diff --git a/node/db/SecurityManager.js b/node/db/SecurityManager.js
index 7ad8f8d2..0f35d873 100644
--- a/node/db/SecurityManager.js
+++ b/node/db/SecurityManager.js
@@ -23,6 +23,7 @@ var async = require("async");
 var authorManager = require("./AuthorManager");
 var padManager = require("./PadManager");
 var sessionManager = require("./SessionManager");
+var settings = require("../utils/Settings")
 
 /**
  * This function controlls the access to a pad, it checks if the user can access a pad.
@@ -34,18 +35,52 @@ var sessionManager = require("./SessionManager");
  */ 
 exports.checkAccess = function (padID, sessionID, token, password, callback)
 { 
-  // it's not a group pad, means we can grant access
-  if(padID.indexOf("$") == -1)
+  var statusObject;
+
+  // a valid session is required (api-only mode)
+  if(settings.requireSession)
   {
-    //get author for this token
-    authorManager.getAuthor4Token(token, function(err, author)
+    // no sessionID, access is denied
+    if(!sessionID)
     {
-      // grant access, with author of token
-      callback(err, {accessStatus: "grant", authorID: author});
-    })
-    
-    //don't continue
-    return;
+      callback(null, {accessStatus: "deny"});
+      return;
+    }
+  }
+  // a session is not required, so we'll check if it's a public pad
+  else
+  {
+    // it's not a group pad, means we can grant access
+    if(padID.indexOf("$") == -1)
+    {
+      //get author for this token
+      authorManager.getAuthor4Token(token, function(err, author)
+      {
+        // assume user has access
+        statusObject = {accessStatus: "grant", authorID: author};
+        // user can't create pads
+        if(settings.editOnly)
+        {
+          // check if pad exists
+          padManager.doesPadExists(padID, function(err, exists)
+          {
+            // pad doesn't exist - user can't have access
+            if(!exists) statusObject.accessStatus = "deny";
+            // grant or deny access, with author of token
+            callback(err, statusObject);
+          });
+        }
+        // user may create new pads - no need to check anything
+        else
+        {
+          // grant access, with author of token
+          callback(err, statusObject);
+        }
+      })
+      
+      //don't continue
+      return;
+    }
   }
    
   var groupID = padID.split("$")[0];
@@ -57,8 +92,6 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
   var isPasswordProtected;
   var passwordStatus = password == null ? "notGiven" : "wrong"; // notGiven, correct, wrong
 
-  var statusObject;
-
   async.series([
     //get basic informations from the database 
     function(callback)
@@ -180,6 +213,8 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
       {
         //--> grant access
         statusObject = {accessStatus: "grant", authorID: sessionAuthor};
+        //--> deny access if user isn't allowed to create the pad
+        if(settings.editOnly) statusObject.accessStatus = "deny";
       }
       // there is no valid session avaiable AND pad exists
       else if(!validSession && padExists)
diff --git a/node/utils/Settings.js b/node/utils/Settings.js
index 1d855a53..2aef834d 100644
--- a/node/utils/Settings.js
+++ b/node/utils/Settings.js
@@ -42,6 +42,17 @@ exports.dbSettings = { "filename" : "../var/dirty.db" };
  * The default Text of a new pad
  */
 exports.defaultPadText = "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n";
+
+/**
+ * A flag that requires any user to have a valid session (via the api) before accessing a pad
+ */
+exports.requireSession = false;
+
+/**
+ * A flag that prevents users from creating new pads
+ */
+exports.editOnly = false;
+
 /**
  * A flag that shows if minification is enabled or not
  */
diff --git a/settings.json.template b/settings.json.template
index 199ac6d0..da7b32a4 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -29,6 +29,12 @@
   //the default text of a pad
   "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n",
   
+  /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
+  "requireSession" : false,
+
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : false,
+  
   /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, 
      but makes it impossible to debug the javascript/css */
   "minify" : true,
diff --git a/settings.json.template_windows b/settings.json.template_windows
index 235ec71a..61f14dce 100644
--- a/settings.json.template_windows
+++ b/settings.json.template_windows
@@ -28,6 +28,12 @@
   //the default text of a pad
   "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n",
   
+  /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
+  "requireSession" : false,
+
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : false,
+  
   /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, 
      but makes it impossible to debug the javascript/css */
   "minify" : false,