From 67e4272f3ecc46d11e43c30d8d35bd0e655210f1 Mon Sep 17 00:00:00 2001 
From: Marcin Kurczewski Date: Sun, 4 May 2014 16:27:15 +0200 Subject: [PATCH] Changes to privilege system --- src/Access.php | 25 +++++++----- src/Api/Api.php | 40 +++++++++++-------- src/Api/Jobs/AcceptUserRegistrationJob.php | 2 +- src/Api/Jobs/AddCommentJob.php | 2 +- src/Api/Jobs/AddPostJob.php | 2 +- src/Api/Jobs/AddUserJob.php | 2 +- src/Api/Jobs/DeleteCommentJob.php | 6 +-- src/Api/Jobs/DeletePostJob.php | 6 +-- src/Api/Jobs/DeleteUserJob.php | 6 +-- src/Api/Jobs/EditCommentJob.php | 6 +-- src/Api/Jobs/EditPostContentJob.php | 6 +-- src/Api/Jobs/EditPostRelationsJob.php | 6 +-- src/Api/Jobs/EditPostSafetyJob.php | 6 +-- src/Api/Jobs/EditPostSourceJob.php | 6 +-- src/Api/Jobs/EditPostTagsJob.php | 6 +-- src/Api/Jobs/EditPostThumbJob.php | 6 +-- src/Api/Jobs/EditPostUrlJob.php | 6 +-- src/Api/Jobs/EditUserAccessRankJob.php | 6 +-- src/Api/Jobs/EditUserEmailJob.php | 6 +-- src/Api/Jobs/EditUserJob.php | 40 ++++++++++++++++--- src/Api/Jobs/EditUserNameJob.php | 6 +-- src/Api/Jobs/EditUserPasswordJob.php | 6 +-- src/Api/Jobs/FeaturePostJob.php | 6 +-- src/Api/Jobs/FlagPostJob.php | 6 +-- src/Api/Jobs/FlagUserJob.php | 6 +-- src/Api/Jobs/GetLogJob.php | 2 +- src/Api/Jobs/GetPostContentJob.php | 27 ++++++++----- src/Api/Jobs/GetPostJob.php | 17 ++++---- src/Api/Jobs/GetPostThumbJob.php | 5 +-- src/Api/Jobs/GetUserJob.php | 6 +-- src/Api/Jobs/ListCommentsJob.php | 2 +- src/Api/Jobs/ListLogsJob.php | 2 +- src/Api/Jobs/ListPostsJob.php | 2 +- src/Api/Jobs/ListTagsJob.php | 2 +- src/Api/Jobs/ListUsersJob.php | 2 +- src/Api/Jobs/MergeTagsJob.php | 2 +- src/Api/Jobs/PreviewCommentJob.php | 2 +- src/Api/Jobs/RenameTagsJob.php | 2 +- src/Api/Jobs/ScorePostJob.php | 6 +-- src/Api/Jobs/TogglePostFavoriteJob.php | 6 +-- src/Api/Jobs/TogglePostTagJob.php | 6 +-- src/Api/Jobs/TogglePostVisibilityJob.php | 6 +-- src/Api/Jobs/ToggleUserBanJob.php | 6 +-- src/Controllers/PostController.php | 12 +++--- src/Controllers/TagController.php | 6 +-- src/Controllers/UserController.php | 
25 +++++++----- src/Models/Enums/Privilege.php | 9 +++++ .../SearchParsers/CommentSearchParser.php | 2 +- src/Models/SearchParsers/PostSearchParser.php | 2 +- src/Views/comment-small.phtml | 8 ++-- src/Views/layout-normal.phtml | 2 +- src/Views/post-edit.phtml | 32 +++++++-------- src/Views/post-list-wrapper.phtml | 12 ++---- src/Views/post-list.phtml | 2 +- src/Views/post-view.phtml | 30 +++++++------- src/Views/tag-list-wrapper.phtml | 16 ++++++-- src/Views/top-navigation.phtml | 18 +++++---- src/Views/user-edit.phtml | 18 ++++----- src/Views/user-settings.phtml | 4 +- src/Views/user-view.phtml | 30 +++++++------- 60 files changed, 286 insertions(+), 266 deletions(-) diff --git a/src/Access.php b/src/Access.php index 1086e91c..b16bd0e6 100644 --- a/src/Access.php +++ b/src/Access.php @@ -32,7 +32,7 @@ class Access } } - public static function check($privilege, $subPrivilege = null) + public static function check(Privilege $privilege) { if (php_sapi_name() == 'cli') return true; @@ -40,7 +40,7 @@ class Access $user = Auth::getCurrentUser(); $minAccessRank = AccessRank::Nobody; - $key = TextCaseConverter::convert(Privilege::toString($privilege), + $key = TextCaseConverter::convert(Privilege::toString($privilege->primary), TextCaseConverter::CAMEL_CASE, TextCaseConverter::SPINAL_CASE); @@ -48,9 +48,9 @@ class Access { $minAccessRank = self::$privileges[$key]; } - if ($subPrivilege != null) + if ($privilege->secondary != null) { - $key2 = $key . '.' . strtolower($subPrivilege); + $key2 = $key . '.' . strtolower($privilege->secondary); if (isset(self::$privileges[$key2])) { $minAccessRank = self::$privileges[$key2]; 
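Review bot: In `Access::check()` (hunk `@@ -48,9 +48,9 @@`) a secondary privilege only takes effect when its key is configured: if `self::$privileges[$key2]` is not set, `$minAccessRank` keeps the rank of the base key. A restrictive qualifier such as `'hidden'` is therefore granted at the base rank whenever the configuration lacks that entry, and this commit relies on that lookup more heavily because several callers stop asserting the base privilege separately. The fallback should at least be documented at the `isset` check, for example `// no "$key.$secondary" entry configured: the base rank for $key applies`. The body of `check()` continues outside these hunks, so the final comparison against the user's rank is not visible here.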
@@ -63,20 +63,25 @@ class Access public static function assertAuthentication() { if (!Auth::isLoggedIn()) - throw new SimpleException('Not logged in'); + self::fail('Not logged in'); } - public static function assert($privilege, $subPrivilege = null) + public static function assert(Privilege $privilege) { - if (!self::check($privilege, $subPrivilege)) - throw new SimpleException('Insufficient privileges'); + if (!self::check($privilege)) + self::fail(); } public static function assertEmailConfirmation() { $user = Auth::getCurrentUser(); if (!$user->emailConfirmed) - throw new SimpleException('Need e-mail address confirmation to continue'); + self::fail('Need e-mail address confirmation to continue'); + } + + public static function fail($message = 'Insufficient privileges') + { + throw new SimpleException($message); } public static function getIdentity($user) @@ -93,7 +98,7 @@ class Access return array_filter(PostSafety::getAll(), function($safety) { - return Access::check(Privilege::ListPosts, PostSafety::toString($safety)) + return Access::check(new Privilege(Privilege::ListPosts, PostSafety::toString($safety))) and Auth::getCurrentUser()->hasEnabledSafety($safety); }); } diff --git a/src/Api/Api.php b/src/Api/Api.php index 48637c7c..40dc71e5 100644 --- a/src/Api/Api.php +++ b/src/Api/Api.php 
@@ -1,7 +1,7 @@ setArguments($jobArgs); $job->prepare(); - if (self::$checkPrivileges) - { - if ($job->requiresAuthentication()) - Access::assertAuthentication(); - - if ($job->requiresConfirmedEmail()) - Access::assertEmailConfirmation(); - - $p = $job->requiresPrivilege(); - list ($privilege, $subPrivilege) = is_array($p) - ? $p - : [$p, false]; - if ($privilege !== false) - Access::assert($privilege, $subPrivilege); - } + self::checkPrivileges($job); return $job->execute(); }); } + public static function checkPrivileges(AbstractJob $job) + { + if (!self::$checkPrivileges) + return; + + if ($job->requiresAuthentication()) + Access::assertAuthentication(); + + if ($job->requiresConfirmedEmail()) + Access::assertEmailConfirmation(); + + $privileges = $job->requiresPrivilege(); + if ($privileges !== false) + { + if (!is_array($privileges)) + $privileges = [$privileges]; + + foreach ($privileges as $privilege) + Access::assert($privilege); + } + } + public static function runMultiple($jobs) { $statuses = []; diff --git a/src/Api/Jobs/AcceptUserRegistrationJob.php b/src/Api/Jobs/AcceptUserRegistrationJob.php index 5d75b1c2..e1717c15 100644 --- a/src/Api/Jobs/AcceptUserRegistrationJob.php +++ b/src/Api/Jobs/AcceptUserRegistrationJob.php @@ -15,6 +15,6 @@ class AcceptUserRegistrationJob extends AbstractUserJob public function requiresPrivilege() { - return Privilege::AcceptUserRegistration; + return new Privilege(Privilege::AcceptUserRegistration); } } diff --git a/src/Api/Jobs/AddCommentJob.php b/src/Api/Jobs/AddCommentJob.php index d3c29416..504421a9 100644 --- a/src/Api/Jobs/AddCommentJob.php +++ b/src/Api/Jobs/AddCommentJob.php @@ -23,7 +23,7 @@ class AddCommentJob extends AbstractJob public function requiresPrivilege() { - return Privilege::AddComment; + return new Privilege(Privilege::AddComment); } public function requiresAuthentication() diff --git a/src/Api/Jobs/AddPostJob.php b/src/Api/Jobs/AddPostJob.php index 6557c3b8..ed12409e 100644 
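Review bot: `Api::checkPrivileges()` asserts nothing when `requiresPrivilege()` returns an empty array: `false` is the explicit opt-out in `if ($privileges !== false)`, but `[]` falls through the `foreach` without a single `Access::assert()` call. Jobs that build their list conditionally, as `GetPostJob` does in this commit, would run unguarded if a later edit left that list empty. Failing closed is cheap here, for example `if (empty($privileges)) Access::fail();` placed after the array normalisation. A short docblock should also state that the method must run after `prepare()`, because several `requiresPrivilege()` implementations read `$this->post` or `$this->user`.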
--- a/src/Api/Jobs/AddPostJob.php +++ b/src/Api/Jobs/AddPostJob.php @@ -55,7 +55,7 @@ class AddPostJob extends AbstractJob public function requiresPrivilege() { - return Privilege::UploadPost; + return new Privilege(Privilege::UploadPost); } public function requiresConfirmedEmail() diff --git a/src/Api/Jobs/AddUserJob.php b/src/Api/Jobs/AddUserJob.php index 537f0c25..46450322 100644 --- a/src/Api/Jobs/AddUserJob.php +++ b/src/Api/Jobs/AddUserJob.php @@ -43,6 +43,6 @@ class AddUserJob extends AbstractJob public function requiresPrivilege() { - return Privilege::RegisterAccount; + return new Privilege(Privilege::RegisterAccount); } } diff --git a/src/Api/Jobs/DeleteCommentJob.php b/src/Api/Jobs/DeleteCommentJob.php index 45bb83c1..5e1532a8 100644 --- a/src/Api/Jobs/DeleteCommentJob.php +++ b/src/Api/Jobs/DeleteCommentJob.php @@ -21,11 +21,9 @@ class DeleteCommentJob extends AbstractJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::DeleteComment, - Access::getIdentity($this->comment->getCommenter()) - ]; + Access::getIdentity($this->comment->getCommenter())); } public function requiresAuthentication() diff --git a/src/Api/Jobs/DeletePostJob.php b/src/Api/Jobs/DeletePostJob.php index 0271e3ef..85e2bc49 100644 --- a/src/Api/Jobs/DeletePostJob.php +++ b/src/Api/Jobs/DeletePostJob.php @@ -14,11 +14,9 @@ class DeletePostJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::DeletePost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } public function requiresAuthentication() diff --git a/src/Api/Jobs/DeleteUserJob.php b/src/Api/Jobs/DeleteUserJob.php index a657a263..80f27d20 100644 --- a/src/Api/Jobs/DeleteUserJob.php +++ b/src/Api/Jobs/DeleteUserJob.php 
@@ -15,10 +15,8 @@ class DeleteUserJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::DeleteUser, - Access::getIdentity($this->user) - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/EditCommentJob.php b/src/Api/Jobs/EditCommentJob.php index 6d5d097a..2c98fdec 100644 --- a/src/Api/Jobs/EditCommentJob.php +++ b/src/Api/Jobs/EditCommentJob.php @@ -25,11 +25,9 @@ class EditCommentJob extends AbstractJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditComment, - Access::getIdentity($this->comment->getCommenter()) - ]; + Access::getIdentity($this->comment->getCommenter())); } public function requiresAuthentication() diff --git a/src/Api/Jobs/EditPostContentJob.php b/src/Api/Jobs/EditPostContentJob.php index 16006b2f..a4d1ff57 100644 --- a/src/Api/Jobs/EditPostContentJob.php +++ b/src/Api/Jobs/EditPostContentJob.php @@ -20,10 +20,8 @@ class EditPostContentJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostFile, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostRelationsJob.php b/src/Api/Jobs/EditPostRelationsJob.php index d05d380a..06a999fe 100644 --- a/src/Api/Jobs/EditPostRelationsJob.php +++ b/src/Api/Jobs/EditPostRelationsJob.php @@ -35,10 +35,8 @@ class EditPostRelationsJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostRelations, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostSafetyJob.php b/src/Api/Jobs/EditPostSafetyJob.php index b86ca1a2..5fe25803 100644 --- a/src/Api/Jobs/EditPostSafetyJob.php +++ b/src/Api/Jobs/EditPostSafetyJob.php 
@@ -26,10 +26,8 @@ class EditPostSafetyJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostSafety, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostSourceJob.php b/src/Api/Jobs/EditPostSourceJob.php index f001033b..7dc6233c 100644 --- a/src/Api/Jobs/EditPostSourceJob.php +++ b/src/Api/Jobs/EditPostSourceJob.php @@ -26,10 +26,8 @@ class EditPostSourceJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostSource, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostTagsJob.php b/src/Api/Jobs/EditPostTagsJob.php index 32c56218..b82482f2 100644 --- a/src/Api/Jobs/EditPostTagsJob.php +++ b/src/Api/Jobs/EditPostTagsJob.php @@ -34,10 +34,8 @@ class EditPostTagsJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostTags, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostThumbJob.php b/src/Api/Jobs/EditPostThumbJob.php index 59e12b3e..9f83f4f3 100644 --- a/src/Api/Jobs/EditPostThumbJob.php +++ b/src/Api/Jobs/EditPostThumbJob.php @@ -21,10 +21,8 @@ class EditPostThumbJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostThumb, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditPostUrlJob.php b/src/Api/Jobs/EditPostUrlJob.php index faa3f33d..a357cf4f 100644 --- a/src/Api/Jobs/EditPostUrlJob.php +++ b/src/Api/Jobs/EditPostUrlJob.php 
@@ -21,10 +21,8 @@ class EditPostUrlJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostFile, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/EditUserAccessRankJob.php b/src/Api/Jobs/EditUserAccessRankJob.php index a94974c1..5b3de9b1 100644 --- a/src/Api/Jobs/EditUserAccessRankJob.php +++ b/src/Api/Jobs/EditUserAccessRankJob.php @@ -26,10 +26,8 @@ class EditUserAccessRankJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ChangeUserEmail, - Access::getIdentity($this->user), - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/EditUserEmailJob.php b/src/Api/Jobs/EditUserEmailJob.php index af3f82a7..5c5f56be 100644 --- a/src/Api/Jobs/EditUserEmailJob.php +++ b/src/Api/Jobs/EditUserEmailJob.php @@ -41,10 +41,8 @@ class EditUserEmailJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ChangeUserAccessRank, - Access::getIdentity($this->user), - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/EditUserJob.php b/src/Api/Jobs/EditUserJob.php index 8b5b1729..418dece3 100644 --- a/src/Api/Jobs/EditUserJob.php +++ b/src/Api/Jobs/EditUserJob.php @@ -1,19 +1,42 @@ user; - - LogHelper::bufferChanges(); - - $subJobs = + $this->subJobs = [ new EditUserAccessRankJob(), new EditUserNameJob(), new EditUserPasswordJob(), new EditUserEmailJob(), ]; + } + + public function canEditAnything($user) + { + $this->privileges = []; + foreach ($this->subJobs as $subJob) + { + try + { + $subJob->user = $user; + Api::checkPrivileges($subJob); + return true; + } + catch (SimpleException $e) + { + } + } + return false; + } + + public function execute() + { + $user = $this->user; + + LogHelper::bufferChanges(); foreach ($subJobs as $subJob) { 
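Review bot: `EditUserAccessRankJob::requiresPrivilege()` still guards a rank change with `Privilege::ChangeUserEmail`, and `EditUserEmailJob` in the next file guards an e-mail change with `Privilege::ChangeUserAccessRank`; the two constants look swapped. The commit carries both over unchanged into the new `Privilege` objects. If a deployment lets users change their own e-mail at a lower rank than it requires for changing access ranks, the rank job becomes reachable with the weaker privilege. The fix is `new Privilege(Privilege::ChangeUserAccessRank, Access::getIdentity($this->user))` here and `Privilege::ChangeUserEmail` in `EditUserEmailJob`.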
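Review bot: `EditUserJob::execute()` still loops over the local `$subJobs` (`foreach ($subJobs as $subJob)`), but this hunk moves the list to `$this->subJobs`, so the loop reads an undefined variable and no sub-job would run; it should be `foreach ($this->subJobs as $subJob)`. In `canEditAnything()` the assignment `$this->privileges = [];` is never read, and the empty `catch (SimpleException $e)` needs a comment saying the swallow is deliberate, e.g. `// denied for this sub-job; try the next one`. With `requiresPrivilege()` returning `false` in the following hunk, authorization depends entirely on how the loop body runs each sub-job, and that body is outside the hunk. The start of the file is missing from the hunk as shown, so where `$this->subJobs` is assigned cannot be confirmed.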
@@ -31,4 +54,9 @@ class EditUserJob extends AbstractUserJob LogHelper::flush(); return $user; } + + public function requiresPrivilege() + { + return false; + } } diff --git a/src/Api/Jobs/EditUserNameJob.php b/src/Api/Jobs/EditUserNameJob.php index fe57b3c9..56342c83 100644 --- a/src/Api/Jobs/EditUserNameJob.php +++ b/src/Api/Jobs/EditUserNameJob.php @@ -27,10 +27,8 @@ class EditUserNameJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ChangeUserName, - Access::getIdentity($this->user), - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/EditUserPasswordJob.php b/src/Api/Jobs/EditUserPasswordJob.php index d2c59d1b..9e5964be 100644 --- a/src/Api/Jobs/EditUserPasswordJob.php +++ b/src/Api/Jobs/EditUserPasswordJob.php @@ -26,10 +26,8 @@ class EditUserPasswordJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ChangeUserPassword, - Access::getIdentity($this->user), - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/FeaturePostJob.php b/src/Api/Jobs/FeaturePostJob.php index 7adab319..5af7afa7 100644 --- a/src/Api/Jobs/FeaturePostJob.php +++ b/src/Api/Jobs/FeaturePostJob.php @@ -18,11 +18,9 @@ class FeaturePostJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::FeaturePost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } public function requiresAuthentication() diff --git a/src/Api/Jobs/FlagPostJob.php b/src/Api/Jobs/FlagPostJob.php index f9d89241..c09e716f 100644 --- a/src/Api/Jobs/FlagPostJob.php +++ b/src/Api/Jobs/FlagPostJob.php 
@@ -21,10 +21,8 @@ class FlagPostJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::FlagPost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/FlagUserJob.php b/src/Api/Jobs/FlagUserJob.php index 876a4498..74365e19 100644 --- a/src/Api/Jobs/FlagUserJob.php +++ b/src/Api/Jobs/FlagUserJob.php @@ -21,10 +21,8 @@ class FlagUserJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::FlagUser, - Access::getIdentity($this->user) - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/GetLogJob.php b/src/Api/Jobs/GetLogJob.php index 12edcc7f..a82aa7ff 100644 --- a/src/Api/Jobs/GetLogJob.php +++ b/src/Api/Jobs/GetLogJob.php @@ -41,6 +41,6 @@ class GetLogJob extends AbstractPageJob public function requiresPrivilege() { - return Privilege::ViewLog; + return new Privilege(Privilege::ViewLog); } } diff --git a/src/Api/Jobs/GetPostContentJob.php b/src/Api/Jobs/GetPostContentJob.php index 22a9ae8c..96eff85f 100644 --- a/src/Api/Jobs/GetPostContentJob.php +++ b/src/Api/Jobs/GetPostContentJob.php @@ -1,16 +1,16 @@ post = PostModel::findByName($this->getArgument(self::POST_NAME)); + } + public function execute() { - $post = PostModel::findByName($this->getArgument(self::POST_NAME)); - - //todo: refactor this so that requiresPrivilege can accept multiple privileges - if ($post->hidden) - Access::assert(Privilege::RetrievePost, 'hidden'); - Access::assert(Privilege::RetrievePost); - Access::assert(Privilege::RetrievePost, PostSafety::toString($post->safety)); - + $post = $this->post; $config = getConfig(); $path = $config->main->filesPath . DS . $post->name; 
@@ -32,7 +32,14 @@ class GetPostContentJob extends AbstractJob public function requiresPrivilege() { - //temporarily enforced in execute - return false; + $post = $this->post; + $privileges = []; + + if ($post->hidden) + $privileges []= new Privilege(Privilege::ViewPost, 'hidden'); + + $privileges []= new Privilege(Privilege::ViewPost, PostSafety::toString($post->safety)); + + return $privileges; } } diff --git a/src/Api/Jobs/GetPostJob.php b/src/Api/Jobs/GetPostJob.php index 9927c582..898bda24 100644 --- a/src/Api/Jobs/GetPostJob.php +++ b/src/Api/Jobs/GetPostJob.php @@ -5,12 +5,6 @@ class GetPostJob extends AbstractPostJob { $post = $this->post; - //todo: refactor this so that requiresPrivilege can accept multiple privileges - if ($post->hidden) - Access::assert(Privilege::ViewPost, 'hidden'); - Access::assert(Privilege::ViewPost); - Access::assert(Privilege::ViewPost, PostSafety::toString($post->safety)); - CommentModel::preloadCommenters($post->getComments()); return $post; @@ -18,7 +12,14 @@ class GetPostJob extends AbstractPostJob public function requiresPrivilege() { - //temporarily enforced in execute - return false; + $post = $this->post; + $privileges = []; + + if ($post->hidden) + $privileges []= new Privilege(Privilege::ViewPost, 'hidden'); + + $privileges []= new Privilege(Privilege::ViewPost, PostSafety::toString($post->safety)); + + return $privileges; } } diff --git a/src/Api/Jobs/GetPostThumbJob.php b/src/Api/Jobs/GetPostThumbJob.php index c47d79c0..514372e1 100644 --- a/src/Api/Jobs/GetPostThumbJob.php +++ b/src/Api/Jobs/GetPostThumbJob.php 
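Review bot: `GetPostContentJob::requiresPrivilege()` now checks `Privilege::ViewPost`, whereas the assertions removed from `execute()` in the previous hunk used `Privilege::RetrievePost`, so any rank configured for retrieving post files is no longer consulted. If the switch is intended it deserves a line in the commit message; if not, both `new Privilege(...)` lines should use `Privilege::RetrievePost`. The unqualified assertion is also dropped here and in `GetPostJob` and `GetPostThumbJob`, so the base rank stops acting as a floor wherever a safety-specific key is configured lower. `requiresPrivilege()` reads `$this->post`, so it only works once `prepare()` has run.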
@@ -19,9 +19,8 @@ class GetPostThumbJob extends AbstractJob $post = PostModel::findByIdOrName($name); if ($post->hidden) - Access::assert(Privilege::ListPosts, 'hidden'); - Access::assert(Privilege::ListPosts); - Access::assert(Privilege::ListPosts, PostSafety::toString($post->safety)); + Access::assert(new Privilege(Privilege::ListPosts, 'hidden')); + Access::assert(new Privilege(Privilege::ListPosts, PostSafety::toString($post->safety))); $post->generateThumb($width, $height); diff --git a/src/Api/Jobs/GetUserJob.php b/src/Api/Jobs/GetUserJob.php index 71405ab9..b7022a16 100644 --- a/src/Api/Jobs/GetUserJob.php +++ b/src/Api/Jobs/GetUserJob.php @@ -8,10 +8,8 @@ class GetUserJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ViewUser, - Access::getIdentity($this->user) - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Api/Jobs/ListCommentsJob.php b/src/Api/Jobs/ListCommentsJob.php index e1ea3e38..741c702d 100644 --- a/src/Api/Jobs/ListCommentsJob.php +++ b/src/Api/Jobs/ListCommentsJob.php @@ -27,6 +27,6 @@ class ListCommentsJob extends AbstractPageJob public function requiresPrivilege() { - return Privilege::ListComments; + return new Privilege(Privilege::ListComments); } } diff --git a/src/Api/Jobs/ListLogsJob.php b/src/Api/Jobs/ListLogsJob.php index 88dc0f27..48e0434f 100644 --- a/src/Api/Jobs/ListLogsJob.php +++ b/src/Api/Jobs/ListLogsJob.php @@ -19,6 +19,6 @@ class ListLogsJob extends AbstractJob public function requiresPrivilege() { - return Privilege::ListLogs; + return new Privilege(Privilege::ListLogs); } } diff --git a/src/Api/Jobs/ListPostsJob.php b/src/Api/Jobs/ListPostsJob.php index 7eed5fb6..eaa584ae 100644 --- a/src/Api/Jobs/ListPostsJob.php +++ b/src/Api/Jobs/ListPostsJob.php @@ -22,6 +22,6 @@ class ListPostsJob extends AbstractPageJob public function requiresPrivilege() { - return Privilege::ListPosts; + return new Privilege(Privilege::ListPosts); } } 
diff --git a/src/Api/Jobs/ListTagsJob.php b/src/Api/Jobs/ListTagsJob.php index f43d0109..00175e2f 100644 --- a/src/Api/Jobs/ListTagsJob.php +++ b/src/Api/Jobs/ListTagsJob.php @@ -20,6 +20,6 @@ class ListTagsJob extends AbstractPageJob public function requiresPrivilege() { - return Privilege::ListTags; + return new Privilege(Privilege::ListTags); } } diff --git a/src/Api/Jobs/ListUsersJob.php b/src/Api/Jobs/ListUsersJob.php index 4df5c1a5..a1991058 100644 --- a/src/Api/Jobs/ListUsersJob.php +++ b/src/Api/Jobs/ListUsersJob.php @@ -20,6 +20,6 @@ class ListUsersJob extends AbstractPageJob public function requiresPrivilege() { - return Privilege::ListUsers; + return new Privilege(Privilege::ListUsers); } } diff --git a/src/Api/Jobs/MergeTagsJob.php b/src/Api/Jobs/MergeTagsJob.php index 21dced09..b76c8b4e 100644 --- a/src/Api/Jobs/MergeTagsJob.php +++ b/src/Api/Jobs/MergeTagsJob.php @@ -20,6 +20,6 @@ class MergeTagsJob extends AbstractJob public function requiresPrivilege() { - return Privilege::MergeTags; + return new Privilege(Privilege::MergeTags); } } diff --git a/src/Api/Jobs/PreviewCommentJob.php b/src/Api/Jobs/PreviewCommentJob.php index 7e9e501a..bb1ad195 100644 --- a/src/Api/Jobs/PreviewCommentJob.php +++ b/src/Api/Jobs/PreviewCommentJob.php @@ -15,7 +15,7 @@ class PreviewCommentJob extends AbstractJob public function requiresPrivilege() { - return Privilege::AddComment; + return new Privilege(Privilege::AddComment); } public function requiresAuthentication() diff --git a/src/Api/Jobs/RenameTagsJob.php b/src/Api/Jobs/RenameTagsJob.php index f26c92a5..87d3209b 100644 --- a/src/Api/Jobs/RenameTagsJob.php +++ b/src/Api/Jobs/RenameTagsJob.php @@ -20,6 +20,6 @@ class RenameTagsJob extends AbstractJob public function requiresPrivilege() { - return Privilege::RenameTags; + return new Privilege(Privilege::RenameTags); } } diff --git a/src/Api/Jobs/ScorePostJob.php b/src/Api/Jobs/ScorePostJob.php index 4215d6f1..050df208 100644 --- a/src/Api/Jobs/ScorePostJob.php 
+++ b/src/Api/Jobs/ScorePostJob.php @@ -13,10 +13,8 @@ class ScorePostJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::ScorePost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/TogglePostFavoriteJob.php b/src/Api/Jobs/TogglePostFavoriteJob.php index 01fa29e3..03c7e46e 100644 --- a/src/Api/Jobs/TogglePostFavoriteJob.php +++ b/src/Api/Jobs/TogglePostFavoriteJob.php @@ -21,11 +21,9 @@ class TogglePostFavoriteJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::FavoritePost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } public function requiresAuthentication() diff --git a/src/Api/Jobs/TogglePostTagJob.php b/src/Api/Jobs/TogglePostTagJob.php index 1910514a..3ba88e91 100644 --- a/src/Api/Jobs/TogglePostTagJob.php +++ b/src/Api/Jobs/TogglePostTagJob.php @@ -52,10 +52,8 @@ class TogglePostTagJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::EditPostTags, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/TogglePostVisibilityJob.php b/src/Api/Jobs/TogglePostVisibilityJob.php index 7f13a386..6338920c 100644 --- a/src/Api/Jobs/TogglePostVisibilityJob.php +++ b/src/Api/Jobs/TogglePostVisibilityJob.php @@ -21,10 +21,8 @@ class TogglePostVisibilityJob extends AbstractPostJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::HidePost, - Access::getIdentity($this->post->getUploader()) - ]; + Access::getIdentity($this->post->getUploader())); } } diff --git a/src/Api/Jobs/ToggleUserBanJob.php b/src/Api/Jobs/ToggleUserBanJob.php index 1438c00b..1c68d142 100644 --- a/src/Api/Jobs/ToggleUserBanJob.php 
+++ b/src/Api/Jobs/ToggleUserBanJob.php @@ -19,10 +19,8 @@ class ToggleUserBanJob extends AbstractUserJob public function requiresPrivilege() { - return - [ + return new Privilege( Privilege::BanUser, - Access::getIdentity($this->user) - ]; + Access::getIdentity($this->user)); } } diff --git a/src/Controllers/PostController.php b/src/Controllers/PostController.php index 0eddadd2..9d940c64 100644 --- a/src/Controllers/PostController.php +++ b/src/Controllers/PostController.php @@ -31,11 +31,11 @@ class PostController $context->transport->lastSearchQuery = $query; if ($source == 'mass-tag') { - Access::assert(Privilege::MassTag); + Access::assert(new Privilege(Privilege::MassTag)); $context->massTagTag = $additionalInfo; $context->massTagQuery = $query; - if (!Access::check(Privilege::MassTag, 'all')) + if (!Access::check(new Privilege(Privilege::MassTag, 'all'))) $query = trim($query . ' submit:' . Auth::getCurrentUser()->name); } @@ -67,9 +67,9 @@ class PostController public function toggleTagAction($id, $tag, $enable) { - Access::assert( + Access::assert(new Privilege( Privilege::MassTag, - Access::getIdentity(PostModel::findById($id)->getUploader())); + Access::getIdentity(PostModel::findById($id)->getUploader()))); Api::run( new TogglePostTagJob(), @@ -113,7 +113,9 @@ class PostController public function editView($id) { - $post = PostModel::findByIdOrName($id); + $post = Api::run(new GetPostJob(), [ + GetPostJob::POST_ID => $id]); + $context = getContext()->transport->post = $post; } diff --git a/src/Controllers/TagController.php b/src/Controllers/TagController.php index b0049893..cb879c75 100644 --- a/src/Controllers/TagController.php +++ b/src/Controllers/TagController.php @@ -79,8 +79,6 @@ class TagController $context->viewName = 'tag-list-wrapper'; $context->handleExceptions = true; - Access::assert(Privilege::MergeTags); - Api::run( new MergeTagsJob(), [ 
@@ -103,8 +101,6 @@ class TagController $context->viewName = 'tag-list-wrapper'; $context->handleExceptions = true; - Access::assert(Privilege::MergeTags); - Api::run( new RenameTagsJob(), [ @@ -120,7 +116,7 @@ class TagController $context = getContext(); $context->viewName = 'tag-list-wrapper'; - Access::assert(Privilege::MassTag); + Access::assert(new Privilege(Privilege::MassTag)); if (!InputHelper::get('submit')) return; diff --git a/src/Controllers/UserController.php b/src/Controllers/UserController.php index b8c9a664..d25b3f90 100644 --- a/src/Controllers/UserController.php +++ b/src/Controllers/UserController.php @@ -27,6 +27,18 @@ class UserController $flagged = in_array(TextHelper::reprUser($user), SessionHelper::get('flagged', [])); + if ($tab == 'uploads') + $query = 'submit:' . $user->name; + elseif ($tab == 'favs') + $query = 'fav:' . $user->name; + + elseif ($tab == 'delete') + Access::assert(new Privilege(Privilege::DeleteUser)); + elseif ($tab == 'settings') + Access::assert(new Privilege(Privilege::ChangeUserSettings)); + elseif ($tab == 'edit' and !(new EditUserJob)->canEditAnything(Auth::getCurrentUser())) + Access::fail(); + $context = getContext(); $context->flagged = $flagged; $context->transport->tab = $tab; @@ -34,11 +46,6 @@ class UserController $context->handleExceptions = true; $context->viewName = 'user-view'; - if ($tab == 'uploads') - $query = 'submit:' . $user->name; - elseif ($tab == 'favs') - $query = 'fav:' . $user->name; - if (isset($query)) { $ret = Api::run( @@ -60,9 +67,9 @@ class UserController $user = getContext()->transport->user; - Access::assert( + Access::assert(new Privilege( Privilege::ChangeUserSettings, - Access::getIdentity($user)); + Access::getIdentity($user))); $suppliedSafety = InputHelper::get('safety'); if (!is_array($suppliedSafety)) 
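Review bot: The tab gates added in the `UserController` hunk `@@ -27,6 +27,18 @@` do not check the same thing as the jobs behind them: `new Privilege(Privilege::DeleteUser)` and `new Privilege(Privilege::ChangeUserSettings)` carry no identity, while `DeleteUserJob` and the settings action pass `Access::getIdentity($user)`. `canEditAnything(Auth::getCurrentUser())` likewise evaluates the viewer against their own account rather than the profile held in `$user`, so the 'edit' tab decision ignores whose profile is open. Passing the viewed user, e.g. `new Privilege(Privilege::DeleteUser, Access::getIdentity($user))` and `canEditAnything($user)`, would keep the view consistent with what the jobs enforce. The asserts now also run before `$context->handleExceptions = true;`, which may change how a denial is rendered; the method starts and ends outside the hunk.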
@@ -157,9 +164,9 @@ class UserController { $user = Auth::getCurrentUser(); - Access::assert( + Access::assert(new Privilege( Privilege::ChangeUserSettings, - Access::getIdentity($user)); + Access::getIdentity($user))); if (!in_array($safety, PostSafety::getAll())) throw new SimpleExcetpion('Invalid safety'); diff --git a/src/Models/Enums/Privilege.php b/src/Models/Enums/Privilege.php index 4f81040a..2c58cff1 100644 --- a/src/Models/Enums/Privilege.php +++ b/src/Models/Enums/Privilege.php @@ -44,4 +44,13 @@ class Privilege extends Enum const ListLogs = 32; const ViewLog = 33; + + public $primary; + public $secondary; + + public function __construct($primary, $secondary = null) + { + $this->primary = $primary; + $this->secondary = $secondary; + } } diff --git a/src/Models/SearchParsers/CommentSearchParser.php b/src/Models/SearchParsers/CommentSearchParser.php index 9df1f472..492005ba 100644 --- a/src/Models/SearchParsers/CommentSearchParser.php +++ b/src/Models/SearchParsers/CommentSearchParser.php @@ -11,7 +11,7 @@ class CommentSearchParser extends AbstractSearchParser $allowedSafety = Access::getAllowedSafety(); $crit->add(Sql\InFunctor::fromArray('post.safety', Sql\Binding::fromArray($allowedSafety))); - if (!Access::check(Privilege::ListPosts, 'hidden')) + if (!Access::check(new Privilege(Privilege::ListPosts, 'hidden'))) $crit->add(new Sql\NegationFunctor(new Sql\StringExpression('hidden'))); $this->statement->setCriterion($crit); diff --git a/src/Models/SearchParsers/PostSearchParser.php b/src/Models/SearchParsers/PostSearchParser.php index 3058a539..5fec6ca4 100644 --- a/src/Models/SearchParsers/PostSearchParser.php +++ b/src/Models/SearchParsers/PostSearchParser.php 
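Review bot: The context line `throw new SimpleExcetpion('Invalid safety');` in hunk `@@ -157,9 +164,9 @@` misspells the exception class, so an invalid `$safety` would end in a class-not-found error instead of the handled `SimpleException`; it should read `throw new SimpleException('Invalid safety');`. The membership test before it, `in_array($safety, PostSafety::getAll())`, compares loosely; if `$safety` comes from the request, as it appears to, cast it to the enum's type and use `in_array($safety, PostSafety::getAll(), true)`. Both lines are code the hunk only passes through, and the method starts and ends outside it.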
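Review bot: `Privilege` now acts as both the enum of constants and a value object, and the new `$primary` and `$secondary` fields are public, writable and unvalidated, so an instance returned by `requiresPrivilege()` can be altered before `Access::assert()` reads it. The constructor should get a docblock saying that `$primary` is one of the class constants and `$secondary` an optional qualifier string (the callers in this commit pass an identity from `Access::getIdentity()`, `'hidden'`, `'all'` or a `PostSafety` name). Rejecting an unknown `$primary` in the constructor would make mistakes fail at construction time rather than inside `Access::check()`; whether the `Enum` base class offers a validity check is not visible here.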
@@ -27,7 +27,7 @@ class PostSearchParser extends AbstractSearchParser if (Auth::getCurrentUser()->hasEnabledHidingDislikedPosts() and !$this->showDisliked) $this->processComplexToken('special', 'disliked', true); - if (!Access::check(Privilege::ListPosts, 'hidden') or !$this->showHidden) + if (!Access::check(new Privilege(Privilege::ListPosts, 'hidden')) or !$this->showHidden) $this->processComplexToken('special', 'hidden', true); foreach ($this->tags as $item) diff --git a/src/Views/comment-small.phtml b/src/Views/comment-small.phtml index 19071ce2..5b91bb43 100644 --- a/src/Views/comment-small.phtml +++ b/src/Views/comment-small.phtml @@ -36,9 +36,9 @@ Assets::addScript('comment-edit.js'); context->comment->commentDate, false) ?> - + Access::getIdentity($commenter)))): ?> Load: context->startTime) ?>s Queries:  szurubooru v - + Logs
diff --git a/src/Views/post-edit.phtml b/src/Views/post-edit.phtml index 34c912a5..4dbed190 100644 --- a/src/Views/post-edit.phtml +++ b/src/Views/post-edit.phtml @@ -12,9 +12,9 @@ id="edit-token" value="context->transport->post->getEditToken()) ?>"/> - context->transport->post->getUploader()))): ?> + Access::getIdentity($this->context->transport->post->getUploader())))): ?>
@@ -34,9 +34,9 @@
- context->transport->post->getUploader()))): ?> + Access::getIdentity($this->context->transport->post->getUploader())))): ?>
@@ -52,9 +52,9 @@
- context->transport->post->getUploader()))): ?> + context->transport->post->getUploader())))): ?>
@@ -67,9 +67,9 @@
- context->transport->post->getUploader()))): ?> + context->transport->post->getUploader())))): ?>
@@ -85,9 +85,9 @@
- context->transport->post->getUploader()))): ?> + context->transport->post->getUploader())))): ?>
@@ -104,9 +104,9 @@
- context->transport->post->getUploader()))): ?> + context->transport->post->getUploader())))): ?>
diff --git a/src/Views/post-list-wrapper.phtml b/src/Views/post-list-wrapper.phtml
index ff73c922..caf4f8f1 100644
--- a/src/Views/post-list-wrapper.phtml
+++ b/src/Views/post-list-wrapper.phtml
@@ -3,31 +3,25 @@ Assets::setSubTitle('posts');
 $tabs = [];
 $activeTab = 0;
-if (Access::check(Privilege::ListPosts))
+if (Access::check(new Privilege(Privilege::ListPosts)))
 $tabs []= ['All posts', \Chibi\Router::linkTo(['PostController', 'listView'])];
-if (Access::check(Privilege::ListPosts))
+if (Access::check(new Privilege(Privilege::ListPosts)))
 {
 $tabs []= ['Random', \Chibi\Router::linkTo(['PostController', 'randomView'])];
 if ($this->context->simpleActionName == 'random')
 $activeTab = count($tabs) - 1;
-}
-if (Access::check(Privilege::ListPosts))
-{
 $tabs []= ['Favorites', \Chibi\Router::linkTo(['PostController', 'favoritesView'])];
 if ($this->context->simpleActionName == 'favorites')
 $activeTab = count($tabs) - 1;
-}
-if (Access::check(Privilege::ListPosts))
-{
 $tabs []= ['Upvoted', \Chibi\Router::linkTo(['PostController', 'upvotedView'])];
 if ($this->context->simpleActionName == 'upvoted')
 $activeTab = count($tabs) - 1;
 }
-if (Access::check(Privilege::MassTag))
+if (Access::check(new Privilege(Privilege::MassTag)))
 {
 $tabs []= ['Mass tag', \Chibi\Router::linkTo(['PostController', 'listView'], [
 'source' => 'mass-tag',
diff --git a/src/Views/post-list.phtml b/src/Views/post-list.phtml
index 12c8c9f2..8893d0f3 100644
--- a/src/Views/post-list.phtml
+++ b/src/Views/post-list.phtml
@@ -5,7 +5,7 @@ Assets::addScript('post-list.js'); context->source) and $this->context->source == 'mass-tag'
- and Access::check(Privilege::MassTag)): ?>
+ and Access::check(new Privilege(Privilege::MassTag))): ?>
 context) ?>
diff --git a/src/Views/post-view.phtml b/src/Views/post-view.phtml
index d21da84e..a4526419 100644
--- a/src/Views/post-view.phtml
+++ b/src/Views/post-view.phtml
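Review bot: In src/Views/post-list-wrapper.phtml the first two conditions are now the same call, `Access::check(new Privilege(Privilege::ListPosts))`, evaluated twice in a row with a fresh object each time. Evaluating it once, `$canListPosts = Access::check(new Privilege(Privilege::ListPosts));`, and using that for both branches (or moving the 'All posts' entry into the braced block) keeps the tab list tied to a single decision. These checks only control which tabs are rendered; the matching enforcement in PostController for the random, favorites and upvoted views is not visible in this hunk and should be confirmed there.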
@@ -17,9 +17,9 @@ $editPostPrivileges = [ $editPostPrivileges = array_fill_keys($editPostPrivileges, false); foreach (array_keys($editPostPrivileges) as $privilege) { - if (Access::check( + if (Access::check(new Privilege( $privilege, - Access::getIdentity($this->context->transport->post->getUploader()))) + Access::getIdentity($this->context->transport->post->getUploader())))) $editPostPrivileges[$privilege] = true; } @@ -158,9 +158,9 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0; ['id' => $this->context->transport->post->id, 'score' => $score]); } ?> - context->transport->post->getUploader()))): ?> + Access::getIdentity($this->context->transport->post->getUploader())))): ?> context->score === 1): ?> @@ -202,9 +202,9 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0;
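Review bot: In src/Views/post-view.phtml the ownership argument `Access::getIdentity($this->context->transport->post->getUploader())` is recomputed on every iteration of the `foreach` in the first hunk, and is spelled out again in each later check of this file (the FlagPost, HidePost and DeletePost hunks) and in the post-edit.phtml hunks. Computing it once before the loop, `$uploaderIdentity = Access::getIdentity($this->context->transport->post->getUploader());`, and passing `new Privilege($privilege, $uploaderIdentity)` keeps every check in the view bound to the same subject. That makes it harder for a later edit to leave one of the checks comparing against a different user.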
- context->transport->post->getUploader()))): ?> + Access::getIdentity($this->context->transport->post->getUploader())))): ?>
context->favorite): ?> 0; context->transport->post->getUploader()))) + Access::getIdentity($this->context->transport->post->getUploader())))) { $options []= [ @@ -287,9 +287,9 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0; ]; } - if (Access::check( + if (Access::check(new Privilege( Privilege::FlagPost, - Access::getIdentity($this->context->transport->post->getUploader()))) + Access::getIdentity($this->context->transport->post->getUploader())))) { if ($this->context->flagged) { @@ -314,9 +314,9 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0; } } - if (Access::check( + if (Access::check(new Privilege( Privilege::HidePost, - Access::getIdentity($this->context->transport->post->getUploader()))) + Access::getIdentity($this->context->transport->post->getUploader())))) { if ($this->context->transport->post->hidden) { @@ -342,9 +342,9 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0; } } - if (Access::check( + if (Access::check(new Privilege( Privilege::DeletePost, - Access::getIdentity($this->context->transport->post->getUploader()))) + Access::getIdentity($this->context->transport->post->getUploader())))) { $options []= [ @@ -392,7 +392,7 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0;
- +
context) ?>
diff --git a/src/Views/tag-list-wrapper.phtml b/src/Views/tag-list-wrapper.phtml
index cfe8bd68..612c685b 100644
--- a/src/Views/tag-list-wrapper.phtml
+++ b/src/Views/tag-list-wrapper.phtml
@@ -3,10 +3,18 @@ Assets::setSubTitle('tags');
 Assets::addStylesheet('tag-list.css');
 $tabs = [];
-if (Access::check(Privilege::ListTags)) $tabs['list'] = ['List', 'listView'];
-if (Access::check(Privilege::RenameTags)) $tabs['rename'] = ['Rename', 'renameView'];
-if (Access::check(Privilege::MergeTags)) $tabs['merge'] = ['Merge', 'mergeView'];
-if (Access::check(Privilege::MassTag)) $tabs['mass-tag-redirect'] = ['Mass tag', 'massTagRedirectAction'];
+if (Access::check(new Privilege(Privilege::ListTags)))
+ $tabs['list'] = ['List', 'listView'];
+
+if (Access::check(new Privilege(Privilege::RenameTags)))
+ $tabs['rename'] = ['Rename', 'renameView'];
+
+if (Access::check(new Privilege(Privilege::MergeTags)))
+ $tabs['merge'] = ['Merge', 'mergeView'];
+
+if (Access::check(new Privilege(Privilege::MassTag)))
+ $tabs['mass-tag-redirect'] = ['Mass tag', 'massTagRedirectAction'];
+
 $showTabs = count($tabs) > 1;
 ?>
diff --git a/src/Views/top-navigation.phtml b/src/Views/top-navigation.phtml
index da463304..f62864d8 100644
--- a/src/Views/top-navigation.phtml
+++ b/src/Views/top-navigation.phtml
@@ -18,7 +18,7 @@ \Chibi\Router::linkTo(['StaticPagesController', 'mainPageView']),
 $activeController == 'static-pages' and $activeAction == 'main-page');
- if (Access::check(Privilege::ListPosts))
+ if (Access::check(new Privilege(Privilege::ListPosts)))
 {
 $registerNavItem(
 'Browse',
@@ -26,7 +26,7 @@ $activeController == 'post' and $activeAction != 'upload');
 }
- if (Access::check(Privilege::UploadPost))
+ if (Access::check(new Privilege(Privilege::UploadPost)))
 {
 $registerNavItem(
 'Upload',
@@ -34,7 +34,7 @@ $activeController == 'post' and $activeAction == 'upload');
 }
- if (Access::check(Privilege::ListComments))
+ if (Access::check(new Privilege(Privilege::ListComments)))
 {
 $registerNavItem(
 'Comments',
@@ -42,7 +42,7 @@ $activeController == 'comment');
 }
- if (Access::check(Privilege::ListTags))
+ if (Access::check(new Privilege(Privilege::ListTags)))
 {
 $registerNavItem(
 'Tags',
@@ -50,7 +50,7 @@ $activeController == 'tag');
 }
- if (Access::check(Privilege::ListUsers))
+ if (Access::check(new Privilege(Privilege::ListUsers)))
 {
 $registerNavItem(
 'Users',
@@ -104,13 +104,15 @@ } ?> - +