Protecting Multi-Author Sites with NewsPublisher

Create a bullet-proof site where users can only edit articles they author with NewsPublisher.

By Bob Ray
November 16, 2021

The NewsPublisher Extra lets users create and edit Resources in the front end of the site. This means you don't have to give those users Manager access and then set up all the security restrictions needed to keep them from performing unwanted actions in the Manager. If you've never used NewsPublisher, you may wish to read Front-End Authoring with NewsPublisher before continuing with this tutorial.

If you are using the NewsPublisher Extra for MODX Revolution and would like to restrict users to editing only pages they created, there's a fairly simple solution.

If you are using a very old version of NewsPublisher that doesn't have the &ownpagesonly property for the NpEditThisButton Snippet, you'll need to upgrade to the current version to get this feature to work.

When you put the [[NpEditThisButton]] tag on a page, front-end visitors who are logged in will see a button labeled Edit on each page. Clicking on it will launch NewsPublisher with that page loaded in the editor. The secret to keeping users from editing other users' pages is simply not to show them the button unless the page was created by the current user. To do this, add &ownpagesonly=`1` to the NpEditThisButton tag, like this:

[[!NpEditThisButton? &ownpagesonly=`1`]]

That's all there is to it. When the NpEditThisButton Snippet sees that property, it will check the createdby field of the Resource. If the user created the page, they will see the Edit button. If not, there will be nothing at all where the Snippet tag was.

Important: Be sure to call the NpEditThisButton Snippet uncached (with the exclamation point). Otherwise, the cached output of the Snippet may have been generated for a different user and the Snippet won't work as you expect it to.

Resources with the Wrong Author

The only catch is that you might have originally created the pages for the users, or used an Extra that created them. In that case, the createdby field may contain your ID instead of the user's ID. No users will be able to edit any pages until you reset that field. Fortunately, the Batcher Extra provides a relatively easy way to do that.

In Batcher, put a checkmark next to all the pages belonging to a particular user. Click on the Bulk Actions dropdown and select the Change Authors option. Click on the Created By dropdown and select the user. Then click on the Save button. Once you've done that, the user's ID will be stored in the Resource's createdby field and the Snippet will work as it should.
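
Before you start ticking boxes in Batcher, it helps to see which pages currently carry the wrong createdby value. The Snippet below is an added example, not part of NewsPublisher or Batcher. Its name (AuditCreatedBy), the &parents property, and the container IDs in the usage comment are assumptions made for illustration, and it uses the classic modResource and modUser class names.

```php
<?php
/**
 * AuditCreatedBy -- hypothetical Snippet name (added example, not shipped with any Extra).
 * Lists every Resource under the given containers with its createdby ID and username,
 * so pages still owned by an admin account are easy to spot before using &ownpagesonly.
 *
 * Usage, always uncached:  [[!AuditCreatedBy? &parents=`12,15`]]
 * (12 and 15 are placeholder container IDs; &parents is a property invented for this example.)
 */

// Ownership data is only useful to site admins, so show nothing to anyone else.
if (!$modx->user->isMember('Administrator')) {
    return '';
}

// Accept a comma-separated list of container IDs and keep only positive integers.
$raw = $modx->getOption('parents', $scriptProperties, '');
$parents = array_filter(array_map('intval', explode(',', $raw)));
if (empty($parents)) {
    return 'AuditCreatedBy: set &parents to one or more container IDs.';
}

// Fetch the non-deleted children of those containers, grouped by author.
$query = $modx->newQuery('modResource');
$query->where(array('parent:IN' => $parents, 'deleted' => 0));
$query->sortby('createdby', 'ASC');

$names = array(); // user ID => username, so each user is looked up once
$lines = array();
foreach ($modx->getIterator('modResource', $query) as $resource) {
    $uid = (int) $resource->get('createdby');
    if (!isset($names[$uid])) {
        $user = $uid > 0 ? $modx->getObject('modUser', $uid) : null;
        $names[$uid] = $user ? $user->get('username') : '(no such user)';
    }
    $lines[] = sprintf(
        '%d | %s | createdby=%d (%s)',
        $resource->get('id'),
        $resource->get('pagetitle'),
        $uid,
        $names[$uid]
    );
}

$out = empty($lines) ? 'No Resources found under the given parents.' : implode("\n", $lines);

// Page titles are user-supplied, so escape everything before output.
return '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
```

Any row that shows your own username instead of the intended author's is a page that user will not be able to edit until its createdby field is changed.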


Bob Ray is the author of MODX: The Official Guide and dozens of MODX Extras including QuickEmail, NewsPublisher, SiteCheck, GoRevo, Personalize, EZfaq, MyComponent and many more. His website is Bob’s Guides. It not only includes a plethora of MODX tutorials but also some really great bread recipes.