    • 12262
    • 40 Posts
    Hi,

    I'm totally lost in the security concept of Modx Revo.
    I'm looking for a Use Case covering the following issue:

    + a new user should gain full managing access to a sub tree of our school website (e.g. parents).
    + this should include all resources (web pages) and the corresponding media (in a subtree of the assets folder)

    As far as I understood it (at least I hope so):
    + I need to create a special resource group and assign it to the main page of the sub tree
    + A separate Media Source can be used to restrict (?) access to the media tree in assets...

    Do I need to create another resource group for all the rest of the pages?
    And what are the other steps I need to do?

    I didn't find a tutorial covering these concepts in such detail.

    Thanks for your help in advance

    Thomas [ed. note: hochmohr last edited this post 11 years, 5 months ago.]
      • 40045
      • 534 Posts
      [Edit] First of all, do a backup of your database...before messing around with your acls...see next posts for the why... [/Edit]

      Second, you need to create a usergroup, maybe "parents.sectionname" in your case.

      then create a test user "papi". don't assign it to the usergroup yet.

      Then you create an access policy (I would duplicate the Content Editor policy, then rename it to something like "Parents Rights" and edit the permissions inside) and a new role "Parents" with some number as authority (doesn't really matter), I would pick maybe 6666. Pay special attention to the media source permissions.

      Then you go into the edit mode of the user group > tab "Users" and assign the user "papi" with role "Parents" to the usergroup "parents.sectionname"

      Then you click the tab "Context access" and add mgr with access policy "Parents Rights", role "Parents" and web with access policy "Parents Rights" (probably the "Load" policy would be enough...not sure about that, that's just how I do it) and role "Parents" > all that depends on the structure of your site, do you have it split up in context or in subfolders (according to your post I think you organized it in subfolders right?).

      Flush all permissions and try to log in with "papi", you should see all resources (because you didn't protect them yet with resource groups)

      Then create a resource group "admin" and add everything to it and assign it to the Administrator user group. Add another resource group called "parents.sectionname" (again, ya, very creative...=D) and add the desired Container (don't know if that's enough, or if you have to add every resource one by one, tell me...) to that parents resource group

      Then you create a new Media Source (Filesystem) and set the paths to the directory the parents should be able to see and then add the usergroup "parents.sectionname" to that media source. For the existing Filesystem Media Source you should add only the Administrator usergroup.

      Flush permissions again and login with "papi" and try to upload some files (via Files tab if you give that to them or via image/file TV and the FileManager of MODx), when you go to the files tab you should only see the directory (and its files and folders) you specified in the Media Source for the parents.


      not sure if I missed something =)...

      for basic introduction to the MODx security permissions watch the following screencasts:

      http://www.youtube.com/watch?v=PKdBvhmZtIw
      http://www.youtube.com/watch?v=3mw0jLNVFp0

      you can also check the following links:

      http://www.bmv-interactive.com/home/modx-acl-tutorial.html
      http://rtfm.modx.com/display/revolution20/Security (with Screencast)
      http://bobsguides.com/revolution-permissions.html [ed. note: exside last edited this post 11 years, 5 months ago.]
          • 12262
          • 40 Posts
          Thanks exside for your detailed description.
          I tried it up to the point where I relogin with the new user... it doesn't show anything in the resource browser. Is there something I have to set up for the web context in general?

          Thanks

          Thomas
            • 40045
            • 534 Posts
            Quote from: hochmohr at Dec 05, 2012, 06:29 PM
            Thanks exside for your detailed description.
            I tried it up to the point where I relogin with the new user... it doesn't show anything in the resource browser. Is there something I have to set up for the web context in general?

            Hm, but login into the manager works and by resource manager you mean the resource tree on the left, right?

            Maybe I shouldn't have taken the step with the resource groups before re-login, I think there lies the problem. Did you create the resource groups and add the resources (in both of them)? And also connect the resource groups with the corresponding usergroup?
              • 12262
              • 40 Posts
              Hello exside,

              I created both resource groups (admin and parents).
              The resource group parents is assigned to the parents user group, context mgr, minimum role "parents".
              I added the parents resource group to just one document in the resource tree and the admin to 2 other documents (all other documents are untouched and belong to no resource group).

              Any idea what's missing?

              If I add the parents to the "web" context (top level of the resource tree), the logged in parents user can manipulate all documents... strange.


              Thomas
                • 12262
                • 40 Posts
                Found my error by myself:

                I forgot to add the web context to the user group (sorry)...

                ... so basically it works. Is there a way to assign my admin resource group to all existing documents and to all new documents automatically?


                probably this post could solve that issue (but the script does not work on my site):
                http://forums.modx.com/thread/44055/revo-set-a-default-resourcegroup-for-a-modresource


                Thomas [ed. note: hochmohr last edited this post 11 years, 5 months ago.]
                  • 12262
                  • 40 Posts
                  Hi again,

                  another strange behavior:

                  A subtree of my resource tree is assigned to the admin resource group. The documents contained in that subtree are assigned to no resource group at all.

                  The limited parents user cannot see the protected subtree. But when searching a specific page in that subtree, it can be found and changed!

                  Is that a desired behavior? If so, I need to assign the admin resource group manually to all documents (and never forget that in the future)...


                  And a last error: I can't assign a user group to a media source: It asks me for a access policy but the field is empty and I can't save it.



                  Thomas [ed. note: hochmohr last edited this post 11 years, 5 months ago.]
                    • 12262
                    • 40 Posts
                    I give up... and reset everything again. Will give it a new try when I'm not so tired anymore (10.30 pm in Germany).

                    Looks like I mashed up the system. When I'm not logged in - I can't even access my created pages anymore. So basically the (anonymous) access does not work anymore.

                    [update] Deleted everything again AND had to switch the access policy on the web context back to "load, list and view" for the (anonymous) user. Can't remember having touched this.

                    Thomas [ed. note: hochmohr last edited this post 11 years, 5 months ago.]
                      • 40045
                      • 534 Posts
                      Sounds like (the more or less usual) struggle with the permissions system^^,

                      to add resources to resource groups: I'm not sure about that, but I always did it manually and for every single resource, that was really something that made me think "I'm not doing it right" too...so there I cannot help you because I have never searched for a solution to add resources automatically to a resource group...never needed it really because I never had a very big amount of resources that had to be protected...

                      I suggest to read/watch the provided tutorials and resources carefully and maybe try out some things in a more simple setup, so you can gain some experience with the acl system. Basically you shouldn't mess with the web context at all (more or less), what you want to do affects only the mgr permissions (as far as I get it...). Maybe a more precise description of your setup would also help to solve your issues. [ed. note: exside last edited this post 11 years, 5 months ago.]
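
The thread reports that a container placed in a resource group does not protect the documents under it: they stay findable and editable until each one is added to the group itself. As an added example (not code from the thread or from the MODX project), this PHP script links a container and all of its descendants to one resource group; the container id `12`, the group name `admin` and the location of `config.core.php` are assumptions.

```php
<?php
// Added example (not from the thread). Run from the CLI in the MODX base path.
// Assumed placeholders: container id 12, resource group "admin".
require_once __DIR__ . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';

$modx = new modX();
$modx->initialize('mgr');

$containerId = 12;       // placeholder: id of the protected container
$groupName   = 'admin';  // placeholder: resource group to apply

$group = $modx->getObject('modResourceGroup', array('name' => $groupName));
if (!$group) {
    exit("Resource group '{$groupName}' not found\n");
}
$groupId = $group->get('id');

// Read child ids straight from the table so the walk does not depend on
// which resources the current (CLI) user is allowed to load.
function childIds(modX $modx, $parentId)
{
    $q = $modx->newQuery('modResource');
    $q->select('id');
    $q->where(array('parent' => $parentId));
    if (!$q->prepare() || !$q->stmt->execute()) {
        return array();
    }
    return array_map('intval', $q->stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Membership is per resource: visit the container and every descendant.
$queue = array($containerId);
$added = 0;
while ($queue) {
    $id = array_shift($queue);
    $queue = array_merge($queue, childIds($modx, $id));

    $key = array('document' => $id, 'document_group' => $groupId);
    if ($modx->getCount('modResourceGroupResource', $key) > 0) {
        continue; // already linked to the group
    }
    $link = $modx->newObject('modResourceGroupResource');
    $link->fromArray($key);
    if ($link->save()) {
        $added++;
    }
}
echo "Linked {$added} resource(s) to '{$groupName}'\n";
```

Resources created after the run are not covered, so the script has to be run again (followed by a permissions flush, as in the steps above) whenever documents are added under the container.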