# Permission Verification Matrix & UI Testing Plan (103 Actions)

This document outlines the strategy for verifying the full role-based access control (RBAC) system, covering all **103 UserActions** across all established **UserTypes**.

## 🚀 Requirement Definition

Verify that every action defined in `App\Enums\UserActions` is correctly integrated into the permission system, and that the UI correctly handles these permissions for each user role (`ULTIMATE`, `SUPER_OPERATOR`, `OPERATOR`, `RIDER`, `POS_TERMINAL`, etc.). Hiding a button or tab is a usability measure, not a security control: every action must also be enforced on the server, regardless of what the UI shows.

## 🏗️ Technical Approach

### 1. Grouped Matrix (Reference)

| Action Group | ULTIMATE | SUPER_OPERATOR | OPERATOR | RIDER | POS_TERMINAL | USER |
| :--- | :---: | :---: | :---: | :---: | :---: | :---: |
| **All Actions** (103) | ✅ | Grouped | Grouped | Focused | Focused | Limited |

### 2. User Creation Strategy

To test systematically, we need a stable user for each role:

- All test users use the password `123123`
- Existing Ultimate account: `777`

These credentials are test fixtures only; they must not appear in production seeders or in any environment reachable from outside the test setup.

### 3. Verification Methodology

- **UI Element Presence**: Check whether the buttons/tabs corresponding to each action are visible for the role under test, and absent for roles that lack the action.
- **Route Guarding**: Verify direct URL access (e.g., navigating to `/ultimate-console` by typing the address) is refused for unauthorized roles, not merely hidden from their navigation.
- **API Guarding**: Verify that the backend returns `401` for unauthenticated requests and `403` when an authenticated user type lacks the action. Hit each endpoint with every role, including roles for which the UI hides the corresponding element, since the UI check cannot be relied on.
- **Dropdown Filtering**: Specifically for `UserActions::CreateUser`, verify that the role dropdown is filtered correctly for the creating role, and that the server rejects a role value that the dropdown would not have offered (a modified request must not be able to create a higher-privileged user).

## 📦 Key Affected Files

- `App\Enums\UserActions`: Definition of all 103 actions.
- `App\Http\Controllers\Helpers\Permissions\UserPermissions`: RBAC logic and role assignment.
- `App\Http\Controllers\Support\VueRouteMap`: Page-level route protection.
- `resources/js/Pages/CreateUser.vue`: UI for role selection during user creation.
- `resources/js/Pages/Fragments/Home/HomeUltimate.vue`: Dashboard visibility logic.

## 🧪 Validation Criteria

- **Ultimate**: 100% action availability.
- **Super Operator**: Full management except system-level `ULTIMATE` actions.
- **Operator**: Operational management only.
- **Specialized Roles**: Access limited strictly to their functional domain.
- **Public**: Minimal read-only access (Marketplace only).