Users & Roles

The users panel (admin/users.php) controls every account that can log into the site — admin staff, contributors, and subscribers. Role assignments here determine what each person can see and do.

Roles

jekcms ships with five built-in roles, ordered by privilege:

  • Admin — Full access. Settings, users, API keys, danger zone. Can promote others to admin
  • Editor — Publish/edit any post, moderate comments, manage media. Cannot change site settings or manage users
  • Author — Write and publish their own posts. Cannot touch others' work
  • Contributor — Write drafts, cannot publish. Editor or admin approval required
  • Subscriber — Read-only. Can comment, save bookmarks, access subscriber-only content. No admin panel access

Roles are hardcoded; custom roles aren't supported. Capability overrides for individual users also aren't supported by design — pick the closest role or promote carefully.

Creating a user

Click Add New. Fields:

  • Username — Unique, URL-safe. Appears in author bylines and /author/{username} URLs
  • Email — Unique. Used for password reset and notifications
  • Password — Minimum length enforced by policy (see below). Leave blank to email a setup link instead
  • Role — Dropdown of the five roles
  • Send setup email — Sends the user a magic link to set their own password

First-time admins should always use Send setup email — it forces the user to pick their own password rather than receiving one over email.

Password policy

Under Settings → Security → Password Policy:

  • Minimum length — Default 10, max 64
  • Require mixed case — On/off
  • Require number — On/off
  • Require symbol — On/off
  • Block common passwords — Checks submitted passwords against a 10k-entry compromised-password list
  • Expire after — Force password change every N days (0 = never)

Tightening policy applies to new passwords only. Existing users aren't forced to change until they next reset. To force everyone to reset, use Bulk → Invalidate passwords on the users panel.

Two-factor authentication

Each user enrolls themselves:

  • Login → top-right profile menu → SecurityEnable 2FA
  • Scan the QR with Authenticator app (Authy, Google Auth, 1Password)
  • Enter a current 6-digit code to confirm

Backup codes (10 single-use) are shown once — users must save them. A lost authenticator without backup codes requires an admin to disable 2FA from the user's edit page (only admins can do this; the user can't self-recover).

Admins can also require 2FA role-wide under Settings → Security → Require 2FA for roles. Users in those roles are redirected to enrollment on next login.

Google OAuth sign-in

Under Settings → Integrations → Google OAuth:

  • Create a project in Google Cloud Console, enable OAuth consent screen
  • Add https://yoursite.com/auth/google/callback as an authorized redirect URI
  • Paste the Client ID and Client Secret

Once configured, the login page shows a Sign in with Google button. Users matched by email auto-link to existing accounts; new Google sign-ins create a Subscriber account by default (promote manually if they're staff).

Avatars and profile

Each user has a profile editable under Users → [user] → Profile:

  • Avatar — Upload a square image (auto-cropped to 256×256). Falls back to Gravatar if unset, then to initials
  • Display name — Shown in bylines; defaults to username
  • Bio — Markdown-enabled. Appears on post pages for authors + on /author/{username} archive
  • Social links — Twitter, Mastodon, LinkedIn, personal website. Rendered as icons on the author archive

Deleting a user

Delete on any user row prompts a confirmation with an important choice:

  • Reassign posts to — Pick another user. All posts, comments, and media uploaded by the deleted user get reassigned. This is the safe choice
  • Delete posts too — Removes all content alongside the user. Irreversible without a backup

You can't delete yourself or the last remaining admin. The UI disables the button; the API rejects the request.

Banning (lock)

Locking is non-destructive:

  • Row action → Lock account
  • Sets status = locked in the users table
  • Active sessions are invalidated immediately
  • Login attempts return "account suspended"
  • Posts, comments, profile remain visible

Unlock restores login access with the same password. Use lock for suspected compromises, ToS violations, or staff offboarding where you want a reversal path.

Login attempt history

Users → [user] → Security → Login history shows the last 90 days:

  • Timestamp
  • IP address
  • User agent
  • Outcome (success / wrong password / 2FA failed / locked out)

After 5 failed attempts in 15 minutes the account auto-locks for 30 minutes. Admins can unlock immediately from the same panel.

Session management

Every login creates a session record. The Security tab lists active sessions with device, IP, last-seen time. Actions:

  • Revoke — Kills one session
  • Revoke all except current — Emergency "someone else is logged in as me"
  • Force logout everywhere — Admin action on any user, kills every session including web + API tokens

Password reset automatically revokes every session.

Password reset flow

User clicks "Forgot password" → enters email → receives a link valid for 1 hour → sets new password → all sessions revoked → redirected to login.

Links are single-use and cryptographically signed. If email delivery fails, admins can generate a reset link manually from Users → [user] → Send reset link and copy/paste it via another channel.

Be the first to know

New features, release notes & CMS guides — a couple of emails a month, no spam.