2026-06-17 — Admin Panel & Backend API Testing Report
Overview
| Item | Detail |
|---|---|
| Platforms | DriveLink Admin Panel (Web), Backend REST API |
| Admin Panel URL | https://project6.dxtserver.com/drivelink_new/public/ |
| API Server | https://project6.dxtserver.com/drivelink_new/public/api/v1 |
| Testing Date | 2026-06-17 |
| Tester | Ahmad Shrif |
| Browser | Chromium (Playwright) |
| Test Cases Run | ~225 |
| Total Defects Filed | 36 (28 Admin Panel + 8 Backend API) |
| Overall Status | 🔴 RED — Critical and High severity defects require resolution before production |
Executive Summary
The DriveLink Admin Panel and Backend API have been tested across 22 sections and approximately 225 test cases. A total of 36 defects were filed: 28 against the Admin Panel and 8 against the Backend API.
Two critical security vulnerabilities were identified that must be resolved before any production deployment. The first exposes the full database schema — including host, port, database name, table names, and raw SQL queries — in a browser alert dialog triggered by a search action on the Verification Requests page. The second is a pre-existing API issue where OTP verification accepts any code, enabling full account takeover without SMS delivery. A third critical defect affects the Live Vehicle Tracking feature entirely: the socket.io server returns 503 on every connection attempt, making real-time tracking non-functional.
Beyond the critical issues, the most impactful patterns found are: search functionality is broken on the majority of list pages (DataTables client-side search does not filter); all customer and story images served via direct S3 URLs fail to load; the server is running with APP_DEBUG=true in production, exposing stack traces and Laravel Ignition debug pages on 405 errors; and the Settings form accepts a blank Site Name with no server-side validation, allowing core configuration to be accidentally cleared.
On the positive side, the Reports section (all 6 report types), FAQs, Reported Stories, Administrators, and Activity Logs all performed well, with CRUD workflows, date filters, exports, and audit trail functionality confirmed working correctly.
Testing Progress
Module Execution Table
| Section | Cases Run | Pass | Fail | Skip | Defects |
|---|---|---|---|---|---|
| Authentication & Navigation | 11 | 7 | 2 | 1 | DEF-032, DEF-033 |
| Common Table Behaviour | 8 | 4 | 3 | 0 | DEF-035 (sort), DEF-019 (search) |
| Dashboard | 13 | 10 | 2 | 0 | DEF-036, DEF-037 |
| Masters | 17 | 10 | 4 | 1 | DEF-038, DEF-039 |
| Safety Alerts | 8 | 7 | 1 | 0 | DEF-040 |
| Customers | 15 | 9 | 4 | 1 | DEF-041, DEF-042 |
| Stories | 10 | 5 | 4 | 1 | DEF-043, DEF-044 |
| Reported Stories | 9 | 7 | 2 | 0 | — (search blocked by DEF-019) |
| Convoys | 9 | 5 | 4 | 0 | DEF-045 |
| CMS Pages | 11 | 6 | 1 | 4 | — |
| FAQs | 10 | 9 | 1 | 0 | — (search blocked by DEF-019) |
| Sales | 11 | 9 | 2 | 0 | — (search blocked by DEF-019) |
| Tow | 7 | 5 | 2 | 0 | — (search blocked by DEF-019) |
| Help | 7 | 5 | 2 | 0 | — (search blocked by DEF-019) |
| Public Notifications | 12 | 7 | 1 | 4 | — |
| Reports | 44 | 39 | 5 | 0 | — |
| Roles | 8 | 7 | 0 | 1 | — |
| Administrators | 11 | 10 | 1 | 0 | DEF-041 (scope extended) |
| Settings | 6 | 5 | 1 | 0 | DEF-046 |
| Activity Logs | 8 | 6 | 2 | 0 | DEF-047, DEF-048 |
| Live Tracking | 6 | 4 | 1 | 1 | DEF-049 |
| Verification Requests | 8 | 6 | 2 | 0 | DEF-050 |
| Total | ~225 | ~171 | ~47 | ~14 | |
Execution Statistics
- Test cases run: ~225
- Passed: ~171 (76%)
- Failed: ~47 (21%)
- Skipped: ~14 (6%) — session timeout (requires real wait) and live-data deletion on Roles/Administrators
Severity Breakdown
| Severity | Admin Panel | Backend API | Total |
|---|---|---|---|
| Critical | 3 | 1 | 4 |
| High | 10 | 4 | 14 |
| Medium | 11 | 3 | 14 |
| Low | 4 | 0 | 4 |
| Total | 28 | 8 | 36 |
Key Findings by Area
Security
The most severe finding is on the Verification Requests page (DEF-050): typing in the search box triggers a server-side SQL error that is returned verbatim to the browser in a JavaScript alert. The alert exposes the database engine (PostgreSQL), host, port, database name, table names, column names, and the full failing SQL query. This is accessible to any logged-in admin user and must be addressed before the panel is in production use. The root cause is a misconfigured DataTables column (DT_RowIndex) included in the server-side search query against a table where that column does not exist.
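As an added illustration of the DEF-050 root cause (this is not DriveLink code), the following shows the DataTables column definition with the synthetic row-index column excluded from search, plus a server-side allow-list that only ever searches columns the table actually has, so a client-supplied `searchable` flag cannot push DT_RowIndex into the query. The column names for the Verification Requests table are assumed for illustration.

```javascript
// Added example (not DriveLink code). Column names below are assumptions.

// Client-side column definition: DT_RowIndex is a row counter generated for the
// response and has no backing column, so it must never be searchable or orderable.
const verificationColumns = [
  { data: 'DT_RowIndex', name: 'DT_RowIndex', searchable: false, orderable: false },
  { data: 'customer_name', name: 'customer_name', searchable: true, orderable: true },
  { data: 'document_type', name: 'document_type', searchable: true, orderable: true },
  { data: 'status', name: 'status', searchable: true, orderable: true },
];

// Server-side guard (stand-in for the backend): the real table's columns are the
// allow-list, so a request can only narrow the search, never widen it.
const REAL_COLUMNS = new Set(['customer_name', 'document_type', 'status', 'created_at']);

// DataTables sends "true"/"false" strings in form-encoded requests; accept both forms.
function searchableColumns(requestColumns, allowList = REAL_COLUMNS) {
  return requestColumns
    .filter((c) => c.searchable === true || c.searchable === 'true')
    .map((c) => c.name)
    .filter((name) => allowList.has(name));
}

// Build a WHERE fragment from the filtered list only: identifiers come from the
// allow-list and the search term stays a bound parameter (PostgreSQL ILIKE).
function buildSearchWhere(requestColumns, term, allowList = REAL_COLUMNS) {
  const cols = searchableColumns(requestColumns, allowList);
  if (!term || cols.length === 0) return { sql: '', params: [] };
  const sql = 'WHERE ' + cols.map((c) => `${c} ILIKE ?`).join(' OR ');
  return { sql, params: cols.map(() => `%${term}%`) };
}

// Constructed request reproducing the DEF-050 condition: the client marks every
// column, including DT_RowIndex, as searchable.
const badRequest = verificationColumns.map((c) => ({ ...c, searchable: true }));
```

With `badRequest`, `searchableColumns` still yields only the three real columns, so the generated SQL never references DT_RowIndex.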
GET requests to /login and /logout routes return HTTP 405 with a full Laravel Ignition debug page (DEF-032). This exposes framework internals, file paths, and stack traces publicly. The fix is a single environment change: setting APP_DEBUG=false. The same issue exists on the API server (DEF-029), which returns full stack traces on unhandled errors throughout the Backend API.
On the API side, OTP verification accepts any numeric code regardless of what was sent via SMS (DEF-031). This allows any user with a target’s email and phone number to obtain a valid session token without access to the target’s device.
Infrastructure & Broken Features
The Live Vehicle Tracking page (/admin/vehicle-tracking) attempts to establish a socket.io WebSocket connection for real-time location data. The socket.io server returns 503 Service Unavailable on every attempt, and the client retries continuously, generating unbounded errors for the lifetime of the page (DEF-049). The Active Vehicles count therefore always shows 0 and no vehicle locations are ever received. This is an infrastructure issue — the Node.js socket.io process appears to not be running on the server.
Firebase Realtime Database is not initialised on the dashboard (“database is not defined”, DEF-037), which affects the Live Activity Feed widget. The flasher.min.js library (used for server-side flash messages) and the hkgrotesk-regular.woff font both return 404 on every page load. The combined effect is that server-side validation feedback and flash notifications are never displayed anywhere in the admin panel — errors appear to fail silently.
Search functionality is broken across the majority of list pages. DataTables client-side search does not filter results on Customers, Stories, Reported Stories, FAQs, Sales, Tow, Help, and Public Notifications (DEF-019). On the Stories page there is an additional JavaScript error, “$ is not defined at stories:1323”, because jQuery is not loaded before the inline script that references it (DEF-044). This also breaks the Grid/List view toggle on Stories (DEF-012) and Convoys (DEF-045). Search works correctly only on pages that use server-side DataTables: Administrators and Activity Logs.
The Activity Logs Filter by Action dropdown returns 0 results for every action value — Login, Create, Update, Delete, Status Change (DEF-047). The module filter and text search on the same page work correctly. The root cause appears to be a mismatch between the option values sent by the client and the format expected by the server.
Data & Storage
All customer profile images across the 51-customer database show as broken placeholders (DEF-042). The fallback image user-placeholder.png is itself missing from the server (404), compounding the issue across every page that references user avatars.
11 of 12 story images fail to load (DEF-043). Inspection of the image src attributes reveals two storage patterns in use: the single working image is served via CloudFront CDN (d31siqwam1pdxq.cloudfront.net), while all 11 broken images use direct S3 bucket URLs (dxprojects.s3.ap-southeast-1.amazonaws.com) that do not return content publicly. This indicates a storage configuration change occurred at some point and older records were not migrated.
Validation Gaps
The Settings form saves silently with an empty Site Name field — the server responds with “Settings updated successfully” and persists a null value to the database (DEF-046). This was confirmed by the Activity Logs detail view showing "site_name": null in the Old Values after the test. No server-side validation exists for required fields on this form.
The Masters section accepts duplicate titles on create with no uniqueness check — submitting the same title twice creates two identical entries without any error (DEF-038).
Status toggles on the Customers and Administrators list pages fire an immediate AJAX request on click with no confirmation dialog (DEF-041). An accidental click deactivates a user account instantly with no undo path.
UI & Minor Issues
The Reports count column in the Hazard Clusters table on the Safety Alerts page renders invisible — the value is present in the DOM but not displayed (DEF-040). Module names in the Activity Logs table render with spaces between letters: “F A Q” and “C M S Page” instead of “FAQ” and “CMS Page” (DEF-048). The Settings page breadcrumb reads “Dashboard › Settings” while all other pages use the pattern “Drivelink › [Page Name]” (DEF-034). Create and edit forms throughout the Masters section have no Cancel or Back button (DEF-039).
What Is Working Well
The Reports section performed well across all 6 report types (Customers, Drivers, Safety, Stories, Sales, Tow). Date range filters narrow results correctly, Reset restores the full dataset, and Export Excel downloads a valid .xlsx file. 44 test cases were run in this section with 39 passing.
The FAQs module supports a complete and correct CRUD workflow. Create, edit, and delete all behave as expected, with the record count updating correctly after each operation. The Reported Stories status workflow (Pending → Reviewed → Action Taken) persists correctly across page reloads.
The Administrators section demonstrates well-implemented search (server-side DataTables filters correctly), a proper two-step delete confirmation modal (“This action cannot be undone”), and an edit form that correctly distinguishes new-password entry from keep-existing behaviour.
The Activity Logs page provides a comprehensive audit trail with timestamps, user, module, action type, description, and IP address for all 482 logged events. The detail view for each log entry shows a structured Old Values / New Values JSON diff, confirming all admin actions during this test session were captured accurately.
Admin Panel Defects
| ID | Title | Severity | Status |
|---|---|---|---|
| DEF-012 | Stories Management: View Toggle Buttons Non-Functional | Medium | New |
| DEF-013 | Stories Management: Oversized Arrow/Chevron Icon Display | Medium | New |
| DEF-014 | Stories Management: Oversized Pagination Icons Overlap Controls | High | New |
| DEF-015 | Admin Sidebar: Bottom Navigation Items Not Reachable | Critical | New |
| DEF-016 | Admin Panel: Inconsistent Pagination Style Across Pages | Medium | New |
| DEF-017 | Admin Panel: Full Page Reload on Every Navigation Click | High | New |
| DEF-019 | Admin Panel: Search Does Not Filter Results (Systemic) | High | New |
| DEF-020 | Deleted Account’s Phone Number Still Blocks Re-Registration | High | New |
| DEF-021 | POST /register Does Not Enforce Phone Number Uniqueness | High | New |
| DEF-032 | GET /login and /logout Expose Laravel Ignition Debug Page on 405 | High / Security | New |
| DEF-033 | Admin Login: No Error Message on Invalid Credentials | Medium | New |
| DEF-034 | Settings Page Breadcrumb Shows “Dashboard” Instead of “Drivelink” | Low | New |
| DEF-035 | Admin Tables: Column Header Sorting Does Not Work | Medium | New |
| DEF-036 | Dashboard: “View All” on Live Activity Feed Does Nothing | Medium | New |
| DEF-037 | Dashboard: Console Errors on Load — flasher.min.js 404, Font 404, Firebase Undefined | High | New |
| DEF-038 | Masters: Duplicate Titles Accepted — No Uniqueness Validation | Medium | New |
| DEF-039 | Masters: Create/Edit Forms Have No Cancel or Back Button | Low | New |
| DEF-040 | Safety Alerts: Reports Count Column Invisible in Hazard Clusters Table | Medium | New |
| DEF-041 | Status Toggle Fires Immediately With No Confirmation (Customers & Administrators) | Medium | New |
| DEF-042 | Customers: All Profile Images Broken — user-placeholder.png Missing from Server | Medium | New |
| DEF-043 | Stories: 11/12 Images Broken — Direct S3 URLs Inaccessible | Medium | New |
| DEF-044 | Stories: Search Non-Functional — jQuery Not Loaded at Runtime | High | New |
| DEF-045 | Convoys: Grid/List View Toggle Does Not Switch Layout | Low | New |
| DEF-046 | Settings: Site Name Can Be Saved Empty — No Server-Side Validation | High | New |
| DEF-047 | Activity Logs: Filter by Action Returns 0 Results for All Values | High | New |
| DEF-048 | Activity Logs: Module Names Display With Spaces Between Letters (“F A Q”) | Low | New |
| DEF-049 | Live Tracking: socket.io Server Returns 503 — Real-Time Tracking Non-Functional | Critical | New |
| DEF-050 | Verification Requests: Search Exposes Full DB Schema in Browser Alert | Critical / Security | New |
Backend API Defects
| ID | Title | Severity | Status |
|---|---|---|---|
| DEF-023 | Login Endpoints Couple Authentication with Device Registration | Medium | Open |
| DEF-024 | Login Response Buries Auth Token Inside User Object | Medium | Open |
| DEF-025 | Register Field Naming Inconsistent with the Rest of the API | High | Open |
| DEF-026 | Eight Endpoints Require Auth Token Duplicated in Request Body | Medium | Open |
| DEF-027 | Forgot Password Flow Broken — Two Steps Use Different Field Names | High | Open |
| DEF-029 | Server Exposes Full Laravel Stack Traces in Error Responses | High / Security | Open |
| DEF-030 | 15 Features Non-Functional — Endpoints Return 404 or Redirect | High | Open |
| DEF-031 | OTP Verification Accepts Any Code — Full Account Takeover Possible | Critical / Security | Open |
Conclusion
The DriveLink Admin Panel is not in a production-ready state. The combination of two critical security vulnerabilities (database schema exposure on Verification Requests search, OTP bypass on the API), a broken real-time infrastructure service (socket.io 503), and systemic issues with search, image loading, and flash messaging represents a significant gap between the current state and production readiness.
The recommended resolution order is:
- Immediate (block deployment): DEF-050 (SQL schema in browser alert), DEF-031 (OTP bypass), DEF-032/DEF-029 (debug mode in production exposing stack traces).
- Before release: DEF-049 (socket.io server down), DEF-037 (flasher.min.js 404 / Firebase uninitialised — makes all server validation silent), DEF-019/DEF-044 (search broken system-wide), DEF-043/DEF-042 (images broken across Stories and Customers).
- Before UAT: DEF-046 (settings blank save), DEF-038 (duplicate masters), DEF-041 (status toggle no confirmation), DEF-047 (activity log action filter), DEF-040 (reports count invisible).
- Polish before launch: DEF-034, DEF-035, DEF-039, DEF-045, DEF-048 (low-severity UI and UX issues).
Report prepared by: QA / Testing Team — 2026-06-17
Distribution: Development Team, Stakeholders