diff --git a/src/actions.ts b/src/actions.ts
index f1a9120..b3c777f 100644
--- a/src/actions.ts
+++ b/src/actions.ts
@@ -743,6 +743,43 @@ export const actions: {[k: string]: QueryHandler} = {
 		if (!search.page) search.page = 1;
 		return Replays.search(search);
 	},
+	async 'replays/edit'(params) {
+		if (!this.user.isLeader()) throw new ActionError(`Access denied.`);
+		const id = toID(params.id);
+		if (!id) throw new ActionError(`No replay ID was provided.`);
+		const replay = await tables.replays.get(id);
+		if (!replay) throw new ActionError(`Replay ${id} not found.`);
+		let pw;
+		switch (Number(params.private)) {
+		case 3:
+			await tables.replays.update(id, {
+				password: null,
+				private: 3,
+			});
+			break;
+		case 2: // private [1], no pass
+			await tables.replays.update(id, {
+				private: 1,
+				password: null,
+			});
+			break;
+		case 1:
+			if (!replay.password) replay.password = Replays.generatePassword();
+			pw = replay.password;
+			await tables.replays.update(id, {
+				private: 1,
+				password: replay.password,
+			});
+			break;
+		default:
+			await tables.replays.update(id, {
+				password: null,
+				private: 0,
+			});
+			break;
+		}
+		return {password: pw};
+	},
 };
 
 if (Config.actions) {
diff --git a/src/user.ts b/src/user.ts
index e1a0396..e636dcb 100644
--- a/src/user.ts
+++ b/src/user.ts
@@ -23,6 +23,7 @@ export class User {
 	name = 'Guest';
 	id = 'guest';
 	loggedIn = '';
+	group = 0;
 	constructor(name?: string) {
 		if (name) this.setName(name);
 	}
@@ -42,6 +43,11 @@ export class User {
 	isSysop() {
 		return Config.sysops.includes(this.id);
 	}
+	isLeader() {
+		// 2 - admin with 2fa
+		// 6 - admin (no 2fa)
+		return [2, 6].includes(this.group);
+	}
 }
 
 export class Session {
@@ -474,6 +480,7 @@ export class Session {
 		// okay, legit session ID - you're logged in now.
 		const user = new User();
 		user.login(cookieName as string);
+		user.group = (await users.get(user.id))?.group || 0;
 
 		this.sidhash = sid;
 		this.session = session;