diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6de4999..d8c5635 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,25 +5,6 @@ All notable changes to wuttaweb will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## v0.7.0 (2024-08-15)
-
-### Feat
-
-- add sane views for 403 Forbidden and 404 Not Found
-- add permission checks for menus, view routes
-- add first-time setup page to create admin user
-- expose User password for editing in master views
-- expose Role permissions for editing
-- expose User "roles" for editing
-- improve widget, rendering for Role notes
-
-### Fix
-
-- add stub for `PersonView.make_user()`
-- allow arbitrary kwargs for `Form.render_vue_field()`
-- make some tweaks for better tailbone compatibility
-- prevent delete for built-in roles
-
 ## v0.6.0 (2024-08-13)
 
 ### Feat
diff --git a/pyproject.toml b/pyproject.toml
index 35d94ff..c3ce9d4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "WuttaWeb"
-version = "0.7.0"
+version = "0.6.0"
 description = "Web App for Wutta Framework"
 readme = "README.md"
 authors = [{name = "Lance Edgar", email = "lance@edbob.org"}]
@@ -39,7 +39,7 @@ dependencies = [
         "pyramid_tm",
         "waitress",
         "WebHelpers2",
-        "WuttJamaican[db]>=0.11.1",
+        "WuttJamaican[db]>=0.11.0",
         "zope.sqlalchemy>=1.5",
 ]
 
diff --git a/src/wuttaweb/app.py b/src/wuttaweb/app.py
index 845b41f..bafc921 100644
--- a/src/wuttaweb/app.py
+++ b/src/wuttaweb/app.py
@@ -135,12 +135,6 @@ def make_pyramid_config(settings):
     pyramid_config.include('pyramid_mako')
     pyramid_config.include('pyramid_tm')
 
-    # add some permissions magic
-    pyramid_config.add_directive('add_wutta_permission_group',
-                                 'wuttaweb.auth.add_permission_group')
-    pyramid_config.add_directive('add_wutta_permission',
-                                 'wuttaweb.auth.add_permission')
-
     return pyramid_config
 
