rails-authorization plugin + rspec meaningful specs?

Hello,

I'm working with the fabulous authorization_plugin and have got things
working pretty well.
I'm now going back and trying to write some meaningful specs for my
controller code.

My code has the following line:

class Controller
  [...]
  permit "developer of :app or appowner of :app"
end

My specs have the following code:

setup do
  @user = mock_model(User, :user_id => 1)
  @role = mock_model(Role, :name => 'appowner')
  @roles = [@role]
  @user.stub!(:roles).and_return(@roles)
  controller.stub!(:current_user).and_return(@user)
  @app = mock_model(App, :id => 1)
  App.should_receive(:find).with("1").and_return(@app)
end

I've put both of the following lines in my specs, and *both* of these
specs pass. According to my understanding, one should pass and one
should fail.

  controller.should_receive(:permit).with('developer of :app or appowner of :app').and_return(true)
  controller.should_receive(:permit).with('developer of :app or appowner of :app').and_return(false)

Therefore, my understanding is incomplete. Would anyone be willing to
share a snippet of their code that illustrates how to write meaningful
rspecs using the rails-authorization plugin?