Settings
Profile Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-001 | User views profile information | Logged in as any role | 1. Go to /settings 2. Click "Profile" tab | Profile tab loads with user's full_name, email, phone fields pre-filled | High |
| SET-002 | User updates full name only | Logged in, at Profile tab | 1. Clear full_name field 2. Type "Jane Smith" 3. Click Save | Success toast appears. Profile updates. Page stays at Profile tab | High |
| SET-003 | Non-manager cannot edit email or org phone | Logged in as Agent, at Profile tab | 1. Try to edit email field 2. Try to edit phone field | Email and phone fields are disabled (read-only) for non-managers | High |
| SET-004 | Manager can edit email and phone | Logged in as Manager/Admin with manage_organization permission, at Profile tab | 1. Change email to "newemail@example.com" 2. Change phone to "+14155552671" 3. Click Save | Success toast. Both fields update. Changes persist after refresh | High |
| SET-005 | Validation: empty phone when manager edits | Logged in as Manager, at Profile tab | 1. Clear phone field (if it had a value) 2. Click Save | Error toast: "Phone number cannot be empty." Phone field remains empty, not saved | Medium |
| SET-006 | Validation: invalid E.164 phone format | Logged in as Manager, at Profile tab | 1. Enter phone "123456" (invalid format) 2. Click Save | Error message: "Please enter a valid mobile number." Phone not saved | Medium |
| SET-007 | Validation: valid E.164 phone with leading + | Logged in as Manager, at Profile tab | 1. Enter phone "+1 (415) 555-2671" or "+14155552671" 2. Click Save | Success toast. Phone saves in E.164 format | High |
| SET-008 | No changes does not trigger save | Logged in, at Profile tab with values pre-filled | 1. Do not change any field 2. Click Save | Success toast appears (idempotent) | Low |
| SET-009 | Profile save error handling | Logged in, at Profile tab, API is down | 1. Make any change 2. Click Save | Error toast displays. Form retains values for retry | Medium |
Password Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-010 | User views password change form | Logged in, at Settings Profile tab | 1. Scroll to "Change Password" section | Password form displays with current_password, new_password, confirm_password fields | High |
| SET-011 | Valid password change | Logged in, at password form | 1. Enter current password 2. Enter new password "NewP@ssw0rd!" 3. Enter same in confirm field 4. Click Save | Success toast: "Password updated." Form clears | High |
| SET-012 | Validation: incorrect current password | Logged in, at password form | 1. Enter wrong current password 2. Enter new password 3. Click Save | Error: "Current password is incorrect." Password not changed | High |
| SET-013 | Validation: new password too short | Logged in, at password form | 1. Enter current password 2. Enter new password "abc" 3. Click Save | Error: "Password must be at least 8 characters." | Medium |
| SET-014 | Validation: confirm password mismatch | Logged in, at password form | 1. Enter current password 2. Enter new password "NewP@ssw0rd!" 3. Enter different confirm "Different123!" 4. Click Save | Error: "Passwords do not match." | Medium |
| SET-015 | Validation: new password same as current | Logged in, at password form | 1. Enter current password "OldP@ssw0rd!" 2. Enter same in new password field 3. Click Save | Error: "New password must be different from current password." | Medium |
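The password rules in SET-012 through SET-015 are checked in a fixed order on the server, and the current password is verified against a stored hash rather than a stored password. The following is an added example of that flow, not code from the project under test: the PBKDF2 parameters, the `User` class and the error strings being returned as plain values are assumptions made here for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_LENGTH = 8      # the "at least 8 characters" rule from SET-013
PBKDF2_ITERATIONS = 200_000  # assumed work factor; the page does not state the hashing scheme


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess takes the same time as a right one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    """Hypothetical user record holding only the salted hash, never the password itself."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)


def change_password(user: User, current_password: str, new_password: str,
                    confirm_password: str) -> Optional[str]:
    """Apply the SET-012..SET-015 rules; return the error message, or None after a successful change."""
    if not verify_password(current_password, user.salt, user.digest):
        return "Current password is incorrect."
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return "Password must be at least 8 characters."
    if new_password != confirm_password:
        return "Passwords do not match."
    if new_password == current_password:
        return "New password must be different from current password."
    # All checks passed: re-salt and re-hash, which also invalidates the old hash.
    user.salt, user.digest = hash_password(new_password)
    return None
```

Checking the current password first means the length, mismatch and same-as-current rules are only ever reported to someone who already holds the account's current credential; the re-hash on success draws a new salt, so the old digest cannot be replayed.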
WhatsApp Accounts
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-016 | User views WhatsApp accounts list | Logged in, at least one WhatsApp account connected | 1. Go to /settings 2. Click "WhatsApp" tab | List displays all connected accounts with phone_number_id, display_phone_number, verified_name, quality_rating, is_active status | High |
| SET-017 | Empty WhatsApp accounts state | Logged in, no WhatsApp accounts connected | 1. Go to /settings 2. Click "WhatsApp" tab | Empty state message displays. "Connect Account" button visible | High |
| SET-018 | Connect WhatsApp account via Facebook picker | Logged in, at WhatsApp tab with no accounts | 1. Click "Connect Account" button 2. Facebook authentication modal opens 3. Select a phone number from Meta account 4. Click Confirm | Account added to list. Success toast. Page refreshes to show new account | High |
| SET-019 | Validation: cannot add duplicate phone_number_id | Logged in, one account exists with phone_number_id "123", at WhatsApp tab | 1. Click "Connect Account" 2. Select same phone_number_id "123" from Meta 3. Click Confirm | Error toast or validation prevents duplicate. Original account remains | High |
| SET-020 | Meta API error during account fetch | Logged in, at WhatsApp tab, Meta API returns 401 | 1. Click "Connect Account" 2. Modal attempts to fetch accounts | Modal displays error: "Unable to fetch Meta accounts. Please check your Facebook connection." | Medium |
| SET-021 | User can view account metadata on WhatsApp tab | Logged in with one account, at WhatsApp tab | 1. Look at displayed account row | Display shows: waba_id, phone_number_id, display_phone_number, verified_name, quality_rating, messaging_limit_tier, is_active toggle | High |
| SET-022 | Disable/enable WhatsApp account | Logged in with active account, at WhatsApp tab | 1. Click is_active toggle for an account | Account is_active status toggles. Visual indicator (badge color) updates. Change persists after page refresh | High |
| SET-023 | Delete WhatsApp account | Logged in with multiple accounts, at WhatsApp tab | 1. Click Trash icon on an account 2. Confirm deletion | Account removed from list. Success toast. Related contacts/conversations still accessible (soft delete or archival) | High |
Organization Settings
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-024 | Admin views organization details | Logged in as Admin, at Organization tab | 1. Go to /settings 2. Click "Organization" tab | Organization name, timezone, country, contact email, contact phone displayed | High |
| SET-025 | Non-admin cannot view organization settings | Logged in as Agent, at Settings | 1. Try to access Organization tab (if visible) 2. Click it | Tab is disabled/hidden OR page redirects with 403 error | High |
| SET-026 | Admin edits organization name | Logged in as Admin, at Organization tab | 1. Change org name to "Acme Corp 2.0" 2. Click Save | Success toast. Name updates. Change visible in org switcher header after refresh | High |
| SET-027 | Admin edits organization timezone | Logged in as Admin, at Organization tab | 1. Open timezone dropdown 2. Select "America/Los_Angeles" 3. Click Save | Success toast. Timezone updates. All dates/times in UI reflect new timezone | High |
| SET-028 | Admin edits organization contact info | Logged in as Admin, at Organization tab | 1. Update contact_email to "admin@newcompany.com" 2. Update contact_phone to "+15551234567" 3. Click Save | Success toast. Contact info updates for invoices/billing | High |
| SET-029 | Validation: invalid email in org contact | Logged in as Admin, at Organization tab | 1. Enter contact_email "invalid-email" 2. Click Save | Error: "Please enter a valid email address." | Medium |
| SET-030 | Validation: invalid phone in org contact | Logged in as Admin, at Organization tab | 1. Enter contact_phone "123" (invalid E.164) 2. Click Save | Error: "Please enter a valid phone number." | Medium |
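The phone checks in SET-005 through SET-007 (profile) and SET-029/SET-030 (organization contact) share one rule: normalise the input by stripping formatting, then accept only E.164 (a leading "+", a country code starting 1 to 9, at most 15 digits). The block below is an added example of that normaliser and the surrounding form validation, not the project's own code; the regular expressions, the function names and the simple email shape check are assumptions made here.

```python
import re
from typing import Optional, Tuple

# E.164: leading "+", first digit 1-9, at most 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")
# Deliberately simple email shape check: one "@", non-empty local part, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_phone(raw: str) -> Optional[str]:
    """Strip spaces, parentheses, hyphens and dots; return the E.164 form or None if invalid."""
    compact = re.sub(r"[\s().-]", "", raw.strip())
    return compact if E164_RE.match(compact) else None


def validate_profile_phone(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """SET-005..SET-007: return (normalized_phone, error) for the profile phone field."""
    if not raw.strip():
        return None, "Phone number cannot be empty."
    phone = normalize_phone(raw)
    if phone is None:
        return None, "Please enter a valid mobile number."
    return phone, None


def validate_org_contact(contact_email: str, contact_phone: str) -> dict:
    """SET-029/SET-030: return {"errors": {field: message}, "values": {field: normalized}}."""
    errors, values = {}, {}
    email = contact_email.strip()
    if EMAIL_RE.match(email):
        values["contact_email"] = email
    else:
        errors["contact_email"] = "Please enter a valid email address."
    phone = normalize_phone(contact_phone)
    if phone is None:
        errors["contact_phone"] = "Please enter a valid phone number."
    else:
        values["contact_phone"] = phone
    return {"errors": errors, "values": values}
```

Because only the normalised value is stored, "+1 (415) 555-2671" and "+14155552671" end up as the same record, which is what makes the duplicate and lookup behaviour elsewhere in the app predictable.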
Members Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-031 | Admin views all organization members | Logged in as Admin, at Members tab | 1. Go to /settings 2. Click "Members" tab | List displays all members with email, full_name, role_name, is_active, user_id | High |
| SET-032 | Non-admin cannot view members list | Logged in as Agent, at Settings | 1. Try to navigate to Members tab | Tab is disabled/hidden OR 403 error | High |
| SET-033 | Admin invites new member | Logged in as Admin, at Members tab | 1. Click "Invite Member" button 2. Enter email "newuser@example.com" 3. Select role "Agent" 4. Click Send Invite | Success toast: "Invitation sent." User added to list with status "invited" (pending acceptance) | High |
| SET-034 | Validation: duplicate member email invitation | Logged in as Admin, at Members tab with "john@example.com" already member | 1. Click "Invite Member" 2. Enter "john@example.com" 3. Click Send Invite | Error: "User is already a member of this organization." | Medium |
| SET-035 | Admin changes member role | Logged in as Admin, at Members tab | 1. Click member row or edit icon 2. Change role dropdown from "Agent" to "Manager" 3. Click Save | Member role updates immediately in list. Changes persist after refresh | High |
| SET-036 | Admin deactivates member | Logged in as Admin, at Members tab | 1. Find active member 2. Click deactivate/toggle button | Member is_active becomes false. Badge shows "inactive". User cannot log in anymore | High |
| SET-037 | Admin reactivates deactivated member | Logged in as Admin, at Members tab | 1. Find deactivated member 2. Click activate/toggle button | Member is_active becomes true. Badge shows "active". User can log in again | Medium |
| SET-038 | Admin removes member | Logged in as Admin, at Members tab | 1. Click remove/delete icon on a member 2. Confirm | Member removed from list. Success toast. User access revoked | High |
| SET-039 | Member cannot manage other members | Logged in as Member role, at Settings | 1. Try to access Members tab | Tab is disabled/hidden OR 403 error | High |
Teams Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-040 | User views teams list | Logged in as Manager/Admin, at Teams tab | 1. Go to /settings 2. Click "Teams" tab | List displays all teams with name, description, member_count | High |
| SET-041 | Non-manager cannot view teams | Logged in as Agent, at Settings | 1. Try to access Teams tab | Tab is disabled/hidden OR 403 error | Medium |
| SET-042 | Manager creates team | Logged in as Manager, at Teams tab | 1. Click "Create Team" button 2. Enter name "Sales Team" 3. Enter description "Handles sales inquiries" 4. Click Save | Team added to list. Success toast. member_count shows 0 | High |
| SET-043 | Validation: team name required | Logged in as Manager, at create team modal | 1. Leave name empty 2. Click Save | Error: "Team name is required." Modal stays open | Medium |
| SET-044 | Manager edits team | Logged in as Manager, viewing a team, at Teams tab | 1. Click edit icon on team row 2. Change name to "New Sales Team" 3. Click Save | Team name updates in list. Success toast | High |
| SET-045 | Manager deletes team | Logged in as Manager, at Teams tab | 1. Click delete/trash icon on team 2. Confirm | Team removed from list. Success toast. Members no longer assigned to deleted team | High |
| SET-046 | Manager selects team and views members | Logged in as Manager, at Teams tab | 1. Click team row or "View Members" button | Team detail view opens. List of members (if any) displays with user email and full_name | High |
| SET-047 | Manager adds existing member to team | Logged in as Manager, viewing team members, at Teams tab | 1. Click "Add Member" button 2. Select a member from dropdown 3. Click Add | Member added to team. member_count increments. Success toast | High |
| SET-048 | Validation: cannot add inactive member to team | Logged in as Manager, viewing team members | 1. Click "Add Member" 2. Open dropdown | Dropdown only shows active members. Inactive members grayed out or hidden | Medium |
| SET-049 | Manager removes member from team | Logged in as Manager, viewing team members with 2+ members | 1. Click remove/X icon on a member 2. Confirm | Member removed from team. member_count decrements. Success toast. Member stays in organization | High |
| SET-050 | Member cannot manage teams | Logged in as Member role | 1. Try to access Teams tab | Tab is disabled/hidden OR 403 error | Medium |
API Keys Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-051 | User views API keys list | Logged in with api_keys:read permission, at API Keys tab | 1. Go to /settings 2. Click "API Keys" tab | List displays all API keys with name, key_prefix (e.g., "sk_live_abc123..."), scopes, expires_at, is_active status | High |
| SET-052 | Non-privileged user cannot view API keys | Logged in as Agent without api_keys:read permission | 1. Try to navigate to API Keys tab | Tab is disabled/hidden OR 403 error on page load | High |
| SET-053 | User creates API key | Logged in with api_keys:write permission, at API Keys tab | 1. Click "Create API Key" button 2. Enter name "Webhook Integrations" 3. Select scopes: contacts:read, messages:write 4. Set expiry "30 days" 5. Click Create | Modal displays full raw key (shown only once). Success toast. Key added to list with key_prefix visible | High |
| SET-054 | Raw API key is displayed only once | Logged in, just created an API key | 1. Observe the revealed key modal 2. Close modal without copying 3. Refresh page | Key no longer shown. User must regenerate to obtain new key. key_prefix still visible in list | High |
| SET-055 | User copies API key from modal | Logged in, at revealed key modal | 1. Click "Copy" button next to raw key | Key copied to clipboard. Toast shows "Copied!" | High |
| SET-056 | Validation: API key name required | Logged in with api_keys:write permission, at create modal | 1. Leave name empty 2. Click Create | Error: "Name is required." Modal stays open | Medium |
| SET-057 | Validation: at least one scope required | Logged in with api_keys:write permission, at create modal | 1. Enter name "Test Key" 2. Deselect all scopes 3. Click Create | Error: "At least one scope must be selected." | Medium |
| SET-058 | User updates API key name | Logged in with api_keys:write permission, viewing a key | 1. Click edit icon or key name 2. Change name to "Updated Key Name" 3. Click Save | Name updates in list. Success toast. Raw key unchanged | High |
| SET-059 | User deactivates API key | Logged in with api_keys:write permission, viewing active key | 1. Click is_active toggle on key row | is_active becomes false. Key no longer works for API calls. Badge shows "inactive" | High |
| SET-060 | User reactivates API key | Logged in with api_keys:write permission, viewing inactive key | 1. Click is_active toggle on key row | is_active becomes true. Key works again. Badge shows "active" | Medium |
| SET-061 | User deletes API key | Logged in with api_keys:delete permission, at API Keys tab | 1. Click delete/trash icon on a key 2. Confirm | Key removed from list. Success toast. Key no longer valid for API calls | High |
| SET-062 | Non-privileged user cannot create API key | Logged in without api_keys:write permission | 1. Try to click "Create API Key" button | Button is disabled or hidden | Medium |
| SET-063 | Non-privileged user cannot delete API key | Logged in with api_keys:read but not api_keys:delete permission | 1. View API key in list 2. Try to click delete icon | Delete icon is disabled or hidden | Medium |
| SET-064 | Audit log created for API key creation | Logged in with api_keys:write permission, creates new API key | 1. At API Keys tab, create key "Test Audit" 2. Go to Audit Logs tab | Audit entry shows: action=api_key.created, resource_id=key_id, metadata includes name | High |
| SET-065 | Audit log created for API key deletion | Logged in with api_keys:delete permission, deletes key | 1. At API Keys tab, delete a key 2. Go to Audit Logs tab | Audit entry shows: action=api_key.deleted, resource_id=key_id | High |
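SET-053, SET-054, SET-059, SET-061 and SET-064/SET-065 together describe the API key lifecycle: the raw key is returned exactly once at creation, only a display prefix and a hash are retained, an inactive or deleted key stops authenticating, and creation and deletion are audited. The following is an added example of a store that behaves that way; it is not the project's code. The `sk_live_` prefix shape comes from SET-051, while the hash function, the 14-character display prefix, the class and method names and the in-memory storage are assumptions made here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

KEY_PREFIX = "sk_live_"      # prefix shape from SET-051; everything after it is random
PREFIX_DISPLAY_CHARS = 14    # how much of the raw key the list shows as key_prefix (assumed)


def validate_create(name: str, scopes: List[str]) -> Optional[str]:
    """SET-056/SET-057: return the validation error, or None when the request is acceptable."""
    if not name.strip():
        return "Name is required."
    if not scopes:
        return "At least one scope must be selected."
    return None


@dataclass
class ApiKey:
    key_id: str
    name: str
    key_prefix: str            # safe to display; not enough to authenticate
    key_hash: str              # SHA-256 of the raw key; the raw key is never persisted
    scopes: List[str]
    expires_at: Optional[datetime]
    is_active: bool = True


@dataclass
class AuditEntry:
    action: str
    resource_type: str
    resource_id: str
    metadata: dict = field(default_factory=dict)


def _hash_key(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical in-memory store; a real deployment would back this with a database."""

    def __init__(self):
        self.keys: Dict[str, ApiKey] = {}
        self.audit: List[AuditEntry] = []

    def create(self, name: str, scopes: List[str],
               expires_in_days: Optional[int]) -> Tuple[ApiKey, str]:
        err = validate_create(name, scopes)
        if err:
            raise ValueError(err)
        raw = KEY_PREFIX + secrets.token_urlsafe(32)
        expires = None
        if expires_in_days is not None:
            expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        key = ApiKey(key_id=secrets.token_hex(8), name=name.strip(),
                     key_prefix=raw[:PREFIX_DISPLAY_CHARS], key_hash=_hash_key(raw),
                     scopes=list(scopes), expires_at=expires)
        self.keys[key.key_id] = key
        self.audit.append(AuditEntry("api_key.created", "api_key", key.key_id, {"name": key.name}))
        return key, raw  # the raw key is handed back exactly once (SET-053/SET-054)

    def set_active(self, key_id: str, active: bool) -> None:
        self.keys[key_id].is_active = active

    def delete(self, key_id: str) -> None:
        del self.keys[key_id]
        self.audit.append(AuditEntry("api_key.deleted", "api_key", key_id))

    def authenticate(self, raw: str, required_scope: str,
                     now: Optional[datetime] = None) -> Optional[ApiKey]:
        """Return the key when the raw value is known, active, unexpired and carries the scope."""
        now = now or datetime.now(timezone.utc)
        candidate = _hash_key(raw)
        for key in self.keys.values():
            if not hmac.compare_digest(key.key_hash, candidate):
                continue
            if not key.is_active:                                   # SET-059
                return None
            if key.expires_at is not None and key.expires_at <= now:
                return None
            if required_scope not in key.scopes:
                return None
            return key
        return None  # unknown or deleted key (SET-061)
```

Storing only `key_hash` is what makes SET-054 hold: after the modal closes there is nothing on the server that could reveal the key again, so a database read cannot leak usable credentials and "regenerate" is the only recovery path. The audit entries carry `key_id`, not the hash or prefix, matching the `resource_id=key_id` expectation in SET-064/SET-065.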
Roles & Permissions
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-066 | Admin views roles and permissions list | Logged in as Admin, at Roles tab | 1. Go to /settings 2. Click "Roles" tab | List displays built-in roles (Admin, Manager, Member, Agent) with permission counts | High |
| SET-067 | Non-admin cannot view roles tab | Logged in as Agent, at Settings | 1. Try to click Roles tab | Tab is disabled/hidden OR 403 error | High |
| SET-068 | Admin views role detail and permissions | Logged in as Admin, at Roles tab | 1. Click a role row (e.g., "Agent") | Detail panel opens showing all permissions assigned to that role with checkboxes | High |
| SET-069 | Admin cannot delete built-in roles | Logged in as Admin, viewing a built-in role detail | 1. Look for delete button | Delete button is disabled or hidden for built-in roles | Medium |
| SET-070 | Admin views permission hierarchy | Logged in as Admin, at Roles tab | 1. Click on a role and view permissions section | Permissions are organized by resource type (contacts, messages, organization, api_keys, audit) | High |
Audit Logs
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-071 | User with audit:read views audit logs list | Logged in as Admin, at Audit Logs tab | 1. Go to /settings 2. Click "Audit Logs" tab | Paginated list displays audit entries with timestamp, action, resource_type, user, ip_address, metadata | High |
| SET-072 | Non-privileged user cannot view audit logs | Logged in as Agent without audit:read permission | 1. Try to access Audit Logs tab | Tab is disabled/hidden OR 403 error | High |
| SET-073 | Filter audit logs by action | Logged in with audit:read permission, at Audit Logs tab | 1. Click "Filter" or action dropdown 2. Select "user.login" 3. View results | List filters to only show login actions. Pagination updates | High |
| SET-074 | Filter audit logs by resource type | Logged in with audit:read permission, at Audit Logs tab | 1. Click resource_type filter 2. Select "api_key" 3. View results | List filters to show only api_key-related actions | High |
| SET-075 | Pagination: view next page of audit logs | Logged in with audit:read permission, 50+ audit entries exist | 1. At Audit Logs tab (page 1) 2. Click "Next" or page 2 button | Page 2 loads with different entries. Total count and page indicator update | Medium |
| SET-076 | Audit log entry shows metadata | Logged in with audit:read permission, at Audit Logs tab | 1. View an audit entry (e.g., api_key.created) 2. Expand or hover over metadata section | Metadata displays additional context (e.g., "name": "My Key") | High |
| SET-077 | Audit logs read-only | Logged in as Admin, at Audit Logs tab | 1. Try to delete, edit, or modify any audit entry | No delete/edit icons visible. Audit logs are immutable | High |
Form Tokens Management
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-078 | User with leads:view views form tokens list | Logged in with leads:view permission, at Form Tokens tab | 1. Go to /settings 2. Click "Form Tokens" tab | List displays form tokens with name, token_prefix, allowed_origins, rate_limit_per_hour, is_active status | High |
| SET-079 | Non-privileged user cannot view form tokens | Logged in as Agent without leads:view permission | 1. Try to access Form Tokens tab | Tab is disabled/hidden OR 403 error | High |
| SET-080 | User with leads:manage creates form token | Logged in with leads:manage permission, at Form Tokens tab | 1. Click "Create Token" button 2. Enter name "Website Form" 3. Enter allowed_origins "https://example.com, https://www.example.com" 4. Set rate_limit_per_hour to 100 5. Click Create | Modal displays raw token (shown once). Success toast. Token added to list with token_prefix visible | High |
| SET-081 | Raw form token displayed only once | Logged in, just created form token | 1. Observe revealed token modal 2. Close without copying 3. Refresh page | Raw token no longer shown. User must regenerate. token_prefix still visible | High |
| SET-082 | User copies form token from modal | Logged in, at revealed token modal | 1. Click "Copy" button next to raw token | Token copied to clipboard. Toast shows "Copied!" | High |
| SET-083 | Validation: form token name required | Logged in with leads:manage permission, at create modal | 1. Leave name empty 2. Click Create | Error: "Name is required." Modal stays open | Medium |
| SET-084 | Validation: invalid origin URL format | Logged in with leads:manage permission, at create modal | 1. Enter allowed_origins "not-a-url" 2. Click Create | Error: "Invalid URL format." | Medium |
| SET-085 | User updates form token | Logged in with leads:manage permission, viewing a token | 1. Click edit icon on token 2. Change name to "New Name" 3. Update allowed_origins 4. Click Save | Name and origins update in list. Success toast. Raw token unchanged | High |
| SET-086 | User deactivates form token | Logged in with leads:manage permission, viewing active token | 1. Click is_active toggle on token row | is_active becomes false. Form submissions using this token are rejected. Badge shows "inactive" | High |
| SET-087 | User reactivates form token | Logged in with leads:manage permission, viewing inactive token | 1. Click is_active toggle on token row | is_active becomes true. Form submissions accepted again. Badge shows "active" | Medium |
| SET-088 | User deletes form token | Logged in with leads:manage permission, at Form Tokens tab | 1. Click delete/trash icon on token 2. Confirm | Token removed from list. Success toast. Form submissions with this token are rejected | High |
| SET-089 | User regenerates form token | Logged in with leads:manage permission, viewing token | 1. Click "Regenerate" button on token 2. Confirm (modal warns old token will stop working) | Modal displays new raw token. Old token invalidated immediately. List updates. Success toast | High |
| SET-090 | Non-privileged user cannot create form token | Logged in without leads:manage permission | 1. Try to click "Create Token" button | Button is disabled or hidden | Medium |
| SET-091 | Non-privileged user cannot delete form token | Logged in with leads:view but not leads:manage permission | 1. View form token in list 2. Try to click delete icon | Delete icon is disabled or hidden | Medium |
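Form tokens add two controls that API keys do not have: an `allowed_origins` list that every submission is checked against (SET-080, SET-084) and a `rate_limit_per_hour` ceiling, plus an in-place regenerate that invalidates the old token at once (SET-089). The block below is an added example of how those checks compose on the submission path; it is not the project's code. The `ft_` prefix, the fixed one-hour window, the in-memory counters and all names are assumptions made here, and the origin parser treats anything with a path, query or fragment as not an origin.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_PREFIX = "ft_"         # assumed shape of the raw token; the page only names token_prefix
PREFIX_DISPLAY_CHARS = 9
WINDOW_SECONDS = 3600        # rate_limit_per_hour is enforced per fixed one-hour window


def parse_allowed_origins(raw: str) -> Tuple[List[str], Optional[str]]:
    """SET-080/SET-084: accept comma-separated scheme://host[:port] origins, lower-cased."""
    origins: List[str] = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        parts = urlsplit(item)
        # An origin is scheme + host (+ port) only; a path, query or fragment means it is not one.
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment):
            return [], "Invalid URL format."
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    if not origins:
        return [], "Invalid URL format."
    return origins, None


@dataclass
class FormToken:
    token_id: str
    name: str
    token_prefix: str
    token_hash: str                        # SHA-256 of the raw token; the raw token is never stored
    allowed_origins: List[str]
    rate_limit_per_hour: int
    is_active: bool = True
    window_start: Optional[float] = None   # in-memory fixed-window counter (assumption)
    window_count: int = 0


def _hash_token(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class FormTokenStore:
    def __init__(self):
        self.tokens: Dict[str, FormToken] = {}

    @staticmethod
    def _new_raw() -> str:
        return TOKEN_PREFIX + secrets.token_urlsafe(24)

    def create(self, name: str, allowed_origins_raw: str,
               rate_limit_per_hour: int) -> Tuple[Optional[str], Optional[str], Optional[str]]:
        """Return (token_id, raw_token, error); the raw token is shown once and not kept (SET-081)."""
        if not name.strip():
            return None, None, "Name is required."
        origins, err = parse_allowed_origins(allowed_origins_raw)
        if err:
            return None, None, err
        raw = self._new_raw()
        tok = FormToken(secrets.token_hex(8), name.strip(), raw[:PREFIX_DISPLAY_CHARS],
                        _hash_token(raw), origins, rate_limit_per_hour)
        self.tokens[tok.token_id] = tok
        return tok.token_id, raw, None

    def set_active(self, token_id: str, active: bool) -> None:
        self.tokens[token_id].is_active = active

    def regenerate(self, token_id: str) -> str:
        """SET-089: replace the secret in place; the old raw token stops matching immediately."""
        tok = self.tokens[token_id]
        raw = self._new_raw()
        tok.token_prefix, tok.token_hash = raw[:PREFIX_DISPLAY_CHARS], _hash_token(raw)
        return raw

    def _lookup(self, raw: str) -> Optional[FormToken]:
        candidate = _hash_token(raw)
        for tok in self.tokens.values():
            if hmac.compare_digest(tok.token_hash, candidate):
                return tok
        return None

    def check_submission(self, raw: str, origin: str, now: float) -> Tuple[bool, str]:
        """Decide whether a submission carrying `raw` from `origin` is accepted at time `now`."""
        tok = self._lookup(raw)
        if tok is None:
            return False, "unknown token"
        if not tok.is_active:                                        # SET-086
            return False, "token inactive"
        if origin.lower() not in tok.allowed_origins:
            return False, "origin not allowed"
        if tok.window_start is None or now - tok.window_start >= WINDOW_SECONDS:
            tok.window_start, tok.window_count = now, 0
        if tok.window_count >= tok.rate_limit_per_hour:
            return False, "rate limit exceeded"
        tok.window_count += 1
        return True, "accepted"
```

Callers pass `time.time()` as `now`; the parameter is explicit so the window logic can be tested without sleeping. Rejected-origin submissions are refused before the counter is touched, so a mistyped `Origin` header cannot burn the legitimate site's hourly quota.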
Notifications (if visible in tabs)
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-092 | User views notification preferences | Logged in, at Notifications tab | 1. Go to /settings 2. Click "Notifications" tab | Checkboxes or toggles for notification types: email_leads, sms_alerts, daily_digest, etc. with current user preferences | High |
| SET-093 | User enables email notifications | Logged in, at Notifications tab | 1. Toggle "Email Leads" to ON 2. Click Save | Preference saves. Success toast. User receives emails for future lead submissions | High |
| SET-094 | User disables SMS alerts | Logged in, at Notifications tab | 1. Toggle "SMS Alerts" to OFF 2. Click Save | Preference saves. Success toast. SMS alerts stop | High |
| SET-095 | Notification frequency preferences | Logged in, at Notifications tab | 1. Select "Daily Digest" frequency from dropdown 2. Click Save | Preference saves. Notifications consolidated daily instead of real-time | Medium |
Tab Navigation & State
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-096 | Tab navigation persists in URL | Logged in, at Settings | 1. Click "API Keys" tab 2. Note URL changes to /settings?tab=api-keys 3. Refresh page | Settings reopens at API Keys tab. URL query param restored state | Medium |
| SET-097 | Invalid tab query param defaults to profile | Logged in | 1. Navigate to /settings?tab=nonexistent | Profile tab content displays. Invalid tab value is ignored gracefully | Low |
| SET-098 | User can navigate between tabs without reloading | Logged in, at Settings with Profile tab active | 1. Click "API Keys" tab 2. Wait for content to load 3. Click "Members" tab | Tabs switch instantly. No full page reload. Content loads smoothly | High |
Permission-Based Feature Visibility
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-099 | Agent sees only Profile and Notifications tabs | Logged in as Agent (no elevated permissions), at Settings | 1. View Settings page | Tabs visible: Profile, Notifications. Tabs hidden/disabled: Organization, Members, Teams, Roles, Audit Logs, API Keys, WhatsApp (unless allowed), Form Tokens (unless allowed) | High |
| SET-100 | Manager sees Profile, Notifications, Teams, API Keys tabs | Logged in as Manager, at Settings | 1. View Settings page | Manager-level tabs visible and accessible. Admin-only tabs (Roles, Audit Logs) remain hidden | High |
| SET-101 | Admin sees all tabs | Logged in as Admin, at Settings | 1. View Settings page | All tabs visible: Profile, Notifications, WhatsApp, Organization, Members, Teams, API Keys, Roles, Audit Logs, Form Tokens | High |
Error Handling & Edge Cases
| ID | Test Case | Preconditions | Steps | Expected Result | Priority |
|---|---|---|---|---|---|
| SET-102 | Network error during profile save | Logged in, at Profile tab, API is unreachable | 1. Change full_name 2. Click Save | Error toast displayed. Form retains values for user to retry | Medium |
| SET-103 | Session expires during settings operations | Logged in, JWT token expires during form save | 1. Update profile 2. Submit form after token expiry | User redirected to login. Toast shows "Session expired." | High |
| SET-104 | Concurrent edit conflict | Two users editing same organization settings simultaneously | 1. User A saves timezone change 2. User B saves name change | Last write wins. Page does not show stale data after refresh. Audit log shows both actions | Medium |
| SET-105 | Very long form values | Logged in, at any form in Settings | 1. Enter 1000+ character string in text field 2. Click Save | Field truncated or error shown (per API validation). Form handles gracefully | Low |
| SET-106 | Special characters in form inputs | Logged in, at Organization edit tab | 1. Enter org name with emoji: "Acme Corp 🚀" 2. Click Save | Name saves correctly. Special characters preserved | Low |