache-files manually: still it isn’t working.
        I’m very curious why nobody else seems to have this problem.
        • I assume you are talking specifically about 2.1.0-rc1? And specifically about Resource Group Access in the mgr Context?
            • 28508
            • 73 Posts
            Thank you Jason for your answer,

            yes indeed: How did you know? Couldn’t find anything in the bugtracker.
            • Quote from: stetus at Apr 06, 2011, 08:30 PM

              Thank you Jason for your answer,

              yes indeed: How did you know? Couldn’t find anything in the bugtracker.
              Well, there have been some changes going on to allow users to manually turn off all ACL queries per Context (new system settings for access_resource_group_enabled, access_category_enabled, access_context_enabled), but after reviewing when the changes occurred, this should only affect certain commits in the release branch post RC1 release. Are you using the RC1 distribution or working from the release branch in Git? If this is a bug that is slipping through the cracks here, I’d definitely like to know what is causing your issue. Any additional information you can provide about the Access Control policies you have applied would be helpful as well...
                • 28508
                • 73 Posts
                Ok Jason,

                thank you for explaining.
                I am using the RC1 distribution.

                I’ll try to post every information about the Access Control policies I’ve applied below, I hope it will be useful for you (my English isn’t the best), if not, you can also have access to the system and see for yourself, if that’s faster or easier for you.

                Usergroups:
                - Administrator
                Context Access: Administrator (everything activated), Resource (everything activated), both mgr + web, QuipModeratorPolicy (everything activated) for mgr
                ["Resource" is a Resource-Template. I don’t know why I assigned it to Context Access anymore, it doesn’t really make sense, far more interesting: I can not replicate this any more. When I right-click context-access for the Administrator-usergroup, there is no "Resource"-Template in the dropdown-box anymore, it shows "1".]
                Resource Group Access: Administrator (everything activated), mgr + web

                - User
                Context Access: User (*^1), web + mgr, QuipModeratorPolicy (everything activated) mgr
                Resource Group Access: Just Edit (*^2), mgr

                *^1 User:
                change_password, change_profile, components, create, delete_document, directory_chmod, directory_create, directory_list, directory_remove, directory_update, edit_category, edit_chunk, edit_document, edit_locked, edit_tv, empty_cache, file_list, file_manager, file_remove, file_tree, file_update, file_upload, file_view, flush_sessions, frames, home, list, load, logout, new_document, new_document_in_root, publish_document, purge_deleted, resource_quick_create, resource_quick_update, resource_tree, save, save_document, save_user, search, tree_show_element_ids, tree_show_resource_ids, undelete_document, unlock_element_properties, unpublish_document, view, view_category, view_document, view_element, view_unpublished, view_user 


                *^2 Just Edit:
                create, list, load, publish, save, steal_lock, view 


                Resource Groups:
                Hidden: There is a container with several resources in it in this group. Access Control seems to work with this group, which means that the usergroup "Users" can’t see it.
                Just Edit: This group contains a few resources, Access Control doesn’t work with it. I tried to give all the resources in a container to see if this might be somehow related to the problem, it seems as if it’s not.

                Thanks for your help and fantastic work!
                  • 3749
                  • 24,544 Posts
                  Context Access ACL entries should never use the Resource policy (that’s why it no longer shows). They should always use a policy based on the Administrator template. That could be your problem.

                  The matchups should generally all look like this:

                  - Context Access ACL: Administrator policy

                  - Resource Group Access ACL: Resource policy

                  - Element Category Access ACL: Element policy
                    • 28508
                    • 73 Posts
                    Hi Bob,

                    I deleted the Element-policy from the context-access, unfortunately it still doesn’t work.

                    Any other hints?
                      • 3749
                      • 24,544 Posts
                      Hi Stetus,

                      I would first upgrade to RC3 -- there were some problems with the earlier RCs of 2.1.

                      I’m not sure this will help, but to protect the resources, they need to be in a resource group and the resource group needs to be connected to a user group (usually the Administrator group) with a Resource Group Access ACL entry with a policy of Resource (or a policy based on the Resource template).

                      Users who shouldn’t be able to access those resources at all should generally not be members of that user group.

                      To give them limited access, put them in their own user group and create a Resource Group Access ACL entry for them with a policy that is a duplicate of the Resource policy and has the actions they shouldn’t perform unchecked.

                      Be sure to flush permissions and sessions after making changes.

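An added example (not part of the thread and not MODX code): a simplified Python model of the policy/template matchups and the group-membership advice in the replies above, run over constructed ACL entries. It assumes permissions from every matching Resource Group entry are unioned and ignores roles and authority; the `Entry` type, the policy contents and the sample data are hypothetical.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    acl_type: str      # "context", "resource_group" or "element_category"
    user_group: str
    target: str        # context key, resource group name or category name
    context: str
    policy: str

# Matchups listed in the reply above: ACL type -> template the policy must be based on.
EXPECTED_TEMPLATE = {"context": "Administrator",
                     "resource_group": "Resource",
                     "element_category": "Element"}

# Constructed sample: policy name -> (template it is based on, checked permissions).
JUST_EDIT = {"create", "list", "load", "publish", "save", "steal_lock", "view"}
POLICIES = {
    "Administrator": ("Administrator", {"view_document", "delete_document"}),
    "Resource": ("Resource", JUST_EDIT | {"delete"}),
    "Just Edit": ("Resource", JUST_EDIT),  # duplicate of Resource, "delete" unchecked
}

# Constructed ACL entries loosely following the setup described in the thread.
ACL = [
    Entry("context", "Administrator", "mgr", "mgr", "Administrator"),
    Entry("context", "Administrator", "mgr", "mgr", "Resource"),  # wrong template
    Entry("resource_group", "Administrator", "Just Edit", "mgr", "Resource"),
    Entry("resource_group", "User", "Just Edit", "mgr", "Just Edit"),
]

def mismatched_entries(acl):
    """Entries whose policy is not based on the template expected for their ACL type."""
    return [e for e in acl if POLICIES[e.policy][0] != EXPECTED_TEMPLATE[e.acl_type]]

def effective_permissions(member_of, resource_group, context, acl):
    """Union of permissions over every Resource Group entry matching the user's groups."""
    perms = set()
    for e in acl:
        if (e.acl_type == "resource_group" and e.target == resource_group
                and e.context == context and e.user_group in member_of):
            perms |= POLICIES[e.policy][1]
    return perms

if __name__ == "__main__":
    for e in mismatched_entries(ACL):
        print("template mismatch:", e)
    print(sorted(effective_permissions({"User"}, "Just Edit", "mgr", ACL)))
    print(sorted(effective_permissions({"User", "Administrator"}, "Just Edit", "mgr", ACL)))
```

In this model a user who is only in the User group cannot delete, while one who is also a member of the group holding the full Resource policy can, which is why the reply advises keeping restricted users out of that group.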