Friday, September 28, 2007

IBD - Admin's User Detail

Admin User List

Whenever I sign up for an application, particularly one like the Dashboard, I tend to wonder what is going on behind the scenes, and if my experience is safe & secure. I'm sure many of you have had the same concerns or curiosities. In order to establish a level of trust, I wanted to show you some of the behind-the-scenes views of the Dashboard, and give you an idea as to what I am able to control & modify.

The primary page that I've been spending a lot of time on since Monday has been the Admin User List, shown at the beginning of the post. As you can see, I have a lot of information at my fingertips, but I've tried to make it concise without being overwhelming.
  • First is the indicator for Administrators in the system. Based on user adoption, I think 3-5 would be the magic number, that way one person isn't solely responsible for the entire operation of the site.
  • After that is whether the user is new, or joined less than 48 hours ago. This isn't hugely critical, but has helped to indicate any new registration & possibly to welcome new users in the future.
  • Username is self-explanatory, and the link on this text leads to the Admin User Edit page.
  • The IB icon is for anyone that has entered an IB profile URL, and can help me jump between the sites.
  • E-mail address.
  • Indicator as to whether someone would like to be contacted with news or information about the site (although I haven't used this feature yet since I don't want to abuse it).
  • In the last login time, I have code that determines if someone has visited within the last hour, and if so, I turn the entire row pink. It's another useful feature to help show peak usage times & when people are using the site more often.
  • The red icon helps me reset any user's password to a default value, and the trash can gives me the option to delete a user entirely, including their associated icon sets. However, each of these is tied to an "Are you sure?" JavaScript confirmation so that I can't do anything without purpose.

Admin User Edit

The Admin User Edit page, as you can see, is quite simple really. It gives me the ability to change a username or nickname (in the event of someone choosing something inappropriate), e-mail address, notification setting, and whether to allow administrative control. Nowhere on this page do I even display their current password.

Sure, it might make it easier to have full admin control & change passwords when requested, but honestly, I don't want it. Since I know from my previous experience that passwords are often similar or the same across related sites, I didn't want users to be concerned that I could pillage that data. Now, don't get me wrong. This isn't a bank site. If I were so determined, I could download the database, remove the input mask from the text field, and then find out someone's password. But really, I don't care that much. Really. I have a lot more things to occupy my time.

So I hope that gives you a bit of insight into how I've designed part of the Admin section. Over the coming weeks, I have more planned, and even some features that will travel to the users as well. Don't worry, I'll gladly be sharing what I can, and keeping your minds at ease about your personal information.

2 comments:

misterhaan said...

"I could download the database, remove the input mask from the text field, and then find out someone's password."

This sounds like you are storing passwords in plain text. Have you considered doing a one-way hash on the password and storing that instead? That's how I've always done it, but I'm not sure if classic ASP provides any one-way hash functions like PHP and .NET do.

Ben said...

Yes, passwords are plain text at this time. I had briefly looked into encrypting them somehow, but it quickly went way above my head. I'm sure it's possible that some one-way hash functions exist for ASP, but I'm not very familiar with the process.

It's definitely something I'll add for version 2, but again, I personally have no interest in looking at the password data.

Any other thoughts?