From 830a9a81d1d6db436cf810b471b03fb607dd4a85 Mon Sep 17 00:00:00 2001
From: remillet <remillet@yahoo.com>
Date: Sun, 14 Jan 2018 17:51:50 -0800
Subject: [PATCH] DRYD-221: Fixed bug in account update code.  Added new
 XMLReplay tests for accounts and roles.

---
 .../test-data/xmlreplay/security.xml          | 57 +++++++++++++++----
 .../xmlreplay/security/6-account-elmo.xml     | 28 ++++-----
 .../BasicRoles/createSimpleAccount-1.xml      | 13 +++++
 .../BasicRoles/createSimpleAccount-2.xml      | 20 +++++++
 .../BasicRoles/createSimpleRole-1.xml         |  5 ++
 .../BasicRoles/createSimpleRole-2.xml         | 11 ++++
 .../slipOutAccount-1.xml}                     |  6 +-
 .../{ => SlipOut}/slipOutPerm-update.xml      |  0
 .../security/{ => SlipOut}/slipOutPerm.xml    |  0
 .../security/{ => SlipOut}/slipOutRole.xml    |  0
 .../security/{ => SlipOut}/slipOutVocab-1.xml |  0
 .../security/{ => SlipOut}/slipOutVocab-2.xml |  0
 .../test-data/xmlreplay/xml-replay-master.xml | 10 +++-
 .../client/test/AccountRoleServiceTest.java   | 10 ++--
 .../services/account/AccountResource.java     |  9 ++-
 .../storage/AccountDocumentHandler.java       | 17 +++---
 .../account/storage/AccountStorageClient.java |  7 ++-
 .../test/PermissionRoleServiceTest.java       | 51 ++---------------
 .../client/test/RoleServiceTest.java          |  8 ++-
 .../client/test/AbstractServiceTestImpl.java  |  7 ++-
 .../services/common/SecurityResourceBase.java | 12 +++-
 .../document/AbstractDocumentHandlerImpl.java |  8 +++
 .../common/document/DocumentHandler.java      |  3 +
 .../common/storage/jpa/JpaStorageUtils.java   |  3 +-
 24 files changed, 184 insertions(+), 101 deletions(-)
 create mode 100644 services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-1.xml
 create mode 100644 services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-2.xml
 create mode 100644 services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-1.xml
 create mode 100644 services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-2.xml
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{create-account-grover.xml => SlipOut/slipOutAccount-1.xml} (82%)
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{ => SlipOut}/slipOutPerm-update.xml (100%)
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{ => SlipOut}/slipOutPerm.xml (100%)
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{ => SlipOut}/slipOutRole.xml (100%)
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{ => SlipOut}/slipOutVocab-1.xml (100%)
 rename services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/{ => SlipOut}/slipOutVocab-2.xml (100%)

diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
index 5074eeaa4..66014a9dd 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security.xml
@@ -2,45 +2,78 @@
 <xmlReplay>
     <auths>
         <!-- IMPORTANT: THESE ARE STICKY :: THEY STICK AROUND UNTIL RESET, IN EXEC ORDER OF THIS FILE. -->
+        <!-- Auth = Base64Encode("username:password") See https://www.base64encode.org/
+                For example:
+                    Username = "grover"
+                    Password = "grover2018"
+                    Token String = "grover:grover2018"
+                    Auth ID = "Z3JvdmVyOmdyb3ZlcjIwMTg="
+        -->
         <auth ID="admin@core.collectionspace.org">YWRtaW5AY29yZS5jb2xsZWN0aW9uc3BhY2Uub3JnOkFkbWluaXN0cmF0b3I=</auth>
         <auth ID="user1@museum1">dXNlcjFAbXVzZXVtMS5vcmc6dXNlcjFAbXVzZXVtMS5vcmc=</auth>
         <auth ID="bigbird2010">YmlnYmlyZDIwMTA6YmlnYmlyZDIwMTA=</auth>
         <auth ID="elmo2010">ZWxtbzIwMTA6ZWxtbzIwMTA=</auth>
-        <auth ID="grover2018">Z3JvdmVyMjAxODpncm92ZXIyMDE4</auth>
+        <auth ID="grover">Z3JvdmVyOmdyb3ZlcjIwMTg=</auth>
         
