Manager Customization: Restrict Menu Items and Actions for Some Users

Use existing permissions to hide MODX Manager menu items from specific users to improve security and customize the Manager for better UX.

By Bob Ray  |  Updated: December 28, 2021  |  5 min read
Manager Customization: Restrict Menu Items and Actions for Some Users

This is the first article in a three-part series on MODX Manager customization (click here for the second and here for the final). There are a variety of reasons to customize the back-end Manager UI for your users or groups. These include making frequently used items more accessible, preventing access to things that could cause problems, protecting confidential data, or removing things they should never see in the first place.

Rather than do extensive customization of the MODX Manager’s Top Menu, you might just want to hide a few options. This is actually quite easy to do, even for a non-programmer. The trick is to add a permission to the menu item that the user doesn’t have.

This article uses an existing permission to hide menu items. We’ll be looking at another way to hide menu items in the next article, which uses a custom permission to hide the menu items and may be more appropriate if you will be hiding multiple menu items from multiple user groups. You may want to take a look at that article before you decide on which method to use.

Say that we want to hide the “Manager Log” menu item from some users. We could take away the logs permission, but we want them to be able to see the error log and removing that permissions would prevent that. What we need to do is add a required permission (that the user doesn’t have) to the Manager Log menu item.

Identifying the Policy

Before messing with the menu items, we need to find a permission that the user doesn’t have (and isn’t likely to get). This assumes that you have Manager users with restricted permissions already.

  1. Go to System (gear Icon) → Access Control Lists.
  2. Click On the “User Groups & Users” tab if you’re not there already.
  3. Right-click on the user’s user group and select “Update User Group” in the drop-down menu.
  4. On the next screen, Click on the “Context Access” tab. (We’re not going to change anything here, we’re just checking to see what policy is used).
  5. Look at the “Policy” column in the row for the 'mgr' Context Access ACL entry and make a note of the policy (note all policies if there is more than one entry).
  6. Write down the policies.
  7. Click on the “Close” button at the upper right (That will take you back to the main Access Control Lists panel).

Selecting a Permission

Now that we know the policy that controls what the users can do and see in the Manager, we’ll check its specific permissions. Again, we’re not going to change anything here, we’re just looking for a permission to use.

  1. Click on the “Access Policies” tab.
  2. Right-click on a policy you just noted and select “Update Policy” in the drop-down menu.

You should see a grid showing a number of permissions. The “Enabled” column shows checkboxes that determine whether the user group has a permission or not. Find one that the user group doesn’t have. The access_permissions is often a good choice. No user other than a very high-level admin should have this permission since it allows them to change their own security status (and yours in the current version of MODX). Write down the “Name” of the permission you’ve chosen carefully (it’s in the leftmost column). In the next step, it has to be spelled exactly as it appears here. Do this for each policy you’ve noted in the step above and find a permissions that is not enabled on any of those policies.

Setting the Permission

Now, we’re going to add the permission that the user doesn’t have to the menu item we want to hide. We want to let the user see the Error Log, but not the Manager Log.

Go to System (gear icon) → Menus. That will open up a panel with a tree showing all the menu items. You can click and drag menu items around in the tree to customize the menu (though that’s not needed for what we’re doing here). You can even put options under another parent, though it’s not recommended.

To hide the Manager Log:

  1. Click on the “Manage” menu item to expand it.
  2. Click on the “Reports” item to expand it.
  3. Right-click on the “Manager Log" item (under Reports) in the tree and select “Update Menu”.
  4. In the last field (“Permissions.”) you’ll see that it’s set to logs by default.
  5. The “Permissions” field determines what permissions the user needs (if any) to see that particular menu item, and it will accept a comma-separated list of permissions (no spaces).
  6. Change the “Permissions” field to look like this:

  7. Click on the “Save” button to save your changes.

Now, only users with both permissions will see the Reports → Manager Log menu item. You’ll need to use the “Manage” menu to Flush Your Permissions and Logout All Users before the change will take effect. That will log you out. If you log back in as a user in the user group we’ve modified, the “Manager Log” item should be hidden. Even if the user can guess the URL of the menu option, they won’t be able to reach it without the necessary permissions.

You can add the same permission to any menu item you want to hide using the method described above. If the “Permissions” field is blank, just type in the permission you’ve selected. If not, add a comma followed by the permission.

Using a Custom Permission

If you will be hiding lots of menu items from multiple user groups, it will be easier to just create a custom permission for yourself and any other users who should see all menu items. We’ll see how to do that in the next article.

Bob Ray is the author of the MODX: The Official Guide and dozens of MODX Extras including QuickEmail, NewsPublisher, SiteCheck, GoRevo, Personalize, EZfaq, MyComponent and many more. His website is Bob’s Guides. It not only includes a plethora of MODX tutorials but there are some really great bread recipes there, as well.