@nextsparkjs/theme-default 0.1.0-beta.20 → 0.1.0-beta.22

package/tests/cypress/e2e/uat/roles/editor-role.cy.ts

@@ -0,0 +1,210 @@
+/// <reference types="cypress" />
+
+/**
+ * Editor Role - Permission Restrictions
+ *
+ * Tests for the custom "editor" role (hierarchy level 5).
+ * Editor has limited permissions:
+ * - customers: list, read only (no create/update/delete)
+ * - Cannot access Superadmin (superadmin only)
+ * - Cannot access Dev Zone (restricted zone)
+ *
+ * Test user: Diego Ramírez (diego.ramirez@nextspark.dev) - Everpoint Labs
+ */
+
+import * as allure from 'allure-cypress'
+
+import { CustomersPOM } from '../../../src/entities/CustomersPOM'
+import { loginAsDefaultEditor } from '../../../src/session-helpers'
+
+describe('Editor Role - Permission Restrictions', {
+  tags: ['@uat', '@feat-teams', '@security', '@role-editor', '@regression']
+}, () => {
+  const customers = CustomersPOM.create()
+
+  beforeEach(() => {
+    allure.epic('UAT')
+    allure.feature('Permissions')
+    allure.story('Editor Role Restrictions')
+    customers.setupApiIntercepts()
+    loginAsDefaultEditor()
+  })
+
+  describe('UI Restrictions - Buttons Hidden', { tags: '@smoke' }, () => {
+    it('EDIT_ROLE_001: Editor can view customers list', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+
+      customers.visitList()
+      customers.api.waitForList()
+      customers.waitForList()
+
+      // Editor should see the customers table
+      cy.get(customers.selectors.table).should('be.visible')
+
+      cy.log('✅ Editor can view customers list')
+    })
+
+    it('EDIT_ROLE_002: Create Customer button not visible for Editor', { tags: '@smoke' }, () => {
+      allure.severity('critical')
+
+      customers.visitList()
+      customers.api.waitForList()
+      customers.waitForList()
+
+      // Create button should NOT exist for Editor (no create permission)
+      cy.get(customers.selectors.addButton).should('not.exist')
+
+      cy.log('✅ Create button correctly hidden for Editor')
+    })
+
+    it('EDIT_ROLE_003: Edit/Delete buttons not visible for Editor', () => {
+      allure.severity('critical')
+
+      customers.visitList()
+      customers.api.waitForList()
+      customers.waitForList()
+
+      cy.get('body').then($body => {
+        if ($body.find(customers.selectors.rowGeneric).length > 0) {
+          // Edit action buttons should NOT exist for Editor
+          cy.get(customers.selectors.rowActionEditGeneric).should('not.exist')
+
+          // Delete action buttons should NOT exist for Editor
+          cy.get(customers.selectors.rowActionDeleteGeneric).should('not.exist')
+
+          cy.log('✅ Edit/Delete buttons correctly hidden for Editor')
+        } else {
+          cy.log('⚠️ No customers to check edit/delete permissions')
+        }
+      })
+    })
+
+    it('EDIT_ROLE_004: Editor has no row actions menu (no edit/delete permissions)', () => {
+      customers.visitList()
+      customers.api.waitForList()
+      customers.waitForList()
+
+      cy.get('body').then($body => {
+        if ($body.find(customers.selectors.rowGeneric).length > 0) {
+          // Row actions menu should NOT exist for Editor
+          // EntityList only shows actions menu if user has canUpdate or canDelete
+          // Editor has neither, so the menu trigger should not exist
+          cy.get('[data-cy^="customers-actions-"]').should('not.exist')
+
+          cy.log('✅ Row actions menu correctly hidden for Editor (no edit/delete permissions)')
+        } else {
+          cy.log('⚠️ No customers to check row actions')
+        }
+      })
+    })
+  })
+
+  describe('URL Access Restrictions - Permission Denied', () => {
+    it('EDIT_ROLE_005: Direct URL to /customers/create shows Permission Denied', () => {
+      allure.severity('critical')
+
+      cy.visit(`/dashboard/${customers.entitySlug}/create`)
+
+      // Check for permission denied component OR redirect
+      cy.get('body').then($body => {
+        if ($body.find('[data-cy="permission-denied"]').length > 0) {
+          cy.get('[data-cy="permission-denied"]').should('be.visible')
+          cy.log('✅ Permission Denied component shown for /create')
+        } else {
+          // App redirects to permission-denied page
+          cy.url().should('include', 'permission-denied')