 
diff --git a/src/wuttaweb/auth.py b/src/wuttaweb/auth.py
index 88b1fea..de9b868 100644
--- a/src/wuttaweb/auth.py
+++ b/src/wuttaweb/auth.py
@@ -148,93 +148,3 @@ class WuttaSecurityPolicy:
         auth = app.get_auth_handler()
         user = self.identity(request)
         return auth.has_permission(self.db_session, user, permission)
-
-
-def add_permission_group(pyramid_config, key, label=None, overwrite=True):
-    """
-    Pyramid directive to add a "permission group" to the app's
-    awareness.
-
-    The app must be made aware of all permissions, so they are exposed
-    when editing a
-    :class:`~wuttjamaican:wuttjamaican.db.model.auth.Role`.  The logic
-    for discovering permissions is in
-    :meth:`~wuttaweb.views.roles.RoleView.get_available_permissions()`.
-
-    This is usually called from within a master view's
-    :meth:`~wuttaweb.views.master.MasterView.defaults()` to establish
-    the permission group which applies to the view model.
-
-    A simple example of usage::
-
-       pyramid_config.add_permission_group('widgets', label="Widgets")
-
-    :param key: Unique key for the permission group.  In the context
-       of a master view, this will be the same as
-       :attr:`~wuttaweb.views.master.MasterView.permission_prefix`.
-
-    :param label: Optional label for the permission group.  If not
-       specified, it is derived from ``key``.
-
-    :param overwrite: If the permission group was already established,
-       this flag controls whether the group's label should be
-       overwritten (with ``label``).
-
-    See also :func:`add_permission()`.
-    """
-    config = pyramid_config.get_settings()['wutta_config']
-    app = config.get_app()
-    def action():
-        perms = pyramid_config.get_settings().get('wutta_permissions', {})
-        if overwrite or key not in perms:
-            group = perms.setdefault(key, {'key': key})
-            group['label'] = label or app.make_title(key)
-        pyramid_config.add_settings({'wutta_permissions': perms})
-    pyramid_config.action(None, action)
-
-
-def add_permission(pyramid_config, groupkey, key, label=None):
-    """
-    Pyramid directive to add a single "permission" to the app's
-    awareness.
-
-    The app must be made aware of all permissions, so they are exposed
-    when editing a
-    :class:`~wuttjamaican:wuttjamaican.db.model.auth.Role`.  The logic
-    for discovering permissions is in
-    :meth:`~wuttaweb.views.roles.RoleView.get_available_permissions()`.
-
-    This is usually called from within a master view's
-    :meth:`~wuttaweb.views.master.MasterView.defaults()` to establish
-    "known" permissions based on master view feature flags
-    (:attr:`~wuttaweb.views.master.MasterView.viewable`,
-    :attr:`~wuttaweb.views.master.MasterView.editable`, etc.).
-
-    A simple example of usage::
-
-       pyramid_config.add_permission('widgets', 'widgets.polish',
-                                     label="Polish all the widgets")
-
-    :param key: Unique key for the permission group.  In the context
-       of a master view, this will be the same as
-       :attr:`~wuttaweb.views.master.MasterView.permission_prefix`.
-
-    :param key: Unique key for the permission.  This should be the
-       "complete" permission name which includes the permission
-       prefix.
-
-    :param label: Optional label for the permission.  If not
-       specified, it is derived from ``key``.
-
-    See also :func:`add_permission_group()`.
-    """
-    def action():
-        config = pyramid_config.get_settings()['wutta_config']
-        app = config.get_app()
-        perms = pyramid_config.get_settings().get('wutta_permissions', {})
-        group = perms.setdefault(groupkey, {'key': groupkey})
-        group.setdefault('label', app.make_title(groupkey))
-        perm = group.setdefault('perms', {}).setdefault(key, {'key': key})
-        perm['label'] = label or app.make_title(key)
-        pyramid_config.add_settings({'wutta_permissions': perms})
-    pyramid_config.action(None, action)
diff --git a/src/wuttaweb/forms/base.py b/src/wuttaweb/forms/base.py
index 8ed17f8..7ee9b01 100644
--- a/src/wuttaweb/forms/base.py
+++ b/src/wuttaweb/forms/base.py
@@ -120,13 +120,6 @@ class Form:
 
        See also :meth:`set_validator()`.
 
-    .. attribute:: defaults
-
-       Dict of default field values, used to construct the form in
-       :meth:`get_schema()`.
-
-       See also :meth:`set_default()`.
-
     .. attribute:: readonly
 
        Boolean indicating the form does not allow submit.  In practice
@@ -255,7 +248,6 @@ class Form:
             nodes={},
             widgets={},
             validators={},
-            defaults={},
             readonly=False,
             readonly_fields=[],
             required_fields={},
@@ -279,7 +271,6 @@ class Form:
         self.nodes = nodes or {}
         self.widgets = widgets or {}
         self.validators = validators or {}
-        self.defaults = defaults or {}
         self.readonly = readonly
         self.readonly_fields = set(readonly_fields or [])
         self.required_fields = required_fields or {}
@@ -384,23 +375,6 @@ class Form:
         """
         self.fields = FieldList(fields)
 
-    def append(self, *keys):
-        """
-        Add some fields(s) to the form.
-
-        This is a convenience to allow adding multiple fields at
-        once::
-
-           form.append('first_field',
-                       'second_field',
-                       'third_field')
-
-        It will add each field to :attr:`fields`.
-        """
-        for key in keys:
-            if key not in self.fields:
-                self.fields.append(key)
-
     def remove(self, *keys):
         """
         Remove some fields(s) from the form.
@@ -497,18 +471,6 @@ class Form:
         if self.schema and key in self.schema:
             self.schema[key].validator = validator
 
-    def set_default(self, key, value):
-        """
-        Set/override the default value for a field.
-
-        :param key: Name of field.
-
-        :param validator: Default value for the field.
-
-        Default value overrides are tracked via :attr:`defaults`.
-        """
-        self.defaults[key] = value
-
     def set_readonly(self, key, readonly=True):
         """
         Enable or disable the "readonly" flag for a given field.
@@ -662,22 +624,29 @@ class Form:
 
             if self.model_class:
 
