After upgrade to 2.2.8 problem "access denied" on save

Do any of you experiencing this issue have custom Policy Templates that might be related?

The site with major problem has custom Policy Templates,
occasionally it happens also to site with standard policy and only one administrator.

May be connecting from different clients can cause it?

Yep, i am using custom policy templates too.

I have the same problem with 2.2.8 installation in two site.

I don't have any custom policy templates, the number of sites that have this problem is over 30 sites now, getting frustrated with clients saying, getting 'access denied' when saving a resource.

It's unlikely with so many people experiencing the problem, but it could be mod_security causing a problem in some cases.

Has anyone found a solution? I am forced to install the 2.2.7 because the 2.2.8 have this problem and I'm having a lot of problems with my customer.

After working through this on a few sites over in MODX Cloud, I think I have a general solution, though not a scripted one yet.

You will need to update these two tables:

• {prefix}_access_policies (modAccessPolicies or "Access Policies")
• {prefix}_access_policy_templates (modAccessPolicyTemplate or "Policy Templates")

1. Identify the Access Policy records that are *not* in this list:
   
   
   • Administrator
   • Resource
   • Load Only
   • Load, List and View
   • Object
   • Element
2. The MODX upgrade script will have created some new Policy Template records based on the names of those Access Policies identified above, then changed the 'template' field of the Access Policies to relate to these new Policy Templates. You will need to figure out which Policy Template these Access Policies should be using, and update them. Then you can delete the Policy Templates that MODX errantly created.

I can't guarantee that this is foolproof, but it should definitely get you in the right direction. Comments, questions, confirmations would be appreciated.

Mike, Thanks for all your work on this.

I could use some more information about what to look for to see if I even have this problem and what to do about it.

I have a number of Access Policies that are not on that list. Some I created myself, some were created by extras like Quip or NewsPublisher, some I'm not sure about. Can you give us the names of the new Policies and created during the upgrade?

Here are some candidates:

• Content Editor (don't think this is new)
• Media Source Admin
• Media Source User
• Developer
• Context

I assume that when you say "based on the names of those Access Policies identified above," you mean the ones that are *not* on the list, but the ones on the list are also "identified above" so I'm not sure.

With respect to the fix, are you saying that the new Policies we identify should all be based on the older Policy Templates:

• Administrator
• Resource
• Object
• Element
• MediaSource?

Finally, can we create a list of the bogus Policy Templates that are being created? That would help fix things and also make sure that we don't delete important Policy Templates.

Thanks again

Thanks netProphET! I didn't see any policy templates that looked like they shouldn't be there. However, I did have one access policy that had its template set to 0. That's obviously not correct, and the policy wasn't showing up on the access policy grid. I change its template to 1 and now it shows up on the grid.

It's too soon to tell if this has helped with the issue or not, as the issue seems to occur at random. I'll post again to let you know if it seems to have worked.