diff --git a/addressbook/inc/class.boaddressbook.inc.php b/addressbook/inc/class.boaddressbook.inc.php
index 85c7432f78..c61ffb92d7 100644
--- a/addressbook/inc/class.boaddressbook.inc.php
+++ b/addressbook/inc/class.boaddressbook.inc.php
@@ -21,7 +21,8 @@
 			'add_entry'       => True,
 			'add_vcard'       => True,
 			'add_email'       => True,
-			'update_entry'    => True
+			'update_entry'    => True,
+			'delete_entry'    => True,
 		);
 
 		var $xml_functions  = array();
@@ -60,29 +61,29 @@
 		var $filter;
 		var $cat_id;
 		var $total;
+		var $contact_cache = array();
 
 		var $use_session = False;
 
 		function boaddressbook($session=False)
 		{
 			$this->so = CreateObject('addressbook.soaddressbook');
-			$this->rights = $this->so->rights;
-			$this->grants = $this->so->grants;
+			$this->grants = &$this->so->grants;
 
 			if($session)
 			{
 				$this->read_sessiondata();
 				$this->use_session = True;
 			}
-			/* _debug_array($GLOBALS['HTTP_POST_VARS']); */
+			/* _debug_array($_POST); */
 			/* Might change this to '' at the end---> */
-			$_start   = $GLOBALS['HTTP_POST_VARS']['start']   ? $GLOBALS['HTTP_POST_VARS']['start']   : $GLOBALS['HTTP_GET_VARS']['start'];
-			$_query   = $GLOBALS['HTTP_POST_VARS']['query']   ? $GLOBALS['HTTP_POST_VARS']['query']   : $GLOBALS['HTTP_GET_VARS']['query'];
-			$_sort    = $GLOBALS['HTTP_POST_VARS']['sort']    ? $GLOBALS['HTTP_POST_VARS']['sort']    : $GLOBALS['HTTP_GET_VARS']['sort'];
-			$_order   = $GLOBALS['HTTP_POST_VARS']['order']   ? $GLOBALS['HTTP_POST_VARS']['order']   : $GLOBALS['HTTP_GET_VARS']['order'];
-			$_filter  = $GLOBALS['HTTP_POST_VARS']['filter']  ? $GLOBALS['HTTP_POST_VARS']['filter']  : $GLOBALS['HTTP_GET_VARS']['filter'];
-			$_cat_id  = $GLOBALS['HTTP_POST_VARS']['cat_id']  ? $GLOBALS['HTTP_POST_VARS']['cat_id']  : $GLOBALS['HTTP_GET_VARS']['cat_id'];
-			$_fcat_id = $GLOBALS['HTTP_POST_VARS']['fcat_id'] ? $GLOBALS['HTTP_POST_VARS']['fcat_id'] : $GLOBALS['HTTP_GET_VARS']['fcat_id'];
+			$_start   = get_var('start',array('POST','GET'));
+			$_query   = get_var('query',array('POST','GET'));
+			$_sort    = get_var('sort',array('POST','GET'));
+			$_order   = get_var('order',array('POST','GET'));
+			$_filter  = get_var('filter',array('POST','GET'));
+			$_cat_id  = get_var('cat_id',array('POST','GET'));
+			$_fcat_id = get_var('fcat_id',array('POST','GET'));
 
 			if(!empty($_start) || ($_start == '0') || ($_start == 0))
 			{
@@ -98,7 +99,7 @@
 				$this->query  = $_query;
 			}
 
-			if(isset($GLOBALS['HTTP_POST_VARS']['fcat_id']) || isset($GLOBALS['HTTP_POST_VARS']['fcat_id']))
+			if(isset($_POST['fcat_id']) || isset($_POST['fcat_id']))
 			{
 				$this->cat_id = $_fcat_id;
 			}
@@ -262,14 +263,22 @@
 
 		function read_entry($data)
 		{
-			$entry = $this->so->read_entry($data['id'],$data['fields']);
-			return $this->strip_html($entry);
+			if ($this->check_perms($data,PHPGW_ACL_DELETE))
+			{
+				$entry = $this->so->read_entry($data['id'],$data['fields']);
+				return $this->strip_html($entry);
+			}
+			return array(0 => array('No access' => 'No access'));
 		}
 