+          cy.log('✅ Redirected to permission denied page')
+        }
+      })
+    })
+
+    it('EDIT_ROLE_006: Direct URL to /customers/[id]/edit shows Permission Denied', () => {
+      allure.severity('critical')
+
+      customers.visitList()
+      customers.api.waitForList()
+
+      cy.get('body').then($body => {
+        if ($body.find(customers.selectors.rowGeneric).length > 0) {
+          // Extract customer ID from first row
+          cy.get(customers.selectors.rowGeneric).first()
+            .invoke('attr', 'data-cy')
+            .then((dataCy) => {
+              const customerId = dataCy?.replace(`${customers.entitySlug}-row-`, '')
+
+              if (customerId) {
+                // Try to access edit URL directly
+                cy.visit(`/dashboard/${customers.entitySlug}/${customerId}/edit`)
+
+                // Should show permission denied or redirect
+                cy.get('body').then($body2 => {
+                  if ($body2.find('[data-cy="permission-denied"]').length > 0) {
+                    cy.get('[data-cy="permission-denied"]').should('be.visible')
+                    cy.log('✅ Permission Denied shown for /edit')
+                  } else {
+                    cy.url().should('not.include', '/edit')
+                    cy.log('✅ Redirected away from /edit (no permission)')
+                  }
+                })
+              }
+            })
+        } else {
+          cy.log('⚠️ No customers to test edit URL restriction')
+        }
+      })
+    })
+  })
+
+  describe('Restricted Zones - Access Denied', () => {
+    it('EDIT_ROLE_007: Editor cannot access Superadmin', () => {
+      allure.severity('blocker')
+
+      cy.visit('/superadmin', { failOnStatusCode: false })
+
+      // Should be redirected to dashboard with access_denied error
+      cy.url().should('include', '/dashboard')
+      cy.url().should('include', 'error=access_denied')
+
+      cy.log('✅ Editor correctly blocked from Superadmin')
+    })
+
+    it('EDIT_ROLE_008: Editor cannot access Dev Zone', () => {
+      allure.severity('blocker')
+
+      cy.visit('/devtools', { failOnStatusCode: false })
+
+      // Should be redirected to dashboard with access_denied error
+      cy.url().should('include', '/dashboard')
+      cy.url().should('include', 'error=access_denied')
+
+      cy.log('✅ Editor correctly blocked from Dev Zone')
+    })
+
+    it('EDIT_ROLE_009: Editor UI does not show Superadmin button', () => {
+      allure.severity('critical')
+
+      cy.visit('/dashboard')
+
+      // Superadmin button should NOT exist in toolbar/header for Editor
+      cy.get('[data-cy="sector7-button"]').should('not.exist')
+      cy.get('[data-cy="admin-toolbar"]').should('not.exist')
+
+      cy.log('✅ Superadmin button not visible for Editor')
+    })
+
+    it('EDIT_ROLE_010: Editor UI does not show Dev Zone button', () => {
+      allure.severity('critical')
+
+      cy.visit('/dashboard')
+
+      // Dev Zone button should NOT exist for Editor
+      cy.get('[data-cy="dev-zone-button"]').should('not.exist')
+
+      cy.log('✅ Dev Zone button not visible for Editor')
+    })
+  })
+
+  after(() => {
+    cy.log('✅ Editor role restriction tests completed')
+  })
+})

package/tests/cypress/e2e/uat/roles/member-restrictions.bdd.md

@@ -0,0 +1,450 @@
+# Member Role - Permission Restrictions (Format: BDD/Gherkin - Bilingual)
+
+> **Test File:** `member-restrictions.cy.ts`
+> **Format:** Behavior-Driven Development (BDD) with Given/When/Then
+> **Languages:** English / Spanish (side-by-side)
+> **Total Tests:** 8
+
+---
+
+## Feature: Member Role Permission Restrictions
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+As a **Member**
+I want to **be restricted from unauthorized actions**
+So that **the system enforces proper role-based access control**
+
+**Security Focus:** These tests validate that UI buttons are hidden and direct URL access is blocked for unauthorized operations.
+
+</td>
+<td>
+
+Como **Member**
+Quiero **estar restringido de acciones no autorizadas**
+Para que **el sistema aplique control de acceso basado en roles**
+
+**Enfoque de Seguridad:** Estos tests validan que los botones UI estan ocultos y el acceso directo por URL esta bloqueado para operaciones no autorizadas.
