diff --git a/app/frontend/src/components/base/BaseFilter.vue b/app/frontend/src/components/base/BaseFilter.vue
index ed6519895..fedc171a4 100644
--- a/app/frontend/src/components/base/BaseFilter.vue
+++ b/app/frontend/src/components/base/BaseFilter.vue
@@ -62,7 +62,7 @@ const inputFilter = ref('');
 const inputFilterPlaceholder =
   properties.inputFilterPlaceholder || t('trans.baseFilter.exampleText2');
 const inputSaveButtonText =
-  properties.inputFilterPlaceholder || t('trans.baseFilter.filter');
+  properties.inputSaveButtonText || t('trans.baseFilter.filter');
 const selectedData = ref([]);
 
 const { isRTL } = storeToRefs(useFormStore());
diff --git a/app/frontend/src/components/designer/FormViewer.vue b/app/frontend/src/components/designer/FormViewer.vue
index 102436eff..74ddcc4c4 100644
--- a/app/frontend/src/components/designer/FormViewer.vue
+++ b/app/frontend/src/components/designer/FormViewer.vue
@@ -115,6 +115,7 @@ export default {
       submissionRecord: {},
       version: 0,
       versionIdToSubmitTo: this.versionId,
+      isAuthorized: true,
     };
   },
   computed: {
@@ -130,6 +131,9 @@ export default {
     formScheduleExpireMessage() {
       return this.$t('trans.formViewer.formScheduleExpireMessage');
     },
+    formUnauthorizedMessage() {
+      return this.$t('trans.formViewer.formUnauthorizedMessage');
+    },
     NOTIFICATIONS_TYPES() {
       return NotificationTypes;
     },
@@ -190,7 +194,6 @@ export default {
       this.showModal = true;
       await this.getFormSchema();
     }
-
     window.addEventListener('beforeunload', this.beforeWindowUnload);
 
     this.reRenderFormIo += 1;
@@ -403,19 +406,22 @@ export default {
         }
       } catch (error) {
         if (this.authenticated) {
-          this.isFormScheduleExpired = true;
-          this.isLateSubmissionAllowed = false;
-          this.formScheduleExpireMessage = error.message;
-          this.addNotification({
-            text: this.$t('trans.formViewer.fecthingFormErrMsg'),
-            consoleError: this.$t(
-              'trans.formViewer.fecthingFormConsoleErrMsg',
-              {
-                versionId: this.versionId,
-                error: error,
-              }
-            ),
-          });
+          // if 401 error, the user is not authorized to view the form
+          if (error.response && error.response.status === 401) {
+            this.isAuthorized = false;
+          } else {
+            // throw a generic error message
+            this.addNotification({
+              text: this.$t('trans.formViewer.fecthingFormErrMsg'),
+              consoleError: this.$t(
+                'trans.formViewer.fecthingFormConsoleErrMsg',
+                {
+                  versionId: this.versionId,
+                  error: error,
+                }
+              ),
+            });
+          }
         }
       }
     },
@@ -1144,7 +1150,18 @@ export default {
 <template>
   <v-skeleton-loader :loading="loadingSubmission" type="article, actions">
     <v-container fluid>
-      <div v-if="isFormScheduleExpired">
+      <div v-if="!isAuthorized">
+        <v-alert
+          :text="formUnauthorizedMessage"
+          prominent
+          type="error"
+          :class="{ 'dir-rtl': isRTL }"
+          :lang="locale"
+        >
+        </v-alert>
+      </div>
+
+      <div v-else-if="isFormScheduleExpired">
         <v-alert
           :text="
             isLateSubmissionAllowed
@@ -1159,7 +1176,7 @@ export default {
         </v-alert>
 
