This post describes how I discovered a defect that allowed me, as a normal user, to gain a higher privilege than I was supposed to have. When testing an application I came across a use case in which a privileged user is allowed to delete a team and a non-privileged user is not. The delete operation is controlled only by whether a link is displayed. This is how it looks for a privileged user -
And this is how it looks for a non-privileged user -
Here the "Delete team" link is missing for the non-privileged user.
Looking at the HTML source, I found the following for the privileged user -
<a class="delete right" data-bind="if: teamProfile().type() != 'official', click: deleteTeam" href="https://test.com/" title="Delete this team">Delete team...</a>
And the following for the non-privileged user -
<a class="delete right" data-bind="if: teamProfile().type() != 'official', click: deleteTeam" href="https://test.com/" title="Delete this team"></a>
The only difference is the missing inner text of the delete link for the non-privileged user: the data-bind attribute, including the click handler, is identical in both cases. So I modified the non-privileged user's delete link as -
<a class="delete right" data-bind="if: teamProfile().type() != 'official', click: deleteTeam" href="https://test.com/" title="Delete this team">Delete</a>
This brought the Delete link back on the front end, which was missing in the previous screenshot -
When I clicked the Delete link, voila, I got the confirmation prompt for team deletion -
I had been automating this use case by verifying the absence of the delete link for the non-privileged user. That check would pass every time without reporting any bug. But as the example above shows, a little exploratory testing uncovered a defect that the automated tests would have missed :-)
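As an added example (not the post's code), here is a small Node.js model of the defect above: the view hides the "Delete team" label from non-privileged users but leaves the click binding in place, and the server handler either trusts the UI (vulnerable) or re-checks authorization itself (hardened). The team data, user names, store layout and handler names are all assumptions.

```javascript
// Added example, not code from the original post. It models the defect in
// plain Node.js: a view that hides the "Delete team" label from non-privileged
// users but leaves the click binding in place, beside a server handler that
// either trusts the UI (vulnerable) or re-checks authorization itself
// (hardened). Team data, user names, roles and function names are assumptions.

// Constructed sample data: two teams, one of them "official", and the
// server-side record of who may administer each team.
function newStore() {
  return {
    teams: new Map([
      [7, { id: 7, name: "blue", type: "community" }],
      [8, { id: 8, name: "staff", type: "official" }],
    ]),
    admins: new Map([[7, new Set(["alice"])], [8, new Set(["alice"])]]),
  };
}

// --- client side ----------------------------------------------------------

// Mirrors the markup in the post: the data-bind (and so the click handler)
// is identical for both users; only the inner text differs. An empty anchor
// is invisible but becomes clickable as soon as it has content again.
function renderDeleteLink(isPrivileged) {
  const label = isPrivileged ? "Delete team..." : "";
  return `<a class="delete right" data-bind="if: teamProfile().type() != 'official', click: deleteTeam" href="https://test.com/" title="Delete this team">${label}</a>`;
}

// What the bound deleteTeam handler does on click: it does not know whether
// the user is authorized, it just sends the request (confirm() dialog elided).
function clickDeleteTeam(user, teamId) {
  return { method: "DELETE", path: `/teams/${teamId}`, user, teamId };
}

// --- server side ----------------------------------------------------------

// Vulnerable: the only "authorization" is that the UI did not show the link.
function deleteTeamVulnerable(store, req) {
  if (!store.teams.has(req.teamId)) return { status: 404 };
  store.teams.delete(req.teamId);
  return { status: 204 };
}

// Hardened: authorize every request against server-side state, and enforce
// the "official teams cannot be deleted" rule here, not only in data-bind.
function deleteTeamHardened(store, req) {
  const team = store.teams.get(req.teamId);
  if (!team) return { status: 404 };
  const admins = store.admins.get(req.teamId) || new Set();
  if (!admins.has(req.user)) return { status: 403, reason: "not a team admin" };
  if (team.type === "official") return { status: 403, reason: "official team" };
  store.teams.delete(req.teamId);
  return { status: 204 };
}

// Replay the post's steps against one handler: the non-privileged user
// ("mallory") puts the link text back, clicks, and the request hits the
// server. Returns the HTTP status and whether the team survived.
function replayAsNonPrivileged(handler, teamId = 7) {
  const store = newStore();
  const link = renderDeleteLink(false);
  const patched = link.replace("></a>", ">Delete</a>"); // the edit in the post
  const res = handler(store, clickDeleteTeam("mallory", teamId));
  return {
    link: patched,
    status: res.status,
    teamStillExists: store.teams.has(teamId),
  };
}
```

The confirmation prompt in the post proves only that the client-side binding fires. The decisive check in the real application is whether the server honours the DELETE request sent after confirming: replay that request from the browser's developer tools or an intercepting proxy with the non-privileged user's session, and verify both the response status and whether the team still exists afterwards. In this model the vulnerable handler returns 204 and removes the team, while the hardened one returns 403 and leaves it intact.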
Do you have a similar story to share, where exploratory testing helped you uncover a defect that automation missed?