+
+</td>
+</tr>
+</table>
+
+### Background
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Given I am logged in as Member (member@nextspark.dev)
+And the API intercepts are set up
+And the application is running
+```
+
+</td>
+<td>
+
+```gherkin
+Given estoy logueado como Member (member@nextspark.dev)
+And los intercepts de API estan configurados
+And la aplicacion esta corriendo
+```
+
+</td>
+</tr>
+</table>
+
+---
+
+## UI Restrictions - Buttons Hidden/Disabled `@smoke`
+
+### PERM_UI_001: Create Customer button not visible for Member `@smoke`
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Create button is hidden for Member role
+
+Given I am logged in as a Member
+When I navigate to the Customers list page
+And the customer list loads successfully
+Then the "Add" button should NOT exist
+And there should be no way to access the create form
+```
+
+**Security Verification:**
+The create button must be completely absent from the DOM.
+
+</td>
+<td>
+
+```gherkin
+Scenario: Boton crear esta oculto para rol Member
+
+Given estoy logueado como Member
+When navego a la pagina de lista de Clientes
+And la lista de clientes carga exitosamente
+Then el boton "Agregar" NO deberia existir
+And no deberia haber forma de acceder al formulario de creacion
+```
+
+**Verificacion de Seguridad:**
+El boton crear debe estar completamente ausente del DOM.
+
+</td>
+</tr>
+</table>
+
+---
+
+### PERM_UI_002: Delete Customer buttons not visible for Member
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Delete buttons are hidden in list view
+
+Given I am logged in as a Member
+When I navigate to the Customers list page
+And the customer list loads successfully
+And there are customers in the list
+Then delete action buttons should NOT exist in table rows
+```
+
+</td>
+<td>
+
+```gherkin
+Scenario: Botones eliminar estan ocultos en vista de lista
+
+Given estoy logueado como Member
+When navego a la pagina de lista de Clientes
+And la lista de clientes carga exitosamente
+And hay clientes en la lista
+Then los botones de accion eliminar NO deberian existir en las filas
+```
+
+</td>
+</tr>
+</table>
+
+---
+
+### PERM_UI_003: Edit Customer buttons not visible for Member
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Edit buttons are hidden in list view
+
+Given I am logged in as a Member
+When I navigate to the Customers list page
+And the customer list loads successfully
+And there are customers in the list
+Then edit action buttons should NOT exist in table rows
+```
+
+**Note:** Based on real system behavior, Member CANNOT edit customers.
+
+</td>
+<td>
+
+```gherkin
+Scenario: Botones editar estan ocultos en vista de lista
+
+Given estoy logueado como Member
+When navego a la pagina de lista de Clientes
+And la lista de clientes carga exitosamente
+And hay clientes en la lista
+Then los botones de accion editar NO deberian existir en las filas
+```
+
+**Nota:** Basado en el comportamiento real del sistema, Member NO puede editar clientes.
+
+</td>
+</tr>
+</table>
+
+---
+
+## URL Access Restrictions - Permission Denied Component
+
+### PERM_URL_001: Direct URL to /customers/create shows Permission Denied
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Direct URL access to create is blocked
+
+Given I am logged in as a Member
+When I navigate directly to /dashboard/customers/create
+Then I should see a "Permission Denied" component
+Or I should be redirected to a permission-denied page
+```
+
+**Verification:**
+Either `[data-cy="permission-denied"]` is visible or URL contains "permission-denied".
+
+</td>
+<td>
+
+```gherkin
+Scenario: Acceso directo por URL a crear esta bloqueado
+
+Given estoy logueado como Member
+When navego directamente a /dashboard/customers/create
+Then deberia ver un componente de "Permiso Denegado"
+Or deberia ser redirigido a una pagina de permiso-denegado
+```
+
+**Verificacion:**
+O bien `[data-cy="permission-denied"]` es visible o la URL contiene "permission-denied".
+
+</td>
+</tr>
+</table>
+
+---
+
+### PERM_URL_002: Delete button not visible on customer detail for Member
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Delete button hidden on detail page
+
+Given I am logged in as a Member
+And there is at least one customer in the list
+When I click on a customer row to view details
+Then I should navigate to the customer detail page
+And the "Delete" button should NOT exist
+```
+
+**Note:** The /delete URL route doesn't exist - delete is done from detail page.
+
+</td>
+<td>
+
+```gherkin
+Scenario: Boton eliminar oculto en pagina de detalle
+
+Given estoy logueado como Member
+And existe al menos un cliente en la lista
+When hago clic en una fila de cliente para ver detalles
+Then deberia navegar a la pagina de detalle del cliente
+And el boton "Eliminar" NO deberia existir
+```
+
+**Nota:** La ruta URL /delete no existe - eliminar se hace desde la pagina de detalle.