         <div v-if="isLateSubmissionAllowed">
-          <v-col cols="3" md="2">
+          <v-col cols="12" md="6">
             <v-btn
               color="primary"
               :class="{ 'dir-rtl': isRTL }"
diff --git a/app/frontend/src/components/designer/settings/FormAccessSettings.vue b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
index 8d94c3b9d..33817caa5 100644
--- a/app/frontend/src/components/designer/settings/FormAccessSettings.vue
+++ b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
@@ -170,9 +170,21 @@ defineExpose({ idpType, userTypeChanged, updateLoginType });
       </v-expand-transition>
       <v-radio :value="ID_MODE.TEAM">
         <template #label>
-          <span :class="{ 'mr-2': isRTL }" :lang="locale">
-            {{ $t('trans.formSettings.specificTeamMembers') }}
-          </span>
+          <v-tooltip location="bottom">
+            <template #activator="{ props }">
+              <span :class="{ 'mr-2': isRTL }" :lang="locale">
+                {{ $t('trans.formSettings.specificTeamMembers') }}
+              </span>
+              <v-icon
+                color="primary"
+                class="ml-3"
+                :class="{ 'mr-2': isRTL }"
+                v-bind="props"
+                icon="mdi:mdi-help-circle-outline"
+              />
+            </template>
+            <span>{{ $t('trans.formSettings.teamMemberTooltip') }}</span>
+          </v-tooltip>
         </template>
       </v-radio>
     </v-radio-group>
diff --git a/app/frontend/src/components/forms/PrintOptions.vue b/app/frontend/src/components/forms/PrintOptions.vue
index ec67ce693..718decbf2 100644
--- a/app/frontend/src/components/forms/PrintOptions.vue
+++ b/app/frontend/src/components/forms/PrintOptions.vue
@@ -50,6 +50,7 @@ export default {
       defaultReportname: '',
       displayTemplatePrintButton: false,
       isValidFile: true,
+      fileInputKey: 0,
       validFileExtensions: ['txt', 'docx', 'html', 'odt', 'pptx', 'xlsx'],
       defaultExportFileTypes: ['pdf'],
       uploadExportFileTypes: ['pdf'],
@@ -184,6 +185,7 @@ export default {
         ? disposition.substring(disposition.indexOf('filename=') + 9)
         : undefined;
     },
+
     createDownload(blob, filename = undefined) {
       const url = window.URL.createObjectURL(blob);
       const a = document.createElement('a');
@@ -256,6 +258,7 @@ export default {
         this.loading = false;
       }
     },
+
     createBody(content, contentFileType, outputFileName, outputFileType) {
       return {
         options: {
@@ -270,6 +273,7 @@ export default {
         },
       };
     },
+
     async fetchDefaultTemplate() {
       // Calling the API to check whether the form has any uploaded document templates
       this.loading = true;
@@ -313,6 +317,7 @@ export default {
         this.loading = false;
       }
     },
+
     validateFileExtension(event) {
       if (event.length > 0) {
         const fileExtension = event[0].name.split('.').pop();
@@ -325,6 +330,7 @@ export default {
         this.uploadExportFileTypes = ['pdf'];
         // reset the v-select value
         this.templateForm.outputFileType = null;
+
         if (this.validFileExtensions.includes(fileExtension)) {
           this.isValidFile = true;
         } else {
@@ -341,6 +347,12 @@ export default {
         this.isValidFile = true;
       }
     },
+
+    handleFileUpload(event) {
+      this.fileInputKey += 1;
+      this.templateForm.files = event;
+      this.validateFileExtension(event);
+    },
   },
 };
 </script>
@@ -475,6 +487,7 @@ export default {
                   value="upload"
                 ></v-radio>
                 <v-file-input
+                  :key="fileInputKey"
                   v-model="templateForm.files"
                   :class="{ label: isRTL }"
                   :style="isRTL ? { gap: '10px' } : null"
@@ -489,7 +502,7 @@ export default {
                   :lang="locale"
                   :rules="validationRules"
                   :disabled="selectedOption !== 'upload'"
-                  @update:model-value="validateFileExtension($event)"
+                  @update:model-value="handleFileUpload"
                 />
                 <v-select
                   v-if="selectedOption === 'upload'"
diff --git a/app/frontend/src/internationalization/trans/chefs/ar/ar.json b/app/frontend/src/internationalization/trans/chefs/ar/ar.json
index 2ac069b72..949e70408 100644
--- a/app/frontend/src/internationalization/trans/chefs/ar/ar.json
+++ b/app/frontend/src/internationalization/trans/chefs/ar/ar.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "دليل المستخدم",
     "referenceGuideC": "لمزيد من التفاصيل",
     "specificTeamMembers": "أعضاء الفريق المحدد",
+    "teamMemberTooltip": "أضف أعضاء الفريق من إعدادات إدارة الفريق بعد إنشاء هذا النموذج.",
     "formFunctionality": "وظيفة الشكل",
     "formSubmissinScheduleMsg": "سيكون جدول تقديم النموذج متاحًا في \"إعدادات النموذج\" بعد نشر النموذج.",
     "formSubmissionsSchedule": "جدول تقديم النموذج",
@@ -829,7 +830,8 @@
     "errorSavingFile": "خطأ في حفظ الملفات. اسم الملف: {fileName}. خطأ: {error}",
     "submittingDraftErrMsg": "حدث خطأ أثناء حفظ المسودة",
     "submittingDraftConsErrMsg": "خطأ في حفظ المسودة. معرف التقديم: {submitId}. خطأ: {error}",
-    "formDraftAccessErrMsg": "تم إرسال طلب التقديم بالفعل ، مع إعادة التوجيه إلى صفحة العرض"
+    "formDraftAccessErrMsg": "تم إرسال طلب التقديم بالفعل ، مع إعادة التوجيه إلى صفحة العرض",
+    "formUnauthorizedMessage": "غير مخول لك مشاهدة هذا النموذج، يرجى الاتصال بمالك النموذج للحصول على الوصول."
   },
   "bCGovFooter": {
     "home": "بيت",
diff --git a/app/frontend/src/internationalization/trans/chefs/de/de.json b/app/frontend/src/internationalization/trans/chefs/de/de.json
index a863abd1a..c35fa2d65 100644
--- a/app/frontend/src/internationalization/trans/chefs/de/de.json
+++ b/app/frontend/src/internationalization/trans/chefs/de/de.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "Benutzerhandbuch",
     "referenceGuideC": "für mehr Details",
     "specificTeamMembers": "Spezifische Teammitglieder",
+    "teamMemberTooltip": "Fügen Sie Teammitglieder aus den Teamverwaltungseinstellungen hinzu, nachdem Sie dieses Formular erstellt haben.",
     "formFunctionality": "Formularfunktionalität",
     "formSubmissinScheduleMsg": "Der Formulareinreichungsplan ist in den Formulareinstellungen verfügbar, nachdem das Formular veröffentlicht wurde.",
     "formSubmissionsSchedule": "Zeitplan für Formulareinreichungen",
@@ -830,7 +831,8 @@
     "errorSavingFile": "Fehler beim Speichern der Dateien. Dateiname: {fileName}. Fehler: {error}",
     "submittingDraftErrMsg": "Beim Speichern eines Entwurfs ist ein Fehler aufgetreten",
     "submittingDraftConsErrMsg": "Fehler beim Speichern des Entwurfs. Einreichungs-ID: {submissionId}. Fehler: {error}",
-    "formDraftAccessErrMsg": "Die angeforderte Übermittlung wurde bereits übermittelt und wird zur Ansichtsseite weitergeleitet"
+    "formDraftAccessErrMsg": "Die angeforderte Übermittlung wurde bereits übermittelt und wird zur Ansichtsseite weitergeleitet",
+    "formUnauthorizedMessage": "Sie sind nicht berechtigt, dieses Formular anzusehen. Bitte kontaktieren Sie den Formulareigentümer für den Zugang."
   },
   "bCGovFooter": {
     "home": "Heim",
diff --git a/app/frontend/src/internationalization/trans/chefs/en/en.json b/app/frontend/src/internationalization/trans/chefs/en/en.json
index cd1cc3662..8f52970a2 100644
--- a/app/frontend/src/internationalization/trans/chefs/en/en.json
+++ b/app/frontend/src/internationalization/trans/chefs/en/en.json
@@ -130,6 +130,7 @@
     "referenceGuideB": "user guide",
     "referenceGuideC": "for more details",
     "specificTeamMembers": "Specific Team Members",
+    "teamMemberTooltip": "Add team members from the Team Management settings after creating this form.",
     "formFunctionality": "Form Functionality",
     "formSubmissinScheduleMsg": "The Form Submissions Schedule will be available in the Form Settings after the form is published.",
     "formSubmissionsSchedule": "Form Submissions Schedule",
@@ -882,7 +883,8 @@
     "errorSavingFile": "Error saving files. Filename: {fileName}. Error: {error}",
     "submittingDraftErrMsg": "An error occurred while saving a draft",
     "submittingDraftConsErrMsg": "Error saving draft. SubmissionId: {submissionId}. Error: {error}",
-    "formDraftAccessErrMsg": "Requested submission is already submitted, redirecting to View page"
+    "formDraftAccessErrMsg": "Requested submission is already submitted, redirecting to View page",
+    "formUnauthorizedMessage": "You are not authorized to view this form, please contact the form owner for access."
   },
   "bCGovFooter": {
     "home": "Home",
diff --git a/app/frontend/src/internationalization/trans/chefs/es/es.json b/app/frontend/src/internationalization/trans/chefs/es/es.json
index 20ec42680..aa005e6c0 100644
--- a/app/frontend/src/internationalization/trans/chefs/es/es.json
+++ b/app/frontend/src/internationalization/trans/chefs/es/es.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "guía del usuario",
     "referenceGuideC": "para más detalles",
     "specificTeamMembers": "Miembros del equipo específicos",
+    "teamMemberTooltip": "Añade miembros del equipo desde la configuración de Gestión de Equipos después de crear este formulario.",
     "formFunctionality": "Funcionalidad de formulario",
     "formSubmissinScheduleMsg": "El programa de envío de formularios estará disponible en la configuración del formulario después de que se publique el formulario.",
     "formSubmissionsSchedule": "Calendario de envío de formularios",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Error al guardar archivos. Nombre de archivo: {fileName}. Error: {error}",
     "submittingDraftErrMsg": "Se produjo un error al guardar un borrador",
     "submittingDraftConsErrMsg": "Error al guardar el borrador. Id de envío: {submissionId}. Error: {error}",
-    "formDraftAccessErrMsg": "El envío solicitado ya se envió, redirigiendo a la página Ver"
+    "formDraftAccessErrMsg": "El envío solicitado ya se envió, redirigiendo a la página Ver",
+    "formUnauthorizedMessage": "No tienes autorización para ver este formulario, por favor contacta al propietario del formulario para acceder."
   },
   "bCGovFooter": {
     "home": "Hogar",
diff --git a/app/frontend/src/internationalization/trans/chefs/fa/fa.json b/app/frontend/src/internationalization/trans/chefs/fa/fa.json
index b2d5f27a2..29cd29556 100644
--- a/app/frontend/src/internationalization/trans/chefs/fa/fa.json
+++ b/app/frontend/src/internationalization/trans/chefs/fa/fa.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "راهنمای کاربر",
     "referenceGuideC": "برای جزئیات بیشتر",
     "specificTeamMembers": "اعضای تیم خاص",
+    "teamMemberTooltip": "پس از ایجاد این فرم، اعضای تیم را از تنظیمات مدیریت تیم اضافه کنید.",
     "formFunctionality": "عملکرد فرم",
     "formSubmissinScheduleMsg": "پس از انتشار فرم، برنامه ارسال فرم در تنظیمات فرم در دسترس خواهد بود.",
     "formSubmissionsSchedule": "جدول ارسال فرم ها",
@@ -829,7 +830,8 @@
     "errorSavingFile": "خطا در ذخیره فایل ها. نام فایل: {fileName}. خطا: {error}",
     "submittingDraftErrMsg": "هنگام ذخیره پیش نویس خطایی روی داد",
     "submittingDraftConsErrMsg": "خطا در ذخیره پیش نویس. SubmissionId: {submissionId}. خطا: {error}",
-    "formDraftAccessErrMsg": "ارسال درخواستی قبلا ارسال شده است، به صفحه مشاهده هدایت می شود"
+    "formDraftAccessErrMsg": "ارسال درخواستی قبلا ارسال شده است، به صفحه مشاهده هدایت می شود",
+    "formUnauthorizedMessage": "شما مجاز به مشاهده این فرم نیستید، لطفاً برای دسترسی با مالک فرم تماس بگیرید."
   },
   "bCGovFooter": {
     "home": "صفحه اصلی",
diff --git a/app/frontend/src/internationalization/trans/chefs/fr/fr.json b/app/frontend/src/internationalization/trans/chefs/fr/fr.json
index f0dcdbe75..0d287188f 100644
--- a/app/frontend/src/internationalization/trans/chefs/fr/fr.json
+++ b/app/frontend/src/internationalization/trans/chefs/fr/fr.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "mode d'emploi",
     "referenceGuideC": "pour plus de détails",
     "specificTeamMembers": "Membres spécifiques de l'équipe",
+    "teamMemberTooltip": "Ajoutez des membres de l'équipe depuis les paramètres de Gestion d'Équipe après avoir créé ce formulaire.",
     "formFunctionality": "Fonctionnalité du formulaire",
     "formSubmissinScheduleMsg": "Le calendrier de soumission des formulaires sera disponible dans les paramètres du formulaire après la publication du formulaire.",
     "formSubmissionsSchedule": "Calendrier de soumission des formulaires",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Erreur lors de l'enregistrement des fichiers. Nom de fichier : {fileName}. Erreur : {error}",
     "submittingDraftErrMsg": "Une erreur s'est produite lors de l'enregistrement d'un brouillon",
     "submittingDraftConsErrMsg": "Erreur lors de l'enregistrement du brouillon. ID de soumission : {submissionId}. Erreur : {error}",
-    "formDraftAccessErrMsg": "La soumission demandée est déjà soumise, redirigeant vers la page Afficher"
+    "formDraftAccessErrMsg": "La soumission demandée est déjà soumise, redirigeant vers la page Afficher",
+    "formUnauthorizedMessage": "Vous n'êtes pas autorisé à voir ce formulaire, veuillez contacter le propriétaire du formulaire pour accéder."
   },
   "bCGovFooter": {
     "home": "Maison",
diff --git a/app/frontend/src/internationalization/trans/chefs/hi/hi.json b/app/frontend/src/internationalization/trans/chefs/hi/hi.json
index 01e6d3890..bf23ba611 100644
--- a/app/frontend/src/internationalization/trans/chefs/hi/hi.json
+++ b/app/frontend/src/internationalization/trans/chefs/hi/hi.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "उपयोगकर्ता गाइड",
     "referenceGuideC": "अधिक जानकारी के लिए",
     "specificTeamMembers": "विशिष्ट टीम के सदस्य",
+    "teamMemberTooltip": "इस फॉर्म को बनाने के बाद टीम प्रबंधन सेटिंग्स से टीम के सदस्यों को जोड़ें।",
     "formFunctionality": "फॉर्म की कार्यक्षमता",
     "formSubmissinScheduleMsg": "फॉर्म सबमिशन शेड्यूल फॉर्म प्रकाशित होने के बाद फॉर्म सेटिंग्स में उपलब्ध होगा।",
     "formSubmissionsSchedule": "फॉर्म जमा करने की अनुसूची",
@@ -829,7 +830,8 @@
     "errorSavingFile": "फ़ाइलें सहेजने में त्रुटि. फ़ाइल का नाम: {fileName}. त्रुटि: {error}",
     "submittingDraftErrMsg": "ड्राफ्ट सहेजते समय एक त्रुटि उत्पन्न हुई",
     "submittingDraftConsErrMsg": "ड्राफ्ट सहेजने में त्रुटि. सबमिशनआईडी: {submissionId}। त्रुटि: {error}",
-    "formDraftAccessErrMsg": "अनुरोधित सबमिशन पहले ही सबमिट किया जा चुका है, व्यू पेज पर रीडायरेक्ट किया जा रहा है"
+    "formDraftAccessErrMsg": "अनुरोधित सबमिशन पहले ही सबमिट किया जा चुका है, व्यू पेज पर रीडायरेक्ट किया जा रहा है",
+    "formUnauthorizedMessage": "आप इस फॉर्म को देखने के लिए अधिकृत नहीं हैं, कृपया पहुँच प्राप्त करने के लिए फॉर्म के मालिक से संपर्क करें।"
   },
   "bCGovFooter": {
     "home": "घर",
diff --git a/app/frontend/src/internationalization/trans/chefs/it/it.json b/app/frontend/src/internationalization/trans/chefs/it/it.json
index 2806f98db..d614f6798 100644
--- a/app/frontend/src/internationalization/trans/chefs/it/it.json
+++ b/app/frontend/src/internationalization/trans/chefs/it/it.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "guida utente",
     "referenceGuideC": "per ulteriori dettagli",
     "specificTeamMembers": "Membri specifici del team",
+    "teamMemberTooltip": "Aggiungi membri del team dalle impostazioni di Gestione del Team dopo aver creato questo modulo.",
     "formFunctionality": "Funzionalità della forma",
     "formSubmissinScheduleMsg": "Il programma di invio del modulo sarà disponibile nelle Impostazioni del modulo dopo la pubblicazione del modulo.",
     "formSubmissionsSchedule": "Programma di invio dei moduli",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Errore durante il salvataggio dei file. nome file: {fileName}. Errore: {error}",
     "submittingDraftErrMsg": "Si è verificato un errore durante il salvataggio di una bozza",
     "submittingDraftConsErrMsg": "Errore durante il salvataggio della bozza. SubmissionId: {submissionId}. Errore: {error}",
-    "formDraftAccessErrMsg": "L'invio richiesto è già stato inviato, reindirizzamento alla pagina Visualizza"
+    "formDraftAccessErrMsg": "L'invio richiesto è già stato inviato, reindirizzamento alla pagina Visualizza",
+    "formUnauthorizedMessage": "Non sei autorizzato a visualizzare questo modulo, si prega di contattare il proprietario del modulo per l'accesso."
   },
   "bCGovFooter": {
     "home": "Casa",
diff --git a/app/frontend/src/internationalization/trans/chefs/ja/ja.json b/app/frontend/src/internationalization/trans/chefs/ja/ja.json
index 80cdbe558..4db0ec2c4 100644
--- a/app/frontend/src/internationalization/trans/chefs/ja/ja.json
+++ b/app/frontend/src/internationalization/trans/chefs/ja/ja.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "ユーザーガイド",
     "referenceGuideC": "詳細については",
     "specificTeamMembers": "特定のチームメンバー",
+    "teamMemberTooltip": "このフォームを作成した後、チーム管理設定からチームメンバーを追加してください。",
     "formFunctionality": "フォーム機能",
     "formSubmissinScheduleMsg": "フォーム送信スケジュールは、フォームが公開された後、フォーム設定で利用できるようになります。",
     "formSubmissionsSchedule": "フォーム送信スケジュール",
@@ -829,7 +830,8 @@
     "errorSavingFile": "ファイルの保存中にエラーが発生しました。ファイル名: {fileName}。エラー: {error}",
     "submittingDraftErrMsg": "下書きの保存中にエラーが発生しました",
     "submittingDraftConsErrMsg": "下書きの保存中にエラーが発生しました。送信 ID: {submissionId}。エラー: {error}",
-    "formDraftAccessErrMsg": "リクエストされた送信はすでに送信されており、[表示] ページにリダイレクトされます。"
+    "formDraftAccessErrMsg": "リクエストされた送信はすでに送信されており、[表示] ページにリダイレクトされます。",
+    "formUnauthorizedMessage": "このフォームを表示する権限がありません。アクセスするにはフォームの所有者に連絡してください。"
   },
   "bCGovFooter": {
     "home": "家",
diff --git a/app/frontend/src/internationalization/trans/chefs/ko/ko.json b/app/frontend/src/internationalization/trans/chefs/ko/ko.json
index 5fe33a00e..f59332df6 100644
--- a/app/frontend/src/internationalization/trans/chefs/ko/ko.json
+++ b/app/frontend/src/internationalization/trans/chefs/ko/ko.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "사용자 설명서",
     "referenceGuideC": "상세 사항은",
     "specificTeamMembers": "특정 팀원",
+    "teamMemberTooltip": "이 양식을 생성한 후 팀 관리 설정에서 팀 멤버를 추가하세요.",
     "formFunctionality": "양식 기능",
     "formSubmissinScheduleMsg": "양식 제출 일정은 양식이 게시된 후 양식 설정에서 사용할 수 있습니다.",
     "formSubmissionsSchedule": "양식 제출 일정",
@@ -829,7 +830,8 @@
     "errorSavingFile": "파일을 저장하는 중에 오류가 발생했습니다. 파일 이름: {fileName}. 오류: {error}",
     "submittingDraftErrMsg": "초안을 저장하는 중에 오류가 발생했습니다.",
     "submittingDraftConsErrMsg": "초안을 저장하는 중에 오류가 발생했습니다. 제출 ID: {submissionId}. 오류: {error}",
-    "formDraftAccessErrMsg": "요청한 제출이 이미 제출되었으며 보기 페이지로 리디렉션됩니다."
+    "formDraftAccessErrMsg": "요청한 제출이 이미 제출되었으며 보기 페이지로 리디렉션됩니다.",
+    "formUnauthorizedMessage": "이 양식을 볼 수 있는 권한이 없습니다. 접근하려면 양식 소유자에게 연락하세요."
   },
   "bCGovFooter": {
     "home": "집",
diff --git a/app/frontend/src/internationalization/trans/chefs/pa/pa.json b/app/frontend/src/internationalization/trans/chefs/pa/pa.json
index 49840c46a..1c04cf1c7 100644
--- a/app/frontend/src/internationalization/trans/chefs/pa/pa.json
+++ b/app/frontend/src/internationalization/trans/chefs/pa/pa.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "ਉਪਭੋਗਤਾ ਗਾਈਡ",
     "referenceGuideC": "ਹੋਰ ਵੇਰਵਿਆਂ ਲਈ",
     "specificTeamMembers": "ਖਾਸ ਟੀਮ ਦੇ ਮੈਂਬਰ",
+    "teamMemberTooltip": "ਇਸ ਫਾਰਮ ਨੂੰ ਬਣਾਉਣ ਤੋਂ ਬਾਅਦ ਟੀਮ ਪ੍ਰਬੰਧਨ ਸੈਟਿੰਗਾਂ ਤੋਂ ਟੀਮ ਦੇ ਮੈਂਬਰ ਨੂੰ ਜੋੜੋ।",
     "formFunctionality": "ਫਾਰਮ ਕਾਰਜਕੁਸ਼ਲਤਾ",
     "formSubmissinScheduleMsg": "ਫਾਰਮ ਪ੍ਰਕਾਸ਼ਿਤ ਹੋਣ ਤੋਂ ਬਾਅਦ ਫਾਰਮ ਸਬਮਿਸ਼ਨ ਅਨੁਸੂਚੀ ਫਾਰਮ ਸੈਟਿੰਗਾਂ ਵਿੱਚ ਉਪਲਬਧ ਹੋਵੇਗੀ।",
     "formSubmissionsSchedule": "ਫਾਰਮ ਸਬਮਿਸ਼ਨ ਅਨੁਸੂਚੀ",
@@ -829,7 +830,8 @@
     "errorSavingFile": "ਫ਼ਾਈਲਾਂ ਨੂੰ ਰੱਖਿਅਤ ਕਰਨ ਵਿੱਚ ਗੜਬੜ ਹੋਈ। ਫ਼ਾਈਲ ਦਾ ਨਾਮ: {fileName}। ਗਲਤੀ: {error}",
     "submittingDraftErrMsg": "ਡਰਾਫਟ ਨੂੰ ਸੁਰੱਖਿਅਤ ਕਰਨ ਦੌਰਾਨ ਇੱਕ ਤਰੁੱਟੀ ਉਤਪੰਨ ਹੋਈ",
     "submittingDraftConsErrMsg": "ਡਰਾਫਟ ਸੁਰੱਖਿਅਤ ਕਰਨ ਵਿੱਚ ਤਰੁੱਟੀ। SubmissionId: {submissionId}। ਗਲਤੀ: {error}",
-    "formDraftAccessErrMsg": "ਬੇਨਤੀ ਕੀਤੀ ਸਪੁਰਦਗੀ ਪਹਿਲਾਂ ਹੀ ਸਪੁਰਦ ਕੀਤੀ ਗਈ ਹੈ, ਵੇਖੋ ਪੰਨੇ 'ਤੇ ਰੀਡਾਇਰੈਕਟ ਕੀਤਾ ਜਾ ਰਿਹਾ ਹੈ"
+    "formDraftAccessErrMsg": "ਬੇਨਤੀ ਕੀਤੀ ਸਪੁਰਦਗੀ ਪਹਿਲਾਂ ਹੀ ਸਪੁਰਦ ਕੀਤੀ ਗਈ ਹੈ, ਵੇਖੋ ਪੰਨੇ 'ਤੇ ਰੀਡਾਇਰੈਕਟ ਕੀਤਾ ਜਾ ਰਿਹਾ ਹੈ",
+    "formUnauthorizedMessage": "ਤੁਹਾਨੂੰ ਇਸ ਫਾਰਮ ਨੂੰ ਵੇਖਣ ਦੀ ਅਧਿਕਾਰਤਾ ਨਹੀਂ ਹੈ, ਕਿਰਪਾ ਕਰਕੇ ਪਹੁੰਚ ਲਈ ਫਾਰਮ ਦੇ ਮਾਲਕ ਨਾਲ ਸੰਪਰਕ ਕਰੋ।"
   },
   "bCGovFooter": {
     "home": "ਘਰ",
diff --git a/app/frontend/src/internationalization/trans/chefs/pt/pt.json b/app/frontend/src/internationalization/trans/chefs/pt/pt.json
index ddaac6dd3..b3a4e6528 100644
--- a/app/frontend/src/internationalization/trans/chefs/pt/pt.json
+++ b/app/frontend/src/internationalization/trans/chefs/pt/pt.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "guia de usuario",
     "referenceGuideC": "para mais detalhes",
     "specificTeamMembers": "Membros Específicos da Equipe",
+    "teamMemberTooltip": "Adicione membros da equipe a partir das configurações de Gestão de Equipe após criar este formulário.",
     "formFunctionality": "Funcionalidade do formulário",
     "formSubmissinScheduleMsg": "A Agenda de envios de formulários estará disponível nas Configurações de formulários após a publicação do formulário.",
     "formSubmissionsSchedule": "Cronograma de Envios de Formulários",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Erro ao salvar arquivos. Nome do arquivo: {fileName}. Erro: {error}",
     "submittingDraftErrMsg": "Ocorreu um erro ao salvar um rascunho",
     "submittingDraftConsErrMsg": "Erro ao salvar rascunho. SubmissãoId: {submissionId}. Erro: {error}",
-    "formDraftAccessErrMsg": "O envio solicitado já foi enviado, redirecionando para a página Exibir"
+    "formDraftAccessErrMsg": "O envio solicitado já foi enviado, redirecionando para a página Exibir",
+    "formUnauthorizedMessage": "Você não está autorizado a visualizar este formulário, por favor, contate o proprietário do formulário para acesso."
   },
   "bCGovFooter": {
     "home": "Lar",
diff --git a/app/frontend/src/internationalization/trans/chefs/ru/ru.json b/app/frontend/src/internationalization/trans/chefs/ru/ru.json
index 53f020b39..8af28b6fc 100644
--- a/app/frontend/src/internationalization/trans/chefs/ru/ru.json
+++ b/app/frontend/src/internationalization/trans/chefs/ru/ru.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "руководству пользователя",
     "referenceGuideC": "для подробностей",
     "specificTeamMembers": "Конкретные члены команды",
+    "teamMemberTooltip": "Добавьте членов команды из настроек управления командой после создания этой формы.",
     "formFunctionality": "Функциональность формы",
     "formSubmissinScheduleMsg": "Расписание отправки формы будет доступно в настройках формы после публикации формы.",
     "formSubmissionsSchedule": "Расписание отправки формы",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Ошибка сохранения файлов. Имя файла: {fileName}. Ошибка: {error}",
     "submittingDraftErrMsg": "Произошла ошибка при сохранении черновика",
     "submittingDraftConsErrMsg": "Не удалось сохранить черновик. Идентификатор записи: {submissionId}. Ошибка: {error}",
-    "formDraftAccessErrMsg": "Запрошенная отправка уже отправлена, перенаправление на страницу просмотра"
+    "formDraftAccessErrMsg": "Запрошенная отправка уже отправлена, перенаправление на страницу просмотра",
+    "formUnauthorizedMessage": "Вы не авторизованы для просмотра этой формы, пожалуйста, свяжитесь с владельцем формы для доступа."
   },
   "bCGovFooter": {
     "home": "Главная страница",
diff --git a/app/frontend/src/internationalization/trans/chefs/tl/tl.json b/app/frontend/src/internationalization/trans/chefs/tl/tl.json
index 7e852beaa..bccdaa983 100644
--- a/app/frontend/src/internationalization/trans/chefs/tl/tl.json
+++ b/app/frontend/src/internationalization/trans/chefs/tl/tl.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "gabay sa gumagamit",
     "referenceGuideC": "para sa karagdagang detalye",
     "specificTeamMembers": "Mga Partikular na Miyembro ng Koponan",
+    "teamMemberTooltip": "Idagdag ang mga miyembro ng team mula sa Mga Setting ng Pamamahala ng Team matapos likhain ang form na ito.",
     "formFunctionality": "Pag-andar ng Form",
     "formSubmissinScheduleMsg": "Ang Iskedyul ng Pagsusumite ng Form ay magiging available sa Mga Setting ng Form pagkatapos mailathala ang form.",
     "formSubmissionsSchedule": "Iskedyul ng Pagsusumite ng Form",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Error sa pag-save ng mga file. Filename: {fileName}. Error: {error}",
     "submittingDraftErrMsg": "Nagkaroon ng error habang nagse-save ng draft",
     "submittingDraftConsErrMsg": "Error sa pag-save ng draft. SubmissionId: {submissionId}. Error: {error}",
-    "formDraftAccessErrMsg": "Ang hiniling na pagsusumite ay naisumite na, nagre-redirect sa View page"
+    "formDraftAccessErrMsg": "Ang hiniling na pagsusumite ay naisumite na, nagre-redirect sa View page",
+    "formUnauthorizedMessage": "Hindi ka awtorisadong tingnan ang form na ito, mangyaring makipag-ugnayan sa may-ari ng form para sa access."
   },
   "bCGovFooter": {
     "home": "Bahay",
diff --git a/app/frontend/src/internationalization/trans/chefs/uk/uk.json b/app/frontend/src/internationalization/trans/chefs/uk/uk.json
index 962ea4db6..e915db0de 100644
--- a/app/frontend/src/internationalization/trans/chefs/uk/uk.json
+++ b/app/frontend/src/internationalization/trans/chefs/uk/uk.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "керівництво користувача",
     "referenceGuideC": "для більш детальної інформації",
     "specificTeamMembers": "Конкретні члени команди",
+    "teamMemberTooltip": "Додайте членів команди з налаштувань управління командою після створення цієї форми.",
     "formFunctionality": "Функціональність форми",
     "formSubmissinScheduleMsg": "Розклад подання форми буде доступний у налаштуваннях форми після публікації форми.",
     "formSubmissionsSchedule": "Графік подання форм",
@@ -828,7 +829,8 @@
     "errorSavingFile": "Помилка збереження файлів. Ім'я файлу: {fileName}. Помилка: {error}",
     "submittingDraftErrMsg": "Під час збереження чернетки сталася помилка",
     "submittingDraftConsErrMsg": "Помилка збереження чернетки. SubmissionId: {submissionId}. Помилка: {error}",
-    "formDraftAccessErrMsg": "Запитане подання вже подано, переспрямовує на сторінку перегляду"
+    "formDraftAccessErrMsg": "Запитане подання вже подано, переспрямовує на сторінку перегляду",
+    "formUnauthorizedMessage": "Ви не маєте права переглядати цю форму, будь ласка, зв'яжіться з власником форми для доступу."
   },
   "bCGovFooter": {
     "home": "додому",
diff --git a/app/frontend/src/internationalization/trans/chefs/vi/vi.json b/app/frontend/src/internationalization/trans/chefs/vi/vi.json
index ff842ecf7..09b45483a 100644
--- a/app/frontend/src/internationalization/trans/chefs/vi/vi.json
+++ b/app/frontend/src/internationalization/trans/chefs/vi/vi.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "hướng dẫn sử dụng",
     "referenceGuideC": "để biết thêm chi tiết",
     "specificTeamMembers": "Thành viên nhóm cụ thể",
+    "teamMemberTooltip": "Thêm thành viên nhóm từ cài đặt Quản lý Nhóm sau khi tạo mẫu này.",
     "formFunctionality": "Chức năng biểu mẫu",
     "formSubmissinScheduleMsg": "Lịch gửi biểu mẫu sẽ có sẵn trong Cài đặt biểu mẫu sau khi biểu mẫu được xuất bản.",
     "formSubmissionsSchedule": "Lịch gửi biểu mẫu",
@@ -829,7 +830,8 @@
     "errorSavingFile": "Lỗi khi lưu tệp. Tên tệp: {fileName}. Lỗi: {error}",
     "submittingDraftErrMsg": "Đã xảy ra lỗi khi lưu bản nháp",
     "submittingDraftConsErrMsg": "Lỗi khi lưu bản nháp. Đệ trìnhId: {submissionId}. Lỗi: {error}",
-    "formDraftAccessErrMsg": "Yêu cầu gửi đã được gửi, chuyển hướng đến Xem trang"
+    "formDraftAccessErrMsg": "Yêu cầu gửi đã được gửi, chuyển hướng đến Xem trang",
+    "formUnauthorizedMessage": "Bạn không được phép xem mẫu này, vui lòng liên hệ với chủ sở hữu mẫu để được truy cập."
   },
   "bCGovFooter": {
     "home": "Trang chủ",
diff --git a/app/frontend/src/internationalization/trans/chefs/zh/zh.json b/app/frontend/src/internationalization/trans/chefs/zh/zh.json
index 5f039c577..a093b928c 100644
--- a/app/frontend/src/internationalization/trans/chefs/zh/zh.json
+++ b/app/frontend/src/internationalization/trans/chefs/zh/zh.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "用户指南",
     "referenceGuideC": "更多细节",
     "specificTeamMembers": "具体团队成员",
+    "teamMemberTooltip": "在创建此表单后，从团队管理设置中添加团队成员。",
     "formFunctionality": "表单功能",
     "formSubmissinScheduleMsg": "表单发布后，表单提交计划将在表单设置中可用。",
     "formSubmissionsSchedule": "表格提交时间表",
@@ -829,7 +830,8 @@
     "errorSavingFile": "保存文件时出错。文件名：{fileName}。错误：{error}",
     "submittingDraftErrMsg": "保存草稿时出错",
     "submittingDraftConsErrMsg": "保存草稿时出错。提交 ID：{submissionId}。错误：{error}",
-    "formDraftAccessErrMsg": "请求的提交已提交，正在重定向到查看页面"
+    "formDraftAccessErrMsg": "请求的提交已提交，正在重定向到查看页面",
+    "formUnauthorizedMessage": "您无权查看此表单，请联系表单所有者以获取访问权限。"
   },
   "bCGovFooter": {
     "home": "家",
diff --git a/app/frontend/src/internationalization/trans/chefs/zhTW/zh-TW.json b/app/frontend/src/internationalization/trans/chefs/zhTW/zh-TW.json
index 5b51619b0..a0020fd7b 100644
--- a/app/frontend/src/internationalization/trans/chefs/zhTW/zh-TW.json
+++ b/app/frontend/src/internationalization/trans/chefs/zhTW/zh-TW.json
@@ -100,6 +100,7 @@
     "referenceGuideB": "用戶指南",
     "referenceGuideC": "更多細節",
     "specificTeamMembers": "具體團隊成員",
+    "teamMemberTooltip": "在創建此表單後，從團隊管理設置中添加團隊成員。",
     "formFunctionality": "表單功能",
     "formSubmissinScheduleMsg": "表單發布後，表單提交計劃將在表單設置中可用。",
     "formSubmissionsSchedule": "表格提交時間表",
@@ -829,7 +830,8 @@
     "errorSavingFile": "保存文件時出錯。文件名：{fileName}。錯誤：{error}",
     "submittingDraftErrMsg": "保存草稿時出錯",
     "submittingDraftConsErrMsg": "保存草稿時出錯。提交 ID：{submissionId}。錯誤：{error}",
-    "formDraftAccessErrMsg": "請求的提交已提交，正在重定向到查看頁面"
+    "formDraftAccessErrMsg": "請求的提交已提交，正在重定向到查看頁面",
+    "formUnauthorizedMessage": "您無權查看此表單，請聯繫表單所有者以獲取訪問權限。"
   },
   "bCGovFooter": {
     "home": "家",
diff --git a/app/frontend/src/services/formService.js b/app/frontend/src/services/formService.js
index 31bfa75ca..957b9dea2 100644
--- a/app/frontend/src/services/formService.js
+++ b/app/frontend/src/services/formService.js
@@ -320,12 +320,12 @@ export default {
   },
 
