# Temp User Implementation Test Guide

## Testing the Implementation

### 1. Database Setup

Before testing, ensure your NocoDB Login table has these columns:

- `UserType` (Single Select: admin, user, temp)
- `ExpiresAt` (DateTime, nullable)
- `CreatedAt` (DateTime)
- `ExpireDays` (Integer, nullable)

### 2. Test User Creation via Admin Panel

1. **Access Admin Panel**
   - Log in as an admin user
   - Navigate to `/admin.html`
   - Go to the "Users" section
2. **Create Regular User**
   - Email: `testuser@example.com`
   - Name: `Test User`
   - Password: `password123`
   - User Type: `Regular User`
   - Click "Create User"
3. **Create Temp User**
   - Email: `tempuser@example.com`
   - Name: `Temp User`
   - Password: `password123`
   - User Type: `Temporary User`
   - Expires After: `30` days
   - Click "Create User"
4. **Create Admin User**
   - Email: `adminuser@example.com`
   - Name: `Admin User`
   - Password: `password123`
   - User Type: `Admin`
   - Click "Create User"

### 3. Test User Permissions

#### Test Temp User Restrictions:

1. **Log in as temp user** (`tempuser@example.com`)
2. **Verify UI Elements Hidden:**
   - No "Shifts" link in navigation
   - No "Profile" link in navigation
   - User email shows "Temp" badge
   - Map search only shows "docs" mode (no database search)
3. **Test Location Operations:**
   - ✅ **Add Location**: Should work
   - ✅ **Edit Location**: Should work
   - ❌ **Delete Location**: Delete button should be hidden in edit form
   - ❌ **Move Location**: Move button should be hidden in popup
4. **Test Restricted Access:**
   - Navigate to `/shifts.html` → Should redirect or show 403
   - Navigate to `/user.html` → Should redirect or show 403
   - Navigate to `/admin.html` → Should redirect or show 403

#### Test Regular User:

1. **Log in as regular user** (`testuser@example.com`)
2. **Verify Full Access:**
   - ✅ Can access shifts page
   - ✅ Can access user profile
   - ✅ Can add, edit, and delete locations
   - ✅ Can use database search
   - ❌ Cannot access admin panel

#### Test Admin User:

1. **Log in as admin user** (`adminuser@example.com`)
2. **Verify Admin Access:**
   - ✅ Full access to all features
   - ✅ Can access admin panel
   - ✅ Can create/manage users

### 4. Test Backend API Endpoints

Use the browser console (while logged in as the temp user) or a testing tool. Check the HTTP status, not just the body, since the UI hiding a button proves nothing about the server:

```javascript
// Test temp user cannot delete a location
fetch('/api/locations/1', { method: 'DELETE' })
  .then(r => r.json().then(body => console.log(r.status, body)));
// Should log 403 and an error body for temp users

// Test temp user cannot access shifts
fetch('/api/shifts')
  .then(r => r.json().then(body => console.log(r.status, body)));
// Should log 403 and an error body for temp users
```

### 5. Expected Results

#### User Table Display:

- Regular User: Blue "User" badge
- Temp User: Orange "Temp" badge + expiration date
- Admin User: Green "Admin" badge

#### Authentication Response:

```json
{
  "authenticated": true,
  "user": {
    "email": "tempuser@example.com",
    "name": "Temp User",
    "isAdmin": false,
    "userType": "temp"
  }
}
```

### 6. Troubleshooting

**If a temp user can access restricted features:**

- Check that the middleware is properly imported in the routes
- Verify the session includes `userType`
- Check the browser console for JavaScript errors

**If user creation fails:**

- Verify the NocoDB table has the required columns
- Check server logs for database errors
- Ensure column names match exactly

**If UI elements are not hidden:**

- Check the browser console for auth errors
- Verify `currentUser.userType` is set
- Check that CSS classes are applied correctly

### 7. Security Verification

Temp users should receive **403 Forbidden** responses for:

- `DELETE /api/locations/:id`
- `GET /shifts.html`
- `GET /user.html`
- `GET /admin.html`
- `GET /api/shifts`

All restrictions should be enforced server-side, not just hidden in the UI.
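The following is an added example (not code from this project) of what "enforced server-side" looks like: an Express-style middleware that maps the restricted routes above to the user types allowed to reach them, and also treats a temp account whose `ExpiresAt` has passed as unauthenticated. The route table, the `req.session.user` shape and the `expiresAt` field name are assumptions.

```javascript
// Added example, not the project's own middleware. Assumes the session stores
// the user as req.session.user with `userType` and an optional `expiresAt`.
// Mount this only on routes that require a login (i.e. after the login routes).
const RESTRICTED_ROUTES = [
  { method: 'DELETE', path: /^\/api\/locations\/[^/]+$/, allow: ['user', 'admin'] },
  { method: 'GET',    path: /^\/api\/shifts(\/|$)/,       allow: ['user', 'admin'] },
  { method: 'GET',    path: /^\/shifts\.html$/,           allow: ['user', 'admin'] },
  { method: 'GET',    path: /^\/user\.html$/,             allow: ['user', 'admin'] },
  { method: 'GET',    path: /^\/admin\.html$/,            allow: ['admin'] },
];

// Returns the matching rule, or null when the route has no extra restriction.
function findRule(method, path) {
  return RESTRICTED_ROUTES.find(r => r.method === method && r.path.test(path)) || null;
}

// Pure decision function so it can be unit-tested without a server:
// 401 = no valid session, 403 = logged in but not allowed, 200 = allowed.
function authorize(user, method, path, now = new Date()) {
  if (!user || !user.userType) return 401;
  // An expired temp account is treated as logged out even if a session survives.
  if (user.userType === 'temp' && user.expiresAt && new Date(user.expiresAt) < now) return 401;
  const rule = findRule(method, path);
  if (!rule) return 200;
  return rule.allow.includes(user.userType) ? 200 : 403;
}

// Express-style middleware wrapping the decision.
function requireAccess(req, res, next) {
  const user = req.session && req.session.user;
  const status = authorize(user, req.method, req.path);
  if (status === 200) return next();
  res.status(status).json({ error: status === 401 ? 'Authentication required' : 'Forbidden' });
}

module.exports = { authorize, requireAccess, findRule };
```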