Feature: Memberships
  In order to ensure memberships are not tampered with
  As an admin, designer or author
  I will be restricted based on my role

  Background:
    Given I have the site: "test site" set up with id: "4f832c2cb0d86d3f42fffffb"
    And I have accounts:
      | email           | id                        |
      | new-user@a.com  | 4f832c2cb0d86d3f42fffffc  |
    And I have memberships:
      | email           | role      | id                        |
      | admin@a.com     | admin     | 4f832c2cb0d86d3f42fffffd  |
      | designer@a.com  | designer  | 4f832c2cb0d86d3f42fffffe  |
      | author@a.com    | author    | 4f832c2cb0d86d3f42ffffff  |

  Scenario: As an unauthenticated user
    Given I am not authenticated
    When I do an API GET to memberships.json
    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."

  # listing memberships

  Scenario: Accessing memberships as an Admin
    Given I have an "admin" API token
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 4 entries

  Scenario: Accessing memberships as a Designer
    Given I have a "designer" API token
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 4 entries

  Scenario: Accessing memberships as an Author
    Given I have an "author" API token
    When I do an API GET request to memberships.json
    Then an access denied error should occur

  # showing membership

  Scenario: Accessing membership as an Admin
    Given I have an "admin" API token
    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
    Then the JSON response at "email" should be "admin@a.com"
    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
    Then the JSON response at "email" should be "designer@a.com"
    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
    Then the JSON response at "email" should be "author@a.com"

  Scenario: Accessing membership as a Designer
    Given I have a "designer" API token
    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
    Then the JSON response at "email" should be "admin@a.com"
    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
    Then the JSON response at "email" should be "designer@a.com"
    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
    Then the JSON response at "email" should be "author@a.com"

  Scenario: Accessing membership as an Author
    Given I have an "author" API token
    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
    Then an access denied error should occur

  # create membership

  Scenario: Creating new membership as an Admin
    Given I have an "admin" API token
    When I do an API POST to memberships.json with:
    """
    {
      "membership": {
        "site_id": "4f832c2cb0d86d3f42fffffb",
        "account_id": "4f832c2cb0d86d3f42fffffc"
      }
    }
    """
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 5 entries

  Scenario: Creating new membership as a Designer
    Given I have a "designer" API token
    When I do an API POST to memberships.json with:
    """
    {
      "membership": {
        "site_id": "4f832c2cb0d86d3f42fffffb",
        "account_id": "4f832c2cb0d86d3f42fffffc"
      }
    }
    """
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 5 entries

  Scenario: Creating new membership as an Author
    Given I have an "author" API token
    When I do an API POST to memberships.json with:
    """
    {
      "membership": {
        "site_id": "4f832c2cb0d86d3f42fffffb",
        "account_id": "4f832c2cb0d86d3f42fffffc"
      }
    }
    """
    Then an access denied error should occur

  # a "role" supplied in the create payload must be ignored: new memberships start as "author"
  Scenario: Created membership should always be Author
    Given I have an "admin" API token
    When I do an API POST to memberships.json with:
    """
    {
      "membership": {
        "site_id": "4f832c2cb0d86d3f42fffffb",
        "account_id": "4f832c2cb0d86d3f42fffffc",
        "role": "admin"
      }
    }
    """
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 5 entries
    And the JSON at "4/role" should be "author"

  # update membership

  Scenario: Updating membership as an Admin
    Given I have an "admin" API token
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "admin"
      }
    }
    """
    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
    Then the JSON response at "role" should be "admin"

  # a designer must not be able to grant "admin" (the role stays "author"), but may grant "designer"
  Scenario: Updating membership as a Designer
    Given I have a "designer" API token
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "admin"
      }
    }
    """
    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
    Then the JSON response at "role" should be "author"
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "designer"
      }
    }
    """
    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
    Then the JSON response at "role" should be "designer"

  Scenario: Updating membership as an Author
    Given I have an "author" API token
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "admin"
      }
    }
    """
    Then an access denied error should occur
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "designer"
      }
    }
    """
    Then an access denied error should occur
    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
    """
    {
      "membership": {
        "role": "author"
      }
    }
    """
    Then an access denied error should occur

  # destroy membership

  Scenario: Destroying membership as an Admin
    Given I have an "admin" API token
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 4 entries
    When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 3 entries

  # a designer may remove an author's membership, but not a designer's or an admin's
  Scenario: Destroying membership as a Designer
    Given I have a "designer" API token
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 4 entries
    When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
    When I do an API GET request to memberships.json
    Then the JSON response should be an array
    And the JSON response should have 3 entries
    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
    Then an access denied error should occur
    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffd.json
    Then an access denied error should occur

  Scenario: Deleting membership as an Author
    Given I have an "author" API token
    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
    Then an access denied error should occur