diff --git a/test/fixtures/current_relation_members.yml b/test/fixtures/current_relation_members.yml
index f05537115..f6418983a 100644
--- a/test/fixtures/current_relation_members.yml
+++ b/test/fixtures/current_relation_members.yml
@@ -27,3 +27,9 @@ t5:
member_role: "some"
member_type: "Node"
member_id: 5
+
+public_used:
+ id: 4
+ member_role: "used by other relation"
+ member_type: "Relation"
+ member_id: 5
diff --git a/test/fixtures/current_relations.yml b/test/fixtures/current_relations.yml
index 7df9c6bd7..da0343956 100644
--- a/test/fixtures/current_relations.yml
+++ b/test/fixtures/current_relations.yml
@@ -7,7 +7,7 @@ visible_relation:
invisible_relation:
id: 2
- changeset_id: 1
+ changeset_id: 3
timestamp: 2007-01-01 00:00:00
visible: false
version: 1
@@ -25,3 +25,10 @@ multi_tag_relation:
timestamp: 2009-04-21 09:50:57
visible: true
version: 1
+
+public_used_relation:
+ id: 5
+ changeset_id: 2
+ timestamp: 2009-04-22 00:30:33
+ visible: true
+ version: 1
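Review bot: The `timestamp` for `public_used_relation` is `2009-04-22 00:30:33` here, but the matching entry added to test/fixtures/relations.yml uses `2009-04-22 00:30:03`. Both entries describe version 1 of relation 5, so the two values presumably should be identical. If the difference is a typo, align them, e.g. `timestamp: 2009-04-22 00:30:33` in both files. If it is deliberate, a short YAML comment saying why would keep a later reader from "correcting" it.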
diff --git a/test/fixtures/relation_members.yml b/test/fixtures/relation_members.yml
index 5a19bf3f2..b37e5beae 100644
--- a/test/fixtures/relation_members.yml
+++ b/test/fixtures/relation_members.yml
@@ -22,3 +22,17 @@ t4:
member_type: "Node"
member_id: 5
version: 1
+
+t5:
+ id: 2
+ member_role: "some"
+ member_type: "Node"
+ member_id: 5
+ version: 1
+
+public_used:
+ id: 4
+ member_role: "used by other relation"
+ member_type: "Relation"
+ member_id: 5
+ version: 1
diff --git a/test/fixtures/relations.yml b/test/fixtures/relations.yml
index 7df9c6bd7..558352782 100644
--- a/test/fixtures/relations.yml
+++ b/test/fixtures/relations.yml
@@ -7,7 +7,7 @@ visible_relation:
invisible_relation:
id: 2
- changeset_id: 1
+ changeset_id: 3
timestamp: 2007-01-01 00:00:00
visible: false
version: 1
@@ -25,3 +25,10 @@ multi_tag_relation:
timestamp: 2009-04-21 09:50:57
visible: true
version: 1
+
+public_used_relation:
+ id: 5
+ changeset_id: 2
+ timestamp: 2009-04-22 00:30:03
+ visible: true
+ version: 1
diff --git a/test/functional/relation_controller_test.rb b/test/functional/relation_controller_test.rb
index 9ecac826c..4baf810fe 100644
--- a/test/functional/relation_controller_test.rb
+++ b/test/functional/relation_controller_test.rb
@@ -319,9 +319,59 @@ class RelationControllerTest < ActionController::TestCase
# first try to delete relation without auth
delete :delete, :id => current_relations(:visible_relation).id
assert_response :unauthorized
+
+ ## First try with the private user, to make sure that you get a forbidden
+ basic_authorization(users(:normal_user).email, "test")
+
+ # this shouldn't work, as we should need the payload...
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
- # now set auth
- basic_authorization("test@openstreetmap.org", "test");
+ # try to delete without specifying a changeset
+ content ""
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (closed) changeset
+ content update_changeset(current_relations(:visible_relation).to_xml,
+ changesets(:normal_user_closed_change).id)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # try to delete with an invalid (non-existent) changeset
+ content update_changeset(current_relations(:visible_relation).to_xml,0)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # this won't work because the relation is in-use by another relation
+ content(relations(:used_relation).to_xml)
+ delete :delete, :id => current_relations(:used_relation).id
+ assert_response :forbidden
+
+ # this should work when we provide the appropriate payload...
+ content(relations(:visible_relation).to_xml)
+ delete :delete, :id => current_relations(:visible_relation).id
+ assert_response :forbidden
+
+ # this won't work since the relation is already deleted
+ content(relations(:invisible_relation).to_xml)
+ delete :delete, :id => current_relations(:invisible_relation).id
+ assert_response :forbidden
+
+ # this works now because the relation which was using this one
+ # has been deleted.
+ content(relations(:used_relation).to_xml)
+ delete :delete, :id => current_relations(:used_relation).id
+ assert_response :forbidden
+
+ # this won't work since the relation never existed
+ delete :delete, :id => 0
+ assert_response :forbidden
+
+
+
+ # now set auth for the private user
+ basic_authorization(users(:public_user).email, "test");
# this shouldn't work, as we should need the payload...
delete :delete, :id => current_relations(:visible_relation).id
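Review bot: Every private-user request in this block is checked only with `assert_response :forbidden`, so the test would still pass if the controller returned 403 after it had already deleted or changed the relation. Because this is an authorization check, it should also confirm the data is untouched, for example `assert Relation.find(current_relations(:visible_relation).id).visible` after the forbidden deletes (assuming `Relation` is the model behind the `current_relations` fixtures). The same gap applies to the forbidden `put :create` calls added in test_relation_member_duplicates and check_changeset_modify, where comparing record counts such as `Relation.count` before and after the request would do. Separately, the comment `# now set auth for the private user` sits directly above `basic_authorization(users(:public_user).email, "test")` and should read `# now set auth for the public user`. The copied comments "this should work when we provide the appropriate payload..." and "this works now because..." in the private-user block also contradict their `:forbidden` assertions.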
@@ -344,15 +394,27 @@ class RelationControllerTest < ActionController::TestCase
delete :delete, :id => current_relations(:visible_relation).id
assert_response :conflict
- # this won't work because the relation is in-use by another relation
+ # this won't work because the relation is in a changeset owned by someone else
content(relations(:used_relation).to_xml)
delete :delete, :id => current_relations(:used_relation).id
+ assert_response :conflict,
+ "shouldn't be able to delete a relation in a changeset owned by someone else (#{@response.body})"
+
+ # this won't work because the relation in the payload is different to that passed
+ content(relations(:public_used_relation).to_xml)
+ delete :delete, :id => current_relations(:used_relation).id
+ assert_not_equal relations(:public_used_relation).id, current_relations(:used_relation).id
+ assert_response :bad_request, "shouldn't be able to delete a relation when payload is different to the url"
+
+ # this won't work because the relation is in-use by another relation
+ content(relations(:public_used_relation).to_xml)
+ delete :delete, :id => current_relations(:public_used_relation).id
assert_response :precondition_failed,
"shouldn't be able to delete a relation used in a relation (#{@response.body})"
# this should work when we provide the appropriate payload...
- content(relations(:visible_relation).to_xml)
- delete :delete, :id => current_relations(:visible_relation).id
+ content(relations(:multi_tag_relation).to_xml)
+ delete :delete, :id => current_relations(:multi_tag_relation).id
assert_response :success
# valid delete should return the new version number, which should
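Review bot: In the payload-mismatch case, `assert_not_equal relations(:public_used_relation).id, current_relations(:used_relation).id` runs after the `delete` request, although it checks a precondition on the fixtures rather than anything about the response. Moving it above the `content(...)` line would make a fixture mistake fail before the request is sent. The `:bad_request` message also omits `(#{@response.body})`, which the neighbouring `:conflict` and `:precondition_failed` assertions include, so a failure here gives less to diagnose with. The enclosing test method starts and ends outside this hunk.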
@@ -367,8 +429,8 @@ class RelationControllerTest < ActionController::TestCase
# this works now because the relation which was using this one
# has been deleted.
- content(relations(:used_relation).to_xml)
- delete :delete, :id => current_relations(:used_relation).id
+ content(relations(:public_used_relation).to_xml)
+ delete :delete, :id => current_relations(:public_used_relation).id
assert_response :success,
"should be able to delete a relation used in an old relation (#{@response.body})"
@@ -450,11 +512,11 @@ class RelationControllerTest < ActionController::TestCase
##
# check that relations are ordered
def test_relation_member_ordering
- basic_authorization("test@openstreetmap.org", "test");
-
+ basic_authorization(users(:public_user).email, "test")
+
doc_str = <
-
+
@@ -499,11 +561,32 @@ OSM
##
# check that relations can contain duplicate members
def test_relation_member_duplicates
- basic_authorization("test@openstreetmap.org", "test");
+ ## First try with the private user
+ basic_authorization(users(:normal_user).email, "test");
doc_str = <
-
+
+
+
+
+
+
+
+OSM
+ doc = XML::Parser.string(doc_str).parse
+
+ content doc
+ put :create
+ assert_response :forbidden
+
+
+ ## Now try with the public user
+ basic_authorization(users(:public_user).email, "test");
+
+ doc_str = <
+
@@ -551,8 +634,21 @@ OSM
# create a changeset and yield to the caller to set it up, then assert
# that the changeset bounding box is +bbox+.
def check_changeset_modify(bbox)
- basic_authorization("test@openstreetmap.org", "test");
+ ## First test with the private user to check that you get a forbidden
+ basic_authorization(users(:normal_user).email, "test");
+ # create a new changeset for this operation, so we are assured
+ # that the bounding box will be newly-generated.
+ changeset_id = with_controller(ChangesetController.new) do
+ content ""
+ put :create
+ assert_response :forbidden, "shouldn't be able to create changeset for modify test, as should get forbidden"
+ end
+
+
+ ## Now do the whole thing with the public user
+ basic_authorization(users(:public_user).email, "test")
+
# create a new changeset for this operation, so we are assured
# that the bounding box will be newly-generated.
changeset_id = with_controller(ChangesetController.new) do
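Review bot: The private-user block assigns `changeset_id = with_controller(ChangesetController.new) do ... end`, but that block ends in `assert_response :forbidden`, so the value is at best the assertion's return value. It is then overwritten by the public-user assignment that follows. Dropping the assignment (`with_controller(ChangesetController.new) do`) and replacing the copied "create a new changeset for this operation" comment with something like `# a private user must not be able to create a changeset` would make the intent of the first block clear. check_changeset_modify continues past the end of this hunk.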
diff --git a/test/unit/relation_member_test.rb b/test/unit/relation_member_test.rb
index f0590ef71..93fa55180 100644
--- a/test/unit/relation_member_test.rb
+++ b/test/unit/relation_member_test.rb
@@ -4,7 +4,7 @@ class RelationMemberTest < Test::Unit::TestCase
api_fixtures
def test_relation_member_count
- assert_equal 5, RelationMember.count
+ assert_equal 6, RelationMember.count
end
end
diff --git a/test/unit/relation_test.rb b/test/unit/relation_test.rb
index b72a9835a..5d46a6e59 100644
--- a/test/unit/relation_test.rb
+++ b/test/unit/relation_test.rb
@@ -4,7 +4,7 @@ class RelationTest < Test::Unit::TestCase
api_fixtures
def test_relation_count
- assert_equal 4, Relation.count
+ assert_equal 5, Relation.count
end
end