Profile — Reference
The Profile surface is the operator self-service plane for SGEN. It owns the slice of the user record an operator may edit on their own behalf — display name, avatar, password, notification preferences, connected accounts — without holding the broader Users capability.
This page is a reference for platform engineers and integrators who need to understand the surface before extending it, scripting against it, or scoping a permission model. Customer-facing how-tos live in the customer docs set; this page describes the shape of the surface, not the steps to drive it.
Overview
Profile lives at the top of the SG-Admin shell, behind the operator avatar menu. The module renders three primary views — the profile editor, the notification preferences panel, and the connected accounts list — and exposes a small set of write operations scoped to the calling operator.
The module is paired by convention: one half renders the views and prepares the data, the other half handles writes and returns AJAX responses. Engineers reading the SG-Admin source will see this split across two controller files; the reference below describes the combined surface as it appears to a calling integration.
Profile is the operator-scoped cousin of the Users surface. Where Users covers any-operator administration with role gates, Profile covers self-only writes available to every authenticated operator regardless of role. The two surfaces share a data model — Profile writes update the same fields on the same user record — but the capability check and the field set are different.
Where it lives in SG-Admin:
- Top bar: avatar menu → Profile
- URL prefix:
/sg-admin/profile/ - View templates:
application/views/Admin/Profile/
┌──────────────────────────────────────────────────────────────────────┐│ Profile jerome@sgen.com │├──────────────────────────────────────────────────────────────────────┤│ Display name [ Jerome Cruz ] ││ Avatar [ avatar.png ] [ Replace ] [ Remove ] ││ Locale [ English (Philippines) ▾ ] ││ Time zone [ Asia/Manila (UTC+8) ▾ ] ││ ││ ─── Password ───────────────────────────────────────────────────── ││ Current password [ ************ ] ││ New password [ ] ││ Confirm new [ ] ││ ││ ─── Notifications ──────────────────────────────────────────────── ││ Email digest [✓] Daily [ ] Weekly [ ] Off ││ In-app alerts [✓] On ││ ││ [ Save ] │└──────────────────────────────────────────────────────────────────────┘Actions
The Profile surface exposes the following operations. Each is described by what it does to the data, not by its internal method name.
View own profile
Returns the editable slice of the calling operator's user record — display name, avatar, locale, time zone, notification preferences, and the list of connected accounts. Role and email are present as read-only, never as form fields. The response is shaped for direct binding to the form view.
Update own profile
Replaces the stored profile slice with the posted values. Fields left blank do not clear server-side values (the form is partial-update by default). The operation runs through the same validators used by the Users edit path, scoped to the fields visible on this surface.
Change own password
A dedicated write path. Accepts the current password and a new password, validates length and complexity against the site policy, and rewrites the hash. Returns success or a structured failure naming the rule that rejected the value — too short, missing class, matches one of the recent N passwords. The operation invalidates other active sessions for the operator by default; the surface offers an opt-out checkbox to keep other sessions alive.
Update notification preferences
Writes the operator's notification opt-ins — email digest cadence, in-app alert toggle, mention notifications, comment notifications. Preferences live on the user record but are surfaced as a separate section because they cluster naturally and update independently of profile identity fields.
Upload avatar
Accepts an image upload, resizes it to the standard avatar dimensions, stores it under the Media library, and writes the resolved URL onto the user record. The prior avatar is not deleted from Media — it remains as an authored upload owned by the operator.
Remove avatar
Clears the avatar URL on the user record. The avatar slot falls back to the platform's initials-based placeholder. The prior file remains in Media.
List connected accounts
Returns the third-party identity providers the operator has linked — typically SSO accounts (Google, Microsoft) where the platform is configured for them. Each entry carries the provider slug, the remote subject identifier, and the link timestamp. Connected accounts allow login without password against the linked provider.
Disconnect account
Removes a linked third-party identity. The operator's primary password-based login is unaffected. Disconnect is allowed only when the operator retains at least one functioning login path — disconnecting the last login method is rejected with a structured response.
Generate API token
For operators with the capability to drive integrations on their own account, issues a personal API token scoped to the operator's role. Tokens are returned in plaintext once; subsequent reads return only a label, a fingerprint, and the issued-at timestamp. Revocation is one-way and immediate.
