Documentation / User Management

User Management

Luminal CMS supports multiple users with role-based access control. This guide covers user administration, password management, and the authentication system.

User Roles

The CMS has two primary roles:

  • Admin — Full access to all modules, settings, and system features. Can manage other users.
  • Staff — Restricted access based on module permissions. Typically limited to content management (pages, galleries, media) without access to system settings.

Role permissions are enforced by the guard.php authentication helper, which every module includes at the top of its entry file.

Adding New Users

  1. Navigate to User Manager in the System section.
  2. Click + Add User.
  3. Fill in the username, display name, email, and password.
  4. Select the user role (Admin or Staff).
  5. Click Save.

User accounts are stored in admin/data/users.json. Passwords are stored as bcrypt hashes — never in plain text.

Editing User Profiles

Click the Edit button on any user card to modify their display name, email, role, or password. Changes take effect immediately on the next page load.

Password Reset

Via Admin UI

If you have admin access to User Manager:

  1. Open User Manager.
  2. Click Edit on the target user.
  3. Enter a new password in the password field.
  4. Click Save.

Via Command Line (Emergency Recovery)

If you cannot access the admin panel, you can reset passwords directly:

  1. SSH into the server.
  2. Generate a bcrypt hash:
php -r "echo password_hash('newpassword', PASSWORD_BCRYPT) . PHP_EOL;"
  1. Edit admin/data/users.json and replace the password hash for the target user.
  2. Fix file ownership:
chown www-data:www-data admin/data/users.json
chmod 0664 admin/data/users.json

Critical: After editing any file in admin/data/ as root via CLI, you must fix ownership to www-data:www-data. Files owned by root cannot be written by the CMS.

Session Management

Luminal uses PHP sessions for authentication state. Sessions are stored in the server's default session directory. Key behaviors:

  • Sessions expire after the configured PHP timeout (typically 24 minutes of inactivity).
  • Logging out destroys the session immediately.
  • Each browser/device maintains its own session.

The guard.php Auth System

Every module uses guard.php from the UserManager module for authentication:

require_once __DIR__ . '/../../modules/UserManager/guard.php';
guard_require_auth();

This helper:

  • Checks for a valid session
  • Redirects to the login page if not authenticated
  • Provides guard_require_role('admin') for role-based access
  • Exposes guard_get_user() for accessing current user data

Best Practices

  • Use strong, unique passwords for all admin accounts.
  • Grant the Staff role to content editors who do not need system access.
  • Periodically review user accounts and remove inactive users.
  • Never share admin credentials — create individual accounts for each person.
Site Settings Media & Files All Documentation