     </auths>
     
-    <testGroup ID="slipOut" autoDeletePOSTS="true">
+    <testGroup ID="SimpleRoles" autoDeletePOSTS="true">
+        <test ID="simpleAccount-1">
+            <method>POST</method>
+            <uri>/cspace-services/accounts</uri>
+            <filename>security/BasicRoles/createSimpleAccount-1.xml</filename>
+        </test>
+        <test ID="simpleRole-1">
+            <method>POST</method>
+            <uri>/cspace-services/authorization/roles</uri>
+            <filename>security/BasicRoles/createSimpleRole-1.xml</filename>
+        </test>
+        <!--
+            Create an account and role(s) with a single payload request
+        -->
+        <test ID="simpleRole_2">
+            <method>POST</method>
+            <uri>/cspace-services/authorization/roles</uri>
+            <filename>security/BasicRoles/createSimpleRole-2.xml</filename>
+        </test>        
+        <test ID="simpleAccount-2">
+            <method>POST</method>
+            <uri>/cspace-services/accounts</uri>
+            <filename>security/BasicRoles/createSimpleAccount-2.xml</filename>
+        </test>
+    </testGroup>
+    
+    <testGroup ID="SlipOut" autoDeletePOSTS="true">
         <test ID="slipOutPerm">
             <method>POST</method>
             <uri>/cspace-services/authorization/permissions</uri>
-            <filename>security/slipOutPerm.xml</filename>
+            <filename>security/SlipOut/slipOutPerm.xml</filename>
         </test>
         <test ID="slipOutRole">
             <method>POST</method>
             <uri>/cspace-services/authorization/roles</uri>
-            <filename>security/slipOutRole.xml</filename>
+            <filename>security/SlipOut/slipOutRole.xml</filename>
         </test>
-        <test ID="accountGrover">
+        <test ID="slipOutAccount">
             <method>POST</method>
             <uri>/cspace-services/accounts</uri>
-            <filename>security/create-account-grover.xml</filename>
+            <filename>security/SlipOut/slipOutAccount-1.xml</filename>
         </test>
-        <test ID="slipOutVocab-1" auth="grover2018">
+        <test ID="slipOutVocab-1" auth="grover">
             <method>POST</method>
             <uri>/cspace-services/vocabularies</uri>
-            <filename>security/slipOutVocab-1.xml</filename>
+            <filename>security/SlipOut/slipOutVocab-1.xml</filename>
         </test>
         <test ID="update-slipOutPerm" auth="admin@core.collectionspace.org">
             <method>PUT</method>
             <uri>/cspace-services/authorization/permissions/${slipOutPerm.CSID}</uri>
-            <filename>security/slipOutPerm-update.xml</filename>
+            <filename>security/SlipOut/slipOutPerm-update.xml</filename>
         </test>
-        <test ID="slipOutVocab-2" auth="grover2018">
+        <test ID="slipOutVocab-2" auth="grover">
             <expectedCodes>403</expectedCodes>
             <method>POST</method>
             <uri>/cspace-services/vocabularies</uri>
-            <filename>security/slipOutVocab-2.xml</filename>
+            <filename>security/SlipOut/slipOutVocab-2.xml</filename>
         </test>
     </testGroup>
     
@@ -60,7 +93,7 @@
         </test>
     </testGroup>
     
-    <testGroup ID="deleteBug" autoDeletePOSTS="false">
+    <testGroup ID="DeleteBug" autoDeletePOSTS="false">
 
