Ask HN: How do you implement site Admin?

10 points by albahk ↗ HN
I have been making a list of things I would, as Administrator of a web-app, want to manage and control from a single secure interface. The list is getting quite long and includes the following:

* Approving comments, users, new content etc

* browsing the phpdoc or javadoc for the app

* view stats (basic awstats)

* "Contact Form" submissions that need responses

* Advertising A/B test results, notes, figures, values etc

* viewing user accounts for billing/overdue

* process payment refunds

* give users a freebie such as 30 days free

* Make text notes about setups, configurations, relevant urls, server IPs etc.

Has anyone here just used a mediawiki install at https://admin.yourdomain.com and put everything in there? Is this secure?

P.S. I am thinking of something much more than simply a performance dashboard.

5 comments

[ 3.9 ms ] story [ 17.8 ms ] thread
If it needs access to the production DB, I use regular ol' authentication/authorization for pages built into the site. If you're not me and you access it, you get kicked out. (There are a variety of reasons why one would not choose this approach for extraordinarily sensitive setups, but it is quick to implement and adequate for teaching tools.)

Things typically get promoted to my admin panels after I get sick of doing them manually on another site (e.g. log into Paypal for refunds or parse-and-crunch a CSV repeatedly).

I keep all my notes either in paper or Dropbox. If I had a team, I'd have a wiki running on a physically separate machine. (Putting software with that sort of risk profile on a machine with production data scares me.)

Good point about waiting for things to really annoy you before promoting to the admin panel. I'm wary of spending too much time on this given the userbase is 1.

When you say auth access, do you mean a .htaccess password over SSL? I had not thought of such a simple solution.

I generally use HTTP Digest Authentication for personal projects - since I don't really require fancy login boxes, and it's really trivial to implement.

    $ pip install django
The Django admin gives you the basics for free, and it's quite easy to add admin controls to the existing pages. All you have to do is add a boolean field to the admin form (which creates a checkbox in the object's admin page) and then override the admin form's save method so you can check the value of the field.
I use SQL/SSH as the admin interface at first. Then I gradually migrate things to a web-based version for tasks that are common or need to be accessible by others.

For me the slowest part about implementing most of an app's functionality is making it simple and hand-holding. For admin functionality I only do that when it's really helpful, the rest of the time it's barebones, which means it's fast to do.

Security wise I highly recommend putting all the admin functionality on a VPN/tunneled-only accessible URL/IP/Server with appropriate IP ACLs. This prevents a lot of the most common types of security mistakes from becoming big problems.