freealberta/map/instruct/TEMP_USER_TEST.md

Temp User Implementation Test Guide

Testing the Implementation

1. Database Setup

Before testing, ensure your NocoDB Login table has these columns:

  • UserType (Single Select: admin, user, temp)
  • ExpiresAt (DateTime, nullable)
  • CreatedAt (DateTime)
  • ExpireDays (Integer, nullable)

2. Test User Creation via Admin Panel

  1. Access Admin Panel

    • Log in as an admin user
    • Navigate to /admin.html
    • Go to the "Users" section
  2. Create Regular User

    • Email: testuser@example.com
    • Name: Test User
    • Password: password123
    • User Type: Regular User
    • Click "Create User"
  3. Create Temp User

    • Email: tempuser@example.com
    • Name: Temp User
    • Password: password123
    • User Type: Temporary User
    • Expires After: 30 days
    • Click "Create User"
  4. Create Admin User

    • Email: adminuser@example.com
    • Name: Admin User
    • Password: password123
    • User Type: Admin
    • Click "Create User"

3. Test User Permissions

Test Temp User Restrictions:

  1. Log in as the temp user (tempuser@example.com)

  2. Verify UI Elements Hidden:

    • No "Shifts" link in navigation
    • No "Profile" link in navigation
    • User email shows "Temp" badge
    • Map search only shows "docs" mode (no database search)
  3. Test Location Operations:

    • Add Location: Should work
    • Edit Location: Should work
    • Delete Location: Delete button should be hidden in edit form
    • Move Location: Move button should be hidden in popup
  4. Test Restricted Access:

    • Navigate to /shifts.html → Should redirect or show 403
    • Navigate to /user.html → Should redirect or show 403
    • Navigate to /admin.html → Should redirect or show 403

Test Regular User:

  1. Log in as the regular user (testuser@example.com)

  2. Verify Full Access:

    • Can access shifts page
    • Can access user profile
    • Can add, edit, and delete locations
    • Can use database search
    • Cannot access admin panel

Test Admin User:

  1. Log in as the admin user (adminuser@example.com)

  2. Verify Admin Access:

    • Full access to all features
    • Can access admin panel
    • Can create/manage users

4. Test Backend API Endpoints

Use the browser console (while logged in as the temp user) or an API testing tool. The session cookie is sent automatically because fetch defaults to same-origin credentials; the responses are read as text so that an HTML 403 page does not throw a JSON parse error:

```javascript
// Test temp user cannot delete location
fetch('/api/locations/1', { method: 'DELETE' })
  .then(r => r.text().then(body => ({ status: r.status, body })))
  .then(console.log); // Should log status 403 for temp users

// Test temp user cannot access shifts
fetch('/api/shifts')
  .then(r => r.text().then(body => ({ status: r.status, body })))
  .then(console.log); // Should log status 403 for temp users
```

5. Expected Results

User Table Display:

  • Regular User: Blue "User" badge
  • Temp User: Orange "Temp" badge + expiration date
  • Admin User: Green "Admin" badge

Authentication Response:

```json
{
  "authenticated": true,
  "user": {
    "email": "tempuser@example.com",
    "name": "Temp User",
    "isAdmin": false,
    "userType": "temp"
  }
}
```

6. Troubleshooting

If a temp user can access restricted features:

  • Check that the authorization middleware is imported and applied in the routes
  • Verify session includes userType
  • Check browser console for JavaScript errors

If user creation fails:

  • Verify NocoDB table has required columns
  • Check server logs for database errors
  • Ensure column names match exactly

If UI elements are not hidden:

  • Check browser console for auth errors
  • Verify currentUser.userType is set
  • Check CSS classes are applied correctly

7. Security Verification

Temp users should receive 403 Forbidden responses for:

  • DELETE /api/locations/:id
  • GET /shifts.html
  • GET /user.html
  • GET /admin.html
  • GET /api/shifts

All restrictions should be enforced server-side, not just hidden in UI.
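To illustrate what "enforced server-side" means for the endpoints in sections 4 and 7, here is an added example of a request-authorization rule written as a pure function so it can be unit-tested without a running server. It is not the project's own middleware; the route table, the fail-closed handling of unknown user types, and the rule that a temp account with a missing or past ExpiresAt is denied are assumptions.

```javascript
// Added example (not the freealberta/map project's code). Encodes the temp-user
// restrictions from this guide as a server-side check that every route goes
// through, independent of whether the UI hides a button or link.
const ADMIN_ONLY = [/^\/admin\.html$/, /^\/api\/users(\/|$)/];           // assumed paths
const TEMP_DENIED = [/^\/shifts\.html$/, /^\/user\.html$/, /^\/api\/shifts(\/|$)/];

// Returns { status: 200 } when allowed, otherwise { status, error }.
// `user` is the session user as in the auth response: { userType, expiresAt? }.
function authorize(user, method, path, now = new Date()) {
  if (!user) return { status: 401, error: 'not authenticated' };
  const { userType } = user;
  if (userType === 'admin') return { status: 200 };
  if (ADMIN_ONLY.some(re => re.test(path))) return { status: 403, error: 'admin only' };
  if (userType === 'user') return { status: 200 };
  // Anything that is not an explicitly known type is denied (fail closed).
  if (userType !== 'temp') return { status: 403, error: 'unknown user type' };
  // Assumption: a temp account must carry an ExpiresAt; missing or past means expired.
  if (!user.expiresAt || new Date(user.expiresAt) <= now) {
    return { status: 403, error: 'temp account expired' };
  }
  if (TEMP_DENIED.some(re => re.test(path))) {
    return { status: 403, error: 'temp users cannot access this page' };
  }
  // Temp users may add and edit locations, but never delete them.
  if (method === 'DELETE' && /^\/api\/locations\/[^/]+$/.test(path)) {
    return { status: 403, error: 'temp users cannot delete locations' };
  }
  return { status: 200 };
}

// Express-style adapter (assumed request shape: req.session.user, req.method, req.path).
function requireAccess(req, res, next) {
  const result = authorize(req.session && req.session.user, req.method, req.path);
  if (result.status === 200) return next();
  res.status(result.status).json({ error: result.error });
}
```

Mounting `requireAccess` before the route handlers makes the section 7 checklist a property of the server rather than of the page's JavaScript.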