Purge does not respect access policy #modxbughunt

[wuuti]

Summary

If you purge deleted documents, all documents in all contexts and resource groups which are marked as deleted are purged, no matter if you have access to the context or not.

Step to reproduce

Create a second context B and a user group with additional permissions (compared to Content Editor) of 'purge_deleted' only for that context. Create a new user and add it to the new user group. Remove the web context access policy from the new user group. Delete a document in the web context. Logout (or use a second browser) and login with the new restricted user. You should only see the new context B in the resource tree, as you don't have any access to the web context any more. Click the recycle bin icon and confirm the purge. The document in the web context is now purged.

Observed behavior

The recycle bin icon is active and you can purge documents in contexts you don't have access to.

Expected behavior

It should not be possible for user to change (and purging is a change with a huge impact!) documents he is not even allowed to see. So purging should only work on resources the user has access to. This is especially a concern in larger installations with different sites in different contexts and with a lot of editors working in their contexts. The issue is even more important as the confirmation alert does not even name the documents which are about to get purged (see related #13448 )

Environment

MODX version 2.6.0-dev and prior versions