-                # collect list of field names and/or nodes
-                includes = []
-                for key in fields:
+                # first define full list of 'includes' - final schema
+                # should contain all of these fields
+                includes = list(fields)
+
+                # determine which we want ColanderAlchemy to handle
+                auto_includes = []
+                for key in includes:
+
+                    # skip if we already have a node defined
                     if key in self.nodes:
-                        includes.append(self.nodes[key])
-                    else:
-                        includes.append(key)
+                        continue
+
+                    # we want the magic for this field
+                    auto_includes.append(key)
 
                 # make initial schema with ColanderAlchemy magic
                 schema = SQLAlchemySchemaNode(self.model_class,
-                                              includes=includes)
+                                              includes=auto_includes)
 
-                # fill in the blanks if anything got missed
-                for key in fields:
-                    if key not in schema:
-                        node = colander.SchemaNode(colander.String(), name=key)
+                # now fill in the blanks for non-magic fields
+                for key in includes:
+                    if key not in auto_includes:
+                        node = self.nodes[key]
                         schema.add(node)
 
             else:
@@ -716,11 +685,6 @@ class Form:
                 elif key in schema: # field-level
                     schema[key].validator = validator
 
-            # apply default value overrides
-            for key, value in self.defaults.items():
-                if key in schema:
-                    schema[key].default = value
-
             # apply required flags
             for key, required in self.required_fields.items():
                 if key in schema:
@@ -811,12 +775,7 @@ class Form:
         output = render(template, context)
         return HTML.literal(output)
 
-    def render_vue_field(
-            self,
-            fieldname,
-            readonly=None,
-            **kwargs,
-    ):
+    def render_vue_field(self, fieldname, readonly=None):
         """
         Render the given field completely, i.e. ``<b-field>`` wrapper
         with label and containing a widget.
@@ -832,12 +791,6 @@ class Form:
                     message="something went wrong!">
               <!-- widget element(s) -->
            </b-field>
-
-        .. warning::
-
-           Any ``**kwargs`` received from caller are ignored by this
-           method.  For now they are allowed, for sake of backwawrd
-           compatibility.  This may change in the future.
         """
         # readonly comes from: caller, field flag, or form flag
         if readonly is None:
@@ -950,20 +903,6 @@ class Form:
 