   /**
-   * @function restoreMutipleSubmissions
+   * @function restoreMultipleSubmissions
    * Restores an existing submission
    * @param {string} submissionId The form uuid
    * @returns {Promise} An axios response
    */
-  restoreMutipleSubmissions(submissionId, formId, requestBody) {
+  restoreMultipleSubmissions(submissionId, formId, requestBody) {
     return appAxios().put(
       `${ApiRoutes.SUBMISSION}/${submissionId}/${formId}/submissions/restore`,
       requestBody
diff --git a/app/frontend/src/store/form.js b/app/frontend/src/store/form.js
index 27ee6ae43..739ddbff7 100644
--- a/app/frontend/src/store/form.js
+++ b/app/frontend/src/store/form.js
@@ -513,7 +513,7 @@ export const useFormStore = defineStore('form', {
       const notificationStore = useNotificationStore();
       try {
         // Get this submission
-        await formService.restoreMutipleSubmissions(submissionIds[0], formId, {
+        await formService.restoreMultipleSubmissions(submissionIds[0], formId, {
           submissionIds: submissionIds,
         });
         notificationStore.addNotification({
diff --git a/app/frontend/tests/unit/components/base/BaseFilter.spec.js b/app/frontend/tests/unit/components/base/BaseFilter.spec.js
index 00dc15d34..8293bd219 100644
--- a/app/frontend/tests/unit/components/base/BaseFilter.spec.js
+++ b/app/frontend/tests/unit/components/base/BaseFilter.spec.js
@@ -66,6 +66,7 @@ describe('BaseFilter.vue', () => {
           },
         ],
         inputFilterPlaceholder: 'Filter Something',
+        inputSaveButtonText: 'Save Text',
       },
       global: {
         plugins: [pinia],
@@ -97,6 +98,7 @@ describe('BaseFilter.vue', () => {
     expect(wrapper.html()).toContain('TEST HEADER');
     expect(wrapper.html()).toContain('TEST NAME');
     expect(wrapper.html()).toContain('Filter Something');
+    expect(wrapper.html()).toContain('Save Text');
 
