+ # now set auth using the private user
+ basic_authorization(users(:normal_user).email, "test");
+
+ # this shouldn't work as with the 0.6 api we need pay load to delete
+ delete :delete, :id => current_ways(:visible_way).id
+ assert_response :forbidden
+
+ # Now try without having a changeset
+ content "<osm><way id='#{current_ways(:visible_way).id}'></osm>"
+ delete :delete, :id => current_ways(:visible_way).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (closed) changeset
+ content update_changeset(current_ways(:visible_way).to_xml,
+ changesets(:normal_user_closed_change).id)
+ delete :delete, :id => current_ways(:visible_way).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (non-existent) changeset
+ content update_changeset(current_ways(:visible_way).to_xml,0)
+ delete :delete, :id => current_ways(:visible_way).id
+ assert_response :forbidden
+
+ # Now try with a valid changeset
+ content current_ways(:visible_way).to_xml
+ delete :delete, :id => current_ways(:visible_way).id
+ assert_response :forbidden
+
+ # check the returned value - should be the new version number
+ # valid delete should return the new version number, which should
+ # be greater than the old version number
+ #assert @response.body.to_i > current_ways(:visible_way).version,
+ # "delete request should return a new version number for way"
+
+ # this won't work since the way is already deleted
+ content current_ways(:invisible_way).to_xml
+ delete :delete, :id => current_ways(:invisible_way).id
+ assert_response :forbidden
+
+ # this shouldn't work as the way is used in a relation
+ content current_ways(:used_way).to_xml
+ delete :delete, :id => current_ways(:used_way).id
+ assert_response :forbidden,
+ "shouldn't be able to delete a way used in a relation (#{@response.body}), when done by a private user"
+
+ # this won't work since the way never existed
+ delete :delete, :id => 0
+ assert_response :forbidden
+
+
+ ### Now check with a public user