diff --git a/spec/controllers/api/v1/products_controller_spec.rb b/spec/controllers/api/v1/products_controller_spec.rb
new file mode 100644
index 000000000..a81726b90
--- /dev/null
+++ b/spec/controllers/api/v1/products_controller_spec.rb
@@ -0,0 +1,91 @@
+# -*- encoding : utf-8 -*-
+require 'spec_helper'
+
+shared_examples_for 'api user without reader rights' do
+ it 'should not be able to perform show action', :anonymous_access => false do
+ get :show, :id => @product.id, :format => :json
+ response.status.should == 401
+ end
+
+ it 'should not be able to perform show action for the hidden platform' do
+ @product.platform.update_column :visibility, 'hidden'
+ get :show, :id => @product.id, :format => :json
+ response.status.should == 403
+ end
+
+ it 'should not be able to perform create action' do
+ post :create, :format => :json
+ response.status.should == 401
+ end
+
+ [:update, :destroy].each do |action|
+ it "should not be able to perform #{action} action" do
+ put action, :id => @product.id, :format => :json
+ response.status.should == 401
+ end
+ end
+end
+
+shared_examples_for 'api user with admin rights' do
+ before(:each) do
+ @product.platform.relations.create!(:actor_type => 'User', :actor_id => @another_user.id, :role => 'admin')
+ http_login(@another_user)
+ params = {:platform_id => @product.platform.id, :project_id => @product.project.id}
+ @create_params = {:product =>{:name => 'pro', :time_living => 150}.merge(params)}
+ @update_params = {:product =>{:name => 'pro2', :time_living => 250}}
+ end
+ it 'should be able to perform show action' do
+ get :show, :id => @product.id, :format => :json
+ response.should be_success
+ end
+
+ it 'should be able to perform show action for the hidden platform' do
+ @product.platform.update_column :visibility, 'hidden'
+ get :show, :id => @product.id, :format => :json
+ response.should be_success
+ end
+
+ it 'should be able to perform create action' do
+ post :create, @create_params, :format => :json
+ response.should be_success
+ end
+
+ it 'ensures that product has been created' do
+ lambda { post :create, @create_params, :format => :json }.should change{ Product.count }.by(1)
+ end
+
+ [:update, :destroy].each do |action|
+ it "should be able to perform #{action} action" do
+ put action, :id => @product.id, :format => :json
+ response.should be_success
+ end
+ end
+
+ it "ensures that product has been destroyed" do
+ lambda { put :destroy, :id => @product.id, :format => :json }.should change{ Product.count }.by(-1)
+ end
+
+ it "ensures that product has been updated" do
+ put :update, @update_params.merge(:id => @product.id), :format => :json
+ @product.reload.name.should == 'pro2'
+ @product.reload.time_living.should == 250*60 # in seconds
+ end
+end
+
+describe Api::V1::ProductsController do
+ before(:each) do
+ stub_symlink_methods
+ stub_redis
+
+ @product = FactoryGirl.create(:product)
+ @another_user = FactoryGirl.create(:user)
+ end
+
+ context 'for guest' do
+ it_should_behave_like 'api user without reader rights'
+ end
+
+ context 'for platform admin' do
+ it_should_behave_like 'api user with admin rights'
+ end
+end
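Review bot: In the admin examples, `post :create, @create_params, :format => :json` and `put :update, @update_params.merge(:id => @product.id), :format => :json` pass `:format => :json` as a third positional argument. The older `post(action, params, session)` controller-test helpers (assumed here from the spec syntax) treat that argument as the session hash, so these requests would not run as JSON. Merge it into the params instead, e.g. `post :create, @create_params.merge(:format => :json)`, and do the same in the `Product.count` example. Separately, access control is exercised only for a guest and a platform admin: no context covers a logged-in user who has no relation to the platform (or only a lower role), which is where a 403 on create/update/destroy matters most. The guest update/destroy examples also assert only the status code; adding `lambda { put :destroy, :id => @product.id, :format => :json }.should_not change{ Product.count }` would confirm that a rejected request has no effect.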