         <test ID="permElmo">
             <method>POST</method>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/6-account-elmo.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/6-account-elmo.xml
index af1447aee..80180083a 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/6-account-elmo.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/6-account-elmo.xml
@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<ns2:accounts_common
-xmlns:ns2="http://collectionspace.org/services/account"
-xmlns:ns3="http://collectionspace.org/services/hyperjaxb">
-  <screenName>elmo2010</screenName>
-  <personRefName>elmo2010</personRefName>
-  <email>elmo@cspace.org</email>
-  <phone>1234567890</phone>
-  <userId>elmo2010</userId>
-	<!-- Pass word is elmo2010, base64 encoded -->
-  <password>ZWxtbzIwMTA=</password>
-  <tenants>
-    <tenant_id>1</tenant_id>
-  </tenants>
+<ns2:accounts_common xmlns:ns2="http://collectionspace.org/services/account" xmlns:ns3="http://collectionspace.org/services/hyperjaxb">
+    <screenName>elmo2018</screenName>
+    <personRefName>elmo2018</personRefName>
+    <email>elmo2018@DeleteBug.accountelemo.org</email>
+    <phone>1234567890</phone>
+    <userId>elmo2018</userId>
+    <!-- Pass word is grover2018, base64 encoded -->
+    <password>Z3JvdmVyMjAxOA==</password>
+    <tenants>
+        <tenant_id>1</tenant_id>
+    </tenants>
+    <role>
+        <roleId>${permElmo.CSID}</roleId> <!-- It should be ok that role name is missing -->
+    </role>
 </ns2:accounts_common>
-
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-1.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-1.xml
new file mode 100644
index 000000000..3612f7c5b
--- /dev/null
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-1.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:accounts_common xmlns:ns2="http://collectionspace.org/services/account" xmlns:ns3="http://collectionspace.org/services/hyperjaxb">
+    <screenName>simpleAccount-1</screenName>
+    <personRefName>simpleAccount-1</personRefName>
+    <email>simpleAccount-1@security.simpleroles.org</email>
+    <phone>1234567890</phone>
+    <userId>simpleAccount-1</userId>
+    <!-- Pass word is elmo2010, base64 encoded -->
+    <password>ZWxtbzIwMTA=</password>
+    <tenants>
+        <tenant_id>1</tenant_id>
+    </tenants>
+</ns2:accounts_common>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-2.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-2.xml
new file mode 100644
index 000000000..657682ef9
--- /dev/null
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleAccount-2.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:accounts_common xmlns:ns2="http://collectionspace.org/services/account" xmlns:ns3="http://collectionspace.org/services/hyperjaxb">
+    <screenName>simpleAccount-2</screenName>
+    <personRefName>simpleAccount-2</personRefName>
+    <email>simpleAccount-2@security.simpleroles.org</email>
+    <phone>1234567890</phone>
+    <userId>simpleAccount-2</userId>
+    <!-- Pass word is elmo2010, base64 encoded -->
+    <password>ZWxtbzIwMTA=</password>
+    <tenants>
+        <tenant_id>1</tenant_id>
+    </tenants>
+    <role>
+        <roleId>9a1fed44-25b0-48f9-8356-d16ac7555cae</roleId>
+        <roleName>ROLE_1_TENANT_ADMINISTRATOR</roleName>
+    </role>
+    <role>
+        <roleId>${simpleRole_2.CSID}</roleId>
+    </role>
+</ns2:accounts_common>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-1.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-1.xml
new file mode 100644
index 000000000..3bf4d1861
--- /dev/null
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-1.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:role xmlns:ns2="http://collectionspace.org/services/authorization">
+    <roleName>BasicRoles-SimpleRole-1</roleName>
+    <description>Role for BasicRoles-simpleRole-1 create test.</description>
+</ns2:role>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-2.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-2.xml
new file mode 100644
index 000000000..41640460c
--- /dev/null
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/BasicRoles/createSimpleRole-2.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:role xmlns:ns2="http://collectionspace.org/services/authorization">
+    <roleName>BasicRoles-SimpleRole-2</roleName>
+    <description>Role for BasicRoles-simpleRole-2 create test.</description>
+    <permission>
+        <permissionId>1-vocabularies-RL</permissionId>
+    </permission>
+    <permission>
+        <permissionId>1-groups-RL</permissionId>
+    </permission>
+</ns2:role>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/create-account-grover.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutAccount-1.xml
similarity index 82%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/create-account-grover.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutAccount-1.xml
index 6ca2535e9..6eac120fa 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/create-account-grover.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutAccount-1.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <ns2:accounts_common xmlns:ns2="http://collectionspace.org/services/account" xmlns:ns3="http://collectionspace.org/services/hyperjaxb">
-    <screenName>grover2018</screenName>
-    <personRefName>grover2018</personRefName>
+    <screenName>grover</screenName>
+    <personRefName>grover</personRefName>
     <email>grover@cspace.org</email>
     <phone>1234567890</phone>
-    <userId>grover2018</userId>
+    <userId>grover</userId>
     <!-- Pass word is grover2018, base64 encoded -->
     <password>Z3JvdmVyMjAxOA==</password>
     <tenants>
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutPerm-update.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutPerm-update.xml
similarity index 100%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutPerm-update.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutPerm-update.xml
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutPerm.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutPerm.xml
similarity index 100%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutPerm.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutPerm.xml
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutRole.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutRole.xml
similarity index 100%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutRole.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutRole.xml
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutVocab-1.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutVocab-1.xml
similarity index 100%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutVocab-1.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutVocab-1.xml
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutVocab-2.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutVocab-2.xml
similarity index 100%
rename from services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/slipOutVocab-2.xml
rename to services/IntegrationTests/src/test/resources/test-data/xmlreplay/security/SlipOut/slipOutVocab-2.xml
diff --git a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/xml-replay-master.xml b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/xml-replay-master.xml
index 796a932c7..03449900d 100644
--- a/services/IntegrationTests/src/test/resources/test-data/xmlreplay/xml-replay-master.xml
+++ b/services/IntegrationTests/src/test/resources/test-data/xmlreplay/xml-replay-master.xml
@@ -5,13 +5,17 @@
     <!-- legal values for dumpServiceResult=[minimal,detailed,full,auto] -->
     <dump payloads="false" dumpServiceResult="auto" />
     
