UserSpice has a trust tier above Admin called Master Account. It cannot be granted from the dashboard — it lives as a plain PHP array in users/init.php. The first user created during install is the only Master Account by default. This page covers what it actually controls, how to add or remove users, and why the rule "edit the file or it doesn't happen" exists.

  1. 01 What it is

    A short array of user IDs

    Open users/init.php and look for this line:

    $master_account = [1];

    That's it. Every user ID listed in that array has Master Account privileges. Every user ID not listed does not — even if they're a regular Admin (permission level 2). The installer puts your first user (ID 1) in there automatically. New admins you promote through the dashboard are not added.

  2. 02 What it gates

    What Master Account actually unlocks

    The list isn't arbitrary — these are the actions that, if abused, could leak source code, credentials, or the full database, or that could be used to install malicious code into your site. Verified directly from the codebase as of this writing:

    • Spice Shaker (themes / plugins / widgets)
    • Plugin manager
    • Backups & the downloader
    • Logs (admin log viewer + audit logs)
    • phpinfo() view
    • Page manager (creating/editing protected pages)
    • Widget & view management
    • Cron task runner
    • Announcements module
    • Database & file manager plugins
    • Bug reporting integration
    • Some Security Dashboard sections
    • Maintenance-mode bypass
    • Cloaking into other Master Accounts
    • Editing protected users / resetting their passwords

    In code, the check is always the same shape: in_array($user->data()->id, $master_account). Plugin authors can use the same pattern to gate sensitive features in their own code.
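
    A hardened form of that check for plugin code, as an added example (not UserSpice's own code): in_array() compares loosely unless its third argument is true, so a value such as true would match ID 1. The helper names normalise_id(), is_master_account() and the fake_user() stub standing in for $user are hypothetical.

    ```php
    <?php
    // Added example: not UserSpice code. normalise_id(), is_master_account()
    // and fake_user() are hypothetical names.

    // Accept only positive integers, given as int or as a digit string such as "5".
    function normalise_id($value): ?int
    {
        if (is_int($value)) {
            return $value > 0 ? $value : null;
        }
        if (is_string($value) && preg_match('/^[1-9]\d{0,8}$/', $value) === 1) {
            return (int) $value;
        }
        return null; // null, bool, float, array, non-numeric string
    }

    function is_master_account($userId, $masterAccount): bool
    {
        // Fail closed when the list is missing, not an array, or empty.
        if (!is_array($masterAccount) || $masterAccount === []) {
            return false;
        }
        $id = normalise_id($userId);
        if ($id === null) {
            return false;
        }
        // Normalise the configured IDs the same way, then compare strictly.
        $allowed = array_filter(array_map('normalise_id', $masterAccount), 'is_int');
        return in_array($id, $allowed, true);
    }

    // Constructed stand-in for the $user object, exposing only data()->id.
    function fake_user($id): object
    {
        return new class($id) {
            private $id;
            public function __construct($id) { $this->id = $id; }
            public function data(): object { return (object) ['id' => $this->id]; }
        };
    }

    $master_account = [1, 5, 12]; // same shape as the line in users/init.php
    foreach ([1, '5', 7, true, null, '12abc'] as $candidate) {
        $user = fake_user($candidate);
        $ok = is_master_account($user->data()->id, $master_account);
        printf("%-8s %s\n", var_export($candidate, true), $ok ? 'allow' : 'deny');
    }
    ```

    On a real page, a false result is where the request should be stopped before any sensitive output is produced.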

  3. 03 Granting it

    How to add (or remove) a Master Account

    Edit users/init.php and add the user's ID to the array. To grant Master Account to users 1, 5, and 12:

    $master_account = [1, 5, 12];

    Save the file. The change takes effect on the next request — there's no cache to clear. To revoke it, just remove the ID. Don't leave the array empty; you'll lock yourself out of every Master-Account-only screen, including Spice Shaker and the plugin manager. Keep at least one trusted ID in there.

    Find a user's ID in Admin Dashboard → Users, or directly in the users table.

  4. 04 Why a file

    Why it's a file edit, not a checkbox

    This is a deliberate defense against privilege escalation — chaining smaller bugs together to gain bigger and bigger access. There has never been a demonstrated case of a UserSpice user promoting themselves from User to Admin, but the framework has always taken the position that the most damaging actions (downloading source, installing arbitrary PHP, reading every log) should require write access to the filesystem itself.

    If an attacker can already edit users/init.php, they can write any PHP they want to your project — at that point Master Account isn't the weak link. But until they can do that, Master Account stays out of reach even if they somehow control an Admin session.

  5. 05 Maintenance mode

    Maintenance-mode bypass

    When you flip the site to offline / maintenance, all logged-in users (including normal Admins) get logged out and redirected to the maintenance page. Master Account users are the exception — they stay logged in so they can finish whatever required taking the site down in the first place.

    Practical implication: the user you log in as while doing maintenance work needs to be in $master_account. If you find yourself bounced to the maintenance page after taking the site offline, that's why.

  6. 06 Cloaking

    Cloaking restrictions

    Cloaking lets an admin temporarily browse the site as another user (great for reproducing bugs that only show up for one account). Two rules apply specifically to Master Accounts:

    • A non-Master admin cannot cloak into a Master Account user — the action is blocked and logged.
    • A Master Account can cloak into any user, including other Master Accounts.

    This prevents an admin who has somehow gained access to the cloak feature from elevating themselves into a Master session.

  7. 07 Debugging

    "I'm an admin but I keep getting redirected"

    The fastest tell that you're an admin without Master Account: you click a link in the back end (Spice Shaker, Logs, Backups, Plugins) and silently get bounced to your homepage. The hit also gets written to the audit table, so a Master Account user can confirm it from the admin logs.

    Fix: add the user's ID to $master_account in users/init.php, or decide they shouldn't have access and document it for them.

  8. 08 Best practices

    Best practices

    • Keep the array small. Most projects only need the original owner.
    • Master Accounts should use 2FA (Passkeys or TOTP). Anyone with this much trust shouldn't be one stolen password away from total control.
    • Don't share Master Account credentials between humans — give each person their own user and add their ID to the array.
    • When someone leaves the project, remove their ID from the array and disable or delete their user. Both, not one.
    • Treat users/init.php as sensitive: chmod 644 after install, never world-writable, never committed to a public repo with real credentials.
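
    A small audit of users/init.php that checks two points from this page, the empty-array lockout and the world-writable bit, as an added example that is not part of UserSpice. The function name audit_init_file() is hypothetical, the sample file is constructed and deliberately misconfigured, and the regex only understands the short [ ... ] array form shown above.

    ```php
    <?php
    // Added example: not part of UserSpice. audit_init_file() is a hypothetical name.

    function audit_init_file(string $path): array
    {
        if (!is_file($path) || !is_readable($path)) {
            return ["cannot read $path"];
        }
        $findings = [];

        // Permission bits only; 0002 is "writable by others".
        clearstatcache(true, $path);
        $mode = fileperms($path) & 0777;
        if ($mode & 0002) {
            $findings[] = sprintf('world-writable (mode %04o), expected 0644', $mode);
        }

        // Match live assignments only: a line starting with // or # will not match.
        $src = file_get_contents($path);
        $n = preg_match_all('/^\s*\$master_account\s*=\s*\[([^\]]*)\]\s*;/m', $src, $m);
        if (!$n) {
            $findings[] = 'no $master_account = [...]; assignment found';
            return $findings;
        }
        if ($n > 1) {
            $findings[] = "\$master_account assigned $n times; check which one applies";
        }

        // Inspect the last assignment in the file.
        $items = preg_split('/\s*,\s*/', trim(end($m[1])), -1, PREG_SPLIT_NO_EMPTY);
        if ($items === []) {
            $findings[] = 'array is empty: every Master-Account-only screen is locked';
        }
        foreach ($items as $item) {
            if (!preg_match('/^[1-9]\d*$/', $item)) {
                $findings[] = "entry '$item' is not a plain user ID";
            }
        }
        return $findings;
    }

    // Constructed sample file, deliberately misconfigured, written to a temp path.
    $tmp = tempnam(sys_get_temp_dir(), 'init');
    file_put_contents($tmp, "<?php\n// \$master_account = [1, 5];\n\$master_account = [];\n");
    chmod($tmp, 0666);
    foreach (audit_init_file($tmp) as $finding) {
        echo $finding, PHP_EOL;
    }
    unlink($tmp);
    ```

    Point audit_init_file() at the real users/init.php from a deploy or cron check; an empty result means neither condition was found.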