diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index a88735d265f1f1ef123600cf719409ae95640223..6088409d104429cb575a8590f39707dc5a009075 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -188,6 +188,7 @@ def test_basic_acl_stuff():
 
 
 def test_query():
+    db.administration.set_server_property("QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS", "TRUE")
     person = db.RecordType("TestPerson").insert()
     db.Property("TestFirstName", datatype=db.TEXT).insert()
     db.Property("TestConductor", datatype=person).insert()
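Review bot: The server property set on the first added line of test_query is never restored, so every test that runs afterwards sees QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS = TRUE regardless of how the server was actually configured. That can hide a regression in tests meant to exercise the server's own setting. test_check_entity_acl_roles in this file puts its property back from a saved `reset` value; the same pattern, wrapped in `try`/`finally` or moved to the module's teardown, would fit here. The body of test_query continues outside this hunk, so any cleanup that already exists further down is not visible from here.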
@@ -231,8 +232,6 @@ def test_query():
     deny_permission(dan, "RETRIEVE:*")
     switch_to_test_user()
 
-    # this fails if server is configured with
-    # QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS = FALSE
     with raises(db.EmptyUniqueQueryError):
         db.execute_query(
             "FIND ENTITY TestExperiment WHICH HAS A TestConductor WHICH has a TestFirstName=Daniel",
@@ -1168,3 +1167,30 @@ def test_check_entity_acl_roles():
     assert ret.get_warnings()[0].description == "User role does not exist."
 
     db.administration.set_server_property("CHECK_ENTITY_ACL_ROLES_MODE", reset)
+
+
+def test_deny_update_role():
+
+    p = db.Property(name="TestProperty", datatype=db.TEXT).insert()
+    assert p.is_valid()
+
+    grant_permission(p, "RETRIEVE:*")
+    grant_permission(p, "UPDATE:*")
+
+    '''Success'''
+    p.name = "TestPropertyNew"
+    assert_is_none(p.acl)
+    p.update()
+
+    '''Failure'''
+    switch_to_admin_user()
+    db.administration._set_permissions(
+        role=test_role, permission_rules=[
+            db.administration.PermissionRule(
+                "Deny", "TRANSACTION:UPDATE:*")])
+    switch_to_test_user()
+
+    p.retrieve()
+    p.name = "TestPropertyEvenNewer"
+    with raises(db.TransactionError) as te:
+        p.update()
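Review bot: The closing `with raises(db.TransactionError) as te:` in test_deny_update_role accepts any failed transaction and `te` is never inspected, so the test also passes if the update fails for a reason unrelated to the role's Deny rule. Pin the cause after the block, e.g. `assert te.value.has_error(db.AuthorizationError)`. The Deny rule placed on `test_role` is not removed at the end of the test either; unless the module's setup or teardown (not visible in this hunk) resets role permissions, later tests run with updates denied for that role. The bare string literals `'''Success'''` and `'''Failure'''` are expression statements rather than comments and would read better as `# Success` and `# Failure`.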