+    <!-- Auth = Base64Encode("username:password") See https://www.base64encode.org/
+                For example:
+                    Username = "grover"
+                    Password = "grover2018"
+                    Token String = "grover:grover2018"
+                    Auth ID = "Z3JvdmVyOmdyb3ZlcjIwMTg="
+    -->
     <auths default="admin@core.collectionspace.org">
         <auth ID="admin@core.collectionspace.org">YWRtaW5AY29yZS5jb2xsZWN0aW9uc3BhY2Uub3JnOkFkbWluaXN0cmF0b3I=</auth>
     </auths>
     
-    
-    
-    
     <run controlFile="./security-oauth.xml" />
     <run controlFile="./security.xml" testGroup="deleteBug" />
     <run controlFile="objectexit/object-exit.xml" testGroup="makeone" />
diff --git a/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java b/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
index a6b7b8a2f..967e2d9d0 100644
--- a/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
+++ b/services/account/client/src/test/java/org/collectionspace/services/account/client/test/AccountRoleServiceTest.java
@@ -114,14 +114,14 @@ public class AccountRoleServiceTest extends AbstractServiceTestImpl<AccountRole,
         avc.setAccountId(coAccId);
         accValues.put(avc.getScreenName(), avc);
 
-        String rn1 = "ROLE_CO1";
+        String rn1 = "xROLE_CO1";
         String r1RoleId = createRole(rn1);
         RoleValue rv1 = new RoleValue();
         rv1.setRoleId(r1RoleId);
         rv1.setRoleName(rn1);
         roleValues.put(rv1.getRoleName(), rv1);
 
-        String rn2 = "ROLE_CO2";
+        String rn2 = "xROLE_CO2";
         String r2RoleId = createRole(rn2);
         RoleValue rv2 = new RoleValue();
         rv2.setRoleId(r2RoleId);
@@ -219,7 +219,7 @@ public class AccountRoleServiceTest extends AbstractServiceTestImpl<AccountRole,
     }
     
