Admin Panel

Role permissions

Non-admins receive a 403-style empty state on /admin; the route does not even render the data shell.

User story

As a non-admin, I should not see the admin shell or receive admin payloads; the route should reject me cleanly.

Acceptance criteria

  • Non-admins see an 'Insufficient role' state
  • No admin API calls are made for non-admins
  • Admin nav link is hidden for non-admins
  • Server enforces RBAC on /api/admin/* independently of the client: a non-admin session gets 403, never 200

Manual test steps

  1. Sign in as a non-admin
  2. Open /admin
  3. Inspect the network tab for admin calls

Expected result

Insufficient role copy is visible; no /api/admin/* requests fire.

Possible bug risks

  • Client gates the UI but the server still returns 200 on /api/admin/* for a non-admin session (call the API directly, not just through the UI, to catch this)
  • Admin link is only hidden via CSS, so it is still in the DOM and the route stays reachable by typing the URL
  • Refresh on /admin briefly flashes the data shell before the session role is resolved
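The checks behind the acceptance criteria, manual steps and risks above, as an added TypeScript example (not the page's or the lab's own code): a matcher for captured request URLs so the spec can prove no /api/admin/* call fired, the server-side gate that decides 401/403/200 regardless of what the client rendered, and the client view mapping that avoids the refresh flash by never rendering the shell while the session is unresolved. The session shape, the role names 'admin' and 'user', the 'insufficient_role' error string, and the assumption that every admin API route lives under /api/admin/ on https://lab.hakdogan.com are assumptions made for this example.

```typescript
// Added example: helper logic for the role-permissions checks. Not the page's
// or the lab's own code. Session shape, role names, the 'insufficient_role'
// string and the /api/admin prefix are assumptions made for the example.

type Role = 'admin' | 'user';
interface Session { userId: string; role: Role }

const ADMIN_API_PREFIX = '/api/admin';

// True when a request path targets the admin API. Compared on the normalized
// pathname only (query string and host ignored) and case-insensitively,
// because frameworks such as Express route case-insensitively by default, so
// /API/Admin/users can reach the same handler as /api/admin/users.
function isAdminApiPath(pathname: string): boolean {
  const p = pathname.toLowerCase();
  return p === ADMIN_API_PREFIX || p.startsWith(ADMIN_API_PREFIX + '/');
}

// Filters URLs captured with page.on('request', r => seen.push(r.url())) down
// to admin API hits, so the spec can assert the result is empty. Relative
// URLs resolve against the lab origin; dot segments are normalized by the URL
// parser, so '/api/admin/../users' is correctly not a hit. Anything that fails
// to parse is kept as a hit: an unreadable URL should fail the test, not be
// silently dropped.
function adminApiCalls(urls: string[], origin = 'https://lab.hakdogan.com'): string[] {
  return urls.filter((u) => {
    try {
      return isAdminApiPath(new URL(u, origin).pathname);
    } catch {
      return true;
    }
  });
}

// The server-side control. Runs for the /admin page route and for every
// /api/admin/* handler no matter what the client shows: the hidden nav link
// and the client-side empty state are UX, not authorization.
interface Decision { status: 200 | 401 | 403; body: { error?: string } }

function authorize(session: Session | null, pathname: string): Decision {
  const protectedRoute = pathname.toLowerCase() === '/admin' || isAdminApiPath(pathname);
  if (!protectedRoute) return { status: 200, body: {} };
  if (!session) return { status: 401, body: { error: 'unauthenticated' } };
  if (session.role !== 'admin') return { status: 403, body: { error: 'insufficient_role' } };
  return { status: 200, body: {} };
}

// What the client renders on /admin. On a hard refresh the session starts out
// unresolved (undefined); rendering the data shell in that window is the
// "flash" risk above, so unresolved maps to a neutral placeholder and the
// shell appears only once the role is known to be admin.
type AdminView = 'loading' | 'insufficient-role' | 'admin-shell';

function adminView(session: Session | null | undefined): AdminView {
  if (session === undefined) return 'loading';
  if (session === null || session.role !== 'admin') return 'insufficient-role';
  return 'admin-shell';
}
```

To use the matcher from the spec, register `page.on('request', r => seen.push(r.url()))` before navigating to /admin and finish with `expect(adminApiCalls(seen)).toEqual([])`; to cover the "server returns 200" risk, also call any /api/admin/* endpoint the app exposes directly with `page.request.get(...)` while signed in as the non-admin and assert the response `status()` is 403, since a passing UI check alone says nothing about the API.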

Reference Playwright spec

role-permissions.spec.ts
import { test, expect } from '@playwright/test';

test('non-admin rejected from admin route @smoke', async ({ page }) => {
  // The demo account is assumed to be a non-admin user.
  await page.goto('https://lab.hakdogan.com/login');
  await page.getByRole('button', { name: /use demo account/i }).click();
  await page.getByRole('button', { name: /sign in/i }).click();

  // Navigate straight to the admin route (the nav link is hidden for this role)
  // and check that the rejection state, not the data shell, is what renders.
  await page.goto('https://lab.hakdogan.com/admin');
  await expect(page.getByText(/insufficient role/i)).toBeVisible();
});