Hi Ben,
I'm the first one to agree that the permission system is difficult, but I want to make some comments on your ideas -- I don't mean any of this critically -- just thinking out loud:
Quote from: benmarte at Jan 08, 2012, 12:59 PM
It would be nice if we could make user groups and each user group would have a resource group specific to it, then we can drag and drop as usual in the resource group.
This would be more efficient and help keep the resource groups organized by user group instead of having all resource groups in one page and not know to what group it belongs to.
If you're saying that a user group could only be connected to one resource group, I think it would require a re-build of the permission system and would break a lot of existing sites. You can already choose to have each user group connected to only one user group (and I think that's a common setup), though I agree that it would be nice if were easier to do.
Another thing that needs to be fixed is when you create a new resource you have to go and drag it to the specific resource group because everyone has access to new resources, this is a real PITA when you have multiple contexts and resource groups.
Take a look at the Access Permissions tab the next time you create a new document.
Everyone should be denied access to resources in the manager except the admin and the admin should then allow access to the user group of what resources they can have access to.
This would avoid having to make a user group for admins which I do not understand why you can restrict and admin user group, an admin account should always have access to everything, that's why you have user groups to restrict non admin users.
If this is how you want things (not everyone does), you can create a resource group called AllDocs, put every document in it, and connect that resource group to the Administrator group with a minimum role of Super User and a context of 'mgr'. When you create a new document, just go to the Access Permissions tab and check the AllDocs box. The docs will be protected from all other users until you give them explicit permission.
You can also create a plugin that puts all resources in that group when they are created, though I think a default_resource_group System Setting would be nice.
ACLs are very powerful and I understand that you want to give us full control but there's so many different thing in ACLs right now that affect what a user group can and can't do, roles, policy templates resource groups it's pretty confusing mix in multiple context and you got yourself a huge mess to deal with.
There's only 2 things I wish MODX had that I know if it did it would help MODX gain more users, easier permissions and a built in front end editor (even though many think it's not necessary)
1. Can't argue with you there.
2. Have you looked at NewsPublisher?
---------------------------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using . . . PLEASE!
MODx info for everyone:
http://bobsguides.com/MODx.html