    • 36756
    • 7 Posts
    Is it a possible solution, to let the site admin choose between two security systems:

    1. Simple security
    2. Advanced security

    Or does this break the security logic as well?
    • From a user perspective, this is the idea of providing Wizards for the simple/common scenarios. It will create a simple way for users to configure ACLs without revealing the complexity of the underlying system.
        • 33974
        • 156 Posts
        This sounds just great!
        But this won't affect the problem of newly added resources in root, right?
          • 36756
          • 7 Posts
          I was more thinking about a modx config setting, where you can select the security system (simple/complex). But if wizards provide an easy way for all settings, I'll be very fine with that.
          • My biggest concern is new resources created: right now I have to specify what resource group they belong to when a new one is created. If it was just me working on the site, that would be fine, not a big deal.

            I have a MODX install with over 25 Contexts and counting that a group of 3 developers and 3 content editors constantly work on, and honestly, managing each time a user creates a new resource to make sure it's in the proper resource group is a royal PITA. This is not to mention that resources created by content editors can be seen by other content editors that shouldn't have access to them. This is mainly the issue I have in my scenario, which is probably a unique one.

            There has to be some other way we can sort this out without needing to do a full revamp of the ACL system.

            The current ACL system works; it just needs to be refined a bit.

            Thanks for getting back to us, Jason. I hope our concerns and ideas help you guys solve some of these issues to make MODX even better.
              Benjamin Marte
              Interactive Media Developer
              Follow Me on Twitter | Visit my site | Learn MODX
            • Couldn't a plugin be used to automatically set the group of new resources according to who is creating it?
                Studying MODX in the desert - http://sottwell.com
                Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                Join the Slack Community - http://modx.org
                • 30319
                • 406 Posts
                Quote from: smooth-graphics at Jan 10, 2012, 04:12 PM
                Quote from: ncrossland at Jan 10, 2012, 11:30 AM

                1) 100% of the time - hide technical resources (such as sitemap.xml) from content editors
                2) 75% of the time - restrict certain users to only edit certain sections of the site
                3) 10% of the time - allow public users to create accounts, to view certain sections of the site in the front end
                That's exactly the main usage. :)

                Wizard to cover the above three use cases, plus DETAILED instructions and SIMPLIFIED instructions for tweaking #2, plus changing who can edit which content in which context. ACLs should be a choice of global through the whole MODx installation or per-context.

                Thank you, Tom
                • @sotwell I guess, but you would have to make it so it puts it in the proper resource group, context and also the admins resource group always. But since there is no Admin resource group by default, I don't know how this would work unless the user has to manually create an Admin Resource Group or the plugin does it on install.

                  @TomMLS I just finished my MODX ACL Tutorial and I plan to cover these other 2 case scenarios you are mentioning sometime in the future.

                    Benjamin Marte
                    Interactive Media Developer
                    Follow Me on Twitter | Visit my site | Learn MODX
                    • 28215
                    • 4,149 Posts
                    Thanks guys for the responses. A few things:

                    1. We're working on the issue that causes Super Admins to not have access to groups. We'll be adding an exception for the Administrator group in the next releases that gives them "always allow" access - this should solve most people's issues.

                    2. We're also going to look into a solution that prevents you from having to flush sessions so much - basically adding a 'stale' flag onto the user that tells MODX to refresh their sessions. Generally the need to flush sessions so much is that there's no way to actively edit a user's cached permissions for the session, since they're not directly accessible (for security reasons). However, adding a stale flag should address this and give us a secure level of separation that still preserves the integrity of the session without compromising the speed or loading times of the user.

                    3. With regards to a wizard - it's really hard to develop a wizard without use cases to make the steps of a wizard. When we've asked for use cases before, silence followed. :P If we can get a good list of 5-10 different use cases, we can look into a wizard (either in an Extra or the core).

                    4. A "simple/advanced" toggle isn't really doable, nor worth it in development. A wizard is a far better solution.

                    5. Having a Default Resource Group setting is in the feature tracker, I believe, and something we'll look into.
                      shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com
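
A minimal model of the 'stale' flag described in point 2 of the post above, added here as an example; it is not MODX code and does not come from the post's author. The class names, group names and permission strings are assumptions, and the flag is modelled as a per-user version counter so that every open session of the same user refreshes its own cached permissions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    acl_version: int = 0            # bumped whenever this user's access changes


@dataclass
class Session:
    user: User
    perms: frozenset                # permissions cached for the session
    seen_version: int               # acl_version the cache was built from


class AccessControl:
    def __init__(self, group_perms):
        self.group_perms = group_perms          # group name -> permissions

    def resolve(self, user):
        found = set()
        for group in user.groups:
            found |= self.group_perms.get(group, set())
        return frozenset(found)

    def login(self, user):
        return Session(user, self.resolve(user), user.acl_version)

    def remove_from_group(self, user, group, mark_stale=True):
        user.groups.discard(group)
        if mark_stale:
            user.acl_version += 1               # every open session is now stale

    def check(self, session, perm):
        if session.seen_version != session.user.acl_version:
            session.perms = self.resolve(session.user)   # refresh without logout
            session.seen_version = session.user.acl_version
        return perm in session.perms


def demo():
    # Constructed sample data: two groups, one user with two open sessions.
    acl = AccessControl({"Editors": {"save"}, "Viewers": {"view"}})
    alice = User("alice", {"Editors", "Viewers"})
    s1, s2 = acl.login(alice), acl.login(alice)
    acl.remove_from_group(alice, "Editors", mark_stale=False)
    unflagged = acl.check(s1, "save")     # cached grant outlives the revocation
    alice.acl_version += 1                # now flag the user as stale
    return unflagged, acl.check(s1, "save"), acl.check(s2, "save"), acl.check(s2, "view")
```

The first value returned by `demo()` is the failure mode that forces a session flush: without the flag, the session still grants a permission that has already been revoked.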
                      • 22840
                      • 1,572 Posts
                      For me (and this will be added on by others)

                      But I would love to see 3 user groups.

                      1: Main admin, this is always the company so nothing changes here and they have access to everything.
                      2: Client, they would have access to all the resource tree and the usability of it (IE: upload files etc) but not TVs, chunks and file tree.
                      3: Restricted: for this user it would be great if we could restrict them to certain resources via a checkbox and allow them to edit, create, delete.

                      In my personal development that would cover most things but I know you can't just build for me lol ;)