     /*
-     * In this test, for setup, we associate both test roles ("ROLE_CO1", "ROLE_CO2") with the test account "acc-role-user2".
+     * In this test, for setup, we associate both test roles ("xROLE_CO1", "xROLE_CO2") with the test account "acc-role-user2".
      * After we've performed this setup, our call to "/role/{csid}/accountroles" should contain an AccountRole that has
      * a list of 1 account -the test user account we associated during setup.
      */
@@ -248,7 +248,7 @@ public class AccountRoleServiceTest extends AbstractServiceTestImpl<AccountRole,
         }
 
         //
-        // Now read the list of accounts associated with the role "ROLE_CO1".
+        // Now read the list of accounts associated with the role "xROLE_CO1".
         // There should be just the "acc-role-user2" account.
         //
         RoleClient roleClient = new RoleClient();
@@ -256,7 +256,7 @@ public class AccountRoleServiceTest extends AbstractServiceTestImpl<AccountRole,
         // Submit the request to the service and store the response.
         setupRead();        
         Response res = roleClient.readRoleAccounts(
-        		roleValues.get("ROLE_CO1").getRoleId());
+        		roleValues.get("xROLE_CO1").getRoleId());
         try {
             // Check the status code of the response: does it match
             // the expected response(s)?
diff --git a/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java b/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java
index d664d8c88..424e8095a 100644
--- a/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java
+++ b/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java
@@ -36,6 +36,7 @@ import org.collectionspace.services.authorization.SubjectType;
 import org.collectionspace.services.client.AccountClient;
 import org.collectionspace.services.client.PayloadOutputPart;
 import org.collectionspace.services.client.RoleClient;
+import org.collectionspace.services.common.CSWebApplicationException;
 import org.collectionspace.services.common.EmailUtil;
 import org.collectionspace.services.common.SecurityResourceBase;
 import org.collectionspace.services.common.ServiceMain;
@@ -45,6 +46,7 @@ import org.collectionspace.services.common.authorization_mgt.AuthorizationCommon
 import org.collectionspace.services.common.context.RemoteServiceContextFactory;
 import org.collectionspace.services.common.context.ServiceContext;
 import org.collectionspace.services.common.context.ServiceContextFactory;
+import org.collectionspace.services.common.document.DocumentException;
 import org.collectionspace.services.common.document.DocumentNotFoundException;
 import org.collectionspace.services.common.query.UriInfoImpl;
 import org.collectionspace.services.common.storage.StorageClient;
@@ -64,6 +66,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 
+import javax.persistence.NoResultException;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
@@ -129,7 +132,11 @@ public class AccountResource extends SecurityResourceBase<AccountsCommon, Accoun
     @GET
     @Path("{csid}")
     public AccountsCommon getAccount(@Context UriInfo ui, @PathParam("csid") String csid) {
-        return (AccountsCommon)get(ui, csid, AccountsCommon.class);
+    	AccountsCommon result = null;
+    	
+        result = (AccountsCommon)get(ui, csid, AccountsCommon.class);
+    	
+    	return result;
     }
 
     @GET
diff --git a/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountDocumentHandler.java b/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountDocumentHandler.java
index eddd79470..ed4fc0a9b 100644
--- a/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountDocumentHandler.java
+++ b/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountDocumentHandler.java
@@ -35,11 +35,9 @@ import org.collectionspace.services.account.AccountListItem;
 import org.collectionspace.services.account.AccountRoleSubResource;
 import org.collectionspace.services.account.Status;
 import org.collectionspace.services.authorization.AccountRole;
-import org.collectionspace.services.authorization.AccountValue;
 import org.collectionspace.services.authorization.SubjectType;
 import org.collectionspace.services.account.RoleValue;
 import org.collectionspace.services.client.AccountClient;
-import org.collectionspace.services.client.AccountFactory;
 import org.collectionspace.services.client.AccountRoleFactory;
 import org.collectionspace.services.common.storage.TransactionContext;
 import org.collectionspace.services.common.storage.jpa.JpaDocumentHandler;
@@ -170,8 +168,7 @@ public class AccountDocumentHandler
     @Override
     public void completeUpdate(DocumentWrapper<AccountsCommon> wrapDoc) throws Exception {
         AccountsCommon upAcc = wrapDoc.getWrappedObject();
-        getServiceContext().setOutput(upAcc);
-        sanitize(upAcc);
+        getServiceContext().setOutput(upAcc);        
     }
 
