diff --git a/lib/db.js b/lib/db.js index 8dcd4dc..6d4dcc1 100644 --- a/lib/db.js +++ b/lib/db.js @@ -29,7 +29,12 @@ function collection(db, model, fn) { module.exports = { find: ready(function(model) { - var query = model.toQuery() || {}; + var query = model.toQuery() || {} + , id = model.get('_id') + , _id = id && ObjectID(id) + ; + + if(_id) query._id = _id; collection(db, model, function(err, collection) { // TODO limit 1 for models, allow all for collections @@ -44,11 +49,15 @@ module.exports = { var query = model.toQuery() , changes = model.attributes , options = {safe: true, upsert: true} + , id = model.get('_id') + , _id = id && ObjectID(id) , callback = function(err, result) { model.refresh(changes); } ; + if(_id && query) query._id = _id; + collection(db, model, function(err, collection) { if(query) { collection.update(query, changes, options, callback); diff --git a/lib/model.js b/lib/model.js index e618ea2..a2b27c9 100644 --- a/lib/model.js +++ b/lib/model.js @@ -145,30 +145,12 @@ Model = module.exports = emitter.spawn({ var permissions = this.allowed , special = permissions.special , rights = permissions[action] - , requiresUser = action === 'create' && rights === 'user' + , requiresUser = rights === 'user' , actor = this.actor() , allowed = true , model = this ; - if(special) { - Object.getOwnPropertyNames(special).forEach(function(key) { - var perms = special[key] - , right = perms[action] - , allowed = group === 'public' || group === right || root - ; - - if(!allowed) { - if(action === 'read') { - // TODO build select object where {key: 0} - delete model.attributes[key]; - } else { - model.error('The current user cannot ' + action + ' the key: ', key, 'Not Allowed'); - } - } - }) - } - if(requiresUser && !actor) { model.error('Only logged in users can ' + action); fn(); 
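Review bot: In `find` in lib/db.js, `_id = id && ObjectID(id)` converts whatever `model.get('_id')` holds with no guard, and the driver's ObjectID constructor throws on a string that is not a valid id. The new `/user/:id` route in this commit feeds `req.param('id')` into `find`, so a malformed id from a client would raise inside the request path instead of producing a model error. I would wrap the conversion, e.g. `try { _id = id && ObjectID(id); } catch(e) { /* report via model.error(...) and stop */ }`, and make sure a rejected id does not fall through to `query` without the `_id` filter. The same conversion is added to the save path in the next hunk (`@@ -44,11 +49,15 @@`). The hunk does not show where `ObjectID` is brought into scope in this file, and `find` continues outside the hunk.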
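Review bot: In the save path (`@@ -44,11 +49,15 @@`), `query._id = _id` is combined with the existing `options = {safe: true, upsert: true}`, so a save carrying an `_id` that matches no document would insert a new document rather than fail. If `_id` can originate from request data, the client then chooses the `_id` of a created record. I would turn upsert off when an id is present, e.g. `if(_id && query) { query._id = _id; options.upsert = false; }`. The `callback` in the context lines also ignores `err`, so a failed update is still followed by `model.refresh(changes)`. The enclosing function starts and ends outside the hunk.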
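Review bot: Removing the `special` per-key block here (`@@ -145,30 +145,12 @@` in lib/model.js) moves it behind the `if(requiresUser && !actor)` exit, so stripping restricted keys on `read` (`delete model.attributes[key]`) now depends on execution reaching the code at `@@ -189,6 +171,24 @@`. Whether that later code runs when there is no actor is not visible in either hunk; if it sits in an actor-only branch, a logged-out read of a model with a public `read` right would return the restricted keys. I would record the invariant at the new location, e.g. `// per-key rules must run for every request, including those without an actor`, and add a test that reads a model with `special` keys while logged out.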
@@ -189,6 +171,24 @@ Model = module.exports = emitter.spawn({ , allowed = root || (groups && groups[rights]) || (requiresCreator && isCreator) ; + if(special) { + Object.getOwnPropertyNames(special).forEach(function(key) { + var perms = special[key] + , right = perms[action] + , allowed = right === 'public' || (groups && groups[right]) || root + ; + + if(!allowed) { + if(action === 'read') { + // TODO build select object where {key: 0} + delete model.attributes[key]; + } else { + model.error('The current user cannot ' + action + ' the key: ', key, 'Not Allowed'); + } + } + }) + } + if(requiresCreator && !isCreator) { model.error('The current user must be the creator to ' + action, 'Not Allowed'); } @@ -398,11 +398,18 @@ Model = module.exports = emitter.spawn({ }); -var spawn = module.exports.spawn; +var spawn = module.exports.spawn + , _models = {} +; + +module.exports.refreshSettings = function(collection) { + _models[collection].updateSettings(); +} module.exports.spawn = function(model) { var instance = spawn.apply(this, arguments); if(model && model.collection) { + _models[instance.collection] = instance; instance.updateSettings(); } return instance; diff --git a/lib/plugins/settings/index.js b/lib/plugins/settings/index.js index 4ff562c..52500c5 100644 --- a/lib/plugins/settings/index.js +++ b/lib/plugins/settings/index.js @@ -2,17 +2,10 @@ var app = require('../../app') , config = require('../../config').load() , Settings = require('./settings') , Setting = require('./setting') + , graph = require('../graph') + , Model = require('../../model') ; -app.post('/setting', function (req, res) { - Setting - .spawn() - .set(req.body) - .notify(res) - .save() - ; -}); - app.get('/settings', function(req, res) { Settings .spawn() 
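Review bot: The per-key check `allowed = right === 'public' || (groups && groups[right]) || root` has no case for `'creator'`, yet this commit adds `email: {read: 'creator'}` in lib/plugins/user/user.js, so unless `groups` happens to carry a `creator` entry the owner of a record is denied their own `email`. A key with no rule for the current action (`right === undefined`) is also treated as denied, which for non-read actions would call `model.error(...)` for every such key on every non-root request, whether or not the key is being changed. I would make both cases explicit, e.g. `, keyAllowed = root || right === 'public' || (groups && groups[right]) || (right === 'creator' && isCreator)`, and decide deliberately what a missing rule means. The inner `allowed` also shadows the outer `allowed` declared in the context line above, so a different name would avoid confusion. The enclosing function starts and ends outside the hunk.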
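Review bot: `refreshSettings` (`@@ -398,11 +398,18 @@`) dereferences `_models[collection]` without checking that an entry exists, and its only visible caller (lib/plugins/settings/index.js in this commit) passes `json.collection` from a settings POST, so an unknown collection name throws a TypeError inside the request callback. Because `_models` is a plain `{}`, names such as `constructor` resolve to inherited properties rather than `undefined`. I would create the registry with `_models = Object.create(null)` and guard the call: `var m = _models[collection]; if(m) m.updateSettings();`.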
@@ -26,9 +19,13 @@ app.post('/settings', function(req, res) { Settings .spawn() .for(req) - .find({name: req.body.name, plugin: req.body.name}) + .find({name: req.body.name, plugin: req.body.plugin}) .set(req.body) - .notify(res) + .notify(function(json) { + if(req.body.plugin === 'graph') graph.refresh(); + else if(json.collection) Model.refreshSettings(json.collection); + res.send(json); + }) .save() ; }); diff --git a/lib/plugins/user/index.js b/lib/plugins/user/index.js index 7d498e3..bacdc59 100644 --- a/lib/plugins/user/index.js +++ b/lib/plugins/user/index.js @@ -2,6 +2,7 @@ var app = require('../../app') , Group = require('./group') , User = require('./user') , Users = require('./users') + , ObjectID = require('mongodb').BSON ; function user(action, params, req, res) { @@ -42,8 +43,14 @@ app.del('/me', function(req, res) { if(u) user('remove', u, req, res); }); -app.get('/user/:email', function(req, res) { - user('fetch', {email: req.param('email')}, req, res); +app.get('/user/:id', function(req, res) { + User + .spawn() + .for(req) + .find({_id: req.param('id')}) + .notify(res) + .fetch() + ; }); app.post('/user/:email/group', function(req, res) { diff --git a/lib/plugins/user/user.js b/lib/plugins/user/user.js index 04a1e17..156ac3d 100644 --- a/lib/plugins/user/user.js +++ b/lib/plugins/user/user.js @@ -24,7 +24,8 @@ module.exports = Model.spawn({ remove: 'creator', create: 'public', special: { - groups: 'root' + groups: {read: 'public', write: 'root'}, + email: {read: 'creator'} } }, diff --git a/public/test/deployd.test.js b/public/test/deployd.test.js index f6cb787..4cd1473 100644 --- a/public/test/deployd.test.js +++ b/public/test/deployd.test.js 
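Review bot: `.find({name: req.body.name, plugin: req.body.plugin})` passes body values into the query without checking their type; if the body parser yields an object for either field, the database layer would receive it as a query document rather than a literal name. Coercing or rejecting up front keeps the lookup to exact matches, e.g. `.find({name: String(req.body.name), plugin: String(req.body.plugin)})`. The `notify` callback also calls `graph.refresh()` or `Model.refreshSettings(json.collection)` before looking at the outcome. If `json` can carry `errors` for a rejected save (the test file expects an `errors` field on responses), I would gate the refresh with `if(!json.errors)`.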
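Review bot: In lib/plugins/user/index.js, `, ObjectID = require('mongodb').BSON` binds the driver's `BSON` export under the name `ObjectID`, which is probably not the constructor the name suggests (the driver exposes that as `require('mongodb').ObjectID`). None of the visible hunks in this file use the variable. If id conversion is meant to happen in this file, change the line to `, ObjectID = require('mongodb').ObjectID`; otherwise drop it, since lib/db.js now performs the conversion.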
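Review bot: In lib/plugins/user/user.js, the rule `groups: {read: 'public', write: 'root'}` is keyed by `write`, while the action names visible in this permissions object are `remove` and `create`; the per-key check in lib/model.js looks up `perms[action]`, so a `write` rule is consulted only if some action is literally named `write`. As written the key still ends up root-only for other actions because a missing rule is treated as a denial, but that is incidental and would silently change if the default does. I would key the rule by the actual action names and document the intent, e.g. `// groups: membership is readable by anyone, changeable only by root`.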
@@ -33,16 +33,15 @@ var tests = { } }, - '2. find user by id': { - route: '/user/' + user.email, + '3. add a user to group': { + route: '/user/' + user.email + '/group', + data: {group: 'root'}, expect: { - _id: 'toExist', - password: 'toNotExist', errors: 'toNotExist' } }, - '3. login a user': { + '4. login a user': { route: '/user/login', data: user, expect: { @@ -56,7 +55,7 @@ var tests = { } }, - '4. get current user': { + '5. get current user': { route: '/me', expect: { email: user.email, @@ -66,7 +65,7 @@ var tests = { } }, - '5. searching users': { + '6. searching users': { route: '/search?type=users&find={"email": "skawful@gmail.com"}', expect: { results: 'toExist', @@ -110,15 +109,7 @@ var tests = { } }, - '10. add a user to group': { - route: '/user/' + user.email + '/group', - data: {group: 'root'}, - expect: { - errors: 'toNotExist' - } - }, - - '11. only 1 user per email': { + '10. only 1 user per email': { route: '/search/users', data: {email: user.email}, expect: { @@ -126,7 +117,7 @@ var tests = { } }, - '12. only 1 app per name': { + '11. only 1 app per name': { route: '/search/apps', data: {name: app.name}, expect: { @@ -134,15 +125,15 @@ var tests = { } }, - '13. only 1 user': { + '12. only 1 user': { route: '/search/users', data: {}, expect: { results: 'toContainOne' } - }, + } - // '14. delete a user': { + // '13. delete a user': { // route: '/me?method=delete', // expect: { // errors: 'toNotExist'
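Review bot: The 'add a user to group' case moves from step 10 to step 3, ahead of '4. login a user', and still expects `errors: 'toNotExist'` for `data: {group: 'root'}`; if the steps run in order and step 1 does not establish a session, the suite now asserts that a logged-out client can grant `root`. The same hunk deletes 'find user by id', the only visible check that a user lookup omits `password`, instead of pointing it at the new `/user/:id` route. I would keep the group step after login, add a logged-out variant that expects `errors: 'toExist'`, and restore the lookup case with `route: '/user/' + <id returned by step 1>` and `password: 'toNotExist'`. The remaining hunks in this file only renumber steps.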