diff --git a/app/Routes/API.js b/app/Routes/API.js
index 36d6438c..2ca20b7c 100644
--- a/app/Routes/API.js
+++ b/app/Routes/API.js
@@ -71,8 +71,30 @@ Router.map(function () {
 where: "server"
 }).post(
 function () {
- ifPostOK(this, "addSpellsToCharacter", () => {
-
+ ifPostOK(this, "addSpellsToList", () => {
+ const spells = this.request.body;
+ const charId = this.params._id;
+ const listId = this.params.listId;
+ let spellIds = [];
+ let error;
+ for (let spell of spells) {
+ spell.parent = {id: listId, collection: "SpellLists"};
+ spell.charId = charId;
+ let id = Spells.insert(spell, (err, _id) => {
+ if (err) {
+ error = err.message;
+ }
+ });
+ if (error)
+ break;
+ spellIds.push(id);
+ }
+ if (error) {
+ this.response.writeHead(400, "Failed to insert one or more spells");
+ this.response.end(JSON.stringify({err: error, inserted: spellIds}));
+ } else {
+ this.response.end(JSON.stringify(spellIds));
+ }
 });
 }
 );
@@ -147,7 +169,7 @@ Router.map(function () {
 var ifPostOK = function (router, endpoint, callback) {
 router.response.setHeader("Content-Type", "application/json");
 var header = router.request.headers;
- var key = header && header['Authorization'];
+ var key = header && header['authorization'];
 ifKeyValid(key, router.response, endpoint, () => {
 if (canEditCharacter(router.params._id, userIdFromKey(key))) {
 callback();
diff --git a/app/lib/constants/characterAssetAllowDeny.js b/app/lib/constants/characterAssetAllowDeny.js
index 65730cfb..70277148 100644
--- a/app/lib/constants/characterAssetAllowDeny.js
+++ b/app/lib/constants/characterAssetAllowDeny.js
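Review bot: The `error` assigned inside the `Spells.insert` callback is read synchronously on the very next statement (`if (error) break;`), but per Meteor's documented server behaviour an insert that is given a callback returns the id immediately and runs the callback later, so `error` is still undefined at that check, the loop never breaks, and the 400 branch is unlikely ever to execute while a 200 with all ids can be sent even when inserts fail. `this.request.body` is also consumed without any shape check: a non-array body makes `for...of` throw (an unhandled exception inside the route) or iterate the characters of a string, and each element is stored as received apart from `parent` and `charId`, so any client-chosen field including `_id` reaches the Spells collection unless a schema elsewhere rejects it. Nothing in the hunk verifies that `listId` belongs to the character whose write permission `ifPostOK` checks, so a spell can be attached to another character's list while carrying an authorised `charId`. I would validate the body and replace the callback with a synchronous insert inside try/catch as below; the enclosing `Router.map` call continues outside the hunk.
```javascript
ifPostOK(this, "addSpellsToList", () => {
  const spells = this.request.body;
  const charId = this.params._id;
  const listId = this.params.listId;
  // Reject anything that is not an array of objects before touching the database.
  if (!Array.isArray(spells) || !spells.every((s) => s && typeof s === "object")) {
    this.response.writeHead(400, "Request body must be an array of spell objects");
    this.response.end(JSON.stringify({err: "expected an array of spell objects"}));
    return;
  }
  // TODO: confirm listId refers to a SpellList belonging to charId before inserting.
  const spellIds = [];
  let error;
  for (const spell of spells) {
    spell.parent = {id: listId, collection: "SpellLists"};
    spell.charId = charId;
    try {
      // No callback: a server-side insert without one throws on failure,
      // so the error is visible here rather than in a later callback.
      spellIds.push(Spells.insert(spell));
    } catch (err) {
      error = err.message;
      break;
    }
  }
  // … unchanged: 400 / success responses …
});
```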
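Review bot: The reason for switching from `header['Authorization']` to `header['authorization']` is not recorded, and a later reader may "correct" the casing back; Node's `http.IncomingMessage` lower-cases incoming header names, so only the lower-case key ever matches. I would add `// Node lower-cases incoming header names; 'Authorization' never matches here` above the `var key` line. `ifPostOK` continues beyond the hunk, so how `ifKeyValid` treats the raw header value (for example one carrying a scheme prefix) cannot be checked from this hunk.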
@@ -12,19 +12,20 @@ Meteor.methods({ CHARACTER_SUBSCHEMA_ALLOW = { // the user must be logged in, and the user must be a writer of the character + // or we must be the server insert: function(userId, doc) { var char = Characters.findOne( doc.charId, {fields: {owner: 1, writers: 1}} ); - return (userId && char.owner === userId || _.contains(char.writers, userId)); + return (userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer); }, update: function(userId, doc, fields, modifier) { var char = Characters.findOne( doc.charId, {fields: {owner: 1, writers: 1}} ); - return (userId && char.owner === userId || _.contains(char.writers, userId)); + return (userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer); }, remove: function(userId, doc) { var char = Characters.findOne( @@ -32,7 +33,7 @@ CHARACTER_SUBSCHEMA_ALLOW = { {fields: {owner: 1, writers: 1}} ); if (!char) return true; - return userId && char.owner === userId || _.contains(char.writers, userId); + return userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer; }, fetch: ["charId"], }; diff --git a/app/lib/functions/parenting.js b/app/lib/functions/parenting.js index 82ecf204..d26dc885 100644 --- a/app/lib/functions/parenting.js +++ b/app/lib/functions/parenting.js @@ -132,6 +132,9 @@ makeParent = function(collection, donatedKeys){ }; var checkPermission = function(userId, charId){ + if (Meteor.isServer) { // we always trust server + return true; + } var char = Characters.findOne(charId, {fields: {owner: 1, writers: 1}}); if (!char) throw new Meteor.Error("Access Denied, no charId",
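Review bot: The `|| Meteor.isServer` appended to the `insert` and `update` rules in this hunk (and to `remove` in the -32,7 hunk) makes each rule unconditionally true: allow/deny callbacks are evaluated on the server when a client attempts a write, so `Meteor.isServer` is true on every evaluation and the ownership and writers checks no longer matter, letting any client, authenticated or not, write to any character's sub-documents. The addition is also unnecessary for the new API route, because server-side calls such as `Spells.insert` bypass allow/deny entirely; only client-originated writes pass through these rules. I would restore the three lines to their previous form, e.g. `return (userId && char.owner === userId || _.contains(char.writers, userId));`. The `checkPermission` hunk in parenting.js adds a similar `if (Meteor.isServer) { return true; }`; that hunk is cut off here, but if `checkPermission` is reached from a Meteor method invoked by a client it likewise runs on the server and would grant access unconditionally, so it deserves the same scrutiny.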