 		function read_last_entry($fields)
 		{
-			$entry = $this->so->read_last_entry($fields);
-			return $this->strip_html($entry);
+			if ($this->check_perms($fields,PHPGW_ACL_DELETE))
+			{
+				$entry = $this->so->read_last_entry($fields);
+				return $this->strip_html($entry);
+			}
+			return array(0 => array('No access' => 'No access'));
 		}
 
 		function add_vcard()
@@ -342,6 +351,20 @@
 
 		function add_entry($fields)
 		{
+			// setting some defaults, if not set eg. via xmlrpc
+			$fields['tid'] = trim($fields['tid']);
+			if(empty($fields['tid']))
+			{
+				$fields['tid'] = 'n';
+			}
+			if(!@$fields['owner'])
+			{
+				$fields['owner'] = $GLOBALS['phpgw_info']['user']['account_id'];
+			}
+			if(empty($fields['access']))
+			{
+				$fields['access'] = 'public';
+			}
 			return $this->so->add_entry($fields);
 		}
 
@@ -352,12 +375,47 @@
 
 		function update_entry($fields)
 		{
-			return $this->so->update_entry($fields);
+			if ($this->check_perms($fields,PHPGW_ACL_EDIT))
+			{
+				return $this->so->update_entry($fields);
+			}
+			return False;
 		}
 
-		function delete_entry($ab_id)
+		function delete_entry($addr)
 		{
-			return $this->so->delete_entry($ab_id);
+			$id = !is_array($addr) ? $addr : (isset($addr['id']) ? $addr['id'] : $addr['ab_id']);
+
+			if ($this->check_perms($id,PHPGW_ACL_DELETE))
+			{
+				return $this->so->delete_entry($id);
+			}
+			return False;
+		}
+
+		/*!
+		@function check_perms
+		@abstract checks if user has the necessary rights on the given address or address-id
+		@syntax check_perms($addr,$rights)
+		@param $addr mixed address-record with id and owner or addr-id
+		@param $rights integer PHPGW_ACL_{READ|EDIT|ADD|DELETE}
+		@return True if the user has the requested rights, else False
+		*/
+		function check_perms($addr,$rights)
+		{
+			$id = !is_array($addr) ? $addr : (isset($addr['id']) ? $addr['id'] : $addr['ab_id']);
+
+			if (!is_array($addr) || !isset($addr['owner']))
+			{
+				$a = $this->so->read_entry($id,array('owner'));
+				$owner = $a[0]['owner'];
+			}
+			else
+			{
+				$owner = $addr['owner'];
+			}
+			//echo "<p>boaddressbook::check_perms(id='$id',rights=$rights): grant[owner='$owner']='".$this->grants[$owner]."' => ".(($this->grants[$owner] & 4) ? 'True':'False')."</p>\n";
+			return !!($this->grants[$owner] & $rights);
 		}
 
 		function save_preferences($prefs,$other,$qfields,$fcat_id)
diff --git a/addressbook/inc/class.soaddressbook.inc.php b/addressbook/inc/class.soaddressbook.inc.php
index 73d25e7dc3..fadf89bbbb 100644
--- a/addressbook/inc/class.soaddressbook.inc.php
+++ b/addressbook/inc/class.soaddressbook.inc.php
@@ -21,39 +21,15 @@
 
 		function soaddressbook()
 		{
-			if(!isset($GLOBALS['owner']))
+			if (!is_object($GLOBALS['phpgw']->contacts))
 			{
-				$GLOBALS['owner'] = 0;
+				$GLOBALS['phpgw']->contacts = CreateObject('phpgwapi.contacts');
 			}
-			$owner = $GLOBALS['owner'];
+			$this->contacts = &$GLOBALS['phpgw']->contacts;
+			$this->grants = &$this->contacts->grants;
 
