diff --git a/db_schema.sql b/db_schema.sql
index bb9e81cc2725f451f34cd3a5086a0940031e1136..e48bd14cce69d37acecd4b4f4f8af42061395f66 100644
--- a/db_schema.sql
+++ b/db_schema.sql
@@ -93,6 +93,15 @@ CREATE TABLE IF NOT EXISTS `places` (
   `campus_room` varchar(20) NOT NULL,
   `campus_name` varchar(30) NOT NULL
 );
+CREATE TABLE IF NOT EXISTS `auth` (
+	`auth_id` INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	`course_id` INTEGER,
+	`lecture_id` INTEGER,
+	`video_id` INTEGER,
+	`auth_type` varchar(10),
+	`auth_user` varchar(127),
+	`auth_passwd` varchar(127)
+);
 CREATE TABLE IF NOT EXISTS `site_texts` (
   `key` varchar(64) NOT NULL PRIMARY KEY,
   `value` text NOT NULL,
diff --git a/server.py b/server.py
index 5e7ad1fb5f33dc15f3adabb5a7d79bd5d87090d6..7fa2ced0e5c7af7fd221c8408eaf845351756561 100755
--- a/server.py
+++ b/server.py
@@ -1,5 +1,4 @@
-#!/bin/python
-from flask import Flask, g, request, url_for, redirect, session, render_template, flash
+from flask import Flask, g, request, url_for, redirect, session, render_template, flash, Response
 from werkzeug.routing import Rule
 from functools import wraps
 from datetime import date, timedelta, datetime, time
@@ -161,12 +160,15 @@ def search():
 			'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', ismod())
 	return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
 
+def check_mod(user, groups):
+	return user and 'users' in groups
+
 @app.route('/login', methods=['GET', 'POST'])
 def login():
 	if request.method == 'GET':
 		return render_template('login.html')
 	user, groups = ldapauth(request.form.get('user'), request.form.get('password'))
-	if not user or not 'users' in groups:
+	if not check_mod(user, groups):
 		flash('Login fehlgeschlagen!')
 		return render_template('login.html')
 	session['user'] = ldapget(user)
@@ -205,7 +207,6 @@ def edit():
 		assert column in tabs[table][2]
 		query('INSERT INTO changelog ("table",id_value,id_key,field,value_new,value_old,"when",who,executed) VALUES (?,?,?,?,?,(SELECT %s FROM %s WHERE %s = ?),?,?,1)'%(column,tabs[table][0],tabs[table][1]),table,id,tabs[table][1],column,val,id,datetime.now(),session['user']['givenName'])
 		query('UPDATE %s SET %s = ? WHERE %s = ?'%(tabs[table][0], column,tabs[table][1]), val, id)
-
 	query('COMMIT')
 	return "OK", 200
 
@@ -216,21 +217,41 @@ def auth(): # For use with nginx auth_request
 		return 'Internal Server Error', 500
 	url = request.headers['X-Original-Uri'].lstrip(config['VIDEOPREFIX'])
 	ip = request.headers.get('X-Real-IP', '')
-	videos = query('''SELECT videos.path, videos.id
-			FROM videos
-			JOIN lectures ON (videos.lecture_id = lectures.id)
-			JOIN courses ON (lectures.course_id = courses.id)
-			WHERE videos.path = ?
-			AND (? OR (courses.visible AND lectures.visible AND videos.visible))''',
-			url, ismod())
-	if videos and (url.startswith('pub') or ismod()):
-		query('INSERT INTO log VALUES (?, "", ?, "video", ?, ?)', ip, datetime.now(), videos[0]['id'], url)
+	if url.endswith('jpg'):
 		return "OK", 200
-	elif url.endswith('jpg'):
-		return "OK", 200
-	else:
+	videos = query('''SELECT videos.path, videos.id, lectures.id AS lecture_id, courses.id AS course_id, auth.*
+      FROM videos
+      JOIN lectures ON (videos.lecture_id = lectures.id)
+      JOIN courses ON (lectures.course_id = courses.id)
+			LEFT JOIN auth ON (videos.id = auth.video_id OR lectures.id = auth.lecture_id OR courses.id = auth.course_id)
+      WHERE videos.path = ?
+      AND (? OR (courses.visible AND lectures.visible AND videos.visible))
+			ORDER BY auth.video_id DESC, auth.lecture_id DESC, auth.course_id DESC''',
+			url, ismod())
+	if not videos:
 		return "Not allowed", 403
-
+	allowed = False
+	types = []
+	auth = request.authorization
+	for video in videos:
+		if videos[0] and ((videos[0]['video_id'] and not video['video_id']) \
+				or (videos[0]['lecture_id'] and not video['lecture_id'])):
+			break
+		types.append(video['auth_type'])
+		if video['auth_type'] == 'public':
+			allowed = True
+			break
+		elif video['auth_type'] == 'password':
+			if auth and video['auth_user'] == auth.username and video['auth_passwd'] == auth.password:
+				allowed = True
+				break
+	if not types[0] or allowed or ismod() or \
+			(auth and check_mod(*ldapauth(auth.username, auth.password))):
+		return 'OK', 200
+		query('INSERT INTO log VALUES (?, "", ?, "video", ?, ?)', ip, datetime.now(), videos[0]['id'], url)
+	elif 'password' in types:
+		return Response("Login required", 401, {'WWW-Authenticate': 'Basic realm="Login Required"'})
+	return "Not allowed", 403
 
 @app.route('/schedule')
 @register_navbar('Drehplan', 'calendar')
@@ -286,7 +307,6 @@ def schedule():
 	for i in range(s.hour*4,min(int((60*e.hour/15)/4)*4+5,24*4)):
 		t = i*15
 		times.append(time(int(t/60),t%60))
-	
 	return render_template('schedule.html',days=days,times=times,kw=kw)
 
 @app.route('/stats')