diff --git a/hooks.md b/hooks.md
new file mode 100644
index 0000000000..09f5493292
--- /dev/null
+++ b/hooks.md
@@ -0,0 +1,38 @@
+### List of Hooks
+
+#### Application Name and Details
+
+1. `app_name` - slugified name e.g. "webnotes"
+1. `app_title` - full title name e.g. "Web Notes"
+1. `app_publisher`
+1. `app_description`
+1. `app_version`
+1. `app_icon` - font-awesome icon or image url
+1. `app_color` - hex colour background of the app icon
+
+#### Install
+
+1. `before_install` - method
+1. `after_install` - method
+
+
+#### Javascript / CSS Builds
+
+1. `app_include_js` - include in "app"
+1. `app_include_css` - assets/webnotes/css/splash.css
+
+1. `web_include_js` - assets/js/webnotes-web.min.js
+1. `web_include_css` - assets/css/webnotes-web.css
+
+#### Desktop
+
+1. `get_desktop_icons` - method to get list of desktop icons
+
+#### Notifications
+
+1. `notification_config` - method to get notification configuration
+
+#### Permissions
+
+1. `permission_query_conditions:[doctype]` - method to return additional query conditions at time of report / list etc.
+1. `has_permission:[doctype]` - method to call permissions to check at individual level
diff --git a/webnotes/__init__.py b/webnotes/__init__.py
index 8c17e4c92d..6d41307682 100644
--- a/webnotes/__init__.py
+++ b/webnotes/__init__.py
@@ -393,7 +393,7 @@ def get_installed_apps():
 	installed = json.loads(conn.get_global("installed_apps") or "[]")
 	return installed
 
-def get_hooks(app_name=None):
+def get_hooks(hook=None, app_name=None):
 	def load_app_hooks(app_name=None):
 		hooks = {}
 		for app in [app_name] if app_name else get_installed_apps():
@@ -404,9 +404,14 @@ def get_hooks(app_name=None):
 				hooks[key].append(value)
 		return hooks
 	if app_name:
-		return _dict(load_app_hooks(app_name))
+		hooks = _dict(load_app_hooks(app_name))
 	else:
-		return _dict(cache().get_value("app_hooks", load_app_hooks))
+		hooks = _dict(cache().get_value("app_hooks", load_app_hooks))
+		
+	if hook:
+		return hooks.get(hook) or []
+	else:
+		return hooks
 
 def setup_module_map():
 	_cache = cache()
@@ -544,7 +549,7 @@ def set_filters(jenv):
 	
 	# load jenv_filters from hooks.txt
 	for app in get_all_apps(True):
-		for jenv_filter in (get_hooks(app).jenv_filter or []):
+		for jenv_filter in (get_hooks(app_name=app).jenv_filter or []):
 			filter_name, filter_function = jenv_filter.split(":")
 			jenv.filters[filter_name] = get_attr(filter_function)
 
diff --git a/webnotes/core/doctype/event/event.py b/webnotes/core/doctype/event/event.py
index 9180e57f2f..d64e940508 100644
--- a/webnotes/core/doctype/event/event.py
+++ b/webnotes/core/doctype/event/event.py
@@ -16,7 +16,7 @@ class DocType:
 		if self.doc.starts_on and self.doc.ends_on and self.doc.starts_on > self.doc.ends_on:
 			webnotes.msgprint(webnotes._("Event End must be after Start"), raise_exception=True)
 			
