diff --git a/ckan/logic/auth/create.py b/ckan/logic/auth/create.py
index ae98e257914..6061e4eb69b 100644
--- a/ckan/logic/auth/create.py
+++ b/ckan/logic/auth/create.py
@@ -114,6 +114,13 @@ def user_create(context, data_dict=None):
 
 
 def _check_group_auth(context, data_dict):
+    '''Has this user got update permission for all of the given groups?
+    If there is a package in the context then ignore that package's groups.
+    :returns: False if not allowed to update one (or more) of the given groups.
+              True otherwise. i.e. True is the default. A blank data_dict
+              mentions no groups, so it returns True.
+
+    '''
     # FIXME This code is shared amoung other logic.auth files and should be
     # somewhere better
     if not data_dict:
diff --git a/ckan/model/group.py b/ckan/model/group.py
index f21bafb3cb8..a25cebf9927 100644
--- a/ckan/model/group.py
+++ b/ckan/model/group.py
@@ -177,6 +177,7 @@ def get_children_groups(self, type='group'):
         # actually did, but is now far simpler.
         results =  meta.Session.query(Group.id, Group.name, Group.title).\
                      filter_by(type=type).\
+                     filter_by(state='active').\
                      join(Member, Member.table_id == Group.id).\
                      filter_by(group=self).\
                      filter_by(table_name='group').\
diff --git a/ckan/new_authz.py b/ckan/new_authz.py
index a8f13063f60..370b19fb581 100644
--- a/ckan/new_authz.py
+++ b/ckan/new_authz.py
@@ -354,7 +354,7 @@ def check_config_permission(permission):
             key = 'ckan.auth.' + perm
             default = CONFIG_PERMISSIONS_DEFAULTS[perm]
             CONFIG_PERMISSIONS[perm] = config.get(key, default)
-            if isinstance(perm, bool):
+            if isinstance(default, bool):
                 CONFIG_PERMISSIONS[perm] = asbool(CONFIG_PERMISSIONS[perm])
     if permission in CONFIG_PERMISSIONS:
         return CONFIG_PERMISSIONS[permission]
diff --git a/ckan/tests/functional/test_group.py b/ckan/tests/functional/test_group.py
index b07bbe7ea6f..4f4fddc3e05 100644
--- a/ckan/tests/functional/test_group.py
+++ b/ckan/tests/functional/test_group.py
@@ -24,6 +24,10 @@ def setup_class(self):
         model.Session.remove()
         CreateTestData.create()
 
+        # reduce extraneous logging
+        from ckan.lib import activity_streams_session_extension
+        activity_streams_session_extension.logger.level = 100
+
     @classmethod
     def teardown_class(self):
         model.repo.rebuild_db()
@@ -102,17 +106,21 @@ def test_children(self):
     def test_sorting(self):
         model.repo.rebuild_db()
 
+        testsysadmin = model.User(name=u'testsysadmin')
+        testsysadmin.sysadmin = True
+        model.Session.add(testsysadmin)
+
         pkg1 = model.Package(name="pkg1")
         pkg2 = model.Package(name="pkg2")
         model.Session.add(pkg1)
         model.Session.add(pkg2)
 
         CreateTestData.create_groups([{'name': "alpha", 'packages': []},
-                                       {'name': "beta",
-                                        'packages': ["pkg1", "pkg2"]},
-                                       {'name': "delta",
-                                        'packages': ["pkg1"]},
-                                       {'name': "gamma", 'packages': []}],
+                                      {'name': "beta",
+                                       'packages': ["pkg1", "pkg2"]},
+                                      {'name': "delta",
+                                       'packages': ["pkg1"]},
+                                      {'name': "gamma", 'packages': []}],
                                      admin_user_name='testsysadmin')
 
         context = {'model': model, 'session': model.Session,