
Admin Controls


Accessing the Admin Panel

  1. Navigate to /admin/login
  2. Enter admin email address
  3. Enter OTP received by email
  4. Admin session established (23-hour lifetime)

Admin access is controlled by user.is_admin = True in the database. Set it directly via SQL, or have another admin user toggle it.


AdminControlFlags (Global Toggles)

These flags affect all users platform-wide. Modify them via the admin dashboard → Feature Flags section:

Flag                                  Effect when True
auto_approve_collaboration_requests   Collaboration requests auto-matched without manual admin review
enable_razorpay_payment               Razorpay payment UI visible to users
enable_choosing_plan_options          Users can self-select subscription plans
enable_wasabi_cloudflare_setup        Wasabi URLs served via Cloudflare CDN
enable_dark_theme                     Dark theme applied across all platform pages

Only one row exists in the admin_control_flags table. All flags are columns on that single row.


User Management Operations

Operation               How
View all users          Admin dashboard → Users list
Delete a user           User list → Delete (cascades to related records)
Toggle admin status     User detail → Toggle Admin
Update plan             User detail → Change Plan
Set storage limit       User detail → Storage Limit (GB)
Enable guest upload     User detail → Enable Guest Upload
Enable encryption       User detail → Enable Encryption (generates key if none)
Rotate encryption key   User detail → Rotate Key

Encryption Dashboard

Admin Panel → Encryption Management:

  • Check master key status — confirms MASTER_KEY env var is set
  • View all users with encryption — lists users with encrypt_data_b=True
  • View key versions — shows current active key version per user
  • Rotate a user's key — generates new key, retains old for decryption
  • Generate new master key — emergency use only (requires re-wrapping all user keys)

Do not rotate the master key unless absolutely necessary

Master key rotation requires re-encrypting every user's key. Old encrypted files remain readable only if the old per-user key is retained. Coordinate this operation carefully.
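
The key hierarchy described above, as an added example that is not the platform's own code: a master key wraps versioned per-user keys, so rotating a user's key keeps old versions for decryption, and a new master key means re-wrapping every retained version. The names UserKeys, seal and unseal are hypothetical, storing the key version next to each ciphertext is an assumption, and the HMAC-based cipher is a standard-library stand-in for whatever AEAD the platform actually uses.

```python
import hashlib, hmac, os

# Stand-in AEAD (HMAC-SHA256 keystream + HMAC tag) so this runs on the standard
# library alone. Assumption: the platform's real cipher is not shown on the page.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class UserKeys:
    """Hypothetical per-user key ring: every version is stored wrapped by the master key."""
    def __init__(self, master):
        self.wrapped, self.active = {}, 0
        self.rotate(master)

    def rotate(self, master):
        # New active version; older versions stay so existing files still decrypt.
        self.active += 1
        self.wrapped[self.active] = seal(master, os.urandom(32))

    def encrypt(self, master, data):
        # The version is returned so it can be stored next to the ciphertext.
        return self.active, seal(unseal(master, self.wrapped[self.active]), data)

    def decrypt(self, master, version, blob):
        return unseal(unseal(master, self.wrapped[version]), blob)

    def rewrap(self, old_master, new_master):
        # Master key rotation: re-wrap every retained version, not just the active one.
        self.wrapped = {v: seal(new_master, unseal(old_master, w))
                        for v, w in self.wrapped.items()}
```

A blob encrypted under version 1 still decrypts after rotate(); after rewrap() the old master key raises ValueError, and a version removed from the ring makes its files unreadable.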


Lab Portal Management

Admin Panel → Lab Portal:

  • Grant access — enter user email → generates lab_id and lab_pin → async email sent to lab
  • Revoke access — sets enable_lab_portal=False — lab can no longer log in
  • View all labs — lists all active lab portal accounts

Safe Admin Panel Usage

  • Always verify the user email before making changes
  • Encryption operations are irreversible (key rotation, master key generation)
  • User deletion cascades — S3 files are NOT auto-deleted (manual S3 cleanup needed)
  • Use the local DB mirror for read-only queries (user list, search) — it’s faster
  • Write operations always go to PostgreSQL — don’t query local SQLite for authoritative data

TL;DR

  • Access: OTP-based admin login at /admin/login.
  • Controls: Feature flags, user management, encryption keys, lab access, subscription plans.
  • Safety: Encryption ops are irreversible. User deletion does not delete S3 files. Feature flags affect all users instantly.