diff --git a/model/repositories.py b/model/repositories.py
index b1273ca..b8f8823 100644
--- a/model/repositories.py
+++ b/model/repositories.py
@@ -59,15 +59,8 @@ class Repository(ModelItemBase):
 def gen_internalurl(self):
 return self.repotype.gen_internalurl( self.gen_subpath() )
- def can_write(self, user_id):
- if user_id:
- if self.user_id == self.rights.user_id:
- return True
- if self.rights.get_superuser(user_id):
- return True
- if self.rights.get(user_id, self.table(), self.id, self.manager.REPOWRITE):
- return True
- return False
+ def can_write(self):
+ return self.can_update() or self.rights.isallowed(self.table(), self.id, self.manager.REPOWRITE)
 def can_update(self):
 return self.user_id == self.rights.user_id or self.rights.issuperuser()
diff --git a/repoproxy.py b/repoproxy.py
index cff8fe8..6c835df 100644
--- a/repoproxy.py
+++ b/repoproxy.py
@@ -144,29 +144,30 @@ class RepoProxy:
 url = None
 with db.holder.Holder(request.server.dbpool, readonly = True) as connection:
 request.connection = connection
- request.model = Model(connection, Translator(), superuser = True)
+ request.model = Model(connection, Translator(), 0)
 user = None
 if login:
 user_id = request.model.users.check_password(login, password)
 if not user_id:
 return self.unauthorized()
+ request.model = Model(connection, Translator(), user_id)
 user = request.model.users.get_by_id(user_id)
 assert(user)
 owner = request.model.users.get_by_login( repoowner )
 if not owner:
- return self.forbidden()
+ return self.forbidden() if user else self.unauthorized()
 repo = request.model.repositories.get_by_name( owner, reponame )
 if not repo:
- return self.forbidden()
+ return self.forbidden() if user else self.unauthorized()
 writeaccess = repo.repotype.iswriteaccess(request, nextpath)
 if writeaccess:
- if not repo.can_write(user.id if user else 0):
- return self.unauthorized()
+ if not repo.can_write():
+ return self.forbidden() if user else self.unauthorized()
 url = repo.gen_internalurl()
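Review bot: The rewritten `can_write` in model/repositories.py drops the explicit anonymous guard the old body had (`if user_id:`), so the answer for an unauthenticated request now rests on `can_update()`'s `self.user_id == self.rights.user_id` comparison. If the rights context carries a falsy id for anonymous requests (repoproxy.py builds the model with `0` in this same commit) and a repository row can have an empty owner, that comparison would grant write; neither class is visible here, so this needs confirming. Putting `if not self.rights.user_id: return False` ahead of the return keeps the previous fail-closed behaviour. A one-line docstring stating that the check is made for the model's current user, not a caller-supplied id, would also help callers of the new signature.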
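Review bot: In repoproxy.py the identity the model runs under is now a bare third positional argument, `Model(connection, Translator(), 0)` and `Model(connection, Translator(), user_id)`, where the replaced call used a keyword. This argument selects the rights context for every later check in the handler, and `Model`'s signature is not part of this diff. Passing it by keyword would make a signature mismatch fail loudly instead of silently changing privileges. A comment such as `# anonymous rights until the password has been verified` on the first call would explain the `0`. The same applies to `Model(self.connection, self.answer, 0)` in request.py; the handler body starts and continues outside this hunk.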
diff --git a/request.py b/request.py
index c300796..b4bf64a 100644
--- a/request.py
+++ b/request.py
@@ -83,6 +83,7 @@ class Request:
 self.user = self.model.users.get_by_id(self.session.user_id)
 if not self.user:
 self.server.sessions.close_session(self)
+ self.model = Model(self.connection, self.answer, 0)
 def get_urlpath(self, path = None, domain = False):
 if path is None:
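Review bot: The added line in request.py has no comment saying why the model is rebuilt, and the reason is security-relevant: the session's user no longer exists, so the rest of the request should not run on a model still bound to that id. I would add `# session user no longer exists: continue with anonymous rights, not the stale user_id` above it. The enclosing method begins outside the hunk, so that the earlier model was built from `self.session.user_id` is inferred rather than visible.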