     expect(wrapper.vm.RTL).toBe('mr-3');
   });
diff --git a/app/frontend/tests/unit/services/formService.spec.js b/app/frontend/tests/unit/services/formService.spec.js
index a3782a7dc..2576556a7 100644
--- a/app/frontend/tests/unit/services/formService.spec.js
+++ b/app/frontend/tests/unit/services/formService.spec.js
@@ -491,7 +491,7 @@ describe('Form Service', () => {
         '0715b1ac-4069-4778-a868-b4f71fdea18d',
       ];
 
-      const result = await formService.restoreMutipleSubmissions(
+      const result = await formService.restoreMultipleSubmissions(
         submissionId,
         formId,
         { submissionIds }
diff --git a/app/frontend/tests/unit/store/modules/form.actions.spec.js b/app/frontend/tests/unit/store/modules/form.actions.spec.js
index 6d559c41a..555f6683e 100644
--- a/app/frontend/tests/unit/store/modules/form.actions.spec.js
+++ b/app/frontend/tests/unit/store/modules/form.actions.spec.js
@@ -259,7 +259,7 @@ describe('form actions', () => {
     });
 
     it('restoreMultiSubmissions should dispatch to notifications/addNotification', async () => {
-      formService.restoreMutipleSubmissions.mockRejectedValue('');
+      formService.restoreMultipleSubmissions.mockRejectedValue('');
       await mockStore.restoreMultiSubmissions(['sId']);
 
       expect(addNotificationSpy).toHaveBeenCalledTimes(1);
diff --git a/app/src/README.md b/app/src/README.md
new file mode 100644
index 000000000..7879b4bd6
--- /dev/null
+++ b/app/src/README.md
@@ -0,0 +1,67 @@
+# Backend API
+
+This is the source code for the Express API. It contains all routes (endpoints) needed to run the application.
+
+## Design
+
+The code is broken down into layers:
+
+- The `middleware` layer provides a collection of utility functions that validate requests, check permissions, etc.
+- The `route` layer uses `middleware` to validate requests and check permissions, and then performs work by calling a `controller`
+- The `controller` layer deals with HTTP requests and responses, and performs work by calling a `service`
+- The `service` layer contains business logic and manipulates data by calling the `model`
+- The `model` layer is the ORM that deals with the database
+
+> Note: Between the `controller` and `service` there is a logical division where nothing below the `controller` knows about requests and responses, and nothing above the `service` touches the `model`.
+
+### Middleware
+
+Express middleware always has to call `next`, otherwise the request hangs.
+
+- when called as `next()` it chains to the next piece of middleware
+- when called as `next(obj)` execution jumps to the error handler with `obj` as the error object
+
+We wrap middleware in a `try`/`catch` to make it obvious that `next` is always called:
+
+```javascript
+const middleware = async (req, _res, next) => {
+  try {
+    // If possible the helper functions should throw a Problem rather than
+    // return a response that needs handling logic.
+    const formId = _getValidFormId(req);
+    const foo = service.getForm(formId);
+
+    next();
+  } catch (error) {
+    next(error);
+  }
+};
+```
+
+#### Testing
+
+Testing the middleware should include but is not limited to:
+
+- TODO
+
+### Routes
+
+Sets up routes with Middleware and then calls a Controller.
+
+#### Testing
+
+Testing the routes should include but is not limited to:
+
+- TODO
+
+### Controllers
+
+Calls Services
+
+### Services
+
+Calls ORM
+
+### ORM
+
+Calls DB
diff --git a/app/src/forms/common/middleware/validateParameter.js b/app/src/forms/common/middleware/validateParameter.js
index 2132b2794..411c2ec2c 100644
--- a/app/src/forms/common/middleware/validateParameter.js
+++ b/app/src/forms/common/middleware/validateParameter.js
@@ -122,6 +122,24 @@ const validateFormId = async (_req, _res, next, formId) => {
   }
 };
 
+/**
+ * Validates that the :formSubmissionId route parameter exists and is a UUID.
+ *
+ * @param {*} _req the Express object representing the HTTP request - unused.
+ * @param {*} _res the Express object representing the HTTP response - unused.
+ * @param {*} next the Express chaining function.
+ * @param {*} formSubmissionId the :formSubmissionId value from the route.
+ */
+const validateFormSubmissionId = async (_req, _res, next, formSubmissionId) => {
+  try {
+    _validateUuid(formSubmissionId, 'formSubmissionId');
+
+    next();
+  } catch (error) {
+    next(error);
+  }
+};
+
 /**
  * Validates that the :formVersionDraftId route parameter exists and is a UUID.
  * This validator requires that the :formId route parameter also exists.
@@ -174,11 +192,31 @@ const validateFormVersionId = async (req, _res, next, formVersionId) => {
   }
 };
 
+/**
+ * Validates that the :userId route parameter exists and is a UUID.
+ *
+ * @param {*} _req the Express object representing the HTTP request - unused.
+ * @param {*} _res the Express object representing the HTTP response - unused.
+ * @param {*} next the Express chaining function.
+ * @param {*} userId the :userId value from the route.
+ */
+const validateUserId = async (_req, _res, next, userId) => {
+  try {
+    _validateUuid(userId, 'userId');
+
+    next();
+  } catch (error) {
+    next(error);
+  }
+};
+
 module.exports = {
   validateDocumentTemplateId,
   validateExternalAPIId,
   validateFileId,
   validateFormId,
+  validateFormSubmissionId,
   validateFormVersionDraftId,
   validateFormVersionId,
+  validateUserId,
 };
diff --git a/app/src/forms/form/controller.js b/app/src/forms/form/controller.js
index 23833a987..b98e0af37 100644
--- a/app/src/forms/form/controller.js
+++ b/app/src/forms/form/controller.js
@@ -33,7 +33,7 @@ module.exports = {
   documentTemplateDelete: async (req, res, next) => {
     try {
       await service.documentTemplateDelete(req.params.documentTemplateId, req.currentUser.usernameIdp);
-      res.status(204).send();
+      res.sendStatus(204);
     } catch (error) {
       next(error);
     }
diff --git a/app/src/forms/form/externalApi/controller.js b/app/src/forms/form/externalApi/controller.js
index 324a0cbbb..d4f7339d4 100644
--- a/app/src/forms/form/externalApi/controller.js
+++ b/app/src/forms/form/externalApi/controller.js
@@ -44,7 +44,7 @@ module.exports = {
   deleteExternalAPI: async (req, res, next) => {
     try {
       await service.deleteExternalAPI(req.params.formId, req.params.externalAPIId);
-      res.status(204).send();
+      res.sendStatus(204);
     } catch (error) {
       next(error);
     }
diff --git a/app/src/forms/submission/controller.js b/app/src/forms/submission/controller.js
index b29a9c853..fbd8cf20e 100644
--- a/app/src/forms/submission/controller.js
+++ b/app/src/forms/submission/controller.js
@@ -36,19 +36,19 @@ module.exports = {
       next(error);
     }
   },
-  deleteMutipleSubmissions: async (req, res, next) => {
+  deleteMultipleSubmissions: async (req, res, next) => {
     try {
       let submissionIds = req.body && req.body.submissionIds ? req.body.submissionIds : [];
-      const response = await service.deleteMutipleSubmissions(submissionIds, req.currentUser);
+      const response = await service.deleteMultipleSubmissions(submissionIds, req.currentUser);
       res.status(200).json(response);
     } catch (error) {
       next(error);
     }
   },
-  restoreMutipleSubmissions: async (req, res, next) => {
+  restoreMultipleSubmissions: async (req, res, next) => {
     try {
       let submissionIds = req.body && req.body.submissionIds ? req.body.submissionIds : [];
-      const response = await service.restoreMutipleSubmissions(submissionIds, req.currentUser);
+      const response = await service.restoreMultipleSubmissions(submissionIds, req.currentUser);
       res.status(200).json(response);
     } catch (error) {
       next(error);
diff --git a/app/src/forms/submission/routes.js b/app/src/forms/submission/routes.js
index 2425ef4bf..f18cab3ce 100644
--- a/app/src/forms/submission/routes.js
+++ b/app/src/forms/submission/routes.js
@@ -1,15 +1,18 @@
-const apiAccess = require('../auth/middleware/apiAccess');
 const routes = require('express').Router();
 
