diff --git a/index.php b/index.php
index 4ad5295eea..9cf87e204e 100755
--- a/index.php
+++ b/index.php
@@ -34,10 +34,20 @@ if(isset($_GET['hasupdates']) && $_GET['hasupdates'] == 'yes')
 /* This is the menuaction driver for the multi-layered design */
-if(isset($_GET['menuaction']) && preg_match('/^[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+$/',$_GET['menuaction']))
+if(isset($_GET['menuaction']) && preg_match('/^[A-Za-z0-9_]+\.[A-Za-z0-9_\\\\]+\.[A-Za-z0-9_]+$/',$_GET['menuaction']))
 {
 list($app,$class,$method) = explode('.',$_GET['menuaction']);
- if(! $app || ! $class || ! $method)
+
+ // check if autoloadable class belongs to given app
+ if (substr($class, 0, 11) == 'EGroupware\\')
+ {
+ list(,$app_from_class) = explode('\\', strtolower($class));
+ }
+ elseif(strpos($class, '_') !== false)
+ {
+ list($app_from_class) = explode('_', $class);
+ }
+ if(!$app || !$class || !$method || isset($app_from_class) && $app_from_class != $app)
 {
 $invalid_data = True;
 }
@@ -62,9 +72,6 @@ $GLOBALS['egw_info'] = array(
 ) );
 include('./header.inc.php');
-// check if users are supposed to change their password every x sdays, then check if password is of old age or the devil-admin reset the users password
-// and forced the user to change his password on next login.
-auth::check_password_age($app,$class,$method);
 // user changed timezone
 if (isset($_GET['tz']))
@@ -130,7 +137,14 @@ else
 $app = 'phpgwapi';
 }
- $obj = CreateObject($app.'.'.$class);
+ if (class_exists($class))
+ {
+ $obj = new $class;
+ }
+ else
+ {
+ $obj = CreateObject($app.'.'.$class);
+ }
 if((is_array($obj->public_functions) && $obj->public_functions[$method]) && !$invalid_data)
 {
 $obj->$method();
diff --git a/json.php b/json.php
index 8e727118a2..a3ce6283ef 100644
--- a/json.php
+++ b/json.php
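Review bot: In the first index.php hunk the app-ownership check is skipped for any class name that neither starts with the exact-case prefix `EGroupware\` nor contains an underscore, because `$app_from_class` is then never set. PHP treats class names case-insensitively and the widened pattern now admits backslashes, so a differently-cased or otherwise namespaced name passes validation without being tied to `$app`. I would match the prefix with `if (stripos($class, 'EGroupware\\') === 0)` and add `elseif (strpos($class, '\\') !== false) { $invalid_data = True; }` so unknown namespaces are rejected. The same case-sensitive `substr(...) == 'EGroupware\\'` test is in the json.php hunk, where a non-matching namespaced name falls through to the `explode('_', ...)` branch.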
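Review bot: In the third index.php hunk, `new $class` runs for any name that `class_exists()` can resolve, and it runs before the `public_functions` / `!$invalid_data` test on the following line, so a constructor executes even for a request that is about to be rejected. It also covers names for which the first hunk never set `$app_from_class`, so the class is not tied to `$app` at all. Restricting the direct path to names that passed the ownership check keeps the legacy `CreateObject()` behaviour for everything else: `if (!$invalid_data && isset($app_from_class) && class_exists($class))`. The surrounding block begins and ends outside the hunk.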
@@ -71,7 +71,15 @@ if (isset($_GET['menuaction']))
 if (strpos($_GET['menuaction'],'::') !== false && strpos($_GET['menuaction'],'.') === false) // static method name app_something::method
 {
 @list($className,$functionName,$handler) = explode('::',$_GET['menuaction']);
- list($appName) = explode('_',$className);
+
+ if (substr($className, 0, 11) == 'EGroupware\\')
+ {
+ list(,$appName) = explode('\\', strtolower($className));
+ }
+ else
+ {
+ list($appName) = explode('_',$className);
+ }
 }
 else
 {
diff --git a/phpgwapi/inc/class.egw.inc.php b/phpgwapi/inc/class.egw.inc.php
index a54f1e91e9..1608161f61 100644
--- a/phpgwapi/inc/class.egw.inc.php
+++ b/phpgwapi/inc/class.egw.inc.php
@@ -350,7 +350,7 @@ class egw extends egw_minimal
 {
 $this->currentapp = $GLOBALS['egw_info']['flags']['currentapp']; // some apps change it later
- if ($GLOBALS['egw_info']['flags']['currentapp'] != 'home') // give everyone implicit home rights
+ if (!in_array($GLOBALS['egw_info']['flags']['currentapp'], array('api', 'home'))) // give everyone implicit home rights
 {
 // This will need to use ACL in the future
 if (!$GLOBALS['egw_info']['user']['apps'][$currentapp = $GLOBALS['egw_info']['flags']['currentapp']] ||
diff --git a/phpgwapi/inc/common_functions.inc.php b/phpgwapi/inc/common_functions.inc.php
index 02ce94bc67..fef8ec4253 100755
--- a/phpgwapi/inc/common_functions.inc.php
+++ b/phpgwapi/inc/common_functions.inc.php
@@ -985,7 +985,7 @@ function get_var($variable,$method='any',$default_value='')
 * @param $p1,$p2,... class parameters (all optional)
 * @return object reference to an object
 */
-function &CreateObject($class)
+function CreateObject($class)
 {
 list($appname,$classname) = explode('.',$class);
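Review bot: In phpgwapi/inc/class.egw.inc.php the new condition exempts `api` from the app-rights check as well as `home`, but the trailing comment still says only "implicit home rights", and `in_array()` is called without strict comparison. With this exemption every user appears to pass the app check for `api`, so together with the namespaced-class dispatch in index.php the per-class `public_functions` list looks like the only remaining gate for classes in that app; that should be stated in a comment here. I would write `if (!in_array($GLOBALS['egw_info']['flags']['currentapp'], array('api', 'home'), true)) // everyone has implicit api and home rights`. The enclosing method starts and ends outside the hunk.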