diff --git a/tests/test_issues_server.py b/tests/test_issues_server.py
index fbac653681fbf789a52c1d5fe9e738459596b99b..af88e7440e4f7704d4569d167170d71bb354db9d 100644
--- a/tests/test_issues_server.py
+++ b/tests/test_issues_server.py
@@ -857,8 +857,10 @@ def test_145():
     https://gitlab.com/caosdb/caosdb-server/-/issues/145
     """
     db.Property("TestProp", datatype=db.TEXT).insert()
-    db.Property("TestPropInt", datatype=db.INTEGER).add_parent("TestProp").insert()
-    db.Property("TestPropDouble", datatype=db.DOUBLE).add_parent("TestProp").insert()
+    db.Property("TestPropInt", datatype=db.INTEGER).add_parent(
+        "TestProp").insert()
+    db.Property("TestPropDouble", datatype=db.DOUBLE).add_parent(
+        "TestProp").insert()
 
     db.RecordType("TestRT").insert()
     rec1 = db.Record("TestRec1").add_parent("TestRT").add_property(
@@ -870,17 +872,25 @@ def test_145():
     assert rec2.get_property("TestPropDouble").value == 20_000_000_000
     assert isinstance(rec2.get_property("TestPropDouble").value, float)
 
-    assert db.execute_query("FIND TestRT WITH TestProp = 1000000000", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT WITH TestProp = 1000000000.0", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp = 1000000000", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp = 1000000000.0", unique=True).id == rec1.id
 
-    assert db.execute_query("FIND TestRT WITH TestProp > 1000000000", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT WITH TestProp > 1000000000.0", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp > 1000000000", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp > 1000000000.0", unique=True).id == rec2.id
 
-    assert db.execute_query("FIND TestRT WITH TestProp = 20000000000", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT WITH TestProp = 20000000000.0", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp = 20000000000", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp = 20000000000.0", unique=True).id == rec2.id
 
-    assert db.execute_query("FIND TestRT WITH TestProp < 20000000000", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT WITH TestProp < 20000000000.0", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp < 20000000000", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestProp < 20000000000.0", unique=True).id == rec1.id
 
     assert db.execute_query(
         "FIND TestRT WITH TestPropInt < 10000000000000000000000000000000000000000000000000000000000",
@@ -894,7 +904,8 @@ def test_147():
     https://gitlab.com/caosdb/caosdb-server/-/issues/147
     """
     db.Property("TestProp", datatype=db.TEXT).insert()
-    db.Property("TestPropInt", datatype=db.INTEGER).add_parent("TestProp").insert()
+    db.Property("TestPropInt", datatype=db.INTEGER).add_parent(
+        "TestProp").insert()
 
     db.RecordType("TestRT1").insert()
     db.RecordType("TestRT2").insert()
@@ -906,27 +917,45 @@ def test_147():
         "TestPropInt", -2).insert()
 
     # Find the records
-    assert db.execute_query("FIND TestRT1 WITH TestProp < 1.9", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp < 1.1", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp = 1.0", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp > 0.9", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp > 0.1", unique=True).id == rec1.id
-
-    assert db.execute_query("FIND TestRT1 WITH TestProp <= 1.9", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp <= 1.1", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp >= 0.9", unique=True).id == rec1.id
-    assert db.execute_query("FIND TestRT1 WITH TestProp >= 0.1", unique=True).id == rec1.id
-
-    assert db.execute_query("FIND TestRT2 WITH TestProp < -1.1", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp < -1.9", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp = -2.0", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp > -2.1", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp > 2.9", unique=True).id == rec2.id
-
-    assert db.execute_query("FIND TestRT2 WITH TestProp <= -1.1", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp <= -1.9", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp >= -2.1", unique=True).id == rec2.id
-    assert db.execute_query("FIND TestRT2 WITH TestProp >= 2.9", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp < 1.9", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp < 1.1", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp = 1.0", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp > 0.9", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp > 0.1", unique=True).id == rec1.id
+
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp <= 1.9", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp <= 1.1", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp >= 0.9", unique=True).id == rec1.id
+    assert db.execute_query(
+        "FIND TestRT1 WITH TestProp >= 0.1", unique=True).id == rec1.id
+
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp < -1.1", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp < -1.9", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp = -2.0", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp > -2.1", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp > 2.9", unique=True).id == rec2.id
+
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp <= -1.1", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp <= -1.9", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp >= -2.1", unique=True).id == rec2.id
+    assert db.execute_query(
+        "FIND TestRT2 WITH TestProp >= 2.9", unique=True).id == rec2.id
 
