Users & Roles
Managing user accounts, roles, and access control.
User Roles
| Role | Access Level | Description |
|---|---|---|
| super_admin | Full access | Can manage all sites, all users, platform settings, and billing. Typically the platform owner. |
| site_admin | Own sites only | Can create and manage their own sites. Cannot see other users' sites or platform settings. |
Managing Users
The Users page (/admin/users.php) is accessible to super_admin only. You can:
- View all registered users with their role, plan, and last login
- Change a user's role (promote to super_admin or demote to site_admin)
- Assign a user to a specific site (sets their default site)
- Reset a user's password
- Delete a user account
Security Features
- bcrypt hashing — passwords are hashed with cost factor 12
- Rate limiting — IP blocked after 5 failed login attempts in 15 minutes
- Session fixation prevention — session ID regenerated on login
- 30-minute session timeout — inactive sessions are expired
- Two-Factor Authentication (2FA) — TOTP-based 2FA available per user
- CSRF protection — all forms include CSRF tokens
Two-Factor Authentication
Users can enable 2FA from their profile settings. The system uses TOTP (Time-based One-Time Password) compatible with Google Authenticator, Authy, and similar apps.
1. Go to Profile → Security: click your username in the top-right corner of the admin panel.
2. Scan the QR code: open your authenticator app and scan the QR code shown on screen.
3. Enter the verification code: enter the 6-digit code from your app to confirm setup.
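As an added illustration of the TOTP flow described above (reference code written for this page, not the platform's own implementation), the following Python builds the otpauth URI that the QR code in step 2 encodes, derives the 6-digit code with a 30-second step as Google Authenticator and Authy do, and verifies a submitted code with a one-step clock window and a replay check. The function names, the issuer string and the per-user `last_used_counter` bookkeeping are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30  # TOTP period used by Google Authenticator, Authy and similar apps
DIGITS = 6         # length of the code the user types in step 3

def generate_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the QR code shown in step 2 encodes (issuer is hypothetical)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret_b32: str, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (`at` overrides the clock)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // STEP_SECONDS)

def verify_totp(secret_b32: str, submitted: str, at=None, window=1, last_used_counter=None):
    """Return the matched time-step counter, or None if the code is rejected.
    Tolerates +/- `window` steps of drift, compares in constant time, and refuses
    counters at or before `last_used_counter` (persist it per user) to block replay."""
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = (int(time.time()) if at is None else int(at)) // STEP_SECONDS
    matched = None
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            matched = counter
    if matched is None or (last_used_counter is not None and matched <= last_used_counter):
        return None
    return matched
```

Store the counter returned by `verify_totp` with the user record and pass it back as `last_used_counter` on the next login so the same code cannot be accepted twice within the drift window.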
Plans & Billing
The Plans & Pricing page (/admin/pricing.php) shows available plans and handles upgrades via Razorpay. Plan limits are enforced at the API level:
| Limit | Free | Starter | Pro | Business |
|---|---|---|---|---|
| Sites | 5 | 10 | 25 | Unlimited |
| AI Generations/mo | 10 | 50 | 200 | Unlimited |
| Image Uploads/mo | 50 | 500 | 2000 | Unlimited |
| Custom Domain | ✗ | ✓ | ✓ | ✓ |
| E-Commerce | ✗ | ✗ | ✓ | ✓ |