(Tutorial) Making member-only pages in Revolution [WIP] - My Forums

Re: (Tutorial) Making member-only pages in Revolution [WIP]

marmas — Feb 27, 2018, 12:35 PM

Hi there,
I have recently installed MODX 2.6.1, followed "Making Member-Only Pages" guide (https://docs.modx.com/revolution/2.x/administering-your-site/security/security-tutorials/making-member-only-pages) but anonymous users can freely access protected resources (tried accessing from different browser than manager and even from another PC). This happens in my local dev environment as well as in cloud hosting.
I see other members had the same issue but couldn't find the solution posted.

Any ideas what I might be missing?
Thank you!

Re: (Tutorial) Making member-only pages in Revolution [WIP]

BobRay — Jul 24, 2016, 11:31 PM

Quote from: mcwu07 at Dec 09, 2014, 02:58 AM

I am having a similar issue in that if the user goes directly to the URL, they can bypass the Login feature. I am able to get it to work properly on our UNIX server, but it's not working for our client's Windows server. I did notice all of their permissions were set to 777 for both folders and files and was wondering if that could be the cause - similar to what orbryy experienced above?

Any thoughts or suggestions on what may be causing this issue would be appreciated.

File permissions shouldn't affect this. Did you flush permissions and sessions (log everyone out), on the Main menu after making your changes?
You might also try deleting all files in the core/cache directory. Also, make sure you're logged out of the Manager when you test.

Since you've been testing, it may be that the pages are still in the browser cache.

As a kind of belt and suspenders method, you can also create a snippet with the following code and put a tag for it on the protected pages. It will redirect any users who are not logged in to the Login page:

[[!LoginCheck]]

user->hasSessionContext('web') ) {
    $url = $modx->makeUrl($loginId, "", "", "full");
    $modx-sendRedirect($url);
}

This assumes that the protected pages are in the 'web' context. If you have multiple front-end contexts, use this:

if (! $modx->user->hasSessionContext($modx->context->get('key')) ) {

Re: (Tutorial) Making member-only pages in Revolution [WIP]

mpohlmann — Jul 24, 2016, 05:20 AM

Seems the Access Wizard has changed in 2.5. Are Resource Groups still available or is this condensed within the User Group Wizard?

Re: (Tutorial) Making member-only pages in Revolution [WIP]

mcwu07 — Dec 08, 2014, 08:58 PM

I am having a similar issue in that if the user goes directly to the URL, they can bypass the Login feature. I am able to get it to work properly on our UNIX server, but it's not working for our client's Windows server. I did notice all of their permissions were set to 777 for both folders and files and was wondering if that could be the cause - similar to what orbryy experienced above?

Any thoughts or suggestions on what may be causing this issue would be appreciated.

Re: (Tutorial) Making member-only pages in Revolution [WIP]

BobRay — Apr 28, 2014, 07:55 AM

I don't see how that could be, but I'm glad you got it sorted.

Re: (Tutorial) Making member-only pages in Revolution [WIP]

orbryy — Apr 28, 2014, 04:23 AM

After all, it turned out that the problem was in server configuration, because when I moved the site to hosting service, resources became private as they are supposed to be, and are only accessible to logined users.

Re: (Tutorial) Making member-only pages in Revolution [WIP]

orbryy — Apr 28, 2014, 12:59 AM

Well, let me tell my whole setup, just in case i got my vision dimmed and miss something. I got a resource group called 'Profile', and 5 resources that belong to it. I also have a user group called 'Users', and a user with name 'User' attached to it. The 'User' role is 'Member - 9999'. 'Users' group has context ACL attached:
context = web
policy = Load, List and View
min role = Member-9999

and a resource ACL attached:
context = web
resource group = Profile
policy = Resource
min role = Member-9999

The only two other user groups I have are (anonymous) and Administrator. The (anonymous) group has nothing in resource ACL tab, and has a context ACL:
context = web
policy = Load only
min role = Member-9999

The administrator group has only one default admin in it, two default context ACL, and a resource ACL:
context = web
resource group = Profile
policy = Resource
min role = Member-9999

That's it, now, all the test I was doing in differnet browser, after flushing permissions, sessions, clearing modx cache and deleting old session cookies in that browser. And I could access any page within Profile resource group without logging in. I tryed removing resource ACL from administrator group, didn't help. I tryed making a new role, with authority 1000, and making it as minimum role in resource ACL for that resource group, didn't help. I really have no idea, in your book you say that as soon as we add ACL which connects resource group and user group, that resource group becomes private, but it feels like in my case it doesn't happen. The last thing I might try is move the site to real hosting and see if the problems remains...

Re: (Tutorial) Making member-only pages in Revolution [WIP]

BobRay — Apr 27, 2014, 09:58 PM

The php.ini setup should have nothing to do with the permissions.

Often, you need to flush all sessions as well as permissions. Also, if you're viewing from the Manager, it can confuse MODX about who you are and your login status.

I can't think of anything else that would cause your problem as long as the User Group is connected to the Resource Group with a Resource Group Access ACL entry and the (anonymous) user is not a member of the Resource Group.

Unless the Resource also belongs to another Resource group that the (anonymous) user has access to.

Re: (Tutorial) Making member-only pages in Revolution [WIP]

orbryy — Apr 27, 2014, 05:39 PM

Hello!

I`ve bumped into a problem with this guide. I`ve gone through all the steps, made a resource group, attached a resource to it, made a user group, attached a user to it, made context ACL and resource ACL for that resource group, just like in tutorial. The problem is the resource is still viewable for anonymous users. I`ve flushed all permissions, cleared site cache, viewed page from different browsers (erased all cookies just in case), but nothing helps, the page is still accessible. I`ve checked the anonymous user group, just in case - it has no access to that resource group. Even tryed to restart Apache...

Any ideas what could be the problem?

P.S. I`m running MODX 2.2.13-pl
P.P.S. Oh, and one more thing, I`m runing this site on localhost, and sometime ago I had an error which erased my php.ini file, I`ve downloaded new one from PHP package, and enabled this extensions:
php_curl.dll
php_mbstring.dll
php_mysqli.dll
php_pdo_mysql.dll

Could the problem be caused by php.ini configuration? Did I miss some required extensions?

P.P.P.S. Tryed the tutorial from MODX: The official Guide book, didn`t work either, though it`s basically the same as in this tutorial, no wonder it didnt work, must be something with my setup.

Re: (Tutorial) Making member-only pages in Revolution [WIP]

BobRay — Apr 01, 2014, 05:08 PM

If it were an issue with caching, you'd expect to see the same menu every time.

If you're viewing in the same browser where you're logged in to the Manager, it will give you unusual results. Make sure you're testing from another browser where you're not logged in to the Manager.