Case study · 2026

Pacific Trips Admin

Internal admin panel for a Pakistani travel agency. Built to let the owner and team manage every piece of content on pacific-trips.com — from trip packages to blog posts to customer enquiries.

Year

2026

Type

Client work

Timeline

30 days . Secure . Custom RBAC

Status

Live

https://pacific-admin-panel.vercel.app/dashboard/trips

The problem

Pacific Trips had no way to update their public website without going through a developer. The owner and staff were emailing edits, which slowed down publishing and caused version drift. They needed a self-serve tool that let multiple team members manage content with different levels of access.

What I built

I built a full-stack admin dashboard on Next.js 16 and Supabase. It covers every content type on the public site and ships with a role-based permission system so the owner can control exactly what each team member can see or edit.

Security layer
Supabase RLS at the database level, JWT sessions, Cloudflare Turnstile CAPTCHA on login, and CSP headers throughout.
9-step trip wizard
Multi-step form for creating trip packages — card info, images, itinerary, gallery, FAQs, SEO metadata, and publish status, all validated per-step with Zod.
Blog editor with inline images
Tiptap rich-text editor with markdown support, inline image uploads to Supabase Storage, and automatic orphaned-image cleanup on delete.
Granular role based access system
Three roles (super admin, admin, viewer) with per-module permissions across 8 sections. Permissions are cached for 5 minutes to avoid redundant DB hits.
Bulk operations
Batch delete and status updates across trips, blogs, enquiries, contact queries, and more — all powered by TanStack Table with pagination and search.
Contact form with spam protection
Public-facing contact form validates each submission against Cloudflare Turnstile before touching the database. Clean submissions are inserted into Supabase; spam is dropped before insert.
Email notifications via Resend
A Supabase Edge Function triggers on every new contact_messages row insertion and fires a transactional email through Resend — so the team gets notified the moment a lead comes in, without polling the dashboard

The result

The owner and team can now publish trip packages, blog posts, and respond to enquiries without any developer involvement. Role-based access means support staff only see what they need. Image uploads that used to require manual FTP now take seconds from the dashboard.

modules

API routes

Multi step forms

User roles

Stack

Next.jsReactTypescriptTailwind CSSSupabaseReact Hook FormZodTiptapShadcnCloudflareResend

Build timeline

Day 1–4

Project setup, Supabase API, auth, dark mode. Users CRUD, contact submissions, reviews, trips table, 9-step trip wizard, trip metadata modules (types, activities, locations), detail modal, sidebar nav.

Day 5–7

FAQs CRUD, profile & password management, trip editing flow. Blogs module with categories and editing. YouTube carousel. Super admin role, basic RBAC. Turnstile CAPTCHA, half-star ratings.

Day 8–10

SEO fields for trips and blogs. Detail modals for all modules. Eliminated duplicate fetches. Storage orphan cleanup. Signed uploads, image compression, Next.js Image. Granular per-module permission system with viewer role.

Day 11–14

TanStack Query migration and custom hook extraction for all modules. Rich text editor for trips. Contact alert email via Edge Function + Resend. Security headers, safe errors, two hardening rounds, API audit.

Day 15–19

Login page redesign. Trip enquiries module. Sticky header, favicons. Iconify icons. User restriction rules. withAuth wrapper across all 16 API groups. Rate limiting, RLS hardening, quick-create dialogs.

Day 20–24

Custom JWT → Supabase Auth migration. Banner image crop (trips + blogs). Tiptap inline images for blogs with alt-text editing. Orphaned image edge function. Inline publish/delete toggles. Refresh buttons, cache fixes.

Day 25–26

WebP compression. React.cache() deduplication. Lazy-load Tiptap. Parallel DB queries. In-memory caching for auth and permissions. Direct Supabase reads — removed API GET layer entirely.

Building something similar? I take on one SaaS or MVP project per month. Two-week scopes, weekly demos.

Start a conversation →

All projects← back to work