If you are using rescue_from to handle an exception then the following spec won’t work:

it "should raise an access denied error" do
  expect { get(:new) }.to raise_error(CanCan::AccessDenied)
end

Instead you need to use rspec-rails’s bypass_rescue:

it "should raise an access denied error" do
  bypass_rescue
  expect { get(:new) }.to raise_error(CanCan::AccessDenied)
end

This works in rspec-rails 1.3 but from what I understand it wasn’t originally available in rspec-rails 2. It is about to make a comeback though.