-def get_match_conditions():
+def get_permission_query_conditions():
 	return """(tabEvent.event_type='Public' or tabEvent.owner='%(user)s'
 		or exists(select * from `tabEvent User` where 
 			`tabEvent User`.parent=tabEvent.name and `tabEvent User`.person='%(user)s')
@@ -27,7 +27,26 @@ def get_match_conditions():
 			"user": webnotes.session.user,
 			"roles": "', '".join(webnotes.get_roles(webnotes.session.user))
 		}
-			
+
+def has_permission(doc):
+	if doc.event_type=="Public" or doc.owner==webnotes.session.user:
+		return True
+		
+	# need full doclist to check roles and users
+	bean = webnotes.bean("Event", doc.name)
+		
+	if len(bean.doclist)==1:
+		return False
+	
+	if bean.doclist.get({"doctype":"Event User", "person":webnotes.session.user}):
+		return True
+		
+	if bean.doclist.get({"doctype":"Event Role", "role":("in", webnotes.get_roles())}):
+		return True
+		
+	return False
+
+
 def send_event_digest():
 	today = nowdate()
 	for user in webnotes.conn.sql("""select name, email, language 
diff --git a/webnotes/core/doctype/event/test_event.py b/webnotes/core/doctype/event/test_event.py
new file mode 100644
index 0000000000..d831cca738
--- /dev/null
+++ b/webnotes/core/doctype/event/test_event.py
@@ -0,0 +1,67 @@
+# Copyright (c) 2013, Web Notes Technologies Pvt. Ltd. and Contributors
+# MIT License. See license.txt
+
+"""Use blog post test to test permission restriction logic"""
+
+test_records = [
+	[{
+		"doctype": "Event",
+		"subject":"_Test Event 1",
+		"starts_on": "2014-01-01",
+		"event_type": "Public",
+	}],
+	[{
+		"doctype": "Event",
+		"starts_on": "2014-01-01",
+		"subject":"_Test Event 2",
+		"event_type": "Private",
+	}],
+	[{
+		"doctype": "Event",
+		"starts_on": "2014-01-01",
+		"subject":"_Test Event 3",
+		"event_type": "Private",
+	}, {
+		"doctype": "Event User",
+		"parentfield": "event_individuals",
+		"person": "test1@example.com"
+	}],
+	
+]
+
+import webnotes
+import webnotes.defaults
+import unittest
+
+class TestEvent(unittest.TestCase):
+	# def setUp(self):
+	# 	profile = webnotes.bean("Profile", "test1@example.com")
+	# 	profile.get_controller().add_roles("Website Manager")
+
+	def tearDown(self):
+		webnotes.set_user("Administrator")
+
+	def test_allowed_public(self):
+		webnotes.set_user("test1@example.com")
+		doc = webnotes.doc("Event", webnotes.conn.get_value("Event", {"subject":"_Test Event 1"}))
+		self.assertTrue(webnotes.has_permission("Event", refdoc=doc))
+				
+	def test_not_allowed_private(self):
+		webnotes.set_user("test1@example.com")
+		doc = webnotes.doc("Event", webnotes.conn.get_value("Event", {"subject":"_Test Event 2"}))
+		self.assertFalse(webnotes.has_permission("Event", refdoc=doc))
+
+	def test_allowed_private_if_in_event_user(self):
+		webnotes.set_user("test1@example.com")
+		doc = webnotes.doc("Event", webnotes.conn.get_value("Event", {"subject":"_Test Event 3"}))
+		self.assertTrue(webnotes.has_permission("Event", refdoc=doc))
+		
+	def test_event_list(self):
+		webnotes.set_user("test1@example.com")
+		res = webnotes.get_list("Event", filters=[["Event", "subject", "like", "_Test Event%"]], fields=["name", "subject"])
+		self.assertEquals(len(res), 2)
+		subjects = [r.subject for r in res]
+		self.assertTrue("_Test Event 1" in subjects)
+		self.assertTrue("_Test Event 3" in subjects)
+		self.assertFalse("_Test Event 2" in subjects)
+	
\ No newline at end of file
diff --git a/webnotes/core/doctype/profile/profile.txt b/webnotes/core/doctype/profile/profile.txt
index d6cb31a1e5..a37cbbc3ac 100644
--- a/webnotes/core/doctype/profile/profile.txt
+++ b/webnotes/core/doctype/profile/profile.txt
@@ -2,7 +2,7 @@
  {
   "creation": "2013-03-07 11:54:44", 
   "docstatus": 0, 
-  "modified": "2014-01-22 16:05:34", 
+  "modified": "2014-01-23 13:27:37", 
   "modified_by": "Administrator", 
   "owner": "Administrator"
  }, 
@@ -30,8 +30,7 @@
   "name": "__common__", 
   "parent": "Profile", 
   "parentfield": "fields", 
-  "parenttype": "DocType", 
-  "permlevel": 0
+  "parenttype": "DocType"
  }, 
  {
   "cancel": 0, 
@@ -46,6 +45,13 @@
   "doctype": "DocType", 
   "name": "Profile"
  }, 
+ {
+  "doctype": "DocField", 
+  "fieldname": "sb0_5", 
+  "fieldtype": "Section Break", 
+  "label": "Personal Info", 
+  "permlevel": 0
+ }, 
  {
   "default": "1", 
   "doctype": "DocField", 
@@ -55,19 +61,16 @@
   "label": "Enabled", 
