Functional doctest for Security
===============================

This test verifies the security checking for booked resources and
events that book them.

XXX: Review with David Welsh for accuracy.

Setup / Create Manager
----------------------

    >>> manager = Browser('manager', 'schooltool')

Let's create several people who have different permissions for resource booking:

    >>> from schooltool.app.browser.ftests.setup import addPerson, setUpBasicSchool
    >>> setUpBasicSchool()
    >>> addPerson('Teacher', 'teacher', 'pwd')
    >>> addPerson('Leader', 'leader', 'pwd')

Now lets create a resources that can be booked:

    >>> manager.getLink('Manage').click()
    >>> manager.getLink('Resources').click()

    >>> manager.getLink('New Resource').click()
    >>> manager.getControl('Title').value = 'Classroom'
    >>> manager.getControl('Add').click()
    >>> manager.getLink('Resource', index=2).click()
    >>> manager.getLink('Classroom').click()

Create new Browsers for 'Teacher' & 'Leader' and log them in

    >>> teacher = Browser('teacher', 'pwd')
    >>> leader = Browser('leader', 'pwd')

Our users are neither in the teacher group, nor leaders of
the resource, but they should still be able to see the resource
to know when it is in use because they are logged in.

    >>> teacher.open('http://localhost/resources')
    >>> teacher.getLink("Resource").click()
    >>> teacher.getLink('Classroom').click()
    >>> teacher.url
    'http://localhost/resources/classroom'

The teacher should be able to view the calendar for a resource.

    >>> teacher.getLink('View Calendar').click()

But he should not be able to add the events (even if he can guess the url):

    >>> teacher.open('http://localhost/resources/classroom/calendar/add.html')
    Traceback (most recent call last):
    ...
    Unauthorized: (<...>, 'browserDefault', 'schooltool.edit')

Now we will put these people into the teacher group

    >>> manager.getLink('2005-2006').click()
    >>> manager.getLink('Groups').click()
    >>> manager.getLink('Teachers').click()
    >>> manager.getLink('edit members').click()
    >>> manager.getControl('Teacher').click()
    >>> manager.getControl('Add').click()

Now the teacher should be able to schedule a new event

    >>> teacher.open("http://localhost/resources")
    >>> teacher.getLink('Resource').click()
    >>> teacher.getLink('Classroom').click()
    >>> teacher.getLink('View Calendar').click()
    >>> teacher.getLink('New Event').click()
    >>> teacher.getControl('Title').value = 'Classroom Event'
    >>> teacher.getControl('Time').value = '08:00'
    >>> teacher.getControl('Add').click()
    >>> 'Classroom Event' in teacher.contents
    True

The teacher should be able to edit the event that they created.

    >>> teacher.getLink('Classroom Event').click()
    >>> teacher.getControl('Time').value = '09:00'
    >>> teacher.getControl('Update', index=1).click()

The leader should not be able to edit this event (yet) because the
leader is not yet a member of the resource's leader list.

    >>> leader.open('http://localhost/resources')
    >>> leader.getLink('Resource').click()
    >>> leader.getLink('Classroom').click()
    >>> leader.getLink('View Calendar').click()
    >>> leader.getLink('Classroom Event').click()
    >>> leader.getLink('edit event').click()
    Traceback (most recent call last):
    ...
    Unauthorized: (<...>, 'browserDefault', 'schooltool.edit')

So now we will make this leader the leader of the resource.

    >>> manager.open('http://localhost/resources/classroom')
    >>> manager.getLink('Edit Leaders').click()
    >>> manager.getControl('Leader').click()
    >>> manager.getControl('Add').click()

Now 'Leader' is the leader of the resource and should be able to edit it.

    >>> leader.goBack()
    >>> leader.getLink('edit event').click()
    >>> leader.getControl('Time').value = '10:00'
    >>> leader.getControl('Update', index=1).click()

The teacher should still be able to delete the event.

    >>> teacher.getLink('[X]').click()
    >>> teacher.getControl('Delete').click()
    >>> 'Classroom Event' in teacher.contents
    False

The teacher should also be able to schedule a new event from their
personal calendar.

    >>> teacher.getLink('Calendar').click()
    >>> teacher.getLink('New Event').click()
    >>> teacher.getControl('Title').value = 'Classroom Event'
    >>> teacher.getControl('Time').value = '09:00'
    >>> teacher.getControl('Book Resources').click()
    >>> teacher.getControl('Add').click()
    >>> teacher.getControl('Classroom').click()
    >>> teacher.getControl('Book').click()
    >>> teacher.getLink('Calendar').click()
    >>> 'Classroom Event' in teacher.contents
    True

Check to see that the classroom is booked as well.

    >>> print teacher.contents
    <BLANKLINE>
    ...
      <h6 class="booked-resource-header"
          style="background: #7590ae">
        <a style="color: #000;"
           href="http://localhost/persons/teacher/calendar/.../booking.html?date=...">Booked resources</a></h6>
    <BLANKLINE>
        <a href="http://localhost/resources/classroom">Classroom</a>
    ...

Create another Resource.

    >>> manager.getLink('Manage').click()
    >>> manager.getLink('Resources').click()
    >>> manager.getLink('New Resource').click()
    >>> manager.getControl('Title').value = 'Lobby'
    >>> manager.getControl('Add').click()
    >>> manager.getLink("Resource", index=2).click()
    >>> manager.getLink('Classroom').click()

Have Teacher book 'Lobby'

    >>> teacher.open("http://localhost/resources")
    >>> teacher.getLink('Resource').click()
    >>> teacher.getLink('Lobby').click()
    >>> teacher.getLink('View Calendar').click()
    >>> teacher.getLink('New Event').click()
    >>> teacher.getControl('Title').value = 'Lobby Event'
    >>> teacher.getControl('Time').value = '08:00'
    >>> teacher.getControl('Add').click()
    >>> 'Lobby Event' in teacher.contents
    True

The Leader is not the leader of 'Lobby' but is of 'Classroom', make sure that
Leader cannot edit an event in 'Lobby'.

    >>> leader.open('http://localhost/resources/lobby')
    >>> leader.getLink('View Calendar').click()
    >>> leader.getLink('Lobby Event').click()
    >>> leader.getLink('edit event').click()
    Traceback (most recent call last):
    ...
    Unauthorized: (<...>, 'browserDefault', 'schooltool.edit')
