
Bug Report

Reported: 2026-03-16 | Environment: Staging (ncap.dev) | Reporter: AI Documentation Agent


ISS-001: Assessment Editor Can Delete Published Assessments

CRITICAL
  • Role: Assessment Editor
  • Location: Assessments list (/admin/assessments)
  • Description: The delete (trash) icon appears on EVERY assessment row regardless of status, including Published assessments. An Assessment Editor should only be able to create/edit Draft and Re-Edit assessments, not delete Published ones.
  • Expected: Delete icon should NOT appear for Published, Under Review, or Approved assessments for the Editor role.
  • Impact: Data loss risk — an editor could accidentally or intentionally delete published assessments visible on the public website.
  • Steps to reproduce: Login as assessment-editor → Navigate to Assessments → Observe trash icon on Published assessment rows.

ISS-002: Assessment Editor Has Excessive Permissions

HIGH
  • Role: Assessment Editor
  • Description: The Assessment Editor role has access to far more features than documented in the FRD:
    • Can manage Vehicle Makes (add/edit/delete)
    • Can manage Manufacturers (add/edit/delete)
    • Can manage Child Restraint Systems (add/edit/delete)
    • Can upload files to Media Library
    • Can view/manage Lookup Tables
    • Can view Manufacturer Test Requests
  • Expected (per FRD): Editor should ONLY be able to create/edit assessments, submit for review, and view protocols.
  • Impact: Principle of least privilege violated. Editor could modify vehicle data, CRS data, or upload unauthorized files.

ISS-003: CMS Manager Missing Media Library Access

HIGH
  • Role: CMS Manager
  • Location: Sidebar navigation
  • Description: CMS Manager sidebar shows only 3 items: Overview, Pages, Protocols. Media Library is NOT accessible, despite the FRD stating CMS Manager should have Media Library access.
  • Expected: CMS Manager should see Media Library in the sidebar to upload images/documents for content pages.
  • Impact: CMS Manager cannot upload images for page content, severely limiting their ability to manage website content.

ISS-004: Editor and Reviewer Have Identical Navigation

MEDIUM
  • Role: Assessment Editor, Assessment Reviewer
  • Description: Both roles see exactly the same sidebar navigation (10 items). The only difference is in action buttons within screens (approve/return for reviewer). This means the Reviewer can access Vehicles, System Config, Media Library — none of which are relevant to reviewing assessments.
  • Expected: Reviewer sidebar should be trimmed to only assessment-related items.
  • Impact: Confusing UX — reviewer sees irrelevant menu items. Also creates risk of unintended data modification.

ISS-005: “Something went wrong” Error Page Appears Frequently

MEDIUM
  • Location: All pages, intermittently
  • Description: A React error boundary overlay (“Something went wrong - An unexpected error occurred”) appears frequently during navigation, especially after login/logout transitions. The page often recovers after clicking “Go To Dashboard” or “Reload”, but sometimes requires a full page refresh.
  • Impact: Poor UX — users will encounter this error regularly during normal workflows.

ISS-006: Restricted URLs Return “Page Not Found” Instead of “Access Denied”

LOW
  • Role: All non-admin roles
  • Location: /admin/users, /admin/monitoring, /admin/administration
  • Description: When a role-restricted user navigates to a URL they don’t have access to, the app shows a generic “Page Not Found” error instead of “Access Denied” or a redirect to the dashboard.
  • Expected: Should show “Access Denied — You don’t have permission to view this page” or redirect to dashboard with a toast message.
  • Impact: Confusing UX — user can’t distinguish between a non-existent page and a restricted page.
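The distinction ISS-006 asks for is "does this route exist?" versus "may this role open it?", answered in that order. The resolver below is an added example, not project code: it returns 404 only for paths that are not routes at all and 403 plus a dashboard redirect for routes the role may not open. The three paths are the ones listed above; the role-to-route table and the function name are assumptions. The 403 response is appropriate here because the admin route list is already known to every signed-in user, so no information is leaked by confirming a page exists.

```javascript
// Added example, not the project's code: classify an admin URL as 200 / 403 / 404
// so restricted pages read "Access Denied" instead of "Page Not Found" (ISS-006).
// Paths are from the report; the roles allowed on each are assumptions.

const ROUTES = {
  '/admin': ['super_admin', 'admin', 'assessment_editor', 'assessment_reviewer', 'cms_manager'],
  '/admin/assessments': ['super_admin', 'admin', 'assessment_editor', 'assessment_reviewer'],
  '/admin/users': ['super_admin', 'admin'],
  '/admin/monitoring': ['super_admin', 'admin'],
  '/admin/administration': ['super_admin'],
};

// Normalise the path: drop query string, fragment and trailing slashes so
// '/admin/users/?tab=1' and '/admin/users' resolve to the same route.
function normalisePath(path) {
  const bare = String(path).split('?')[0].split('#')[0];
  return bare.replace(/\/+$/, '') || '/';
}

function resolveRoute(path, role) {
  const allowedRoles = ROUTES[normalisePath(path)];
  if (!allowedRoles) {
    // Unknown route: this is the only case that should say "Page Not Found".
    return { status: 404, message: 'Page Not Found' };
  }
  if (!allowedRoles.includes(role)) {
    // Known route, wrong role: say so, and send the user somewhere useful.
    return {
      status: 403,
      message: "Access Denied - You don't have permission to view this page",
      redirect: '/admin',
    };
  }
  return { status: 200 };
}
```

The client-side router guard and the server's route handlers should both use this table; if only the React router applies it, a direct request to the API behind the page still needs its own check.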

ISS-007: Dark Mode Persists Across Sessions

LOW
  • Description: When one user enables dark mode, it persists for the next user who logs in on the same browser. Theme preference appears to be stored in browser localStorage rather than per-user on the server.
  • Expected: Theme preference should be stored per-user on the server, or reset to light mode on logout.
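The durable fix for ISS-007 is the server-side preference the Expected line names. The block below, an added example rather than project code, shows the client-side half: it reproduces the shared-key behaviour the issue describes, then the corrected version that scopes the key to the user and wipes it on logout so the next login on the same browser starts from light mode. The `storage` shim stands in for `window.localStorage` so the code also runs under Node; the key names and user ids are assumptions.

```javascript
// Added example, not the project's code: stop one user's theme from leaking
// to the next user on the same browser (ISS-007). Key names are assumptions.

// Map-backed stand-in for window.localStorage when running outside a browser.
const memoryStore = new Map();
const storage = typeof localStorage !== 'undefined' ? localStorage : {
  getItem: (k) => (memoryStore.has(k) ? memoryStore.get(k) : null),
  setItem: (k, v) => { memoryStore.set(k, String(v)); },
  removeItem: (k) => { memoryStore.delete(k); },
  key: (i) => Array.from(memoryStore.keys())[i] ?? null,
  get length() { return memoryStore.size; },
};

const SHARED_THEME_KEY = 'theme';     // the single browser-wide key the bug implies
const USER_THEME_PREFIX = 'theme:';   // per-user key scheme used by the fix

// Behaviour reconstructed from ISS-007: one key for everybody, never cleared.
function saveThemeShared(theme) { storage.setItem(SHARED_THEME_KEY, theme); }
function loadThemeShared() { return storage.getItem(SHARED_THEME_KEY) ?? 'light'; }

// Fix, part 1: scope the preference to the signed-in user.
function saveThemeForUser(userId, theme) {
  storage.setItem(USER_THEME_PREFIX + userId, theme);
}
function loadThemeForUser(userId) {
  return storage.getItem(USER_THEME_PREFIX + userId) ?? 'light';
}

// Fix, part 2: on logout drop every theme entry, shared or per-user, so the
// browser holds nothing about the previous session's preferences.
function clearThemeOnLogout() {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  for (const k of keys) {
    if (k === SHARED_THEME_KEY || (k && k.startsWith(USER_THEME_PREFIX))) storage.removeItem(k);
  }
}

// Two users on one browser: alice enables dark mode and logs out, bob logs in.
// Returns what bob sees.
function simulateSharedBrowser(withFix) {
  if (withFix) {
    saveThemeForUser('alice', 'dark');
    clearThemeOnLogout();              // runs from the logout handler
    return loadThemeForUser('bob');
  }
  saveThemeShared('dark');             // alice's choice ...
  return loadThemeShared();            // ... is what bob gets
}
```

`clearThemeOnLogout()` belongs in the same logout handler that clears the session token; anything else the app keeps per user in `localStorage` should be removed there too.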

LOW
  • Location: Sidebar navigation
  • Description: “Manufacturer Representatives” is truncated to “Manufacturer Re…” in the sidebar. The actual page title is “Manufacturer Test Requests” which doesn’t match the sidebar label at all.
  • Expected: Either use a shorter label that fits, or use the correct page title “Test Requests”.

ISS-009: Content Pages Quick Action Card Available but Pages Not in Sidebar

LOW
  • Role: Assessment Editor, Assessment Reviewer
  • Location: Dashboard Quick Actions
  • Description: The Dashboard shows a “Content Pages” quick action card, but there is no “Pages” link in the sidebar. Clicking this card may lead to an error or unexpected behavior.
  • Expected: Either add Pages to the sidebar for these roles, or remove the Content Pages quick action card.

ISS-010: Inconsistent Naming — “Manufacturers (Makes)”

LOW
  • Location: /admin/vehicles/makes
  • Description: The Makes page is titled “Manufacturers (Makes)”, which is confusing. Makes and Manufacturers are separate concepts in the system (Makes = Toyota, Honda; Manufacturers = Toyota Motor Corporation, etc.).
  • Expected: Title should be just “Makes” or “Brands” to distinguish from the Manufacturers page.

Role                   | Verified | Sidebar Items            | Issues Found
-----------------------|----------|--------------------------|---------------------------
Super Admin (sysadmin) | Yes      | 22                       | Baseline
Assessment Editor      | Yes      | 10                       | ISS-001, ISS-002, ISS-009
Assessment Reviewer    | Yes      | 10 (identical to Editor) | ISS-004
CMS Manager            | Yes      | 3                        | ISS-003
Admin                  | Pending  |                          |
Guest                  | Pending  |                          |

  1. Is the Editor delete permission intentional? If not, what’s the correct list of statuses an Editor should be able to delete?
  2. Should CMS Manager have Media Library access? The FRD says yes, but the current implementation says no.
  3. What permissions should the Admin role have vs Super Admin? We need to verify the Admin sidebar.
  4. Is there a way to disable the bot detection for automated testing? Current implementation blocks Playwright/Puppeteer.
  5. Should the “Something went wrong” error be logged/reported? It appears to be a React error boundary with no backend logging.
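Question 5 is answered in practice by giving the error boundary something to send. The block below is an added example, not project code: it builds the report a `componentDidCatch` handler could post, strips the query string and fragment from the URL before it leaves the browser (admin URLs may carry tokens or search terms), caps the stack, and records the role and the auth transition in progress, since ISS-005 says the overlay clusters around login/logout. The `/api/client-errors` endpoint, the field names and the context shape are assumptions.

```javascript
// Added example, not the project's code: turn a React error-boundary catch into
// a backend report so "Something went wrong" (ISS-005) is visible server-side.
// Endpoint, field names and the ctx shape are assumptions.

const MAX_STACK_LINES = 20;
const MAX_COMPONENT_STACK_CHARS = 2000;

function buildErrorReport(error, componentStack, ctx = {}) {
  // Keep only the path: query strings and fragments may hold secrets.
  const url = String(ctx.url || '').split('?')[0].split('#')[0];
  const stack = String((error && error.stack) || error)
    .split('\n')
    .slice(0, MAX_STACK_LINES)
    .join('\n');
  return {
    message: error && error.message ? error.message : String(error),
    stack,
    componentStack: String(componentStack || '').slice(0, MAX_COMPONENT_STACK_CHARS),
    url,
    role: ctx.role || 'anonymous',
    transition: ctx.transition || null,   // e.g. 'logout' or 'login', per ISS-005
    occurredAt: ctx.now || new Date().toISOString(),
  };
}

// In the boundary:
//   componentDidCatch(error, info) {
//     sendErrorReport(buildErrorReport(error, info.componentStack, {
//       url: window.location.href, role: currentUser.role, transition: lastAuthTransition,
//     }));
//   }
// Resolves to true when the backend accepted the report, false otherwise;
// it never throws, because a failing reporter must not re-trigger the boundary.
function sendErrorReport(report, fetchImpl = globalThis.fetch) {
  if (typeof fetchImpl !== 'function') return Promise.resolve(false);
  return fetchImpl('/api/client-errors', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(report),
    keepalive: true, // survives the navigation that often accompanies the error
  }).then((r) => Boolean(r && r.ok)).catch(() => false);
}
```

The backend side is a plain insert plus a counter per (message, role, transition); once it exists, the "how often" in ISS-005 becomes a number rather than an impression.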