   "oldfieldname": "enabled", 
   "oldfieldtype": "Check", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
- {
-  "doctype": "DocField", 
-  "fieldname": "sb0_5", 
-  "fieldtype": "Section Break"
- }, 
  {
   "doctype": "DocField", 
   "fieldname": "unsubscribed", 
   "fieldtype": "Check", 
   "hidden": 1, 
-  "label": "Unsubscribed"
+  "label": "Unsubscribed", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
@@ -77,6 +80,7 @@
   "label": "Email", 
   "oldfieldname": "email", 
   "oldfieldtype": "Data", 
+  "permlevel": 0, 
   "reqd": 1, 
   "search_index": 0
  }, 
@@ -88,6 +92,7 @@
   "label": "First Name", 
   "oldfieldname": "first_name", 
   "oldfieldtype": "Data", 
+  "permlevel": 0, 
   "reqd": 1
  }, 
  {
@@ -96,7 +101,8 @@
   "fieldtype": "Data", 
   "label": "Middle Name (Optional)", 
   "oldfieldname": "middle_name", 
-  "oldfieldtype": "Data"
+  "oldfieldtype": "Data", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
@@ -105,13 +111,15 @@
   "in_list_view": 1, 
   "label": "Last Name", 
   "oldfieldname": "last_name", 
-  "oldfieldtype": "Data"
+  "oldfieldtype": "Data", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "column_break0", 
   "fieldtype": "Column Break", 
   "oldfieldtype": "Column Break", 
+  "permlevel": 0, 
   "print_width": "50%", 
   "width": "50%"
  }, 
@@ -121,7 +129,8 @@
   "fieldname": "language", 
   "fieldtype": "Select", 
   "label": "Language", 
-  "options": "Loading..."
+  "options": "Loading...", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
@@ -129,7 +138,8 @@
   "fieldtype": "Date", 
   "label": "Birth Date", 
   "oldfieldname": "birth_date", 
-  "oldfieldtype": "Date"
+  "oldfieldtype": "Date", 
+  "permlevel": 0
  }, 
  {
   "default": "System User", 
@@ -140,6 +150,7 @@
   "oldfieldname": "user_type", 
   "oldfieldtype": "Select", 
   "options": "System User\nWebsite User", 
+  "permlevel": 0, 
   "read_only": 1, 
   "reqd": 1
  }, 
@@ -151,19 +162,22 @@
   "oldfieldname": "gender", 
   "oldfieldtype": "Select", 
   "options": "\nMale\nFemale\nOther", 
+  "permlevel": 0, 
   "search_index": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "change_password", 
   "fieldtype": "Section Break", 
-  "label": "Set Password"
+  "label": "Set Password", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "new_password", 
   "fieldtype": "Password", 
-  "label": "New Password"
+  "label": "New Password", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
@@ -171,6 +185,7 @@
   "fieldtype": "Data", 
   "hidden": 1, 
   "label": "Reset Password Key", 
+  "permlevel": 0, 
   "print_hide": 1, 
   "read_only": 1
  }, 
@@ -179,45 +194,52 @@
   "doctype": "DocField", 
   "fieldname": "display_settings", 
   "fieldtype": "Section Break", 
-  "label": "Display Settings"
+  "label": "Display Settings", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "user_image", 
   "fieldtype": "Attach", 
   "hidden": 0, 
-  "label": "User Image"
+  "label": "User Image", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "background_image", 
   "fieldtype": "Attach", 
   "hidden": 0, 
-  "label": "Background Image"
+  "label": "Background Image", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "cb21", 
-  "fieldtype": "Column Break"
+  "fieldtype": "Column Break", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "user_image_show", 
   "fieldtype": "Image", 
   "label": "user_image_show", 
-  "options": "user_image"
+  "options": "user_image", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "short_bio", 
   "fieldtype": "Section Break", 
-  "label": "Short Bio"
+  "label": "Short Bio", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "bio", 
   "fieldtype": "Small Text", 
-  "label": "Bio"
+  "label": "Bio", 
+  "permlevel": 0
  }, 
  {
   "description": "Check / Uncheck roles assigned to the Profile. Click on the Role to find out what permissions that Role has.", 
@@ -225,6 +247,7 @@
   "fieldname": "sb1", 
   "fieldtype": "Section Break", 
   "label": "Roles", 
+  "permlevel": 1, 
   "read_only": 1
  }, 
  {
@@ -232,29 +255,34 @@
   "fieldname": "roles_html", 
   "fieldtype": "HTML", 
   "label": "Roles HTML", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "incoming_email_settings", 
   "fieldtype": "Section Break", 
-  "label": "Email Settings"
+  "label": "Email Settings", 
+  "permlevel": 1
