Enforce drafts when clients have `draft` scope
As well as allowing clients to manage the post-status
of a given post,
we should also follow 0 and enforce this using the draft
scope, to
force a client to only have this access.
A client with draft
shouldn't be able to update a published post, or
delete/undelete a post, but should have the ability to create a post as
a draft, as well as update a draft post.
This requires we protect at multiple layers - spring security to restrict scopes on certain actions, and in the actual service layer for validating further logic once the post is updated, but before it's saved.
This requires a slight tweak to our tests to use a real Authentication
rather than a mock that doesn't allow setting up authorities.