fix(controller): update tests to check for 403

The unit tests were referencing the same variable over and over again
(known as `url`). After concatenating to it, the following tests were
running requests against odd URLs like /v1/apps/foo/config/builds, which
would obviously return a 404. I've updated the unit tests to properly
check for a 403 response.

Author: Matthew Fisher

controller/api/tests/test_release.py

@@ -254,19 +254,25 @@ def test_unauthorized_user_cannot_modify_release(self):
         requests should return a 404.
         """
         app_id = 'autotest'
-        url = '/v1/apps'
+        base_url = '/v1/apps'
         body = {'id': app_id}
-        response = self.client.post(url, json.dumps(body), content_type='application/json',
+        response = self.client.post(base_url, json.dumps(body), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.token))
+        # push a new build
+        url = '{base_url}/{app_id}/builds'.format(**locals())
+        body = {'image': 'test'}
+        response = self.client.post(
+            url, json.dumps(body), content_type='application/json',
+            HTTP_AUTHORIZATION='token {}'.format(self.token))
         # update config to roll a new release
-        url = '/v1/apps/{app_id}/config'.format(**locals())
+        url = '{base_url}/{app_id}/config'.format(**locals())
         body = {'values': json.dumps({'NEW_URL1': 'http://localhost:8080/'})}
         response = self.client.post(
             url, json.dumps(body), content_type='application/json',
             HTTP_AUTHORIZATION='token {}'.format(self.token))
         unauthorized_user = User.objects.get(username='autotest2')
         unauthorized_token = Token.objects.get(user=unauthorized_user).key
         # try to rollback
-        url = '{}/{}/releases/rollback'.format(url, app_id)
+        url = '{base_url}/{app_id}/releases/rollback/'.format(**locals())
         response = self.client.post(url, HTTP_AUTHORIZATION='token {}'.format(unauthorized_token))
-        self.assertEqual(response.status_code, 404)
+        self.assertEqual(response.status_code, 403)