-const controller = require('./controller');
-const P = require('../common/constants').Permissions;
+const apiAccess = require('../auth/middleware/apiAccess');
 const { currentUser, hasSubmissionPermissions, filterMultipleSubmissions } = require('../auth/middleware/userAccess');
+const P = require('../common/constants').Permissions;
 const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const validateParameter = require('../common/middleware/validateParameter');
 
+const controller = require('./controller');
+
 routes.use(currentUser);
 
 routes.param('documentTemplateId', validateParameter.validateDocumentTemplateId);
+routes.param('formId', validateParameter.validateFormId);
+routes.param('formSubmissionId', validateParameter.validateFormSubmissionId);
 
 routes.get('/:formSubmissionId', rateLimiter, apiAccess, hasSubmissionPermissions([P.SUBMISSION_READ]), async (req, res, next) => {
   await controller.read(req, res, next);
@@ -24,7 +27,7 @@ routes.delete('/:formSubmissionId', rateLimiter, apiAccess, hasSubmissionPermiss
 });
 
 routes.put('/:formSubmissionId/:formId/submissions/restore', hasSubmissionPermissions([P.SUBMISSION_DELETE]), filterMultipleSubmissions, async (req, res, next) => {
-  await controller.restoreMutipleSubmissions(req, res, next);
+  await controller.restoreMultipleSubmissions(req, res, next);
 });
 
 routes.put('/:formSubmissionId/restore', hasSubmissionPermissions([P.SUBMISSION_DELETE]), async (req, res, next) => {
@@ -68,7 +71,7 @@ routes.post('/:formSubmissionId/template/render', rateLimiter, apiAccess, hasSub
 });
 
 routes.delete('/:formSubmissionId/:formId/submissions', hasSubmissionPermissions([P.SUBMISSION_DELETE]), filterMultipleSubmissions, async (req, res, next) => {
-  await controller.deleteMutipleSubmissions(req, res, next);
+  await controller.deleteMultipleSubmissions(req, res, next);
 });
 
 module.exports = routes;
diff --git a/app/src/forms/submission/service.js b/app/src/forms/submission/service.js
index 36c9a642f..a87c101fa 100644
--- a/app/src/forms/submission/service.js
+++ b/app/src/forms/submission/service.js
@@ -191,7 +191,7 @@ const service = {
     }
   },
 
-  deleteMutipleSubmissions: async (submissionIds, currentUser) => {
+  deleteMultipleSubmissions: async (submissionIds, currentUser) => {
     let trx;
     try {
       trx = await FormSubmission.startTransaction();
@@ -204,7 +204,7 @@ const service = {
     }
   },
 
-  restoreMutipleSubmissions: async (submissionIds, currentUser) => {
+  restoreMultipleSubmissions: async (submissionIds, currentUser) => {
     let trx;
     try {
       trx = await FormSubmission.startTransaction();
diff --git a/app/src/forms/user/controller.js b/app/src/forms/user/controller.js
index 7da76d75a..191781d74 100644
--- a/app/src/forms/user/controller.js
+++ b/app/src/forms/user/controller.js
@@ -57,7 +57,7 @@ module.exports = {
   deleteUserPreferences: async (req, res, next) => {
     try {
       await service.deleteUserPreferences(req.currentUser);
-      res.status(204).send();
+      res.sendStatus(204);
     } catch (error) {
       next(error);
     }
@@ -93,7 +93,7 @@ module.exports = {
   deleteUserFormPreferences: async (req, res, next) => {
     try {
       await service.deleteUserFormPreferences(req.currentUser, req.params.formId);
-      res.status(204).send();
+      res.sendStatus(204);
     } catch (error) {
       next(error);
     }
diff --git a/app/src/forms/user/routes.js b/app/src/forms/user/routes.js
index 032cd6513..31ff6bc77 100644
--- a/app/src/forms/user/routes.js
+++ b/app/src/forms/user/routes.js
@@ -1,12 +1,16 @@
 const routes = require('express').Router();
-const controller = require('./controller');
 
-const currentUser = require('../auth/middleware/userAccess').currentUser;
 const jwtService = require('../../components/jwtService');
+const currentUser = require('../auth/middleware/userAccess').currentUser;
+const validateParameter = require('../common/middleware/validateParameter');
+const controller = require('./controller');
 
 routes.use(jwtService.protect());
 routes.use(currentUser);
 
+routes.param('formId', validateParameter.validateFormId);
+routes.param('userId', validateParameter.validateUserId);
+
 //
 // User Preferences
 // This must be defined before /:userId route to work as intended
diff --git a/app/tests/unit/forms/auth/middleware/apiAccess.spec.js b/app/tests/unit/forms/auth/middleware/apiAccess.spec.js
index 2a494bf6c..cb6b9be8c 100644
--- a/app/tests/unit/forms/auth/middleware/apiAccess.spec.js
+++ b/app/tests/unit/forms/auth/middleware/apiAccess.spec.js
@@ -1,5 +1,5 @@
 const { getMockReq, getMockRes } = require('@jest-mock/express');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const apiAccess = require('../../../../../src/forms/auth/middleware/apiAccess');
 const formService = require('../../../../../src/forms/form/service');
@@ -8,10 +8,10 @@ const fileService = require('../../../../../src/forms/file/service');
 const { NotFoundError } = require('objection');
 
 describe('apiAccess', () => {
-  const fileId = uuidv4();
-  const formId = uuidv4();
-  const formSubmissionId = uuidv4();
-  const secret = uuidv4();
+  const fileId = uuid.v4();
+  const formId = uuid.v4();
+  const formSubmissionId = uuid.v4();
+  const secret = uuid.v4();
 
   const token = Buffer.from(`${formId}:${secret}`).toString('base64');
   const authHeader = `Basic ${token}`;
diff --git a/app/tests/unit/forms/common/middleware/validateParameter.spec.js b/app/tests/unit/forms/common/middleware/validateParameter.spec.js
index 8aeb0baf3..4abebaeda 100644
--- a/app/tests/unit/forms/common/middleware/validateParameter.spec.js
+++ b/app/tests/unit/forms/common/middleware/validateParameter.spec.js
@@ -1,24 +1,25 @@
 const { getMockReq, getMockRes } = require('@jest-mock/express');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const validateParameter = require('../../../../../src/forms/common/middleware/validateParameter');
 const externalApiService = require('../../../../../src/forms/form/externalApi/service');
 const formService = require('../../../../../src/forms/form/service');
 const submissionService = require('../../../../../src/forms/submission/service');
 
-const fileId = uuidv4();
-const formId = uuidv4();
-const formSubmissionId = uuidv4();
+const fileId = uuid.v4();
+const formId = uuid.v4();
+const formSubmissionId = uuid.v4();
+const userId = uuid.v4();
 
 // Various types of invalid UUIDs that we see in API calls.
-const invalidUuids = [[''], ['undefined'], ['{{id}}'], ['${id}'], [uuidv4() + '.'], [' ' + uuidv4() + ' ']];
+const invalidUuids = [[''], ['undefined'], ['{{id}}'], ['${id}'], [uuid.v4() + '.'], [' ' + uuid.v4() + ' ']];
 
 afterEach(() => {
   jest.clearAllMocks();
 });
 
 describe('validateDocumentTemplateId', () => {
-  const documentTemplateId = uuidv4();
+  const documentTemplateId = uuid.v4();
 
   const mockReadDocumentTemplateResponse = {
     formId: formId,
@@ -86,7 +87,7 @@ describe('validateDocumentTemplateId', () => {
 
     test('formId does not match', async () => {
       formService.documentTemplateRead.mockReturnValueOnce({
-        formId: uuidv4(),
+        formId: uuid.v4(),
         id: documentTemplateId,
       });
       const req = getMockReq({
@@ -107,7 +108,7 @@ describe('validateDocumentTemplateId', () => {
     test('submission formId does not match', async () => {
       submissionService.read.mockReturnValueOnce({
         form: {
-          id: uuidv4(),
+          id: uuid.v4(),
         },
       });
       const req = getMockReq({
@@ -200,7 +201,7 @@ describe('validateDocumentTemplateId', () => {
 });
 
 describe('validateExternalApiId', () => {
-  const externalApiId = uuidv4();
+  const externalApiId = uuid.v4();
 
   const mockReadExternalApiResponse = {
     formId: formId,
@@ -261,7 +262,7 @@ describe('validateExternalApiId', () => {
 
     test('formId does not match', async () => {
       externalApiService.readExternalAPI.mockReturnValueOnce({
-        formId: uuidv4(),
+        formId: uuid.v4(),
         id: externalApiId,
       });
       const req = getMockReq({
@@ -402,8 +403,51 @@ describe('validateFormId', () => {
   });
 });
 
+describe('validateFormSubmissionId', () => {
+  describe('400 response when', () => {
+    const expectedStatus = { status: 400 };
+
+    test('formSubmissionId is missing', async () => {
+      const req = getMockReq({
+        params: {},
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateFormSubmissionId(req, res, next);
+
+      expect(next).toBeCalledWith(expect.objectContaining(expectedStatus));
+    });
+
+    test.each(invalidUuids)('formSubmissionId is "%s"', async (eachFormSubmissionId) => {
+      const req = getMockReq({
+        params: { formSubmissionId: eachFormSubmissionId },
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateFormSubmissionId(req, res, next, eachFormSubmissionId);
+
+      expect(next).toBeCalledWith(expect.objectContaining(expectedStatus));
+    });
+  });
+
+  describe('allows', () => {
+    test('uuid for formSubmissionId', async () => {
+      const req = getMockReq({
+        params: {
+          formSubmissionId: formSubmissionId,
+        },
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateFormSubmissionId(req, res, next, formSubmissionId);
+
+      expect(next).toBeCalledWith();
+    });
+  });
+});
+
 describe('validateFormVersionDraftId', () => {
-  const formVersionDraftId = uuidv4();
+  const formVersionDraftId = uuid.v4();
 
   const mockReadDraftResponse = {
     formId: formId,
@@ -461,7 +505,7 @@ describe('validateFormVersionDraftId', () => {
 
     test('formId does not match', async () => {
       formService.readDraft.mockReturnValueOnce({
-        formId: uuidv4(),
+        formId: uuid.v4(),
         id: formVersionDraftId,
       });
       const req = getMockReq({
@@ -517,7 +561,7 @@ describe('validateFormVersionDraftId', () => {
 });
 
 describe('validateFormVersionId', () => {
-  const formVersionId = uuidv4();
+  const formVersionId = uuid.v4();
 
   const mockReadVersionResponse = {
     formId: formId,
@@ -575,7 +619,7 @@ describe('validateFormVersionId', () => {
 
     test('formId does not match', async () => {
       formService.readVersion.mockReturnValueOnce({
-        formId: uuidv4(),
+        formId: uuid.v4(),
         id: formVersionId,
       });
       const req = getMockReq({
@@ -629,3 +673,46 @@ describe('validateFormVersionId', () => {
     });
   });
 });
+
+describe('validateUserId', () => {
+  describe('400 response when', () => {
+    const expectedStatus = { status: 400 };
+
+    test('userId is missing', async () => {
+      const req = getMockReq({
+        params: {},
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateUserId(req, res, next);
+
+      expect(next).toBeCalledWith(expect.objectContaining(expectedStatus));
+    });
+
+    test.each(invalidUuids)('userId is "%s"', async (eachUserId) => {
+      const req = getMockReq({
+        params: { userId: eachUserId },
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateUserId(req, res, next, eachUserId);
+
+      expect(next).toBeCalledWith(expect.objectContaining(expectedStatus));
+    });
+  });
+
+  describe('allows', () => {
+    test('uuid for userId', async () => {
+      const req = getMockReq({
+        params: {
+          userId: userId,
+        },
+      });
+      const { res, next } = getMockRes();
+
+      await validateParameter.validateUserId(req, res, next, userId);
+
+      expect(next).toBeCalledWith();
+    });
+  });
+});
diff --git a/app/tests/unit/forms/file/controller.spec.js b/app/tests/unit/forms/file/controller.spec.js
index e23c62db5..cbe00f3be 100644
--- a/app/tests/unit/forms/file/controller.spec.js
+++ b/app/tests/unit/forms/file/controller.spec.js
@@ -1,5 +1,5 @@
 const { getMockReq, getMockRes } = require('@jest-mock/express');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const controller = require('../../../../src/forms/file/controller');
 const service = require('../../../../src/forms/file/service');
@@ -12,7 +12,7 @@ const currentUser = {
 const fileStorage = {
   createdAt: '2024-06-25T13:53:01-0700',
   createdBy: currentUser.usernameIdp,
-  id: uuidv4(),
+  id: uuid.v4(),
   mimeType: 'text/plain',
   originalName: 'testfile.txt',
   path: '/some/path',
diff --git a/app/tests/unit/forms/file/routes.spec.js b/app/tests/unit/forms/file/routes.spec.js
index 206ea04a1..69d7f8fa1 100644
--- a/app/tests/unit/forms/file/routes.spec.js
+++ b/app/tests/unit/forms/file/routes.spec.js
@@ -1,5 +1,5 @@
 const request = require('supertest');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
@@ -94,7 +94,7 @@ describe(`${basePath}`, () => {
 });
 
 describe(`${basePath}/:id`, () => {
-  const fileId = uuidv4();
+  const fileId = uuid.v4();
   const path = `${basePath}/${fileId}`;
 
   it('should have correct middleware for DELETE', async () => {
diff --git a/app/tests/unit/forms/form/controller.spec.js b/app/tests/unit/forms/form/controller.spec.js
index 78e70f65c..e615d6abe 100644
--- a/app/tests/unit/forms/form/controller.spec.js
+++ b/app/tests/unit/forms/form/controller.spec.js
@@ -1,5 +1,5 @@
 const { getMockReq, getMockRes } = require('@jest-mock/express');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const controller = require('../../../../src/forms/form/controller');
 const exportService = require('../../../../src/forms/form/exportService');
@@ -11,15 +11,15 @@ const currentUser = {
 
 const documentTemplate = {
   filename: 'cdogs_template.txt',
-  formId: uuidv4(),
-  id: uuidv4(),
+  formId: uuid.v4(),
+  id: uuid.v4(),
   template: 'My Template',
 };
 
 const error = new Error('error');
 