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "cb18", 
-  "fieldtype": "Column Break"
+  "fieldtype": "Column Break", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "email_signature", 
   "fieldtype": "Small Text", 
-  "label": "Email Signature"
+  "label": "Email Signature", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "cb20", 
-  "fieldtype": "Column Break"
+  "fieldtype": "Column Break", 
+  "permlevel": 0
  }, 
  {
   "description": "Pull Emails from the Inbox and attach them as Communication records (for known contacts).", 
@@ -262,7 +290,8 @@
   "fieldname": "sync_inbox", 
   "fieldtype": "Check", 
   "hidden": 1, 
-  "label": "Sync Inbox"
+  "label": "Sync Inbox", 
+  "permlevel": 0
  }, 
  {
   "description": "POP3 Mail Server (e.g. pop.gmail.com)", 
@@ -270,28 +299,32 @@
   "fieldname": "email_host", 
   "fieldtype": "Data", 
   "hidden": 1, 
-  "label": "Email Host"
+  "label": "Email Host", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "email_use_ssl", 
   "fieldtype": "Check", 
   "hidden": 1, 
-  "label": "Email Use SSL"
+  "label": "Email Use SSL", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "email_login", 
   "fieldtype": "Data", 
   "hidden": 1, 
-  "label": "Email Login"
+  "label": "Email Login", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
   "fieldname": "email_password", 
   "fieldtype": "Password", 
   "hidden": 1, 
-  "label": "Email Password"
+  "label": "Email Password", 
+  "permlevel": 0
  }, 
  {
   "description": "These values will be automatically updated in transactions and also will be useful to restrict permissions for this user on transactions containing these values.", 
@@ -301,6 +334,7 @@
   "hidden": 1, 
   "label": "Defaults", 
   "oldfieldtype": "Column Break", 
+  "permlevel": 1, 
   "print_width": "50%", 
   "read_only": 1, 
   "width": "50%"
@@ -312,7 +346,8 @@
   "fieldtype": "Table", 
   "hidden": 1, 
   "label": "Profile Defaults", 
-  "options": "DefaultValue"
+  "options": "DefaultValue", 
+  "permlevel": 0
  }, 
  {
   "doctype": "DocField", 
@@ -320,6 +355,7 @@
   "fieldtype": "Section Break", 
   "label": "Security Settings", 
   "oldfieldtype": "Section Break", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
@@ -328,6 +364,7 @@
   "fieldname": "login_after", 
   "fieldtype": "Int", 
   "label": "Login After", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
@@ -336,6 +373,7 @@
   "fieldname": "login_before", 
   "fieldtype": "Int", 
   "label": "Login Before", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
@@ -344,6 +382,7 @@
   "fieldname": "restrict_ip", 
   "fieldtype": "Data", 
   "label": "Restrict IP", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
@@ -351,6 +390,7 @@
   "fieldname": "column_break1", 
   "fieldtype": "Column Break", 
   "oldfieldtype": "Column Break", 
+  "permlevel": 0, 
   "print_width": "50%", 
   "width": "50%"
  }, 
@@ -362,6 +402,7 @@
   "label": "Last Login", 
   "oldfieldname": "last_login", 
   "oldfieldtype": "Read Only", 
+  "permlevel": 0, 
   "read_only": 1, 
   "reqd": 0, 
   "search_index": 0
@@ -373,6 +414,7 @@
   "label": "Last IP", 
   "oldfieldname": "last_ip", 
   "oldfieldtype": "Read Only", 
+  "permlevel": 0, 
   "read_only": 1
  }, 
  {
@@ -382,6 +424,7 @@
   "hidden": 1, 
   "label": "Roles Assigned To User", 
   "no_copy": 0, 
+  "permlevel": 0, 
   "print_hide": 1, 
   "read_only": 1
  }, 
@@ -392,6 +435,7 @@
   "hidden": 1, 
   "label": "Roles Assigned", 
   "options": "UserRole", 
+  "permlevel": 0, 
   "print_hide": 1, 
   "read_only": 1
  }, 
@@ -417,19 +461,6 @@
   "role": "All", 
   "write": 0
  }, 
- {
-  "create": 0, 
-  "delete": 0, 
-  "doctype": "DocPerm", 
-  "email": 1, 
-  "permlevel": 0, 
-  "print": 1, 
-  "report": 1, 
-  "restricted": 1, 
-  "role": "All", 
-  "submit": 0, 
-  "write": 0
- }, 
  {
   "amend": 0, 
   "create": 0, 
diff --git a/webnotes/core/doctype/todo/todo.txt b/webnotes/core/doctype/todo/todo.txt
index e9482650cc..4d2e41a089 100644
--- a/webnotes/core/doctype/todo/todo.txt
+++ b/webnotes/core/doctype/todo/todo.txt
@@ -2,7 +2,7 @@
  {
   "creation": "2012-07-03 13:30:35", 
   "docstatus": 0, 
-  "modified": "2013-12-20 19:24:39", 
+  "modified": "2014-01-23 12:15:38", 
   "modified_by": "Administrator", 
   "owner": "Administrator"
  }, 
@@ -15,13 +15,13 @@
   "hide_heading": 0, 
   "hide_toolbar": 0, 
