We have distinguished the CRM manager and CRM user roles from the very beginning in our specifications for the application. So far, each acceptance test began with some work on the database management side and ended with either use of the public interface or a check of some assumptions directly in the management UI.
Now it's time to actually prevent the CRM user from accessing the database management UI pages. We are going to implement the following business ruleset:
Unauthenticated (guest) users should not be able to access anything except the home page and the login form.
User-level users should be able to access the Query Customer By Phone UI.
Manager-level users should be able to access everything except the User Management UI.
Administrator-level users should be able to access everything.
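As an added illustration (not code from the book or from the CRM application it builds), here is the ruleset above expressed as a deny-by-default policy table: every UI area names the minimum role that may open it, and anything not listed is closed to everyone, so a page added later cannot be reached by accident. The ordered role levels, the area names such as customer_management, and the three-way allow/login/deny outcome are assumptions for this example.

```python
"""Deny-by-default access policy for the CRM UI areas (constructed example)."""
from enum import IntEnum


class Role(IntEnum):
    """Role levels; a higher level inherits everything a lower level may do."""
    GUEST = 0      # unauthenticated visitor
    USER = 1       # CRM user
    MANAGER = 2    # CRM manager
    ADMIN = 3      # administrator


# Minimum role required for each UI area (area names are assumed, not the
# application's own URL names). Areas missing from this table are denied to
# everyone, which keeps new pages closed until somebody opens them explicitly.
MIN_ROLE = {
    "home": Role.GUEST,
    "login": Role.GUEST,
    "query_customer_by_phone": Role.USER,
    "customer_management": Role.MANAGER,   # the database management UI
    "user_management": Role.ADMIN,         # managers are explicitly excluded
}


def decide(role: Role, area: str) -> str:
    """Return 'allow', 'login' (guest: send to the login form) or 'deny'."""
    required = MIN_ROLE.get(area)
    if required is not None and role >= required:
        return "allow"
    # Unknown areas and insufficient roles both fall through to a refusal;
    # guests are redirected to log in, authenticated users get a plain refusal.
    return "login" if role == Role.GUEST else "deny"


def allowed_areas(role: Role) -> list:
    """List the areas a role may open; handy for driving acceptance tests."""
    return sorted(area for area, required in MIN_ROLE.items() if role >= required)


if __name__ == "__main__":
    for role in Role:
        print(role.name, allowed_areas(role))
```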
Have a look at the following scheme:
We already have tests for the login and logout functionality without testing for access rights afterwards. However, now we...