diff --git a/domain/permission/mysql/store.go b/domain/permission/mysql/store.go
index 45847baf..f2a08998 100644
--- a/domain/permission/mysql/store.go
+++ b/domain/permission/mysql/store.go
@@ -48,26 +48,33 @@ func (s Scope) AddPermission(ctx domain.RequestContext, r permission.Permission)
 func (s Scope) AddPermissions(ctx domain.RequestContext, r permission.Permission, actions ...permission.Action) (err error) {
 	for _, a := range actions {
 		r.Action = a
-		s.AddPermission(ctx, r)
+
+		err := s.AddPermission(ctx, r)
+		if err != nil {
+			return err
+		}
 	}
 
 	return
 }
 
 // GetUserSpacePermissions returns space permissions for user.
-// Context is used to for user ID.
+// Context is used to for userID because must match by userID
+// or everyone ID of 0.
 func (s Scope) GetUserSpacePermissions(ctx domain.RequestContext, spaceID string) (r []permission.Permission, err error) {
 	err = s.Runtime.Db.Select(&r, `
 		SELECT id, orgid, who, whoid, action, scope, location, refid
 			FROM permission WHERE orgid=? AND location='space' AND refid=? AND who='user' AND (whoid=? OR whoid='0')
 		UNION ALL
 		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.location='space' AND refid=?
-			AND p.who='role' AND (r.userid=? OR r.userid='0')`,
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='space' AND refid=? AND p.who='role' AND (r.userid=? OR r.userid='0')`,
 		ctx.OrgID, spaceID, ctx.UserID, ctx.OrgID, spaceID, ctx.UserID)
 
 	if err == sql.ErrNoRows {
 		err = nil
+		r = []permission.Permission{}
 	}
 	if err != nil {
 		err = errors.Wrap(err, fmt.Sprintf("unable to execute select user permissions %s", ctx.UserID))
@@ -77,18 +84,21 @@ func (s Scope) GetUserSpacePermissions(ctx domain.RequestContext, spaceID string
 }
 
 // GetSpacePermissions returns space permissions for all users.
+// We do not filter by userID because we return permissions for all users.
 func (s Scope) GetSpacePermissions(ctx domain.RequestContext, spaceID string) (r []permission.Permission, err error) {
 	err = s.Runtime.Db.Select(&r, `
 		SELECT id, orgid, who, whoid, action, scope, location, refid
 			FROM permission WHERE orgid=? AND location='space' AND refid=? AND who='user'
 		UNION ALL
 		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.location='space' AND p.refid=? 
-			AND p.who='role'`,
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='space' AND p.refid=? AND p.who='role'`,
 		ctx.OrgID, spaceID, ctx.OrgID, spaceID)
 
 	if err == sql.ErrNoRows {
 		err = nil
+		r = []permission.Permission{}
 	}
 	if err != nil {
 		err = errors.Wrap(err, fmt.Sprintf("unable to execute select space permissions %s", ctx.UserID))
@@ -97,6 +107,136 @@ func (s Scope) GetSpacePermissions(ctx domain.RequestContext, spaceID string) (r
 	return
 }
 
+// GetCategoryPermissions returns category permissions for all users.
+func (s Scope) GetCategoryPermissions(ctx domain.RequestContext, catID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='category' AND refid=? AND who='user'
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='space' AND p.refid=? AND p.who='role'`,
+		ctx.OrgID, catID, ctx.OrgID, catID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+		r = []permission.Permission{}
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions %s", catID))
+	}
+
+	return
+}
+
+// GetCategoryUsers returns space permissions for all users.
+func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []user.User, err error) {
+	err = s.Runtime.Db.Select(&u, `
+		SELECT u.id, IFNULL(u.refid, '') AS refid, IFNULL(u.firstname, '') AS firstname, IFNULL(u.lastname, '') as lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
+		FROM user u LEFT JOIN account a ON u.refid = a.userid 
+		WHERE a.orgid=? AND a.active=1 AND u.refid IN (
+			SELECT whoid from permission WHERE orgid=? AND who='user' AND location='category' AND refid=?
+			UNION ALL
+			SELECT r.userid from rolemember r
+				LEFT JOIN permission p ON p.whoid=r.roleid
+				WHERE p.orgid=? AND p.who='role' AND p.location='category' AND p.refid=?
+		)
+		GROUP by u.id
+		ORDER BY firstname, lastname`,
+		ctx.OrgID, ctx.OrgID, catID, ctx.OrgID, catID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+		u = []user.User{}
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select users for category %s", catID))
+	}
+
+	return
+}
+
+// GetUserCategoryPermissions returns category permissions for given user.
+func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='category' AND who='user' AND (whoid=? OR whoid='0')
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='category' AND p.who='role' AND (r.userid=? OR r.userid='0')`,
+		ctx.OrgID, userID, ctx.OrgID, userID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+		r = []permission.Permission{}
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))
+	}
+
+	return
+}
+
+// GetUserDocumentPermissions returns document permissions for user.
+// Context is used to for user ID.
+func (s Scope) GetUserDocumentPermissions(ctx domain.RequestContext, documentID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='document' AND refid=? AND who='user' AND (whoid=? OR whoid='0')
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='document' AND refid=? AND p.who='role' AND (r.userid=? OR r.userid='0')`,
+		ctx.OrgID, documentID, ctx.UserID, ctx.OrgID, documentID, ctx.OrgID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+		r = []permission.Permission{}
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select user document permissions %s", ctx.UserID))
+	}
+
+	return
+}
+
+// GetDocumentPermissions returns documents permissions for all users.
+// We do not filter by userID because we return permissions for all users.
+func (s Scope) GetDocumentPermissions(ctx domain.RequestContext, documentID string) (r []permission.Permission, err error) {
+	err = s.Runtime.Db.Select(&r, `
+		SELECT id, orgid, who, whoid, action, scope, location, refid
+			FROM permission WHERE orgid=? AND location='document' AND refid=? AND who='user'
+		UNION ALL
+		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
+			FROM permission p
+			LEFT JOIN rolemember r ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.location='document' AND p.refid=? AND p.who='role'`,
+		ctx.OrgID, documentID, ctx.OrgID, documentID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+		r = []permission.Permission{}
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select document permissions %s", ctx.UserID))
+	}
+
+	return
+}
+
+// DeleteDocumentPermissions removes records from permissions table for given document.
+func (s Scope) DeleteDocumentPermissions(ctx domain.RequestContext, documentID string) (rows int64, err error) {
+	b := mysql.BaseQuery{}
+
+	sql := fmt.Sprintf("DELETE FROM permission WHERE orgid='%s' AND location='document' AND refid='%s'", ctx.OrgID, documentID)
+
+	return b.DeleteWhere(ctx.Transaction, sql)
+}
+
 // DeleteSpacePermissions removes records from permissions table for given space ID.
 func (s Scope) DeleteSpacePermissions(ctx domain.RequestContext, spaceID string) (rows int64, err error) {
 	b := mysql.BaseQuery{}
@@ -146,121 +286,3 @@ func (s Scope) DeleteSpaceCategoryPermissions(ctx domain.RequestContext, spaceID
 