   "icon": "icon-check", 
-  "in_create": 1, 
+  "in_create": 0, 
   "in_dialog": 0, 
   "issingle": 0, 
   "max_attachments": 0, 
   "module": "Core", 
   "name": "__common__", 
-  "read_only": 1, 
+  "read_only": 0, 
   "read_only_onload": 0
  }, 
  {
@@ -34,6 +34,7 @@
  }, 
  {
   "create": 1, 
+  "delete": 0, 
   "doctype": "DocPerm", 
   "email": 1, 
   "name": "__common__", 
@@ -42,12 +43,20 @@
   "parenttype": "DocType", 
   "permlevel": 0, 
   "print": 1, 
-  "read": 1
+  "read": 1, 
+  "report": 1, 
+  "write": 1
  }, 
  {
   "doctype": "DocType", 
   "name": "ToDo"
  }, 
+ {
+  "doctype": "DocField", 
+  "fieldname": "description_and_status", 
+  "fieldtype": "Section Break", 
+  "label": "Description and Status"
+ }, 
  {
   "allow_on_submit": 0, 
   "doctype": "DocField", 
@@ -55,6 +64,7 @@
   "fieldtype": "Text", 
   "hidden": 0, 
   "in_filter": 0, 
+  "in_list_view": 1, 
   "label": "Description", 
   "no_copy": 0, 
   "oldfieldname": "description", 
@@ -66,6 +76,37 @@
   "search_index": 0, 
   "width": "300px"
  }, 
+ {
+  "doctype": "DocField", 
+  "fieldname": "column_break_2", 
+  "fieldtype": "Column Break"
+ }, 
+ {
+  "doctype": "DocField", 
+  "fieldname": "status", 
+  "fieldtype": "Select", 
+  "in_list_view": 1, 
+  "label": "Status", 
+  "options": "Open\nClosed"
+ }, 
+ {
+  "allow_on_submit": 0, 
+  "doctype": "DocField", 
+  "fieldname": "priority", 
+  "fieldtype": "Select", 
+  "hidden": 0, 
+  "in_filter": 0, 
+  "in_list_view": 1, 
+  "label": "Priority", 
+  "no_copy": 0, 
+  "oldfieldname": "priority", 
+  "oldfieldtype": "Data", 
+  "options": "High\nMedium\nLow", 
+  "print_hide": 0, 
+  "report_hide": 0, 
+  "reqd": 0, 
+  "search_index": 0
+ }, 
  {
   "allow_on_submit": 0, 
   "doctype": "DocField", 
@@ -73,7 +114,8 @@
   "fieldtype": "Date", 
   "hidden": 0, 
   "in_filter": 0, 
-  "label": "Date", 
+  "in_list_view": 1, 
+  "label": "Due Date", 
   "no_copy": 0, 
   "oldfieldname": "date", 
   "oldfieldtype": "Date", 
@@ -83,20 +125,10 @@
   "search_index": 0
  }, 
  {
-  "allow_on_submit": 0, 
   "doctype": "DocField", 
-  "fieldname": "priority", 
-  "fieldtype": "Data", 
-  "hidden": 0, 
-  "in_filter": 0, 
-  "label": "Priority", 
-  "no_copy": 0, 
-  "oldfieldname": "priority", 
-  "oldfieldtype": "Data", 
-  "print_hide": 0, 
-  "report_hide": 0, 
-  "reqd": 0, 
-  "search_index": 0
+  "fieldname": "section_break_6", 
+  "fieldtype": "Section Break", 
+  "label": "Reference"
  }, 
  {
   "allow_on_submit": 0, 
@@ -137,7 +169,8 @@
   "fieldtype": "Check", 
   "hidden": 0, 
   "in_filter": 0, 
-  "label": "Checked", 
+  "in_list_view": 1, 
+  "label": "Completed", 
   "no_copy": 0, 
   "oldfieldname": "checked", 
   "oldfieldtype": "Check", 
@@ -146,6 +179,11 @@
   "reqd": 0, 
   "search_index": 0
  }, 
+ {
+  "doctype": "DocField", 
+  "fieldname": "column_break_10", 
+  "fieldtype": "Column Break"
+ }, 
  {
   "allow_on_submit": 0, 
   "doctype": "DocField", 
@@ -171,14 +209,16 @@
   "options": "Profile"
  }, 
  {
+  "cancel": 0, 
   "doctype": "DocPerm", 
-  "report": 0, 
+  "export": 0, 
+  "restricted": 1, 
   "role": "All", 
   "submit": 0
  }, 
  {
   "doctype": "DocPerm", 
-  "report": 1, 
+  "export": 1, 
   "role": "System Manager"
  }
 ]
\ No newline at end of file
diff --git a/webnotes/core/page/applications/applications.py b/webnotes/core/page/applications/applications.py
index 1f7cffcdb0..f0790b1991 100644
--- a/webnotes/core/page/applications/applications.py
+++ b/webnotes/core/page/applications/applications.py
@@ -10,7 +10,7 @@ def get_app_list():
 	installed = webnotes.get_installed_apps()
 	for app in webnotes.get_all_apps(True):
 		out[app] = {}
-		app_hooks = webnotes.get_hooks(app)
+		app_hooks = webnotes.get_hooks(app_name=app)
 		for key in ("app_name", "app_title", "app_description", "app_icon",
 			"app_publisher", "app_version", "app_url", "app_color"):
 			out[app][key] = app_hooks.get(key)
diff --git a/webnotes/hooks.txt b/webnotes/hooks.txt
index 7b921f51df..6c9d3decbb 100644
--- a/webnotes/hooks.txt
+++ b/webnotes/hooks.txt
@@ -21,4 +21,9 @@ scheduler_event = daily:webnotes.utils.email_lib.bulk.clear_outbox
 scheduler_event = daily:webnotes.core.doctype.notification_count.notification_count.delete_event_notification_count
 scheduler_event = daily:webnotes.core.doctype.event.event.send_event_digest
 
