Hier ist der Text 1:1 ohne Emojis: --- **QA Tester: Complete Launch Test – Swiss Classifieds Platform** Full end-to-end test before go-live. Paid listings in 3 tiers (Basic/Premium/TOP), public website + admin dashboard + backend. You get full access to everything: admin credentials, backend (database, storage, edge functions, logs, auth), repo. Goal: Complete test report with launch-readiness verdict. **Important** 1. Payments = TEST MODE – click "Mark transaction as paid" 2. Location = Google Autocomplete ONLY – select from dropdown, GPS-based 3. Postal code optional – some cities won't return one, not a bug 4. UI = German, report in English or German 5. Listings visible without login – verify! --- **30 Test Accounts Required** - 30 accounts, 1 listing each (30 total) - 10x Basic, 10x Premium, 10x TOP – different Swiss cities - Every profile: MAX photos (Basic:5, Premium:10, TOP:15) - At least 5 verification photos across profiles - Keep all accounts – I inspect them Admin actions: Approve at least 15, reject at least 5, leave at least 3 pending. Accept at least 3 verifications, reject at least 2 with notes. Set 2 expiry dates to past. "Gratis Aktivierung" on at least 2. Delete 1 user completely. --- **EVERY Test** AUTH: Register, email verify (login blocked until confirmed), wrong password error, rate-limit (5+ fails = lock), forgot password, reset, logout/re-login, protected pages redirect to /auth, session persistence after refresh. GOOGLE AUTOCOMPLETE (mandatory everywhere): - Every location input MUST use Google Autocomplete (user: create/edit profile, admin: create/edit profile) - Locations can ONLY be saved when a suggestion from the dropdown was selected (no freetext without selection) - After selection: canton + GPS coordinates must auto-fill and save correctly - Test with big cities (Zuerich, Bern, Basel) + small towns (Eiken AG, Stein AG, Rheinfelden) - Negative test: Try manual payload/freetext manipulation for city/canton/coords, must be rejected LISTING CREATION: All fields: name, age, gender, Google Autocomplete city, canton auto-fill, about me (test 1500 char limit), languages, categories (max 3 enforced), all contacts (phone, WhatsApp, email, website, Telegram, Instagram, street). Max photos per tier. Large images >5MB compressed. Reorder photos, set primary, delete. Verification upload. AGB mandatory. Tier selection. PAYMENT AND SUBSCRIPTIONS: - Pay, status "pending". Cancel, cancellation page - Upgrade exploit: Basic to Premium without paying - Downgrade exploit: TOP to Basic while active - Active = extend only (no tier change) - Expired = upgrade/downgrade allowed - Extend active, auto-activate - Extend expired, pending (re-approval) - listing_type manipulation via console/API PHOTO EXPLOITS: Basic: upload #6, blocked. Premium: #11, blocked. TOP: #16, blocked. Pay Basic, try 10 photos, fail. Verify server-side check in payport-checkout. PUBLIC PAGES (no login): - Homepage: featured profiles load - Search /suche: filter canton, category, text, GPS radius - Profile detail: photos, contacts, categories, verification badge - /kategorien, /kantone, /agb, /datenschutz, /impressum, /preise, /kontakt - Contact form, appears in admin - All 30 listings visible without login - Rotation every 30min, sorting TOP>Premium>Basic USER DASHBOARD: View/edit profile. Statistics. Favorites add+remove. Change request with media. Upgrade/extend page. Package change for unpaid profiles. Delete account completely. ADMIN DASHBOARD – EVERY PAGE: - Dashboard: 4 stat tiles correct counts - Profiles: All statuses, approve/reject/edit, change expiry, delete photos, moderation notes, expired filter - Verifications: Accept (badge appears), reject with note - Users: List, delete completely (all data gone), roles - Pending Payments: View/manage - Tier Monitor: Filter tabs, grid+table, rotation timer - Categories: CRUD, sort, activate/deactivate, intro text - Cities: CRUD, coordinates, intro text - Dropdowns: Manage languages, genders etc. - Messages: Read, status change, delete - Reports: View, update status, delete - Rate Limits: View locked, unlock - Analytics: Charts, views table, real-time feed - Settings CMS: Change values, verify on live site - Export: CSV/JSON all tables, schema SQL, storage files - Ads/Banners: Create/edit/test if present - Gratis Aktivierung: Quick-activate with custom duration - Admin Account: Settings BACKEND CHECK (full access): - Database: all tables, RLS policies, no orphaned data - Edge functions: logs clean, error handling (approximately 23 functions) - Storage: photos correct, buckets configured - Auth: email verification enforced - Views: public_profiles shows only active SECURITY AND EXPLOITS: - RLS: can't read/edit others' profiles/contacts/photos - Premium/TOP without payment impossible - listing_type not manipulable client-side - Photo limits server-side enforced - /admin/* blocked for non-admins - SQL injection + XSS via all text fields - Rate limit bypass, IDOR tests - is_adult bypass, verification without ownership - Direct API calls bypassing frontend RESPONSIVE: Mobile iOS+Android, tablet, desktop Chrome/Firefox/Safari/Edge. Images load. Navigation works. Forms usable on mobile. SEO: Unique title+meta per page, OG tags, canonical URLs, robots.txt, JSON-LD on profiles. CODE REVIEW: Edge function error handling, no hardcoded secrets, RLS on all queries, dead routes, performance. --- **Deliverable** Report table: # | Area | Test | Status (Pass/Fail/Warning) | Details | Screenshot. Plus: launch verdict, critical bugs, nice-to-haves, security assessment. Specific repro steps + screenshots for every bug. **Stack** React+TS+Vite+Tailwind, PostgreSQL+RLS, PayPort test mode, Google Places, approximately 23 Edge Functions, German UI. **You Receive** Published URL, admin credentials, full backend access (DB/storage/functions/logs/auth), repo access, PayPort test guide, this checklist. **Requirements** Web app testing, OWASP Top 10 knowledge, clear documentation with screenshots, English or German. Tags: QA, Security Testing, React, E2E, Classifieds, Swiss Market, PostgreSQL, RLS, Manual Testing