diff --git a/tests/test_state.py b/tests/test_state.py
index a7b888ea775e81f82476aa9db1a2d50c4b10c8f9..8741d33c2d053a9f6a8142529c07fde49f05ca08 100644
--- a/tests/test_state.py
+++ b/tests/test_state.py
@@ -55,7 +55,7 @@ def setup_users():
 db.administration.PermissionRule(
 "Grant", "TRANSACTION:*"),
 db.administration.PermissionRule(
- "Grant", "STATE:TRANSITION:*"),
+ "Grant", "STATE:*"),
 ])
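Review bot: The grant widened here from `STATE:TRANSITION:*` to `STATE:*` carries no comment saying why the wildcard is needed, and the role that receives it is not visible (setup_users starts and ends outside this hunk). Presumably it is the role that the new test_unauthorized_* tests expect to set and clear states; if so, say that in place, e.g. `# STATE:* (not only STATE:TRANSITION:*): this role must also set and remove states, see test_unauthorized_*`. If the server offers narrower STATE permissions for those two actions, granting only those would keep the fixture from passing for reasons the tests do not intend.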
@@ -701,3 +701,63 @@ def test_automatic_record_state():
 rec_retrieve = db.Record(id=rec.id).retrieve()
 assert rec_retrieve.state == db.State(model="Model1", name="State1")
+
+
+def test_unauthorized_final():
+ rec = db.Record().add_parent("TestRT")
+ rec.state = db.State(model="Model1", name="State1")
+ rec.insert()
+
+ switch_to_test_user("normal")
+ rec.state = None
+ with pytest.raises(db.TransactionError) as exc:
+ rec.update(sync = False)
+ assert "You are not allowed to do this." in str(exc.value)
+
+ rec_retrieve = db.Record(id=rec.id).retrieve()
+ assert rec_retrieve.state == db.State(model="Model1", name="State1")
+
+ switch_to_test_user("team-leader")
+ rec.update()
+
+ assert rec.state is None
+
+ rec_retrieve = db.Record(id=rec.id).retrieve()
+ assert rec_retrieve.state is None
+
+
+def test_unauthorized_initial():
+ rec = db.Record().add_parent("TestRT")
+ rec.insert()
+
+ switch_to_test_user("normal")
+ rec.state = db.State(model="Model1", name="State1")
+ with pytest.raises(db.TransactionError) as exc:
+ # normal user lacks the permission for the initial state
+ rec.update(sync = False)
+ assert "You are not allowed to do this." in str(exc.value)
+ rec_retrieve = db.Record(id=rec.id).retrieve()
+ assert rec_retrieve.state is None
+
+ switch_to_test_user("team-leader")
+ with pytest.raises(db.TransactionError) as exc:
+ # it is not allowed to "steal" the entity with the state feature
+ rec.update(sync = False)
+ assert "You are not allowed to do this." in str(exc.value)
+ rec_retrieve = db.Record(id=rec.id).retrieve(flags={"ACL": None})
+ assert rec_retrieve.state is None
+
+ # we need to give ownership to "team-leader"
+ switch_to_admin_user()
+ rec_update = rec_retrieve
+ print(rec_update.acl)
+ rec_update.acl.grant(role="team-leader", permission="EDIT:ACL")
+ print(rec_update.acl)
+ rec_update.update_acl()
+
+ switch_to_test_user("team-leader")
+ rec.update(sync = False)
+ assert rec.state == db.State(model="Model1", name="State1")
+
+ rec_retrieve = db.Record(id=rec.id).retrieve()
+ assert rec_retrieve.state == db.State(model="Model1", name="State1")
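Review bot: Each denial check depends on the `assert "You are not allowed to do this." in str(exc.value)` that follows `rec.update(sync = False)`, and indentation is not recoverable in this view. If that assert sits inside the `with pytest.raises(...)` body it never runs, and the test then passes on any `db.TransactionError` rather than specifically on a permission denial. Folding the message into the context manager removes the ambiguity: `with pytest.raises(db.TransactionError, match="You are not allowed to do this"):`. This applies to all three denial blocks in test_unauthorized_final and test_unauthorized_initial. The two `print(rec_update.acl)` calls look like leftover debugging and can be dropped, and `sync = False` is conventionally written `sync=False`.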