 // Various strings that should produce 400 errors when used as UUIDs.
-const testCases400 = [[''], ['undefined'], ['{{oops}}'], [uuidv4() + '.']];
+const testCases400 = [[''], ['undefined'], ['{{oops}}'], [uuid.v4() + '.']];
 
 //
 // Mock out all happy-path service calls.
@@ -152,7 +152,7 @@ describe('documentTemplateDelete', () => {
 
       expect(service.documentTemplateDelete).toBeCalledWith(validRequest.params.documentTemplateId, validRequest.currentUser.usernameIdp);
       expect(res.json).not.toBeCalled();
-      expect(res.status).toBeCalledWith(204);
+      expect(res.sendStatus).toBeCalledWith(204);
       expect(next).not.toBeCalled();
     });
   });
@@ -275,7 +275,7 @@ describe('form controller', () => {
 });
 
 describe('listFormSubmissions', () => {
-  const uuid = uuidv4();
+  const formId = uuid.v4();
   const mockResponse = {
     results: [
       {
@@ -287,7 +287,7 @@ describe('listFormSubmissions', () => {
   it('should 200 if the formId is valid', async () => {
     // Arrange
     service.listFormSubmissions = jest.fn().mockReturnValue(mockResponse);
-    const req = getMockReq({ params: { formId: uuid } });
+    const req = getMockReq({ params: { formId: formId } });
     const { res, next } = getMockRes();
 
     // Act
@@ -313,9 +313,9 @@ describe('listFormSubmissions', () => {
     expect(res.json).toBeCalledWith({ detail: 'Bad formId "undefined".' });
   });
 
-  test.each(testCases400)('should 400 if the formId is "%s"', async (formId) => {
+  test.each(testCases400)('should 400 if the formId is "%s"', async (eachFormId) => {
     // Arrange
-    const req = getMockReq({ params: { formId: formId } });
+    const req = getMockReq({ params: { formId: eachFormId } });
     const { res, next } = getMockRes();
 
     // Act
@@ -324,7 +324,7 @@ describe('listFormSubmissions', () => {
     // Assert
     expect(service.listFormSubmissions).toBeCalledTimes(0);
     expect(res.status).toBeCalledWith(400);
-    expect(res.json).toBeCalledWith({ detail: `Bad formId "${formId}".` });
+    expect(res.json).toBeCalledWith({ detail: `Bad formId "${eachFormId}".` });
   });
 
   it('should forward service errors for handling elsewhere', async () => {
@@ -333,7 +333,7 @@ describe('listFormSubmissions', () => {
     service.listFormSubmissions = jest.fn(() => {
       throw error;
     });
-    const req = getMockReq({ params: { formId: uuid } });
+    const req = getMockReq({ params: { formId: formId } });
     const { res, next } = getMockRes();
 
     // Act
@@ -346,17 +346,17 @@ describe('listFormSubmissions', () => {
 });
 
 describe('readFormOptions', () => {
-  const uuid = uuidv4();
+  const formId = uuid.v4();
   const mockReadResponse = {
     form: {
-      id: uuid,
+      id: formId,
     },
   };
 
   it('should 200 if the formId is valid', async () => {
     // Arrange
     service.readFormOptions = jest.fn().mockReturnValue(mockReadResponse);
-    const req = getMockReq({ params: { formId: uuid } });
+    const req = getMockReq({ params: { formId: formId } });
     const { res, next } = getMockRes();
 
     // Act
@@ -382,9 +382,9 @@ describe('readFormOptions', () => {
     expect(res.json).toBeCalledWith({ detail: 'Bad formId "undefined".' });
   });
 
-  test.each(testCases400)('should 400 if the formId is "%s"', async (formId) => {
+  test.each(testCases400)('should 400 if the formId is "%s"', async (eachFormId) => {
     // Arrange
-    const req = getMockReq({ params: { formId: formId } });
+    const req = getMockReq({ params: { formId: eachFormId } });
     const { res, next } = getMockRes();
 
     // Act
@@ -393,7 +393,7 @@ describe('readFormOptions', () => {
     // Assert
     expect(service.readFormOptions).toBeCalledTimes(0);
     expect(res.status).toBeCalledWith(400);
-    expect(res.json).toBeCalledWith({ detail: `Bad formId "${formId}".` });
+    expect(res.json).toBeCalledWith({ detail: `Bad formId "${eachFormId}".` });
   });
 
   it('should forward service errors for handling elsewhere', async () => {
@@ -402,7 +402,7 @@ describe('readFormOptions', () => {
     service.readFormOptions = jest.fn(() => {
       throw error;
     });
-    const req = getMockReq({ params: { formId: uuid } });
+    const req = getMockReq({ params: { formId: formId } });
     const { res, next } = getMockRes();
 
     // Act
diff --git a/app/tests/unit/forms/form/exportService.spec.js b/app/tests/unit/forms/form/exportService.spec.js
index 329355431..b57895ee2 100644
--- a/app/tests/unit/forms/form/exportService.spec.js
+++ b/app/tests/unit/forms/form/exportService.spec.js
@@ -1,4 +1,4 @@
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const exportService = require('../../../../src/forms/form/exportService');
 const emailService = require('../../../../src/forms/email/emailService');
@@ -14,7 +14,7 @@ jest.mock('../../../../src/forms/common/models/views/submissionData', () => ({
   then: jest.fn().mockReturnThis(),
 }));
 
-const formId = uuidv4();
+const formId = uuid.v4();
 
 const getCsvRowCount = (result) => {
   return result.data.split('\n').length;
diff --git a/app/tests/unit/forms/form/externalApi/controller.spec.js b/app/tests/unit/forms/form/externalApi/controller.spec.js
index 69aa55532..c0d278f85 100644
--- a/app/tests/unit/forms/form/externalApi/controller.spec.js
+++ b/app/tests/unit/forms/form/externalApi/controller.spec.js
@@ -1,5 +1,5 @@
 const { getMockReq, getMockRes } = require('@jest-mock/express');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { ENCRYPTION_ALGORITHMS } = require('../../../../../src/components/encryptionService');
 
@@ -96,9 +96,9 @@ describe('createExternalAPI', () => {
     });
   });
 
-  const formId = uuidv4();
+  const formId = uuid.v4();
   const externalApi = {
-    id: uuidv4(),
+    id: uuid.v4(),
     formId: formId,
     name: 'test_api',
     endpointUrl: 'http://external.api/',
@@ -192,8 +192,8 @@ describe('updateExternalAPI', () => {
     });
   });
 
-  const formId = uuidv4();
-  const externalAPIId = uuidv4();
+  const formId = uuid.v4();
+  const externalAPIId = uuid.v4();
   const externalApi = {
     id: externalAPIId,
     formId: formId,
@@ -289,8 +289,8 @@ describe('deleteExternalAPI', () => {
     });
   });
 
-  const formId = uuidv4();
-  const externalAPIId = uuidv4();
+  const formId = uuid.v4();
+  const externalAPIId = uuid.v4();
 
   const validRequest = {
     currentUser: currentUser,
@@ -337,7 +337,8 @@ describe('deleteExternalAPI', () => {
       await controller.deleteExternalAPI(req, res, next);
 
       expect(service.deleteExternalAPI).toBeCalledWith(validRequest.params.formId, validRequest.params.externalAPIId);
-      expect(res.status).toBeCalledWith(204);
+      expect(res.json).not.toBeCalled();
+      expect(res.sendStatus).toBeCalledWith(204);
       expect(next).not.toBeCalled();
     });
   });
diff --git a/app/tests/unit/forms/form/externalApi/routes.spec.js b/app/tests/unit/forms/form/externalApi/routes.spec.js
index 6a9605a58..94fd983c8 100644
--- a/app/tests/unit/forms/form/externalApi/routes.spec.js
+++ b/app/tests/unit/forms/form/externalApi/routes.spec.js
@@ -1,5 +1,5 @@
 const request = require('supertest');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../../common/helper');
 
@@ -69,7 +69,7 @@ validateParameter.validateFormId = jest.fn((_req, _res, next) => {
 validateParameter.validateExternalAPIId = jest.fn((_req, _res, next) => {
   next();
 });
-const formId = uuidv4();
+const formId = uuid.v4();
 
 //
 // Create the router and a simple Express server.
@@ -127,7 +127,7 @@ describe(`${basePath}/:formId/externalAPIs`, () => {
 });
 
 describe(`${basePath}/:formId/externalAPIs/:externalAPIId`, () => {
-  const externalAPIId = uuidv4();
+  const externalAPIId = uuid.v4();
   const path = `${basePath}/${formId}/externalAPIs/${externalAPIId}`;
   controller.updateExternalAPI = jest.fn((_req, _res, next) => {
     next();
diff --git a/app/tests/unit/forms/form/externalApi/service.spec.js b/app/tests/unit/forms/form/externalApi/service.spec.js
index 3d1903064..620429d02 100644
--- a/app/tests/unit/forms/form/externalApi/service.spec.js
+++ b/app/tests/unit/forms/form/externalApi/service.spec.js
@@ -1,6 +1,6 @@
 const { MockModel, MockTransaction } = require('../../../../common/dbHelper');
 
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { ExternalAPIStatuses } = require('../../../../../src/forms/common/constants');
 const service = require('../../../../../src/forms/form/externalApi/service');
@@ -21,8 +21,8 @@ describe('checkAllowSendUserToken', () => {
   let validData = null;
   beforeEach(() => {
     validData = {
-      id: uuidv4(),
-      formId: uuidv4(),
+      id: uuid.v4(),
+      formId: uuid.v4(),
       name: 'test_api',
       endpointUrl: 'http://external.api/',
       sendApiKey: true,
@@ -65,8 +65,8 @@ describe('validateExternalAPI', () => {
   let validData = null;
   beforeEach(() => {
     validData = {
-      id: uuidv4(),
-      formId: uuidv4(),
+      id: uuid.v4(),
+      formId: uuid.v4(),
       name: 'test_api',
       endpointUrl: 'http://external.api/',
       sendApiKey: true,
@@ -130,8 +130,8 @@ describe('createExternalAPI', () => {
     MockModel.mockReset();
     MockTransaction.mockReset();
     validData = {
-      id: uuidv4(),
-      formId: uuidv4(),
+      id: uuid.v4(),
+      formId: uuid.v4(),
       name: 'test_api',
       endpointUrl: 'http://external.api/',
       sendApiKey: true,
@@ -180,8 +180,8 @@ describe('updateExternalAPI', () => {
     MockModel.mockReset();
     MockTransaction.mockReset();
     validData = {
-      id: uuidv4(),
-      formId: uuidv4(),
+      id: uuid.v4(),
+      formId: uuid.v4(),
       name: 'test_api',
       endpointUrl: 'http://external.api/',
       sendApiKey: true,
diff --git a/app/tests/unit/forms/form/routes.spec.js b/app/tests/unit/forms/form/routes.spec.js
index 242958cd8..2ab130875 100644
--- a/app/tests/unit/forms/form/routes.spec.js
+++ b/app/tests/unit/forms/form/routes.spec.js
@@ -1,5 +1,5 @@
 const request = require('supertest');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
@@ -13,9 +13,6 @@ const controller = require('../../../../src/forms/form/controller');
 // Mock out all the middleware - we're testing that the routes are set up
 // correctly, not the functionality of the middleware.
 //
-//
-// mock middleware
-//
 const jwtService = require('../../../../src/components/jwtService');
 
 //
@@ -70,8 +67,8 @@ validateParameter.validateFormId = jest.fn((_req, _res, next) => {
   next();
 });
 
-const documentTemplateId = uuidv4();
-const formId = uuidv4();
+const documentTemplateId = uuid.v4();
+const formId = uuid.v4();
 
