[AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite

Made-with: Cursor

_docs/02_tasks/done/AZ-191_user_mgmt_tests.md

@@ -0,0 +1,102 @@
+# User Management Blackbox Tests
+
+**Task**: AZ-191_user_mgmt_tests
+**Name**: User Management Blackbox Tests
+**Description**: Implement blackbox tests for registration, CRUD operations, role changes, enable/disable
+**Complexity**: 5 points
+**Dependencies**: AZ-189_test_infrastructure, AZ-190_auth_tests
+**Component**: Blackbox Tests
+**Tracker**: AZ-191
+**Epic**: AZ-188
+
+## Problem
+
+User management operations (registration, listing, role changes, deletion) have no automated test coverage.
+
+## Outcome
+
+- Registration with valid data succeeds (FT-P-02)
+- User list returns seed users (FT-P-06)
+- User filter by email works (FT-P-07)
+- Role change succeeds (FT-P-11)
+- Account disable succeeds (FT-P-12)
+- User deletion succeeds (FT-P-13)
+- Registration validation rejects invalid input (FT-N-03, FT-N-04, FT-N-07, FT-N-08)
+- Non-admin cannot manage users (tested in security tests)
+
+## Scope
+
+### Included
+- Registration positive and negative scenarios
+- User CRUD operations (list, filter, role change, enable/disable, delete)
+- FluentValidation error cases
+
+### Excluded
+- Non-admin access (covered by security tests AZ-194)
+
+## Acceptance Criteria
+
+**AC-1: Registration**
+Given caller is ApiAdmin
+When POST /users is called with valid email (>= 8 chars, valid format), password (>= 8 chars), and role
+Then HTTP 200 is returned
+
+**AC-2: List users**
+Given seed users exist
+When GET /users is called with ApiAdmin JWT
+Then HTTP 200 with JSON array containing >= 1 user
+
+**AC-3: Filter users**
+Given seed users exist
+When GET /users?email=admin is called
+Then all returned emails contain "admin"
+
+**AC-4: Change role**
+Given a test user exists
+When PUT /users/role is called with new role
+Then HTTP 200
+
+**AC-5: Disable user**
+Given a test user exists
+When PUT /users/enable with isEnabled=false
+Then HTTP 200
+
+**AC-6: Delete user**
+Given a test user exists
+When DELETE /users?email=user
+Then HTTP 200
+
+**AC-7: Short email rejected**
+Given caller is ApiAdmin
+When POST /users with email < 8 chars
+Then HTTP 400
+
+**AC-8: Invalid email format rejected**
+Given caller is ApiAdmin
+When POST /users with invalid email format
+Then HTTP 400
+
+**AC-9: Short password rejected**
+Given caller is ApiAdmin
+When POST /users with password < 8 chars
+Then HTTP 400
+
+**AC-10: Duplicate email rejected**
+Given user with email already exists
+When POST /users with same email
+Then HTTP 409 with code 20
+
+## Blackbox Tests
+
+| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
+|--------|------------------------|-------------|-------------------|----------------|
+| AC-1 | ApiAdmin JWT | POST /users valid | HTTP 200 | — |
+| AC-2 | Seed data | GET /users | HTTP 200, array >= 1 | — |
+| AC-3 | Seed data | GET /users?email=admin | Filtered results | — |
+| AC-4 | Test user | PUT /users/role | HTTP 200 | — |
+| AC-5 | Test user | PUT /users/enable false | HTTP 200 | — |
+| AC-6 | Test user | DELETE /users | HTTP 200 | — |
+| AC-7 | ApiAdmin JWT | POST /users short email | HTTP 400 | — |
+| AC-8 | ApiAdmin JWT | POST /users bad format | HTTP 400 | — |
+| AC-9 | ApiAdmin JWT | POST /users short pass | HTTP 400 | — |
+| AC-10 | Existing user | POST /users duplicate | HTTP 409, code 20 | — |