Users & Roles
The users panel (admin/users.php) controls every account that can log into the site — admin staff, contributors, and subscribers. Role assignments here determine what each person can see and do.
Roles
jekcms ships with five built-in roles, ordered by privilege:
- Admin — Full access. Settings, users, API keys, danger zone. Can promote others to admin
- Editor — Publish/edit any post, moderate comments, manage media. Cannot change site settings or manage users
- Author — Write and publish their own posts. Cannot touch others' work
- Contributor — Write drafts, cannot publish. Editor or admin approval required
- Subscriber — Read-only. Can comment, save bookmarks, access subscriber-only content. No admin panel access
Roles are hardcoded; custom roles aren't supported. Capability overrides for individual users also aren't supported by design — pick the closest role or promote carefully.
Creating a user
Click Add New. Fields:
- Username — Unique, URL-safe. Appears in author bylines and
/author/{username}URLs - Email — Unique. Used for password reset and notifications
- Password — Minimum length enforced by policy (see below). Leave blank to email a setup link instead
- Role — Dropdown of the five roles
- Send setup email — Sends the user a magic link to set their own password
First-time admins should always use Send setup email — it forces the user to pick their own password rather than receiving one over email.
Password policy
Under Settings → Security → Password Policy:
- Minimum length — Default 10, max 64
- Require mixed case — On/off
- Require number — On/off
- Require symbol — On/off
- Block common passwords — Checks submitted passwords against a 10k-entry compromised-password list
- Expire after — Force password change every N days (0 = never)
Tightening policy applies to new passwords only. Existing users aren't forced to change until they next reset. To force everyone to reset, use Bulk → Invalidate passwords on the users panel.
Two-factor authentication
Each user enrolls themselves:
- Login → top-right profile menu → Security → Enable 2FA
- Scan the QR with Authenticator app (Authy, Google Auth, 1Password)
- Enter a current 6-digit code to confirm
Backup codes (10 single-use) are shown once — users must save them. A lost authenticator without backup codes requires an admin to disable 2FA from the user's edit page (only admins can do this; the user can't self-recover).
Admins can also require 2FA role-wide under Settings → Security → Require 2FA for roles. Users in those roles are redirected to enrollment on next login.
Google OAuth sign-in
Under Settings → Integrations → Google OAuth:
- Create a project in Google Cloud Console, enable OAuth consent screen
- Add
https://yoursite.com/auth/google/callbackas an authorized redirect URI - Paste the Client ID and Client Secret
Once configured, the login page shows a Sign in with Google button. Users matched by email auto-link to existing accounts; new Google sign-ins create a Subscriber account by default (promote manually if they're staff).
Avatars and profile
Each user has a profile editable under Users → [user] → Profile:
- Avatar — Upload a square image (auto-cropped to 256×256). Falls back to Gravatar if unset, then to initials
- Display name — Shown in bylines; defaults to username
- Bio — Markdown-enabled. Appears on post pages for authors + on
/author/{username}archive - Social links — Twitter, Mastodon, LinkedIn, personal website. Rendered as icons on the author archive
Deleting a user
Delete on any user row prompts a confirmation with an important choice:
- Reassign posts to — Pick another user. All posts, comments, and media uploaded by the deleted user get reassigned. This is the safe choice
- Delete posts too — Removes all content alongside the user. Irreversible without a backup
You can't delete yourself or the last remaining admin. The UI disables the button; the API rejects the request.
Banning (lock)
Locking is non-destructive:
- Row action → Lock account
- Sets status =
lockedin theuserstable - Active sessions are invalidated immediately
- Login attempts return "account suspended"
- Posts, comments, profile remain visible
Unlock restores login access with the same password. Use lock for suspected compromises, ToS violations, or staff offboarding where you want a reversal path.
Login attempt history
Users → [user] → Security → Login history shows the last 90 days:
- Timestamp
- IP address
- User agent
- Outcome (success / wrong password / 2FA failed / locked out)
After 5 failed attempts in 15 minutes the account auto-locks for 30 minutes. Admins can unlock immediately from the same panel.
Session management
Every login creates a session record. The Security tab lists active sessions with device, IP, last-seen time. Actions:
- Revoke — Kills one session
- Revoke all except current — Emergency "someone else is logged in as me"
- Force logout everywhere — Admin action on any user, kills every session including web + API tokens
Password reset automatically revokes every session.
Password reset flow
User clicks "Forgot password" → enters email → receives a link valid for 1 hour → sets new password → all sessions revoked → redirected to login.
Links are single-use and cryptographically signed. If email delivery fails, admins can generate a reset link manually from Users → [user] → Send reset link and copy/paste it via another channel.