make ACLs easier or provide wizard

Also agree, way too complicated for the average requirement.

Hi Ben,

I'm the first one to agree that the permission system is difficult, but I want to make some comments on your ideas -- I don't mean any of this critically -- just thinking out loud:

Quote from: benmarte at Jan 08, 2012, 12:59 PM

It would be nice if we could make user groups and each user group would have a resource group specific to it, then we can drag and drop as usual in the resource group.

This would be more efficient and help keep the resource groups organized by user group instead of having all resource groups in one page and not know to what group it belongs to.

If you're saying that a user group could only be connected to one resource group, I think it would require a re-build of the permission system and would break a lot of existing sites. You can already choose to have each user group connected to only one user group (and I think that's a common setup), though I agree that it would be nice if were easier to do.

Another thing that needs to be fixed is when you create a new resource you have to go and drag it to the specific resource group because everyone has access to new resources, this is a real PITA when you have multiple contexts and resource groups.

Take a look at the Access Permissions tab the next time you create a new document.

Everyone should be denied access to resources in the manager except the admin and the admin should then allow access to the user group of what resources they can have access to.

This would avoid having to make a user group for admins which I do not understand why you can restrict and admin user group, an admin account should always have access to everything, that's why you have user groups to restrict non admin users.

If this is how you want things (not everyone does), you can create a resource group called AllDocs, put every document in it, and connect that resource group to the Administrator group with a minimum role of Super User and a context of 'mgr'. When you create a new document, just go to the Access Permissions tab and check the AllDocs box. The docs will be protected from all other users until you give them explicit permission.

You can also create a plugin that puts all resources in that group when they are created, though I think a default_resource_group System Setting would be nice.

ACLs are very powerful and I understand that you want to give us full control but there's so many different thing in ACLs right now that affect what a user group can and can't do, roles, policy templates resource groups it's pretty confusing mix in multiple context and you got yourself a huge mess to deal with.

There's only 2 things I wish MODX had that I know if it did it would help MODX gain more users, easier permissions and a built in front end editor (even though many think it's not necessary)

1. Can't argue with you there.
2. Have you looked at NewsPublisher?

---------------------------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using . . . PLEASE!
MODx info for everyone: http://bobsguides.com/MODx.html

Quote from: BobRay at Jan 09, 2012, 06:58 AM

Another thing that needs to be fixed is when you create a new resource you have to go and drag it to the specific resource group because everyone has access to new resources, this is a real PITA when you have multiple contexts and resource groups.

Take a look at the Access Permissions tab the next time you create a new document.

Everyone should be denied access to resources in the manager except the admin and the admin should then allow access to the user group of what resources they can have access to.

This would avoid having to make a user group for admins which I do not understand why you can restrict and admin user group, an admin account should always have access to everything, that's why you have user groups to restrict non admin users.

If this is how you want things (not everyone does), you can create a resource group called AllDocs, put every document in it, and connect that resource group to the Administrator group with a minimum role of Super User and a context of 'mgr'. When you create a new document, just go to the Access Permissions tab and check the AllDocs box. The docs will be protected from all other users until you give them explicit permission.

You can also create a plugin that puts all resources in that group when they are created, though I think a default_resource_group System Setting would be nice.

You are describing an additional step that won't be nessecary if it's the way ben described. What exactly is the problem to give an admin(!) all rights and other users not? This is how it works everywhere in the world in every kind of service.

And if I have to create a plugin for such things this is (nearly for every standard-user) a no-go for the CMS. And will be for me, too, on future sites that need at least a simple permission system. If I'm honest that are not many sites but there are. And that's why Wordpress or Drupal or Joomla are booming. It's super easy there.

About the possible site breaking change we'd expect if the system is changed: This is how it is. And we had this for TVs too in Revolution twice.

You are describing an additional step that won't be nessecary if it's the way ben described. What exactly is the problem to give an admin(!) all rights and other users not? This is how it works everywhere in the world in every kind of service.

I've lobbied in the past for giving the admin Super User complete access to everything, so you'll get no argument from me there. I would suggest, though, that the extra step is necessary because not everyone want to set things up that way.

If I get a little spare time (fat chance), I'll do the plugin that puts all new resources in a default resource group as an extra.

Guys check out my MODX ACL tutorial and let me know what you think or how I can improve it, I appreciate your feedback.

http://bmv-interactive.com/home/modx-acl-tutorial.html

Bob I would love to hear your feedback regarding this tutorial please point out if there is anything I missed or that can be improved.

Thanks.

P.S. Bob I have used NewsPublisher I've just always had issues with it that you couldn't replicate regarding more than 1 rich text field and uploading images through it. I think MODX needs a front end editor built in so it doesn't break when upgrading or when using multiple contexts.

I'm not trying to undermine or discredit NewsPublisher or FrontPage I'm just saying there's a need for something like this that we can rely on that just works and not have it be an extra but something built into the core.

I apologize if my comment seems offensive as I value and respect every other developer that takes his time to make a MODX extra and help make it better. [ed. note: benmarte last edited this post 12 years, 4 months ago.]

Perhaps it's because I have worked exclusively with MODx since before its inception (I started with Etomite using the MODx extensions), but I find the general concept of resource groups/user groups quite logical. The rest of the Revo ACL business will definitely take some getting used to. But I would like to add my vote to a universal Admin user. I found the lack of a "root" user to be quite a shock.

I have to strongly agree - while the current system is undoubtedly powerful, because it takes in so many edge cases it is overkill for 98% of sites we produce. We actively try and avoid anything but the most basic user and permission setups now. Most of the time what we want to do is:

1) 100% of the time - hide technical resources (such as sitemap.xml) from content editors
2) 75% of the time - restrict certain users to only edit certain sections of the site
3) 10% of the time - allow public users to create accounts, to view certain sections of the site in the front end

I've just spent the last 1.5 days troubleshooting, and trying to set up permissions for a site which has about 10 sections, with different authors for each (each can only see their own section). The number of clicks it has taken to do this (and I'm not finished yet) is ridiculous.

I would very much like a far more basic authorisation system, with a more complex one (like current one) available as an optional plugin.

Hope MODX listen to users on this...

We are definitely listening folks; your feedback is absolutely invaluable. We are very aware that the security model is too complex for average requirements and we are working to simplify it by providing wizards and/or installable packages to handle many common scenarios.

Sounds good. I hope providing these kind of high-level usage scenarios of our everyday requirements is helpful in this.

Quote from: ncrossland at Jan 10, 2012, 11:30 AM

1) 100% of the time - hide technical resources (such as sitemap.xml) from content editors
2) 75% of the time - restrict certain users to only edit certain sections of the site
3) 10% of the time - allow public users to create accounts, to view certain sections of the site in the front end

That's exactly the main usage.