     @Override
@@ -277,17 +274,23 @@ public class AccountDocumentHandler
      * sanitize removes data not needed to be sent to the consumer
      * @param account
      */
-    private void sanitize(AccountsCommon account) {
+    @Override
+	public void sanitize(DocumentWrapper<AccountsCommon> wrapDoc) {
+    	AccountsCommon account = wrapDoc.getWrappedObject();
+    	sanitize(account);
+    }
+    
+	private void sanitize(AccountsCommon account) {
         account.setPassword(null);
         if (!SecurityUtils.isCSpaceAdmin()) {
             account.setTenants(new ArrayList<AccountTenant>(0));
         }
-    }
+    }    
 
     /* (non-Javadoc)
      * @see org.collectionspace.services.common.document.DocumentHandler#initializeDocumentFilter(org.collectionspace.services.common.context.ServiceContext)
      */
-    public void initializeDocumentFilter(ServiceContext ctx) {
+    public void initializeDocumentFilter(ServiceContext<AccountsCommon, AccountsCommon> ctx) {
         // set a default document filter in this method
     }
 }
diff --git a/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountStorageClient.java b/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountStorageClient.java
index 0977ce61c..1a0df03bf 100644
--- a/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountStorageClient.java
+++ b/services/account/service/src/main/java/org/collectionspace/services/account/storage/AccountStorageClient.java
@@ -186,9 +186,12 @@ public class AccountStorageClient extends JpaStorageClientImpl {
             DocumentWrapper<AccountsCommon> wrapDoc =
                     new DocumentWrapperImpl<AccountsCommon>(accountFound);
             handler.handle(Action.UPDATE, wrapDoc);
-            handler.complete(Action.UPDATE, wrapDoc);
-
+            handler.complete(Action.UPDATE, wrapDoc); 
             jpaConnectionContext.commitTransaction();
+            //
+            // Don't sanitize until we've committed changes to the DB
+            //
+            handler.sanitize(wrapDoc);
         } catch (BadRequestException bre) {
         	jpaConnectionContext.markForRollback();
             throw bre;
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
index c444233ed..45aed137d 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
@@ -290,59 +290,19 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl<Permissio
 
     }
 
-    // Failure outcomes
-    /* (non-Javadoc)
-     * @see org.collectionspace.services.client.test.AbstractServiceTestImpl#readNonExistent(java.lang.String)
-     */
-    @Override
-    @Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class)
-    public void readNonExistent(String testName) throws Exception {
-        // Perform setup.
-        setupReadNonExistent();
-
-        // Submit the request to the service and store the response.
-        PermissionRoleClient client = new PermissionRoleClient();
-        Response res = null;
-        try {
-            res = client.read(NON_EXISTENT_ID);
-            int statusCode = res.getStatus();
-
-            // Check the status code of the response: does it match
-            // the expected response(s)?
-            if (logger.isDebugEnabled()) {
-                logger.debug(testName + ": status = " + statusCode);
-            }
-            Assert.assertTrue(testRequestType.isValidStatusCode(statusCode),
-                    invalidStatusCodeMessage(testRequestType, statusCode));
-            Assert.assertEquals(statusCode, testExpectedStatusCode);
-        } finally {
-            if (res != null) {
-                res.close();
-            }
-        }
-    }
-
     @Test(dataProvider = "testName",
     		dependsOnMethods = {"CRUDTests"})
     public void readNoRelationship(String testName) throws Exception {
         // Perform setup.
-        setupRead();
+    	setupReadNonExistent();
 
