DEF-046 — Settings: Site Name can be saved empty — no server-side validation

Admin Panel · High severity · Validation · New
Defect DEF-046 — Severity: High · Status: New
Published: 2026-06-17

Summary

The Application Settings page (/admin/settings) allows the Site Name field to be cleared and saved as an empty string. The server accepts the submission, responds with “Settings updated successfully.”, and persists a blank Site Name to the database without returning any validation error.

Environment

  • URL: https://project6.dxtserver.com/drivelink_new/public/admin/settings
  • Module: Admin Panel — Settings → General Settings → Site Name
  • Date Reported: 2026-06-17
  • Browser: Chromium (Playwright)
  • Testing Phase: Admin Panel — Section 16: Settings (test case SET-05)

Steps to Reproduce

  1. Log in to the Admin Panel.
  2. Navigate to Settings (/admin/settings).
  3. Clear the Site Name field (remove “DriveLink”).
  4. Click Save Settings.
  5. Observe: green toast “Settings updated successfully.” appears.
  6. Observe: Site Name field is now empty (placeholder “Enter site name” shown).
  7. Reload the page — Site Name loads as empty, confirming the empty value was persisted.

Expected Behaviour

  • Submitting an empty Site Name should be blocked with a validation error (e.g., “Site name is required.”).
  • The server should reject the form and not persist the empty value.
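
A sketch of the server-side check described above, as an added example that is not the application's own code. It goes slightly beyond the reported case by also rejecting whitespace-only and zero-width-only values, which a bare empty-string check would let through. The field key `site_name`, the 255-character cap, the 422 status and the in-memory `store` are assumptions.

```javascript
// Added example, not the application's code. Assumptions: the field key
// `site_name`, the 255-character cap, the 422 status, and the in-memory
// `store` object standing in for the settings table.
const MAX_SITE_NAME_LENGTH = 255;

// Invisible characters that String.prototype.trim() does not remove.
const ZERO_WIDTH = /[\u200B-\u200D\u2060]/g;

function validateSiteName(raw) {
  if (typeof raw !== "string") {
    return { ok: false, error: "Site name is required." };
  }
  // Strip invisible characters and surrounding whitespace first, so a value
  // that only looks empty is treated the same as a cleared field.
  const value = raw.replace(ZERO_WIDTH, "").trim();
  if (value.length === 0) {
    return { ok: false, error: "Site name is required." };
  }
  if (value.length > MAX_SITE_NAME_LENGTH) {
    return { ok: false, error: `Site name must be at most ${MAX_SITE_NAME_LENGTH} characters.` };
  }
  return { ok: true, value };
}

// Update handler: validate before any write. On failure nothing is persisted
// and the caller gets a field-level error instead of the success message.
function updateSettings(store, body) {
  const result = validateSiteName(body?.site_name);
  if (!result.ok) {
    return { status: 422, errors: { site_name: result.error } };
  }
  store.site_name = result.value;
  return { status: 200, message: "Settings updated successfully." };
}

// Constructed sample submissions against a store seeded with the current value.
function demo() {
  const store = { site_name: "DriveLink" };
  const inputs = ["", "   ", "\u200B", "DriveLink Pro"];
  const responses = inputs.map((site_name) => updateSettings(store, { site_name }));
  return { responses, store };
}
```

The check belongs in the request handler itself, because a `required` attribute on the form input does not protect against a request sent directly to the endpoint.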

Actual Behaviour

  • The server accepts an empty Site Name and saves it.
  • Toast “Settings updated successfully.” confirms persistence.
  • The app now operates with a blank Site Name until manually corrected.

Impact

  • A Site Name is used in page titles, emails, and system references throughout the app.
  • An accidental (or malicious) blank Site Name could break email templates, page <title> tags, and other references that depend on this value.
  • No confirmation or undo mechanism exists — the change is immediate.

Severity

High — Core required configuration can be permanently blanked with no server-side protection, affecting the application’s identity across all user-facing surfaces.

Priority

High

Status

New

Reported By

QA / Testing Team