Data model
A profile write touches the following fields on the user record. The Profile surface does not own a separate table — it is a scoped view of the Users data model, restricted to fields the operator may edit on their own behalf.
| Field | Type | Notes |
|---|---|---|
name | string | Display name. Editable. |
avatar_url | string | Editable via upload / remove. Resolves against Media. |
locale | string | Editable. Falls back to site default if blank. |
time_zone | string | Editable. IANA zone identifier. |
password_hash | string | Editable only through the change-password path. Never exposed in reads. |
email | string | Read-only on this surface. Changes route through Users edit. |
role | enum | Read-only on this surface. |
notification_prefs | object | Editable. Sub-fields below. |
connected_accounts | array | List-managed via the connected accounts actions. |
api_tokens | array | List-managed via the token actions. |
| Sub-field | Type | Notes |
|---|---|---|
email_digest | enum | daily · weekly · off. |
in_app_alerts | bool | Master toggle for the in-shell notification tray. |
mention_notifications | bool | Direct mentions in posts and comments. |
comment_notifications | bool | Replies on authored content. |
| Sub-field | Type | Notes |
|---|---|---|
provider | enum | Provider slug — google, microsoft, saml. Set of available providers depends on site configuration. |
remote_subject | string | The provider's stable identifier for the operator. |
linked_at | timestamp | When the link was established. |
PROFILE-SCOPED USER RECORD├── Editable on this surface│ ├── name│ ├── avatar_url│ ├── locale│ ├── time_zone│ ├── password_hash (change-password path only)│ └── notification_prefs│ ├── email_digest│ ├── in_app_alerts│ ├── mention_notifications│ └── comment_notifications│├── Read-only on this surface│ ├── email│ └── role│└── List-managed (separate write paths)├── connected_accounts[]└── api_tokens[]Permissions
Access to the Profile surface is gated at two layers.
Layer 1 — admin gate. Every action under SG-Admin passes through the platform's standard admin access check at request entry. An unauthenticated request never reaches the Profile surface.
Layer 2 — per-action capability. Within SG-Admin, every Profile action is scoped to the calling operator's own user record. The capability map is uniform across the default role configuration:
| Capability | Administrator | Editor | Viewer |
|---|---|---|---|
| View own profile | ✔ | ✔ | ✔ |
| Update own profile | ✔ | ✔ | ✔ |
| Change own password | ✔ | ✔ | ✔ |
| Update notification preferences | ✔ | ✔ | ✔ |
| Upload / remove avatar | ✔ | ✔ | ✔ |
| List connected accounts | ✔ | ✔ | ✔ |
| Disconnect account | ✔ (with last-login guard) | ✔ (with last-login guard) | ✔ (with last-login guard) |
| Generate / revoke API token | ✔ | configurable | configurable |
Self-protection rules. Profile writes cannot remove the operator's last functioning login method — disconnecting the last connected account on an SSO-only operator, or clearing a password on a password-only operator, is rejected with a structured response. Password changes invalidate other sessions by default (opt-out available); the calling session always survives the change.
Audit. Every write — profile edit, password change, preference change, avatar upload, account disconnect, token generation, token revocation — emits an Activity Log entry. The log records the acting operator (always self on this surface), the field shape that changed, and a hashed reference to the new value where the cleartext is sensitive.
PROFILE REQUEST│▼┌───────────────────────────┐│ Admin gate │ unauth → reject│ (every /sg-admin/* call) │└─────────────┬─────────────┘│ authed▼┌───────────────────────────┐│ Scope check │ target = self → allow│ (this surface = self only)│ target = other → 404└─────────────┬─────────────┘│ self▼┌───────────────────────────┐│ Self-protection rules │ last-login removal → reject│ │ password reuse → reject└─────────────┬─────────────┘│ passes▼action executes│▼Activity Log entry(self · field shape · hashed sensitive value)Related references
- Users — Reference. Owns the full user record and the cross-operator administration surface. Profile is a scoped view of the same data.
- Two-Factor — Reference. Operator-facing enrollment is mirrored inside the Profile module, though the writes target the Two-Factor surface.
- Settings — Reference. Owns password complexity rules, the available locale list, the time-zone catalog, and the providers configured for SSO.
- Media — Reference. Avatar uploads land in the Media library. Operator uploads remain owned by the operator after avatar replacement.
- Notifications — Reference. Receives the notification preferences set on this surface and gates downstream channel sends accordingly.
- Activity Log — Reference. Stores audit events emitted by Profile writes alongside Users events and other admin writes.
/docs/profile.