-on_session_creation = webnotes.auth.notify_administrator_login
\ No newline at end of file
+on_session_creation = webnotes.auth.notify_administrator_login
+
+# permissions
+
+permission_query_conditions:Event = webnotes.core.doctype.event.event.get_permission_query_conditions
+has_permission:Event =  webnotes.core.doctype.event.event.has_permission
\ No newline at end of file
diff --git a/webnotes/permissions.py b/webnotes/permissions.py
index 9faa9ad4ea..1d9e1d159b 100644
--- a/webnotes/permissions.py
+++ b/webnotes/permissions.py
@@ -30,16 +30,18 @@ def has_permission(doctype, ptype="read", refdoc=None, verbose=True):
 	# get user permissions
 	if not get_user_perms(meta).get(ptype):
 		return False
-	elif refdoc:
+		
+	if refdoc:
 		if isinstance(refdoc, basestring):
 			refdoc = webnotes.doc(meta[0].name, refdoc)
 		
-		if has_unrestricted_access(meta, refdoc, verbose=verbose):
-			return True
-		else:
+		if not has_unrestricted_access(meta, refdoc, verbose=verbose):
 			return False
-	else:
-		return True
+		
+		if not has_additional_permission(refdoc):
+			return False
+
+	return True
 		
 rights = ["read", "write", "create", "submit", "cancel", "amend",
 	"report", "import", "export", "print", "email", "restrict", "delete", "restricted"]
@@ -98,6 +100,14 @@ def has_unrestricted_access(meta, refdoc, verbose=True):
 	# check all restrictions before returning
 	return False if has_restricted_data else True
 	
