Admin Panels Are Not Configuration Systems

I learned this the annoying way: admin panels are not configuration systems.

They can become one, but not by accident.

Early on, it feels harmless. Someone needs to change a headline. Someone wants to hide a section for one customer. Sales needs a different value on one account. Support needs to fix something without waiting on engineering.

So a field gets added.

Then another one.

Then another one.

At some point the admin panel becomes the place where “configuration” happens, except nothing about it is really controlled. It is just a form writing into something the product reads.

That is fine until people start forgetting what the original default was. Then nobody knows whether a value is global or customer-specific, whether a saved draft is live, whether a generated record used the old value or the new one, or whether rolling something back is going to affect one account or everyone.

That is when the admin panel stops being useful and starts becoming dangerous.

A default workflow carries more weight than people usually admit. Support has learned it. Documentation points to it. Billing logic was built around it. Other parts of the product assume it will still be there tomorrow.

So I do not treat defaults like casual settings anymore.

The source should stay locked. If a customer needs something different, create an override. Duplicate the thing. Version it. Preview it. Activate it when it is ready. But do not let a customer-level edit mutate the source template.

A rough version looks like this:

const sourceTemplate = {
  id: "default_workflow",
  locked: true,
  sourceOfTruth: true,
  sections: [
    { key: "intro", title: "Welcome", visible: true },
    { key: "setup", title: "Setup", visible: true },
    { key: "review", title: "Review", visible: true }
  ]
};

const customerConfig = {
  customerId: "customer_123",
  sourceTemplateId: "default_workflow",
  status: "draft",
  overrides: {
    sections: {
      setup: {
        title: "Account Setup",
        visible: true
      },
      review: {
        visible: false
      }
    }
  }
};

The original stays intact. The customer gets a different version. The admin panel edits the duplicate or the override, not the source.

The status is where a lot of products get sloppy.

I do not want production reading “whatever was saved last.” Saved and live are not the same thing. A draft can be saved. A preview can be rendered. An archived version can still exist for history. None of those should control production.

I usually want something closer to this:

const CONFIG_STATUS = {
  DRAFT: "draft",
  PREVIEW: "preview",
  ACTIVE: "active",
  ARCHIVED: "archived"
};

Production reads active. Not latest. Not preview. Not the thing someone saved five minutes ago while they were still testing copy.

That sounds strict until you have seen the alternative.

The alternative is a support person saving a draft and accidentally changing what customers see. Or a sales override becoming the new default because it was easier to edit the existing object than create a customer-specific layer. Or a generated document pulling today’s value even though it was supposed to reflect what was approved last week.

Those bugs are not always dramatic. Most of the time they are just messy. And messy bugs waste a lot of time because there is no single failing line of code. The product is doing exactly what it was told to do. The problem is that nobody can explain what it was supposed to do.

That is why I prefer resolving configuration in one place.

Do not make every component figure out which version it should use. Do not scatter account checks, copy overrides, feature flags, pricing rules, and visibility logic all over the app. That turns the product into a junk drawer.

Give the app the effective config and let it render.

function resolveEffectiveConfig(customer) {
  const source = getLockedSourceTemplate();
  const activeConfig = getActiveCustomerConfig(customer.id);

  if (!activeConfig) {
    return source;
  }

  return mergeSourceWithOverrides(source, activeConfig);
}

The resolver should be boring. It checks for an active customer config. It ignores drafts and previews in live paths. It falls back to the locked source when nothing active exists. It merges only the allowed overrides.

Everything else should be able to trust the result.

The tests should be boring too.

I want tests that prove drafts do not leak. I want tests that prove previews do not leak. I want tests that prove archived configs do not suddenly become live because they happened to be the last record created.

expect(resolveLiveConfig(customerWithDraftOnly)).toEqual(sourceDefault);
expect(resolveLiveConfig(customerWithPreviewOnly)).toEqual(sourceDefault);
expect(resolveLiveConfig(customerWithArchivedOnly)).toEqual(sourceDefault);
expect(resolveLiveConfig(customerWithActiveConfig)).toEqual(expectedOverride);

That is the kind of test that looks unimpressive until it saves you from a bad release.

Generated records need the same discipline.

If something gets generated from configuration, and that thing needs to remain historically accurate, snapshot the values. Do not keep pointing back to the live config and assume it will still mean the same thing later.

Invoices, agreements, receipts, audit logs, approvals, customer confirmations — anything like that should preserve the values used when it was created.

const generatedSnapshot = {
  customerId: "customer_123",
  generatedAt: "2026-06-14T00:00:00Z",
  configVersion: "v3",
  values: {
    setupFee: 12000,
    monthlyMinimum: 2500,
    transactionSharePercent: 20
  }
};

The current config can change tomorrow. The record from yesterday should not.

Otherwise history starts moving. A document that was generated with one set of values appears to have another. An invoice no longer matches what was approved. A customer asks why the number changed, and the answer is basically, “because the object was still live.”

That is not a good answer.

I have also become much stricter about what gets sent to the browser. The frontend usually does not need the full internal configuration object. It needs the small part required to render the page.

The full object may contain pricing, internal notes, admin flags, version history, legal variables, draft states, implementation details, or things that are not technically private but still should not be sitting in the browser.

So project it.

function projectPublicConfig(effectiveConfig) {
  return {
    sections: effectiveConfig.sections
      .filter(section => section.visible)
      .map(section => ({
        key: section.key,
        title: section.title,
        body: section.body,
        cta: section.cta
      }))
  };
}

The browser gets rendering data. That is all it needed anyway.

The version I trust looks like this:

const effectiveConfig = resolveEffectiveConfig(customer);
const publicConfig = projectPublicConfig(effectiveConfig);

return publicConfig;

For generated records:

const effectiveConfig = resolveEffectiveConfig(customer);
const snapshot = createImmutableSnapshot(effectiveConfig);

saveGeneratedRecord({
  customerId: customer.id,
  snapshot,
  generatedAt: new Date().toISOString()
});

For production UI:

const config = resolveLiveConfig(customer);

renderWorkflow(config);

For preview:

const previewConfig = resolvePreviewConfig(customer, draftConfigId);

renderPreview(previewConfig);

I do not like live and preview sharing the same loose path. That is how preview work becomes production behavior by accident.

None of this is about making configuration fancy. I am not interested in elaborate admin systems for their own sake. The point is control.

Customers will need different things. Internal teams will need to move quickly. The product will need account-level behavior eventually. That is normal.

The problem starts when every one of those needs is solved by making the default more editable.

If an admin panel can change the source, change what is live, change what gets generated, and expose internal state through the same path, it will eventually create a problem that is harder to unwind than it would have been to model correctly in the first place.

The questions I want the system to answer are simple:

What is the locked default?

What is the active customer override?

What is only a draft?

What values were used when this record was generated?

What is safe to send to the client?

If those answers are not clear, the product does not really have a configuration layer. It has a form connected to production.

That might be acceptable for a while. Early products make tradeoffs. I understand that.

But once the system touches real customers, real billing, generated records, or account-specific behavior, the boundary has to get stricter.

Lock the source. Duplicate before editing. Preview before activation. Resolve active config only. Snapshot generated outputs. Send the client only what it needs.

That is the version I trust.