# Zavvion Events Lite MVP Functional Testing Plan

Purpose: give human testers a practical, role-based script for finding where the Lite MVP can break before handover. This plan focuses on the first release scope: public visitors/customers buy tickets, organisers create events and prepare payment readiness, and platform admins monitor/configure the platform.

Test environment:
- Base URL: `http://localhost/zavvion-events/public/` for local XAMPP, or the deployed staging URL.
- Test password: use the private seed password from handover notes. Do not paste it into public bug reports.
- Launch roles: public visitor, customer, organiser, platform admin.
- Deferred roles for this release: cashier, scanner, event manager. These must not be available in the Lite MVP UI.

Bug evidence format:
- Tester name:
- Date/time:
- Browser/device:
- Login role:
- Page URL:
- Steps to reproduce:
- Expected result:
- Actual result:
- Screenshot/video:
- Severity: Critical / High / Medium / Low
- Data created during test:

## 1. Smoke And Access

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| SM-01 | Public | Open `home.html`. | Homepage loads, logo/header is consistent, no test credentials are shown. |  |  |
| SM-02 | Public | Open `events.html`. | Event list loads from API, filters/search work, cards open event pages. |  |  |
| SM-03 | Public | Open `event.html?slug=demo-gala`. | Event detail loads, tickets and seat map render if available. |  |  |
| SM-04 | Public | Open `mvp-showcase.html`. | Showcase loads and only presents customer, organiser, platform admin launch roles. |  |  |
| SM-05 | Public | Open `mvp-profiles.html`. | Role walkthrough loads; password is not printed; tester can enter local seed password. |  |  |
| SM-06 | Public | Try `admin.html` without login. | Access is blocked or redirects/prompts for login; admin data is not visible. |  |  |
| SM-07 | Public | Try `organiser.html` without login. | Access is blocked or shows login prompt; organiser data is not visible. |  |  |

## 2. Customer Purchase Journey

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| CU-01 | Public | Browse events, open a published event. | Correct event title, date, venue, currency, timezone, tickets, and poster display. |  |  |
| CU-02 | Public | Use search/category/date filters on event listing. | Results update correctly; clear/reset restores list. |  |  |
| CU-03 | Public | Select a reserved section seat. | Seat becomes selected, section tab stays clear, basket shows one assigned seat. |  |  |
| CU-04 | Public | Select seats from multiple reserved sections. | Section tabs separate the sections; each selected seat requires a ticket type. |  |  |
| CU-05 | Public | Add a general admission ticket if the event has GA section tickets. | Quantity increases without requiring a seat. |  |  |
| CU-06 | Public | Try child ticket without adult where the event requires adult. | Checkout is blocked server-side with a clear message. |  |  |
| CU-07 | Public | Remove/reduce tickets and seats. | Basket, totals, and selected seats update without stale lines. |  |  |
| CU-08 | Public | Wait for the hold timer. | Timer starts at no more than 15 minutes for the current hold and does not multiply by ticket count. |  |  |
| CU-09 | Public | Continue to checkout. | Checkout draft is saved; final total/currency is server-calculated. |  |  |
| CU-10 | Public | Try cash/external terminal payment online. | These options are not shown and are rejected if forced. |  |  |
| CU-11 | Customer | Register new account. | Valid account is created; duplicate email and weak password are rejected. |  |  |
| CU-12 | Customer | Log in, open account/wallet/orders. | Customer sees only own tickets/orders/profile/privacy requests. |  |  |
| CU-13 | Customer | Sign out. | Session clears; protected account pages no longer expose data. |  |  |

## 3. Organiser Workflow

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| OR-01 | Organiser | Log in and open dashboard. | Only Lite launch organiser routes show: dashboard, events, venues, ticketing, finance/Stripe, profile. |  |  |
| OR-02 | Organiser | Create a venue. | Venue saves and appears in venue list. |  |  |
| OR-03 | Organiser | Create a seat map for a venue. | Seat map library shows seat map name, venue, sections, created date, seat count. |  |  |
| OR-04 | Organiser | Create reserved section grid. | Section appears as reserved seating and creates visible seats. |  |  |
| OR-05 | Organiser | Create general admission section. | Section appears as general admission and does not create individual seats. |  |  |
| OR-06 | Organiser | Create a new event and select venue + seat map. | Event stores selected seat map; saving persists selection after reload. |  |  |
| OR-07 | Organiser | Attach/change seat map from seat-map library. | Event uses the new seat map on public event page after save/publish. |  |  |
| OR-08 | Organiser | Create reusable ticket type. | Ticket catalogue entry has no event price until allocated. |  |  |
| OR-09 | Organiser | Allocate ticket type to event. | Allocation row shows event-specific price, quantity, currency, and maximum per order. |  |  |
| OR-10 | Organiser | Remove allocated ticket type from event. | Allocation disappears only from that event; reusable catalogue type remains. |  |  |
| OR-11 | Organiser | Map ticket types to reserved/general sections. | Public event shows section-appropriate ticket choices. |  |  |
| OR-12 | Organiser | Save Stripe connected account details or review readiness. | UI clearly shows missing/ready charge and payout capability without exposing secrets. |  |  |
| OR-13 | Organiser | Try deferred routes `#box-office`, `#checkin`, staff/scanner/cashier surfaces. | Deferred roles/workflows are hidden or blocked in Lite launch. |  |  |

## 4. Platform Admin Workflow

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| AD-01 | Admin | Log in and open admin dashboard. | Only launch-critical admin areas are visible. |  |  |
| AD-02 | Admin | Review organiser applications. | Admin can approve/reject where pending records exist. |  |  |
| AD-03 | Admin | Review events/orders/payments. | Data loads; no customer data is exposed beyond what the admin role needs. |  |  |
| AD-04 | Admin | Create one global country fee rule. | Rule saves if no active rule exists for that country. |  |  |
| AD-05 | Admin | Try creating duplicate active global country fee rule. | Save is blocked with conflict message. |  |  |
| AD-06 | Admin | Create one event-specific fee override. | Override saves for that event only. |  |  |
| AD-07 | Admin | Try duplicate active event override. | Save is blocked with conflict message. |  |  |
| AD-08 | Admin | Edit/deactivate/delete fee rule. | Action works only for admin and cannot create conflicts. |  |  |
| AD-09 | Admin | Open roles/permissions. | Platform super admin is locked; platform admin cannot grant/edit super admin. |  |  |
| AD-10 | Admin | Open health/readiness. | Missing production secrets, Stripe keys/webhook, GD, ClamAV, SSL are reported as warnings/blockers, not hidden. |  |  |

## 5. Security And Negative Tests

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| SEC-01 | Public | Request `../.env` and `../composer.json` from browser. | HTTP 403 or blocked; no sensitive file content. |  |  |
| SEC-02 | Public | Request `/api/v1/checkout/drafts`. | HTTP 403 unless admin/signed draft token is present. |  |  |
| SEC-03 | Customer | Try opening `admin.html` after customer login. | No admin data/menu access. |  |  |
| SEC-04 | Customer | Try opening `organiser.html`. | No organiser data/menu access. |  |  |
| SEC-05 | Organiser | Try opening `admin.html`. | No admin access. |  |  |
| SEC-06 | Organiser | Try another organiser's event/venue if test data exists. | Access denied. |  |  |
| SEC-07 | Public | Inject `<script>alert(1)</script>` in searchable/input labels where possible. | Text is escaped; no script executes. |  |  |
| SEC-08 | Public | Force checkout payload with frontend total/currency changed. | Server recalculates total and currency from event data. |  |  |
| SEC-09 | Public | Force payment method `cash` or `external_card` in public checkout request. | Server rejects. |  |  |
| SEC-10 | Public | Open deferred scanner/box-office APIs. | HTTP 403 `launch_profile_deferred`. |  |  |
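The HTTP-level rows of this table (SEC-01, SEC-02, SEC-10) can be re-run after every build. The script below is an added example written for this plan, not part of the project: the base URL is the one from the test environment section, and the scanner/box-office API paths used for SEC-10 are assumptions to be replaced with the real deferred routes.

```python
"""Regression checks for the HTTP-level cases of the Security And Negative
Tests table (SEC-01, SEC-02, SEC-10); deferred-API paths are assumptions."""
import urllib.error
import urllib.request

def _blocked(status, body):
    # SEC-01: error status and no sign of file content in the body.
    leaks = ("DB_PASSWORD", "APP_KEY", '"require"')
    return status in (401, 403, 404) and not any(t in body for t in leaks)

def _forbidden(status, body):
    # SEC-02: the drafts listing must be 403 for an anonymous caller.
    return status == 403

def _deferred(status, body):
    # SEC-10: 403 that carries the launch_profile_deferred error code.
    return status == 403 and "launch_profile_deferred" in body

# (case id, path relative to the base URL, verdict over status/body)
CASES = [
    ("SEC-01a", "../.env", _blocked),
    ("SEC-01b", "../composer.json", _blocked),
    ("SEC-02", "api/v1/checkout/drafts", _forbidden),
    ("SEC-10a", "api/v1/scanner/scan", _deferred),       # assumed path
    ("SEC-10b", "api/v1/box-office/orders", _deferred),  # assumed path
]

def fetch(base_url, path):
    """Anonymous GET; error responses are returned as (status, body), not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def judge(case_id, status, body):
    """Pure verdict, so expected outcomes can be checked without a server."""
    verdict = next(fn for cid, _, fn in CASES if cid == case_id)
    return verdict(status, body)

def run(base_url):
    """Execute every case; returns {case id: passed} and prints one line each."""
    results = {}
    for case_id, path, _ in CASES:
        status, body = fetch(base_url, path)
        results[case_id] = judge(case_id, status, body)
        print(case_id, "PASS" if results[case_id] else "FAIL", "HTTP", status)
    return results
```

Call `run("http://localhost/zavvion-events/public/")` from a Python shell and attach the printed lines as evidence; the `../` segments are sent literally, which a browser would normalise away, so this also exercises the server's own path handling.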

## 6. Responsive And Usability

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| UX-01 | Public | Test 360px mobile width. | Header/menu, event cards, checkout basket, section tabs, and seat map remain usable. |  |  |
| UX-02 | Public | Test tablet width. | Seat map can scroll/zoom without hiding checkout controls. |  |  |
| UX-03 | Organiser | Test organiser console on laptop and tablet widths. | Sidebar toggle works once, no double-toggle, no hidden buttons. |  |  |
| UX-04 | Admin | Test admin fees/settings forms. | Labels align, validation messages are readable, actions are visible. |  |  |
| UX-05 | All | Keyboard tab through forms/buttons. | Focus states are visible and the journey is possible without mouse for core forms. |  |  |

## 7. Payment Readiness

| ID | Role | Steps | Expected Result | Pass/Fail | Evidence |
| --- | --- | --- | --- | --- | --- |
| PAY-01 | Admin | Open Stripe/webhook readiness. | Missing keys/webhook are shown as not ready, not hidden. |  |  |
| PAY-02 | Organiser | Open Stripe Connect area. | Connected account status is visible; no secret keys are exposed. |  |  |
| PAY-03 | Public | Start paid checkout without Stripe ready. | User gets safe local/test message or checkout is blocked; tickets are not issued. |  |  |
| PAY-04 | Admin/Dev | With real Stripe test keys and webhook forwarding, complete test purchase. | Signed webhook marks order paid and issues QR ticket. Browser redirect alone does not. |  |  |
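PAY-04 hinges on the webhook handler, so here is an added example (not the project's code) of the rule that a signed webhook, and only a signed webhook, may mark an order paid while the browser redirect merely reads state. It follows Stripe's documented `Stripe-Signature` format (`t=<timestamp>,v1=<hex HMAC-SHA256 over "timestamp.raw body">`); the `OrderStore` class, the secret and the event body are constructed stand-ins.

```python
"""Illustrates PAY-04: an order becomes paid only through a webhook whose
signature verifies; the browser redirect never changes order state."""
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # reject signed events older than this (replay window)

def _mac(secret, payload, ts):
    # Stripe's documented scheme: HMAC-SHA256 over "<timestamp>.<raw body>".
    return hmac.new(secret.encode(), f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()

def signed_header(secret, payload, ts):
    """Build a Stripe-Signature header value, as the CLI forwarder would."""
    return f"t={ts},v1={_mac(secret, payload, ts)}"

def verify_signature(secret, payload, header, now):
    """True only for a fresh header whose v1 HMAC matches the raw body."""
    parts = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts = int(parts["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(_mac(secret, payload, ts), parts.get("v1", ""))

class OrderStore:
    """Stand-in for the orders table: status plus the issued ticket code."""
    def __init__(self):
        self.orders = {}
    def create(self, order_id):
        self.orders[order_id] = {"status": "pending", "ticket": None}
    def handle_redirect(self, order_id):
        # Return URL hit by the browser: untrusted, so it only reads state.
        return dict(self.orders[order_id])
    def handle_webhook(self, secret, body, header, now):
        """Returns the HTTP status the webhook endpoint would answer with."""
        if not verify_signature(secret, body, header, now):
            return 400  # unsigned or stale: ignore, order stays pending
        event = json.loads(body)
        if event.get("type") != "checkout.session.completed":
            return 200  # acknowledged, nothing to do
        order_id = event["data"]["object"]["metadata"]["order_id"]
        order = self.orders[order_id]
        if order["status"] != "paid":  # idempotent under redelivery
            order["status"] = "paid"
            order["ticket"] = "QR-" + order_id  # ticket issuance placeholder
        return 200
```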

## 8. Exit Criteria

The Lite MVP can proceed to human architect review when:
- Critical and High functional/security bugs are closed or explicitly accepted.
- Public purchase path works through checkout draft and safe payment readiness handling.
- Organiser can create venue, seat map sections, event, ticket catalogue, event ticket allocations, and Stripe readiness review.
- Admin can review events/organisers, manage non-conflicting fee rules, and see health/readiness.
- Deferred roles remain hidden/blocked.
- Full PHPUnit and smoke/readiness scripts have been run and results recorded.

