Access control view
===================

First, create a SchoolBell instance:

    >>> print http(r"""
    ... POST /@@contents.html HTTP/1.1
    ... Authorization: Basic mgr:mgrpw
    ... Content-Length: 81
    ... Content-Type: application/x-www-form-urlencoded
    ... Referer: http://localhost/@@contents.html?type_name=BrowserAdd__schoolbell.app.app.SchoolBellApplication
    ...
    ... type_name=BrowserAdd__schoolbell.app.app.SchoolBellApplication&new_value=frogpond""")
    HTTP/1.1 303 See Other
    ...

Let's create a person so that we can fool around with his calendar:

    >>> print http(r"""
    ... POST /frogpond/persons/add.html HTTP/1.1
    ... Authorization: Basic mgr:mgrpw
    ... Content-Length: 112
    ... Content-Type: application/x-www-form-urlencoded
    ...
    ... field.title=Frog&field.username=frog&field.password=pwd&field.verify_password=pwd&field.photo=&UPDATE_SUBMIT=Add
    ... """)
    HTTP/1.1 303 See Other
    ...

He can't access the ACL view:

    >>> print http(r"""
    ... GET /frogpond/acl.html HTTP/1.1
    ... Authorization: Basic frog:pwd
    ... """)
    HTTP/1.1 303 See Other
    ...
    Location: ...login.html...

Grant him a 'schoolbell.controlAccess' permission on the app:

    >>> print http("""
    ... POST /frogpond/acl.html HTTP/1.1
    ... Authorization: Basic mgr:mgrpw
    ... Content-Type: application/x-www-form-urlencoded
    ...
    ... marker-sb.person.frog=1&\
    ... sb.person.frog=schoolbell.controlAccess&\
    ... sb.person.frog=schoolbell.view&\
    ... UPDATE_SUBMIT=Set
    ... """)
    HTTP/1.1 303 See Other
    ...
    Location: http://localhost/frogpond
    ...

Now he can access the acl.html view on app:

    >>> print http(r"""
    ... GET /frogpond/acl.html HTTP/1.1
    ... Authorization: Basic frog:pwd
    ... """, handle_errors=False)
    HTTP/1.1 200 Ok
    ...

Also, he can set the permissions, even elevate his own permissions:

    >>> print http("""
    ... POST /frogpond/acl.html HTTP/1.1
    ... Authorization: Basic frog:pwd
    ... Content-Type: application/x-www-form-urlencoded
    ...
    ... marker-sb.person.frog=1&\
    ... sb.person.frog=schoolbell.view&\
    ... sb.person.frog=schoolbell.edit&\
    ... sb.person.frog=schoolbell.addEvent&\
    ... sb.person.frog=schoolbell.modifyEvent&\
    ... sb.person.frog=schoolbell.controlAccess&\
    ... sb.person.frog=schoolbell.create&\
    ... UPDATE_SUBMIT=Set
    ... """)
    HTTP/1.1 303 See Other
    ...
    Location: http://localhost/frogpond
    ...

It works for subobjects of the app too:

    >>> print http("""
    ... POST /frogpond/persons/acl.html HTTP/1.1
    ... Authorization: Basic frog:pwd
    ... Content-Type: application/x-www-form-urlencoded
    ...
    ... marker-sb.person.frog=1&\
    ... sb.person.frog=schoolbell.view&\
    ... sb.person.frog=schoolbell.edit&\
    ... sb.person.frog=schoolbell.addEvent&\
    ... sb.person.frog=schoolbell.modifyEvent&\
    ... sb.person.frog=schoolbell.controlAccess&\
    ... sb.person.frog=schoolbell.create&\
    ... UPDATE_SUBMIT=Set
    ... """)
    HTTP/1.1 303 See Other
    ...
    Location: http://localhost/frogpond/persons
    ...
