Users (Superadmin Only) and User Settings
This page covers two related screens: the Users tab inside Settings (Superadmin-only) and the self-service password change screen that any authenticated user can reach.
Users (Superadmin only)
The Users tab lives inside the Settings page at /settings — there is no standalone /users route. Like the rest of Settings, it is accessible only to Superadmins; regular users cannot open /settings at all.
Listing
The list shows: email, name, role, last login, status. Sort by any column. Search by email or name.
Inviting a user
Click New user. Fill in:
- Email — must be a valid email; for Google OAuth users, must be inside the configured allowed domain (or the OAuth check must be relaxed first).
- Name — display name.
- Role — Superadmin or User.
- Initial password — optional. Leave blank to auto-generate.
Save. If the password was auto-generated, the panel shows it once on screen. Copy it now — there is no way to see it again. Hand it to the user out of band.
The new user is flagged mustChangePassword = true and will be redirected to the password-change page on first login.
Changing a role
On the user’s row, change the role dropdown and save. The system refuses to demote the last Superadmin — there must be at least one Superadmin at all times. Add a new Superadmin first, then demote the old one.
Resetting password
Click Reset password on a user’s row. The system generates a new temporary password, sets mustChangePassword = true, and shows the new password once. Communicate it out of band.
The user’s existing sessions are not invalidated automatically (the JWT stays valid until it expires; there is no server-side revocation). For an immediate lockout, also click Disable account below.
Disabling and deleting
- Disable. The user remains in the database but cannot log in. Revert with Enable.
- Delete. Permanent. The user’s audit trail (changes they made) is preserved with their email frozen as a string. Their session is not invalidated until the JWT expires.
Constraints
- Cannot remove the last Superadmin.
- Cannot delete yourself.
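The constraints above, the Superadmin-only access to user management, and the note that Disable is what actually locks a user out can all be enforced in one place. The Python below is an added illustration written for this page, not the panel's own code: UserStore, UserRecord, ConstraintError and request_allowed are assumed names standing in for whatever the real backend uses, the store is an in-memory stand-in for the users table, and request_allowed assumes the JWT's signature has already been verified and only its subject (the email) is passed in.

```python
from dataclasses import dataclass
from typing import Dict

# Role names as they appear in the Users tab.
SUPERADMIN = "Superadmin"
USER = "User"


@dataclass
class UserRecord:
    email: str
    name: str
    role: str
    disabled: bool = False
    must_change_password: bool = False


class ConstraintError(Exception):
    """Raised when an operation would violate one of the documented constraints."""


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def add(self, user: UserRecord) -> None:
        self.users[user.email] = user

    def superadmin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.role == SUPERADMIN)

    def _require_superadmin(self, actor_email: str) -> None:
        # Settings (and therefore user management) is Superadmin-only; a disabled
        # account cannot log in, so it cannot act either.
        actor = self.users.get(actor_email)
        if actor is None or actor.disabled or actor.role != SUPERADMIN:
            raise ConstraintError("only an enabled Superadmin may manage users")

    def change_role(self, actor_email: str, email: str, new_role: str) -> None:
        self._require_superadmin(actor_email)
        if new_role not in (SUPERADMIN, USER):
            raise ConstraintError(f"unknown role {new_role!r}")
        target = self.users[email]
        # "Cannot remove the last Superadmin": refuse a demotion that would leave none.
        if (target.role == SUPERADMIN and new_role != SUPERADMIN
                and self.superadmin_count() == 1):
            raise ConstraintError("cannot demote the last Superadmin")
        target.role = new_role

    def delete(self, actor_email: str, email: str) -> None:
        self._require_superadmin(actor_email)
        # "Cannot delete yourself."
        if actor_email == email:
            raise ConstraintError("cannot delete yourself")
        target = self.users[email]
        if target.role == SUPERADMIN and self.superadmin_count() == 1:
            raise ConstraintError("cannot remove the last Superadmin")
        del self.users[email]

    def set_disabled(self, actor_email: str, email: str, disabled: bool) -> None:
        # Disable / Enable: the row stays in the table, only the flag flips.
        self._require_superadmin(actor_email)
        self.users[email].disabled = disabled


def request_allowed(store: UserStore, token_subject: str) -> bool:
    """Per-request check run after JWT signature verification (assumed done elsewhere).

    The token itself stays valid until it expires, so the immediate lockout
    that "Disable" promises comes from this lookup, not from the token.
    """
    user = store.users.get(token_subject)
    return user is not None and not user.disabled
```

The point of request_allowed is that a still-valid token is not sufficient: every request consults the account's current status, which is why Disable takes effect at once while a password reset alone does not.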
Self-service password change (every user)
Self-service password change is not inside Settings (Settings is Superadmin-only). It lives on a dedicated full-screen route at /password-change, the same route used by the first-login forced flow described in Authentication.
Changing your password
Navigate to /password-change. Provide:
- The current password.
- The new password (twice).
Save. The form hashes the new password with bcrypt and updates the users.password_hash column. Existing sessions remain valid (the JWT does not embed the password hash, so changing the hash cannot invalidate it). To force an immediate logout, sign out manually after saving.
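What the password-change form has to check before it touches users.password_hash is small but easy to get wrong: verify the current password against the stored hash, confirm the two new entries match, hash the new value, and clear the first-login flag. The Python below is an added example written for this page, not the panel's own code. It uses the bcrypt package when installed; when it is not, it falls back to a labelled PBKDF2 stand-in so the example still runs offline. Account, change_password, attempt and the MIN_LENGTH policy are assumptions, not names or rules from the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

try:
    import bcrypt  # the scheme the page names; preferred when available
except ImportError:  # pragma: no cover
    bcrypt = None  # fall back to PBKDF2 below so the example runs anywhere

MIN_LENGTH = 12           # assumption: the page states no length policy
PBKDF2_ITERATIONS = 200_000


def hash_password(plain: str) -> str:
    """Return a salted hash suitable for users.password_hash."""
    if bcrypt is not None:
        # bcrypt only uses the first 72 bytes of the input; enforce that explicitly.
        if len(plain.encode()) > 72:
            raise ValueError("password longer than bcrypt's 72-byte limit")
        return bcrypt.hashpw(plain.encode(), bcrypt.gensalt()).decode()
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()


def verify_password(plain: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", plain.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    if bcrypt is None:
        raise RuntimeError("stored bcrypt hash but the bcrypt package is not installed")
    return bcrypt.checkpw(plain.encode(), stored.encode())


@dataclass
class Account:
    """Stand-in for one row of the users table (constructed for this example)."""
    email: str
    password_hash: str
    must_change_password: bool = False


class PasswordChangeError(Exception):
    pass


def change_password(acct: Account, current: str, new: str, confirm: str) -> None:
    """The server side of /password-change.

    Verify the current password first so a stolen-but-valid session cannot
    set a new password on its own; then apply the checks on the new value.
    """
    if not verify_password(current, acct.password_hash):
        raise PasswordChangeError("current password is incorrect")
    if new != confirm:
        raise PasswordChangeError("new passwords do not match")
    if len(new) < MIN_LENGTH:
        raise PasswordChangeError(f"new password must be at least {MIN_LENGTH} characters")
    acct.password_hash = hash_password(new)
    # Clears the flag set by "New user" and "Reset password" (first-login forced flow).
    acct.must_change_password = False


def attempt(acct: Account, current: str, new: str, confirm: str) -> str:
    """Convenience wrapper returning 'ok' or the refusal reason."""
    try:
        change_password(acct, current, new, confirm)
        return "ok"
    except PasswordChangeError as exc:
        return str(exc)
```

Note that nothing here touches the session: as the text says, the JWT carries no trace of the hash, so a successful change leaves every existing token valid until it expires.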
Why is there nothing else here?
The user-profile page is intentionally minimal. Locale, theme, and sidebar state are persistent UI state in browser storage, not server-side preferences. Email is changed only by deletion-and-recreation. Account deletion is a Superadmin-only operation.