+
+
+ ## Then try with the private user, to make sure that you get a forbidden
+ basic_authorization(users(:normal_user).email, "test")
+
+ # this shouldn't work, as we should need the payload...
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # try to delete without specifying a changeset
+ content "<osm><relation id='#{current_relations(:visible_relation).id}'/></osm>"
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (closed) changeset
+ content update_changeset(current_relations(:visible_relation).to_xml,
+ changesets(:normal_user_closed_change).id)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (non-existent) changeset
+ content update_changeset(current_relations(:visible_relation).to_xml,0)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # this won't work because the relation is in-use by another relation
+ content(relations(:used_relation).to_xml)
+ delete :delete, :id => current_relations(:used_relation).id
+ assert_response :forbidden
+
+ # this should work when we provide the appropriate payload...
+ content(relations(:visible_relation).to_xml)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # this won't work since the relation is already deleted
+ content(relations(:invisible_relation).to_xml)
+ delete :delete, :id => current_relations(:invisible_relation).id
+ assert_response :forbidden
+
+ # this works now because the relation which was using this one
+ # has been deleted.
+ content(relations(:used_relation).to_xml)
+ delete :delete, :id => current_relations(:used_relation).id
+ assert_response :forbidden
+
+ # this won't work since the relation never existed
+ delete :delete, :id => 0
+ assert_response :forbidden
+
+