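/// <summary>
/// <see cref="PreventCrossUserManipulationAttribute"/> must answer HTTP 403 Forbidden when the
/// action argument refers to a user (Id 1) other than the one the current principal resolves
/// to (Id 2). The user lookup is pinned to the principal's name so the test also proves the
/// attribute identifies the caller from the request principal and not from anywhere else.
/// </summary>
public void ShouldThrowForbiddenWhenUserNotAllowed()
{
    // Arrange: the caller is authenticated as "foo" (authentication type "bar") in role "user".
    const string callerName = "foo";
    _controller.ControllerContext.RequestContext.Principal =
        new GenericPrincipal(new GenericIdentity(callerName, "bar"), new[] { "user" });

    // Pin the lookup to the principal's name instead of It.IsAny<string>(): with a wildcard the
    // test would still pass if the attribute resolved the user from some other input (e.g. a
    // request value the client controls), which is the confusion this attribute exists to stop.
    _userResource.Setup(a => a.GetByUserName(callerName)).Returns(new User { Id = 2 });

    // The action argument targets user 1, i.e. somebody other than the caller.
    _httpActionContext.ActionArguments.Add("dummy", new DummyObject { User = new User { Id = 1 } });
    var attribute = new PreventCrossUserManipulationAttribute { UsersResource = _userResource.Object };

    // Act
    var result = Assert.Throws<HttpResponseException>(() => attribute.OnActionExecuting(_httpActionContext));

    // Assert: 403 rather than 401 — the caller is authenticated, just not authorised for this user.
    Assert.AreEqual(HttpStatusCode.Forbidden, result.Response.StatusCode);
    // AtLeastOnce rather than Once: the attribute may legitimately consult the resource more than
    // once; what matters here is that it looked up the calling principal's name.
    _userResource.Verify(a => a.GetByUserName(callerName), Times.AtLeastOnce());
}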