Skip to content

test(e2e): Add security test for guest status enforcement #911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
timothyfroehlich merged 2 commits into from
Feb 2, 2026
Merged

test(e2e): Add security test for guest status enforcement #911

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
14607cf
test(e2e): Add security test for guest status enforcement
timothyfroehlich Feb 2, 2026
1f0f260
fix(e2e): Navigate to detail page for status verification on mobile
timothyfroehlich Feb 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions e2e/smoke/public-reporting.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@
import { test, expect } from "@playwright/test";
import { cleanupTestEntities } from "../support/cleanup";
import { fillReportForm } from "../support/page-helpers";
import { loginAs } from "../support/actions";
import { TEST_USERS } from "../support/constants";

const PUBLIC_PREFIX = "E2E Public Report";

Expand Down Expand Up @@ -215,4 +217,51 @@ test.describe("Public Issue Reporting", () => {
expect(machineAfterReset).toBe(defaultMachineId);
expect(machineAfterReset).not.toBe(selectedMachineId);
});

test("anonymous issue should have status forced to 'new'", async ({
page,
}, testInfo) => {
// Security test: Verify server-side enforcement of status='new' for anonymous users
// Even if form data were manipulated, the server should force status to 'new'

const issueTitle = `${PUBLIC_PREFIX} Security Test ${Date.now()}`;

// 1. Submit anonymous issue
await page.goto("/report");
await page.getByTestId("machine-select").selectOption({ index: 1 });
await expect(page).toHaveURL(/machine=/);

await fillReportForm(page, {
title: issueTitle,
description: "Testing that status is forced to new for anonymous users.",
includePriority: false,
});

await page.getByRole("button", { name: "Submit Issue Report" }).click();
await expect(page).toHaveURL("/report/success");

// 2. Login as admin to verify the issue
await loginAs(page, testInfo, {
email: TEST_USERS.admin.email,
password: TEST_USERS.admin.password,
});

// 3. Search for the issue we just created
await page.goto("/issues");
await page.getByPlaceholder("Search issues...").fill(issueTitle);
await page.keyboard.press("Enter");
await page.waitForURL((url) => url.searchParams.has("q"));

// 4. Verify the issue appears in search results
const issueRow = page.getByRole("row", { name: new RegExp(issueTitle) });
await expect(issueRow).toBeVisible();

// 5. Click the issue title link to navigate to detail page (status column may be hidden on mobile)
await issueRow.getByTestId("issue-title").click();
await expect(page).toHaveURL(/\/m\/[A-Z0-9]+\/i\/\d+/);

// 6. Verify status badge shows 'New' on the detail page
const statusBadge = page.getByTestId("issue-status-badge");
await expect(statusBadge).toHaveText(/New/i);
});
});
Loading