-			$this->contacts = CreateObject('phpgwapi.contacts');
-			$grants = $this->contacts->grants;
 			/* _debug_array($GLOBALS['phpgw_info']); */
 			/* _debug_array($grants); */
-
-			if(!isset($owner) || !$owner)
-			{
-				$owner = $GLOBALS['phpgw_info']['user']['account_id'];
-				/* echo $owner; */
-				$rights = PHPGW_ACL_READ + PHPGW_ACL_ADD + PHPGW_ACL_EDIT + PHPGW_ACL_DELETE + 16;
-				/* echo $rights; */
-			}
-			else
-			{
-				if($grants[$owner])
-				{
-					$rights = $grants[$owner];
-					if (!($rights & PHPGW_ACL_READ))
-					{
-						$owner = $GLOBALS['phpgw_info']['user']['account_id'];
-						$rights = PHPGW_ACL_READ + PHPGW_ACL_ADD + PHPGW_ACL_EDIT + PHPGW_ACL_DELETE + 16;
-					}
-				}
-			}
-			$this->rights = $rights;
-			$this->grants = $grants;
-			$this->owner  = $owner;
 		}
 
 		function read_entries($data)
@@ -71,89 +47,54 @@
 
 		function read_entry($id,$fields)
 		{
-			if ($this->rights & PHPGW_ACL_READ)
-			{
-				return $this->contacts->read_single_entry($id,$fields);
-			}
-			else
-			{
-				$rtrn = array(0 => array('No access' => 'No access'));
-				return $rtrn;
-			}
+			return $this->contacts->read_single_entry($id,$fields);
 		}
 
 		function read_last_entry($fields)
 		{
-			if ($this->rights & PHPGW_ACL_READ)
-			{
-				return $this->contacts->read_last_entry($fields);
-			}
-			else
-			{
-				$rtrn = array(0 => array('No access' => 'No access'));
-				return $rtrn;
-			}
+			return $this->contacts->read_last_entry($fields);
 		}
 
 		function add_entry($fields)
 		{
-			$fields['tid'] = trim($fields['tid']);
-			if(empty($fields['tid']))
-			{
-				$fields['tid'] = 'n';
-			}
-			if ($this->rights & PHPGW_ACL_ADD)
-			{
-				$ab_id  = $fields['ab_id'];
-				$owner  = $fields['owner'];
-				$access = $fields['access'];
-				$cat_id = $fields['cat_id'];
-				$tid    = $fields['tid'];
-				unset($fields['owner']);
-				unset($fields['access']);
-				unset($fields['cat_id']);
-				unset($fields['ab_id']);
-				unset($fields['tid']);
+			$owner  = $fields['owner'];
+			$access = $fields['access'];
+			$cat_id = $fields['cat_id'];
+			$tid    = $fields['tid'];
+			unset($fields['owner']);
+			unset($fields['access']);
+			unset($fields['cat_id']);
+			unset($fields['ab_id']);
+			unset($fields['tid']);
 
-				$id = $this->contacts->add($owner,$fields,$access,$cat_id,$tid);
-			}
-			return $id;
+			return $this->contacts->add($owner,$fields,$access,$cat_id,$tid);
 		}
 
 		function get_lastid()
 		{
 		 	$entry = $this->contacts->read_last_entry();
-			$id = $entry[0]['id'];
-			return $id;
+			return $entry[0]['id'];
 		}
 
 		function update_entry($fields)
 		{
-			if ($this->rights & PHPGW_ACL_EDIT)
-			{
-				$ab_id  = $fields['ab_id'];
-				$owner  = $fields['owner'];
-				$access = $fields['access'];
-				$cat_id = $fields['cat_id'];
-				$tid = $fields['tid'];
-				unset($fields['owner']);
-				unset($fields['access']);
-				unset($fields['cat_id']);
-				unset($fields['ab_id']);
-				unset($fields['tid']);
+			$ab_id  = $fields['ab_id'];
+			$owner  = $fields['owner'];
+			$access = $fields['access'];
+			$cat_id = $fields['cat_id'];
+			$tid = $fields['tid'];
+			unset($fields['owner']);
+			unset($fields['access']);
+			unset($fields['cat_id']);
+			unset($fields['ab_id']);
+			unset($fields['tid']);
 
-				$this->contacts->update($ab_id,$owner,$fields,$access,$cat_id,$tid);
-			}
-			return;
+			return $this->contacts->update($ab_id,$owner,$fields,$access,$cat_id,$tid);
 		}
 
-		function delete_entry($data)
+		function delete_entry($id)
 		{
-			if ($this->rights & PHPGW_ACL_DELETE)
-			{
-				$this->contacts->delete($data['id']);
-			}
-			return;
+			return $this->contacts->delete($id);
 		}
 	}
 ?>