admin/freealberta
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
freealberta/map/instruct/TEMP_USER_TEST.md

147 lines
3.7 KiB
Markdown
Raw Permalink Blame History

# Temp User Implementation Test Guide
## Testing the Implementation
### 1. Database Setup
Before testing, ensure your NocoDB Login table has these columns:
- `UserType` (Single Select: admin, user, temp)
- `ExpiresAt` (DateTime, nullable)
- `CreatedAt` (DateTime)
- `ExpireDays` (Integer, nullable)
### 2. Test User Creation via Admin Panel
1. **Access Admin Panel**
- Login as an admin user
- Navigate to `/admin.html`
- Go to the "Users" section
2. **Create Regular User**
- Email: `testuser@example.com`
- Name: `Test User`
- Password: `password123`
- User Type: `Regular User`
- Click "Create User"
3. **Create Temp User**
- Email: `tempuser@example.com`
- Name: `Temp User`
- Password: `password123`
- User Type: `Temporary User`
- Expires After: `30` days
- Click "Create User"
4. **Create Admin User**
- Email: `adminuser@example.com`
- Name: `Admin User`
- Password: `password123`
- User Type: `Admin`
- Click "Create User"
### 3. Test User Permissions
#### Test Temp User Restrictions:
1. **Login as temp user** (`tempuser@example.com`)
2. **Verify UI Elements Hidden:**
- No "Shifts" link in navigation
- No "Profile" link in navigation
- User email shows "Temp" badge
- Map search only shows "docs" mode (no database search)
3. **Test Location Operations:**
-**Add Location**: Should work
-**Edit Location**: Should work
-**Delete Location**: Delete button should be hidden in edit form
-**Move Location**: Move button should be hidden in popup
4. **Test Restricted Access:**
- Navigate to `/shifts.html` → Should redirect or show 403
- Navigate to `/user.html` → Should redirect or show 403
- Navigate to `/admin.html` → Should redirect or show 403
#### Test Regular User:
1. **Login as regular user** (`testuser@example.com`)
2. **Verify Full Access:**
- ✅ Can access shifts page
- ✅ Can access user profile
- ✅ Can add, edit, and delete locations
- ✅ Can use database search
- ❌ Cannot access admin panel
#### Test Admin User:
1. **Login as admin user** (`adminuser@example.com`)
2. **Verify Admin Access:**
- ✅ Full access to all features
- ✅ Can access admin panel
- ✅ Can create/manage users
### 4. Test Backend API Endpoints
Use browser console or testing tool:
```javascript
// Test temp user cannot delete location
fetch('/api/locations/1', { method: 'DELETE' })
.then(r => r.json())
.then(console.log); // Should return 403 error for temp users
// Test temp user cannot access shifts
fetch('/api/shifts')
.then(r => r.json())
.then(console.log); // Should return 403 error for temp users
```
### 5. Expected Results
#### User Table Display:
- Regular User: Blue "User" badge
- Temp User: Orange "Temp" badge + expiration date
- Admin User: Green "Admin" badge
#### Authentication Response:
```json
{
"authenticated": true,
"user": {
"email": "tempuser@example.com",
"name": "Temp User",
"isAdmin": false,
"userType": "temp"
}
}
```
### 6. Troubleshooting
**If temp user can access restricted features:**
- Check middleware is properly imported in routes
- Verify session includes `userType`
- Check browser console for JavaScript errors
**If user creation fails:**
- Verify NocoDB table has required columns
- Check server logs for database errors
- Ensure column names match exactly
**If UI elements not hiding:**
- Check browser console for auth errors
- Verify `currentUser.userType` is set
- Check CSS classes are applied correctly
### 7. Security Verification
Temp users should receive **403 Forbidden** responses for:
- `DELETE /api/locations/:id`
- `GET /shifts.html`
- `GET /user.html`
- `GET /admin.html`
- `GET /api/shifts`
All restrictions should be enforced server-side, not just hidden in UI.
Reference in New Issue View Git Blame Copy Permalink