RFQ Compare scenario evidence

Foreman 8 findings

Foreman is a field/site role that creates orders and views assigned work; covered here via exploratory bug-hunt evidence.

Foreman was covered by an exploratory bug-hunt (live MCP-driven probe of staging), not the scripted Playwright suite. Each card below is a finding (F-FORE-00x), not a test case. The foreman fixture was missing during the hunt, so Office was used as a higher-privilege fallback for foreman-adjacent observations.

F-FORE-001

Foreman fixture account missing in staging seed

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Navigate to /login and submit foreman@staging.example.test with the documented password.
  2. Login submit succeeds visually but the URL never redirects away from /login.
  3. Root cause: the seed-staging script never created the foreman fixture, although the foreman role exists in /api/v1/roles.
  4. Impact: no foreman-scope flow (accept orders, foreman inventory, urgent orders) could be tested.
  5. Fix: seed the foreman fixture and grant the foreman role on the staging tenant (PR #143, auto-seed-on-deploy in PR #147).
  6. CLOSED 2026-05-29 — login now succeeds; /api/v1/users/me returns Frank Foreman, id 9, roleId 3.
F-FORE-002

Login form shows no visible error on rejected credentials

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Attempt to log in with a non-existent account.
  2. Form fields stay populated; no toast, no inline error, no banner is shown.
  3. User gets no signal whether credentials were rejected, the request timed out, or nothing happened.
  4. Expected: an inline "Invalid email or password" error under the form, or a snackbar toast. Keep the message generic (do not say which of email or password was wrong) so the fix does not become an account-enumeration oracle.
  5. Severity P3 (UX) — users may assume the site is broken and retry, adding load and lockout pressure.
F-FORE-003

/pending-approve-orders returns 403 for Office user

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Logged in as Office (fallback for the missing foreman), navigate to /pending-approve-orders.
  2. Observed "You don't have permission to access this page. 403".
  3. The route requires canAcceptOrders; only the foreman role carries that permission, so Office is correctly blocked.
  4. Because the foreman fixture was missing, no role could exercise the "accept orders" flow at all — a total blocker.
  5. CLOSED 2026-05-29 — downstream of F-FORE-001; foreman now has canAcceptOrders and the sidebar link appears (PR #143 + #144 + #147).
F-FORE-004

/due-soon-items returns 403 for Office user

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Logged in as Office, navigate to /due-soon-items.
  2. Observed "You don't have permission to access this page. 403".
  3. The Office sidebar presents this as "Due soon items", yet the route is not reachable by Office.
  4. Expected: either the route should be visible to Office, or the sidebar entry should be hidden for that role.
  5. Severity P3 — likely the same cause as F-FORE-003; needs the foreman fixture to verify the intended owner.
F-FORE-005

Office sidebar exposes admin and logistic links the user cannot use

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Log in as Office and observe the left sidebar.
  2. Sidebar shows links that 403 when clicked: "Pending approved orders", "Due soon items", the "Logistic" group, "Roles and permissions", and "Company".
  3. Same anti-pattern as F-REQ-001: the client-side menu is not driven by the same permission map as server-side RBAC.
  4. Expected: hide any sidebar link whose route returns 403 for the current role. The exposed links are both dead links and a low-grade disclosure of which admin and logistic features exist.
  5. CLOSED 2026-05-29 — foreman sidebar now shows only Projects, Inventory, Suppliers, Orders, and Settings → Profile; no admin items leak (PR #138).
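The pattern F-FORE-003 to F-FORE-005 point at (one permission map that both the server-side route guard and the client sidebar consult), as an added example that is not the project's code. Role names and the canAcceptOrders/canManageRoles flags follow the findings; the other routes, the canManageLogistics and canManageCompany flags, the assignment of /due-soon-items to foreman and the legacy Office menu are assumptions constructed for the example.

```javascript
// Added example, not the project's code: one route -> permission map drives both
// the server-side guard and the client sidebar, so a link is rendered only when
// the same check that protects its route would pass for the current role.
// Role names and canAcceptOrders/canManageRoles come from the findings; the
// remaining routes and flags (canManageLogistics, canManageCompany, /due-soon-items
// being a foreman route) are assumptions for the example.

const ROUTE_PERMISSIONS = {
  '/projects': null,                            // null: any authenticated role
  '/inventory': null,
  '/suppliers': null,
  '/orders': null,
  '/pending-approve-orders': 'canAcceptOrders',
  '/due-soon-items': 'canAcceptOrders',         // assumed owner (F-FORE-004 left it open)
  '/logistic': 'canManageLogistics',            // hypothetical flag
  '/roles': 'canManageRoles',
  '/company': 'canManageCompany',               // hypothetical flag
};

const ROLE_FLAGS = {
  requester: new Set(),
  office: new Set(),
  foreman: new Set(['canAcceptOrders']),
  logistic: new Set(['canManageLogistics']),
  admin: new Set(['canAcceptOrders', 'canManageLogistics', 'canManageRoles', 'canManageCompany']),
};

// Sidebar entries with the labels observed in F-FORE-005.
const SIDEBAR = [
  { label: 'Projects', route: '/projects' },
  { label: 'Inventory', route: '/inventory' },
  { label: 'Suppliers', route: '/suppliers' },
  { label: 'Orders', route: '/orders' },
  { label: 'Pending approved orders', route: '/pending-approve-orders' },
  { label: 'Due soon items', route: '/due-soon-items' },
  { label: 'Logistic', route: '/logistic' },
  { label: 'Roles and permissions', route: '/roles' },
  { label: 'Company', route: '/company' },
];

// The single check. Unknown routes and unknown roles are denied.
function canAccess(role, route) {
  if (!Object.prototype.hasOwnProperty.call(ROUTE_PERMISSIONS, route)) return false;
  const needed = ROUTE_PERMISSIONS[route];
  const flags = ROLE_FLAGS[role];
  if (!flags) return false;
  return needed === null || flags.has(needed);
}

// Server side: the status the route guard answers with.
function routeGuard(role, route) {
  return canAccess(role, route) ? 200 : 403;
}

// Client side, fixed form: render only what the guard admits.
function visibleSidebar(role) {
  return SIDEBAR.filter((item) => canAccess(role, item.route)).map((item) => item.label);
}

// Client side, the anti-pattern: a menu hard-coded per role, independent of the
// guard. This mirrors what the hunt observed for Office (every link present).
const LEGACY_OFFICE_MENU = SIDEBAR.map((item) => item.label);

// Audit helper: which labels in a rendered menu lead to a 403 for this role?
// Running it per role in CI catches the drift F-FORE-005 and F-REQ-001 describe.
function deadLinks(role, renderedLabels) {
  const byLabel = new Map(SIDEBAR.map((item) => [item.label, item.route]));
  return renderedLabels.filter((label) => routeGuard(role, byLabel.get(label)) === 403);
}
```

deadLinks('office', LEGACY_OFFICE_MENU) reproduces the five dead links from step 2 of F-FORE-005, while visibleSidebar('office') yields only Projects, Inventory, Suppliers and Orders; once the menu is derived from the same map as the guard, deadLinks is empty for every role by construction.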
F-FORE-006

Typo in seed role permission string ACCPET_DECLINE_ORDERS

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Logged in as any role, fetch /api/v1/roles and inspect the foreman permissions array.
  2. Observed ACCPET_DECLINE_ORDERS where it should read ACCEPT_DECLINE_ORDERS.
  3. Risk: any code checking permissions.includes('ACCEPT_DECLINE_ORDERS') silently returns false for foreman, and the typo is encoded in production-shaped migrations.
  4. Fix: correct the spelling via an explicit DB migration so existing tenants do not lose the permission.
  5. CLOSED 2026-05-29 — /api/v1/roles now returns the corrected ACCEPT_DECLINE_ORDERS; migration applied (PR #144, stuck migration force-resolved in PR #146).
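Two guards against the class of defect in F-FORE-006, as an added example that is not the project's code or migration: a seed validator that rejects any permission string outside a canonical list (with a nearest-match hint for typos), and an idempotent rename applied to existing role rows so tenants keep the permission under the corrected name rather than losing it. The canonical list, the role and tenant row shapes, and the sample data are constructed for the example.

```javascript
// Added example, not the project's code: catch permission-string typos such as
// ACCPET_DECLINE_ORDERS at seed time, and rename them in place for existing
// tenants instead of dropping and re-adding (which would lose the permission).
// Canonical list, row shapes and sample rows are constructed for this example.

const PERMISSIONS = Object.freeze([
  'ACCEPT_DECLINE_ORDERS',
  'CREATE_ORDERS',
  'VIEW_INVENTORY',
  'MANAGE_ROLES',
]);
const KNOWN = new Set(PERMISSIONS);

// Levenshtein distance, used only to produce a "did you mean" hint.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns one {role, permission, suggestion} per unknown string; empty when clean.
// Wire this into the seed script (or a CI check) so a typo fails loudly instead of
// silently making permissions.includes('ACCEPT_DECLINE_ORDERS') false for a role.
function validateSeed(seedRoles) {
  const problems = [];
  for (const role of seedRoles) {
    for (const p of role.permissions) {
      if (KNOWN.has(p)) continue;
      const ranked = [...KNOWN]
        .map((k) => ({ k, d: editDistance(p, k) }))
        .sort((x, y) => x.d - y.d);
      const best = ranked[0];
      problems.push({ role: role.name, permission: p, suggestion: best.d <= 2 ? best.k : null });
    }
  }
  return problems;
}

// Migration step: rename a permission across all tenants' role rows in place.
// Idempotent: re-running after the rename changes nothing, and a row that already
// carries the new name does not end up with a duplicate. Returns rows changed.
function renamePermission(roleRows, from, to) {
  let changed = 0;
  for (const row of roleRows) {
    if (!row.permissions.includes(from)) continue;
    row.permissions = row.permissions.filter((p) => p !== from);
    if (!row.permissions.includes(to)) row.permissions.push(to);
    changed++;
  }
  return changed;
}

// Constructed sample data: a seed carrying the typo, and per-tenant rows where
// tenant 2 already holds the corrected name alongside the typo.
const SEED_ROLES = [
  { name: 'foreman', permissions: ['ACCPET_DECLINE_ORDERS', 'VIEW_INVENTORY'] },
  { name: 'requester', permissions: ['CREATE_ORDERS'] },
];
const TENANT_ROLE_ROWS = [
  { tenantId: 1, name: 'foreman', permissions: ['ACCPET_DECLINE_ORDERS', 'VIEW_INVENTORY'] },
  { tenantId: 2, name: 'foreman', permissions: ['ACCPET_DECLINE_ORDERS', 'ACCEPT_DECLINE_ORDERS'] },
  { tenantId: 2, name: 'office', permissions: ['CREATE_ORDERS'] },
];
```

The rename is written as a data transform rather than a DELETE plus INSERT so that a migration interrupted halfway (compare the stuck migration noted in the closure) can simply be re-run.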
F-FORE-007

/api/v1/roles leaks all role permission definitions to any logged-in user

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Log in as requester@staging.example.test, the lowest-privilege role.
  2. Fetch /api/v1/roles with credentials included.
  3. Observed the full role catalog with internal permission strings for foreman, logistic, office, and more.
  4. Impact: a phished low-privilege credential yields a free map of the entire permission system (role names, which roles hold which permissions, and the exact strings to target). This is the OWASP API Security Top 10 API5 class, Broken Function Level Authorization; on its own it is reconnaissance rather than escalation, but it removes the guesswork from any later attempt.
  5. Fix: gate the endpoint on canManageRoles or filter the response to the caller's own role for non-admins.
  6. CLOSED 2026-05-29 — foreman and requester now receive only their own role as a one-item array (PR #140).
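A handler in the shape F-FORE-007's fix describes (full catalog only for role managers, otherwise a one-item array with the caller's own role), as an added example that is not the project's code. It assumes that canManageRoles corresponds to a MANAGE_ROLES permission string; the catalog and user records are constructed, with user 9 / roleId 3 mirroring the foreman fixture from F-FORE-001.

```javascript
// Added example, not the project's code: /api/v1/roles returning the full catalog
// only to callers whose role carries MANAGE_ROLES (assumed to back canManageRoles)
// and a one-item array holding the caller's own role to everyone else.
// Catalog and user shapes are constructed; the real handler's framework is unknown.

const ROLE_CATALOG = [
  { id: 1, name: 'admin',     permissions: ['MANAGE_ROLES', 'ACCEPT_DECLINE_ORDERS', 'CREATE_ORDERS'] },
  { id: 2, name: 'office',    permissions: ['CREATE_ORDERS', 'VIEW_STATS'] },
  { id: 3, name: 'foreman',   permissions: ['ACCEPT_DECLINE_ORDERS', 'VIEW_INVENTORY'] },
  { id: 4, name: 'requester', permissions: ['CREATE_ORDERS'] },
  { id: 5, name: 'logistic',  permissions: ['VIEW_INVENTORY', 'MANAGE_SHIPMENTS'] },
];

function roleOf(user) {
  return ROLE_CATALOG.find((r) => r.id === user.roleId) || null;
}

// user is the authenticated principal ({ id, roleId }), or null when the session
// is missing. Returns { status, body } so the decision is testable without HTTP.
function listRoles(user) {
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  const own = roleOf(user);
  // A principal with no resolvable role must not fall through to the catalog.
  if (!own) return { status: 403, body: { error: 'no role assigned' } };
  if (own.permissions.includes('MANAGE_ROLES')) return { status: 200, body: ROLE_CATALOG };
  return { status: 200, body: [own] };
}

// What a phished low-privilege session learns from the endpoint: only its own
// role, not the names or permission strings of the admin-only roles.
function roleNamesVisibleTo(user) {
  const res = listRoles(user);
  return res.status === 200 ? res.body.map((r) => r.name) : [];
}
```

The caller's own permission strings are still returned because the client needs them for its own UI gating; what the fix removes is the cross-role view.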
F-FORE-008

Stale e2e test data on staging (cross-run pollution)

docs/staging-bug-hunt-2026-05-26/foreman/findings.md
foreman
  1. Log in as Office and visit /stats/.
  2. Projects Stats lists leftover projects from previous runs, e.g. e2e-x1-test-1779755569322-tsns5, alongside the legitimate seed projects.
  3. Expected: staging seed should reset, or test setup/teardown should delete the projects it creates.
  4. Severity P3 — cumulative pollution makes empty-state visual checks unreliable and inflates DB size over time.
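A cleanup pass for the cross-run pollution in F-FORE-008, as an added example that is not the project's code or test tooling. It recognises projects by the e2e naming pattern seen on staging (e2e-x1-test-<epoch-ms>-<suffix>), reads the creation time out of the name and selects the ones older than a cutoff for deletion, leaving seed projects untouched. The exact pattern and the sample project list are assumptions constructed for the example.

```javascript
// Added example, not the project's code: select stale e2e projects by the naming
// pattern observed on staging. The pattern (prefix, 13-digit epoch-ms timestamp,
// random suffix) is inferred from the one name on the page and is an assumption.

const E2E_NAME = /^e2e-[a-z0-9]+-test-(\d{13})-[a-z0-9]+$/i;
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the creation timestamp (epoch ms) embedded in an e2e project name,
// or null for anything that does not match (seed data, hand-made projects).
function parseE2eTimestamp(name) {
  const m = E2E_NAME.exec(name);
  return m ? Number(m[1]) : null;
}

// Names of e2e projects created more than maxAgeMs before nowMs. A janitor job
// would delete these; test teardown remains the first line of defence, this is
// the backstop for runs that crashed before teardown.
function staleE2eProjects(projects, nowMs, maxAgeMs) {
  return projects
    .filter((p) => {
      const created = parseE2eTimestamp(p.name);
      return created !== null && nowMs - created > maxAgeMs;
    })
    .map((p) => p.name);
}

// Constructed sample: one seed project, the leftover from the page, one e2e
// project a day younger, and a name that looks e2e-ish but carries no timestamp.
const SAMPLE_PROJECTS = [
  { id: 1, name: 'Seed Project Alpha' },
  { id: 2, name: 'e2e-x1-test-1779755569322-tsns5' },
  { id: 3, name: 'e2e-x1-test-1779841969322-k2p9q' },
  { id: 4, name: 'e2e-project-missing-timestamp' },
];
```

Keying the cutoff on the timestamp in the name rather than on a createdAt column means the janitor cannot be fooled by rows whose timestamps were touched by later test runs, and the strict pattern match is what keeps it from ever selecting a seed project.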

Screenshot evidence

Captured against staging 2026-05-26. Filenames preserved as captions.

new-order-FIXED.png
sidebar-FIXED.png