add test that only owner can open tickets

src/routes/test/support-test.js

@@ -13,7 +13,7 @@ const common = require('./common.js'),
     superagent = require('superagent');
 
 describe('Support API', function () {
-    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken } = common;
+    const { setup, cleanup, serverUrl, owner, mockApiServerOrigin, appstoreToken, user, admin } = common;
 
     before(setup);
     after(cleanup);
@@ -169,7 +169,25 @@ describe('Support API', function () {
             expect(scope2.isDone()).to.be.ok();
         });
 
-        it('succeeds with app type', async function () {
+        it('normal user cannot open tickets', async function () {
+            const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+                .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+                .query({ access_token: user.token })
+                .ok(() => true);
+
+            expect(response.statusCode).to.equal(403);
+        });
+
+        it('admin also cannot open tickets', async function () {
+            const response = await superagent.post(`${serverUrl}/api/v1/support/ticket`)
+                .send({ type: 'app_missing', subject: 'some subject', description: 'some description' })
+                .query({ access_token: admin.token })
+                .ok(() => true);
+
+            expect(response.statusCode).to.equal(403);
+        });
+
+        it('owner can open tickets', async function () {
             const scope2 = nock(mockApiServerOrigin)
                 .filteringRequestBody(function (/* unusedBody */) { return ''; }) // strip out body
                 .post(`/api/v1/ticket?accessToken=${appstoreToken}`)