diff --git a/list.tpl b/list.tpl index 655ac70..4c03bc4 100644 --- a/list.tpl +++ b/list.tpl @@ -1,11 +1,6 @@ +

Liste

- - diff --git a/main.py b/main.py index 6c797d1..dedfe13 100755 --- a/main.py +++ b/main.py @@ -112,17 +112,19 @@ def submission (): else: response.status = 400 return 'Le jeton d’autentification est requis' + if 'mail' in request.forms: from_address = request.forms.getunicode('mail') else: - response.status = 400 - return 'Le mail est requis' + #response.status = 400 + #return 'Le mail est requis' + from_address = '' try: form = mongodb_database['forms'].find({'token': token})[0] except IndexError as e: response.status = 400 - return 'L’authentification a échouée' + return 'Le formulaire est introuvable' try: subject_fields = fill_fields(request, get_fields(form['subject'])) @@ -141,8 +143,9 @@ def submission (): # Redirection #redirect(success_redirect_default) origin = request.headers.get('origin') - return 'Mail envoyé !' + ('Retour au formulaire de contact'.format(origin) if origin else '') + return '
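Review bot: The two commented-out lines `#response.status = 400` / `#return 'Le mail est requis'` in the `mail` branch of submission() should be deleted rather than kept as dead code, and the new fallback deserves a comment stating the intent, e.g. `from_address = ''  # sender is optional; send_mail() receives an empty from_address`. That empty string then reaches send_mail(from_address, to, subject, content) unchanged, so send_mail presumably has to cope with an empty sender — worth confirming there. The name bound by `except IndexError as e` is unused; `except IndexError:` is enough. submission() starts and ends outside this hunk.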

Mail envoyé !

' + ('

Retour au formulaire de contact

'.format(origin) if origin else '') +##################################################### Helpers ############################################$ def get_fields (string): """ Parse the string looking for template elements and create an array with template to fill and their default values. None if mandatory. """ result = {} @@ -187,6 +190,26 @@ def send_mail(from_address, to, subject, content): return False return True +def login(request): + """ + Check if user is admin or simple user. Return a disct with _privilege key. dict is also a user if _privilege == 1 + Privileges : 0=admin 1=loggedIn 1000=guest + """ + if 'admin_pass' in request.forms and request.forms['admin_pass'] == admin_password: + return {'_privilege':0} + if 'token' in request.forms: + token = request.forms.getunicode('token') + try: + user = mongodb_database['users'].find({'token': token})[0] + user['_privilege'] = 1 + return user + except IndexError as e: + pass + + return {'_privilege': 1000} # anonymous + + +##################################################### Forms ############################################$ @app.post('/form') @app.post('/form/') @@ -214,18 +237,10 @@ def create_form (): response.status = 400 return 'Le champs « adresse » est requis' - # Getting auth token - if 'token' in request.forms: - token = request.forms.getunicode('token') - else: + user = login(request) + if user['_privilege'] > 1: response.status = 400 - return 'Le jeton d’autentification n’a pas été envoyé' - - try: - user = mongodb_database['users'].find({'token': token})[0] - except IndexError as e: - response.status = 400 - return 'L’authentification a échouée' + return 'Privilèges insufisants' # TODO limit the insertion rate token = ''.join(random.sample(token_chars, token_len)) 
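Review bot: The rewritten success response in submission() formats the request's `Origin` header straight into an HTML fragment with `.format(origin)` and no escaping, so a header value containing quotes or angle brackets lands in the markup verbatim (the markup itself is not visible in this rendering of the hunk). Escape it at the point of use: `'…'.format(html.escape(origin, quote=True)) if origin else ''`, with `import html` added at the top of main.py. submission() starts outside this hunk.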
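Review bot: login() checks the admin credential with `request.forms['admin_pass'] == admin_password`, and `==` on strings stops at the first differing character; a credential check should use a constant-time comparison, `if 'admin_pass' in request.forms and hmac.compare_digest(request.forms['admin_pass'], admin_password):`, with `import hmac` at the top of main.py (both operands must be str, or both bytes). The docstring has a typo (`disct`) and could state the contract precisely: the Mongo user document with `_privilege` set to 1 for a valid token, `{'_privilege': 0}` (no `_id`) for the admin, and `{'_privilege': 1000}` otherwise. `except IndexError as e: pass` binds an unused name; `except IndexError:` suffices.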
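Review bot: In create_form(), the new `user = login(request)` path admits the admin with `{'_privilege': 0}`, a dict that carries no `_id`, whereas the removed code always produced a users-collection document; if the rest of create_form() (outside this hunk) stores `user['_id']` as the form's `user_id`, an admin submission now raises KeyError. Either restrict this route to token users with `if user['_privilege'] != 1:` or give the admin a defined owner id before the insert. Separately, the authorization failure answers with `response.status = 400`; 403 is the conventional status for insufficient privileges, and the same pattern recurs in list_forms, delete_form, list_users, create_user and delete_user in the next hunk. create_form() continues outside this hunk.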
@@ -239,42 +254,81 @@ def create_form (): return 'Créé : ' + token - - -##################################################### Admin ############################################$ -@app.post('/admin/list') -@app.post('/admin/list/') -def admin_list (): - if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password): +@app.post('/form/list') +@app.post('/form/list/') +def list_forms (): + user = login(request) + if user['_privilege'] == 0: + filt = {} + elif user['_privilege'] == 1: + filt = {'user_id': user['_id']} + else: response.status = 400 - return 'Le champs « admin_pass » est requis' - return bottle.template("list.tpl", mongodb_database=mongodb_database) + return 'Privilèges insufisants' + return bottle.template("list.tpl", data=mongodb_database['forms'].find(filt)) +@app.delete('/form/') +@app.delete('/form//') +def delete_form(token): + # If admin or form owner + user = login(request) + if user['_privilege'] > 1: + response.status = 400 + return 'Privilèges insufisants' + + # Actually delete + try: + form = mongodb_database['forms'].find({'token':token })[0] + except IndexError as e: + response.status = 400 + return 'Le token n’est pas valide' + + if user['_privilege'] == 0 or (form['user_id'] == user['_id']): + mongodb_database['forms'].delete_one({ + 'token': token, + }) + return 'Supprimé ' + token + response.status = 400 + return 'Privilèges insufisants' + + +##################################################### Users ############################################$ + +@app.post('/user/list') +@app.post('/user/list/') +def list_users (): + user = login(request) + if user['_privilege'] > 0: + response.status = 400 + return 'Privilèges insufisants' + return bottle.template("list.tpl", data=mongodb_database['users'].find()) + @app.put('/user/') @app.put('/user//') def create_user (username): - if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password): + user = login(request) + if user['_privilege'] > 0: 
response.status = 400 - return 'Le champs « admin_pass » est requis' + return 'Privilèges insufisants' try: mongodb_database['users'].find({'username': username})[0] return 'L’utilisateur existe déjà' except IndexError as e: - pass - inserted = mongodb_database['users'].insert_one({ - 'username': username, - 'token': ''.join(random.sample(token_chars, token_len)) - }) - return 'Créé : ' + username + inserted = mongodb_database['users'].insert_one({ + 'username': username, + 'token': ''.join(random.sample(token_chars, token_len)) + }) + return 'Créé : ' + username @app.delete('/user/') @app.delete('/user//') def delete_user (username): - if not ('admin_pass' in request.forms and request.forms['admin_pass'] == admin_password): + user = login(request) + if user['_privilege'] > 0: response.status = 400 - return 'Le champs « admin_pass » est requis' + return 'Privilèges insufisants' try: mongodb_database['users'].find({'username': username})[0] except IndexError as e: 
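Review bot: create_user() generates the user's authentication token with `random.sample(token_chars, token_len)`, and `random` is not a cryptographically secure generator; since login() authenticates solely by looking this token up, derive it from the `secrets` module instead, e.g. `'token': ''.join(secrets.choice(token_chars) for _ in range(token_len))` with `import secrets` at the top of main.py (create_form's token on the context line of the previous hunk has the same issue). In delete_form(), a logged-in non-owner receives 'Le token n’est pas valide' for an unknown token but 'Privilèges insufisants' for someone else's existing token, so the two responses let any user probe which form tokens exist; returning the same status and message for both cases closes that. The message 'Privilèges insufisants' is also misspelled ('insuffisants'). delete_user() continues outside this hunk.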
@@ -286,37 +340,7 @@ def delete_user (username): return 'Supprimé ' + username -@app.delete('/form/') -@app.delete('/form//') -def delete_form(token): - # If admin or form owner - admin = False - if 'admin_pass' in request.forms and request.forms['admin_pass'] == admin_password: - admin = True - - user_token = False - if 'token' in request.forms: - try: - user = mongodb_database['users'].find({'token':request.forms['token']})[0] - user_token = True - except IndexError as e: - pass - - # Actually delete - try: - form = mongodb_database['forms'].find({'token':token })[0] - except IndexError as e: - response.status = 400 - return 'Le token n’est pas valide' - - if (user_token and form['user_id'] == user['_id']) or admin: - mongodb_database['forms'].delete_one({ - 'token': token, - }) - return 'Supprimé ' + token - response.status = 400 - return 'Vous n’avez pas les droits pour supprimer ce formulaire' - +##################################################### Bottle stuff ############################################$ class StripPathMiddleware(object): '''