rails-authorization plugin + rspec meaningful specs?


I'm working with the fabulous authorization_plugin and have got things
working pretty well.
I'm now going back and trying to write some meaningful specs for my
controller code.

My code has the following line:

class Controller
  permit "developer of :app or appowner of :app"
end

My specs have the following code:

setup do
  @user = mock_model(User, :user_id => 1)
  @role = mock_model(Role, :name => 'appowner')
  @roles = [@role]
  @app = mock_model(App, :id => 1)
end

I've put both of the following lines in my specs, and *both* of these
specs pass. According to my understanding, one should pass and one
should fail.

  controller.should_receive(:permit).with('developer of :app or appowner of :app').and_return(true)
  controller.should_receive(:permit).with('developer of :app or appowner of :app').and_return(false)

Therefore, my understanding is incomplete. Would anyone be willing to
share a snippet of their code that illustrates how to write meaningful
rspecs using the rails-authorization plugin?
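
The following is an added example, not part of the original post and not the plugin's own code. It is plain Ruby without RSpec: a constructed stand-in for a class-level permit declaration (ToyController, ToyUser and outcome_for are hypothetical names), checked by varying the roles the user holds on the app, so that the permitted and denied cases produce different outcomes.

```ruby
# Constructed stand-in for a class-level permit macro; NOT the plugin's code.
class ToyController
  def self.permit(expr)
    @permit_expr = expr
  end

  def self.permit_expr
    @permit_expr
  end

  def initialize(current_user, models)
    @current_user = current_user
    @models = models # e.g. { app: app }
  end

  # Evaluates the declared expression first, the way a before filter would.
  def process(action)
    return :forbidden unless authorized?
    public_send(action)
  end

  private

  # Toy evaluator: handles only "<role> of :<model>" clauses joined by " or ".
  def authorized?
    self.class.permit_expr.split(' or ').any? do |clause|
      role, model_key = clause.match(/\A(\w+) of :(\w+)\z/).captures
      @current_user.has_role?(role, @models.fetch(model_key.to_sym))
    end
  end
end

class AppsController < ToyController
  permit 'developer of :app or appowner of :app'

  def show
    :ok
  end
end

# Constructed fixture: roles are keyed by the object they apply to.
ToyUser = Struct.new(:roles) do
  def has_role?(name, object)
    roles.fetch(object, []).include?(name)
  end
end

# Outcome of the show action for a user holding the given roles on the app.
def outcome_for(roles_on_app)
  app = Object.new
  AppsController.new(ToyUser.new({ app => roles_on_app }), { app: app }).process(:show)
end
```

Each assertion feeds in role data and checks the resulting outcome, so a spec for the denied case cannot pass when access is actually granted.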