# Role Permission Matrix

Human testers must verify both allowed and forbidden actions.

| Role | Must be able to access | Must be blocked from |
|---|---|---|
| Public visitor | Home, Discover, public event pages, organiser application page, sign in/register | Account pages, organiser console, admin console, private APIs, checkout draft/customer data |
| Customer | My tickets, orders, profile/privacy, booking checkout | Organiser console, admin console, other customer orders/tickets, fee rules, venue/event management |
| Organiser | Own organiser events, venues, reusable seat maps, ticketing, finance/Stripe readiness, own media | Platform admin, other organisers' data, customer lists outside allowed order context, super admin roles |
| Platform organiser | Permitted organiser contexts, organiser workflows in selected context | Platform admin, fee rule management, organiser approval, super admin, unrelated customer PII |
| Platform admin | Organiser applications, fee rules, readiness, platform monitoring | Unsafe self-escalation to platform_super_admin, secret values, direct customer payment method data |

## Required Negative Tests

- Change IDs in URLs/API calls for events, venues, seat maps, media, orders, tickets, checkout drafts.
- Open admin pages as customer/organiser/platform organiser.
- Open organiser pages as customer/public.
- Use a stale browser tab after switching platform organiser context.
- Attempt role/permission changes outside allowed scope.
- Confirm every denial is a 403, a redirect or a 404 and that the response body contains no private data.
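The matrix above and the negative-test list can be driven by one table of cases, so that every allowed action is checked for a 200 and every forbidden one for a clean denial. The script below is an added illustration, not part of the project: it assumes a hypothetical in-memory store of events and orders with owner fields, a `Session` carrying the caller's role and (for platform organisers) the selected organiser context, and a toy `handle()` standing in for the application's request handler. The sample IDs, users and e-mail addresses are constructed.

```python
"""Matrix-driven access-control checks (added example, not the project's own code).

Everything here is hypothetical: an in-memory store of events and orders with
owner fields, a Session with the caller's role and (for platform organisers)
the organiser context they are acting in, and a toy handle() standing in for
the real request handler. The cases mirror the permission matrix and the
negative-test list, including ID swapping and a stale organiser context.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data: two organisers own one event each, two customers own one order each.
EVENTS = {"ev-1": {"organiser_id": "org-A", "title": "Gala"},
          "ev-2": {"organiser_id": "org-B", "title": "Expo"}}
ORDERS = {"ord-1": {"customer_id": "cust-1", "email": "alice@example.test"},
          "ord-2": {"customer_id": "cust-2", "email": "bob@example.test"}}

# Substrings that identify a resource body and must never appear in a denied response.
PRIVATE_MARKERS = ("@example.test", "organiser_id", "customer_id")
DENIAL_STATUSES = (302, 303, 403, 404)


@dataclass
class Session:
    role: str                                # public | customer | organiser | platform_organiser | platform_admin
    user_id: Optional[str] = None
    org_context: Optional[str] = None        # organiser a platform organiser is currently acting for
    allowed_contexts: FrozenSet[str] = frozenset()  # contexts that user is permitted to select


def _deny(session: Session):
    """Anonymous callers are redirected to sign-in; authenticated callers get a bare 403."""
    if session.role == "public":
        return 302, {"location": "/signin"}
    return 403, {"error": "forbidden"}


def handle(session: Session, path: str):
    """Toy router returning (status, body). Ownership is checked on every object lookup."""
    parts = path.strip("/").split("/")
    if parts == ["admin"]:
        return (200, {"ok": True}) if session.role == "platform_admin" else _deny(session)
    if parts[:2] == ["organiser", "events"] and len(parts) == 3:
        ev = EVENTS.get(parts[2])
        if ev is None:
            return 404, {"error": "not found"}
        if session.role == "organiser" and ev["organiser_id"] == session.user_id:
            return 200, ev
        # A platform organiser must be acting in a context that is both selected and permitted;
        # a stale tab that still carries an old context fails the second condition.
        if (session.role == "platform_organiser"
                and session.org_context == ev["organiser_id"]
                and session.org_context in session.allowed_contexts):
            return 200, ev
        return _deny(session)
    if parts[0] == "orders" and len(parts) == 2:
        order = ORDERS.get(parts[1])
        # Other customers' orders are reported as 404 so the ID space is not an existence oracle.
        if order is None or not (session.role == "customer" and order["customer_id"] == session.user_id):
            return 404, {"error": "not found"}
        return 200, order
    return 404, {"error": "not found"}


def is_clean_denial(response) -> bool:
    """A denial passes only if it uses an accepted status and leaks no private field."""
    status, body = response
    return status in DENIAL_STATUSES and not any(m in repr(body) for m in PRIVATE_MARKERS)


def run_matrix(cases):
    """cases: (label, session, path, 'allow'|'deny'). Returns the labels of cases that failed."""
    failures = []
    for label, session, path, expected in cases:
        response = handle(session, path)
        passed = response[0] == 200 if expected == "allow" else is_clean_denial(response)
        if not passed:
            failures.append(label)
    return failures


# Positive and negative cases drawn from the matrix and the negative-test list.
CASES = [
    ("organiser reads own event", Session("organiser", "org-A"), "/organiser/events/ev-1", "allow"),
    ("organiser swaps ID to another organiser's event", Session("organiser", "org-A"), "/organiser/events/ev-2", "deny"),
    ("public opens organiser page", Session("public"), "/organiser/events/ev-1", "deny"),
    ("customer opens admin console", Session("customer", "cust-1"), "/admin", "deny"),
    ("customer reads own order", Session("customer", "cust-1"), "/orders/ord-1", "allow"),
    ("customer swaps ID to another customer's order", Session("customer", "cust-1"), "/orders/ord-2", "deny"),
    ("platform organiser in permitted context",
     Session("platform_organiser", "staff-1", "org-A", frozenset({"org-A"})), "/organiser/events/ev-1", "allow"),
    ("stale tab with context no longer permitted",
     Session("platform_organiser", "staff-1", "org-B", frozenset({"org-A"})), "/organiser/events/ev-2", "deny"),
    ("platform admin opens admin console", Session("platform_admin", "admin-1"), "/admin", "allow"),
]

if __name__ == "__main__":
    print("failures:", run_matrix(CASES))
```

Against a real deployment the same `CASES` table would drive HTTP requests instead of `handle()`; the two checks that matter stay the same: an allowed case must succeed, and a denied case must return one of the accepted statuses with a body that contains none of the resource's private fields, so a 403 that still echoes the object counts as a failure.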
