Skip to main content

Backend Test Report: Projects API

Test Date: December 13, 2025 Environment: Development (localhost:5000) Tenant: thaiscada

At a Glance

MetricValue
Total Tests38
Passed38
Failed0
Skipped0
Pass Rate100%
All Issues Fixed

Two bugs were discovered during initial testing and have been fixed:

  1. RemoveProjectEndpoint - Simplified request to use Guid Id instead of full ProjectDto
  2. CreateTaskEndpoint - Added role-based authorization for task types

Results Summary

SectionEndpointTestsStatus
1. PreCreateGET /api/projects/preCreate4Pass
2. CreateGET /api/projects/create4Pass
3. GetGET /api/projects/get/{id}7Pass
4. SavePOST /api/projects/save9Pass
5. RemovePOST /api/projects/remove4Pass
6. SearchPOST /api/projects/search3Pass
7. SearchByPrNoPOST /api/projects/searchByPrNo3Pass
8. WorkflowPOST /api/tasks/createTask4Pass

What We Tested

This report covers the Projects API - the system that handles:

  • PreCreate - Validates staff configuration before project creation
  • Create - Initializes new project with defaults and lookup data
  • Get - Retrieves project by ID with related entities
  • Save - Creates/updates project (PR No. must be unique)
  • Remove - Deletes project (FK protected)
  • Search - Lists projects (keyword NOT used - returns all)
  • SearchByPrNo - Searches by PR number with IsInUse and LinkedTaskRefId

Authorization Matrix

EndpointPolicyAdminWork OwnerPurchasingContractor
PreCreateproject-mgmt200200200403
Createproject-mgmt200200200403
Getproject-mgmt200200200403
Saveproject-mgmt200200200403
Removeproject-mgmt200200200403
Searchproject-mgmt200200200403
SearchByPrNoproject-mgmt200200200403
Access Control
  • All endpoints require project-mgmt role
  • Work Owner, Admin, and Purchasing have project-mgmt permission
  • Contractor role does NOT have project management permission (403)

Detailed Results

1. PreCreate - Validate Staff Config (4 tests)

Endpoint: GET /api/projects/preCreate Policy: project-mgmt

#Test CaseExpectedActualStatus
1.1Valid request (Work Owner)200200Pass
1.3Missing authorization401401Pass
1.4Invalid token401401Pass
1.5Contractor user (no project-mgmt)403403Pass
Response Format

Returns ResultMessage with validation result for staff configuration (contractors, users by role).

2. Create - Initialize New Project (4 tests)

Endpoint: GET /api/projects/create Policy: project-mgmt

#Test CaseExpectedActualStatus
2.1Valid request (Work Owner)200200Pass
2.4Missing authorization401401Pass
2.5Contractor user (no project-mgmt)403403Pass
2.6Purchasing user200200Pass
Response Data

Returns project template with:

  • Default values (status, dates)
  • Lookup data (users by role, contractors, workspace areas)
  • Document templates for selection

3. Get - Retrieve Project (7 tests)

Endpoint: GET /api/projects/get/{id} Policy: project-mgmt

#Test CaseExpectedActualStatus
3.1Valid get (Work Owner)200200Pass
3.2Get with includeEmptyOption=true200200Pass
3.3Get non-existent project400400Pass
3.4Missing authorization401401Pass
3.5Contractor user (no project-mgmt)403403Pass
3.6Purchasing user200200Pass
3.7Admin user200200Pass
Observation

Test 3.3 returns 400 Bad Request with message "The project with the specified ID was not found" instead of 404.

4. Save - Create/Update Project (9 tests)

Endpoint: POST /api/projects/save Policy: project-mgmt

#Test CaseExpectedActualStatus
4.1Create new project (Work Owner)200200Pass
4.2Update existing project200200Pass
4.3Save with Thai content200200Pass
4.4Save with empty name (defaults to DRAFT)200200Pass
4.5Duplicate PurchaseRequisitionNo400400Pass
4.6Save with all user references200200Pass
4.7Missing authorization401401Pass
4.8Contractor user (no project-mgmt)403403Pass
4.9Purchasing user200200Pass
Validation

Duplicate PR Number validation works correctly. Returns Thai error message: "PR No. นี้ถูกใช้งานแล้วในโครงการอื่น"

Required Fields

Save endpoint requires employerId to be provided. Without it, the endpoint returns 500 Internal Server Error.

