diff --git a/tests/models/account.py b/tests/models/account.py
index a2789c5..b075dbc 100644
--- a/tests/models/account.py
+++ b/tests/models/account.py
@@ -98,21 +98,26 @@ def test_user_set_password():
 assert password not in user.password_hash
-@pytest.mark.parametrize(
- 'password', [
- 'Fish Slapping Dance',
- pytest.mark.xfail('Argument Clinic')
- ]
- )
-def test_user_check_password_ok(password):
- ''' test password check '''
+def test_user_check_password_ok():
+ ''' test password check succeeds'''
 from ordr2.models.account import User, passlib_context
 passlib_context.update(schemes=['argon2', 'bcrypt'], deprecated='auto')
 user = User(password_hash=None)
 user.set_password('Fish Slapping Dance')
- assert user.check_password(password)
+ assert user.check_password('Fish Slapping Dance') is True
+
+
+def test_user_check_password_fails():
+ ''' test password check fails '''
+ from ordr2.models.account import User, passlib_context
+
+ passlib_context.update(schemes=['argon2', 'bcrypt'], deprecated='auto')
+ user = User(password_hash=None)
+ user.set_password('Fish Slapping Dance')
+
+ assert user.check_password('Argument Clininc') is False
 def test_user_check_password_deprecated_hash():
diff --git a/tests/resources/account.py b/tests/resources/account.py
index a95f9ee..2365bf3 100644
--- a/tests/resources/account.py
+++ b/tests/resources/account.py
@@ -32,6 +32,7 @@ def test_registration_token_acl():
 DENY_ALL
 ]
+
 def test_email_verification_token_acl(app_config):
 ''' test the access controll list of the email token resource '''
 from pyramid.security import Allow, Authenticated, Deny, Everyone, DENY_ALL
@@ -44,6 +45,7 @@ def test_email_verification_token_acl(app_config):
 assert resource.__acl__() == [(Allow, 'user:3', 'settings'), DENY_ALL]
+
 def test_password_reset_token_acl():
 ''' test the access controll list of the password token resource '''
 from pyramid.security import Allow, Everyone, DENY_ALL
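Review bot: In tests/models/account.py, the new `test_user_check_password_fails` rejects only one unrelated string, so a `check_password` that compared case-insensitively or trimmed whitespace would still pass. Parametrising the wrong inputs with near misses would pin exact-match behaviour, for example `@pytest.mark.parametrize('wrong', ['Argument Clinic', 'fish slapping dance', 'Fish Slapping Dance '])`. Both tests also call `passlib_context.update(...)` on an object imported from `ordr2.models.account`, presumably shared module state, so the scheme list may leak into later tests unless a fixture restores it. The literal `'Argument Clininc'` looks like a typo for the `'Argument Clinic'` used in the removed parametrisation.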
@@ -57,6 +59,7 @@ def test_password_reset_token_acl():
 DENY_ALL
 ]
+
 def test_account_resource_init():
 ''' test __init__ function of base resource '''
 from ordr2.resources.account import AccountResource
@@ -69,6 +72,7 @@ def test_account_resource_init():
 assert resource.request == root.request
 assert resource.model == root.request.user
+
 def test_account_resource_acl():
 ''' test the access controll list of the account resource '''
 from pyramid.security import Allow, Authenticated, Deny, Everyone, DENY_ALL
@@ -87,6 +91,7 @@ def test_account_resource_acl():
 DENY_ALL
 ]
+
 def test_account_resource_getitem_token_ok(app_config, dbsession):
 ''' test __getitem__ method returns correct token '''
 from ordr2.models.account import TokenSubject
diff --git a/tests/resources/base.py b/tests/resources/base.py
index 35596d0..04e0c0a 100644
--- a/tests/resources/base.py
+++ b/tests/resources/base.py
@@ -28,20 +28,25 @@ def test_base_resource_acl():
 assert resource.__acl__()
-@pytest.mark.parametrize(
- 'segment', [
- 'known',
- pytest.mark.xfail('unknown', raises=KeyError)
- ]
- )
-def test_base_resource_getitem(segment):
+def test_base_resource_getitem_ok():
 ''' test the __getitem__ function of base resource '''
 from ordr2.resources import BaseResource, RootResource
 root = RootResource('request object')
 root.nodes = {'known': BaseResource}
- resource = root[segment]
+ resource = root['known']
 assert resource.__name__ == 'known'
 assert resource.__parent__ == root
 assert resource.request == 'request object'
+
+
+def test_base_resource_getitem_raises_key_error():
+ ''' test the __getitem__ function of base resource '''
+ from ordr2.resources import BaseResource, RootResource
+
+ root = RootResource('request object')
+ root.nodes = {'known': BaseResource}
+
+ with pytest.raises(KeyError):
+ resource = root['unknown']
diff --git a/tests/security.py b/tests/security.py
index 000358e..ccd410f 100644
--- a/tests/security.py
+++ b/tests/security.py
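Review bot: In tests/resources/base.py, `test_base_resource_getitem_raises_key_error` carries the same docstring as `test_base_resource_getitem_ok` and binds a name it never reads inside the `pytest.raises` block. I would change the docstring to `''' __getitem__ raises KeyError for a segment missing from nodes '''` and the body line to `root['unknown']`. That keeps linters from flagging `resource` and makes the test report say which case failed.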
@@ -82,15 +82,9 @@ def test_get_user_no_unauthenticated_user_id():
 assert get_user(request) is None
-@pytest.mark.parametrize(
- 'user_id', [
- 3, # active user, must work
- pytest.mark.xfail(1), # inactive user, must fail
- pytest.mark.xfail(1969), # unknown user id, must fail
- ]
- )
-def test_get_user_no_unauthenticated_user_id(user_id, dbsession):
- ''' get_user() should return None if unauthenticated_userid is None '''
+@pytest.mark.parametrize('user_id', [3, 4, 5])
+def test_get_user_known_authenticated_user_id(user_id, dbsession):
+ ''' get_user() should return user instance on known active user '''
 from collections import namedtuple
 from ordr2.models import User, Role
 from ordr2.security import get_user
@@ -103,3 +97,20 @@ def test_get_user_no_unauthenticated_user_id(user_id, dbsession):
 user = get_user(request)
 assert isinstance(user, User)
+
+
+@pytest.mark.parametrize('user_id', [1, 2, 6, 1969])
+def test_get_user_with_unknown_or_inactive_id(user_id, dbsession):
+ ''' get_user() should return None on inactive users or unknown ids '''
+ from collections import namedtuple
+ from ordr2.models import User, Role
+ from ordr2.security import get_user
+
+ create_users(dbsession)
+ # pyramid.testing.DummyRequest can't be used, since the parameter
+ # unauthenticated_userid cannot be set. A named tuple is used instead
+ Request = namedtuple('Request', 'dbsession, unauthenticated_userid')
+ request = Request(dbsession=dbsession, unauthenticated_userid=user_id)
+ user = get_user(request)
+
+ assert user is None
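Review bot: In tests/security.py, `test_get_user_known_authenticated_user_id` still asserts only `isinstance(user, User)` (that line is context in the following hunk), so a `get_user` that resolved a different account than the requested one would pass for 3, 4 and 5 alike. Assuming the model exposes its primary key as `id`, adding `assert user.id == user_id` would tie the returned identity to the `unauthenticated_userid` that was supplied. The bare list `[3, 4, 5]` also loses the per-value comments of the removed code; a short comment naming the role or state each id has in `create_users()` would keep the intent readable. The function body continues outside this hunk.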
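Review bot: In `test_get_user_with_unknown_or_inactive_id` (second hunk of tests/security.py) the ids `[1, 2, 6, 1969]` do not say which are inactive and which are absent, and that mapping lives in `create_users()`, which is not visible here. The removed code labelled 1 as inactive and 1969 as unknown; keeping such labels, as a comment above the decorator or as `pytest.param(1, id='inactive')`-style ids, would show which rejection path each value is meant to exercise. The `from ordr2.models import User, Role` line is unused in this test, since the only assertion is `user is None`, and can be dropped.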