     # Don't find the records
     assert len(db.execute_query("FIND TestRT1 WITH TestProp < 0.9")) == 0
@@ -940,9 +969,70 @@ def test_147():
     assert len(db.execute_query("FIND TestRT2 WITH TestProp <= -2.1")) == 0
 
     # Smaller numbers, but querying across number types.
-    rec3 = db.Record("TestRec3").add_parent("TestRT").add_property("TestPropInt", 1).insert()
-    assert db.execute_query("FIND TestRT WITH TestPropInt < 2", unique=True).id == rec3.id
-    assert db.execute_query("FIND TestRT WITH TestPropInt < 2.5", unique=True).id == rec3.id
+    rec3 = db.Record("TestRec3").add_parent(
+        "TestRT").add_property("TestPropInt", 1).insert()
+    assert db.execute_query(
+        "FIND TestRT WITH TestPropInt < 2", unique=True).id == rec3.id
+    assert db.execute_query(
+        "FIND TestRT WITH TestPropInt < 2.5", unique=True).id == rec3.id
+
+
+def test_140():
+    """https://gitlab.com/caosdb/caosdb-server/-/issues/140"""
+    admin._insert_role(name=CURATOR_ROLE, description="Desc")
+
+    perms = admin._get_permissions(CURATOR_ROLE)
+    g = admin.PermissionRule(action="Grant", permission="TRANSACTION:*")
+    perms.add(g)
+    admin._set_permissions(CURATOR_ROLE, permission_rules=perms)
+    admin._insert_user(name="TestUser", password="Password1!", status="ACTIVE")
+    admin._set_roles(username="TestUser", roles=[CURATOR_ROLE])
+
+    core_model_deny_permissions = [
+        "DELETE",
+        "UPDATE:*",
+        "EDIT:ACL"
+    ]
+    core_model_grant_permissions = [
+        "RETRIEVE:*",
+        "USE:*",
+        "UPDATE:PROPERTY:ADD"
+    ]
+
+    prop = db.Property(name="TestProp", datatype=db.TEXT).insert()
+    rt = db.RecordType(name="TestRT").insert(flags={"ACL": None})
+
+    for d in core_model_deny_permissions:
+        # First deny s.th. later the "UPDATE:PROPERTY:ADD" permission can be granted explicitely
+        rt.deny(role=CURATOR_ROLE, permission=d)
+    rt.update_acl()
+
+    # retrieve again to be sure
+    rt.retrieve(flags={"ACL": None})
+    for g in core_model_grant_permissions:
+        rt.grant(role=CURATOR_ROLE, permission=g)
+    rt.update_acl()
+
+    print(rt.acl)
+
+    db.configure_connection(username="TestUser", password_method="plain",
+                            password="Password1!")
+    assert db.Info().user_info.name == "TestUser"
+    assert db.Info().user_info.roles == [CURATOR_ROLE]
+
+    rt.add_property(prop)
+    rt.get_property("TestProp").value = "some value"
+
+    # this should succeed because the curator has UPDATE:PROPERTY:ADD
+    rt.update()
+
+    assert rt.get_property("TestProp").value == "some value"
+    rt.get_property("TestProp").value = "some other value"
+    with pytest.raises(TransactionError) as cm:
+        # this should fail because the curator doesn't have
+        # UPDATE:PROPERTY:REMOVE
+        rt.update()
+    assert cm.value.errors[0].msg == "You are not allowed to do this."
 
 
 def test_142():