diff --git a/tests/LeftAndMainSubsitesTest.php b/tests/LeftAndMainSubsitesTest.php
index 7d0a390..5b7345a 100644
--- a/tests/LeftAndMainSubsitesTest.php
+++ b/tests/LeftAndMainSubsitesTest.php
@@ -1,4 +1,5 @@
-<?php 
+<?php
+
 class LeftAndMainSubsitesTest extends FunctionalTest {
 	
 	static $fixture_file = 'subsites/tests/SubsiteTest.yml';
@@ -9,12 +10,34 @@ class LeftAndMainSubsitesTest extends FunctionalTest {
 	function objFromFixture($class, $id) {
 		Subsite::disable_subsite_filter(true);
 		$obj = parent::objFromFixture($class, $id);
-		Subsite::disable_subsite_filter(false);		
+		Subsite::disable_subsite_filter(false);
 
 		return $obj;
 	}
-	
-	function testAlternateAccessCheck() {
+
+	function testSectionSites() {
+		$member = $this->objFromFixture('Member', 'subsite1member');
+
+		$cmsmain = singleton('CMSMain');
+		$subsites = $cmsmain->sectionSites(true, "Main site", $member);
+		$this->assertDOSEquals(array(
+			array('Title' =>'Subsite1 Template')
+		), $subsites, 'Lists member-accessible sites for the accessible controller.');
+
+		$assetadmin = singleton('AssetAdmin');
+		$subsites = $assetadmin->sectionSites(true, "Main site", $member);
+		$this->assertDOSEquals(array(), $subsites, 'Does not list any sites for forbidden controller.');
+
+		$member = $this->objFromFixture('Member', 'editor');
+
+		$cmsmain = singleton('CMSMain');
+		$subsites = $cmsmain->sectionSites(true, "Main site", $member);
+		$this->assertDOSContains(array(
+			array('Title' =>'Main site')
+		), $subsites, 'Includes the main site for members who can access all sites.');
+	}
+
+	function testAccessChecksDontChangeCurrentSubsite() {
 		$admin = $this->objFromFixture("Member","admin");
 		$this->loginAs($admin);
 		$ids = array();
@@ -28,11 +51,17 @@ class LeftAndMainSubsitesTest extends FunctionalTest {
 		$ids[] = $subsite3->ID;
 		$ids[] = 0;
 		
+		// Enable session-based subsite tracking.
+		Subsite::$use_session_subsiteid = true;
+
 		foreach($ids as $id) {
-			Subsite::changeSubsite($id);	//switch to main site (subsite ID zero)
+			Subsite::changeSubsite($id);
+			$this->assertEquals($id, Subsite::currentSubsiteID());
+
 			$left = new LeftAndMain();
 			$this->assertTrue($left->canView(), "Admin user can view subsites LeftAndMain with id = '$id'");
-			$this->assertEquals($id, Subsite::currentSubsiteID(), "The current subsite has not been changed in the process of checking permissions for admin user.");
+			$this->assertEquals($id, Subsite::currentSubsiteID(),
+				"The current subsite has not been changed in the process of checking permissions for admin user.");
 		}
 		
 	}
diff --git a/tests/SiteTreeSubsitesTest.php b/tests/SiteTreeSubsitesTest.php
index e8fa7d5..cdd120d 100644
--- a/tests/SiteTreeSubsitesTest.php
+++ b/tests/SiteTreeSubsitesTest.php
@@ -41,6 +41,7 @@ class SiteTreeSubsitesTest extends BaseSubsiteTest {
 	
 	function testBasicSanity() {
 		$this->assertTrue(singleton('SiteTree')->getSiteConfig() instanceof SiteConfig);
+		// The following assert is breaking in Translatable.
 		$this->assertTrue(singleton('SiteTree')->getCMSFields() instanceof FieldList);
 		$this->assertTrue(singleton('SubsitesVirtualPage')->getCMSFields() instanceof FieldList);
 		$this->assertTrue(is_array(singleton('SiteTreeSubsites')->extraStatics()));
diff --git a/tests/SubsiteAdminFunctionalTest.php b/tests/SubsiteAdminFunctionalTest.php
index 0b3a656..ed1c7b2 100644
--- a/tests/SubsiteAdminFunctionalTest.php
+++ b/tests/SubsiteAdminFunctionalTest.php
@@ -6,6 +6,35 @@ class SubsiteAdminFunctionalTest extends FunctionalTest {
 
 	protected $autoFollowRedirection = false;
 
+	/**
+	 * Helper: FunctionalTest is only able to follow redirection once, we want to go all the way.
+	 */
+	function getAndFollowAll($url) {
+		$response = $this->get($url);
+		while ($location = $response->getHeader('Location')) {
+			$response = $this->mainSession->followRedirection();
+		}
+		echo $response->getHeader('Location');
+
+		return $response;
+	}
+
+	/**
+	 * Anonymous user cannot access anything.
+	 */
+	function testAnonymousIsForbiddenAdminAccess() {
+		$response = $this->getAndFollowAll('admin/pages/?SubsiteID=0');
+		$this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'Admin is disallowed');
+
+		$subsite1 = $this->objFromFixture('Subsite', 'subsite1');
+		$response = $this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}");
+		$this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(), 'Admin is disallowed');
+
+		$response = $this->getAndFollowAll('SubsiteXHRController');
+		$this->assertRegExp('#^Security/login.*#', $this->mainSession->lastUrl(),
+			'SubsiteXHRController is disallowed');
+	}
+
 	/**
 	 * Admin should be able to access all subsites and the main site
 	 */
@@ -13,14 +42,18 @@ class SubsiteAdminFunctionalTest extends FunctionalTest {
 		$member = $this->objFromFixture('Member', 'admin');
 		Session::set("loggedInAs", $member->ID);
 		
