diff --git a/k4ever/api2/decorators.py b/k4ever/api2/decorators.py
index e90c59f..9d60333 100644
--- a/k4ever/api2/decorators.py
+++ b/k4ever/api2/decorators.py
@@ -73,8 +73,9 @@ def requirePlugin(apiFunc): if request.user: group = request.user.groups.get(name="Plugin") # no exception, exec apiFunc!
+ request.plugin = Plugin.objects.get(user=request.user)
 return apiFunc(self, request, *args, **kwargs)
- except Groups.DoesNotExist:
+ except Group.DoesNotExist:
 pass
 ret = rc.FORBIDDEN
diff --git a/k4ever/api2/handlers.py b/k4ever/api2/handlers.py
index 0baf20d..fe2c79c 100644
--- a/k4ever/api2/handlers.py
+++ b/k4ever/api2/handlers.py
@@ -136,6 +136,26 @@ class AuthBlobHandler(BaseHandler): # model = pass
+class AuthUserHandler(BaseHandler):
+ allowed_methods = ('GET')
+ fields = ('id', 'username')
+
+ @requirePlugin
+ def read(self, request):
+ if not request.plugin.uniqueAuthblob:
+ ret = rc.BAD_REQUEST
+ ret.write("\nThis plugin does not support unique auth blobs, therefore we can't identify an user uniquely by its authblob\n")
+ return ret
+
+ if not request.GET.has_key('authblob'):
+ return rc.BAD_REQUEST
+
+ try:
+ perm = PluginPermission.objects.get(plugin=request.plugin, authblob=request.GET['authblob'])
+ return perm.user
+ except PluginPermission.DoesNotExist:
+ return rc.NOT_FOUND
+
 class ConfigHandler(BaseHandler): allowed_methods = ('GET',)
diff --git a/k4ever/api2/urls.py b/k4ever/api2/urls.py
index 52ea539..c61a026 100644
--- a/k4ever/api2/urls.py
+++ b/k4ever/api2/urls.py
@@ -22,6 +22,7 @@ accountBalanceRes = CsrfExemptResource(handler=AccountBalanceHandler, **ad)
 authBlobRes = CsrfExemptResource(handler=AuthBlobHandler, **ad)
+authUserRes = CsrfExemptResource(handler=AuthUserHandler, **ad)
 configRes = CsrfExemptResource(handler=ConfigHandler, **ad)
@@ -37,6 +38,7 @@ urlpatterns = patterns('',
 url(r'account/balance/?$', accountBalanceRes),
 url(r'auth/blob/?$', authBlobRes),
+ url(r'auth/user/?$', authUserRes),
 url(r'config/?$', configRes),
 ) 
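Review bot: The added `request.plugin = Plugin.objects.get(user=request.user)` runs inside a `try` whose only handler is `Group.DoesNotExist`, so a user who is in the Plugin group but has no Plugin row raises `Plugin.DoesNotExist` and the request ends in an unhandled exception instead of `rc.FORBIDDEN`. Widen the handler to `except (Group.DoesNotExist, Plugin.DoesNotExist):` so both missing membership and missing plugin fall through to the forbidden response. `if request.user:` is also true for Django's AnonymousUser (it is an ordinary object), so the gate presumably relies on the group lookup failing for anonymous callers; `request.user.is_authenticated()` would make the intent explicit. requirePlugin begins and ends outside the hunk, and its context lines are collapsed in this rendering, so the indentation of the new line cannot be checked here.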
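Review bot: `PluginPermission.objects.get(plugin=request.plugin, authblob=request.GET['authblob'])` in AuthUserHandler.read accepts an empty string, and because `authblob` defaults to `''` in the model, a request with `?authblob=` resolves to whichever user allowed the plugin without ever setting a blob — and raises `MultipleObjectsReturned` (an unhandled exception) as soon as two such users exist, since `uniqueAuthblob` is a flag rather than a database constraint. Reject empty blobs before the lookup and catch the duplicate case: `blob = request.GET.get('authblob')`, `if not blob: return rc.BAD_REQUEST`, `except (PluginPermission.DoesNotExist, PluginPermission.MultipleObjectsReturned): return rc.NOT_FOUND`. The blob is effectively a credential that identifies the user, so carrying it in the query string leaves it in access logs and proxy caches; a POST body or header would be the safer transport. `allowed_methods = ('GET')` is a plain string, not the one-tuple `('GET',)` that ConfigHandler uses below. Because no `model` is declared on the handler, confirm that piston applies `fields = ('id', 'username')` to the returned User and does not serialize the password hash along with it.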
diff --git a/k4ever/main/models.py b/k4ever/main/models.py
index 27f20be..107363e 100644
--- a/k4ever/main/models.py
+++ b/k4ever/main/models.py
@@ -19,12 +19,21 @@ def createUserProfile(sender, instance, created, **kwargs):
 post_save.connect(createUserProfile, sender=User)
 class Plugin(models.Model):
- name = models.CharField(max_length=40)
 user = models.ForeignKey(User, unique=True)
+
+ # plugin info
+ name = models.CharField(max_length=40)
 author = models.CharField(max_length=40)
 version = models.CharField(max_length=40)
 descr = models.TextField(default='')
+
+ # plugin config
 uniqueAuthblob = models.BooleanField(default=False)
+ userCanWriteAuthblob = models.BooleanField(default=True)
+ # automatically set when write is allowed
+ userCanReadAuthblob = models.BooleanField(default=True)
+ pluginCanWriteAuthblob = models.BooleanField(default=False)
+ pluginCanReadAuthblob = models.BooleanField(default=False)
 def __unicode__(self):
 return self.name
@@ -32,7 +41,7 @@ class Plugin(models.Model):
 class PluginPermission(models.Model):
 user = models.ForeignKey(User)
 plugin = models.ForeignKey('Plugin')
- authBlob = models.TextField(default='')
+ authblob = models.TextField(default='')
 def __unicode__(self):
 return "%s allows %s" % (self.user, self.plugin)
diff --git a/k4ever/main/templates/main/startpage.html b/k4ever/main/templates/main/startpage.html
index 33d9986..e327d96 100644
--- a/k4ever/main/templates/main/startpage.html
+++ b/k4ever/main/templates/main/startpage.html
@@ -4,7 +4,7 @@ {% if allMost %} Am beliebtesten ist:
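Review bot: The comment `# automatically set when write is allowed` above `userCanReadAuthblob` describes behaviour the model does not implement — nothing in the hunk forces the read flag on when `userCanWriteAuthblob` is True, so an administrator can configure write-without-read, and the settings template presumably still takes the write branch and shows the edit form. Either drop the comment or enforce it in a `save()` override on Plugin that sets `if self.userCanWriteAuthblob: self.userCanReadAuthblob = True` before delegating to `models.Model.save`. Likewise `uniqueAuthblob` is only advisory: no constraint rejects two PluginPermission rows for the same plugin with equal non-empty `authblob` values, so code that resolves a user by `(plugin, authblob)` can hit `MultipleObjectsReturned`; a check in `PluginPermission.save()` against `self.plugin.uniqueAuthblob` would enforce the flag where the data is written. `pluginCanWriteAuthblob` and `pluginCanReadAuthblob` are introduced here but nothing in this commit reads them, which deserves a comment naming the intended consumer so they are not mistaken for enforced policy.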

{% for buyable in allMost %} - {{ buyable.buyable__name }} ( {{ buyable.num_buys }} mal)
+ {{ buyable.buyable__name }} ( {{ buyable.num_buys }} mal)
{% endfor %}
{% else %} @@ -15,7 +15,7 @@ {% if usersMost %} Am oeftesten hattest du:

{% for buyable in usersMost %} - {{ buyable.buyable__name }} ( {{ buyable.num_buys }} mal)
+ {{ buyable.buyable__name }} ( {{ buyable.num_buys }} mal)
{% endfor %}
{% else %} @@ -26,7 +26,7 @@ {% if usersLast %} Als letztes hattest du:

{% for buyable in usersLast %} - {{ buyable.buyable__name }}
+ {{ buyable.buyable__name }}
{% endfor %}
{% else %}
diff --git a/k4ever/main/templates/settings/settings.html b/k4ever/main/templates/settings/settings.html
index 0206990..2559542 100644
--- a/k4ever/main/templates/settings/settings.html
+++ b/k4ever/main/templates/settings/settings.html
@@ -9,89 +9,57 @@

Plugin Berechtigungen


-

-

- - -
-

-

- - - - - - - {% if pluginpermissions %} - {% for pperm in pluginpermissions %} - {% if pperm.plugin in plugins %} - end test - {% endif %} - - - - - {% endfor %} - {% else %} - - - + {% if pluginerror %} + {{ pluginerror|safe }} + {% endif %} + {% if pluginmsg %} + {{ pluginmsg|safe }} {% endif %} -
NameAuthBlobOptionen
{{ pperm.plugin }} -
- - -
-
-
- -
-
-
Du hast bisher keinem Plugin zugriff auf deinen Account gewährt
- Perms {{ pluginpermissions }}
-

-

Second Idea for Plugin interface

-

+ + + - - - {% if pluginpermissions %} - {% for plugin in plugins %} - - - - - {% endfor %} - {% else %} - - - - {% endif %} + {% for p in permissions %} + + + + + + + + + {% endfor %} + {% for plugin in unallowed %} + + + + + + + + + {% endfor %} +
NameAuthorVersionBeschreibung AuthBlobOptionen
{{ plugin }} - {%if plugin not in unallowedplugins %} -
- - -
- {%endif%} -
-
- {%if plugin in unallowedplugins %} - - {%else%} - - {%endif%} -
-
+ Erlauben/Verbieten
Du hast bisher keinem Plugin zugriff auf deinen Account gewährt
{{ p.plugin.name }}{{ p.plugin.author }}{{ p.plugin.version }}{{ p.plugin.descr }} + {% if p.plugin.userCanWriteAuthblob %} +
+ {% csrf_token %} + + +
+ {% else %} + {% if p.plugin.userCanReadAuthblob %} + {{ p.authblob }} + {% else %} + --- + {% endif %} + {% endif %} +
Plugin verbieten
{{ plugin.name }}{{ plugin.author }}{{ plugin.version }}{{ plugin.descr }} Plugin erlauben

{% endblock %}
diff --git a/k4ever/main/urls.py b/k4ever/main/urls.py
index 780a285..6115090 100644
--- a/k4ever/main/urls.py
+++ b/k4ever/main/urls.py
@@ -11,4 +11,7 @@ urlpatterns = patterns('', {'template_name': 'registration/logout.html', 'next_page': '/user/login/'}),
 (r'^settings/$', 'main.views.settings'),
+ #plugin stuff
+ (r'^settings/plugin/(?P(?:allow|deny))/(?P\d+)/$', 'main.views.pluginPermission'),
+ (r'^settings/plugin/authblob/(?P\d+)/$', 'main.views.pluginAuthblob'),
 )
diff --git a/k4ever/main/views.py b/k4ever/main/views.py
index b0f2776..f41e176 100644
--- a/k4ever/main/views.py
+++ b/k4ever/main/views.py
@@ -2,6 +2,7 @@ from django.shortcuts import render_to_response
 from django.template import RequestContext
 from django.contrib.auth.decorators import login_required
 from django.db.models import Count
+from django.http import HttpResponseRedirect
 from main.models import Plugin, PluginPermission 
@@ -12,17 +13,84 @@ def startpage(request): ''' Diese Funktion wird wahrscheinlich viel Last erzeugen, da sie ueber mehrere Tabellen joined,filtered und wieder reduced. '''
- allMost = Purchase.objects.filter(isDeposit=False).values('buyable__name').annotate(num_buys=Count('buyable')).order_by('-num_buys')
- usersMost = Purchase.objects.filter(isDeposit=False).values('buyable__name').filter(order__user=request.user.id).annotate(num_buys=Count('buyable')).order_by('-num_buys')
- usersLast = Purchase.objects.filter(isDeposit=False).values('buyable__name').filter(order__user=request.user.id).order_by('-order__dateTime')
+ allMost = Purchase.objects.filter(isDeposit=False).values('buyable__name', 'buyable__id').annotate(num_buys=Count('buyable')).order_by('-num_buys')
+ usersMost = Purchase.objects.filter(isDeposit=False).values('buyable__name','buyable__id').filter(order__user=request.user.id).annotate(num_buys=Count('buyable')).order_by('-num_buys')
+ usersLast = Purchase.objects.filter(isDeposit=False).values('buyable__name','buyable__id').filter(order__user=request.user.id).order_by('-order__dateTime')
 return render_to_response("main/startpage.html", {'allMost' : allMost,'usersMost': usersMost, 'usersLast' : usersLast}, RequestContext(request))
 def register(request):
 return render_to_response("registration/register.html", RequestContext(request))
-@login_required
-def settings(request):
+
+def getPluginDict(request):
 plugins = Plugin.objects.all()
+ allowed = Plugin.objects.filter(pluginpermission__user=request.user)
 unallowed = Plugin.objects.exclude(pluginpermission__user=request.user)
 perms = PluginPermission.objects.filter(user=request.user)
- return render_to_response("settings/settings.html", {'plugins': plugins, 'unallowedplugins': unallowed, 'pluginpermissions': perms}, RequestContext(request))
+
+ return {'plugins': plugins, 'allowed': allowed, 'unallowed': unallowed, 'permissions': perms}
+
+@login_required
+def settings(request):
+ return 
render_to_response("settings/settings.html", getPluginDict(request), RequestContext(request))
+
+@login_required
+def pluginPermission(request, method, pluginId):
+ plugin = None
+ try:
+ plugin = Plugin.objects.get(id=pluginId)
+ except Plugin.DoesNotExist:
+ d = getPluginDict(request)
+ d['pluginerror'] = "Ein Plugin mit der angegebenen ID existiert nicht"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+
+ if method == "allow":
+ try:
+ p = PluginPermission.objects.get(user=request.user, plugin=plugin)
+ d = getPluginDict(request)
+ d['pluginerror'] = "Dieses Plugin wurde bereits erlaubt"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+ except PluginPermission.DoesNotExist:
+ p = PluginPermission(user=request.user, plugin=plugin)
+ p.save()
+ else:
+ try:
+ p = PluginPermission.objects.get(user=request.user, plugin=plugin)
+ p.delete()
+ except PluginPermission.DoesNotExist:
+ d = getPluginDict(request)
+ d['pluginerror'] = "Keine Berechtigungen für dieses Plugin gefunden - kann also auch nicht zurückgezogen werden"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+ return HttpResponseRedirect("/user/settings/")
+
+@login_required
+def pluginAuthblob(request, pluginId):
+ if request.method != "POST":
+ return HttpResponseRedirect("/user/settings/")
+ plugin = None
+ try:
+ plugin = Plugin.objects.get(id=pluginId)
+ except Plugin.DoesNotExist:
+ d = getPluginDict(request)
+ d['pluginerror'] = "Ein Plugin mit der angegebenen ID existiert nicht"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+
+ p = None
+ try:
+ p = PluginPermission.objects.get(user=request.user, plugin=plugin)
+ except PluginPermission.DoesNotExist:
+ d = getPluginDict(request)
+ d['pluginerror'] = "Vor dem editieren vom Authblob muss das Plugin ersteinmal erlaubt werden"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+
+ if 
not p.plugin.userCanWriteAuthblob or not request.POST.has_key("authblob"):
+ d = getPluginDict(request)
+ d['pluginerror'] = "Der Authblob darf für dieses Plugin nicht vom User verändert werden (oder der Authblob war kaputt)"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+
+ p.authblob = request.POST['authblob']
+ p.save()
+ d = getPluginDict(request)
+ d['pluginmsg'] = "Authblob erfolgreich geändert"
+ return render_to_response("settings/settings.html", d, RequestContext(request))
+
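Review bot: `pluginPermission` creates or deletes a PluginPermission on any request method, and the allow/deny route added in main/urls.py is reached from plain links in settings.html, so a cross-site request to that URL (a link or image on another page) grants or revokes a plugin's access to the logged-in user's account; `@login_required` does not defend against this. Mirror what `pluginAuthblob` already does — `if request.method != "POST": return HttpResponseRedirect("/user/settings/")` at the top of the view — and turn the allow/deny links into POST forms carrying `{% csrf_token %}`, assuming CsrfViewMiddleware is active, which the token in the authblob form suggests. The error paths that call `getPluginDict`, set `pluginerror` and re-render are repeated five times across the two views and would read better as one helper such as `_settingsWithError(request, msg)`. The literal redirect target `"/user/settings/"` appears three times; `reverse('main.views.settings')` keeps it tied to the URLconf. In the `allow` branch the `try` fetches `p` only to discard it, so `PluginPermission.objects.filter(user=request.user, plugin=plugin).exists()` states the duplicate check more directly.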