+def has_additional_permission(doc):
+	condition_methods = webnotes.get_hooks("has_permission:" + doc.doctype)
+	for method in webnotes.get_hooks("has_permission:" + doc.doctype):
+		if not webnotes.get_attr(method)(doc):
+			return False
+		
+	return True
+	
 def can_restrict_user(user, doctype, docname=None):
 	if not can_restrict(doctype, docname):
 		return False
diff --git a/webnotes/public/css/common.css b/webnotes/public/css/common.css
index 4bf429009c..ed2f678ea8 100644
--- a/webnotes/public/css/common.css
+++ b/webnotes/public/css/common.css
@@ -53,6 +53,7 @@ div#freeze {
 /* listing */
 
 .show_filters {
+	padding-top: 15px;
 	padding-bottom: 15px;
 	margin-bottom: 15px;
 	border-bottom: 1px solid #c7c7c7;
diff --git a/webnotes/public/js/wn/app.js b/webnotes/public/js/wn/app.js
index a2fcc94aa5..b7a743a065 100644
--- a/webnotes/public/js/wn/app.js
+++ b/webnotes/public/js/wn/app.js
@@ -29,7 +29,7 @@ wn.Application = Class.extend({
 					wn.provide('wn.boot');
 					wn.boot = r;
 					if(wn.boot.profile.name==='Guest' || wn.boot.profile.user_type==="Website User") {
-						window.location = 'index.html';
+						window.location = 'index';
 						return;
 					}
 					me.startup();
diff --git a/webnotes/public/js/wn/form/assign_to.js b/webnotes/public/js/wn/form/assign_to.js
index af2111bfd9..62a9a25726 100644
--- a/webnotes/public/js/wn/form/assign_to.js
+++ b/webnotes/public/js/wn/form/assign_to.js
@@ -97,7 +97,7 @@ wn.ui.form.AssignTo = Class.extend({
 					{fieldtype:'Button', label:wn._("Add"), fieldname:'add_btn'}
 				]
 			});
-			
+						
 			me.dialog.fields_dict.restrict.$wrapper
 				.find(".assign-user-properties")
 				.on("click", function() {
@@ -141,6 +141,11 @@ wn.ui.form.AssignTo = Class.extend({
 		})();
 		