 //
 // Create the router and a simple Express server.
diff --git a/app/tests/unit/forms/form/service.spec.js b/app/tests/unit/forms/form/service.spec.js
index 8e91daa48..9ae660f54 100644
--- a/app/tests/unit/forms/form/service.spec.js
+++ b/app/tests/unit/forms/form/service.spec.js
@@ -1,6 +1,6 @@
 const { MockModel, MockTransaction } = require('../../../common/dbHelper');
 
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { EmailTypes } = require('../../../../src/forms/common/constants');
 const service = require('../../../../src/forms/form/service');
@@ -9,8 +9,8 @@ jest.mock('../../../../src/forms/common/models/tables/documentTemplate', () => M
 jest.mock('../../../../src/forms/common/models/tables/formEmailTemplate', () => MockModel);
 jest.mock('../../../../src/forms/common/models/views/submissionMetadata', () => MockModel);
 
-const documentTemplateId = uuidv4();
-const formId = uuidv4();
+const documentTemplateId = uuid.v4();
+const formId = uuid.v4();
 
 const currentUser = {
   usernameIdp: 'TESTER',
@@ -689,7 +689,7 @@ describe('popFormLevelInfo', () => {
 
 describe('_getDefaultEmailTemplate', () => {
   it('should return a template', async () => {
-    const formId = uuidv4();
+    const formId = uuid.v4();
     const template = service._getDefaultEmailTemplate(formId, EmailTypes.SUBMISSION_CONFIRMATION);
 
     expect(template.formId).toEqual(formId);
@@ -773,7 +773,7 @@ describe('createOrUpdateEmailTemplates', () => {
   });
 
   it('should update template when it already exists', async () => {
-    const id = uuidv4();
+    const id = uuid.v4();
     service.readEmailTemplate = jest.fn().mockReturnValue({ id: id, ...emailTemplate });
     service.readEmailTemplates = jest.fn().mockReturnValue([{ id: id, ...emailTemplate }]);
 
@@ -806,7 +806,7 @@ describe('createOrUpdateEmailTemplates', () => {
   });
 
   it('should rollback when an update error occurs inside transaction', async () => {
-    const id = uuidv4();
+    const id = uuid.v4();
     service.readEmailTemplate = jest.fn().mockReturnValue({ id: id, ...emailTemplate });
     service.readEmailTemplates = jest.fn().mockReturnValue([{ id: id, ...emailTemplate }]);
     MockModel.update = jest.fn().mockRejectedValueOnce(new Error('SQL Error'));
diff --git a/app/tests/unit/forms/proxy/service.spec.js b/app/tests/unit/forms/proxy/service.spec.js
index 2fa294125..7c3d953dc 100644
--- a/app/tests/unit/forms/proxy/service.spec.js
+++ b/app/tests/unit/forms/proxy/service.spec.js
@@ -1,6 +1,6 @@
 const { MockModel, MockTransaction } = require('../../../common/dbHelper');
 
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { encryptionService, ENCRYPTION_ALGORITHMS } = require('../../../../src/components/encryptionService');
 const service = require('../../../../src/forms/proxy/service');
@@ -33,8 +33,8 @@ const goodProxyHeaderInfo = {
 delete goodProxyHeaderInfo.idpUserId;
 
 const goodExternalApi = {
-  id: uuidv4(),
-  formId: uuidv4(),
+  id: uuid.v4(),
+  formId: uuid.v4(),
   name: 'test_api',
   endpointUrl: 'http://external.api/',
   sendApiKey: true,
diff --git a/app/tests/unit/forms/submission/controller.spec.js b/app/tests/unit/forms/submission/controller.spec.js
index da2f96e6d..b2fb8da37 100644
--- a/app/tests/unit/forms/submission/controller.spec.js
+++ b/app/tests/unit/forms/submission/controller.spec.js
@@ -357,7 +357,7 @@ describe('template rendering', () => {
   });
 });
 
-describe('deleteMutipleSubmissions', () => {
+describe('deleteMultipleSubmissions', () => {
   const returnValue = {
     submission: [
       { id: 'ac4ef441-43b1-414a-a0d4-1e2f67c2a745', formVersionId: '8d8e24ce-326f-4536-9100-a0844c27d5a0', confirmationId: 'AC4EF441', draft: false, deleted: true },
@@ -373,16 +373,16 @@ describe('deleteMutipleSubmissions', () => {
     currentUser: {},
     headers: {},
   };
-  it('should call deleteMutipleSubmissions service in controller', async () => {
-    service.deleteMutipleSubmissions = jest.fn().mockReturnValue(returnValue);
-    await controller.deleteMutipleSubmissions(req, {}, jest.fn());
+  it('should call deleteMultipleSubmissions service in controller', async () => {
+    service.deleteMultipleSubmissions = jest.fn().mockReturnValue(returnValue);
+    await controller.deleteMultipleSubmissions(req, {}, jest.fn());
 
-    expect(service.deleteMutipleSubmissions).toBeCalledTimes(1);
-    expect(service.deleteMutipleSubmissions).toBeCalledWith(req.body.submissionIds, req.currentUser);
+    expect(service.deleteMultipleSubmissions).toBeCalledTimes(1);
+    expect(service.deleteMultipleSubmissions).toBeCalledWith(req.body.submissionIds, req.currentUser);
   });
 });
 
-describe('restoreMutipleSubmissions', () => {
+describe('restoreMultipleSubmissions', () => {
   const returnValue = {
     submission: [
       { id: 'ac4ef441-43b1-414a-a0d4-1e2f67c2a745', formVersionId: '8d8e24ce-326f-4536-9100-a0844c27d5a0', confirmationId: 'AC4EF441', draft: false, deleted: false },
@@ -398,11 +398,11 @@ describe('restoreMutipleSubmissions', () => {
     currentUser: {},
     headers: {},
   };
-  it('should call restoreMutipleSubmissions service in controller', async () => {
-    service.restoreMutipleSubmissions = jest.fn().mockReturnValue(returnValue);
-    await controller.restoreMutipleSubmissions(req, {}, jest.fn());
+  it('should call restoreMultipleSubmissions service in controller', async () => {
+    service.restoreMultipleSubmissions = jest.fn().mockReturnValue(returnValue);
+    await controller.restoreMultipleSubmissions(req, {}, jest.fn());
 
-    expect(service.restoreMutipleSubmissions).toBeCalledTimes(1);
-    expect(service.restoreMutipleSubmissions).toBeCalledWith(req.body.submissionIds, req.currentUser);
+    expect(service.restoreMultipleSubmissions).toBeCalledTimes(1);
+    expect(service.restoreMultipleSubmissions).toBeCalledWith(req.body.submissionIds, req.currentUser);
   });
 });
diff --git a/app/tests/unit/forms/submission/routes.spec.js b/app/tests/unit/forms/submission/routes.spec.js
index d47f04df3..8ab849cca 100644
--- a/app/tests/unit/forms/submission/routes.spec.js
+++ b/app/tests/unit/forms/submission/routes.spec.js
@@ -1,5 +1,5 @@
 const request = require('supertest');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
@@ -31,9 +31,51 @@ apiAccess.mockImplementation(
   })
 );
 
+controller.addNote = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.addStatus = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.delete = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.deleteMultipleSubmissions = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.email = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.getNotes = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.getStatus = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.listEdits = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.read = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.readOptions = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.restore = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.restoreMultipleSubmissions = jest.fn((_req, _res, next) => {
+  next();
+});
 controller.templateRender = jest.fn((_req, _res, next) => {
   next();
 });
+controller.templateUploadAndRender = jest.fn((_req, _res, next) => {
+  next();
+});
+controller.update = jest.fn((_req, _res, next) => {
+  next();
+});
 
 rateLimiter.apiKeyRateLimiter = jest.fn((_req, _res, next) => {
   next();
@@ -46,7 +88,9 @@ const hasSubmissionPermissionsMock = jest.fn((_req, _res, next) => {
 userAccess.currentUser = jest.fn((_req, _res, next) => {
   next();
 });
-
+userAccess.filterMultipleSubmissions = jest.fn((_req, _res, next) => {
+  next();
+});
 userAccess.hasSubmissionPermissions = jest.fn(() => {
   return hasSubmissionPermissionsMock;
 });
@@ -54,9 +98,16 @@ userAccess.hasSubmissionPermissions = jest.fn(() => {
 validateParameter.validateDocumentTemplateId = jest.fn((_req, _res, next) => {
   next();
 });
+validateParameter.validateFormId = jest.fn((_req, _res, next) => {
+  next();
+});
+validateParameter.validateFormSubmissionId = jest.fn((_req, _res, next) => {
+  next();
+});
 
-const documentTemplateId = uuidv4();
-const formSubmissionId = uuidv4();
+const documentTemplateId = uuid.v4();
+const formId = uuid.v4();
+const formSubmissionId = uuid.v4();
 
 //
 // Create the router and a simple Express server.
@@ -71,16 +122,256 @@ afterEach(() => {
   jest.clearAllMocks();
 });
 
+describe(`${basePath}/:formSubmissionId`, () => {
+  const path = `${basePath}/${formSubmissionId}`;
+
+  it('should have correct middleware for DELETE', async () => {
+    await appRequest.delete(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(1);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.delete).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(1);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.read).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.update).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/:formId/submissions`, () => {
+  const path = `${basePath}/${formSubmissionId}/${formId}/submissions`;
+
+  it('should have correct middleware for DELETE', async () => {
+    await appRequest.delete(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(1);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(1);
+    expect(controller.deleteMultipleSubmissions).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/:formId/submissions/restore`, () => {
+  const path = `${basePath}/${formSubmissionId}/${formId}/submissions/restore`;
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(1);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(1);
+    expect(controller.restoreMultipleSubmissions).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/edits`, () => {
+  const path = `${basePath}/${formSubmissionId}/edits`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.listEdits).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/email`, () => {
+  const path = `${basePath}/${formSubmissionId}/email`;
+
+  it('should have correct middleware for POST', async () => {
+    await appRequest.post(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.email).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/notes`, () => {
+  const path = `${basePath}/${formSubmissionId}/notes`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.getNotes).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for POST', async () => {
+    await appRequest.post(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.addNote).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/options`, () => {
+  const path = `${basePath}/${formSubmissionId}/options`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(0);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.readOptions).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/restore`, () => {
+  const path = `${basePath}/${formSubmissionId}/restore`;
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.restore).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:formSubmissionId/status`, () => {
+  const path = `${basePath}/${formSubmissionId}/status`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(1);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.getStatus).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for POST', async () => {
+    await appRequest.post(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.addStatus).toBeCalledTimes(1);
+  });
+});
+
 describe(`${basePath}/:formSubmissionId/template/:documentTemplateId/render`, () => {
   const path = `${basePath}/${formSubmissionId}/template/${documentTemplateId}/render`;
 
   it('should have correct middleware for GET', async () => {
     await appRequest.get(path);
 
+    expect(userAccess.currentUser).toBeCalledTimes(1);
     expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(1);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
     expect(apiAccess).toBeCalledTimes(1);
     expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
     expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
     expect(controller.templateRender).toBeCalledTimes(1);
   });
 });
+
+describe(`${basePath}/:formSubmissionId/template/render`, () => {
+  const path = `${basePath}/${formSubmissionId}/template/render`;
+
+  it('should have correct middleware for POST', async () => {
+    await appRequest.post(path);
+
+    expect(userAccess.currentUser).toBeCalledTimes(1);
+    expect(validateParameter.validateDocumentTemplateId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateFormSubmissionId).toBeCalledTimes(1);
+    expect(apiAccess).toBeCalledTimes(1);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
+    expect(hasSubmissionPermissionsMock).toBeCalledTimes(1);
+    expect(userAccess.filterMultipleSubmissions).toBeCalledTimes(0);
+    expect(controller.templateUploadAndRender).toBeCalledTimes(1);
+  });
+});
diff --git a/app/tests/unit/forms/submission/service.spec.js b/app/tests/unit/forms/submission/service.spec.js
index 2070af1b1..3794fc962 100644
--- a/app/tests/unit/forms/submission/service.spec.js
+++ b/app/tests/unit/forms/submission/service.spec.js
@@ -1,5 +1,5 @@
 const { MockModel, MockTransaction } = require('../../../common/dbHelper');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 jest.mock('../../../../src/forms/common/models/tables/formSubmissionStatus', () => MockModel);
 jest.mock('../../../../src/forms/common/models/tables/formSubmission', () => MockModel);
@@ -52,10 +52,10 @@ describe('createStatus', () => {
   });
 });
 
