pinakes-server: add more route tests

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Ief16a2b3181bfa50193fb69a5ad4a9166a6a6964

crates/pinakes-server/tests/webhooks.rs

@@ -2,9 +2,12 @@ mod common;
 
 use axum::http::StatusCode;
 use common::{
+  delete_authed,
   get,
   get_authed,
+  patch_json_authed,
   post_json_authed,
+  put_json_authed,
   response_body,
   setup_app,
   setup_app_with_auth,
@@ -88,3 +91,46 @@ async fn test_webhook_requires_auth() {
     .unwrap();
   assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 }
+
+// RBAC enforcement for editor-level HTTP methods
+
+#[tokio::test]
+async fn delete_playlist_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(delete_authed(
+      "/api/v1/playlists/00000000-0000-0000-0000-000000000000",
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_playlist_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(patch_json_authed(
+      "/api/v1/playlists/00000000-0000-0000-0000-000000000000",
+      r#"{"name":"updated"}"#,
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_sync_device_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(put_json_authed(
+      "/api/v1/sync/devices/00000000-0000-0000-0000-000000000000",
+      r#"{"name":"device"}"#,
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}