Features / Sidekick. Updated March 11, 2026

v1.0.28 — Admin Page Placeholder Stats & Open RBAC Gap

v1.0.28 — Admin Page: What's Not Working Yet (and Why It Matters)

Version 1.0.28 surfaces two issues in the Sidekick admin dashboard that were identified during internal verification. This post explains what the problems are, where they live in the codebase, and what the intended fix looks like.


The Admin Dashboard at a Glance

Sidekick's admin page (src/app/dashboard/admin/page.tsx) is the central control panel for platform operators. It's designed to give owners and administrators a live view of platform health — how many organisations are active, how many users are registered, the state of subscriptions, and a running count of audit events.

As of v1.0.28, neither the live stats nor the access control protecting the page works correctly.


Issue 1: Every Stat Reads Zero

The stats panel on the admin page currently renders four metrics:

  • Total Organizations
  • Total Users
  • Active Subscriptions
  • Audit Events

All four are hardcoded to 0. There are no database queries behind them. Whether your platform has 1 user or 10,000, the panel will show the same static zeros.

This is a placeholder implementation — the UI scaffolding exists but the data layer was never connected.

What the fix looks like

Each stat needs a corresponding DB query at page load time (or via a server action/API route, depending on the rendering strategy):

// Example — counts to be wired up (ORM-style client, as used elsewhere in the post)
// Run the four counts concurrently; the page awaits all of them before rendering.
const [orgCount, userCount, activeSubCount, auditEventCount] = await Promise.all([
  db.organization.count(),                                   // Total Organizations
  db.user.count(),                                           // Total Users
  db.subscription.count({ where: { status: 'active' } }),    // Active Subscriptions
  db.auditEvent.count(),                                     // Audit Events
]);

The results then replace the hardcoded 0 values passed to the stats panel component.


Issue 2: The RBAC Gate Is Commented Out

This is the more urgent of the two issues.

The admin page is supposed to be protected by a role-based access control (RBAC) check — only users with the owner or admin role should be able to reach it. That check exists in the codebase but is currently commented out, meaning it does nothing.

The practical consequence: any authenticated user who navigates to the admin URL can view the admin dashboard. A regular end-user with no elevated privileges has the same access as a platform owner.

What the fix looks like

The RBAC check needs to be uncommented and enforced before the page renders:

// Enforce admin/owner access only. This must run before any admin data is fetched or rendered.
const session = await getServerSession();
// Deny when there is no session at all, or when the role is anything other than owner/admin.
if (!session || !['owner', 'admin'].includes(session.user.role)) {
  redirect('/dashboard'); // or return a 403 response
}

Until this is in place, the admin page should be considered unprotected.
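A testable form of the same gate, as an added example that is not Sidekick's own code: the allow/deny decision is a pure function, so a unit test fails the moment the check is commented out again instead of the page silently opening up. It assumes only that the session exposes user.role as a string, as in the snippet above; the redirect is injected rather than imported from Next.js.

```typescript
// Added example (not Sidekick's code). Assumed session shape: user.role is a string.
type Role = 'owner' | 'admin' | 'member';

interface Session {
  user?: { id: string; role?: string };
}

// Roles permitted to reach src/app/dashboard/admin/page.tsx.
const ADMIN_ROLES: ReadonlySet<string> = new Set<Role>(['owner', 'admin']);

type GuardDecision =
  | { action: 'allow'; role: Role }
  | { action: 'redirect'; to: string; reason: string };

// Pure decision function: no framework calls, so it is trivially unit-testable.
function decideAdminAccess(session: Session | null): GuardDecision {
  if (!session || !session.user) {
    return { action: 'redirect', to: '/login', reason: 'unauthenticated' };
  }
  const role = session.user.role;
  // Exact, case-sensitive match against the allowlist: 'Admin' or 'ADMIN' are not trusted.
  if (role !== undefined && ADMIN_ROLES.has(role)) {
    return { action: 'allow', role: role as Role };
  }
  return {
    action: 'redirect',
    to: '/dashboard',
    reason: `role '${role ?? 'none'}' is not permitted on the admin page`,
  };
}

// Page-side wrapper. `redirectFn` is injected so the page can pass Next.js' redirect()
// while tests pass a recorder; both must never return. Returns the role on success.
function enforceAdminAccess(
  session: Session | null,
  redirectFn: (to: string) => never,
): Role {
  const decision = decideAdminAccess(session);
  if (decision.action === 'allow') return decision.role;
  return redirectFn(decision.to);
}
```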


Summary

Issue                | File                                | Severity | Status
Hardcoded zero stats | src/app/dashboard/admin/page.tsx    | Medium   | Open — pending DB query wiring
RBAC check disabled  | src/app/dashboard/admin/page.tsx    | High     | Open — pending role enforcement

Both issues are confined to a single file. The RBAC fix in particular should be prioritised — it is a security gap that exposes administrative UI to all authenticated users.


What's Not Affected

  • All other dashboard pages are unaffected
  • User-facing features (integrations, skills, messaging) are unaffected
  • The admin page UI structure itself is intact — only the data and access control layers need work