Should only be able to do things that make sense for the basic auth you've provided, e.g. currently I can provide credentials for testuser1 but make a post as any user, delete any posts, basically do any API call.
Testing: Add tests to verify a user can only do what they're authorized to do.
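
An added example (not the project's own code) of the check this issue asks for: the acting identity is taken from the Basic credentials and compared with the post's author before a create or delete is allowed. The `USERS` and `POSTS` stores, the handler names and the status codes are assumptions for illustration.

```python
import base64, binascii, hmac

# Constructed sample data: the real service's user store and post model are not on the page.
USERS = {"testuser1": "pw1", "testuser2": "pw2"}
POSTS = {1: {"author": "testuser1", "body": "hello"},
         2: {"author": "testuser2", "body": "world"}}

def authenticate(header):
    """Return the username proven by an HTTP Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return user if ok else None

def create_post(header, author, body):
    """Create a post; the claimed author must be the authenticated caller."""
    caller = authenticate(header)
    if caller is None:
        return 401
    if author != caller:  # identity comes from the credentials, not the request body
        return 403
    POSTS[max(POSTS, default=0) + 1] = {"author": caller, "body": body}
    return 201

def delete_post(header, post_id):
    """Delete a post; only its author may do so."""
    caller = authenticate(header)
    if caller is None:
        return 401
    post = POSTS.get(post_id)
    if post is None:
        return 404
    if post["author"] != caller:
        return 403
    del POSTS[post_id]
    return 204

def basic(user, password):
    """Build a Basic Authorization header value (helper for tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The negative cases are the ones that matter for the tests: valid credentials for one user paired with another user's name or post id should return 403 and leave the data unchanged.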