diff --git a/src/wanijo/framework/neo4j.clj b/src/wanijo/framework/neo4j.clj
index 150604e..51c387b 100644
--- a/src/wanijo/framework/neo4j.clj
+++ b/src/wanijo/framework/neo4j.clj
@@ -56,3 +56,8 @@
 (time-format/unparse (time-format/formatters :basic-date-time) (time-local/local-now)))
+
+(defn bool [value]
+ (if value
+ (.asBoolean value)
+ false))
diff --git a/src/wanijo/framework/view.clj b/src/wanijo/framework/view.clj
index abd1694..c5843d2 100644
--- a/src/wanijo/framework/view.clj
+++ b/src/wanijo/framework/view.clj
@@ -16,12 +16,19 @@
 (hform/submit-button {:class "delete-btn"} "☒ Delete!"))
+(defn flash-error [content]
+ [:section.flash--error
+ [:h2.flash__heading--error "Warning"]
+ content])
+
 (defn layout!
- [& {:keys [content title session]
+ [& {:keys [content title session request]
 :or {content [] title nil
- session {}}}]
- (let [ident (:ident session)
+ request {}
+ session nil}}]
+ (let [session (or session (:session request))
+ ident (:ident session)
 authed? (some? ident) devmode? (:devmode session)] (html5
@@ -60,12 +67,9 @@
 [:ul (for [schema (:other-schemas session)] [:li (:name schema)])]])]
- (into [:main] content)
-;; [:aside (when authed? "aside")]
+ (into [:main
+ (for [msg (:flash request)]
+ (flash-error msg))]
+ content)
 [:footer [:small "Ilo pali e ijo"]]]])))
-
-(defn flash-error [content]
- [:section.flash--error
- [:h2.flash__heading--error "Warning"]
- content])
diff --git a/src/wanijo/schema/domain.clj b/src/wanijo/schema/domain.clj
index bdcff91..ecfe260 100644
--- a/src/wanijo/schema/domain.clj
+++ b/src/wanijo/schema/domain.clj
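Review bot: `bool` treats any non-nil `value` as something that answers `.asBoolean`, so the only null it tolerates is Clojure `nil`; if `exec-query!` hands back driver `Value` objects, a null column would arrive as a `NullValue` object, which is truthy in Clojure and, if I recall the driver API correctly, throws on `.asBoolean` instead of reading as false. Guarding with `(if (and value (not (.isNull value))) (.asBoolean value) false)` keeps the helper fail-closed for both representations. A one-line docstring stating that absent or null values read as `false` would also make the contract explicit for the authorization code in domain.clj that now relies on it.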
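Review bot: `flash-error` splices `content` straight into the hiccup tree, so whatever ends up in the flash is emitted as markup, and whether a string is escaped there depends on the hiccup version in use (1.x does not escape strings by default). The only value set in this commit is a constant, but the function is now the general sink for flash messages, so a docstring such as `"Renders one flash message. content is inserted as hiccup, so pass escaped text (hiccup.util/escape-html) for anything user-derived."` would pin that expectation for future callers. With `session` now defaulting to `nil`, `layout!` falls back to `(:session request)`, which is safe when both are absent because `(:ident nil)` is `nil`; a short comment noting that an explicit `:session` argument takes precedence over the request's session would help readers.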
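Review bot: `layout!` reads messages from `(:flash request)`, which only carries the previous response's `:flash` when Ring's `wrap-flash` middleware is in the stack; that middleware is not part of this diff, so I cannot confirm it is wired up, and without it the `:flash` set by the redirect in routes.clj is silently never shown. A comment above the `for`, e.g. `;; :flash is populated by ring.middleware.flash/wrap-flash from the previous response`, would document the dependency and where to look if the warning does not appear.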
@@ -85,9 +85,25 @@
 first :uuid))
-(defn can-user-modify? [schema-uuid user-uuid]
- (let [creator (find-schema-creator! schema-uuid)]
- (= creator user-uuid)))
+(neo4j/defquery
+ schema-permissions
+ "MATCH (s:schema {uuid:{schema_uuid}})
+ RETURN
+ EXISTS((:user {uuid:{user_uuid}})
+ -[:permission {type:{type}}]-
+ (s)) AS user_has_permission,
+ NOT EXISTS((:user)
+ -[:permission {type:{type}}]-
+ (s)) AS is_public")
+
+(defn has-user-write-permissions? [schema-uuid user-uuid]
+ (let [permissions (first (neo4j/exec-query! schema-permissions
+ {:schema_uuid schema-uuid
+ :user_uuid user-uuid
+ :type "write"}))
+ public? (neo4j/bool (:is_public permissions))
+ user? (neo4j/bool (:user_has_permission permissions))]
+ (or public? user?)))
 (neo4j/defquery delete
diff --git a/src/wanijo/schema/routes.clj b/src/wanijo/schema/routes.clj
index 816cfc4..ba06b08 100644
--- a/src/wanijo/schema/routes.clj
+++ b/src/wanijo/schema/routes.clj
@@ -1,5 +1,5 @@
 (ns wanijo.schema.routes
- (:require [compojure.core :refer [defroutes GET POST DELETE]]
+ (:require [compojure.core :refer [defroutes GET POST DELETE] :as comp]
 [ring.util.response :as resp] [formulare.core :as form] [wanijo.framework.view :as view]
@@ -19,11 +19,8 @@
 (view-schema/overview! req))) (defn delete-schema! [uuid session]
- (if (domain/can-user-modify? uuid (:uuid session))
- (do
- (domain/delete! uuid)
- (resp/redirect (path :schema-overview)))
- {:status 403}))
+ (domain/delete! uuid)
+ (resp/redirect (path :schema-overview)))
 (defn view! [uuid req] (view-schema/show-schema!
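Review bot: `is_public` is computed as the absence of any `write` permission relationship on the schema, so a schema that has never been assigned a write permission is writable by every caller; as far as the visible query shows that includes a call with `user-uuid` `nil`, because `(:user {uuid:{user_uuid}})` then matches nothing but `public?` still holds. That is a fail-open default relative to the removed creator check, so it should either be documented as intentional or tightened, e.g. `(or user? (and (some? user-uuid) public?))`. On the positive side the function fails closed when the schema does not exist, since `first` yields `nil` and both flags read as false through `neo4j/bool`. A docstring on `has-user-write-permissions?` spelling out the two grant paths and the hardcoded `"write"` type would help the next reader.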
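Review bot: `delete-schema!` no longer performs any authorization itself and deletes unconditionally, so its safety now rests entirely on every caller being routed through `wrap-allowed-to-write`; the `session` parameter it still accepts is no longer used. The precondition should at least be stated in a docstring, `"Deletes the schema unconditionally; callers must have verified write permission first (see wrap-allowed-to-write)."`, and keeping a cheap in-function check would preserve defense in depth if the route is ever composed without the wrapper.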
@@ -65,7 +62,18 @@
 (resp/redirect (path :schema-show (:params req)))) (view! uuid req))))
+(defn wrap-allowed-to-write [handler]
+ (fn [req]
+ (let [uuid (get-in req [:params :uuid])
+ user (get-in req [:session :uuid])]
+ (if (domain/has-user-write-permissions? uuid user)
+ (handler req)
+ (assoc
+ (resp/redirect (path :schema-show (:params req)))
+ :flash ["No write permission for schema"])))))
+
 (defroutes routes
+ (GET "/403" [] {:status 403 :body "NE"})
 (GET (register! :schema-overview "/schema") [] view-schema/overview!)
@@ -75,15 +83,14 @@
 (POST (register! :schema-new "/schema/new") [] new!)
- (POST (register! :schema-edit "/schema/edit")
- []
- edit!)
- (POST (register! :schema-assign-users "/schema/assign/users")
- []
- assign-users!)
- (POST (register! :schema-assign-schemas "/schema/assign/schemas")
- []
- assign-schemas!)
- (DELETE (register! :schema-delete "/schema/:uuid")
- [uuid :as req]
- (delete-schema! uuid (:session req))))
+ (wrap-allowed-to-write
+ (comp/routes
+ (POST (register! :schema-edit "/schema/edit") []
+ edit!)
+ (POST (register! :schema-assign-users "/schema/assign/users") []
+ assign-users!)
+ (POST (register! :schema-assign-schemas "/schema/assign/schemas") []
+ assign-schemas!)
+ (DELETE (register! :schema-delete "/schema/:uuid")
+ [uuid :as req]
+ (delete-schema! uuid (:session req))))))
diff --git a/src/wanijo/schema/view.clj b/src/wanijo/schema/view.clj
index d2abacb..8cf9870 100644
--- a/src/wanijo/schema/view.clj
+++ b/src/wanijo/schema/view.clj
@@ -75,7 +75,7 @@
 (defn show-schema! [schema attrs assign-form conn-form req] (view/layout!
- :session (:session req)
+ :request req
 :content [[:h1 "Schema " [:span.schema-title__name (:name schema)]]
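Review bot: `wrap-allowed-to-write` reads the schema id from `(get-in req [:params :uuid])` before any route has matched, so for the `DELETE "/schema/:uuid"` route wrapped in the next hunk (`@@ -75,15 +83,14 @@`) the `:uuid` path segment is not yet bound at that point; as far as I can tell, Compojure merges route params into `:params` only inside the matching route. The wrapper therefore checks whatever `uuid` arrived as a query or form parameter (or `nil`), while `delete-schema!` acts on the path `uuid`, so the identifier that is authorized and the identifier that is deleted are not guaranteed to be the same value. The check should run on the same value the handler uses, for example by wrapping each route's handler function instead of the `comp/routes` group, or by passing the route-bound `uuid` into `has-user-write-permissions?` from within `delete-schema!`. The new `(GET "/403" [] {:status 403 :body "NE"})` route is not referenced anywhere in this diff and reads like a leftover placeholder; if it is meant to be the unauthorized landing page, the redirect in the wrapper should point at it, otherwise it should be dropped.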