public void POST_Lock_OwnAccount() { //Arrange var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "123"), }); var principal = new ClaimsPrincipal(identity); var context = new Mock <HttpContextBase>(); context.SetupGet(x => x.User).Returns(principal); var routeData = new RouteData(); _controller.ControllerContext = new ControllerContext(context.Object, routeData, _controller); //Act var result = (HttpStatusCodeResult)_controller.Lock(123); //Assert Assert.That(result.StatusCode, Is.EqualTo((int)HttpStatusCode.Forbidden)); }