Roles & Access
Cittopia organises admins into four jurisdictional tiers — Super, Regional, City, District — plus capability roles within each. Sidebar nav, dashboards, data scope, and matchmaking are all filtered to the active tier.
Four jurisdictional tiers #
Every admin login resolves into exactly one tier. The tier determines which sidebar items are visible, which dashboard you land on, and whether your data is scoped to a single municipality, a region of municipalities, or the whole platform.
| Tier | Lands on | Sidebar | Data scope | Demo login |
|---|---|---|---|---|
| 👑 Super Admin | /super-admin | All workspace + impersonation | Whole platform | super_admin |
| 🗺️ Regional Admin (NEW) | /region | Region-tier only (8 items) | One voivodeship / NUTS-2 | mazovia_admin |
| 🏛️ City Admin | /overview | City-tier (13 items) | One city + its districts | warsaw_admin, istanbul_admin, sofia_admin, varna_admin |
| 🏘️ District Admin (NEW) | /overview with district hero | City-tier (inherits parent) | One sub-district | besiktas_admin |
🗺️ Regional Admin tier — what's different
Regional admins represent marshal offices, regional development agencies (RDAs), or provincial coordinators. Their dashboard aggregates data across every member city and surfaces region-only tools:
- Regional Overview — KPIs across all member cities, regional Pulse score, Leaflet map
- Member Cities table — every city under jurisdiction with Pulse, projects, sister-cities
- Regional Quality of Life — population-weighted aggregate, top/bottom city performers
- Regional Infrastructure — inter-city corridor scores (rail / motorway / fiber / energy)
- Cross-Region Matchmaking — peer regions across Europe (excludes same-country)
- Regional Projects — coordinate regional initiatives, invite member cities to participate
- EU Funds Pipeline (BETA) — Allocated / Contracted / Disbursed / Unallocated tracker
- Public Region Profile — open-access marketing page for the region
Pilot region: Mazowieckie Voivodeship (Warsaw + 6 other cities · 5.4M citizens · €4.5B 2021–27 ROP).
🏘️ District Admin tier — what's different
District admins (e.g. Beşiktaş in İstanbul) share their parent city's data infrastructure but their dashboards are scoped to the district population, projects, and partnerships. The hero on every page renders the district name; the parent city is shown as the "country line" context.
Capability roles #
Within each tier, capability levels constrain what the admin can do (read / write / approve / delete), independent of the jurisdictional scope the tier grants. Every demo login currently ships at the Specialist / Coordinator level, i.e. the clerks who use the platform daily, not elected mayors or marshals.
| Capability | Read | Write | Approve | Delete |
|---|---|---|---|---|
| City Administrator | All | All | ✓ | ✓ (with confirmation) |
| Department Lead | All | Own department | Own scope | Soft-delete only |
| Specialist / Coordinator (default for demo logins) | All | Drafts + their workflow | — | — |
| Read-only | All | — | — | — |
Example clerk roles behind the demo accounts:
- Warsaw — Specjalista ds. miast partnerskich (Sister Cities Specialist)
- İstanbul — Dış İlişkiler Uzmanı (External Relations Specialist)
- Sofia — Експерт международни проекти (International Projects Officer)
- Varna — Координатор по партньорства (Partnerships Coordinator)
- Beşiktaş — Dış İlişkiler Koordinatörü (External Relations Coordinator)
- Mazovia — Koordynator funduszy regionalnych (Regional Funds Coordinator)
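The two dimensions above (jurisdictional tier from the first table, capability level from the second) are only meaningful if the server checks both on every request. The following is an added example, not Cittopia's own code, showing one deny-by-default check that combines them: the node ids, the admin/resource shapes, the `platform` root for Super Admin and the department names are all constructed for the illustration, and the page's "Own department" and "their workflow" write scopes are folded into a single own-department test.

```javascript
// Added example (not Cittopia's code): jurisdiction + capability in one check.
// Constructed jurisdiction tree: region -> city -> district, keyed by node id.
const NODES = {
  mazowieckie: { tier: 'region',   parent: null },
  warsaw:      { tier: 'city',     parent: 'mazowieckie' },
  istanbul:    { tier: 'city',     parent: null },
  besiktas:    { tier: 'district', parent: 'istanbul' },
  sofia:       { tier: 'city',     parent: null },
};

// Capability matrix from the table above.
//   'all'     = anywhere inside the admin's jurisdiction
//   'own'     = own department only ("Own department" / "their workflow" merged here)
//   'soft'    = soft-delete only, own department (assumption: same scope as write)
//   'confirm' = allowed, but only with an explicit confirmation flag
//   null      = never
const CAPABILITIES = {
  'city-administrator': { read: 'all', write: 'all', approve: 'all', delete: 'confirm' },
  'department-lead':    { read: 'all', write: 'own', approve: 'own', delete: 'soft' },
  'specialist':         { read: 'all', write: 'own', approve: null,  delete: null },
  'read-only':          { read: 'all', write: null,  approve: null,  delete: null },
};
const OWN_SCOPED = new Set(['own', 'soft']);

// Walk from the resource's node up the tree: the admin may act on it only if
// their jurisdiction is that node or one of its ancestors. 'platform' is the
// assumed Super Admin root. Unknown nodes fall out of the loop and are denied.
function inJurisdiction(jurisdiction, nodeId) {
  if (jurisdiction === 'platform') return true;
  for (let id = nodeId; id && NODES[id]; id = NODES[id].parent) {
    if (id === jurisdiction) return true;
  }
  return false;
}

// admin:    { jurisdiction, capability, department }
// resource: { node, department }
// opts:     { confirmed } for 'confirm'-level actions
function authorize(admin, action, resource, opts = {}) {
  if (!inJurisdiction(admin.jurisdiction, resource.node)) {
    return { allow: false, reason: 'out-of-jurisdiction' };
  }
  const level = (CAPABILITIES[admin.capability] || {})[action] || null;
  if (level === null) return { allow: false, reason: 'capability-denied' };
  if (OWN_SCOPED.has(level) && resource.department !== admin.department) {
    return { allow: false, reason: 'outside-own-department' };
  }
  if (level === 'confirm' && opts.confirmed !== true) {
    return { allow: false, reason: 'confirmation-required' };
  }
  return { allow: true, mode: level };
}

// Constructed demo admins mirroring the tier table.
const warsawClerk   = { jurisdiction: 'warsaw',      capability: 'specialist',         department: 'sister-cities' };
const mazoviaLead   = { jurisdiction: 'mazowieckie', capability: 'department-lead',    department: 'funds' };
const besiktasClerk = { jurisdiction: 'besiktas',    capability: 'specialist',         department: 'external' };

console.log(authorize(mazoviaLead, 'read', { node: 'warsaw', department: 'x' }));      // region sees member city
console.log(authorize(besiktasClerk, 'read', { node: 'istanbul', department: 'x' }));  // district cannot see city-wide
console.log(authorize(warsawClerk, 'approve', { node: 'warsaw', department: 'sister-cities' })); // clerk cannot approve
```

The order matters: jurisdiction is checked before capability so that a caller probing resources outside their region gets the same `out-of-jurisdiction` answer regardless of what they would be allowed to do inside it, and every unknown capability, action or node resolves to a denial rather than to an exception or an implicit allow.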
Authentication model #
The current implementation is a demo-grade client-side gate: the browser validates the entered credentials against a map issued by the server. Anything enforced only in the browser can be bypassed with developer tools, so treat the gate as a demo convenience rather than a security boundary, and keep the tier and capability checks server-side on every request. Production deployments will move credential validation server-side (planned for Phase 6 of the roadmap). See assets/js/auth-gate.js for the source.
Anti-spam on public forms #
All public-facing forms (Wall of Belief, Bring-your-city, district claim, Agora post) ship a layered anti-spam stack:
- HMAC token + time-trap — the server issues an HMAC-signed timestamp with the form; a submission arriving less than 3 s after issue, or more than 30 min after, is rejected.
- Three honeypot fields — invisible fields that real users never fill but bots do.
- "I'm not a robot" checkbox — Cittopia-branded checkbox component sets a hidden `_human` field cryptographically tied to the form's `_ts`.
- Per-IP rate limiting + per-email cooldown (24h on the Wall).
- Content sanity checks — disposable-email blocklist, URL-density check, repetition heuristics → block / flag / OK verdicts.
Rotating credentials #
Email hello@cittopia.com with the subject `Rotate handle: <handle>`. Cittopia issues a new authentication key within 24 hours and revokes the old one on confirmation.