forked from gnowgi/ndf-studio
-
Notifications
You must be signed in to change notification settings - Fork 0
ADMIN_SYSTEM
GN edited this page Jun 29, 2025
·
1 revision
The NDF Studio admin system provides comprehensive user management capabilities with automatic first-user superuser promotion and a complete admin interface for user management.
- Mechanism: The first user to register in the system is automatically promoted to superuser status
-
Implementation: Handled in
UserManager._make_first_user_superuser()method - Logging: All superuser promotions are logged with SECURITY level events
- Safety: Only applies to the very first user in the system
All admin endpoints require superuser privileges and are prefixed with /auth/admin/:
-
GET /auth/admin/users- List all users with statistics -
POST /auth/admin/users- Create new user -
PUT /auth/admin/users/{user_id}- Update user details -
POST /auth/admin/users/{user_id}/promote- Promote user to superuser -
POST /auth/admin/users/{user_id}/demote- Demote superuser to regular user -
DELETE /auth/admin/users/{user_id}- Delete user -
GET /auth/admin/stats- Get system statistics
- Location: Accessible via the "Admin" tab in the Knowledge Base panel
- Access Control: Only visible to superusers
-
Features:
- User listing with status indicators
- Create new users
- Edit existing users
- Promote/demote users
- Delete users
- System statistics dashboard
- All admin endpoints require superuser authentication
- Non-superusers receive 403 Forbidden responses
- Frontend hides admin panel from non-superusers
- Self-Demotion Prevention: Admins cannot demote themselves
- Self-Deletion Prevention: Admins cannot delete themselves
- Superuser Deletion Prevention: Superusers cannot be deleted (configurable)
All admin actions are logged with SECURITY level events:
logger.security(
f"Admin '{current_user.username}' promoted user '{user.username}' to superuser",
event_type="admin_user_promotion",
admin_user_id=str(current_user.id),
promoted_user_id=str(user.id),
promoted_username=user.username,
reason=request.reason
)class UserPromoteRequest(BaseModel):
user_id: str
reason: Optional[str] = None
class UserDemoteRequest(BaseModel):
user_id: str
reason: Optional[str] = None
class AdminUserCreate(BaseModel):
username: str
email: str
password: str
is_superuser: bool = False
is_active: bool = True
class UserUpdateRequest(BaseModel):
username: Optional[str] = None
email: Optional[str] = None
is_active: Optional[bool] = None
is_superuser: Optional[bool] = NoneResponse:
{
"users": [
{
"id": "uuid",
"username": "string",
"email": "string",
"is_active": true,
"is_superuser": false,
"is_verified": true,
"created_at": "timestamp"
}
],
"total": 5,
"superusers": 1,
"active_users": 4
}Request:
{
"username": "newuser",
"email": "[email protected]",
"password": "securepassword",
"is_superuser": false,
"is_active": true
}Response:
{
"message": "User created successfully",
"user": {
"id": "uuid",
"username": "newuser",
"email": "[email protected]",
"is_active": true,
"is_superuser": false
}
}Request:
{
"username": "updated_username",
"email": "[email protected]",
"is_active": true,
"is_superuser": false
}Request:
{
"reason": "User needs admin access for project management"
}Request:
{
"reason": "User no longer needs admin access"
}Response:
{
"message": "User 'username' deleted successfully"
}Response:
{
"total_users": 10,
"active_users": 8,
"inactive_users": 2,
"superusers": 2,
"regular_users": 8,
"system_info": {
"first_user_created": true,
"has_superusers": true
}
}The AdminPanel component provides a complete user management interface:
- User List: Table view with user details and status indicators
- Create User: Modal form for creating new users
- Edit User: Modal form for updating user details
- Actions: Promote, demote, and delete buttons for each user
- Statistics: Dashboard showing system statistics
{activeTab === "admin" && userInfo?.is_superuser && (
<div className="p-4">
<AdminPanel />
</div>
)}
{activeTab === "admin" && !userInfo?.is_superuser && (
<div className="p-4 text-center">
<div className="bg-red-100 border border-red-400 text-red-700 px-4 py-3 rounded">
<strong>Access Denied:</strong> Admin privileges required to access this panel.
</div>
</div>
)}Run the comprehensive admin system test:
python test_admin_system.pyThe test script verifies:
- Automatic first-user superuser promotion
- Admin user management operations
- Access control and security measures
- User promotion and demotion
- User creation and deletion
- System statistics
- Self-protection mechanisms
-
First User Registration:
- Register the first user in a fresh system
- Verify they become superuser automatically
- Check logs for promotion event
-
Admin Panel Access:
- Login as superuser
- Navigate to Knowledge Base → Admin tab
- Verify admin panel is visible and functional
-
User Management:
- Create new users via admin panel
- Promote regular users to superuser
- Demote superusers to regular users
- Update user details
- Delete users
-
Access Control:
- Login as regular user
- Verify admin panel is not accessible
- Verify admin API endpoints return 403
No additional environment variables are required. The admin system uses existing authentication configuration.
The admin system uses the existing User model with the is_superuser field:
class User(SQLModel, table=True):
id: UUID = Field(default_factory=uuid4, primary_key=True)
email: str = Field(nullable=False, unique=True, index=True)
hashed_password: str = Field(nullable=False)
is_active: bool = Field(default=True, nullable=False)
is_superuser: bool = Field(default=False, nullable=False)
is_verified: bool = Field(default=True, nullable=False)
username: str = Field(nullable=False, unique=True, index=True)-
First user not promoted to superuser:
- Check if there are existing users in the database
- Verify the
_make_first_user_superusermethod is called - Check logs for any errors
-
Admin panel not visible:
- Verify user has
is_superuser: true - Check browser console for errors
- Verify the admin tab is added to DEV_PANEL_TABS
- Verify user has
-
Admin API endpoints returning 403:
- Verify user authentication
- Check if user has superuser privileges
- Verify token is valid and not expired
-
User creation/deletion failing:
- Check database permissions
- Verify user directory creation
- Check logs for specific error messages
Admin actions are logged with specific event types:
first_user_superuser_promotionadmin_user_creationadmin_user_updateadmin_user_promotionadmin_user_demotionadmin_user_deletion
Search logs for these event types to track admin activities.
- Token Security: Admin operations require valid JWT tokens
- Audit Trail: All admin actions are logged with detailed information
- Self-Protection: Admins cannot accidentally remove their own privileges
- Access Control: Non-superusers cannot access admin functionality
- Input Validation: All user inputs are validated and sanitized
- Role-Based Access Control: Support for multiple admin roles
- Bulk Operations: Batch user management operations
- User Activity Monitoring: Track user login patterns and activity
- Advanced Statistics: More detailed system usage analytics
- Email Notifications: Notify users of role changes
- Two-Factor Authentication: Enhanced security for admin accounts