-		$this->get('admin/pages?SubsiteID=0&ajax=1');
-		$this->get('admin');
-		$this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site');
+		$this->getAndFollowAll('admin/pages/?SubsiteID=0');
+		$this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site.');
+		$this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section');
 
-		$mainSubsite = $this->objFromFixture('Subsite', 'main');
-		$this->get("admin/pages?SubsiteID={$mainSubsite->ID}&ajax=1");
-		$this->get('admin');
-		$this->assertEquals(Subsite::currentSubsiteID(), $mainSubsite->ID, 'Can access the subsite');
+		$subsite1 = $this->objFromFixture('Subsite', 'subsite1');
+		$this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}");
+		$this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access other subsite.');
+		$this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section');
+
+		$response = $this->getAndFollowAll('SubsiteXHRController');
+		$this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(),
+			'SubsiteXHRController is reachable');
 	}
 
 	/**
@@ -30,14 +63,48 @@ class SubsiteAdminFunctionalTest extends FunctionalTest {
 	function testEditorCanAccessAllSubsites() {
 		$member = $this->objFromFixture('Member', 'editor');
 		Session::set("loggedInAs", $member->ID);
-		
-		$this->get('admin/pages?SubsiteID=0&ajax=1');
-		$this->get('admin');
-		$this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site');
 
-		$mainSubsite = $this->objFromFixture('Subsite', 'main');
-		$this->get("admin/pages?SubsiteID={$mainSubsite->ID}&ajax=1");
-		$this->get('admin');
-		$this->assertEquals(Subsite::currentSubsiteID(), $mainSubsite->ID, 'Can access the subsite');
+		$this->getAndFollowAll('admin/pages/?SubsiteID=0');
+		$this->assertEquals(Subsite::currentSubsiteID(), '0', 'Can access main site.');
+		$this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section');
+
+		$subsite1 = $this->objFromFixture('Subsite', 'subsite1');
+		$this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}");
+		$this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access other subsite.');
+		$this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Lands on the correct section');
+
+		$response = $this->getAndFollowAll('SubsiteXHRController');
+		$this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(),
+			'SubsiteXHRController is reachable');
+	}
+
+	/**
+	 * Test a member who only has access to one subsite (subsite1) and only some sections (pages and security).
+	 */
+	function testSubsiteAdmin() {
+		$member = $this->objFromFixture('Member', 'subsite1member');
+		Session::set("loggedInAs", $member->ID);
+
+		$subsite1 = $this->objFromFixture('Subsite', 'subsite1');
+
+		// Check allowed URL.
+		$this->getAndFollowAll("admin/pages/?SubsiteID={$subsite1->ID}");
+		$this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Can access own subsite.');
+		$this->assertRegExp('#^admin/pages.*#', $this->mainSession->lastUrl(), 'Can access permitted section.');
+
+		// Check forbidden section in allowed subsite.
+		$this->getAndFollowAll("admin/assets/?SubsiteID={$subsite1->ID}");
+		$this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Is redirected within subsite.');
+		$this->assertNotRegExp('#^admin/assets/.*#', $this->mainSession->lastUrl(),
+			'Is redirected away from forbidden section');
+
+		// Check forbidden site.
+		$this->getAndFollowAll("admin/pages/?SubsiteID=0");
+		$this->assertEquals(Subsite::currentSubsiteID(), $subsite1->ID, 'Is redirected to permitted subsite.');
+
+		// Check the standalone XHR controller.
+		$response = $this->getAndFollowAll('SubsiteXHRController');
+		$this->assertNotRegExp('#^Security/login.*#', $this->mainSession->lastUrl(),
+			'SubsiteXHRController is reachable');
 	}
 }
diff --git a/tests/SubsiteTest.php b/tests/SubsiteTest.php
index 71c2086..16ee493 100644
--- a/tests/SubsiteTest.php
+++ b/tests/SubsiteTest.php
@@ -241,7 +241,29 @@ class SubsiteTest extends BaseSubsiteTest {
 
 		$_SERVER['HTTP_HOST'] = $originalHTTPHost;
 	}
-	
+
+	function testAllSites() {
+		$subsites = Subsite::all_sites();
+		$this->assertDOSEquals(array(
+			array('Title' =>'Main site'),
+			array('Title' =>'Template'),
+			array('Title' =>'Subsite1 Template'),
+			array('Title' =>'Subsite2 Template'),
+			array('Title' =>'Test 1'),
+			array('Title' =>'Test 2'),
+			array('Title' =>'Test 3')
+		), $subsites, 'Lists all subsites');
+	}
+
+	function testAllAccessibleSites() {
+		$member = $this->objFromFixture('Member', 'subsite1member');
+
+		$subsites = Subsite::all_accessible_sites(true, 'Main site', $member);
+		$this->assertDOSEquals(array(
+			array('Title' =>'Subsite1 Template')
+		), $subsites, 'Lists member-accessible sites.');
+	}
+
 	/**
 	 * Test Subsite::accessible_sites()
 	 */