+
+</td>
+</tr>
+</table>
+
+---
+
+### PERM_URL_003: Direct URL to /customers/[id]/edit shows Permission Denied
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Direct URL access to edit is blocked
+
+Given I am logged in as a Member
+And there is at least one customer in the list
+When I extract a customer ID from the list
+And I navigate directly to /dashboard/customers/{id}/edit
+Then I should see a "Permission Denied" component
+Or I should be redirected away from /edit
+```
+
+</td>
+<td>
+
+```gherkin
+Scenario: Acceso directo por URL a editar esta bloqueado
+
+Given estoy logueado como Member
+And existe al menos un cliente en la lista
+When extraigo un ID de cliente de la lista
+And navego directamente a /dashboard/customers/{id}/edit
+Then deberia ver un componente de "Permiso Denegado"
+Or deberia ser redirigido fuera de /edit
+```
+
+</td>
+</tr>
+</table>
+
+---
+
+### PERM_URL_004: Direct URL to /tasks routes is ALLOWED for Member
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Tasks routes are accessible for Member
+
+Given I am logged in as a Member
+When I navigate directly to /dashboard/tasks/create
+Then I should NOT see a "Permission Denied" component
+And the task creation form should be visible
+```
+
+**Note:** Member has full CRUD access to Tasks entity.
+
+</td>
+<td>
+
+```gherkin
+Scenario: Rutas de tareas son accesibles para Member
+
+Given estoy logueado como Member
+When navego directamente a /dashboard/tasks/create
+Then NO deberia ver un componente de "Permiso Denegado"
+And el formulario de creacion de tareas deberia estar visible
+```
+
+**Nota:** Member tiene acceso CRUD completo a la entidad Tasks.
+
+</td>
+</tr>
+</table>
+
+---
+
+## Permission Messages - User Feedback
+
+### PERM_MSG_001: Permission denied message is user-friendly
+
+<table>
+<tr>
+<th width="50%">English</th>
+<th width="50%">Español</th>
+</tr>
+<tr>
+<td>
+
+```gherkin
+Scenario: Permission denied shows user-friendly message
+
+Given I am logged in as a Member
+When I navigate directly to /dashboard/customers/create
+Then I should see a permission denied indication
+And the message should contain "permission", "access", or "not allowed"
+And the message should be user-friendly (not technical error)
+```
+
+</td>
+<td>
+
+```gherkin
+Scenario: Permiso denegado muestra mensaje amigable
+
+Given estoy logueado como Member
+When navego directamente a /dashboard/customers/create
+Then deberia ver una indicacion de permiso denegado
+And el mensaje deberia contener "permiso", "acceso", o "no permitido"
+And el mensaje deberia ser amigable (no error tecnico)
+```
+
+</td>
+</tr>
+</table>
+
+---
+
+## Permission Matrix / Matriz de Permisos
+
+| Entity / Entidad | Operation / Operación | Member | Owner | Admin |
+|------------------|----------------------|:------:|:-----:|:-----:|
+| **Customers** | CREATE | **No** | Yes | Yes |
+| **Customers** | READ | Yes | Yes | Yes |
+| **Customers** | UPDATE | **No** | Yes | Yes |
+| **Customers** | DELETE | **No** | Yes | Yes |
+| **Tasks** | CREATE | Yes | Yes | Yes |
+| **Tasks** | READ | Yes | Yes | Yes |
+| **Tasks** | UPDATE | Yes | Yes | Yes |
+| **Tasks** | DELETE | **No** | Yes | Yes |
+
+---
+
+## UI Elements / Elementos UI
+
+### Permission Components
+
+| Element | Selector | Description / Descripción |
+|---------|----------|---------------------------|
+| Permission Denied | `[data-cy="permission-denied"]` | Permission denied component |
+| Add Button | `[data-cy="customers-add"]` | Create button (should not exist) |
+| Delete Button | `[data-cy="customers-delete-btn"]` | Delete button on detail |
+| Edit Button | `[data-cy="customers-edit-btn"]` | Edit button on detail |
+| Row Actions | `[data-cy^="customers-row-action-"]` | Row action buttons |
+
+---
+
+## Summary / Resumen
+
+| Test ID | Block | Description / Descripción | Tags |
+|---------|-------|---------------------------|------|
+| PERM_UI_001 | UI Restrictions | Create button hidden | `@smoke` |
+| PERM_UI_002 | UI Restrictions | Delete buttons hidden | |
+| PERM_UI_003 | UI Restrictions | Edit buttons hidden | |
+| PERM_URL_001 | URL Access | /create blocked | |
+| PERM_URL_002 | URL Access | Delete hidden on detail | |
+| PERM_URL_003 | URL Access | /edit blocked | |
+| PERM_URL_004 | URL Access | /tasks allowed | |
+| PERM_MSG_001 | Messages | User-friendly message | |