Hiding the System Menu

Hiding the System Menu in the Manager using CSS


In the previous articles, we used a plugin to hide various Manager-page elements. In this article we'll look at how to hide the System Menu (Gear Icon) from non-administrators.


MODX logo

The Official Method

The proper method for hiding the System Menu (Gear Icon) is to take away the menu_system permission. It's a safer and more secure method, but it's difficult to implement if users belong to more than one group. In my tests, I was unable to make it work at all even after an hour of work. The user I was logging in as definitely didn't have the permission, but could still see the menu and execute all the sub-menu items even after flushing permissions and sessions and deleting all cache files. It's possible that I made a mistake but even if I did, it shows the difficulty of using this method.

A Word of Warning

You should always think twice about hiding the Security Menu, messing with Menus in general, or changing permissions. It's easy to paint yourself into a corner by taking away your ability to undo what you just did. If you accidentally take away the access_permissions permission from yourself, for example, you can't give it back without going into the database. Sometimes, you can escape the corner by making yourself a sudo user, but not always.

Hiding the System Menu

We'll use the CSS injection technique we used in the previous articles. Create a plugin connected to the OnManagerPageBeforeRender System Event (check that box on the System Events tab when editing the plugin). The code of the plugin should look like this:

if (! $modx->user->isMember('Administrator')) {
    $css = '
    <style>
        #limenu-admin {
            display: none !important;
        }
    </style>
    ';

    $modx->regClientCSS($css);
}
return '';

Security Concerns

This method is not completely secure. A user who has the knowledge and tools can modify the CSS in their browser. This would allow them to see the menu and perform any of the actions on it. This isn't much of an issue with hiding the Help button or question mark, since defeating the system wouldn't let the users do any serious harm to the site. That's not the case with the System menu. That said, few users would have both the ability and the inclination to do this, and if you've let such a user into the MODX Manager in the first place, you probably have bigger problems than this, so I would have no problem using this technique. Using the MODX security permissions system would be a much more secure solution, though, since if you got it right, it would absolutely prevent the users from executing any of the actions you've prohibited.

Coming Up

In the next article, we'll see how to hide some page elements on the Create/Edit Resource page using this same technique. We'll also see how to prevent our plugin from executing on pages where it shouldn't.


For more information on how to use MODX to create a web site, see my web site Bob's Guides, or better yet, buy my book: MODX: The Official Guide.

Looking for high-quality, MODX-friendly hosting? As of May 2016, Bob's Guides is hosted at A2 hosting. (More information in the box below.)



Comments (0)


Please login to comment.

  (Login)