> ## Documentation Index
> Fetch the complete documentation index at: https://docs.auction-rise.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Admin Panel

> Super admin user management, the is_super_admin role, and database trigger protection.

# Admin Panel

The admin panel at `/admin` is accessible only to users with the `is_super_admin` flag on their `profiles` row. It provides full user management (create, edit, delete) and any other super-admin-gated tooling you add.

## The Super Admin Role

`is_super_admin` is a boolean column on the `profiles` table, defaulting to `false`. A database trigger (`prevent_super_admin_self_modify`) prevents any user from elevating their own privileges — only the service role can change this column.

An `is_super_admin()` SQL helper function is available for use in RLS policies on any table you want to restrict to super admins.

## Setting Up the First Super Admin

After running migrations, promote your account via the Supabase SQL editor:

```sql theme={null}
UPDATE public.profiles
SET is_super_admin = true
WHERE id = '<your-user-id>';
```

<Warning>
  This is the only way to create the first super admin. Afterward, existing super admins can promote others through the admin panel.
</Warning>

## User Management

The admin panel (`/admin`) supports:

* **List users** — paginated with search by name/email
* **Create user** — name, email, password, optional super admin flag
* **Edit user** — update name, email, or super admin status
* **Delete user** — requires typing the user's email to confirm

Self-protection is enforced at the action level: you cannot remove your own super admin status or delete your own account.

## Server Actions

```typescript theme={null}
import {
  checkIsSuperAdmin,
  listUsers,
  createUser,
  updateUser,
  deleteUser,
} from "@/lib/admin/actions";
```

All actions call `checkIsSuperAdmin()` internally and return an error if the caller is not a super admin. User creation and deletion use `auth.admin.createUser()` / `auth.admin.deleteUser()` via the Supabase admin client.

## Route Protection

The `/admin` prefix is in `saas.config.ts` `protectedRoutes`. An additional server-side check in each admin page/action verifies `is_super_admin`. Both layers are required — middleware only checks authentication, not role.

## Auth Context Flag

`isSuperAdmin` is available via `useAuth()` in Client Components, fetched from `profiles.is_super_admin` on sign-in. Use it to conditionally show admin navigation:

```typescript theme={null}
const { isSuperAdmin } = useAuth();
if (isSuperAdmin) return <Link href="/admin">Admin</Link>;
```