-describe('deleteMutipleSubmissions', () => {
+describe('deleteMultipleSubmissions', () => {
   it('should delete the selected submissions', async () => {
-    let submissionId1 = uuidv4();
-    let submissionId2 = uuidv4();
+    let submissionId1 = uuid.v4();
+    let submissionId2 = uuid.v4();
     const submissionIds = [submissionId1, submissionId2];
 
     const returnValue = {
@@ -70,7 +70,7 @@ describe('deleteMutipleSubmissions', () => {
     const currentUser = { usernameIdp: 'TEST@idir' };
     service.readSubmissionData = jest.fn().mockReturnValue(returnValue);
     const spy = jest.spyOn(service, 'readSubmissionData');
-    const res = await service.deleteMutipleSubmissions(submissionIds, currentUser);
+    const res = await service.deleteMultipleSubmissions(submissionIds, currentUser);
     expect(MockModel.startTransaction).toBeCalledTimes(1);
     expect(MockModel.query).toBeCalledTimes(1);
     expect(MockModel.query).toBeCalledWith(expect.anything());
@@ -83,10 +83,10 @@ describe('deleteMutipleSubmissions', () => {
   });
 });
 
-describe('restoreMutipleSubmissions', () => {
+describe('restoreMultipleSubmissions', () => {
   it('should delete the selected submissions', async () => {
-    let submissionId1 = uuidv4();
-    let submissionId2 = uuidv4();
+    let submissionId1 = uuid.v4();
+    let submissionId2 = uuid.v4();
     const submissionIds = [submissionId1, submissionId2];
 
     const returnValue = {
@@ -101,7 +101,7 @@ describe('restoreMutipleSubmissions', () => {
     const currentUser = { usernameIdp: 'TEST@idir' };
     service.readSubmissionData = jest.fn().mockReturnValue(returnValue);
     const spy = jest.spyOn(service, 'readSubmissionData');
-    const res = await service.restoreMutipleSubmissions(submissionIds, currentUser);
+    const res = await service.restoreMultipleSubmissions(submissionIds, currentUser);
     expect(MockModel.startTransaction).toBeCalledTimes(1);
     expect(MockModel.query).toBeCalledTimes(1);
     expect(MockModel.query).toBeCalledWith(expect.anything());
diff --git a/app/tests/unit/forms/user/routes.spec.js b/app/tests/unit/forms/user/routes.spec.js
new file mode 100644
index 000000000..67dffb363
--- /dev/null
+++ b/app/tests/unit/forms/user/routes.spec.js
@@ -0,0 +1,180 @@
+const request = require('supertest');
+const uuid = require('uuid');
+
+const { expressHelper } = require('../../../common/helper');
+
+const jwtService = require('../../../../src/components/jwtService');
+const userAccess = require('../../../../src/forms/auth/middleware/userAccess');
+const validateParameter = require('../../../../src/forms/common/middleware/validateParameter');
+const controller = require('../../../../src/forms/user/controller');
+
+//
+// Mock out all the middleware - we're testing that the routes are set up
+// correctly, not the functionality of the middleware.
+//
+
+jwtService.protect = jest.fn(() => {
+  return jest.fn((_req, _res, next) => {
+    next();
+  });
+});
+
+userAccess.currentUser = jest.fn((_req, _res, next) => {
+  next();
+});
+
+validateParameter.validateFormId = jest.fn((_req, _res, next) => {
+  next();
+});
+validateParameter.validateUserId = jest.fn((_req, _res, next) => {
+  next();
+});
+
+// Mock the controller functions with happy path results.
+
+controller.deleteUserFormPreferences = jest.fn((_req, res) => {
+  res.sendStatus(204);
+});
+controller.deleteUserPreferences = jest.fn((_req, res) => {
+  res.sendStatus(204);
+});
+controller.list = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.read = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.readUserFormPreferences = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.readUserLabels = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.readUserPreferences = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.updateUserFormPreferences = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.updateUserLabels = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+controller.updateUserPreferences = jest.fn((_req, res) => {
+  res.status(200).json({});
+});
+
+const formId = uuid.v4();
+const userId = uuid.v4();
+
+//
+// Create the router and a simple Express server.
+//
+
+const router = require('../../../../src/forms/user/routes');
+const basePath = '/users';
+const app = expressHelper(basePath, router);
+const appRequest = request(app);
+
+afterEach(() => {
+  jest.clearAllMocks();
+});
+
+describe(`${basePath}/`, () => {
+  const path = `${basePath}/`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.list).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/:userId`, () => {
+  const path = `${basePath}/${userId}`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(1);
+    expect(controller.read).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/labels`, () => {
+  const path = `${basePath}/labels`;
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.readUserLabels).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.updateUserLabels).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/preferences`, () => {
+  const path = `${basePath}/preferences`;
+
+  it('should have correct middleware for DELETE', async () => {
+    await appRequest.delete(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.deleteUserPreferences).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.readUserPreferences).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(0);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.updateUserPreferences).toBeCalledTimes(1);
+  });
+});
+
+describe(`${basePath}/preferences/forms/:formId`, () => {
+  const path = `${basePath}/preferences/forms/${formId}`;
+
+  it('should have correct middleware for DELETE', async () => {
+    await appRequest.delete(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(1);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.deleteUserFormPreferences).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for GET', async () => {
+    await appRequest.get(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(1);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.readUserFormPreferences).toBeCalledTimes(1);
+  });
+
+  it('should have correct middleware for PUT', async () => {
+    await appRequest.put(path);
+
+    expect(validateParameter.validateFormId).toBeCalledTimes(1);
+    expect(validateParameter.validateUserId).toBeCalledTimes(0);
+    expect(controller.updateUserFormPreferences).toBeCalledTimes(1);
+  });
+});
diff --git a/app/tests/unit/routes/v1/form.spec.js b/app/tests/unit/routes/v1/form.spec.js
index ffdb78efc..c2a0fa4bf 100644
--- a/app/tests/unit/routes/v1/form.spec.js
+++ b/app/tests/unit/routes/v1/form.spec.js
@@ -1,6 +1,6 @@
 const request = require('supertest');
 const Problem = require('api-problem');
-const { v4: uuidv4 } = require('uuid');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
@@ -28,9 +28,9 @@ userAccess.hasFormPermissions = jest.fn(() => {
   });
 });
 
-const formId = uuidv4();
-const formVersionDraftId = uuidv4();
-const formVersionId = uuidv4();
+const formId = uuid.v4();
+const formVersionDraftId = uuid.v4();
+const formVersionId = uuid.v4();
 
 //
 // we will mock the underlying data service calls...
diff --git a/app/tests/unit/routes/v1/submission.spec.js b/app/tests/unit/routes/v1/submission.spec.js
index a2871efb7..b21523010 100644
--- a/app/tests/unit/routes/v1/submission.spec.js
+++ b/app/tests/unit/routes/v1/submission.spec.js
@@ -1,8 +1,12 @@
-const request = require('supertest');
 const Problem = require('api-problem');
+const request = require('supertest');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
+const formId = uuid.v4();
+const formSubmissionId = uuid.v4();
+
 //
 // mock middleware
 //
@@ -49,7 +53,7 @@ afterEach(() => {
 });
 
 describe(`${basePath}/:formSubmissionId`, () => {
-  const path = `${basePath}/:formSubmissionId`;
+  const path = `${basePath}/${formSubmissionId}`;
 
   describe('DELETE', () => {
     it('should return 200', async () => {
@@ -161,7 +165,7 @@ describe(`${basePath}/:formSubmissionId`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/edits`, () => {
-  const path = `${basePath}/:formSubmissionId/edits`;
+  const path = `${basePath}/${formSubmissionId}/edits`;
 
   describe('GET', () => {
     it('should return 200', async () => {
@@ -201,7 +205,7 @@ describe(`${basePath}/:formSubmissionId/edits`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/email`, () => {
-  const path = `${basePath}/:formSubmissionId/email`;
+  const path = `${basePath}/${formSubmissionId}/email`;
 
   describe('POST', () => {
     const submissionResult = { form: { id: '' }, submission: { id: '' }, version: { id: '' } };
@@ -259,12 +263,12 @@ describe(`${basePath}/:formSubmissionId/email`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/:formId/submissions`, () => {
-  const path = `${basePath}/:formSubmissionId/:formId/submissions`;
+  const path = `${basePath}/${formSubmissionId}/${formId}/submissions`;
 
   describe('DELETE', () => {
     it('should return 200', async () => {
       // mock a success return value...
-      service.deleteMutipleSubmissions = jest.fn().mockReturnValue({});
+      service.deleteMultipleSubmissions = jest.fn().mockReturnValue({});
 
       const response = await appRequest.delete(path);
 
@@ -274,7 +278,7 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions`, () => {
 
     it('should handle 401', async () => {
       // mock an authentication/permission issue...
-      service.deleteMutipleSubmissions = jest.fn(() => {
+      service.deleteMultipleSubmissions = jest.fn(() => {
         throw new Problem(401);
       });
 
@@ -286,7 +290,7 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions`, () => {
 
     it('should handle 500', async () => {
       // mock an unexpected error...
-      service.deleteMutipleSubmissions = jest.fn(() => {
+      service.deleteMultipleSubmissions = jest.fn(() => {
         throw new Error();
       });
 
@@ -299,12 +303,12 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/:formId/submissions/restore`, () => {
-  const path = `${basePath}/:formSubmissionId/:formId/submissions/restore`;
+  const path = `${basePath}/${formSubmissionId}/${formId}/submissions/restore`;
 
   describe('PUT', () => {
     it('should return 200', async () => {
       // mock a success return value...
-      service.restoreMutipleSubmissions = jest.fn().mockReturnValue({});
+      service.restoreMultipleSubmissions = jest.fn().mockReturnValue({});
 
       const response = await appRequest.put(path);
 
@@ -314,7 +318,7 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions/restore`, () => {
 
     it('should handle 401', async () => {
       // mock an authentication/permission issue...
-      service.restoreMutipleSubmissions = jest.fn(() => {
+      service.restoreMultipleSubmissions = jest.fn(() => {
         throw new Problem(401);
       });
 
@@ -326,7 +330,7 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions/restore`, () => {
 
     it('should handle 500', async () => {
       // mock an unexpected error...
-      service.restoreMutipleSubmissions = jest.fn(() => {
+      service.restoreMultipleSubmissions = jest.fn(() => {
         throw new Error();
       });
 
@@ -339,7 +343,7 @@ describe(`${basePath}/:formSubmissionId/:formId/submissions/restore`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/notes`, () => {
-  const path = `${basePath}/:formSubmissionId/notes`;
+  const path = `${basePath}/${formSubmissionId}/notes`;
 
   describe('GET', () => {
     it('should return 200', async () => {
@@ -416,7 +420,7 @@ describe(`${basePath}/:formSubmissionId/notes`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/options`, () => {
-  const path = `${basePath}/:formSubmissionId/options`;
+  const path = `${basePath}/${formSubmissionId}/options`;
 
   describe('GET', () => {
     it('should return 200', async () => {
@@ -456,7 +460,7 @@ describe(`${basePath}/:formSubmissionId/options`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/restore`, () => {
-  const path = `${basePath}/:formSubmissionId/restore`;
+  const path = `${basePath}/${formSubmissionId}/restore`;
 
   describe('PUT', () => {
     it('should return 200', async () => {
@@ -496,7 +500,7 @@ describe(`${basePath}/:formSubmissionId/restore`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/status`, () => {
-  const path = `${basePath}/:formSubmissionId/status`;
+  const path = `${basePath}/${formSubmissionId}/status`;
 
   describe('GET', () => {
     it('should return 200', async () => {
@@ -577,7 +581,7 @@ describe(`${basePath}/:formSubmissionId/status`, () => {
 });
 
 describe(`${basePath}/:formSubmissionId/template/render`, () => {
-  const path = `${basePath}/:formSubmissionId/template/render`;
+  const path = `${basePath}/${formSubmissionId}/template/render`;
 
   describe('POST', () => {
     it('should return 200', async () => {
diff --git a/app/tests/unit/routes/v1/user.spec.js b/app/tests/unit/routes/v1/user.spec.js
index 1bb9d0f0c..d29bd285b 100644
--- a/app/tests/unit/routes/v1/user.spec.js
+++ b/app/tests/unit/routes/v1/user.spec.js
@@ -1,5 +1,6 @@
-const request = require('supertest');
 const Problem = require('api-problem');
+const request = require('supertest');
+const uuid = require('uuid');
 
 const { expressHelper } = require('../../../common/helper');
 
@@ -27,6 +28,9 @@ userAccess.currentUser = jest.fn((_req, _res, next) => {
 //
 const service = require('../../../../src/forms/user/service');
 
+const formId = uuid.v4();
+const userId = uuid.v4();
+
 //
 // mocks are in place, create the router
 //
@@ -82,7 +86,7 @@ describe(`${basePath}`, () => {
 });
 
 describe(`${basePath}/:userId`, () => {
-  const path = `${basePath}/:userId`;
+  const path = `${basePath}/${userId}`;
 
   describe('GET', () => {
     it('should return 200', async () => {
@@ -234,7 +238,7 @@ describe(`${basePath}/preferences`, () => {
 });
 
 describe(`${basePath}/preferences/forms/:formId`, () => {
-  const path = `${basePath}/preferences/forms/:formId`;
+  const path = `${basePath}/preferences/forms/${formId}`;
 
   describe('DELETE', () => {
     it('should return 204', async () => {