Current File : /home/gositeme/domains/lavocat.ca/private_html/IMPERSONATION_TESTING_GUIDE.md
# 🔄 Impersonation System Testing Guide

## 🎯 **Quick Start Testing**

### 1. **Login as Super Admin**
- **URL**: `https://localhost:3443/auth/login`
- **Email**: `dannywperez@msn.com`
- **Password**: `your_password`

### 2. **Access User Management**
- **URL**: `https://localhost:3443/admin/users`
- Look for **"🔄 Sign In As"** buttons next to each user

### 3. **Test Different User Types**

## 👥 **Available Test Users**

| Role | Name | Email | Password | Expected Features |
|------|------|-------|----------|-------------------|
| 👤 **USER** | Danny PEREZ | support@gositeme.com | - | Basic dashboard, profile, applications |
| 📋 **SECRETARY** | Isabelle Gagnon | legal.secretary@lmep.ca | demo123 | Admin dashboard, case support, documents |
| 📚 **CLERK** | Sophie Tremblay | law.clerk@lmep.ca | demo123 | Research tools, document access, case viewing |
| ⚖️ **LAWYER** | Marie Dubois | lead.attorney@lmep.ca | demo123 | Full case access, assignments, analytics |
| ⚖️ **LAWYER** | Jean-Pierre Martin | assistant.lawyer@lmep.ca | demo123 | Case management, client communication |
| 👩‍⚖️ **ADMIN** | Admin User | admin@example.com | - | User management, newsletter, export functions |

## 🧪 **Step-by-Step Testing Process**

### **Step 1: Test USER Role**
1. Click **"🔄 Sign In As"** next to Danny PEREZ (USER)
2. **Expected Behavior**:
   - ✅ Redirected to `/user/dashboard`
   - ✅ Orange impersonation banner appears at top
   - ✅ Limited navigation (no admin options)
   - ✅ Can access profile, applications
   - ❌ Cannot access admin features

### **Step 2: Test SECRETARY Role**
1. Click **"Stop Impersonating"** to return to Super Admin
2. Click **"🔄 Sign In As"** next to Isabelle Gagnon (SECRETARY)
3. **Expected Behavior**:
   - ✅ Access to admin dashboard
   - ✅ Can view case management
   - ✅ Document handling capabilities
   - ❌ Cannot create new users
   - ❌ Limited admin features

### **Step 3: Test CLERK Role**
1. Stop impersonation and try Sophie Tremblay (CLERK)
2. **Expected Behavior**:
   - ✅ Research tools access
   - ✅ Document viewing
   - ✅ Case viewing (read-only)
   - ❌ Cannot assign cases
   - ❌ No user management

### **Step 4: Test LAWYER Role**
1. Stop impersonation and try Marie Dubois (LAWYER)
2. **Expected Behavior**:
   - ✅ Full case access
   - ✅ Case assignments dashboard
   - ✅ Analytics dashboard
   - ✅ Client communication
   - ✅ Can view and manage assigned cases
   - ❌ Cannot manage users (unless also ADMIN)

### **Step 5: Test ADMIN Role**
1. Stop impersonation and try Admin User (ADMIN)
2. **Expected Behavior**:
   - ✅ User management access
   - ✅ Newsletter system
   - ✅ Export functions (PDF/CSV)
   - ✅ All admin features
   - ❌ Cannot impersonate others (only SUPERADMIN can)

## 🔍 **What to Verify During Each Test**

### **Navigation Access**
- Check sidebar menu items
- Verify role-appropriate features are visible
- Confirm restricted features are hidden

### **Page Access**
- Try accessing admin URLs directly
- Verify proper redirects for unauthorized access
- Check error handling

### **Functional Testing**
- Test creating/editing within role permissions
- Verify data access is properly scoped
- Check API endpoint restrictions

## 🚨 **Security Validation**

### **Critical Security Tests**
1. **Cannot Impersonate SUPERADMIN**
   - Verify no "Sign In As" button for SUPERADMIN users
   - Call the impersonation API directly with a SUPERADMIN user's id; it must be rejected server-side, because a hidden button is not an access control
   - Log in as ADMIN and call the same endpoint; it must also be rejected, since only SUPERADMIN can impersonate

2. **Session Logging**
   - Check the database for an impersonation session record for each test above
   - Verify the impersonator, the target user, the IP address and the user agent are logged

3. **Proper Session Cleanup**
   - Ensure stopping impersonation restores the original Super Admin user
   - Verify no session leakage between users: after stopping, the session must carry nothing from the impersonated user; also replay a copy of the impersonation cookie saved before stopping and check whether it is still accepted

4. **Rate Limiting**
   - Try rapid, repeated impersonation attempts from the same Super Admin account
   - Requests beyond the limit should be rejected rather than processed
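The four checks above describe behaviour the server has to enforce. The following is an added example, not the project's code, of a self-contained model of that policy: a JWT-style session token, the impersonation rule (only SUPERADMIN may impersonate, a SUPERADMIN target is never allowed, and an impersonating session cannot impersonate again), an audit record with IP and user agent, a per-impersonator rate limiter, and a stop routine that rebuilds the original token instead of patching the impersonated one. Role names follow this guide; the token fields, the audit-record shape and the rate-limit threshold are assumptions.

```typescript
// Added example (not the project's code). Token fields, audit-record shape and
// rate-limit threshold are assumptions; role names are the ones in this guide.

type Role = "USER" | "SECRETARY" | "CLERK" | "LAWYER" | "ADMIN" | "SUPERADMIN";

interface SessionToken {
  sub: string;              // id of the user the session currently acts as
  role: Role;
  originalUserId?: string;  // present only while impersonating
  originalRole?: Role;
}

interface ImpersonationRecord {
  impersonatorId: string;
  targetUserId: string;
  ip: string;
  userAgent: string;
  startedAt: number;        // epoch milliseconds
}

// Server-side policy. This is the check the API must run on every request;
// hiding the "Sign In As" button in the UI is not a control.
function canImpersonate(
  actor: SessionToken,
  target: { id: string; role: Role },
): { ok: boolean; reason?: string } {
  if (actor.originalUserId !== undefined) return { ok: false, reason: "already impersonating" };
  if (actor.role !== "SUPERADMIN") return { ok: false, reason: "actor is not SUPERADMIN" };
  if (target.role === "SUPERADMIN") return { ok: false, reason: "target is SUPERADMIN" };
  if (target.id === actor.sub) return { ok: false, reason: "cannot impersonate self" };
  return { ok: true };
}

// Sliding-window limiter keyed by impersonator id. In-memory here; a deployment
// with several server instances would back it with a shared store.
class ImpersonationRateLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private hits: Record<string, number[]> = {};

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  allow(key: string, now: number): boolean {
    const recent = (this.hits[key] || []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits[key] = recent;
    return allowed;
  }
}

function startImpersonation(
  actor: SessionToken,
  target: { id: string; role: Role },
  meta: { ip: string; userAgent: string; now: number },
  limiter: ImpersonationRateLimiter,
): { token: SessionToken; record: ImpersonationRecord } {
  const decision = canImpersonate(actor, target);
  if (!decision.ok) throw new Error("impersonation denied: " + decision.reason);
  if (!limiter.allow(actor.sub, meta.now)) throw new Error("impersonation rate limited");
  const token: SessionToken = {
    sub: target.id,
    role: target.role,
    originalUserId: actor.sub,
    originalRole: actor.role,
  };
  const record: ImpersonationRecord = {
    impersonatorId: actor.sub,
    targetUserId: target.id,
    ip: meta.ip,
    userAgent: meta.userAgent,
    startedAt: meta.now,
  };
  return { token, record };
}

// Restores the original user by building a fresh token rather than editing the
// impersonated one, so no field of the impersonated user survives the switch.
function stopImpersonation(token: SessionToken): SessionToken {
  if (token.originalUserId === undefined || token.originalRole === undefined) {
    throw new Error("session is not impersonating");
  }
  return { sub: token.originalUserId, role: token.originalRole };
}
```

The same four decisions are what the manual tests above should observe from the outside: a 4xx from the API for a SUPERADMIN target or a non-SUPERADMIN caller, an audit row per accepted start, a restored Super Admin session with no impersonation fields, and rejections once the limiter's window fills.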

## 🎯 **Expected User Experience Flow**

### **Successful Impersonation**
1. 🔄 Click "Sign In As" → Loading state
2. 🎯 Redirect to appropriate dashboard
3. 🟠 Orange banner shows impersonation status
4. 👤 Navigation reflects user's role
5. 🔙 "Stop Impersonating" button works
6. ✅ Return to Super Admin dashboard

### **Visual Indicators**
- **Impersonation Banner**: Orange gradient at top
- **User Info**: Shows current impersonated user
- **Original User**: Shows who is impersonating
- **Stop Button**: Clear exit option

## 🔗 **Quick Test URLs**

| Feature | URL | Purpose |
|---------|-----|---------|
| User Management | `/admin/users` | Main impersonation interface |
| Super Admin | `/admin/super` | System overview |
| Case Assignments | `/admin/case-assignments` | Test lawyer/admin access |
| Analytics | `/admin/analytics-dashboard` | Test advanced features |
| Newsletter | `/admin/newsletter` | Test admin-only features |
| User Dashboard | `/user/dashboard` | Test basic user experience |
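The "Page Access" checks earlier in this guide (request admin URLs directly, confirm the redirect or denial) and the table above can be driven by a script instead of by hand. The following is an added example, not the project's code: it requests each of the Quick Test URLs with the session cookie of the role under test, leaves redirects unfollowed, and reports any page that was served to a role outside its allow-list. The expected-access matrix is an assumption derived from the role descriptions in this guide (for example, `/admin/super` for SUPERADMIN only, `/admin/newsletter` for ADMIN and SUPERADMIN); adjust it to the real route policy before trusting a PASS.

```typescript
// Added example (not the project's code). The ROUTE_POLICY matrix is an assumption
// drawn from this guide's role descriptions; `probeRoutes` needs Node 18+ for fetch.

type Role = "USER" | "SECRETARY" | "CLERK" | "LAWYER" | "ADMIN" | "SUPERADMIN";

interface RoutePolicy { path: string; allowedRoles: Role[] }

const EVERYONE: Role[] = ["USER", "SECRETARY", "CLERK", "LAWYER", "ADMIN", "SUPERADMIN"];

const ROUTE_POLICY: RoutePolicy[] = [
  { path: "/admin/users", allowedRoles: ["ADMIN", "SUPERADMIN"] },
  { path: "/admin/super", allowedRoles: ["SUPERADMIN"] },
  { path: "/admin/case-assignments", allowedRoles: ["LAWYER", "ADMIN", "SUPERADMIN"] },
  { path: "/admin/analytics-dashboard", allowedRoles: ["LAWYER", "ADMIN", "SUPERADMIN"] },
  { path: "/admin/newsletter", allowedRoles: ["ADMIN", "SUPERADMIN"] },
  { path: "/user/dashboard", allowedRoles: EVERYONE },
];

type Observed = "allowed" | "denied" | "redirected" | "error";

// Classify a response whose redirects were not followed: 2xx means the page was
// served; 401/403 is an explicit denial; a 3xx to the login page is a denial;
// any other 3xx is reported separately so the tester can look at where it went.
function classify(status: number, location: string | null): Observed {
  if (status >= 200 && status < 300) return "allowed";
  if (status === 401 || status === 403) return "denied";
  if (status >= 300 && status < 400) {
    return location !== null && location.indexOf("/auth/login") !== -1 ? "denied" : "redirected";
  }
  return "error";
}

interface Verdict { path: string; role: Role; expectAllowed: boolean; observed: Observed; pass: boolean }

function evaluate(role: Role, path: string, status: number, location: string | null): Verdict {
  const policy = ROUTE_POLICY.filter((p) => p.path === path)[0];
  if (!policy) throw new Error("no policy for " + path);
  const expectAllowed = policy.allowedRoles.indexOf(role) !== -1;
  const observed = classify(status, location);
  // A served page for a role outside the allow-list is the finding; a denial or a
  // redirect away counts as correct, while a 5xx never passes (the error-handling check).
  const pass = expectAllowed
    ? observed === "allowed"
    : observed === "denied" || observed === "redirected";
  return { path, role, expectAllowed, observed, pass };
}

// Requests every route in the matrix with the session cookie of the role under test.
async function probeRoutes(baseUrl: string, role: Role, cookie: string): Promise<Verdict[]> {
  const fetchFn = (globalThis as any).fetch;
  const verdicts: Verdict[] = [];
  for (const { path } of ROUTE_POLICY) {
    const res = await fetchFn(baseUrl + path, { headers: { cookie }, redirect: "manual" });
    verdicts.push(evaluate(role, path, res.status, res.headers.get("location")));
  }
  return verdicts;
}

// Usage against the dev server only (its self-signed certificate needs
// NODE_TLS_REJECT_UNAUTHORIZED=0, or use an http base URL):
//   PROBE_BASE_URL=https://localhost:3443 PROBE_ROLE=USER PROBE_COOKIE='<session cookie>' npx ts-node probe.ts
const env = (globalThis as any).process?.env || {};
if (env.PROBE_BASE_URL && env.PROBE_ROLE && env.PROBE_COOKIE) {
  probeRoutes(env.PROBE_BASE_URL, env.PROBE_ROLE, env.PROBE_COOKIE).then((verdicts) => {
    for (const v of verdicts) {
      console.log((v.pass ? "PASS" : "FAIL") + " " + v.role + " " + v.path + " -> " + v.observed);
    }
  });
}
```

Run it twice per role: once with the cookie of the Super Admin session while impersonating that role, and once with a cookie from a direct login as that role (the demo accounts above). An impersonated token still carries the original user's identity, so an endpoint that checks the original role instead of the effective one can behave differently between the two, which is exactly the permission leakage the success criteria below rule out.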

## ๐Ÿ› **Troubleshooting**

### **Common Issues**
1. **Impersonation Not Working**
   - Check server logs for JWT callback errors
   - Verify database has ImpersonationSession table
   - Ensure user has SUPERADMIN role

2. **Permissions Not Applied**
   - Verify API endpoints include SUPERADMIN in role checks
   - Check if permissions were set up correctly
   - Review role hierarchy in auth-utils.ts

3. **Session Issues**
   - Clear browser cookies
   - Restart development server
   - Check NextAuth configuration

### **Debug Commands**
```bash
# Check user roles
npm run check-user dannywperez@msn.com

# View all users for testing
npm run test-impersonation

# Check permissions setup
npm run setup-permissions
```

## ✅ **Success Criteria**

**Impersonation system is working correctly when:**
- โœ… Can impersonate all roles except SUPERADMIN
- โœ… Each role sees appropriate features only
- โœ… Security restrictions are enforced
- โœ… Can easily stop impersonation and return
- โœ… Sessions are properly logged and managed
- โœ… No permission leakage between roles

---

**🎉 Happy Testing!** The impersonation system allows you to experience your application from each user's perspective, ensuring proper role-based access control.
