diff --git a/lib/permission/permission.js b/lib/permission/permission.js
index 4d6a9427..6459bdd4 100644
--- a/lib/permission/permission.js
+++ b/lib/permission/permission.js
@@ -30,7 +30,7 @@ class Permission extends BigBitfield {
 const handlingBits = boardOnly ? Permissions._MANAGE_BOARD_BITS : Object.keys(Metadata);
 for (let bit of handlingBits) {
 // If perm has no "parent" bit, or current user has the parent permission, set each bit based on the form input
- const allowedParent = !Metadata[bit].parent
+ const allowedParent = Metadata[bit].parent == null
 || editorPermission.get(Metadata[bit].parent);
 if (allowedParent && !Metadata[bit].block) {
 this.set(parseInt(bit), (body[`permission_bit_${bit}`] != null));
diff --git a/lib/permission/permission.test.js b/lib/permission/permission.test.js
index 401fa4f9..1e2e459d 100644
--- a/lib/permission/permission.test.js
+++ b/lib/permission/permission.test.js
@@ -67,6 +67,28 @@ describe('testing permissions', () => {
 expect(Permission.allPermissions.every(b => NO_PERMISSION.get(b))).toBe(true);
 });
 
- //todo: what othe rpermissions test should be added?
+ test('handleBody() by somebody with editorPermission NOT having Permissions.ROOT cannot set Permissions.ROOT', () => {
+ const TEST_PERMISSION = new Permission();
+ TEST_PERMISSION.handleBody({
+ 'permission_bit_0': 0,
+ }, ANON);
+ expect(TEST_PERMISSION.get(0)).toBe(false);
+ });
+
+ test('handleBody() by somebody with editorPermission having Permissions.ROOT CAN set Permissions.ROOT', () => {
+ const TEST_PERMISSION = new Permission();
+ TEST_PERMISSION.handleBody({
+ 'permission_bit_0': 0,
+ }, ROOT);
+ expect(TEST_PERMISSION.get(0)).toBe(true);
+ });
+
+ test('handleBody() does not allow setting permission outside of _MANAGE_BOARD_BITS when boardOnly=true, even with permission', () => {
+ const TEST_PERMISSION = new Permission();
+ TEST_PERMISSION.handleBody({
+ 'permission_bit_0': 0,
+ }, ROOT, true);
+ expect(TEST_PERMISSION.get(0)).toBe(false);
+ });
 
 });
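Review bot: Nothing on the changed line records why `== null` replaced `!Metadata[bit].parent`, so a later "simplify" pass could reintroduce the truthiness check that silently treated a parent of `0` (the ROOT bit, per the test names in the sibling hunk) as "no parent"; a comment such as `// == null, not !: a parent of 0 (ROOT) is falsy but is a real parent bit` on the `+` line would pin that down. On the last context line, `parseInt(bit)` takes no radix even though `bit` is a string key from `Object.keys(Metadata)`; `Number.parseInt(bit, 10)` states the intent explicitly. It is also worth noting in the comment above the loop that when the editor lacks the parent permission the bit is neither set nor cleared, so whatever value the instance already held survives, if that is the intended contract. handleBody's signature and the rest of its body lie outside the hunk.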
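Review bot: The three new tests all start from an empty `new Permission()`, so they cannot distinguish "an editor without ROOT may not set bit 0" from "an editor without ROOT may not touch bit 0"; given the guarded `this.set(...)` in permission.js, an unauthorized editor leaves a pre-set bit as it was, and that read-only behaviour is what an authorization regression would most likely break. A test that sets bit 0 first, calls `handleBody({}, ANON)`, and asserts `get(0)` is still `true` would cover it (a constructed example follows; `ANON` and `ROOT` are fixtures defined outside the hunk, as is the describe block's opening, so the exact setup may need adjusting). The quoted key `'permission_bit_0'` could be written unquoted for consistency with the file's usual object-literal style, though that is cosmetic.
```javascript
	test('handleBody() by an editor lacking the parent permission leaves an already-set bit untouched', () => {
		const TEST_PERMISSION = new Permission();
		TEST_PERMISSION.set(0, true);
		TEST_PERMISSION.handleBody({}, ANON);
		expect(TEST_PERMISSION.get(0)).toBe(true);
	});
	// … unchanged: the three tests added by this commit …
```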