From e2e-test-specialist
Executes role-based E2E tests with Playwright, verifying access controls, user flows, and role-specific functionality from a test plan.
Trigger: slash command /e2e-test-specialist:role-test
Summary (what Claude sees in its skill listing): This skill executes comprehensive role-based E2E testing using Playwright MCP. It tests all pages and flows for each user role, verifying proper access control and role-specific functionality.
Plan file: tests/e2e-test-plan.md
This skill reads role definitions and test credentials from the test plan at tests/e2e-test-plan.md. If the plan file doesn't exist, the calling command should invoke the test-plan skill first to generate it.
CRITICAL: Before testing roles, verify the test plan exists.
### Preparation
1. Check for Test Plan: confirm tests/e2e-test-plan.md is present and readable.
2. Read Role Information from Plan: role names, the credentials of each test user, and the resources each role may reach.
3. Identify All Roles: include the unauthenticated guest as a role in its own right.
4. Prepare Test Users: one dedicated test account per role, taken from the plan's credentials.
5. Map Role-Resource Matrix: every URL the plan lists gets a Yes or No for every role, so no page goes untested for the roles that should be blocked from it.
| Resource | Guest | User | Admin |
|----------|-------|------|-------|
| /home | Yes | Yes | Yes |
| /dashboard | No | Yes | Yes |
| /admin | No | No | Yes |
### Guest Role (unauthenticated access)
Public Pages:
- browser_navigate to each public page
- browser_snapshot to verify content
- Confirm: page loads correctly
Protected Page Blocking:
- browser_navigate to each protected page
- browser_snapshot to check the result
- Confirm: redirect to login OR a 403 page, and no protected content anywhere in the snapshot
Guest-Specific Features:
- Test: registration form accessible
- Test: login form accessible
- Test: password reset accessible
### Authenticated Roles
For EACH authenticated role in the plan:
Login as Role:
- browser_navigate to /login
- browser_fill_form with the role's credentials from the plan:
  fields: [
    { name: "Email", type: "textbox", ref: "[email-input-ref]", value: "[email from plan]" },
    { name: "Password", type: "textbox", ref: "[password-input-ref]", value: "[password from plan]" }
  ]
- browser_click on the submit button
- browser_wait_for the dashboard or another success indicator
- browser_snapshot to verify the session is logged in
Test Accessible Pages:
For each page this role SHOULD access:
- browser_navigate to the page URL
- browser_snapshot
- browser_console_messages to check for errors
- Verify: page content loads correctly
- Verify: role-specific elements are present
Test Blocked Pages:
For each page this role should NOT access:
- browser_navigate to the page URL
- browser_snapshot
- browser_network_requests to confirm the page's own API calls were refused, not merely hidden by the UI
- Verify: 403 error OR redirect occurs
- Verify: no unauthorized data exposed, in the snapshot or in any response
Test Role-Specific Actions:
For each action this role can perform:
- Navigate to the action page
- Perform the action
- Verify success
For each action this role CANNOT perform:
- Attempt the action; a hidden button is not a control, so also send the request the button would make
- Verify the server blocks it
Logout:
- browser_click the logout button
- browser_wait_for the login page
- browser_snapshot to confirm logged out
## User Role Tests
### Profile Management
1. Navigate to /profile
2. Verify can view own profile
3. Edit profile information
4. Save changes
5. Verify changes persisted
### Data Access
1. Navigate to /my-data
2. Verify can see own data only
3. Cannot see other users' data
4. Can create new data
5. Can edit own data
6. Can delete own data
### Restricted Areas
1. Cannot access /admin
2. Cannot access /admin/users
3. Cannot modify other users
## Admin Role Tests
### User Management
1. Navigate to /admin/users
2. View all users list
3. Create new user
4. Edit existing user
5. Delete user (not self)
6. Change user roles
### System Settings
1. Access settings page
2. Modify configurations
3. Save changes
4. Verify persistence
### Admin-Only Features
1. Access reports
2. View audit logs
3. Manage permissions
## Security Tests
### Session Isolation
1. Login as User A
2. Capture User A's session cookie or token
3. Using only that session, request User B's pages and resources
4. Verify: access denied, and User B's data never appears
5. Logout, then replay the captured session: verify it is rejected (redirect to login or 401), not still valid
### Privilege Escalation Prevention
1. Login as a regular user
2. Attempt admin actions directly: navigate to the admin URLs and call the endpoints the admin UI uses, with the user's session
3. Verify: every action is refused by the server (403 or redirect), not just missing from the menu
### IDOR Testing
1. Login as User A
2. Note the ID of one of User A's resources
3. Request another user's resource by changing the ID in the URL or request body
4. Verify: access denied (403 or 404) and the other user's data is not returned; if the app silently shows User A's own data instead, record that it ignored the ID rather than rejecting it
Pseudocode for the role loop. Each browser_* call stands for a Playwright MCP tool invocation, not a JavaScript API; verify() is the assertion the skill records in the report.
```javascript
// Using Playwright MCP tools (pseudocode: browser_* are MCP tool calls)
async function loginAsRole(role, credentials) {
  // Navigate to login
  browser_navigate({ url: "/login" });
  // Fill login form with the credentials read from tests/e2e-test-plan.md
  browser_fill_form({
    fields: [
      { name: "Email", type: "textbox", ref: "[email-ref]", value: credentials.email },
      { name: "Password", type: "textbox", ref: "[password-ref]", value: credentials.password }
    ]
  });
  // Submit
  browser_click({ element: "Login button", ref: "[submit-ref]" });
  // Wait for dashboard
  browser_wait_for({ text: "Dashboard" });
  // Verify
  browser_snapshot();
}

async function logout() {
  browser_click({ element: "Logout button", ref: "[logout-ref]" });
  browser_wait_for({ text: "Login" });
  browser_snapshot();
}

// expectedContent: text from the plan that identifies the page's real content
async function verifyAccess(url, shouldHaveAccess, expectedContent) {
  browser_navigate({ url });
  const snapshot = browser_snapshot();
  if (shouldHaveAccess) {
    // Should see page content
    verify(snapshot.contains(expectedContent));
  } else {
    // Should see 403 or redirect (snapshot.url is the page URL the snapshot reports),
    // and none of the protected content
    verify(snapshot.contains("Access Denied") || snapshot.url === "/login");
    verify(!snapshot.contains(expectedContent));
  }
}

const roleMatrix = {
  guest: {
    canAccess: ["/", "/about", "/login", "/register"],
    cannotAccess: ["/dashboard", "/profile", "/admin"]
  },
  user: {
    credentials: { email: "[user email from plan]", password: "[user password from plan]" },
    canAccess: ["/", "/about", "/dashboard", "/profile"],
    cannotAccess: ["/admin", "/admin/users"]
  },
  admin: {
    credentials: { email: "[admin email from plan]", password: "[admin password from plan]" },
    canAccess: ["/", "/about", "/dashboard", "/profile", "/admin", "/admin/users"],
    cannotAccess: []
  }
};

for (const [role, permissions] of Object.entries(roleMatrix)) {
  // Guest is the unauthenticated state: no login, no logout
  if (permissions.credentials) await loginAsRole(role, permissions.credentials);
  for (const url of permissions.canAccess) {
    await verifyAccess(url, true, expectedContentFor(url));   // looked up from the plan's page descriptions
  }
  for (const url of permissions.cannotAccess) {
    await verifyAccess(url, false, expectedContentFor(url));
  }
  if (permissions.credentials) await logout();
}
```
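The loop above only visits the URLs a role's entry names, and its access check is a text match on "Access Denied" or the login URL with no test that the blocked page leaked nothing. Added example, not the skill's or the plugin's own code: a small Node module that derives the cases from the matrix, reports URLs a role's entry leaves unclassified (run against a copy of the matrix above it flags /admin/users for guest and /login and /register for user and admin), and judges an observed result with the rules from the Test Accessible Pages and Test Blocked Pages steps. The observed object's fields (status, finalUrl, bodyText, consoleErrors) and the pageText markers are assumptions about what the caller extracts from the snapshot, console and network-request tool output.

```javascript
// Added example (not the skill's own code): derive the test cases from the
// role matrix, flag resources a role's entry leaves unclassified, and judge an
// observed result the way the accessible/blocked checks require.

// A copy of the matrix from the pseudocode, used here as constructed input.
const sampleMatrix = {
  guest: { canAccess: ["/", "/about", "/login", "/register"], cannotAccess: ["/dashboard", "/profile", "/admin"] },
  user:  { canAccess: ["/", "/about", "/dashboard", "/profile"], cannotAccess: ["/admin", "/admin/users"] },
  admin: { canAccess: ["/", "/about", "/dashboard", "/profile", "/admin", "/admin/users"], cannotAccess: [] },
};

// Every URL any role mentions must be classified for every role; a URL missing
// from a role's entry is a page that will never be tested for that role.
function matrixGaps(matrix) {
  const allUrls = new Set(Object.values(matrix).flatMap((p) => [...p.canAccess, ...p.cannotAccess]));
  const gaps = {};
  for (const [role, p] of Object.entries(matrix)) {
    const seen = new Set([...p.canAccess, ...p.cannotAccess]);
    const missing = [...allUrls].filter((u) => !seen.has(u));
    if (missing.length) gaps[role] = missing;
  }
  return gaps;
}

// One case per (role, URL) pair with the expected outcome.
function buildCases(matrix) {
  return Object.entries(matrix).flatMap(([role, p]) => [
    ...p.canAccess.map((url) => ({ role, url, expected: "allowed" })),
    ...p.cannotAccess.map((url) => ({ role, url, expected: "blocked" })),
  ]);
}

// observed: { status, finalUrl, bodyText, consoleErrors } as captured after
// browser_navigate, browser_snapshot and browser_console_messages (the status
// is assumed to come from the network request log).
// pageText: strings that identify the page's real content; an allowed page must
// show all of them, a blocked page must show none of them.
function judge(testCase, observed, pageText = []) {
  const present = pageText.filter((s) => observed.bodyText.includes(s));
  if (testCase.expected === "allowed") {
    if (observed.status !== 200) return { verdict: "fail", reason: `status ${observed.status}` };
    const missing = pageText.filter((s) => !present.includes(s));
    if (missing.length) return { verdict: "fail", reason: "missing content: " + missing.join(", ") };
    if (observed.consoleErrors.length) return { verdict: "fail", reason: "console errors: " + observed.consoleErrors.join("; ") };
    return { verdict: "pass", reason: "rendered" };
  }
  // Blocked: leaked content is a failure regardless of status or redirect.
  if (present.length) return { verdict: "fail", reason: "blocked page exposed: " + present.join(", ") };
  const atLogin = new URL(observed.finalUrl, "http://app.local").pathname === "/login";
  if (atLogin) return { verdict: "pass", reason: "redirected to /login" };
  if (observed.status === 401 || observed.status === 403) return { verdict: "pass", reason: `status ${observed.status}` };
  // A 200 that shows an empty shell is not a pass: the page may still have fetched data over XHR.
  return { verdict: "fail", reason: `status ${observed.status} at ${observed.finalUrl}: neither denied nor redirected` };
}
```

Run `matrixGaps()` before any browser work and refuse to start while it returns anything; then feed each case from `buildCases()` through the navigate/snapshot steps and pass the captured result to `judge()`, whose reason strings are what the per-page lines of the report should carry.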
# Role-Based Test Results
## Guest Role
### Accessible Pages
- [x] Home (/) - Passed
- [x] About (/about) - Passed
- [x] Login (/login) - Passed
- [x] Register (/register) - Passed
### Blocked Pages
- [x] Dashboard (/dashboard) - Correctly redirects to /login
- [x] Profile (/profile) - Correctly redirects to /login
- [x] Admin (/admin) - Correctly redirects to /login
## User Role ([user email])
### Login
- [x] Can login successfully
- [x] Redirected to dashboard
### Accessible Pages
- [x] Dashboard (/dashboard) - Passed
- [x] Profile (/profile) - Passed
- [x] Settings (/settings) - Passed
### Blocked Pages
- [x] Admin (/admin) - Correctly shows 403
- [x] User Management (/admin/users) - Correctly shows 403
### Role-Specific Actions
- [x] Can edit own profile
- [x] Can view own data
- [x] Cannot view other users' data
- [x] Cannot access admin features
### Logout
- [x] Logout successful
## Admin Role ([admin email])
### Login
- [x] Can login successfully
- [x] Redirected to admin dashboard
### Full Access
- [x] All pages accessible
- [x] Can manage users
- [x] Can access settings
- [x] Can view reports
### Admin Actions
- [x] Can create users
- [x] Can edit users
- [x] Can delete users
- [x] Can change roles
## Security Tests
- [x] Session isolation verified
- [x] No privilege escalation possible
- [x] IDOR protection verified
## Summary
| Role | Pages Tested | Passed | Failed |
|------|--------------|--------|--------|
| Guest | 7 | 7 | 0 |
| User | 10 | 10 | 0 |
| Admin | 15 | 15 | 0 |
Total: 32 tests, 32 passed, 0 failed
Install: npx claudepluginhub mwguerra/claude-code-plugins --plugin e2e-test-specialist