E2E Role-Based Testing Skill
Overview
This skill executes comprehensive role-based E2E testing using Playwright MCP. It tests all pages and flows for each user role, verifying proper access control and role-specific functionality.
Standard Test Plan Location
Plan file: tests/e2e-test-plan.md
This skill reads role definitions and test credentials from the test plan at tests/e2e-test-plan.md. If the plan file doesn't exist, the calling command should invoke the test-plan skill first to generate it.
Purpose
Ensure that:
- Each user role can access appropriate resources
- Unauthorized access is properly blocked
- Role-specific features work correctly
- Cross-role security is maintained
Workflow
Step 0: Test Plan Verification (REQUIRED FIRST)
CRITICAL: Before testing roles, verify the test plan exists.
Check for Test Plan
- Look for tests/e2e-test-plan.md
- If the file exists, read the "User Roles" and "Test Credentials" sections
- If the file does NOT exist, STOP and report that the plan must be generated first
Read Role Information from Plan
- Extract role names and descriptions
- Extract test credentials for each role
- Extract the role-resource access matrix
- Use this information for testing
Step 1: Prepare Role Testing
Identify All Roles
- List all user roles in the system
- Note the role hierarchy
- Map permissions per role
Prepare Test Users
- Identify login credentials for each role
- Ensure test users exist
- Note any role-switching mechanisms
Map Role-Resource Matrix
| Resource | Guest | User | Admin |
|---|---|---|---|
| /home | Yes | Yes | Yes |
| /dashboard | No | Yes | Yes |
| /admin | No | No | Yes |
Step 2: Guest Role Testing
Test unauthenticated access:
Public Pages
- browser_navigate to each public page
- browser_snapshot to verify content
- Confirm: Page loads correctly
Protected Page Blocking
- browser_navigate to protected page
- browser_snapshot to check result
- Confirm: Redirect to login OR 403 page
Guest-Specific Features
- Test: Registration form accessible
- Test: Login form accessible
- Test: Password reset accessible
Step 3: Authenticated Role Testing
For EACH authenticated role:
Login as Role
```text
browser_navigate to /login
browser_fill_form with role credentials:
  fields: [
    { name: "Email", type: "textbox", ref: "[email-input-ref]", value: "role@example.com" },
    { name: "Password", type: "textbox", ref: "[password-input-ref]", value: "password" }
  ]
browser_click on submit button
browser_wait_for dashboard or success indicator
browser_snapshot to verify logged in
```
Test Accessible Pages
For each page this role SHOULD access:
- browser_navigate to page URL
- browser_snapshot
- browser_console_messages to check for errors
- Verify: Page content loads correctly
- Verify: Role-specific elements present
Test Blocked Pages
For each page this role should NOT access:
- browser_navigate to page URL
- browser_snapshot
- Verify: 403 error OR redirect occurs
- Verify: No unauthorized data exposed (a denial banner on top of a page that still rendered the protected content is a failure)
Test Role-Specific Actions
For each action this role can perform:
- Navigate to action page
- Perform the action
- Verify success

For each action this role CANNOT perform:
- Attempt the action
- Verify it's blocked
Logout
- browser_click logout button
- browser_wait_for login page
- browser_snapshot to confirm logged out
Step 4: Role-Specific Flow Testing
User Role Flows
User Role Tests
Profile Management
- Navigate to /profile
- Verify can view own profile
- Edit profile information
- Save changes
- Verify changes persisted
Data Access
- Navigate to /my-data
- Verify can see own data only
- Cannot see other users' data
- Can create new data
- Can edit own data
- Can delete own data
Restricted Areas
- Cannot access /admin
- Cannot access /admin/users
- Cannot modify other users
Admin Role Flows
Admin Role Tests
User Management
- Navigate to /admin/users
- View all users list
- Create new user
- Edit existing user
- Delete user (not self)
- Change user roles
System Settings
- Access settings page
- Modify configurations
- Save changes
- Verify persistence
Admin-Only Features
- Access reports
- View audit logs
- Manage permissions
Step 5: Cross-Role Security Tests
Session Hijacking Prevention
- Login as User A
- Copy session info
- Try to access User B data
- Verify: Access denied
Privilege Escalation Prevention
- Login as regular user
- Attempt admin actions directly
- Verify: Actions blocked
IDOR Testing
- Login as User A
- Note resource ID
- Try accessing other user's resource by ID
- Verify: Access denied or own data shown
Test Patterns
Role Login Pattern
```javascript
// Using Playwright MCP tools (tool calls are asynchronous, so await each one)
async function loginAsRole(role, credentials) {
  // Navigate to login
  await browser_navigate({ url: "/login" });

  // Fill login form with the credentials taken from the test plan for this role
  await browser_fill_form({
    fields: [
      { name: "Email", type: "textbox", ref: "[email-ref]", value: credentials.email },
      { name: "Password", type: "textbox", ref: "[password-ref]", value: credentials.password }
    ]
  });

  // Submit
  await browser_click({ element: "Login button", ref: "[submit-ref]" });

  // Wait for dashboard
  await browser_wait_for({ text: "Dashboard" });

  // Verify: snapshot should show the logged-in state for `role`
  await browser_snapshot();
}
```
Access Verification Pattern
```javascript
// Minimal assertion helper: fail the test when the condition is false
const verify = (condition, message = "verification failed") => {
  if (!condition) throw new Error(message);
};

async function verifyAccess(url, shouldHaveAccess, expectedContent) {
  await browser_navigate({ url });
  const snapshot = await browser_snapshot();
  const currentUrl = snapshot.url; // URL the browser landed on after any redirect

  if (shouldHaveAccess) {
    // Should see page content
    verify(snapshot.contains(expectedContent), `${url}: expected content not found`);
  } else {
    // Should see 403 or redirect
    verify(snapshot.contains("Access Denied") || currentUrl === "/login", `${url}: access was NOT blocked`);
  }
}
```
Role Matrix Test Pattern
```javascript
const roleMatrix = {
  guest: {
    canAccess: ["/", "/about", "/login", "/register"],
    cannotAccess: ["/dashboard", "/profile", "/admin"]
  },
  user: {
    canAccess: ["/", "/about", "/dashboard", "/profile"],
    cannotAccess: ["/admin", "/admin/users"]
  },
  admin: {
    canAccess: ["/", "/about", "/dashboard", "/profile", "/admin", "/admin/users"],
    cannotAccess: []
  }
};

// `credentials` and `expectedContent` are read from the test plan;
// guest is unauthenticated, so it has no login or logout step.
for (const [role, permissions] of Object.entries(roleMatrix)) {
  if (role !== "guest") await loginAsRole(role, credentials[role]);

  for (const url of permissions.canAccess) {
    await verifyAccess(url, true, expectedContent[url]);
  }

  for (const url of permissions.cannotAccess) {
    await verifyAccess(url, false);
  }

  // Clean session before the next role
  if (role !== "guest") await logout();
}
```
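The matrix loop above only records pass or fail per URL. As an added example (not part of this skill), the evaluator below scores observed outcomes against the matrix so that "should be blocked but loaded" and "blocked page still rendered the protected data" are reported as security failures, separate from functional failures on pages the role should reach. The observations are constructed sample data standing in for browser_snapshot results; the marker strings and severity labels are assumptions.

```javascript
// Added example, not the skill's own code. Observations are constructed.
const ROLE_MATRIX = {
  guest: { canAccess: ["/"], cannotAccess: ["/dashboard", "/admin"] },
  user: { canAccess: ["/", "/dashboard"], cannotAccess: ["/admin"] },
  admin: { canAccess: ["/", "/dashboard", "/admin"], cannotAccess: [] },
};
// Strings that only appear when protected content was actually rendered (assumed).
const DATA_MARKERS = { "/admin": ["All users"], "/dashboard": ["Welcome back"] };
// Strings that indicate a denial page (assumed).
const DENY_MARKERS = ["Access Denied", "403"];

// Classify what the browser ended up showing for one (role, url) pair.
// A denial page or login redirect whose body still contains protected
// content is a "leak": the UI said no but the data was served anyway.
function classifyOutcome(obs, dataMarkers) {
  const text = obs.bodyText || "";
  const leaked = dataMarkers.some((m) => text.includes(m));
  if (obs.finalUrl.startsWith("/login")) return leaked ? "leak" : "redirected";
  if (obs.status === 403 || DENY_MARKERS.some((m) => text.includes(m))) {
    return leaked ? "leak" : "denied";
  }
  return obs.status >= 200 && obs.status < 300 ? "allowed" : "error";
}

// Compare every expectation in the matrix with what was observed.
function evaluateMatrix(matrix, observations) {
  const findings = [];
  for (const [role, perms] of Object.entries(matrix)) {
    const check = (url, expectAllowed) => {
      const outcome = classifyOutcome(observations[role][url], DATA_MARKERS[url] || []);
      const ok = expectAllowed
        ? outcome === "allowed"
        : outcome === "denied" || outcome === "redirected";
      if (ok) return;
      const exposed = outcome === "allowed" || outcome === "leak";
      const severity = !expectAllowed && exposed ? "security" : "functional";
      findings.push({ role, url, outcome, severity });
    };
    perms.canAccess.forEach((url) => check(url, true));
    perms.cannotAccess.forEach((url) => check(url, false));
  }
  return findings;
}

// Constructed sample run: user reaches /admin behind a "403" banner that still
// rendered the user list (leak); admin's dashboard returned a server error.
const SAMPLE_OBSERVATIONS = {
  guest: { "/": { status: 200, finalUrl: "/", bodyText: "Home" },
    "/dashboard": { status: 200, finalUrl: "/login?next=/dashboard", bodyText: "Sign in" },
    "/admin": { status: 200, finalUrl: "/login?next=/admin", bodyText: "Sign in" } },
  user: { "/": { status: 200, finalUrl: "/", bodyText: "Home" },
    "/dashboard": { status: 200, finalUrl: "/dashboard", bodyText: "Welcome back" },
    "/admin": { status: 200, finalUrl: "/admin", bodyText: "403 Access Denied. All users: alice, bob" } },
  admin: { "/": { status: 200, finalUrl: "/", bodyText: "Home" },
    "/dashboard": { status: 500, finalUrl: "/dashboard", bodyText: "Internal error" },
    "/admin": { status: 200, finalUrl: "/admin", bodyText: "All users: alice, bob" } },
};
function runSample() { return evaluateMatrix(ROLE_MATRIX, SAMPLE_OBSERVATIONS); }
```

Findings tagged "security" are the ones to report under Step 5; "functional" findings belong with the per-role page results.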
Output Format
Role Test Results
Role-Based Test Results
Guest Role
Accessible Pages
- Home (/) - Passed
- About (/about) - Passed
- Login (/login) - Passed
- Register (/register) - Passed
Blocked Pages
- Dashboard (/dashboard) - Correctly redirects to /login
- Profile (/profile) - Correctly redirects to /login
- Admin (/admin) - Correctly redirects to /login
User Role (test@example.com)
Login
- Can login successfully
- Redirected to dashboard
Accessible Pages
- Dashboard (/dashboard) - Passed
- Profile (/profile) - Passed
- Settings (/settings) - Passed
Blocked Pages
- Admin (/admin) - Correctly shows 403
- User Management (/admin/users) - Correctly shows 403
Role-Specific Actions
- Can edit own profile
- Can view own data
- Cannot view other users' data
- Cannot access admin features
Logout
- Logout successful
Admin Role (admin@example.com)
Login
- Can login successfully
- Redirected to admin dashboard
Full Access
- All pages accessible
- Can manage users
- Can access settings
- Can view reports
Admin Actions
- Can create users
- Can edit users
- Can delete users
- Can change roles
Security Tests
- Session isolation verified
- No privilege escalation possible
- IDOR protection verified
Summary
| Role | Pages Tested | Passed | Failed |
|---|---|---|---|
| Guest | 7 | 7 | 0 |
| User | 10 | 10 | 0 |
| Admin | 15 | 15 | 0 |
Total: 32 tests, 32 passed, 0 failed
Best Practices
- Test Every Role - Never skip a role
- Test Both Access and Denial - Verify can AND cannot access
- Clean Session Between Roles - Logout before testing next role
- Document Credentials - Keep test credentials in the plan
- Check Console Errors - Look for JavaScript errors on each page
- Verify Visual Elements - Use snapshots to verify content
- Test Edge Cases - Empty states, large data, etc.