5. Remove - Delete Project (4 tests)

Endpoint: POST /api/projects/remove Policy: project-mgmt

#Test CaseExpectedActualStatus
5.1Valid remove (Work Owner)200200Pass
5.3Missing authorization401401Pass
5.4Contractor user (no project-mgmt)403403Pass
5.5Purchasing user200200Pass
Bug Fixed

The endpoint was simplified to accept Guid Id instead of full ProjectDto, eliminating the null reference issue during entity mapping.

6. Search - List Projects (3 tests)

Endpoint: POST /api/projects/search Policy: project-mgmt

#Test CaseExpectedActualStatus
6.1Valid search (Work Owner)200200Pass
6.2Search with keyword200200Pass
6.4Contractor user (no project-mgmt)403403Pass
Observation

The keyword parameter is defined but not used in the backend implementation. Search always returns ALL projects regardless of keyword value.

7. SearchByPrNo - PR Number Search (3 tests)

Endpoint: POST /api/projects/searchByPrNo Policy: project-mgmt

#Test CaseExpectedActualStatus
7.1Valid search with PR number200200Pass
7.5Missing authorization401401Pass
7.6Contractor user (no project-mgmt)403403Pass
Special Fields

SearchByPrNo response includes additional fields:

  • isInUse - Whether project is linked to a task
  • linkedTaskRefId - Reference ID of linked task (if any)

8. Workflow Integration (4 tests)

Endpoint: POST /api/tasks/createTask Policy: realm-basic (with task-type-specific authorization)

#Test CaseExpectedActualStatus
8.1Create ProjectRegistration task (Work Owner)200200Pass
8.6Contractor cannot create ProjectRegistration task403403Pass
9.3Get task with project relationship200200Pass
9.5Missing auth on createTask401401Pass
Bug Fixed - Task Type Authorization

Role-based authorization was added to CreateTaskAsync():

  • ProjectRegistration (taskTypeId=1): Requires project-mgmt role
  • ContractorRegistration (taskTypeId=2): Requires contractor-mgmt role
  • WorkPermitRequest (taskTypeId=3): All authenticated users (workflow not yet implemented)
Workflow Integration

ProjectRegistration task automatically creates a project entity with:

  • workOwnerUserId set to current user
  • Project linked via projectId in task info

Test Data Created

VariableValueDescription
testProjectId019b180e-1efb-7214-be74-94f2e80605b2Project created via Save API
testPrNumberPR-HTTP-TEST-002Purchase Requisition Number
workflowTaskId019b1818-6e0a-7b05-abc6-ba9d1d2d501cTask created via workflow

Resolved Issues

1. Remove Endpoint 500 Error (FIXED)

Location: RemoveProjectEndpoint.cs Fix: Simplified request from RemoveProjectRequest(ProjectDto Project) to RemoveProjectRequest(Guid Id), eliminating the null reference during entity mapping.

2. CreateTask Authorization Missing (FIXED)

Location: TaskService.CreateTaskAsync() Fix: Added role-based authorization check based on task type:

  • ProjectRegistration → requires project-mgmt role
  • ContractorRegistration → requires contractor-mgmt role
  • WorkPermitRequest → all authenticated users

Outstanding Items

Search Keyword Not Implemented

Severity: Low Location: SearchProjectsEndpoint

The keyword parameter in search is not used - all projects are returned regardless of the keyword value. Consider implementing keyword filtering or removing the parameter from the API contract.

Conclusion

All 38 test cases passed (100% pass rate). The Projects API correctly implements:

  • Role-based access control (project-mgmt policy)
  • PR Number uniqueness validation with Thai error messages
  • SearchByPrNo with IsInUse and LinkedTaskRefId fields
  • Proper 401/403 responses for authentication/authorization failures
  • Workflow integration via TaskInfo linkage
  • Task-type-specific authorization for workflow tasks

Bugs Fixed During Testing:

  1. RemoveProjectEndpoint - Simplified to use Guid Id instead of full ProjectDto
  2. CreateTaskEndpoint - Added task-type authorization in TaskService