Skip to content

User Management โ€‹

The admin console Users page (/admin/users) lists every account on the server and lets an admin manage them โ€” including the signup approval queue introduced with the auth.signup_mode setting. The page is admin-gated.

Account statuses โ€‹

Every user has a status:

StatusMeaning
pendingCreated via signup while the server is in approval mode. The user has no session/token and cannot log in or browse media until an admin approves them.
activeA normal, full-access account.
disabledAccess revoked. The user cannot log in, and an existing live session is revoked on its next request.

A status badge is shown per row (pending = warning, active = success, disabled = neutral). Accounts created before this feature, or via paths that don't set a status, are treated as active.

Signup mode controls how new accounts are created

The auth.signup_mode server setting (Settings โ†’ Access) decides whether signups become active immediately (open), land in the approval queue (approval, the default), or are rejected outright (disabled). The first-ever registered user is always created active + admin. See Server Settings โ†’ Signup mode.

The pending-approval queue โ€‹

When one or more users are pending, the Users page shows a prominent Pending approval section above the main table, with a count badge and per-row Approve / Reject actions:

  • Approve sets the user to active โ€” they can now log in and browse.
  • Reject deletes the pending account (after a confirmation prompt). Reject only applies to accounts still in the pending state.

Pending users also appear in the main table (with the same actions) so the list stays consistent; the queue is simply the prominent affordance.

Per-row status actions โ€‹

The main table's row actions depend on the account's current status:

Current statusAction(s)
pendingApprove (โ†’ active) ยท Reject (delete, confirmed)
activeDisable (โ†’ disabled, confirmed)
disabledEnable (โ†’ active)

Disable and Reject are confirmed via a modal โ€” they are never one-click. Disabling an account revokes a live session: status is re-checked on the token-refresh and validation paths, so the user (or admin) loses access on their next request rather than waiting for token expiry. The server also refuses to disable your own account or the last remaining admin.

The existing user actions (add/edit, set-admin, reset password, profiles) are unchanged.

Admin API โ€‹

The page consumes these admin-gated endpoints (Bearer admin token required โ€” 401 unauthenticated, 403 non-admin):

MethodPathPurpose
GET/api/v1/admin/users?status=pendingList users; optional status filter (pending / active / disabled).
POST/api/v1/admin/users/{id}/approveSet status to active.
POST/api/v1/admin/users/{id}/disableSet status to disabled (revokes the session).
POST/api/v1/admin/users/{id}/rejectDelete a still-pending user.

The user objects returned by the list endpoint (and /auth/me) carry the status field.

See Also โ€‹

BSD-3-Clause