Sandbox MODX Users to a Container Resource

Sandbox MODX Manager Users to edit specific Resources only.

Nov 30, 2014

What's it for?

You have a MODX CMS website, and you want to give some Users access to edit Resources, but only Resources that are children of a specific Container Resource. In other words, you want to "sandbox" these Users, so they can only edit a certain section of the site.

But wait, I love ACLs!

You could do this with the built-in Resource Groups feature in MODX, but that feature is much more suitable for protecting specific pages behind a login, rather than exposing specific Resources for editing in the Manager. 

To achieve the functionality in our example use case, you would need to add every Resource in the site to a protected Resource Group, and then provision access to every User Group other than the target User Group. It's a little clunky and backwards in this case, and I know for certain this is a requirement that comes up a lot when building websites for people. 

Ok, show me the goods.

Essentially, my idea involves a Plugin that fires just before a Resource edit form is rendered in the Manager. If the primary User Group of the current User is one of the specified "target" User Groups, and the User tries to edit any Resource other than the ones defined as "allowed", the Plugin redirects them to an allowed Resource.
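The check described above, written out as an added example; this is not the author's gist. The property names `sandbox_groups` and `sandbox_container`, the MODX 2.3+ edit route, and treating the container itself as an allowed landing Resource are assumptions made for illustration.

```php
<?php
/**
 * Added example, not the author's gist. Attach to OnDocFormPrerender.
 * Hypothetical plugin properties (names are assumptions):
 *   sandbox_groups     comma-separated names of the target User Groups
 *   sandbox_container  ID of the Container Resource Users may work under
 */
if ($modx->event->name !== 'OnDocFormPrerender' || $mode !== 'upd') {
    return; // only the edit form is guarded; 'new' mode passes through
}

$names = explode(',', $modx->getOption('sandbox_groups', $scriptProperties, ''));
$groups = array_filter(array_map('trim', $names));
$container = (int) $modx->getOption('sandbox_container', $scriptProperties, 0);
if (empty($groups) || $container <= 0) {
    return; // not configured: leave the Manager untouched
}

// Sandbox only Users whose primary User Group is one of the target groups.
$gid = (int) $modx->user->get('primary_group');
$primary = $gid > 0 ? $modx->getObject('modUserGroup', $gid) : null;
if (!$primary || !in_array($primary->get('name'), $groups, true)) {
    return;
}

// Walk up the parent chain from the Resource being edited. Assumption: the
// container itself counts as allowed, so it can serve as the landing page.
// A parent that cannot be loaded ends the walk with $inside still false.
$inside = false;
$current = (int) $id;
for ($depth = 0; $current > 0 && $depth < 25; $depth++) {
    if ($current === $container) {
        $inside = true;
        break;
    }
    $node = $modx->getObject('modResource', $current);
    $current = $node ? (int) $node->get('parent') : 0;
}

if (!$inside) {
    // Assumption: MODX 2.3+ Manager route for the Resource edit form.
    $url = $modx->getOption('manager_url') . '?a=resource/update&id=' . $container;
    $modx->sendRedirect($url);
}
return;
```

Because the hook runs only when the edit form is rendered, it steers the Manager view and does nothing about requests that never load that form.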

You may also want to limit the nodes that the affected Users can see in the Resource Tree, otherwise they may be tempted to click on Resources you don't want them to touch. 

The Plugin code doesn't handle this – but it can be accomplished by setting the Tree Root ID system setting for the target User Groups. (Available as of MODX Revolution version 2.3.x.) You can also disable Resource Tree access entirely via MODX ACLs, and use something like the Quickstart Buttons Extra from modmore to guide Users to the appropriate Manager view. If the container Resource is a CollectionContainer, you can further customize the Manager experience considerably, to meet almost any requirement.

This Plugin hasn't been packaged for the Extras repo yet, but it's a simple thing to copy and paste from the gist:

The finer points.

User permissions are serious business. This Plugin has not been subject to security tests, nor the scrutiny of... well, anyone. Do not depend on this Plugin to protect your site from potentially malicious Users. It's my intention that this much-needed functionality can be had, in situations where the risks associated with Plugin failure are low. In other words, if you trust your target User Group to play by the rules, and you want to enhance their Manager experience, this Plugin can help.

As for installing and configuring it, let's skip all the gory details here, as the code comments in the gist are verbose. Let me know how it works for you, and feel free to reach out via the comments below for help, or if you have any suggestions.