Users & Permissions

Spectra has two distinct user systems:

  1. Admin / staff users — log in to the admin UI via /account-login
  2. Customer accounts — shop on the storefront (see Customers)

This page covers admin/staff users.

Where to find it

Admin: /admin-vendorusers (for vendor orgs) or /admin/users depending on role

Admin user structure

Table: commerce__customers (unified in migration 009)

Key fields:

  • role — customer, vendor, admin
  • is_admin — bypasses all permission checks
  • permissions — JSON object with fine-grained permissions
  • source_id — which organization they belong to

Admin flag vs. granular permissions

Two ways to grant access:

  1. isAdmin = true — full access to everything within their org
  2. permissions JSON — fine-grained per-resource, per-action

Most real teams use granular permissions for non-admin users.

Permission structure

{
  "users": { "manage": true },
  "clients": { "create": true, "view_all": true, "edit_all": false },
  "buyback_quotes": { "create": true, "view_all": false, "edit_all": false },
  "repair_quotes": { "create": true, "view_all": true, "edit_all": true },
  "dashboard": { "view_all": true },
  "tickets": { "view": true, "view_all": false }
}

See Portal Users for the full permission matrix.

Changing permissions

Use the admin UI or a DB update. Every change is logged:

  • Table: vendoruser_permission_log
  • Fields: userId, changedBy, oldPermissions, newPermissions, changeType, timestamp
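
One way to review this log for privilege growth, as an added example (not Spectra's own code). It assumes oldPermissions and newPermissions hold the permission JSON shown above as text; the function names, the sample rows and the choice of "manage" and "edit_all" as sensitive actions are assumptions made for illustration.

```python
import json

# Assumption: actions worth a second look when newly granted.
SENSITIVE_ACTIONS = {"manage", "edit_all"}

def flatten_grants(permissions):
    """Return {'resource.action', ...} for every action set to exactly true."""
    if isinstance(permissions, str):  # column stored as JSON text
        permissions = json.loads(permissions) if permissions.strip() else {}
    grants = set()
    for resource, actions in (permissions or {}).items():
        if isinstance(actions, dict):
            # A string "true" or the number 1 is not counted as a grant.
            grants |= {f"{resource}.{a}" for a, v in actions.items() if v is True}
    return grants

def review_log(rows):
    """Return one finding per log row that adds at least one grant."""
    findings = []
    for row in rows:
        old = flatten_grants(row["oldPermissions"])
        new = flatten_grants(row["newPermissions"])
        added = sorted(new - old)
        if not added:
            continue  # removals only, or no effective change
        findings.append({
            "userId": row["userId"],
            "changedBy": row["changedBy"],
            "timestamp": row["timestamp"],
            "added": added,
            "self_change": row["userId"] == row["changedBy"],
            "sensitive": [g for g in added if g.rsplit(".", 1)[1] in SENSITIVE_ACTIONS],
        })
    return findings

# Constructed sample rows (not real data); changeType is left out because
# its values are not documented on this page.
SAMPLE_ROWS = [
    {"userId": 17, "changedBy": 3, "timestamp": "2025-01-10T09:12:00Z",
     "oldPermissions": '{"clients": {"create": true, "view_all": true, "edit_all": false}}',
     "newPermissions": '{"clients": {"create": true, "view_all": true, "edit_all": true}}'},
    {"userId": 22, "changedBy": 22, "timestamp": "2025-01-11T22:40:00Z",
     "oldPermissions": '{"tickets": {"view": true}}',
     "newPermissions": '{"tickets": {"view": true}, "users": {"manage": true}}'},
    {"userId": 30, "changedBy": 3, "timestamp": "2025-01-12T08:00:00Z",
     "oldPermissions": '{"dashboard": {"view_all": true}}',
     "newPermissions": '{"dashboard": {"view_all": false}}'},
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_ROWS):
        print(finding)
```

Rows where self_change is true or sensitive is non-empty are the ones to review first.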

Password management

  • Argon2id hashing (modern)
  • Legacy MD5 hashes are auto-upgraded on next login
  • Self-service password change in user profile
  • Admin can reset passwords via the admin UI

MFA

Planned for a future phase. Not currently supported.
