Cartly / testing / CAR-16-Test-Plan
QA-002: Sprint 1 Test Plan — Auth, RBAC, Company/Store Setup
Issue: CAR-16
Status: Draft (QA)
Author: QA Agent
Date: 2026-07-03
PRD Reference: PRD-001 v0.7, PRD-001-Gherkin-Acceptance-Criteria.md
Blocked by: CAR-15 (DEV Sprint 1 Implementation)
Goal
Complete test plan for the Sprint 1 MVP features:
- User Authentication (Login, Registration, Password Reset)
- Role-Based Access Control (RBAC)
- Company & Store Management
- User Management
Test Environment
| Parameter | Value |
|---|---|
| API Base | http://10.10.1.195:3100/api |
| Company | f9a8031f-2a84-4c59-960c-87d3fb0c7c80 |
| Running Environment | Local (localhost) |
| Tech Stack | Node.js + Fastify + Prisma + PostgreSQL |
Test accounts (to be created after DEV setup):
Test Scope
In Scope (Sprint 1 MVP)
- F1.1 Email/Password Login (AC-001 to AC-008)
- F1.2 User Registration (AC-010 to AC-014)
- F1.3 Password Reset Flow (AC-020 to AC-023)
- F2.1 RBAC Roles & Permissions (AC-030 to AC-034)
- F2.2 Role Assignment & Management (AC-040 to AC-043)
- F3.1 Company Management (AC-050 to AC-052)
- F3.2 Store Management (AC-060 to AC-064)
- F4.1 User Management CRUD (AC-070 to AC-075)
- F5.1 Product Master Data CRUD (AC-080 to AC-087)
- F5.2 Category Management
Out of Scope (Sprint 2+)
- POS Sale Transaction Flow
- Inventory Management
- Reporting/Dashboard
- Email verification (SMTP mocks for Sprint 1)
Test Cases
TC-001: F1.1 — Successful login
| Field | Value |
|---|---|
| Test Case ID | TC-001 |
| Feature | F1.1 Email/Password Login |
| Title | Successful login with valid credentials |
| Gherkin Ref | AC-001 |
| Priority | P0 (Critical) |
| Preconditions | User sarah@meinladen.de exists, account is active |
| Test Steps | POST /auth/login with email + password |
| Expected Result | 200 OK, JWT access token + refresh token (HTTP-only cookie) |
| Actual Result | TBD |
| Status | Pending (DEV not implemented) |
TC-002: F1.1 — Login with wrong password
| Field | Value |
|---|---|
| Test Case ID | TC-002 |
| Feature | F1.1 Email/Password Login |
| Title | Login fails with wrong password |
| Gherkin Ref | AC-002 |
| Priority | P0 |
| Test Steps | POST /auth/login with correct email, wrong password |
| Expected Result | 401, no tokens, error "Invalid credentials" |
| Actual Result | TBD |
| Status | Pending |
TC-003: F1.1 — Login with non-existent user
| Field | Value |
|---|---|
| Test Case ID | TC-003 |
| Feature | F1.1 Email/Password Login |
| Title | Login fails for non-existent user |
| Gherkin Ref | AC-003 |
| Priority | P0 |
| Test Steps | POST /auth/login with unknown email |
| Expected Result | 401, error "Invalid credentials" |
| Actual Result | TBD |
| Status | Pending |
TC-004: F1.1 — Login validation, empty email field
| Field | Value |
|---|---|
| Test Case ID | TC-004 |
| Feature | F1.1 Email/Password Login |
| Title | Login fails with empty email field |
| Gherkin Ref | AC-004 |
| Priority | P1 |
| Test Steps | POST /auth/login with email="" |
| Expected Result | 400, validation error for field "email" |
| Actual Result | TBD |
| Status | Pending |
TC-005: F1.1 — Login validation, invalid email format
| Field | Value |
|---|---|
| Test Case ID | TC-005 |
| Feature | F1.1 Email/Password Login |
| Title | Login fails with invalid email format |
| Gherkin Ref | AC-005 |
| Priority | P1 |
| Test Steps | POST /auth/login with email="kein-email" |
| Expected Result | 400, validation error for field "email" |
| Actual Result | TBD |
| Status | Pending |
TC-006: F1.1 — Token refresh
| Field | Value |
|---|---|
| Test Case ID | TC-006 |
| Feature | F1.1 Email/Password Login |
| Title | Refresh token yields a new access token |
| Gherkin Ref | AC-006 |
| Priority | P0 |
| Test Steps | 1. Login, 2. POST /auth/refresh with refresh token cookie |
| Expected Result | 200, new access token, old token invalidated |
| Actual Result | TBD |
| Status | Pending |
TC-007: F1.1 — Expired refresh token
| Field | Value |
|---|---|
| Test Case ID | TC-007 |
| Feature | F1.1 Email/Password Login |
| Title | Refresh token expires → 401 |
| Gherkin Ref | AC-007 |
| Priority | P0 |
| Test Steps | POST /auth/refresh with expired refresh token |
| Expected Result | 401, error "Token expired" |
| Actual Result | TBD |
| Status | Pending |
TC-008: F1.1 — Tenant binding in the JWT
| Field | Value |
|---|---|
| Test Case ID | TC-008 |
| Feature | F1.1 Email/Password Login |
| Title | JWT contains company_id and restricts access |
| Gherkin Ref | AC-008 |
| Priority | P0 |
| Test Steps | Log in as a user of Company A, attempt to access Company B resources |
| Expected Result | JWT contains the correct company_id, cross-tenant access returns 403 |
| Actual Result | TBD |
| Status | Pending |
TC-009: F1.2 — Successful registration
| Field | Value |
|---|---|
| Test Case ID | TC-009 |
| Feature | F1.2 User Registration |
| Title | Successful registration with email verification |
| Gherkin Ref | AC-010 |
| Priority | P0 |
| Test Steps | POST /auth/register with email, password, company_name |
| Expected Result | 201, user + company created, admin role, pending_verification status |
| Actual Result | TBD |
| Status | Pending |
TC-010: F1.2 — Registration with existing email
| Field | Value |
|---|---|
| Test Case ID | TC-010 |
| Feature | F1.2 User Registration |
| Title | Registration with an already registered email → error |
| Gherkin Ref | AC-011 |
| Priority | P0 |
| Test Steps | POST /auth/register with an already registered email |
| Expected Result | 409, error "Email already registered" |
| Actual Result | TBD |
| Status | Pending |
TC-011: F1.2 — Registration with weak password
| Field | Value |
|---|---|
| Test Case ID | TC-011 |
| Feature | F1.2 User Registration |
| Title | Registration with weak password → error |
| Gherkin Ref | AC-012 |
| Priority | P1 |
| Test Steps | POST /auth/register with password="12345" |
| Expected Result | 400, validation error for field "password" |
| Actual Result | TBD |
| Status | Pending |
TC-012: F1.3 — Password reset request
| Field | Value |
|---|---|
| Test Case ID | TC-012 |
| Feature | F1.3 Password Reset Flow |
| Title | Password reset email requested |
| Gherkin Ref | AC-020 |
| Priority | P1 |
| Test Steps | POST /auth/password-reset with email |
| Expected Result | 200, reset email sent, token stored with 1h expiry |
| Actual Result | TBD |
| Status | Pending |
TC-013: F1.3 — Password reset for non-existent user
| Field | Value |
|---|---|
| Test Case ID | TC-013 |
| Feature | F1.3 Password Reset Flow |
| Title | Password reset for non-existent user returns 200 (security) |
| Gherkin Ref | AC-021 |
| Priority | P0 |
| Security Relevance | Prevents email enumeration |
| Test Steps | POST /auth/password-reset with unknown email |
| Expected Result | 200, no email sent |
| Actual Result | TBD |
| Status | Pending |
TC-014: F2.1 — Admin full access
| Field | Value |
|---|---|
| Test Case ID | TC-014 |
| Feature | F2.1 RBAC Roles & Permissions |
| Title | Admin can manage all resources |
| Gherkin Ref | AC-030 |
| Priority | P0 |
| Test Steps | 1. Log in as admin@test.local, 2. Create Store, 3. Delete User, 4. Access Billing |
| Expected Result | All actions allowed (200) |
| Actual Result | TBD |
| Status | Pending |
TC-015: F2.1 — Manager role restrictions
| Field | Value |
|---|---|
| Test Case ID | TC-015 |
| Feature | F2.1 RBAC Roles & Permissions |
| Title | Manager cannot perform admin operations |
| Gherkin Ref | AC-031 |
| Priority | P0 |
| Test Steps | Log in as manager@test.local, Delete User, Change Billing, Delete Store |
| Expected Result | All 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-016: F2.1 — Sales role restrictions
| Field | Value |
|---|---|
| Test Case ID | TC-016 |
| Feature | F2.1 RBAC Roles & Permissions |
| Title | Sales can only perform POS operations |
| Gherkin Ref | AC-032 |
| Priority | P0 |
| Test Steps | Log in as sales@test.local: POS sale → allowed, Create Product → 403, Dashboard → 403 |
| Expected Result | Only POS allowed, everything else 403 |
| Actual Result | TBD |
| Status | Pending |
TC-017: F2.1 — Unauthenticated access
| Field | Value |
|---|---|
| Test Case ID | TC-017 |
| Feature | F2.1 RBAC Roles & Permissions |
| Title | Unauthenticated user is redirected to login |
| Gherkin Ref | AC-033 |
| Priority | P0 |
| Test Steps | Request to /api/* without Authorization header |
| Expected Result | 401, error "Authentication required" |
| Actual Result | TBD |
| Status | Pending |
TC-018: F2.1 — Tenant isolation
| Field | Value |
|---|---|
| Test Case ID | TC-018 |
| Feature | F2.1 RBAC Roles & Permissions |
| Title | User from another company is rejected |
| Gherkin Ref | AC-034 |
| Priority | P0 |
| Security Relevance | Critical for multi-tenant security |
| Test Steps | User from Company A attempts to access Company B resources |
| Expected Result | 403 Forbidden, error "Access denied" |
| Actual Result | TBD |
| Status | Pending |
TC-019: F2.2 — Admin can change role
| Field | Value |
|---|---|
| Test Case ID | TC-019 |
| Feature | F2.2 Role Assignment & Management |
| Title | Admin can change a user's role |
| Gherkin Ref | AC-040 |
| Priority | P1 |
| Test Steps | Admin changes the role of manager@test.local to sales |
| Expected Result | 200, manager@test.local now has role=sales |
| Actual Result | TBD |
| Status | Pending |
TC-020: F2.2 — Manager cannot change roles
| Field | Value |
|---|---|
| Test Case ID | TC-020 |
| Feature | F2.2 Role Assignment & Management |
| Title | Manager cannot change roles |
| Gherkin Ref | AC-041 |
| Priority | P1 |
| Test Steps | Manager attempts to change a user's role |
| Expected Result | 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-021: F2.2 — Self role change prevention
| Field | Value |
|---|---|
| Test Case ID | TC-021 |
| Feature | F2.2 Role Assignment & Management |
| Title | User cannot change own role |
| Gherkin Ref | AC-043 |
| Priority | P1 |
| Test Steps | Admin attempts to change own role to sales |
| Expected Result | 400, error "Cannot change own role" |
| Actual Result | TBD |
| Status | Pending |
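The RBAC rules that TC-014 to TC-017 and TC-019 to TC-021 exercise, as an added example rather than Cartly's own authorization code: a deny-by-default permission matrix for the three roles the plan names, and a role-change function that applies the "403 for non-admins" and "400 for own role" rules. The action identifiers, the user object shape and the `sampleUsers` fixture are assumptions; the role names and status codes come from the test cases.

```javascript
// Added example (not Cartly project code): deny-by-default permission matrix and
// role-change rules covering TC-014 to TC-017 and TC-019 to TC-021. The action
// identifiers, the user object shape and the result shape are assumptions.
const PERMISSIONS = {
  admin: new Set([
    'store:create', 'store:delete', 'user:delete', 'user:role:change',
    'billing:access', 'product:create', 'pos:sale', 'dashboard:view',
  ]),
  manager: new Set(['product:create', 'pos:sale', 'dashboard:view']),
  sales: new Set(['pos:sale']),
};

// Central check: no user -> 401, unknown role or action not granted -> 403.
function authorize(user, action) {
  if (!user) return { status: 401, error: 'Authentication required' };
  const granted = PERMISSIONS[user.role];
  if (!granted || !granted.has(action)) return { status: 403, error: 'Forbidden' };
  return { status: 200 };
}

// Role change: permission first, then the business rules the test cases spell out.
function changeRole(actor, targetUser, newRole) {
  const auth = authorize(actor, 'user:role:change');
  if (auth.status !== 200) return auth;
  if (!Object.prototype.hasOwnProperty.call(PERMISSIONS, newRole)) {
    return { status: 400, error: 'Unknown role' };
  }
  if (actor.id === targetUser.id) return { status: 400, error: 'Cannot change own role' };
  if (actor.companyId !== targetUser.companyId) return { status: 403, error: 'Access denied' };
  targetUser.role = newRole;
  return { status: 200, user: targetUser };
}

// Constructed sample accounts mirroring the plan's test accounts (fresh copy per call).
function sampleUsers() {
  return {
    admin: { id: 'u-admin', email: 'admin@test.local', role: 'admin', companyId: 'company-a' },
    manager: { id: 'u-manager', email: 'manager@test.local', role: 'manager', companyId: 'company-a' },
    sales: { id: 'u-sales', email: 'sales@test.local', role: 'sales', companyId: 'company-a' },
    otherAdmin: { id: 'u-other', email: 'admin@other.local', role: 'admin', companyId: 'company-b' },
  };
}
```

Keeping the matrix in one place is what makes the negative cases (TC-015, TC-016, TC-020) cheap to test: each is one `authorize` call, and a role that is missing from `PERMISSIONS` is denied everything rather than silently granted a default.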
TC-022: F3.1 — Admin can edit company
| Field | Value |
|---|---|
| Test Case ID | TC-022 |
| Feature | F3.1 Company Management |
| Title | Company admin can edit company data |
| Gherkin Ref | AC-050 |
| Priority | P1 |
| Test Steps | Admin PATCH /companies/{id} with name update |
| Expected Result | 200, name changed |
| Actual Result | TBD |
| Status | Pending |
TC-023: F3.1 — Non-admin company edit blocked
| Field | Value |
|---|---|
| Test Case ID | TC-023 |
| Feature | F3.1 Company Management |
| Title | Non-admin cannot edit company data |
| Gherkin Ref | AC-051 |
| Priority | P1 |
| Test Steps | Manager PATCH /companies/{id} |
| Expected Result | 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-024: F3.2 — Admin can create store
| Field | Value |
|---|---|
| Test Case ID | TC-024 |
| Feature | F3.2 Store Management |
| Title | Admin can create a new store |
| Gherkin Ref | AC-060 |
| Priority | P0 |
| Test Steps | Admin POST /stores with name, address, timezone, currency |
| Expected Result | 201, store created and linked to the company |
| Actual Result | TBD |
| Status | Pending |
TC-025: F3.2 — Manager cannot create store
| Field | Value |
|---|---|
| Test Case ID | TC-025 |
| Feature | F3.2 Store Management |
| Title | Manager cannot create a store |
| Gherkin Ref | AC-061 |
| Priority | P1 |
| Test Steps | Manager POST /stores |
| Expected Result | 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-026: F3.2 — Store soft delete
| Field | Value |
|---|---|
| Test Case ID | TC-026 |
| Feature | F3.2 Store Management |
| Title | Admin can deactivate a store (soft delete) |
| Gherkin Ref | AC-063 |
| Priority | P1 |
| Test Steps | Admin PATCH /stores/{id} with deleted_at or status=deactivated |
| Expected Result | 200, store no longer in the active list but still present in the DB |
| Actual Result | TBD |
| Status | Pending |
TC-027: F4.1 — Admin can invite user
| Field | Value |
|---|---|
| Test Case ID | TC-027 |
| Feature | F4.1 User Management CRUD |
| Title | Admin can invite a new user |
| Gherkin Ref | AC-070 |
| Priority | P0 |
| Test Steps | Admin POST /users/invite with email, role, store_id |
| Expected Result | 201, invitation email sent, user status=pending |
| Actual Result | TBD |
| Status | Pending |
TC-028: F4.1 — Admin can deactivate user
| Field | Value |
|---|---|
| Test Case ID | TC-028 |
| Feature | F4.1 User Management CRUD |
| Title | Admin can deactivate a user |
| Gherkin Ref | AC-074 |
| Priority | P0 |
| Test Steps | Admin PATCH /users/{id} with status=deactivated |
| Expected Result | 200, deactivated user can no longer log in |
| Actual Result | TBD |
| Status | Pending |
TC-029: F4.1 — Deactivated user login blocked
| Field | Value |
|---|---|
| Test Case ID | TC-029 |
| Feature | F4.1 User Management CRUD |
| Title | Deactivated user receives 401 on login |
| Gherkin Ref | AC-075 |
| Priority | P0 |
| Test Steps | Login with deactivated@test.local |
| Expected Result | 401, error "Account deactivated" |
| Actual Result | TBD |
| Status | Pending |
TC-030: F5.1 — Admin can create product
| Field | Value |
|---|---|
| Test Case ID | TC-030 |
| Feature | F5.1 Product Master Data CRUD |
| Title | Admin can create a product with all required fields |
| Gherkin Ref | AC-080 |
| Priority | P0 |
| Test Steps | Admin POST /products with name, sku_code, price, category, attributes |
| Expected Result | 201, product created with the company's tenant_id |
| Actual Result | TBD |
| Status | Pending |
TC-031: F5.1 — Product without required field name → error
| Field | Value |
|---|---|
| Test Case ID | TC-031 |
| Feature | F5.1 Product Master Data CRUD |
| Title | Product creation without required field "name" → error |
| Gherkin Ref | AC-081 |
| Priority | P1 |
| Test Steps | Admin POST /products without name |
| Expected Result | 400, validation error for field "name" |
| Actual Result | TBD |
| Status | Pending |
TC-032: F5.1 — Fashion attributes (size, color, season)
| Field | Value |
|---|---|
| Test Case ID | TC-032 |
| Feature | F5.1 Product Master Data CRUD |
| Title | Product with fashion-specific attributes |
| Gherkin Ref | AC-082 |
| Priority | P1 |
| Test Steps | Admin POST /products with size, color, season attributes |
| Expected Result | 201, attributes stored correctly |
| Actual Result | TBD |
| Status | Pending |
TC-033: F5.1 — Manager can create products
| Field | Value |
|---|---|
| Test Case ID | TC-033 |
| Feature | F5.1 Product Master Data CRUD |
| Title | Manager can create products |
| Gherkin Ref | AC-085 |
| Priority | P1 |
| Test Steps | Manager POST /products |
| Expected Result | 201 (manager has product creation rights) |
| Actual Result | TBD |
| Status | Pending |
TC-034: F5.1 — Sales cannot create products
| Field | Value |
|---|---|
| Test Case ID | TC-034 |
| Feature | F5.1 Product Master Data CRUD |
| Title | Sales cannot create products |
| Gherkin Ref | AC-086 |
| Priority | P0 |
| Test Steps | Sales POST /products |
| Expected Result | 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-035: F5.1 — Tenant isolation for products
| Field | Value |
|---|---|
| Test Case ID | TC-035 |
| Feature | F5.1 Product Master Data CRUD |
| Title | User from Company A sees no products from Company B |
| Gherkin Ref | AC-087 |
| Priority | P0 |
| Security Relevance | Multi-tenant isolation |
| Test Steps | User A GET /products → must not see products of Company B |
| Expected Result | Company B products not in the results |
| Actual Result | TBD |
| Status | Pending |
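Tenant isolation as TC-008, TC-018 and TC-035 describe it (the tenant taken from the JWT's company_id, list results filtered server-side, cross-tenant single-resource access answered with 403) is shown below as an added example. It is not Cartly project code: the in-memory `products` and `stores` rows are constructed, and the request context shape, the function names and the editable-field whitelist are assumptions. With Prisma the same `companyId` condition would be part of every `where` clause.

```javascript
// Added example (not Cartly project code): tenant-scoped reads and writes modelled on
// TC-008, TC-018 and TC-035. The in-memory tables, the request context shape
// ({ userId, companyId } taken from the verified JWT) and the function names are
// assumptions; with Prisma the same companyId condition would go into every `where`.
const products = [ // constructed sample rows
  { id: 'p-1', companyId: 'company-a', name: 'Jeans', sku: 'JN-001' },
  { id: 'p-2', companyId: 'company-b', name: 'Shirt', sku: 'SH-001' },
  { id: 'p-3', companyId: 'company-a', name: 'Jacket', sku: 'JK-001' },
];
const stores = [ // constructed sample rows
  { id: 's-1', companyId: 'company-a', name: 'Berlin' },
  { id: 's-2', companyId: 'company-b', name: 'Hamburg' },
];

// The tenant id comes only from the request context (the JWT's company_id claim),
// never from the body, query string or path, so a caller cannot choose another tenant.
function tenantFilter(ctx) {
  if (!ctx || typeof ctx.companyId !== 'string' || ctx.companyId === '') {
    throw new Error('request context carries no tenant');
  }
  return (row) => row.companyId === ctx.companyId;
}

// List endpoints: filter server-side, so other tenants' rows never reach the response.
function listProducts(ctx) {
  return { status: 200, body: products.filter(tenantFilter(ctx)) };
}

// Single-resource endpoints: look up, then enforce the tenant match (403, as the plan expects).
function getStore(ctx, storeId) {
  const store = stores.find((s) => s.id === storeId);
  if (!store) return { status: 404, error: 'Not found' };
  if (!tenantFilter(ctx)(store)) return { status: 403, error: 'Access denied' };
  return { status: 200, body: store };
}

// Writes get the same guard plus a field whitelist: companyId is never client-writable.
const EDITABLE_STORE_FIELDS = ['name'];
function updateStore(ctx, storeId, patch) {
  const found = getStore(ctx, storeId);
  if (found.status !== 200) return found;
  for (const key of EDITABLE_STORE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(patch, key)) found.body[key] = patch[key];
  }
  return found;
}
```

The plan specifies 403 for a foreign-tenant resource; note that this confirms the resource exists, which is why some APIs return 404 in that case instead. Whichever the team chooses, the test for TC-018 should assert on that one code, and the whitelist in `updateStore` is what keeps a PATCH from moving a row into another tenant.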
Test Metrics (Target Values)
| Metric | Target |
|---|---|
| Test Coverage (Gherkin AC) | ≥ 95% |
| Critical Bugs before Release | 0 |
| P0 Test Cases Pass Rate | 100% |
| Security Issues | 0 |
| Test Automation | ≥ 70% (API tests) |
Bug Report Template
## Bug Report: [Short title]
**Issue ID:** BR-[No.]
**Severity:** P0 / P1 / P2 / P3
**Feature:** F[x.y]
**Test Case:** TC-[xxx]
**Reported By:** QA
**Date:** YYYY-MM-DD
### Description
[Clear description of the bug]
### Steps to Reproduce
1. [Step 1]
2. [Step 2]
3. [Step 3]
### Expected Behavior
[What should happen]
### Actual Behavior
[What actually happens]
### Environment
- API: http://10.10.1.195:3100/api
- Company: f9a8031f
- User/Role: [Test account]
### Screenshots/Logs
[If available]
### Priority Rationale
[Why this severity]
Appendix: API Endpoints (Expected)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /auth/login | None | Email/Password Login |
| POST | /auth/register | None | User Registration |
| POST | /auth/refresh | Cookie | Token Refresh |
| POST | /auth/password-reset | None | Password Reset Request |
| POST | /auth/password-reset/confirm | None | Password Reset Confirm |
| GET | /companies/:id | JWT | Company details |
| PATCH | /companies/:id | JWT (admin) | Edit company |
| POST | /stores | JWT (admin) | Create store |
| GET | /stores | JWT | List stores |
| PATCH | /stores/:id | JWT (admin) | Edit store |
| DELETE | /stores/:id | JWT (admin) | Deactivate store |
| POST | /users/invite | JWT (admin) | Invite user |
| GET | /users | JWT | List users |
| PATCH | /users/:id | JWT (admin) | Edit user |
| DELETE | /users/:id | JWT (admin) | Deactivate user |
| POST | /products | JWT (admin/manager) | Create product |
| GET | /products | JWT | List products |
| PATCH | /products/:id | JWT (admin/manager) | Edit product |
| DELETE | /products/:id | JWT (admin) | Deactivate product |
| POST | /categories | JWT (admin) | Create category |
| GET | /categories | JWT | List categories |
Note: the exact endpoints depend on the DEV Sprint 1 implementation; verify them after CAR-15 is completed and update this table accordingly.
Addendum: Security & Edge-Case Tests (F6)
Added by QA review (2026-07-03), AC-110 to AC-115
TC-036: F6 — Account lockout after 5 failed login attempts
| Field | Value |
|---|---|
| Test Case ID | TC-036 |
| Feature | F6 Authentication Security |
| Title | Account is locked for 30 min after 6 failed attempts |
| Gherkin Ref | AC-110 |
| Priority | P0 |
| Security Relevance | Brute-force protection |
| Test Steps | 1. Wrong password 6 times in a row, 2. Login attempt with the correct password |
| Expected Result | 429, error "Account temporarily locked" |
| Actual Result | TBD |
| Status | Pending |
TC-037: F6 — JWT manipulation detection
| Field | Value |
|---|---|
| Test Case ID | TC-037 |
| Feature | F6 Authentication Security |
| Title | Modified JWT → 401 |
| Gherkin Ref | AC-111 |
| Priority | P0 |
| Security Relevance | Token integrity |
| Test Steps | 1. Modify the JWT payload (role → admin), 2. Request with the modified token |
| Expected Result | 401, error "Invalid token signature" |
| Actual Result | TBD |
| Status | Pending |
TC-038: F6 — Rate limiting
| Field | Value |
|---|---|
| Test Case ID | TC-038 |
| Feature | F6 Authentication Security |
| Title | Rate limit: 21 login attempts/min → 429 |
| Gherkin Ref | AC-112 |
| Priority | P0 |
| Security Relevance | DoS protection |
| Test Steps | 21 login attempts within 1 minute from the same IP |
| Expected Result | 429, error "Rate limit exceeded" |
| Actual Result | TBD |
| Status | Pending |
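The two throttling rules from TC-036 and TC-038 (lock an account for 30 minutes after 5 failures, reject the 21st login attempt from one IP within a minute) are shown below in an in-memory login handler, as an added example and not Cartly project code. The thresholds are taken from the test cases; the storage, the function names, the injectable clock and the plain-text credential store are assumptions made so the block runs offline.

```javascript
// Added example (not Cartly project code): in-memory failed-login tracking modelling
// TC-036 (account lock after repeated failures) and TC-038 (per-IP rate limit on
// /auth/login). Thresholds come from the test cases; the storage, function names and
// the injectable clock `now` are assumptions.
const MAX_FAILED_ATTEMPTS = 5;           // TC-036: lock after 5 failures
const LOCK_DURATION_MS = 30 * 60 * 1000; // 30 minutes
const RATE_LIMIT_PER_MINUTE = 20;        // TC-038: the 21st attempt within a minute is rejected
const RATE_WINDOW_MS = 60 * 1000;

const failedByAccount = new Map(); // email -> { count, lockedUntil }
const attemptsByIp = new Map();    // ip -> [timestamps within the current window]

// Constructed credential store; a real one holds Argon2/bcrypt hashes, never plain text.
const credentials = new Map([['sarah@meinladen.de', 'correct horse battery staple']]);

// Sliding window per IP; counts every attempt, successful or not.
function checkRateLimit(ip, now) {
  const recent = (attemptsByIp.get(ip) || []).filter((t) => now - t < RATE_WINDOW_MS);
  recent.push(now);
  attemptsByIp.set(ip, recent);
  return recent.length <= RATE_LIMIT_PER_MINUTE;
}

function login({ email, password, ip }, now = Date.now()) {
  if (!checkRateLimit(ip, now)) return { status: 429, error: 'Rate limit exceeded' };

  // The lock is checked before the password, so a correct password during the lock
  // still gets 429 (TC-036 step 2). Unknown accounts are tracked too, so the lock
  // behaviour does not reveal which addresses exist.
  const state = failedByAccount.get(email) || { count: 0, lockedUntil: 0 };
  if (state.lockedUntil > now) return { status: 429, error: 'Account temporarily locked' };

  const ok = credentials.has(email) && credentials.get(email) === password; // constant-time compare in production
  if (!ok) {
    state.count += 1;
    if (state.count >= MAX_FAILED_ATTEMPTS) {
      state.lockedUntil = now + LOCK_DURATION_MS;
      state.count = 0;
    }
    failedByAccount.set(email, state);
    return { status: 401, error: 'Invalid credentials' }; // same message for unknown user and wrong password
  }
  failedByAccount.delete(email); // a successful login resets the failure counter
  return { status: 200, body: { accessToken: 'issued-here' } };
}
```

The automation for TC-036 and TC-038 needs to send attempts from the same IP and the same account respectively; running both against one account from one IP trips the rate limit first, so keep the fixtures separate.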
TC-039: F6 — XSS in email field
| Field | Value |
|---|---|
| Test Case ID | TC-039 |
| Feature | F6 Authentication Security |
| Title | XSS in the email field → rejected/escaped |
| Gherkin Ref | AC-113 |
| Priority | P0 |
| Security Relevance | Input validation |
| Test Steps | Registration with email="@test.de" |
| Expected Result | 400, or XSS escaped in the DB |
| Actual Result | TBD |
| Status | Pending |
TC-040: F6 — SQL injection prevention
| Field | Value |
|---|---|
| Test Case ID | TC-040 |
| Feature | F6 Authentication Security |
| Title | SQL injection in the login field → 401 (no SQL error leak) |
| Gherkin Ref | AC-114 |
| Priority | P0 |
| Security Relevance | Injection prevention |
| Test Steps | Login with email="' OR '1'='1" |
| Expected Result | 401 (no 500, no SQL error in the response) |
| Actual Result | TBD |
| Status | Pending |
TC-041: F6 — Access token expiry
| Field | Value |
|---|---|
| Test Case ID | TC-041 |
| Feature | F6 Authentication Security |
| Title | Access token expires after 15 minutes |
| Gherkin Ref | AC-115 |
| Priority | P0 |
| Test Steps | Request with an access token 16 min after issuance |
| Expected Result | 401, error "Token expired" |
| Actual Result | TBD |
| Status | Pending |
Addendum: Category & SKU Tests (F5.2, F5.3)
TC-042: F5.2 — Admin can create a top-level category
| Field | Value |
|---|---|
| Test Case ID | TC-042 |
| Feature | F5.2 Category Management |
| Title | Admin can create a category |
| Gherkin Ref | AC-090 |
| Priority | P1 |
| Test Steps | Admin POST /categories with name, slug |
| Expected Result | 201, category created with tenant_id |
| Actual Result | TBD |
| Status | Pending |
TC-043: F5.2 — Subcategory with parent ID
| Field | Value |
|---|---|
| Test Case ID | TC-043 |
| Feature | F5.2 Category Management |
| Title | Admin can create a subcategory with parent_id |
| Gherkin Ref | AC-091 |
| Priority | P1 |
| Test Steps | POST /categories with parent_id |
| Expected Result | 201, parent_id linked, category tree consistent |
| Actual Result | TBD |
| Status | Pending |
TC-044: F5.2 — Invalid parent ID → error
| Field | Value |
|---|---|
| Test Case ID | TC-044 |
| Feature | F5.2 Category Management |
| Title | Category with non-existent parent ID → 400 |
| Gherkin Ref | AC-092 |
| Priority | P2 |
| Test Steps | POST /categories with parent_id=999 |
| Expected Result | 400, error "Parent category not found" |
| Actual Result | TBD |
| Status | Pending |
TC-045: F5.2 — Manager cannot delete categories
| Field | Value |
|---|---|
| Test Case ID | TC-045 |
| Feature | F5.2 Category Management |
| Title | Manager has no delete rights for categories |
| Gherkin Ref | AC-093 |
| Priority | P1 |
| Test Steps | Manager DELETE /categories/{id} |
| Expected Result | 403 Forbidden |
| Actual Result | TBD |
| Status | Pending |
TC-046: F5.3 — SKU uniqueness per company
| Field | Value |
|---|---|
| Test Case ID | TC-046 |
| Feature | F5.3 SKU Management |
| Title | SKU code must be unique per company |
| Gherkin Ref | AC-100 |
| Priority | P0 |
| Test Steps | POST /products twice with the same SKU in Company A |
| Expected Result | 2nd request: 409, error "SKU already exists in this company" |
| Actual Result | TBD |
| Status | Pending |
TC-047: F5.3 — Stock differs per store
| Field | Value |
|---|---|
| Test Case ID | TC-047 |
| Feature | F5.3 SKU Management |
| Title | Stock quantity can be maintained per store individually |
| Gherkin Ref | AC-101 |
| Priority | P1 |
| Test Steps | PATCH /products/{id}/stock with store_id + qty for 2 stores |
| Expected Result | Store 1: qty=50, Store 2: qty=0 |
| Actual Result | TBD |
| Status | Pending |
Test Execution Checklist (Pre-Release QA Gate)
Phase 1: Setup
Phase 2: Auth Tests (F1)
Phase 3: RBAC Tests (F2)
Phase 4: Business Logic Tests (F3-F5)
Phase 5: Security Tests (F6)
Phase 6: Multi-Tenant Isolation (F7)
QA Gate Criteria for Release
| Criterion | Threshold |
|---|---|
| P0 Test Pass Rate | 100% |
| P1 Test Pass Rate | ≥ 95% |
| Security Issues (P0/P1) | 0 |
| Critical Bugs Open | 0 |
Last update: 2026-07-03 by QA (8d0de613): security, category and SKU tests added