Wednesday, November 3, 2010

Modx 2: Limiting manager users to certain contexts

How do I protect my resources and allow only certain contexts to be editable by manager user A?

Filter out context #1, and only allow context #2 to be edited by user A.
1st: Grant permission to the other context (not to be shown to user A) to the Administrator user group
- Edit the Administrator user group
- Context Access
- Add context:
+ Context: #1
+ Minimum role: 0
+ Access policy: Administrator

2nd: Create a role for user A, with an authority level less than 9999 but above 0, example:
- Role: "Editor"
- authority level: 1000

3rd: Create the user group for user A:
- "Editors"

4th: Add user A to user group "Editors"
Security: Access Control: User groups, right click, edit user group "Editors"
Users: Add user to group
- User: User A
- Role: "Editor"

5th: Go to: Security: Access Control: Access Policies
Right click the Resource policy, duplicate.
Edit the "Duplicate of Resource" policy, permission tab.
Add "resource_tree", rename the policy to "ResourceTree" and save.
*Note: this will allow showing of resource tree when user is editing context #2

6th: Go to: Security: Access Control: Access Policies, Add policy:
- Policy: "Editor admin", save. (to be used in the manager context for user A)
Go to the permission tab.
Add the following permissions:
+ change_profile
+ class_map
+ countries
+ edit_document
+ frames
+ help
+ home
+ load
+ logout
+ resource_tree
+ save_document
+ view
+ view_document
+ new_document

7th: Go to: Security: Access Control
Right click on "Editors", update user group, go to the context access tab.
Add 3 context access entries:
1. Context: mgr, min role: "Editor" (1000), Access policy: "Editor admin"
2. Context: "Context #2", min role: "Editor" (1000), Access policy: "ResourceTree"
3. Context: "Context #2", min role: "member" (9999), Access policy: "Load, list and view"

Now User A will be able to access and edit documents in context #2, but context #1 will be hidden from User A.
And anyone logged in as a Member of user A will only be able to load, list and view resources created by User A.

And please remember to flush permissions, and relogin the user to test.
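
To reason about the outcome before testing in the manager, here is an added example (not part of the original post and not MODX code) that models the context access entries configured above. It assumes the matching rule that an entry applies when the member's role authority is less than or equal to the entry's minimum role authority; the keys `context1`/`context2` and the abridged "ResourceTree" permission set are placeholders.

```python
# Simplified model (an assumption, not MODX code) of context ACL matching:
# an entry applies when the member's role authority is <= the entry's
# minimum-role authority (lower number = stronger role).

# Policies as permission sets. "Editor admin" is the list from the 6th step;
# the other sets are abridged stand-ins, with "*" meaning every permission.
POLICIES = {
    "Administrator": {"*"},
    "Editor admin": {"change_profile", "class_map", "countries", "edit_document",
                     "frames", "help", "home", "load", "logout", "resource_tree",
                     "save_document", "view", "view_document", "new_document"},
    "ResourceTree": {"load", "list", "view", "save", "resource_tree"},
    "Load, list and view": {"load", "list", "view"},
}

# (user group, context, minimum-role authority, policy) as configured above.
# "context1"/"context2" are placeholder keys for context #1 and context #2.
CONTEXT_ACLS = [
    ("Administrator", "context1", 0, "Administrator"),
    ("Editors", "mgr", 1000, "Editor admin"),
    ("Editors", "context2", 1000, "ResourceTree"),
    ("Editors", "context2", 9999, "Load, list and view"),
]

def effective_permissions(memberships, context):
    """memberships: {group name: role authority}. Returns the union of
    permissions from every ACL entry that matches the user in `context`."""
    granted = set()
    for group, ctx, min_authority, policy in CONTEXT_ACLS:
        authority = memberships.get(group)
        if ctx == context and authority is not None and authority <= min_authority:
            granted |= POLICIES[policy]
    return granted

def audit(memberships):
    """Effective permissions per context, sorted for stable output."""
    contexts = sorted({ctx for _, ctx, _, _ in CONTEXT_ACLS})
    return {ctx: sorted(effective_permissions(memberships, ctx)) for ctx in contexts}

if __name__ == "__main__":
    user_a = {"Editors": 1000}   # role "Editor"
    member = {"Editors": 9999}   # role "Member"
    for name, who in (("User A", user_a), ("Member", member)):
        for ctx, perms in audit(who).items():
            print(f"{name:7} {ctx:9} {', '.join(perms) or '(no access)'}")
```

An empty result for a context means no entry matched, which is what hides context #1 from User A; in this model a Member (9999) in "Editors" also matches no entry for mgr.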

How about limiting resources within a context?

This can be done by using resource groups.
Put the resources that you do not wish to allow the user to edit in resource group A,
and the resources you wish to allow the user to edit in resource group B.

1st, set up resource group A and resource group B.
Then assign resources to the resource groups accordingly.

2nd, update user group "Administrator",
and go to "Resource group access", and add 2 access entries:
- Resource group A; min-role: super user; policy: administrator; Context: mgr
- Resource group B; min-role: super user; policy: administrator; Context: mgr
*Note: the above makes both group A and B accessible to administrator users

3rd, update user group "Editors",
go to the "Context access" tab:
Add 2 access entries:
- context: mgr; min-role: "editor"; policy: "Editor admin" (as setup above)
- context: "web/mycontext/context #2"; min-role: "editor"; policy: "load, list, view" (this will allow resource_tree to list resources within the context)

Then, go to the "Resource group access" tab:
Add access:
- resource group: "resource group B"; min-role: "editor"; policy: "administrator"; context: mgr (this will allow viewing, editing and creating resources)

Done :)
Hope it helps for you...
