diff --git a/TODO.md b/TODO.md
index a5a83cfd92..f006cdf7a7 100644
--- a/TODO.md
+++ b/TODO.md
@@ -46,6 +46,9 @@ directory. Project directories must be unique and be (also no ../, etc). defau
 * permissions on launching a job should be same as creating a job template
 * should be able to access permissions as subcollection off of users or teams (no need for permissions tab)
 * make sure all can_user_add/edit methods ensure ownership/access on subobjects
+* project should have a method to list valid YAML files and not require default playbook
+* do not allow ../ in paths (etc)
+* should be able to specify in a launch job a limit string, combine with shell=False when using subprocess
 QUESTIONS
 ---------
diff --git a/lib/main/base_views.py b/lib/main/base_views.py
index 730698fe44..640bf1c4c6 100644
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@@ -45,6 +45,7 @@ class BaseList(generics.ListCreateAPIView):
                 raise PermissionDenied()
             return True
         else:
+            # audit all of these to check ownership/readability of subobjects
             if not self.__class__.model.can_user_add(request.user, self.request.DATA):
                 raise PermissionDenied()
             return True
@@ -236,8 +237,10 @@ class BaseDetail(generics.RetrieveUpdateDestroyAPIView):
             return self.__class__.model.can_user_read(request.user, obj)
         elif request.method in [ 'PUT' ]:
             if type(obj) == User:
+                # FIXME: pass request.DATA to all of these and verify permissions on subobjects
                 return UserHelper.can_user_administrate(request.user, obj)
             else:
+                # FIXME: pass request.DATA to all of these and verify permission on subobjects
                 return self.__class__.model.can_user_administrate(request.user, obj)
         return False
diff --git a/lib/main/serializers.py b/lib/main/serializers.py
index 561e2c8364..437ac16c58 100644
--- a/lib/main/serializers.py
+++ b/lib/main/serializers.py
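Review bot: The new comment in the `else:` branch of BaseList records an audit, but the create path still hands the raw `self.request.DATA` payload to `can_user_add`, so any related-object ids the client puts in that payload are accepted on the strength of the top-level add permission alone until each model's `can_user_add` actually resolves and ownership-checks them. A comment that says "audit all of these" does not tell the next reader what is known to be missing; suggest `# FIXME: can_user_add only checks the top-level object; related ids in request.DATA are not ownership-checked yet`, using the FIXME marker the PUT branch in this file uses so the gaps are greppable together. The branch also mixes `request.user` with `self.request.DATA` on the same line; using `request.DATA` keeps both reads on the request that was passed in. The enclosing method starts outside the hunk.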
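Review bot: Both FIXMEs in BaseDetail's PUT branch record that `request.DATA` is not checked against subobject ownership, which means an update is authorized purely on `can_user_administrate(request.user, obj)` and any related ids in the body are trusted until the FIXME is resolved; in the meantime the per-field ownership check has a natural home in the serializer's `validate` hook, which is where CredentialSerializer already compares `self.object.user` with `attrs['user']` in this same commit. The two comments differ only by "permissions"/"permission" and can be one comment above the `if`, e.g. `# FIXME: related ids in request.DATA are not ownership-checked; only the top-level obj is`. On the line above the first FIXME, `type(obj) == User` is an exact-type test, so a proxy or subclass of User would be routed to the model's `can_user_administrate` instead of `UserHelper`; `isinstance(obj, User)` is the conventional check. The enclosing method starts outside the hunk.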
@@ -154,6 +154,7 @@ class CredentialSerializer(BaseSerializer):
     def validate(self, attrs):
         ''' some fields cannot be changed once written '''
+        import epdb; epdb.st()
         if self.object is not None:
             # this is an update
             if self.object.user != attrs['user']: