diff --git a/editoast/src/views/projects.rs b/editoast/src/views/projects.rs
index 5d658b79c47..85aea6e1893 100644
--- a/editoast/src/views/projects.rs
+++ b/editoast/src/views/projects.rs
@@ -365,6 +365,8 @@ pub mod tests {
     use serde_json::json;
 
     use super::*;
+    use crate::core::mocking::MockingClient;
+    use crate::core::CoreClient;
     use crate::models::fixtures::create_project;
     use crate::models::prelude::*;
     use crate::views::test_app::TestAppBuilder;
@@ -394,6 +396,27 @@ pub mod tests {
         assert_eq!(project.name, project_name);
     }
 
+    #[rstest]
+    async fn project_post_should_fail_when_authorization_is_enabled() {
+        let pool = DbConnectionPoolV2::for_tests_no_transaction();
+        let app = TestAppBuilder::new()
+            .db_pool(pool)
+            .core_client(CoreClient::Mocked(MockingClient::default()))
+            .disable_authorization(false)
+            .build();
+
+        let project_name = "test_project_failed";
+
+        let request = app.post("/projects").json(&json!({
+            "name": project_name,
+            "description": "",
+            "objectives": "",
+            "funders": "",
+        }));
+
+        app.fetch(request).assert_status(StatusCode::FORBIDDEN);
+    }
+
     #[rstest]
     async fn project_list() {
         let app = TestAppBuilder::default_app();
diff --git a/editoast/src/views/test_app.rs b/editoast/src/views/test_app.rs
index 9ab47d93081..d9e726f9a19 100644
--- a/editoast/src/views/test_app.rs
+++ b/editoast/src/views/test_app.rs
@@ -39,6 +39,7 @@ pub(crate) struct TestAppBuilder {
     db_pool: Option<DbConnectionPoolV2>,
     core_client: Option<CoreClient>,
     osrdyne_client: Option<OsrdyneClient>,
+    disable_authorization: bool,
 }
 
 impl TestAppBuilder {
@@ -47,6 +48,7 @@ impl TestAppBuilder {
             db_pool: None,
             core_client: None,
             osrdyne_client: None,
+            disable_authorization: true,
         }
     }
 
@@ -68,6 +70,11 @@ impl TestAppBuilder {
         self
     }
 
+    pub fn disable_authorization(mut self, disable_authorization: bool) -> Self {
+        self.disable_authorization = disable_authorization;
+        self
+    }
+
     pub fn default_app() -> TestApp {
         let pool = DbConnectionPoolV2::for_tests();
         let core_client = CoreClient::Mocked(MockingClient::default());
@@ -83,7 +90,7 @@ impl TestAppBuilder {
             port: 0,
             address: String::default(),
             health_check_timeout: chrono::Duration::milliseconds(500),
-            disable_authorization: true,
+            disable_authorization: self.disable_authorization,
             map_layers_max_zoom: 18,
             postgres_config: PostgresConfig {
                 database_url: Url::parse("postgres://osrd:password@localhost:5432/osrd").unwrap(),
@@ -152,7 +159,7 @@ impl TestAppBuilder {
             infra_caches,
             map_layers: Arc::new(MapLayers::default()),
             speed_limit_tag_ids,
-            disable_authorization: true,
+            disable_authorization: self.disable_authorization,
             health_check_timeout: config.health_check_timeout,
             config: Arc::new(config),
         };