diff -r b28cf69f42e8 -r aced2245fb1c src/server/daemon/acl.c
--- a/src/server/daemon/acl.c	Thu Feb 28 20:00:05 2013 +0100
+++ b/src/server/daemon/acl.c	Fri Mar 01 21:15:52 2013 +0100
@@ -41,7 +41,10 @@
     rq->acllist = handle;
 }
 
-void acllist_append(Session *sn, Request *rq, ACLList *acl) {
+/*
+ * append or prepend an ACL
+ */
+void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
     if(!rq->acllist) {
         acllist_createhandle(sn, rq);
     }
@@ -58,31 +61,22 @@
         list->listhead = elm;
         list->listtail = elm;
     } else {
-        list->listtail->next = elm;
-        list->listtail = elm;
+        if(append) {
+            list->listtail->next = elm;
+            list->listtail = elm;
+        } else {
+            elm->next = list->listhead;
+            list->listhead = elm;
+        }
     }
 }
 
+void acllist_append(Session *sn, Request *rq, ACLList *acl) {
+    acllist_add(sn, rq, acl, 1);
+}
+
 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
-    if(!rq->acllist) {
-        acllist_createhandle(sn, rq);
-    }
-    ACLListHandle *list = rq->acllist;
-    
-    if(!list->defaultauthdb && acl->authdb) {
-        list->defaultauthdb = acl->authdb;
-    }
-    
-    ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
-    elm->acl = acl;
-    elm->next = NULL;
-    if(list->listhead == NULL) {
-        list->listhead = elm;
-        list->listtail = elm;
-    } else {
-        elm->next = list->listhead;
-        list->listhead = elm;
-    }
+    acllist_add(sn, rq, acl, 0);
 }
 
 
@@ -92,6 +86,10 @@
         return REQ_PROCEED;
     }
     
+    // we combine access_mask with the required access rights
+    access_mask = access_mask | rq->aclreqaccess;
+    
+    
     // get user
     User *user = NULL;
     if(list->defaultauthdb) {
@@ -105,6 +103,7 @@
             }
             if(!user->verify_password(user, pw)) {
                 // wrong password
+                user->free(user);
                 return REQ_ABORTED;
             }
             // ok - user is authenticated
@@ -128,57 +127,62 @@
                         rq->srvhdrs);
                 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
             }
+            user->free(user);
             return REQ_ABORTED;
         } 
         elm = elm->next;
     }
     
     // ok - all acls allowed access
+    user->free(user);
     return REQ_PROCEED;
 }
 
+int wsacl_affects_user(ACLEntry *ace, User *user) {
+    int check_access = 0;
+    
+    /*
+     * an ace can affect
+     *   a named user or group (ace->who is set)
+     *   the owner of the resource (ACL_OWNER is set)
+     *   the owning group of the resource (ACL_GROUP is set)
+     *   everyone (ACL_EVERYONE is set)
+     * 
+     * Only one of this conditions should be true. The behavior on
+     * illegal flag combination is undefined. We assume that the acls
+     * are created correctly by the configuration loader.
+     */
+    
+    if(ace->who && user) {
+        // this ace is defined for a named user or group
+        if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
+            if(user->check_group(user, ace->who)) {
+                // the user is in the group
+                check_access = 1;
+            }
+        } else {
+            if(!strcmp(user->name, ace->who)) {
+                check_access = 1;
+            }
+        }
+    } else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
+        // TODO
+    } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
+        // TODO
+    } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
+        check_access = 1;
+    }
+    
+    return check_access;
+}
+
 int wsacl_check(ACLList *acl, User *user, int access_mask) { 
     int allow = 0;
     uint32_t allowed_access = 0;
     // check each access control entry
     for(int i=0;i<acl->acenum;i++) {
-        ACLEntry *ace = acl->ace[i];
-        int check_access = 0;
-        
-        /*
-         * an ace can affect
-         *   a named user or group (ace->who is set)
-         *   the owner of the resource (ACL_OWNER is set)
-         *   the owning group of the resource (ACL_GROUP is set)
-         *   everyone (ACL_EVERYONE is set)
-         * 
-         * Only one of this conditions should be true. The behavior on
-         * illegal flag combination is undefined. We assume that the acls
-         * are created correctly by the configuration loader.
-         */
-        
-        if(ace->who && user) {
-            // this ace is defined for a named user or group
-            if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
-                if(user->check_group(user, ace->who)) {
-                    // the user is in the group
-                    check_access = 1;
-                }
-            } else {
-                if(!strcmp(user->name, ace->who)) {
-                    check_access = 1;
-                }
-            }
-        } else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
-            // TODO
-        } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
-            // TODO
-        } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
-            check_access = 1;
-        }
-        
-        
-        if(check_access) {
+        ACLEntry *ace = acl->ace[i];   
+        if(wsacl_affects_user(ace, user)) {
             if(ace->type == ACL_TYPE_ALLOWED) {
                 // add all new access rights 
                 allowed_access = allowed_access |