# User Management Blackbox Tests

**Task**: AZ-191_user_mgmt_tests
**Name**: User Management Blackbox Tests
**Description**: Implement blackbox tests for registration, CRUD operations, role changes, enable/disable
**Complexity**: 5 points
**Dependencies**: AZ-189_test_infrastructure, AZ-190_auth_tests
**Component**: Blackbox Tests
**Tracker**: AZ-191
**Epic**: AZ-188

## Problem

User management operations (registration, listing, role changes, deletion) have no automated test coverage.

## Outcome

- Registration with valid data succeeds (FT-P-02)
- User list returns seed users (FT-P-06)
- User filter by email works (FT-P-07)
- Role change succeeds (FT-P-11)
- Account disable succeeds (FT-P-12)
- User deletion succeeds (FT-P-13)
- Registration validation rejects invalid input (FT-N-03, FT-N-04, FT-N-07, FT-N-08)
- Non-admin cannot manage users (tested in security tests)

## Scope

### Included

- Registration positive and negative scenarios
- User CRUD operations (list, filter, role change, enable/disable, delete)
- FluentValidation error cases

### Excluded

- Non-admin access (covered by security tests AZ-194)

## Acceptance Criteria

**AC-1: Registration**
Given caller is ApiAdmin
When POST /users is called with valid email (>= 8 chars, valid format), password (>= 8 chars), and role
Then HTTP 200 is returned

**AC-2: List users**
Given seed users exist
When GET /users is called with ApiAdmin JWT
Then HTTP 200 with JSON array containing >= 1 user

**AC-3: Filter users**
Given seed users exist
When GET /users?email=admin is called
Then all returned emails contain "admin"

**AC-4: Change role**
Given a test user exists
When PUT /users/role is called with new role
Then HTTP 200

**AC-5: Disable user**
Given a test user exists
When PUT /users/enable is called with isEnabled=false
Then HTTP 200

**AC-6: Delete user**
Given a test user exists
When DELETE /users?email=user is called
Then HTTP 200

**AC-7: Short email rejected**
Given caller is ApiAdmin
When POST /users is called with email < 8 chars
Then HTTP 400

**AC-8: Invalid email format rejected**
Given caller is ApiAdmin
When POST /users is called with invalid email format
Then HTTP 400

**AC-9: Short password rejected**
Given caller is ApiAdmin
When POST /users is called with password < 8 chars
Then HTTP 400

**AC-10: Duplicate email rejected**
Given user with email already exists
When POST /users is called with same email
Then HTTP 409 with code 20

## Blackbox Tests

| AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
|--------|------------------------|-------------|-------------------|----------------|
| AC-1 | ApiAdmin JWT | POST /users valid | HTTP 200 | — |
| AC-2 | Seed data | GET /users | HTTP 200, array >= 1 | — |
| AC-3 | Seed data | GET /users?email=admin | Filtered results | — |
| AC-4 | Test user | PUT /users/role | HTTP 200 | — |
| AC-5 | Test user | PUT /users/enable false | HTTP 200 | — |
| AC-6 | Test user | DELETE /users | HTTP 200 | — |
| AC-7 | ApiAdmin JWT | POST /users short email | HTTP 400 | — |
| AC-8 | ApiAdmin JWT | POST /users bad format | HTTP 400 | — |
| AC-9 | ApiAdmin JWT | POST /users short pass | HTTP 400 | — |
| AC-10 | Existing user | POST /users duplicate | HTTP 409, code 20 | — |
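The registration rows of the matrix (AC-1, AC-7, AC-8, AC-9, AC-10) as a data-driven blackbox check, written as an added example that is not part of the AZ-189 test infrastructure or this project's code. It assumes a transport callable `send(method, path, json_body, bearer_token) -> (status, json)` that the real suite would wrap around an HTTP client; the `FakeUsersApi`, the `admin-jwt` token and the email regex are constructed stand-ins so the cases run offline, and the fake enforces only the rules the acceptance criteria state.

```python
import re
from typing import Callable, Optional

# send(method, path, json_body, bearer_token) -> (http_status, json_body): hypothetical transport signature
Send = Callable[[str, str, Optional[dict], Optional[str]], tuple[int, dict]]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed format rule; the spec only says "valid format"
DUPLICATE_EMAIL_CODE = 20  # AC-10
ADMIN_JWT = "admin-jwt"  # constructed placeholder for the ApiAdmin token the AZ-189 fixtures would issue

# Registration cases from AC-1 and AC-7..AC-10: (name, payload, expected status, expected error code or None)
REGISTRATION_CASES = [
    ("AC-1 valid", {"email": "tester01@example.test", "password": "Str0ngPass!", "role": "User"}, 200, None),
    ("AC-7 short email", {"email": "a@b.io", "password": "Str0ngPass!", "role": "User"}, 400, None),
    ("AC-8 bad format", {"email": "not-an-email-addr", "password": "Str0ngPass!", "role": "User"}, 400, None),
    ("AC-9 short password", {"email": "tester02@example.test", "password": "short", "role": "User"}, 400, None),
    ("AC-10 duplicate", {"email": "tester01@example.test", "password": "Str0ngPass!", "role": "User"}, 409, 20),
]

def run_registration_cases(send: Send, token: str = ADMIN_JWT) -> list[str]:
    """Runs the cases in order (AC-10 relies on AC-1 having created the user) and returns the failures."""
    failures = []
    for name, payload, want_status, want_code in REGISTRATION_CASES:
        status, body = send("POST", "/users", payload, token)
        if status != want_status or (want_code is not None and body.get("code") != want_code):
            failures.append(f"{name}: got {status} {body}, want {want_status} code={want_code}")
    return failures

class FakeUsersApi:
    """Constructed in-memory stand-in for POST /users, enforcing only the rules the spec states
    (email >= 8 chars and well formed, password >= 8 chars, duplicate email -> 409 with code 20)."""
    def __init__(self) -> None:
        self.users = {"admin@example.test": {"role": "ApiAdmin", "isEnabled": True}}  # constructed seed user

    def __call__(self, method: str, path: str, body: Optional[dict], token: Optional[str]) -> tuple[int, dict]:
        if token != ADMIN_JWT:
            return 403, {}  # non-admin callers are out of scope here (covered by AZ-194)
        if method == "POST" and path == "/users":
            email, pw = (body or {}).get("email", ""), (body or {}).get("password", "")
            if len(email) < 8 or not EMAIL_RE.match(email) or len(pw) < 8:
                return 400, {}  # FluentValidation failure
            if email in self.users:
                return 409, {"code": DUPLICATE_EMAIL_CODE}
            self.users[email] = {"role": (body or {}).get("role"), "isEnabled": True}
            return 200, {}
        return 404, {}

if __name__ == "__main__":
    print(run_registration_cases(FakeUsersApi()) or "all registration cases passed")
```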