urania-dev/snapp

Admin can't do anything special

Closed this issue · 12 comments

This might be a mistake on my part, but is the admin user just pointless? I was testing this yesterday and the admin user can't see links created by other users or see that other users exist in the first place. Is there a hidden page for admin stuff?
If this is intended, maybe add the admin capabilities to the instructions so people know what it can do.

You're right, I left it behind while thinking about configuring the app further (e.g. moving the SMTP config from env to a settings entry in the front-end admin panel)

But I changed my mind and forgot to clean up

😅

Is there a chance to revive your admin panel plans?
User management would be appreciated!

By user management, I mean changing the password as well as setting a limit on how many links a person can create.
Also, if registration is disabled, a "create user" feature would be useful.

I'll take the time to arrange that. I just can't promise it in a set span of time, as it is a side project and I'm only a hobby developer, but I should be able to do it.

Great, thanks!
Take your time, no worries ^^

I found your project and saw that it had an admin account, so I hoped it would support user management, because that's the main reason I'm searching for a new shortener.
But if I need to wait a bit longer, it's not a problem!

I'll try my best. Let's start with what you have in mind: what kind of user management?

  • allow / disallow OR freeze registration / multi_user from the backend?
  • create / delete / ban user by username? (username is actually the id provider for prisma and lucia; switching to email would freak out older versions of the app on update, I presume as a layman)
  • report link and reported-link dashboard? (could be useful for reporting abuse on shortened links which point to dubious websites, but I actually can't think of a way for end users to report the link) I accept suggestions and ideas of course.

maybe also a more robust admin definition than "the first user who registers", even though that could actually work due to the small size of this app. I seriously doubt it could hold up and scale to a big audience.

but yet, I've not tried or tested it except through feedback on this repository so...
I would say it could be a start?

thank you for taking the time to actually try and explore my app, and for proposing a new feature. I really appreciate that, since I'm trying to improve my skills and it's difficult to gather feedback on a small hobby side-project without a youtube channel or the like. 🚀

edit: for full disclosure, being EU based I'm trying to keep it privacy first, so exposing all users' urls to an admin seems out of bounds, but I may be wrong. I'm dubious about this.

allow / disallow OR freeze registration / multi_user from the backend?

I don't really understand what you mean by freeze. Do you mean something like a registration request?
So you would have 3 states:
Allow → Anyone with an email address can register for an account
Disallow → No one can register
Freeze → You can register but first need to be approved to use Snapp

If this is what you mean by freeze, it would be interesting, but I don't think I would use it.
The main things would be allow and disallow.


create delete ban user by username?

This would be awesome!
I never thought about the differentiation between delete and ban, but it makes total sense! Maybe to clean the user management up a bit, the ban could be integrated into the delete process.
During deletion, there could be an option to transfer the user's links to another user or delete them.

The addition of an email address could be useful for password resets. I would add an optional checkbox somewhere for whether the email is required on registration. This way, the ID could remain the username, which keeps newer versions compatible with older versions. Also, not every use case requires an email on registration.
If you want to get really advanced (which by all means would be awesome, but definitely a nice-to-have and not a must-have!!!), there would be the possibility of using Keycloak or Authentik as identity provider.


report link and reported link dashboard?

Interesting idea, never saw that on a self-hosted application, but in a business environment it could make sense.
I don't really know how to implement a report feature so that a user finds it easily.
The simplest way would be to add an extra step where the user needs to click on a button before he gets redirected, but that would be counterproductive.

An alternative would be the implementation of domain blacklists.
You could check destination links against the VirusTotal API on every request. If they are on a blacklist, you could either block the link from being used completely, or you can warn the user before he gets redirected.
There is a free plan which allows for 500 requests per day, so a cache of 24 hours with already checked domains would be good.


maybe also a more robust admin definition

I think the current system isn't bad. Others do it as well, even if you pay for it. For example, a Synology NAS.
An option to improve this aspect could be user groups, but that adds a whole new level of complexity.


edit: for full disclosure, being EU based I'm trying to keep it privacy first, so exposing all users' urls to an admin seems out of bounds, but I may be wrong. I'm dubious about this.

I'm also EU based, but I think that URLs aren't critical to keep private.
You could add a disclosure on the creation page that every Administrator will be able to see the URL.
But to be honest, even if you don't display the URLs on the frontend, if the admin connects to the database, he has access to them anyway. Also, access to the URLs on the frontend would allow manual checks of whether a URL is a threat or not.
As soon as a user reports a URL, an Admin needs to see it anyway.


Wow, that got longer than expected ^^'

thank you for taking the time to actually try and explore my app, and for proposing a new feature. I really appreciate that, since I'm trying to improve my skills and it's difficult to gather feedback on a small hobby side-project without a youtube channel or the like. 🚀

I'm glad to help!
Thank you for listening to feedback and creating this project in the first place!
I previously used another shortener and thought I'd give this one a try. And so far I'm pretty happy!

Thank you for your answer. I'll quote you too, to get a better understanding of the topic.

I don't really understand what you mean by freeze. Do you mean something like a registration request?
So you would have 3 states:
Allow → Anyone with an email address can register for an account
Disallow → No one can register
Freeze → You can register but first need to be approved to use Snapp

If this is what you mean by freeze, it would be interesting, but I don't think I would use it.
The main things would be allow and disallow.

sorry, my bad, I meant to say: instead of an env var, put it in the admin panel with a toggle to activate/deactivate user signups.
Admin powers could be a checkbox in edit / create user in the admin panel.

authorized accounts, i.e. to be activated in the backend, could be a feature, but I will put it after the basics :)

This would be awesome!
I never thought about the differentiation between delete and ban, but it makes total sense! Maybe to clean the user management up a bit, the ban could be integrated into the delete process.
During deletion, there could be an option to transfer the user's links to another user or delete them.

so:

  • delete user and cascade urls
  • delete user and change ownership of urls, meta, analytics "and stuff" if the checkbox in the panel is ticked during the delete process
  • ban username | list of banned usernames with removal from the banlist, or the more standard single setting field with banned usernames comma separated; I'll see how I can improve the UI side, but the mechanics seem simple from this pov.

The addition of an email address could be useful for password resets. I would add an optional checkbox somewhere for whether the email is required on registration. This way, the ID could remain the username, which keeps newer versions compatible with older versions. Also, not every use case requires an email on registration.
If you want to get really advanced (which by all means would be awesome, but definitely a nice-to-have and not a must-have!!!), there would be the possibility of using Keycloak or Authentik as identity provider.

no wait, my bad, password recovery via SMTP and mail is already in the schema and functional; it's more about the username: I just wouldn't switch the identity provider for lucia from username to email.

SSO maybe later, I'm not really an expert on it ^^"

Interesting idea, never saw that on a self-hosted application, but in a business environment it could make sense

Same thought, but the problem of how to report stays. Even though I'm using it to learn and to host my urls, I actually haven't used it actively since I released it. It's more about the challenge of doing it. So if somebody gets paid for this: please remember me! 😆

I don't really know how to implement a report feature so that a user finds it easily.
The simplest way would be to add an extra step where the user needs to click on a button before he gets redirected, but that would be counterproductive.

same thought; putting a step during the redirect seems like a major failure in a shortener, and it looks like an ad-gotcha, fly, etc. Not really into it.

An alternative would be the implementation of domain blacklists.
You could check destination links against the VirusTotal API on every request. If they are on a blacklist, you could either block the link from being used completely, or you can warn the user before he gets redirected.
There is a free plan which allows for 500 requests per day, so a cache of 24 hours with already checked domains would be good.

mh, this could be interesting, and makes much more sense. Not sure about the API; couldn't the DNS lists for adblock and similar be used?

Like firebog.net and similar. Maybe I'm wrong, but it could be easy to just scrape those for updates and reference them (I'm not really into APIs with soft caps; since I'm an amateur my requests tend to skyrocket at the slightest error XD)

but still, I'm open to changing my mind

I think the current system isn't bad. Others do it as well, even if you pay for it. For example, a Synology NAS.
An option to improve this aspect could be user groups, but that adds a whole new level of complexity.

let's keep the first user as admin, and a check on the profile for adminship, granted from one admin to another. Maybe a "hidden-setting" super-admin, just to avoid late-hour admins dethroning the original admin.

I'm also EU based, but I think that URLs aren't critical to keep private.
You could add a disclosure on the creation page that every Administrator will be able to see the URL.
But to be honest, even if you don't display the URLs on the frontend, if the admin connects to the database, he has access to them anyway. Also, access to the URLs on the frontend would allow manual checks of whether a URL is a threat or not.
As soon as a user reports a URL, an Admin needs to see it anyway.

let me say that I originally thought about encrypting them.

it's also true that we are talking about redirections, so it's always something that exists somewhere else, beyond our control.

Other than the actual urls, it could be useful to have a single user page for the admin to check how many urls, last access, resend password recovery, change their email... all stuff that could probably be easily solved with a disclaimer, but again, I'm not an expert on GDPR, just paranoid about it.

I'm glad to help!
Thank you for listening to feedback and creating this project in the first place!
I previously used another shortener and thought I'd give this one a try. And so far I'm pretty happy!

no really, thank you!

sorry, my bad, I meant to say: instead of an env var, put it in the admin panel with a toggle to activate/deactivate user signups.
Admin powers could be a checkbox in edit / create user in the admin panel.

I don't see that as a big issue.
Editing the compose file is done quickly, and a restart takes a couple of seconds. Also, this isn't a feature you turn on and off every day.
Anyway, it would be an improvement in handling the .env options, although I would prefer the SMTP settings in the Admin panel rather than the disable/enable registration ^^


authorized accounts, i.e. to be activated in the backend, could be a feature, but I will put it after the basics :)

Got it.
I think this would be a less-used feature, which can be solved with other tools, like sending a mail to the person in control of account management, who creates an account manually.


so:
delete user and cascade urls
delete user and change ownership of urls, meta, analytics "and stuff" if the checkbox in the panel is ticked during the delete process
ban username | list of banned usernames with removal from the banlist, or the more standard single setting field with banned usernames comma separated; I'll see how I can improve the UI side, but the mechanics seem simple from this pov.

I can't translate "delete user and cascade urls". Does this mean just deleting the user and the redirects?

I think a "ban username" isn't necessary.
If it were a publicly visible username like on social media, there would be a need for control. But since the username is only used internally and is never seen by anyone besides the Admins, I don't see the point in spending time on this.

If I noticed such a name as Admin, I would rather rename the account than ban it.

But if you'd like such a feature, I would suggest a rename feature for accounts, as well as a list on the admin panel of banned usernames. This list should only block such names on registration. If an account already exists with a banned name, there could be a warning which needs to be addressed manually.


SSO maybe later, I'm not really an expert on it ^^"

Would be an advanced feature anyway ^^


same thought; putting a step during the redirect seems like a major failure in a shortener, and it looks like an ad-gotcha, fly, etc. Not really into it.

I'm totally on your side about this!
I would only show this extra step if the URL to redirect is on a blacklist.


mh, this could be interesting, and makes much more sense. Not sure about the API; couldn't the DNS lists for adblock and similar be used?

There are public malware lists to use, but sometimes they don't get updated that often, I guess.
We would need to search for a good and up-to-date list which works.
If you want to use lists instead of an API, I would suggest an option on the Admin panel to add and remove lists and not hard code this. Let the user decide.

The benefit of the VirusTotal API would be the enterprise level of data you get there.
It collects data from the biggest antivirus companies and therefore the data is pretty accurate.
Also, these lists provide a way for domain owners to appeal their entry on such a list, which is not guaranteed on public lists.

I once got flagged with one domain and got on three block lists, and was pretty glad I could appeal this.
I only noticed I was on the blacklist because my ISP blocked my domain on their DNS servers... ^^'


I'm not really into APIs with soft caps; since I'm an amateur my requests tend to skyrocket at the slightest error XD

Would be a way to improve your API skills ^^
As said before, I would strongly suggest a 24h cache for requests.

About the limit, this is per IP, so every hosted version has its own cap.


let's keep the first user as admin, and a check on the profile for adminship, granted from one admin to another. Maybe a "hidden-setting" super-admin, just to avoid late-hour admins dethroning the original admin.

Sounds good to me!
Maybe make it so that only the super-admin can remove the admin role from others.


Other than the actual urls, it could be useful to have a single user page for the admin to check how many urls, last access, resend password recovery, change their email... all stuff that could probably be easily solved with a disclaimer, but again, I'm not an expert on GDPR, just paranoid about it.

The only personal data would probably be the IP and e-mail address and maybe the username.
If you anonymize the statistics you gather about shortened-URL access, there should be no problem with protecting personal data, except if you use an external service to get the geolocation.

But the GDPR is not necessarily about "what does the admin see", it's more about "what do you do with the data and who gets access"

I don't see that as a big issue. Editing the compose file is done quickly, and a restart takes a couple of seconds. Also, this isn't a feature you turn on and off every day. Anyway, it would be an improvement in handling the .env options, although I would prefer the SMTP settings in the Admin panel rather than the disable/enable registration ^^

TBF at this point I have mapped emails, usernames, and domains in three distinct columns on a dedicated blacklist page.
Every entry in the three columns will be clickable for a confirmation popup that will then erase the entry on confirmation.

maybe the API in the end would be good; I'm having trouble with my magic idea of allowing stored regexes, so back to the API we go, 24h cache and that's it.

I'll take a look at that; I was about to do it when I noticed your answer.

Got it. I think this would be a less-used feature, which can be solved with other tools, like sending a mail to the person in control of account management, who creates an account manually.

At the moment I put enable-signups in the admin panel (it switches enable-multiuser). If it's not set in the DB it will take the env value, else it takes the stored value for the checks.

admin-created users are always allowed to sign up, even with multiuser off

I can't translate "delete user and cascade urls". Does this mean just deleting the user and the redirects?

yeah, I meant cascade the rows in the DB, as in delete all the user_id-related entries in the referenced tables (redirections and so on)
I put in both possibilities: this one, and searching for another user to assign the urls to on user removal

I think a "ban username" isn't necessary. If it were a publicly visible username like on social media, there would be a need for control. But since the username is only used internally and is never seen by anyone besides the Admins, I don't see the point in spending time on this.

too late, already done. Maybe it can allow removal of offensive or derogatory names.

I'm totally on your side about this! I would only show this extra step if the URL to redirect is on a blacklist.

makes sense

There are public malware lists to use, but sometimes they don't get updated that often, I guess. We would need to search for a good and up-to-date list which works. If you want to use lists instead of an API, I would suggest an option on the Admin panel to add and remove lists and not hard code this. Let the user decide.

The benefit of the VirusTotal API would be the enterprise level of data you get there. It collects data from the biggest antivirus companies and therefore the data is pretty accurate. Also, these lists provide a way for domain owners to appeal their entry on such a list, which is not guaranteed on public lists.
About the limit, this is per IP, so every hosted version has its own cap.

I'll definitely take a look at this.

I'm not really into APIs with soft caps; since I'm an amateur my requests tend to skyrocket at the slightest error XD

yeah, it's more the idea of making people sign up for services they don't want, as with umami for example. It expands the metrics already in the app.

maybe I'll put a green ping for "API activated" when the env variable is set with the API key of the service; otherwise it will show red and just match literal domains.

I'll keep literals also for usernames and mails.

maybe I'll hardcode a way to block providers with a double at: @@gmail.com blocks every gmail account (changing the check to endsWith instead of equal), and the use of % % for partial matches. Let's see what I can do.

Would be a way to improve your API skills ^^ As said before, I would strongly suggest a 24h cache for requests.

yeah yeah, you are right, it's just the idea of paying for or being signed up to external non-FOSS services. It's a limit of mine. Once I mapped the Italian aeronautical bulletin instead of a generic weather API. It's just something wrong inside of me XD

Sounds good to me! Maybe make it so that only the super-admin can remove the admin role from others.

Makes sense that only the super admin grants and removes admin roles. I also put a block on users editing their own profile,
in order to disallow people from changing their own role status. (The users panel is only visible to admins, but you never know.)

The only personal data would probably be the IP and e-mail address and maybe the username. If you anonymize the statistics you gather about shortened-URL access, there should be no problem with protecting personal data, except if you use an external service to get the geolocation.

geolocation should already be included with the MaxMind database in the release, if I'm not wrong, so it should be anonymized, as I don't store the IP but discard it after the generic retrieval of the city. I stop at that, and I'm not using the most precise version of the API anyway, so it should be anonymous enough. Nothing stops a generic user from inviting people to their instance and manually copying the emails into their Ponzi scheme newsletter, but that would happen anywhere with anything so...

But the GDPR is not necessarily about "what does the admin see", it's more about "what do you do with the data and who gets access"

metrics are already anonymous. The admins would be able to create and edit profiles, accessing emails and usernames.
I think the email has to be accessible in order to send an invitation on admin-side creation (the first password is generated randomly and purposely lost, in order to force a welcoming "reset your password because you have been granted an account"); maybe a future version will have a more delicate approach, but this should work atm.

I'll take this conversation to the judge just to show my bona fides 🤣

anyway, I think I'm already at a good point. I'll update you soon with a new release, I hope :)

would you like to be involved in testing a release before it goes to the latest version?
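The registration gate and blacklist mechanics described in this comment, as an added TypeScript example (not Snapp's code; the field names, the `Env`/`StoredSettings` shapes and the sample entries are assumptions): the stored setting overrides the env value when present, admin-created accounts bypass the signup toggle, and one matcher implements the three entry forms (a literal, `@@provider.tld` as a suffix match for a whole email provider, `%part%` for a partial match) across the email, username and domain columns. The domain column doubles as the literal-domain fallback for redirect destinations when no API key is set.

```typescript
// Added example (not Snapp's code): signup gate and blacklist matching.

export interface Env {
  ENABLE_MULTIUSER?: string; // assumed env var name
}

// Assumed shape of the settings row: undefined means "not set in the DB".
export interface StoredSettings {
  enableSignups?: boolean;
}

// The DB value wins when present; otherwise fall back to the env variable.
export function signupsEnabled(stored: StoredSettings, env: Env): boolean {
  if (stored.enableSignups !== undefined) return stored.enableSignups;
  return (env.ENABLE_MULTIUSER ?? "false").trim().toLowerCase() === "true";
}

// Three blacklist columns, as on the admin page described in the thread.
export interface Blacklist {
  emails: string[];
  usernames: string[];
  domains: string[];
}

// One entry, three forms:
//   "spammer@example.com"  literal, case-insensitive
//   "@@gmail.com"          every address at that provider: suffix match on
//                          "@gmail.com", so "x@notgmail.com" does NOT match
//   "%admin%"              substring match
export function entryMatches(entry: string, value: string): boolean {
  const e = entry.trim().toLowerCase();
  const v = value.trim().toLowerCase();
  if (e === "") return false;
  if (e.startsWith("@@")) return v.endsWith(e.slice(1));
  if (e.length > 2 && e.startsWith("%") && e.endsWith("%")) return v.includes(e.slice(1, -1));
  return v === e;
}

// Returns the entry that fired, so the admin UI can show which rule it was.
export function matchingEntry(list: string[], value: string): string | null {
  for (const entry of list) {
    if (entryMatches(entry, value)) return entry;
  }
  return null;
}

export interface SignupRequest {
  username: string;
  email: string;
  createdByAdmin: boolean; // created from the admin panel, not self-service
}

export interface SignupDecision {
  allowed: boolean;
  reason?: string;
}

export function checkSignup(req: SignupRequest, stored: StoredSettings, env: Env, blacklist: Blacklist): SignupDecision {
  // Admin-created accounts bypass the toggle, not the blacklist.
  if (!req.createdByAdmin && !signupsEnabled(stored, env)) {
    return { allowed: false, reason: "signups are disabled" };
  }
  const u = matchingEntry(blacklist.usernames, req.username);
  if (u !== null) return { allowed: false, reason: `username blocked by rule "${u}"` };
  const e = matchingEntry(blacklist.emails, req.email);
  if (e !== null) return { allowed: false, reason: `email blocked by rule "${e}"` };
  return { allowed: true };
}

// Same matcher for the domain column, applied to the redirect destination when
// no reputation API key is configured. Returns null for input that does not
// parse as a URL; validating the URL itself belongs at link-creation time.
export function destinationBlocked(url: string, blacklist: Blacklist): string | null {
  let parsed: URL | null = null;
  try {
    parsed = new URL(url);
  } catch {
    // not a URL
  }
  if (parsed === null) return null;
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  return matchingEntry(blacklist.domains, host);
}
```

Two caveats for anyone wiring this in: `%part%` rules are blunt (`%admin%` also blocks "badminton"), so surface the matched rule in the rejection so the operator can see why; and the check has to run in the registration endpoint, not only in the form, because the toggle and the blacklist are worthless if a direct POST skips them.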

That was.... Fast!
I love the new update!
It just made Snapp at least 200% better than before, in my opinion!

I'll test it and will give you some feedback and new ideas!
Should I create one issue per idea or one collection?

well, try a collection; if it becomes too much we'll divide it into packages of what can be done :)