

Ask HN: How do you implement site Admin? - albahk

I have been making a list of things I would, as Administrator of a web-app, want to manage and control from a single secure interface. The list is getting quite long and includes the following:

* Approving comments, users, new content etc.
* browsing the phpdoc or javadoc for the app
* view stats (basic awstats)
* "Contact Form" submissions that need responses
* Advertising A/B test results, notes, figures, values etc.
* viewing user accounts for billing/overdue
* process payment refunds
* give users a freebie such as 30 days free
* Make text notes about setups, configurations, relevant urls, server IPs etc.

Has anyone here just used a mediawiki install at https://admin.yourdomain.com and put everything in there? Is this secure?

P.S. I am thinking of something much more than simply a performance dashboard.
======
patio11
If it needs access to the production DB, I use regular ol'
authentication/authorization for pages built into the site. If you're not me
and you access it, you get kicked out. (There are a variety of reasons why one
would not choose this approach for extraordinarily sensitive setups, but it is
quick to implement and adequate for teaching tools.)

Things typically get promoted to my admin panels after I get sick of doing
them manually on another site (e.g. log into Paypal for refunds or
parse-and-crunch a CSV repeatedly).

I keep all my notes either in paper or Dropbox. If I had a team, I'd have a
wiki running on a physically separate machine. (Putting software with that
sort of risk profile on a machine with production data scares me.)

~~~
albahk
Good point about waiting for things to really annoy you before promoting to
the admin panel. I'm wary of spending too much time on this given the userbase
is 1.

When you say auth access, do you mean a .htaccess password over SSL? I had not
thought of such a simple solution.

~~~
arianb
I generally use HTTP Digest Authentication for personal projects - since I
don't really require fancy login boxes, and it's really trivial to implement.
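To make the two suggestions above concrete (patio11's "if you're not me, you get kicked out" and arianb's HTTP Digest Authentication), here is an added server-side Digest verifier written for this thread; it is not code from either commenter. The realm, the admin credential table and the nonce format (timestamp plus HMAC under a server secret) are assumptions chosen for the example. Only HA1 is stored, so a database leak does not yield passwords directly, but the RFC 2617 scheme is still MD5-based and offers no protection against an active attacker on the wire, so it belongs behind TLS; nonce-count (nc) replay tracking is left out as well.

```python
import hashlib
import hmac
import re
import time
from typing import Optional

# Assumed realm for the admin area (not from the thread).
REALM = "admin@example.com"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password); this is all the server stores."""
    return _md5(f"{username}:{realm}:{password}")


# Constructed credential table: only admin accounts appear here, only as HA1.
ADMIN_HA1 = {"alice": ha1_for("alice", REALM, "correct horse battery staple")}


def issue_challenge(server_secret: bytes, now: Optional[float] = None):
    """Build the WWW-Authenticate header. The nonce is timestamp:HMAC so the
    server stays stateless but can still reject forged or expired nonces."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(server_secret, ts.encode(), "sha256").hexdigest()[:32]
    nonce = f"{ts}:{mac}"
    header = f'Digest realm="{REALM}", qop="auth", algorithm=MD5, nonce="{nonce}"'
    return header, nonce


def nonce_is_valid(server_secret: bytes, nonce: str, now: Optional[float] = None,
                   max_age: int = 300) -> bool:
    """Accept only nonces we minted, and only for max_age seconds."""
    try:
        ts, mac = nonce.split(":", 1)
        expected = hmac.new(server_secret, ts.encode(), "sha256").hexdigest()[:32]
        if not hmac.compare_digest(mac, expected):
            return False
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return False
    return 0 <= age <= max_age


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_authorization(header: str) -> Optional[dict]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: (quoted if quoted else bare).strip()
            for k, quoted, bare in _PARAM_RE.findall(params)}


def verify(header: str, method: str, request_uri: str, server_secret: bytes,
           now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated admin username, or None (the caller answers 401)."""
    p = parse_authorization(header)
    if p is None or not all(k in p for k in ("username", "realm", "nonce", "uri", "response")):
        return None
    # Bind the proof to this realm and this exact request, and refuse stale nonces.
    if p["realm"] != REALM or p["uri"] != request_uri:
        return None
    if not nonce_is_valid(server_secret, p["nonce"], now):
        return None
    ha1 = ADMIN_HA1.get(p["username"])
    if ha1 is None:  # unknown or non-admin user: kicked out before any hashing
        return None
    ha2 = _md5(f"{method}:{p['uri']}")
    qop = p.get("qop")
    if qop == "auth":
        if "nc" not in p or "cnonce" not in p:
            return None
        expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    elif qop is None:  # legacy RFC 2069 form without qop
        expected = _md5(f"{ha1}:{p['nonce']}:{ha2}")
    else:  # auth-int and anything else is not supported here
        return None
    return p["username"] if hmac.compare_digest(expected, p["response"].lower()) else None


def client_response(username: str, password: str, method: str, uri: str, nonce: str,
                    nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """What a browser sends back for qop=auth; used here only to exercise verify()."""
    ha1 = ha1_for(username, REALM, password)
    ha2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')
```

Note that the username is looked up in the admin table before any hash comparison, so a valid account that is not an administrator is rejected the same way as a wrong password, and the uri and method are folded into HA2, so a captured response for one admin page cannot be replayed against another.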

------
staunch
I use SQL/SSH as the admin interface at first. Then I gradually migrate things
to a web-based version for tasks that are common or need to be accessible by
others.

For me the slowest part about implementing most of an app's functionality is
making it simple and hand-holding. For admin functionality I only do that when
it's really helpful, the rest of the time it's barebones, which means it's
fast to do.

Security wise I highly recommend putting all the admin functionality on a
VPN/tunneled-only accessible URL/IP/Server with appropriate IP ACLs. This
prevents a lot of the most common types of security mistakes from becoming big
problems.
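As an added illustration of the IP ACL part of the advice above (this is example code, not something staunch posted), here is a small WSGI middleware that gates every /admin/ path on the client's source address. The VPN range, the loopback entry and the trusted-proxy address are assumed values. The one detail worth getting right is shown explicitly: X-Forwarded-For is only honoured when the direct peer is a known reverse proxy, because otherwise anyone on the internet can put a VPN address in that header and walk past the ACL.

```python
import ipaddress

# Constructed ACL: admin reachable only from the VPN/tunnel range or the box itself.
ADMIN_ALLOW = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "127.0.0.1/32")]
# Reverse proxies whose X-Forwarded-For we trust (assumed address).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr: str, xff: str = None):
    """Pick the address to authorize. The header is attacker-controlled unless the
    TCP peer is one of our proxies; even then, only the hop the proxy appended
    (the right-most entry) is trustworthy."""
    peer = ipaddress.ip_address(remote_addr)
    if xff and _in_any(peer, TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer
    return peer


def admin_allowed(remote_addr: str, xff: str = None) -> bool:
    return _in_any(effective_client_ip(remote_addr, xff), ADMIN_ALLOW)


class AdminIPGate:
    """WSGI middleware: 403 for paths under `prefix` unless the client IP is allowed.
    This is defence in depth in front of the login, not a replacement for it."""

    def __init__(self, app, prefix: str = "/admin/"):
        self.app = app
        self.prefix = prefix

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.prefix):
            if not admin_allowed(environ.get("REMOTE_ADDR", "0.0.0.0"),
                                 environ.get("HTTP_X_FORWARDED_FOR")):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden\n"]
        return self.app(environ, start_response)
```

Wrap the application with `AdminIPGate(app)` and front it with the tunnel or VPN so that the allowed range is only reachable by people who already authenticated to the network; a firewall rule on the host doing the same thing is the belt to this middleware's braces.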

------
endtime

    $ pip install django

The Django admin gives you the basics for free, and it's quite easy to add
admin controls to the existing pages. All you have to do is add a boolean
field to the admin form (which creates a checkbox in the object's admin page)
and then override the admin form's save method so you can check the value of
the field.