         // Submit the request to the service and store the response.
         PermissionRoleClient client = new PermissionRoleClient();
         Response res = null;
         try {
-            res = client.read(
-                    permValues.get(TEST_SERVICE_NAME + TEST_MARKER + NO_REL_SUFFIX).getPermissionId());
-            // Check the status code of the response: does it match
-            // the expected response(s)?
+        	String permId = permValues.get(TEST_SERVICE_NAME + TEST_MARKER + NO_REL_SUFFIX).getPermissionId();
+            res = client.read(permId);
             assertStatusCode(res, testName);
-            PermissionRole output = res.readEntity(PermissionRole.class);
-
-            String sOutput = objectAsXmlString(output, PermissionRole.class);
-            if (logger.isDebugEnabled()) {
-                logger.debug(testName + " received " + sOutput);
-            }
         } finally {
             if (res != null) {
                 res.close();
@@ -728,11 +688,10 @@ public class PermissionRoleServiceTest extends AbstractServiceTestImpl<Permissio
      * refer to this method in their @Test annotation declarations.
      */
     @Override
-    @Test(dataProvider = "testName",
-    		dependsOnMethods = {
+    @Test(dataProvider = "testName", dependsOnMethods = {
         		"org.collectionspace.services.client.test.AbstractServiceTestImpl.baseCRUDTests"})    
     public void CRUDTests(String testName) {
-    	// Do nothing.  Simply here to for a TestNG execution order for our tests
+    	System.out.println("no-op");
     }
     
 	@Override
diff --git a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
index 5a70fb614..18a65b3b0 100644
--- a/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
+++ b/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
@@ -61,11 +61,13 @@ public class RoleServiceTest extends AbstractServiceTestImpl<RolesList, Role, Ro
     // Used to create unique identifiers
     static private final Random random = new Random(System.currentTimeMillis());
     
-	private static final String PERM_1_RL_RESOURCE = "xROLE_TEST_PERMVALUE_RESOURCE_1";
+	private static final String PERM_1_RL_RESOURCE = "intakes";
 	private static final String PERM_1_RL_ACTIONGROUP = "RL";
-	private static final String PERM_2_RL_RESOURCE = "xROLE_TEST_PERMVALUE_RESOURCE_2";
+	
+	private static final String PERM_2_RL_RESOURCE = "dimensions";
 	private static final String PERM_2_RL_ACTIONGROUP = "CRUL";
-	private static final String PERM_3_RL_RESOURCE = "xROLE_TEST_PERMVALUE_RESOURCE_3";
+	
+	private static final String PERM_3_RL_RESOURCE = "loansin";
 	private static final String PERM_3_RL_ACTIONGROUP = "CRUDL";
 
 
diff --git a/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java b/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
index be4176100..16b6e0d1a 100644
--- a/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
+++ b/services/client/src/main/java/org/collectionspace/services/client/test/AbstractServiceTestImpl.java
@@ -256,9 +256,10 @@ public abstract class AbstractServiceTestImpl<CLT, CPT, REQUEST_TYPE, RESPONSE_T
 
         // Submit the request to the service and store the response.
     	CollectionSpaceClient client = this.getClientInstance();
-        Response res = client.read(NON_EXISTENT_ID);
-        int statusCode = res.getStatus();
+        Response res = null;
         try {
+            res = client.read(NON_EXISTENT_ID);
+            int statusCode = res.getStatus();
             // Check the status code of the response: does it match
             // the expected response(s)?
             if (logger.isDebugEnabled()) {
@@ -268,7 +269,7 @@ public abstract class AbstractServiceTestImpl<CLT, CPT, REQUEST_TYPE, RESPONSE_T
                     invalidStatusCodeMessage(testRequestType, statusCode));
             Assert.assertEquals(statusCode, testExpectedStatusCode);
         } finally {
-            res.close();
+            if (res != null) res.close();
         }
     }
 
diff --git a/services/common/src/main/java/org/collectionspace/services/common/SecurityResourceBase.java b/services/common/src/main/java/org/collectionspace/services/common/SecurityResourceBase.java
index df5a9fa78..ab06f294d 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/SecurityResourceBase.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/SecurityResourceBase.java
@@ -1,6 +1,7 @@
 package org.collectionspace.services.common;
 
