diff --git a/code/CommentAdmin.php b/code/CommentAdmin.php
index 3f9f2150..618f1d27 100644
--- a/code/CommentAdmin.php
+++ b/code/CommentAdmin.php
@@ -127,7 +127,7 @@ class CommentAdmin extends LeftAndMain {
 if($_REQUEST['Comments']) {
 foreach($_REQUEST['Comments'] as $commentid) {
- $comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
+ $comment = DataObject::get_by_id('PageComment', $commentid);
 if($comment) {
 $comment->delete();
 $numComments++;
@@ -171,7 +171,7 @@ JS;
 if($_REQUEST['Comments']) {
 foreach($_REQUEST['Comments'] as $commentid) {
- $comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
+ $comment = DataObject::get_by_id('PageComment', $commentid);
 if($comment) {
 $comment->IsSpam = true;
 $comment->NeedsModeration = false;
@@ -210,7 +210,7 @@ JS;
 if($_REQUEST['Comments']) {
 foreach($_REQUEST['Comments'] as $commentid) {
- $comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
+ $comment = DataObject::get_by_id('PageComment', $commentid);
 if($comment) {
 $comment->IsSpam = false;
 $comment->NeedsModeration = false;
@@ -250,7 +250,7 @@ JS;
 if($_REQUEST['Comments']) {
 foreach($_REQUEST['Comments'] as $commentid) {
- $comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
+ $comment = DataObject::get_by_id('PageComment', $commentid);
 if($comment) {
 $comment->IsSpam = false;
 $comment->NeedsModeration = false;
diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index 3abbfba4..302ee362 100644
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
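Review bot: `$commentid` still arrives unmodified from `$_REQUEST['Comments']` in all four CommentAdmin hunks (`@@ -127`, `-171`, `-210` and `-250`), so the safety of the query now depends entirely on how `DataObject::get_by_id()` treats a non-numeric ID, which this diff does not show. Casting at the call site, `$comment = DataObject::get_by_id('PageComment', (int)$commentid);`, would make the fix evident on its own and match the `(int)` casts this commit uses in SecurityAdmin.php. The surrounding `if($_REQUEST['Comments'])` guard also lets a scalar through to `foreach`; `is_array($_REQUEST['Comments'])` would be a tighter test. Each loop sits in a method that starts and ends outside its hunk, so whether a permission check precedes the delete and spam-flag changes cannot be seen here and is worth confirming.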
@@ -143,8 +143,13 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 $id = $_REQUEST['ID'];
 if($id == 'new') $id = null;
- if($id) $record = DataObject::get_one($className, "`$className`.ID = $id");
- else $record = new $className();
+ if($id) {
+ $record = DataObject::get_by_id($className, $id);
+ if($record && !$record->canEdit()) return Security::permissionFailure($this);
+ } else {
+ if(!singleton($this->stat('subitem_class'))->canCreate()) return Security::permissionFailure($this);
+ $record = new $className();
+ }
 $record->update($data);
 $record->ID = $id;
@@ -167,7 +172,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 $record->update($data);
 $record->write();
- if($data['GroupID']) $record->Groups()->add($data['GroupID']);
+ if($data['GroupID']) $record->Groups()->add((int)$data['GroupID']);
 FormResponse::add("reloadMemberTableField();");
@@ -179,7 +184,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 $memberID = $this->urlParams['OtherID'];
 if(is_numeric($groupID) && is_numeric($memberID)) {
 $member = DataObject::get_by_id('Member', (int) $memberID);
- $member->Groups()->remove($groupID);
+ $member->Groups()->remove((int)$groupID);
 FormResponse::add("reloadMemberTableField();");
 } else {
 user_error("SecurityAdmin::removememberfromgroup: Bad parameters: Group=$groupID, Member=$memberID", E_USER_ERROR);
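Review bot: When `DataObject::get_by_id()` finds no record, the new `if($record && !$record->canEdit())` guard is skipped and execution reaches `$record->update($data)` on a non-object, so an ID that matches nothing ends in a fatal error instead of a clean refusal. Folding the missing-record case into the same test, `if(!$record || !$record->canEdit()) return Security::permissionFailure($this);`, handles both and does not reveal whether the ID exists. The create branch checks `canCreate()` on `$this->stat('subitem_class')` but instantiates `$className`; if the two can differ (the assignment is outside the hunk), `singleton($className)->canCreate()` keeps the check and the object in step. The method starts and ends outside the hunk.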
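Review bot: The `(int)` cast on `$data['GroupID']` removes the injection path, but nothing visible in the `@@ -167,7 +172,7 @@` hunk checks that the current user may place the member in that group, unlike the `canEdit()`/`canCreate()` checks added in the first SecurityAdmin hunk. The same holds for `Groups()->remove((int)$groupID)` in the `@@ -179,7 +184,7 @@` hunk. Because group membership determines permissions, a guard such as `if(!$record->canEdit()) return Security::permissionFailure($this);` before the write is worth adding, unless the enclosing methods already do this above the visible lines. In the last hunk `$member` is also used without a null test, so a numeric ID that matches no member would fail on `$member->Groups()`; an `if(!$member)` guard before that call would avoid it. Both methods begin outside their hunks.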