diff --git a/src/tests/api/test_order_change.py b/src/tests/api/test_order_change.py
index a956950f3..ec9394f68 100644
--- a/src/tests/api/test_order_change.py
+++ b/src/tests/api/test_order_change.py
@@ -1468,6 +1468,31 @@ def test_position_update_change_price_and_tax_rule(token_client, organizer, even
     assert op.tax_rule == tr
 
 
+@pytest.mark.django_db
+def test_position_update_secret(token_client, organizer, event, order, item):
+    with scopes_disabled():
+        order.positions.create(item=item, price=Decimal('23.00'), secret='alreadyused')
+        p = order.positions.first()
+        psw = p.web_secret
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/orderpositions/{}/'.format(
+            organizer.slug, event.slug, p.pk,
+        ), format='json', data={'secret': 'nobodyknows'}
+    )
+    assert resp.status_code == 200
+    p.refresh_from_db()
+    with scopes_disabled():
+        assert 'nobodyknows' == p.secret
+        assert psw == p.web_secret
+
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/orderpositions/{}/'.format(
+            organizer.slug, event.slug, p.pk,
+        ), format='json', data={'secret': 'alreadyused'}
+    )
+    assert resp.status_code == 400
+
+
 @pytest.mark.django_db
 def test_position_add_simple(token_client, organizer, event, order, quota, item):
     with scopes_disabled():