Edit Only Resources in MODX

By Ann Torockio

When we set up MODX sites for our clients, we always create a few pages that we never want site publishers to delete or unpublish. We want these pages to be "edit only" for publishers, and we don't want publishers duplicating them either. For us, this applies to the home page, the page-not-found page, the search results page, and a special resource that we use for site-wide configurations. Yes, we have had publishers delete the home page even though we said not to.

Fortunately, we have some ways to protect users from themselves; the MODX permissions system allows us to set up edit-only access to certain resources for a MODX user group. There are three or four main parts to setting this up.

The first is to set up a new resource group which you can assign to your resources. Resource groups allow you to apply a set of permissions to a set of resources. This is how to create a resource group:

  1. Go to Content > Resource Groups in the top menu
  2. Click the "Create Resource Group" button, then fill in the following:
    • Name: Edit Only or whatever you would like to call your resource group
    • Contexts: mgr
    • Automatically Give Administrator Group Access: Checked or not, depending on your use case
    • Click "save"
  3. Add any existing resource that you want to protect to the new resource group. You can do this either
    • From the Resource Groups manager page OR
    • On the "Resource Groups" tab when editing a resource

The next step is to create an access policy which defines the permissions that you can apply to any resource group for any user group.

  1. Go to the Access Policies tab (Cog Icon > Access Control Lists > Access Policies tab)
  2. Click the "Create Access Policy" button and fill out the form that pops up:
    1. Name: Edit Only
    2. Policy Template: ResourceTemplate
    3. Description: Edit Only permission for resources.
    4. Click "Save"
  3. Right-click the new policy and update it
  4. Ensure only the permissions you want to grant are enabled, for example:
    • view
    • save
    • load
    • list
  5. Click "Save", then "Close"

You may want your access policy to control permissions that the default MODX access policies do not control. To do that, we edit the "ResourceTemplate" policy template and add the resource_duplicate permission to it. Policy templates can be a bit confusing. On their own, they do not grant or deny anything; a template defines the list of permissions that any policy based on it is able to control. If you are familiar with MODX templates and template variables (TVs), this is similar to giving a TV access to a template: the permission is to an access policy what a template variable is to a resource.

Edit an Access Policy Template

  1. Go to Cog Icon > Access Control Lists > Policy Templates tab
  2. Right-click & update ResourceTemplate
  3. Click the "Add Permission to Template" button
  4. Choose "resource_duplicate" from the dropdown list (you can type to search the list)
  5. Click "Add"
  6. Click "Save", then "Close"

Finally, we assign the new access policy to a user group. We have an existing publisher group that we want to assign this policy to. If you don't have such a group, see "Create a Publisher User Group in MODX" for how to create such a group.

  1. Go to the User Groups & Users tab (Cog Icon > Access Control Lists > User Groups & Users tab)
  2. Right-click the group you want to restrict and choose "Update User Group"
  3. Go to the Permissions tab > Resource Group Access sub-tab
  4. Click the "Add Resource Group" button and fill out the form that pops up:
    • Resource Group: Edit Only
    • Context: mgr
    • Minimum Role: Super User - 0
    • Access Policy: Edit Only
    • Click "Save"
  5. Save & Close

At this point you are done setting up the new access policy. You can add users to your Publisher group, and they will have only limited access to change the resources in the new "Edit Only" resource group. We recommend testing this with a test user and test content; we have had to experiment and adjust permissions to get a setup that works best for us.
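Before testing with a real user, the policy can be checked against the intent described above. This is an added example, not part of the original article or of MODX: a Python audit that assumes the policy's permissions have been exported as JSON name-to-flag pairs and the template's permission names as a list. The function name, export shape and sample data are assumptions.

```python
import json

# Permissions the article enables in the "Edit Only" policy.
EXPECTED = {"view", "save", "load", "list"}
# Actions the article wants publishers blocked from on protected resources.
MUST_STAY_OFF = {"delete", "unpublish", "resource_duplicate"}


def audit_policy(template_perms, policy_json):
    """Return a list of (severity, message) findings for one policy."""
    template = set(template_perms)
    data = json.loads(policy_json)
    # Treat only explicit truthy flags as enabled (export shape is assumed).
    enabled = {name for name, on in data.items() if on in (True, 1, "1", "true")}
    findings = []
    for name in sorted(enabled - EXPECTED):
        sev = "HIGH" if name in MUST_STAY_OFF else "WARN"
        findings.append((sev, f"'{name}' is enabled but not in the edit-only set"))
    for name in sorted(EXPECTED - enabled):
        findings.append(("WARN", f"'{name}' is not enabled; editing may not work"))
    # Per the article, a policy can only control permissions its template carries.
    for name in sorted(set(data) - template):
        findings.append(("WARN", f"'{name}' is in the policy but not in the template"))
    for name in sorted(MUST_STAY_OFF - template):
        findings.append(
            ("WARN", f"'{name}' is not in the template, so this policy cannot control it")
        )
    return findings


# Constructed sample: a template that lacks resource_duplicate and a policy
# where "delete" was left enabled by mistake.
SAMPLE_TEMPLATE = ["view", "save", "load", "list", "delete", "unpublish", "publish"]
SAMPLE_POLICY = (
    '{"view": true, "save": true, "load": true, "list": true, '
    '"delete": true, "unpublish": false}'
)

if __name__ == "__main__":
    for sev, msg in audit_policy(SAMPLE_TEMPLATE, SAMPLE_POLICY):
        print(sev, msg)
```

An empty result means the policy enables exactly the four edit-only permissions and the template carries every permission that must stay off.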

If you are looking for more information about the different aspects of permissions in MODX Revolution, see Bob's Guides on Revolution Permissions for an in-depth lesson.