Execute comprehensive role-based E2E testing with Playwright, testing all user flows for each role
Executes comprehensive role-based E2E testing with Playwright, testing all user flows for each role. It triggers when you need to verify access control and role-specific functionality, requiring the test plan at `tests/e2e-test-plan.md` to exist first.
```
/plugin marketplace add mwguerra/claude-code-plugins
/plugin install e2e-test-specialist@mwguerra-marketplace
```
This skill inherits all available tools. When active, it can use any tool Claude has access to.
This skill executes comprehensive role-based E2E testing using Playwright MCP. It tests all pages and flows for each user role, verifying proper access control and role-specific functionality.
Plan file: tests/e2e-test-plan.md
This skill reads role definitions and test credentials from the test plan at tests/e2e-test-plan.md. If the plan file doesn't exist, the calling command should invoke the e2e-test-plan skill first to generate it.
CRITICAL: Before testing roles, ensure that the test plan exists.
### Check for Test Plan
Read `tests/e2e-test-plan.md`.
### Read Role Information from Plan
### Identify All Roles
### Prepare Test Users
### Map Role-Resource Matrix
| Resource | Guest | User | Admin |
|----------|-------|------|-------|
| /home | Yes | Yes | Yes |
| /dashboard | No | Yes | Yes |
| /admin | No | No | Yes |
Test unauthenticated access:
### Public Pages
- `browser_navigate` to each public page
- `browser_snapshot` to verify content
- Confirm: Page loads correctly
### Protected Page Blocking
- `browser_navigate` to protected page
- `browser_snapshot` to check result
- Confirm: Redirect to login OR 403 page
### Guest-Specific Features
- Test: Registration form accessible
- Test: Login form accessible
- Test: Password reset accessible
For EACH authenticated role:
### Login as Role
- `browser_navigate` to /login
- `browser_fill_form` with role credentials:

```yaml
- fields: [
    { name: "Email", type: "textbox", ref: "[email-input-ref]", value: "role@example.com" },
    { name: "Password", type: "textbox", ref: "[password-input-ref]", value: "password" }
  ]
```

- `browser_click` on submit button
- `browser_wait_for` dashboard or success indicator
- `browser_snapshot` to verify logged in
### Test Accessible Pages
For each page this role SHOULD access:
- `browser_navigate` to page URL
- `browser_snapshot`
- `browser_console_messages` to check for errors
- Verify: Page content loads correctly
- Verify: Role-specific elements present
### Test Blocked Pages
For each page this role should NOT access:
- `browser_navigate` to page URL
- `browser_snapshot`
- Verify: 403 error OR redirect occurs
- Verify: No unauthorized data exposed
### Test Role-Specific Actions
For each action this role can perform:
- Navigate to action page
- Perform the action
- Verify success

For each action this role CANNOT perform:
- Attempt the action
- Verify it's blocked
### Logout
- `browser_click` logout button
- `browser_wait_for` login page
- `browser_snapshot` to confirm logged out
## User Role Tests
### Profile Management
1. Navigate to /profile
2. Verify can view own profile
3. Edit profile information
4. Save changes
5. Verify changes persisted
### Data Access
1. Navigate to /my-data
2. Verify can see own data only
3. Cannot see other users' data
4. Can create new data
5. Can edit own data
6. Can delete own data
### Restricted Areas
1. Cannot access /admin
2. Cannot access /admin/users
3. Cannot modify other users
## Admin Role Tests
### User Management
1. Navigate to /admin/users
2. View all users list
3. Create new user
4. Edit existing user
5. Delete user (not self)
6. Change user roles
### System Settings
1. Access settings page
2. Modify configurations
3. Save changes
4. Verify persistence
### Admin-Only Features
1. Access reports
2. View audit logs
3. Manage permissions
### Session Hijacking Prevention
- Login as User A
- Copy session info
- Try to access User B data
- Verify: Access denied
### Privilege Escalation Prevention
- Login as regular user
- Attempt admin actions directly
- Verify: Actions blocked
### IDOR Testing
- Login as User A
- Note resource ID
- Try accessing other user's resource by ID
- Verify: Access denied or own data shown
```javascript
// Pseudocode using Playwright MCP tools: the browser_* calls are MCP tool
// invocations written as functions; currentUrl stands for the page URL the
// snapshot reports after any redirect.
function verify(condition, message) {
  if (!condition) throw new Error(`Verification failed: ${message}`);
}

async function loginAsRole(role, credentials) {
  // Navigate to login
  await browser_navigate({ url: "/login" });
  // Fill login form with this role's credentials from the test plan
  await browser_fill_form({
    fields: [
      { name: "Email", type: "textbox", ref: "[email-ref]", value: credentials.email },
      { name: "Password", type: "textbox", ref: "[password-ref]", value: credentials.password }
    ]
  });
  // Submit
  await browser_click({ element: "Login button", ref: "[submit-ref]" });
  // Wait for dashboard
  await browser_wait_for({ text: "Dashboard" });
  // Verify the logged-in state
  const snapshot = await browser_snapshot();
  verify(snapshot.includes("Dashboard"), `${role} login should land on the dashboard`);
}

async function logout() {
  await browser_click({ element: "Logout button", ref: "[logout-ref]" });
  await browser_wait_for({ text: "Login" });
  await browser_snapshot();
}

async function verifyAccess(url, shouldHaveAccess, expectedContent = null) {
  await browser_navigate({ url });
  const snapshot = await browser_snapshot();
  if (shouldHaveAccess) {
    // Should stay on the page and see its content (expectedContent when given)
    verify(currentUrl === url && !snapshot.includes("Access Denied"), `${url} should be reachable`);
    if (expectedContent) verify(snapshot.includes(expectedContent), `${url} should show ${expectedContent}`);
  } else {
    // Should see 403 or be redirected to login
    verify(snapshot.includes("Access Denied") || currentUrl === "/login", `${url} should be blocked`);
  }
}

const roleMatrix = {
  guest: {
    credentials: null, // unauthenticated: no login or logout step
    canAccess: ["/", "/about", "/login", "/register"],
    cannotAccess: ["/dashboard", "/profile", "/admin"]
  },
  user: {
    credentials: { email: "test@example.com", password: "password" },
    canAccess: ["/", "/about", "/dashboard", "/profile"],
    cannotAccess: ["/admin", "/admin/users"]
  },
  admin: {
    credentials: { email: "admin@example.com", password: "password" },
    canAccess: ["/", "/about", "/dashboard", "/profile", "/admin", "/admin/users"],
    cannotAccess: []
  }
};

async function runRoleMatrix() {
  for (const [role, permissions] of Object.entries(roleMatrix)) {
    if (permissions.credentials) await loginAsRole(role, permissions.credentials);
    for (const url of permissions.canAccess) {
      await verifyAccess(url, true);
    }
    for (const url of permissions.cannotAccess) {
      await verifyAccess(url, false);
    }
    if (permissions.credentials) await logout();
  }
}
```
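As an added example (not part of the skill's own code), the matrix check above carried through as a pure evaluator that can run without a browser: given the role-resource matrix and the observed outcome of each navigation (status, final path, visible text, console error count), it classifies every case as a pass, an allowed-page failure, a blocked-page failure where content was served anyway, or a data leak on a blocked page, and rolls the results into the per-role counts the Summary table reports. The observations are constructed sample data and the `SENSITIVE_MARKERS` list is an assumption.

```javascript
// Added example: evaluate role-matrix results offline. An observation is what one
// browser_navigate + browser_snapshot yields: status, final path, visible text, console error count.
const roleMatrix = {
  guest: { canAccess: ["/", "/login"], cannotAccess: ["/dashboard", "/admin"] },
  user:  { canAccess: ["/", "/dashboard"], cannotAccess: ["/admin"] },
  admin: { canAccess: ["/", "/dashboard", "/admin"], cannotAccess: [] },
};
// Text that must never appear on a page a role may not see (assumption for the sample app).
const SENSITIVE_MARKERS = ["User Management", "Audit Log"];
// Classify one observation against what the matrix says the role may do on `path`.
function classify(path, shouldHaveAccess, obs) {
  const redirectedToLogin = obs.finalPath === "/login" && path !== "/login";
  const blocked = obs.status === 403 || redirectedToLogin || obs.text.includes("Access Denied");
  if (shouldHaveAccess) {
    if (blocked || obs.status >= 400) return { result: "fail", reason: "allowed page not reachable" };
    if ((obs.consoleErrors ?? 0) > 0) return { result: "fail", reason: "console errors on page" };
    return { result: "pass" };
  }
  if (!blocked) return { result: "fail", reason: "blocked page served content (escalation)" };
  if (SENSITIVE_MARKERS.some((m) => obs.text.includes(m))) return { result: "fail", reason: "unauthorized data exposed on blocked page" };
  return { result: "pass" };
}
// Walk every (role, path) pair in the matrix; observations is { role: { path: obs } }.
// Returns the per-role counts of the Summary table plus each failure's reason.
function evaluate(matrix, observations) {
  const summary = {}, failures = [];
  for (const [role, perms] of Object.entries(matrix)) {
    const row = { tested: 0, passed: 0, failed: 0 };
    const cases = [...perms.canAccess.map((p) => [p, true]), ...perms.cannotAccess.map((p) => [p, false])];
    for (const [path, allowed] of cases) {
      const obs = observations[role]?.[path];
      const v = obs ? classify(path, allowed, obs) : { result: "fail", reason: "no observation recorded" };
      row.tested += 1;
      if (v.result === "pass") row.passed += 1;
      else { row.failed += 1; failures.push({ role, path, reason: v.reason }); }
    }
    summary[role] = row;
  }
  return { summary, failures };
}
// Constructed sample run: every case passes except user -> /admin, which the
// app wrongly rendered with the user-management screen (a blocked-page failure).
const ok = (finalPath, text) => ({ status: 200, finalPath, text, consoleErrors: 0 });
const SAMPLE_OBSERVATIONS = {
  guest: { "/": ok("/", "Home"), "/login": ok("/login", "Login"),
           "/dashboard": ok("/login", "Login"), "/admin": { status: 403, finalPath: "/admin", text: "Access Denied" } },
  user:  { "/": ok("/", "Home"), "/dashboard": ok("/dashboard", "Dashboard"), "/admin": ok("/admin", "User Management") },
  admin: { "/": ok("/", "Home"), "/dashboard": ok("/dashboard", "Dashboard"), "/admin": ok("/admin", "User Management") },
};
function runSample() { return evaluate(roleMatrix, SAMPLE_OBSERVATIONS); }
```

The `failures` list is what a report's Blocked Pages entries should be built from; a single escalation entry fails the run even when every count looks healthy.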
# Role-Based Test Results
## Guest Role
### Accessible Pages
- [x] Home (/) - Passed
- [x] About (/about) - Passed
- [x] Login (/login) - Passed
- [x] Register (/register) - Passed
### Blocked Pages
- [x] Dashboard (/dashboard) - Correctly redirects to /login
- [x] Profile (/profile) - Correctly redirects to /login
- [x] Admin (/admin) - Correctly redirects to /login
## User Role (test@example.com)
### Login
- [x] Can login successfully
- [x] Redirected to dashboard
### Accessible Pages
- [x] Dashboard (/dashboard) - Passed
- [x] Profile (/profile) - Passed
- [x] Settings (/settings) - Passed
### Blocked Pages
- [x] Admin (/admin) - Correctly shows 403
- [x] User Management (/admin/users) - Correctly shows 403
### Role-Specific Actions
- [x] Can edit own profile
- [x] Can view own data
- [x] Cannot view other users' data
- [x] Cannot access admin features
### Logout
- [x] Logout successful
## Admin Role (admin@example.com)
### Login
- [x] Can login successfully
- [x] Redirected to admin dashboard
### Full Access
- [x] All pages accessible
- [x] Can manage users
- [x] Can access settings
- [x] Can view reports
### Admin Actions
- [x] Can create users
- [x] Can edit users
- [x] Can delete users
- [x] Can change roles
## Security Tests
- [x] Session isolation verified
- [x] No privilege escalation possible
- [x] IDOR protection verified
## Summary
| Role | Pages Tested | Passed | Failed |
|------|--------------|--------|--------|
| Guest | 7 | 7 | 0 |
| User | 10 | 10 | 0 |
| Admin | 15 | 15 | 0 |
Total: 32 tests, 32 passed, 0 failed