 import org.collectionspace.services.common.context.ServiceContext;
+import org.collectionspace.services.common.document.DocumentException;
 import org.collectionspace.services.common.document.DocumentFilter;
 import org.collectionspace.services.common.document.DocumentHandler;
 import org.collectionspace.services.common.storage.TransactionContext;
@@ -8,6 +9,7 @@ import org.collectionspace.services.common.storage.jpa.JPATransactionContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.persistence.NoResultException;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
@@ -84,14 +86,22 @@ public abstract class SecurityResourceBase<IT, OT> extends AbstractCollectionSpa
         logger.debug("get with csid=" + csid);
         ensureCSID(csid, ServiceMessages.GET_FAILED + "csid");
         Object result = null;
+        
         try {
             ServiceContext<IT, OT> ctx = createServiceContext((IT) null, objectClass, ui);            
             DocumentHandler handler = createDocumentHandler(ctx);
             getStorageClient(ctx).get(ctx, csid, handler);
             result = ctx.getOutput();
-        } catch (Exception e) {
+        } catch (DocumentException e) {
+    		Exception cause = (Exception) e.getCause();
+    		if (cause instanceof NoResultException) {
+		        Response response = Response.status(Response.Status.NOT_FOUND).entity(result).type("text/plain").build();
+	            throw new CSWebApplicationException(response);
+    		}
+    	} catch (Exception e) {
             throw bigReThrow(e, ServiceMessages.GET_FAILED, csid);
         }
+        
         checkResult(result, csid, ServiceMessages.GET_FAILED);
         return result;
     }
diff --git a/services/common/src/main/java/org/collectionspace/services/common/document/AbstractDocumentHandlerImpl.java b/services/common/src/main/java/org/collectionspace/services/common/document/AbstractDocumentHandlerImpl.java
index f6af6159b..8ffa1d259 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/document/AbstractDocumentHandlerImpl.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/document/AbstractDocumentHandlerImpl.java
@@ -266,6 +266,14 @@ public abstract class AbstractDocumentHandlerImpl<T, TL, WT, WTL>
         
         return result;
     }
+    
+    @Override
+	public void sanitize(DocumentWrapper<WT> wrapDoc) {
+    	//
+    	// By default, do nothing.  Sub-classes can override if they want to.
+    	//
+    }
+
 
     /* (non-Javadoc)
      * @see org.collectionspace.services.common.document.DocumentHandler#handleCreate(org.collectionspace.services.common.document.DocumentWrapper)
diff --git a/services/common/src/main/java/org/collectionspace/services/common/document/DocumentHandler.java b/services/common/src/main/java/org/collectionspace/services/common/document/DocumentHandler.java
index 5e1db5046..668357c64 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/document/DocumentHandler.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/document/DocumentHandler.java
@@ -19,6 +19,7 @@ package org.collectionspace.services.common.document;
 
 import java.util.Map;
 
+import org.collectionspace.services.account.AccountsCommon;
 import org.collectionspace.services.common.context.ServiceContext;
 import org.collectionspace.services.common.query.QueryContext;
 import org.collectionspace.services.common.vocabulary.RefNameServiceUtils.Specifier;
@@ -384,4 +385,6 @@ public interface DocumentHandler<T, TL, WT, WTL> {
 	 */
 	void completeSync(DocumentWrapper<Object> wrapDoc) throws Exception;
 
+	public void sanitize(DocumentWrapper<WT> wrapDoc);
+
 }
diff --git a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageUtils.java b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageUtils.java
index 705cd756e..7fc0aff2f 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageUtils.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageUtils.java
@@ -32,6 +32,7 @@ import java.util.Map;
 import javax.persistence.PersistenceException;
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
+import javax.persistence.EntityNotFoundException;
 import javax.persistence.NoResultException;
 import javax.persistence.Persistence;
 import javax.persistence.Query;
@@ -544,7 +545,7 @@ public class JpaStorageUtils {
             q.setParameter(paramName, paramBindings.get(paramName));
         }
         
-        result = q.getSingleResult();
+       	result = q.getSingleResult();
         
         if (result == null) {
         	logger.debug("Call to getEntity() returned empty set.");
-- 
2.47.3