Users & Roles

User management is controlled by role-based permissions. Super admins have full access, while other users need explicit custom role permissions (e.g. a "Prospect Manager" role) to manage users from Admin > Users.

User Roles

The platform has four base access levels. Admins and users can be extended with custom roles for granular table-level permissions:

Role	Description	Manager Access
`visitor`	Not signed in. Can only view published content.	None
`user`	Signed in. Can manage their own profile, orders, and favorites.	None
`admin`	Baseline admin label. Gets visitor + user-level access by default. All other table access requires explicit custom role permissions.	Requires custom roles (no blanket access)
`super`	Full access to all tables and actions.	Full

Permissions

Base permissions by role. Admins can gain additional permissions through custom roles assigned by a Super admin:

Action	Visitor	User	Admin (base)	Super
Read public records	Yes	Yes	Yes	Yes
Read own user data	-	Yes	Yes	Yes
Update own profile	-	Yes	Yes	Yes
CRUD data tables	-	-	Via custom roles	Yes
Manage users	-	-	Via custom roles	Yes
Assign roles	-	-	Via custom roles (cannot assign super/admin)	Yes
Delete records	-	-	-	Yes
Edit site config	-	-	-	Yes

Custom Roles

Custom roles grant specific table-level permissions to admins. A Super admin creates custom roles from Admin > Roles and assigns them to users. For example:

Editor - Can create, read, and update articles, products, categories, slides, pages, and assets.
Prospect Manager - Can create, read, and update users and read roles (for the role dropdown). Used by sales admins to onboard prospect users and assign them limited roles.
Comm Team - Can manage contacts, subscribers, and feedback.

Security: Non-super users can never assign the super or admin roles, and no user can modify their own roles. User deletion remains super-only.

Creating Users & Onboarding

Users can be created in two ways: self-registration (if sign-up is enabled in Site Config) or admin onboarding (a Super admin creates the account manually).

Self-Registration

When a visitor signs up, they provide their name, email, and password. The account is created with the user role by default and an active status. Sign-up can be disabled entirely from Site Config > Security > Allow sign up.

Admin Onboarding

Users with the appropriate custom role permissions (e.g. "Prospect Manager") or Super admins can create accounts on behalf of others from the Users table. This triggers the welcome email flow:

Admin enters the new user's name and email.
The system creates the account with pending status and generates a secure onboarding token.
A welcome email is sent with the subject "Welcome to [Site Name] - Set up your account".
The email contains a link to the onboarding page where the user sets their password.
The onboarding token expires after 7 days. If it expires, the admin must trigger a new one.
Once the user completes setup, their status changes to active and they can sign in normally.

The welcome email uses the site's branding (logo, colors, fonts) configured in Site Config. It is sent from the no-reply email address with the support email as reply-to.

User Status

Every user account has a status that controls their ability to sign in and access the platform:

Status	Can Sign In	Description
`active`	Yes	Normal operating state. Full access based on assigned roles.
`pending`	No	Account created via admin onboarding but user has not completed setup.
`suspended`	No	Temporarily blocked by an admin. User cannot sign in until reinstated.
`inactive`	No	Deactivated account. User cannot sign in until reactivated.

Revoking Access

To revoke a user's access, a Super admin changes their status to suspended or inactive from the Users table (user status is a super-only field). This has two effects:

Immediate prevention of new sign-ins - The user cannot authenticate.
Active session termination - On the next session refresh, the system re-checks the user's status from the database. If the status is no longer active, the session is invalidated and the user is signed out.

To reinstate access, change the status back to active. The user can then sign in again with their existing credentials.

Sessions

The platform uses JWT-based sessions. When a user signs in, a JSON Web Token is created containing their identity, roles, and status. Key behaviors:

Session duration - Sessions expire after 30 minutes of inactivity. Active usage refreshes the token automatically.
Token refresh - On each refresh, the system re-fetches the user's current data from the database, ensuring role changes and status updates take effect without requiring a manual sign-out.
Session payload - Includes user ID, name, email, roles, status, theme preference, avatar, and 2FA status.
Secure cookies - Session tokens are stored in HTTP-only cookies with a configurable prefix.

Managing Users

From the Users table, authorized users can:

View all users - See account details, roles, status, and activity. (Requires custom role with USER READ_MANY permission)
Create users - Onboard new users with name, email, and role assignment. (Requires custom role with USER CREATE permission)
Assign roles - Edit role assignments on other users. Non-super users cannot assign the super or admin roles, and nobody can modify their own roles.
Update profiles - Edit user details like name, email, or account balance. (Requires custom role with USER UPDATE permission)
Change status - Suspend, deactivate, or reactivate accounts. (Super only)
Delete users - Remove user accounts. (Super only)

Profile Page

Every signed-in user has access to their profile at Dashboard > Profile. The profile page allows users to manage their personal information:

Avatar - Upload a profile image (max 1 MB, 1:1 aspect ratio).
Name & email - Update display name. Email changes may require re-authentication.
Handle - A unique username for public profile URLs (if public profiles are enabled).
Bio & location - Optional personal information.
Social links - A list of social media profile URLs.
Addresses - Shipping and billing addresses, pre-filled during checkout.
Theme preference - Choose light or dark mode (if the site supports both).
Password reset - Request a password reset email.
2FA management - Enable or disable two-factor authentication.

Users can also make their profile public, which creates a viewable profile page at their handle URL. Public profiles display the user's name, avatar, bio, location, and social links.

Two-Factor Authentication

Users can enable 2FA from their profile using a TOTP authenticator app (Google Authenticator, Authy, etc.). Once enabled, sign-in requires both the password and a time-based one-time code.

Setup - User scans a QR code with their authenticator app and confirms with a verification code.
Backup codes - Generated during setup for account recovery if the authenticator is lost.
Admin visibility - Users with appropriate permissions can see whether a user has 2FA enabled but cannot configure it on their behalf.
Admin reset - If a user loses access to their authenticator and backup codes, a Super admin can reset their 2FA settings, allowing the user to set it up again.

Roles Table

The Roles table (Admin > Roles) defines the available roles in the system. The default roles (visitor, user, admin, super) are built-in. Super admins manage the Roles table and create custom roles.

Each role has a name, description, and set of table-level permissions. Roles are assigned to users as an array, meaning a user can hold multiple roles. Permissions from all assigned roles are combined — the union of all granted actions determines effective access.

Custom roles like "Editor", "Prospect Manager", or "Comm Team" allow fine-grained delegation without granting full admin or super access.

Loading...