Manager

Web-based admin and content manager for lazysite.

Overview

The lazysite manager is a web-based admin UI built into lazysite itself. It lets you configure the site, manage users, install themes, enable plugins, edit pages, and clear the cache - all from the browser.

Manager pages are ordinary lazysite .md pages served through the normal pipeline, using a dedicated manager theme for consistent chrome.

Enabling the manager

Add to lazysite/lazysite.conf:

manager: enabled
manager_path: /manager

The manager is disabled by default. Access is the ui capability, granted through a group on the Groups page (the seeded lazysite-admins group carries it). Bootstrap in one command:

perl tools/lazysite-users.pl --docroot /path/to/public_html setup-manager

or add a user to the admin group:

perl tools/lazysite-users.pl --docroot /path/to/public_html \
  group-add alice lazysite-admins

(The legacy manager_groups: conf key still works as a backend fallback, but capabilities on groups are the mechanism of record.)

Accessing the manager

Navigate to /manager (or the configured manager_path). You must be authenticated and in a group carrying the ui capability. Unauthenticated visitors are redirected to /login.

Pages

Site settings

/manager/ (or /manager/config) - the Site settings item. Edit site identity and review the plugin registry.

Files

/manager/files. File browser for the docroot. You can:

The editor at /manager/edit shows:

Locks expire after 5 minutes and are renewed automatically while the editor is open.

/manager/nav. Visual editor for lazysite/nav.conf:

Saves back to lazysite/nav.conf as YAML.

Plugin Manager and Plugin Config

Plugins are split across two pages: Plugin Manager (/manager/plugins) enables and disables them, and Plugin Config (/manager/plugin-config) configures the enabled ones.

On Plugin Config, each enabled plugin appears with a form generated from its config_schema. Save writes the plugin's config file (e.g. lazysite/forms/smtp.conf for the SMTP plugin).

Plugins that declare actions (e.g. Run audit) show action buttons that invoke the plugin and display the result.

Appearance

/manager/appearance (formerly "Themes"; /manager/themes redirects here). Manage layouts and themes and switch the active pair.

The same per-layout operations are available to partners over the control API and the MCP connector (layout-install / layout-delete / layouts-manifest; install_layout(update:true) redeploys a changed layout).

Users

/manager/users. User accounts (the same data files as tools/lazysite-users.pl):

Groups

/manager/groups (under Access in the menu). View, create, and delete groups, and tick membership per group. A group is defined by its membership, so creating one needs a first member. (Per-user assignment is also available on the Users page.)

Sessions

/manager/sessions (under Access). Sessions are signed cookies, not server-side records, so there is no per-session list yet (planned). The page lets you invalidate all sessions at once by rotating the signing secret - every cookie, including yours, stops working and everyone signs in again.

Cache

/manager/cache. Cache inspection and invalidation:

Audit

/manager/audit. The material-action trail (logins, edits, deletes, config/theme changes, denied attempts) with who/what/when/where and the outcome. Filter by user, target, or a From/To date range; each row records the action's target (the page, the plugin, nav, etc.). Browsing analytics live separately in Visitor statistics, not here. Viewing the audit trail requires the Analytics permission (grant it per account on the Users page, or lazysite-users.pl set <user> analytics on); it is read through an append-only cache, so only newly-appended lines are parsed on each load.

Visitor statistics

/manager/stats. A read-only dashboard from the web-server access log. Because lazysite uses no cookies or JS, it classifies traffic by log-only heuristics into real people, the logged-in operator, AI assistants, bots and probe noise (each reported separately), splits referrers into external / internal / direct, links top pages to the live page, and shows per-day counts over a configurable window, with optional IP anonymisation. If an error log is configured (or auto-detected), it also shows a synthesised summary of recent server errors (categories and counts only - never raw lines, addresses or paths). It never exposes any log file's path, and the raw logs are not downloadable through the manager. Provided by the opt-in Visitor Statistics plugin: the nav item appears only when the plugin is enabled - enable it on Plugin Manager, then set its access-log path on Plugin Config. An AI connector granted the Analytics permission can analyse the same data for trends via the analyse_visitors tool, getting only the aggregated, IP-anonymised figures (see AI connector tools and AI briefing - visitor analytics).

Admin bar on site pages

When the manager is enabled, the processor injects an admin bar on site pages (non-manager pages) for authenticated users with manager access (the ui capability). The bar shows:

The admin bar sits in normal page flow at the top (it scrolls with the page, so it never overlaps a theme's own sticky header). Unauthenticated visitors and non-manager users do not see it.

Installation

The installer copies lazysite-manager-api.pl to cgi-bin/ alongside lazysite-processor.pl. The manager pages in starter/manager/ are served as regular lazysite pages; the manager's internal template in starter/lazysite/manager/ (D013: outside both layouts/ and themes/) supplies its chrome.

For manual installation:

cp lazysite-manager-api.pl /path/to/cgi-bin/
chmod 755 /path/to/cgi-bin/lazysite-manager-api.pl
cp -r starter/manager /path/to/public_html/manager
cp -r starter/lazysite/manager /path/to/public_html/lazysite/

Security

Manager access enforcement

Access to /manager and all sub-pages is restricted to authenticated users whose groups carry the ui capability (legacy manager_groups membership also passes, as a fallback). Unauthenticated users are redirected to /login.

Blocked paths

The manager API blocks read and write access to sensitive files:

User and group management is handled through the dedicated Users page, not through direct file editing.

Path validation

All file operations validate paths with realpath() to ensure they resolve within the document root. Path traversal attempts are rejected.