 	return b.DeleteWhere(ctx.Transaction, sql)
 }
-
-// GetCategoryPermissions returns category permissions for all users.
-func (s Scope) GetCategoryPermissions(ctx domain.RequestContext, catID string) (r []permission.Permission, err error) {
-	err = s.Runtime.Db.Select(&r, `
-		SELECT id, orgid, who, whoid, action, scope, location, refid
-			FROM permission WHERE orgid=? AND location='category' AND refid=? AND who='user'
-		UNION ALL
-		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.location='space' AND p.refid=? 
-			AND p.who='role'`,
-		ctx.OrgID, catID, ctx.OrgID, catID)
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions %s", catID))
-	}
-
-	return
-}
-
-// GetCategoryUsers returns space permissions for all users.
-func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []user.User, err error) {
-	err = s.Runtime.Db.Select(&u, `
-		SELECT u.id, IFNULL(u.refid, '') AS refid, IFNULL(u.firstname, '') AS firstname, IFNULL(u.lastname, '') as lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
-		FROM user u LEFT JOIN account a ON u.refid = a.userid 
-		WHERE a.orgid=? AND a.active=1 AND u.refid IN (
-			SELECT whoid from permission WHERE orgid=? AND who='user' AND location='category' AND refid=? UNION ALL
-			SELECT r.userid from rolemember r LEFT JOIN permission p ON p.whoid=r.roleid WHERE p.orgid=? AND p.who='role' 
-				AND p.location='category' AND p.refid=?
-		)
-		GROUP by u.id
-		ORDER BY firstname, lastname`,
-		ctx.OrgID, ctx.OrgID, catID, ctx.OrgID, catID)
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select users for category %s", catID))
-	}
-
-	return
-}
-
-// GetUserCategoryPermissions returns category permissions for given user.
-func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID string) (r []permission.Permission, err error) {
-	err = s.Runtime.Db.Select(&r, `
-		SELECT id, orgid, who, whoid, action, scope, location, refid
-			FROM permission WHERE orgid=? AND location='category' AND who='user' AND (whoid=? OR whoid='0')
-		UNION ALL
-		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid
-			WHERE p.orgid=? AND p.location='category' AND p.who='role'`,
-		ctx.OrgID, userID, ctx.OrgID)
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))
-	}
-
-	return
-}
-
-// GetUserDocumentPermissions returns document permissions for user.
-// Context is used to for user ID.
-func (s Scope) GetUserDocumentPermissions(ctx domain.RequestContext, documentID string) (r []permission.Permission, err error) {
-	err = s.Runtime.Db.Select(&r, `
-		SELECT id, orgid, who, whoid, action, scope, location, refid
-			FROM permission WHERE orgid=? AND location='document' AND refid=? AND who='user' AND (whoid=? OR whoid='0')
-		UNION ALL
-		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.location='document' AND refid=?
-			AND p.who='role' AND (r.userid=? OR r.userid='0')`,
-		ctx.OrgID, documentID, ctx.UserID, ctx.OrgID, documentID, ctx.OrgID)
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select user document permissions %s", ctx.UserID))
-	}
-
-	return
-}
-
-// GetDocumentPermissions returns documents permissions for all users.
-func (s Scope) GetDocumentPermissions(ctx domain.RequestContext, documentID string) (r []permission.Permission, err error) {
-	err = s.Runtime.Db.Select(&r, `
-		SELECT id, orgid, who, whoid, action, scope, location, refid
-			FROM permission WHERE orgid=? AND location='document' AND refid=? AND who='user'
-		UNION ALL
-		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
-			FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.location='document' AND p.refid=? 
-			AND p.who='role'`,
-		ctx.OrgID, documentID, ctx.OrgID, documentID)
-
-	if err == sql.ErrNoRows {
-		err = nil
-	}
-	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select document permissions %s", ctx.UserID))
-	}
-
-	return
-}
-
-// DeleteDocumentPermissions removes records from permissions table for given document.
-func (s Scope) DeleteDocumentPermissions(ctx domain.RequestContext, documentID string) (rows int64, err error) {
-	b := mysql.BaseQuery{}
-
-	sql := fmt.Sprintf("DELETE FROM permission WHERE orgid='%s' AND location='document' AND refid='%s'", ctx.OrgID, documentID)
-
-	return b.DeleteWhere(ctx.Transaction, sql)
-}