Hiding Top Menu Items in the Manager

Top Menu items (and subitems) can be hidden from users in specific User Groups by adding a custom permission for them. Because you don't want your Permissions to be overwritten when you upgrade MODX, you need to create a new Policy Template and a new Policy based on that Template. The basic strategy, is to require a custom permission for the items you want to hide and give that custom permission to the admin Super User (and any other users who should see the menu items). Users without those custom permissions will not see the menu items.

It's recommended that you read this tutorial all the way through before beginning, because you might want to change some of the steps depending on your goals.

Preview

Here is a preview of the basic steps necessary to hide Top Menu items and subitems from users who are not admin Super Users. In this tutorial, we'll hide the Reports menu item (and all its subitems), though the same steps can be used to hide any menu item or subitem.

  • Create a new Access Policy Template called "MyMenuTemplate"
  • Add the custom Permission to the "MyMenuTemplate" Template
  • Create a new Policy based on the "MyMenuTemplate" Template
  • Modify the Administrator group to use the new Policy
  • Modify the Action menu to require the custom Permission.

Step-by-step Tutorial

Here are the steps for creating Manager users who can't see the Reports Menu item in the Manager's Top Menu. The links in the list below are to other mini-tutorials explaining how to perform each step. We'll assume that the User Group is called "Editors", although you can use any names as long as you're consistent. If you have performed the first steps in another tutorial, you can skip those steps and use the groups and roles you created.

  • Create the Users
  • Create a Role for the users. Call the Role "Editor" and give it an Authority level of 10
  • Create a User Group called "Editors" and add the users to it with a role of Editor
  • Add the admin Super user to the User Group with a role of admin Super User (not strictly necessary, but always a good idea)
  • Create a new Policy Template and add a custom permission to it. Call the Template "MyMenuTemplate" and the permission "see_reports_menu"
    1. Go to Security | Access Controls
    2. click on the "Policy Templates" tab if it is not the current tab
    3. Click on the "Create Policy Template" button
    4. Type MyMenuTemplate in the Name field
    5. Click on the down arrow in the "Template Group" field and select "Admin"
    6. Type "Template for custom menu permissions" in the Description field
    7. Click on the "Save" button.
    8. Right-click on "MyMenuTemplate" and select "Update Policy Template"
    9. Click on the "Add Permission to Template" button
    10. Click on the left side of the name field (Important: Don't click on the down arrow)
    11. Type see_reports_menu in the "Name" field
    12. Type "Permission to see the Reports menu item in the Top Menu" in the Description field
    13. Click on the "Add" button
    14. Click on the "Save" button at the upper right to save the Template
  • Create a new Policy based on the new Template. Call the Policy "MyMenu"
    1. Click on the "Cancel" button to go back to the Access Controls panel (be sure you've saved the Template first)
    2. Click on the "Access Policies" tab
    3. Click on the "Create Access Policy" button
    4. Type MyMenu in the "Name" field
    5. In the "Policy Template field, click on the down arrow and select the "MyMenuTemplate" Template
    6. In the "Description"field, put "Custom permissions: see_reports_menu"
    7. Click on the "Save" button in the dialog
    8. Right-click on the "MyMenu" Policy and select "Update Policy"
    9. Confirm that the see_reports_menu permission is there and is checked
  • Assign the new Policy to the Administrator group so you'll have the new permission
    1. Click on the "User Groups" tab
    2. Right-click on the "Administrator" User Group
    3. Select "Update User Group"
    4. Click on the "Context Access" tab
    5. Click on the "Add Context" button
    6. Using the down arrows, select the following options for the fields:
      • Context: mgr
      • Minimum Role: Super User - 0
      • Access Policy: MyMenu
    7. Click on the "Save" button in the dialog

Let's review what we just did and why we did it. We're going to require a new permission (see_reports_menu) in order to see the Reports Top Menu item. The first step is to give that permission to ourselves (as the Admin Super User). We could have made this much simpler by just adding that permission to the existing Administrator Template, but then we might lose the permission when MODX is upgraded to a new version. Instead, then, we created a new Policy Template, added the permission to it, created a new Access Policy based on the new Policy Template, and created a new Context Access ACL entry for the mgr Context using that Policy. That gives all admin Super Users the new permission.

  • Our next move is to make the new permission a requirement for seeing the Reports Top Menu item. Here are the steps for that:
    1. Go to System | Actions on the Top Menu
    2. On the right panel, find the "Reports" item
    3. Right-click on "Reports" and select "Update Menu"
    4. In the "Permissions" field, type see_reports_menu
    5. Be careful not to change any other fields and be sure to spell the permission exactly as it's spelled in the Policy Template
    6. Click on the "Save" button in the dialog
    7. Clear the Site Cache
    8. On the Security menu, Flush Permissions and Flush All Sessions
    9. Log back in

At this point, only members of the Administrator User Group with a role of admin Super User can see the Reports menu item.

Hiding Other Menu Items

Once you have this set up, hiding other Top Menu items is much simpler. If you will have the same group of menu items hidden from all non-Admin Super Users, you can simply add the see_reports_menu permission to all of the items in System | Actions. In that case, it would make more sense to call our custom permission something like see_admin_menu.

Note that some menu items already have permissions specified for them in the Permissions field. If that's the case, simply add a comma and your custom permission at the end in the Permissions field (no spaces).

If you want finer control of the menu items, create a new permission for each one by updating the MyMenuTemplate Policy Template and adding each permission. Then, add the required permissions to the appropriate menu items in System | Actions.

Showing Restricted Items to other Groups

If you decide to show some or all of the restricted menu items to members of other User Groups, use the following steps

  1. Go the Security | Access Controls
  2. Click on the User Groups tab
  3. Right-click on the User Group and select "Update User Group"
  4. On the Context Access tab, click on the "Add Context" button
  5. In the new entry, select the "mgr" Context
  6. Select the Role that the users have in the group
  7. Select the "MyMenu" Policy

If different user groups will have different menu permissions, you'll need to create a duplicate of the MyMenu Policy for each group. Use the group's name as part of the name of the Policy (e.g., MyEditorsMenu). On the Policies tab, Edit each group's Policy (by right-clicking on it and selecting "Update Policy") and uncheck any menu permissions that they shouldn't have. Then use the following steps for each group:

  1. Go to Security | Access Controls
  2. Click on the "User Groups" tab
  3. Right-click on the User Group and select "Upatate User Group"
  4. Click on the "Context Access Tab"
  5. Click on the "Add Context" Button
  6. Select the "mgr" Context, the Role that the users have in the group, and that group's Policy
  7. Click on the "Save" button

Security Resources at Bob's Guides

 

My book, MODX: The Official Guide - Digital Edition is now available here. The paper version of the book is available from Amazon.

If you have the book and would like to download the code, you can find it here.

If you have the book and would like to see the updates and corrections page, you can find it here.

MODX: The Official Guide is 772 pages long and goes far beyond this web site in explaining beginning and advanced MODX techniques. It includes detailed information on:

  • Installing MODX
  • How MODX Works
  • Working with MODX resources and Elements
  • Using Git with MODX
  • Using common MODX add-on components like SPForm, Login, getResources, and FormIt
  • MODX security Permissions
  • Customizing the MODX Manager
  • Using Form Customization
  • Creating Transport Packages
  • MODX and xPDO object methods
  • MODX System Events
  • Using PHP with MODX

Go here for more information about the book.

Thank you for visiting BobsGuides.com

  —  Bob Ray