 		me.dialog.show();
+		
+		if(!wn.perm.get_perm(me.frm.doctype)[0].restricted) {
+			me.dialog.fields_dict.restrict.set_input(0);
+			me.dialog.fields_dict.restrict.$wrapper.toggle(false);
+		}
 	}
 });
 
diff --git a/webnotes/public/js/wn/form/control.js b/webnotes/public/js/wn/form/control.js
index f3f5e7339e..6644dbce79 100644
--- a/webnotes/public/js/wn/form/control.js
+++ b/webnotes/public/js/wn/form/control.js
@@ -460,7 +460,7 @@ wn.ui.form.ControlCheck = wn.ui.form.ControlData.extend({
 	input_type: "checkbox",
 	make_wrapper: function() {
 		this.$wrapper = $('<div class="form-group row" style="margin: 0px;">\
-		<div class="col-md-offset-4 col-md-8">\
+		<div class="col-md-offset-3 col-md-8">\
 			<div class="checkbox" style="margin: 5px 0px">\
 				<label>\
 					<span class="input-area"></span>\
diff --git a/webnotes/templates/includes/login.js b/webnotes/templates/includes/login.js
index 0a691ab01c..db7c876a66 100644
--- a/webnotes/templates/includes/login.js
+++ b/webnotes/templates/includes/login.js
@@ -65,7 +65,7 @@ login.do_login = function(){
 		statusCode: {
 			200: function(data) {
 				if(data.message=="Logged In") {
-					window.location.href = "app.html";
+					window.location.href = "app";
 				} else if(data.message=="No App") {
 					if(localStorage) {
 						var last_visited = localStorage.getItem("last_visited") || "index";
diff --git a/webnotes/widgets/reportview.py b/webnotes/widgets/reportview.py
index d87e535522..622dd84349 100644
--- a/webnotes/widgets/reportview.py
+++ b/webnotes/widgets/reportview.py
@@ -171,7 +171,12 @@ def build_filter_conditions(filters, conditions):
 		if isinstance(f, basestring):
 			conditions.append(f)
 		else:
-			
+			if not isinstance(f, (list, tuple)):
+				webnotes.throw("Filter must be a tuple or list (in a list)")
+
+			if len(f) != 4:
+				webnotes.throw("Filter must have 4 values (doctype, fieldname, condition, value): " + str(f))
+				
 			tname = ('`tab' + f[0] + '`')
 			if not tname in webnotes.local.reportview_tables:
 				webnotes.local.reportview_tables.append(tname)
@@ -240,7 +245,7 @@ def build_match_conditions(doctype, fields=None, as_condition=True):
 										
 	if as_condition:
 		conditions = " and ".join(match_conditions)
-		doctype_conditions = get_doctype_conditions(doctype)
+		doctype_conditions = get_permission_query_conditions(doctype)
 		if doctype_conditions:
 			conditions += ' and ' + doctype_conditions if conditions else doctype_conditions
 			
@@ -255,12 +260,15 @@ def build_match_conditions(doctype, fields=None, as_condition=True):
 	else:
 		return match_filters
 		
-def get_doctype_conditions(doctype):
-	from webnotes.model.code import load_doctype_module
-	module = load_doctype_module(doctype)
-	if module and hasattr(module, 'get_match_conditions'):
-		return getattr(module, 'get_match_conditions')()
-
+def get_permission_query_conditions(doctype):
+	condition_methods = webnotes.get_hooks("permission_query_conditions:" + doctype)
+	if condition_methods:
+		conditions = []
+		for method in condition_methods:
+			conditions.append(webnotes.get_attr(method)())
+				
+		return " and ".join(conditions)
+		
 def get_tables(doctype, fields):
 	"""extract tables from fields"""
 	tables = ['`tab' + doctype + '`']