         return model_data
 
-    # TODO: for tailbone compat, should document?
-    # (ideally should remove this and find a better way)
-    def get_vue_field_value(self, key):
-        """ """
-        if key not in self.fields:
-            return
-
-        dform = self.get_deform()
-        if key not in dform:
-            return
-
-        field = dform[key]
-        return make_json_safe(field.cstruct)
-
     def validate(self):
         """
         Try to validate the form, using data from the :attr:`request`.
diff --git a/src/wuttaweb/forms/schema.py b/src/wuttaweb/forms/schema.py
index 98ce0f1..ccb357f 100644
--- a/src/wuttaweb/forms/schema.py
+++ b/src/wuttaweb/forms/schema.py
@@ -257,101 +257,3 @@ class PersonRef(ObjectRef):
     def sort_query(self, query):
         """ """
         return query.order_by(self.model_class.full_name)
-
-
-class WuttaSet(colander.Set):
-    """
-    Custom schema type for :class:`python:set` fields.
-
-    This is a subclass of :class:`colander.Set`, but adds
-    Wutta-related params to the constructor.
-
-    :param request: Current :term:`request` object.
-
-    :param session: Optional :term:`db session` to use instead of
-       :class:`wuttaweb.db.Session`.
-    """
-
-    def __init__(self, request, session=None):
-        super().__init__()
-        self.request = request
-        self.config = self.request.wutta_config
-        self.app = self.config.get_app()
-        self.session = session or Session()
-
-
-class RoleRefs(WuttaSet):
-    """
-    Form schema type for the User
-    :attr:`~wuttjamaican:wuttjamaican.db.model.auth.User.roles`
-    association proxy field.
-
-    This is a subclass of :class:`WuttaSet`.  It uses a ``set`` of
-    :class:`~wuttjamaican:wuttjamaican.db.model.auth.Role` ``uuid``
-    values for underlying data format.
-    """
-
-    def widget_maker(self, **kwargs):
-        """
-        Constructs a default widget for the field.
-
-        :returns: Instance of
-           :class:`~wuttaweb.forms.widgets.RoleRefsWidget`.
-        """
-        kwargs.setdefault('session', self.session)
-
-        if 'values' not in kwargs:
-            model = self.app.model
-            auth = self.app.get_auth_handler()
-            avoid = {
-                auth.get_role_authenticated(self.session),
-                auth.get_role_anonymous(self.session),
-            }
-            avoid = set([role.uuid for role in avoid])
-            roles = self.session.query(model.Role)\
-                                .filter(~model.Role.uuid.in_(avoid))\
-                                .order_by(model.Role.name)\
-                                .all()
-            values = [(role.uuid, role.name) for role in roles]
-            kwargs['values'] = values
-
-        return widgets.RoleRefsWidget(self.request, **kwargs)
-
-
-class Permissions(WuttaSet):
-    """
-    Form schema type for the Role
-    :attr:`~wuttjamaican:wuttjamaican.db.model.auth.Role.permissions`
-    association proxy field.
-
-    This is a subclass of :class:`WuttaSet`.  It uses a ``set`` of
-    :attr:`~wuttjamaican:wuttjamaican.db.model.auth.Permission.permission`
-    values for underlying data format.
-
-    :param permissions: Dict with all possible permissions.  Should be
-       in the same format as returned by
-       :meth:`~wuttaweb.views.roles.RoleView.get_available_permissions()`.
-    """
-
-    def __init__(self, request, permissions, *args, **kwargs):
-        super().__init__(request, *args, **kwargs)
-        self.permissions = permissions
-
-    def widget_maker(self, **kwargs):
-        """
-        Constructs a default widget for the field.
-
-        :returns: Instance of
-           :class:`~wuttaweb.forms.widgets.PermissionsWidget`.
-        """
-        kwargs.setdefault('session', self.session)
-        kwargs.setdefault('permissions', self.permissions)
-
-        if 'values' not in kwargs:
-            values = []
-            for gkey, group in self.permissions.items():
-                for pkey, perm in group['perms'].items():
-                    values.append((pkey, perm['label']))
-            kwargs['values'] = values
-
-        return widgets.PermissionsWidget(self.request, **kwargs)
diff --git a/src/wuttaweb/forms/widgets.py b/src/wuttaweb/forms/widgets.py
index b4d8254..6627375 100644
--- a/src/wuttaweb/forms/widgets.py
+++ b/src/wuttaweb/forms/widgets.py
@@ -30,21 +30,12 @@ in the namespace:
 
 * :class:`deform:deform.widget.Widget` (base class)
 * :class:`deform:deform.widget.TextInputWidget`
-* :class:`deform:deform.widget.TextAreaWidget`
-* :class:`deform:deform.widget.PasswordWidget`
-* :class:`deform:deform.widget.CheckedPasswordWidget`
 * :class:`deform:deform.widget.SelectWidget`
-* :class:`deform:deform.widget.CheckboxChoiceWidget`
 """
 
-import colander
-from deform.widget import (Widget, TextInputWidget, TextAreaWidget,
-                           PasswordWidget, CheckedPasswordWidget,
-                           SelectWidget, CheckboxChoiceWidget)
+from deform.widget import Widget, TextInputWidget, SelectWidget
 from webhelpers2.html import HTML
 
-from wuttaweb.db import Session
-
 
 class ObjectRefWidget(SelectWidget):
     """
@@ -57,18 +48,6 @@ class ObjectRefWidget(SelectWidget):
     the form schema; via
     :meth:`~wuttaweb.forms.schema.ObjectRef.widget_maker()`.
 
-    In readonly mode, this renders a ``<span>`` tag around the
-    :attr:`model_instance` (converted to string).
-
-    Otherwise it renders a select (dropdown) element allowing user to
-    choose from available records.
-
-    This is a subclass of :class:`deform:deform.widget.SelectWidget`
-    and uses these Deform templates:
-
-    * ``select``
-    * ``readonly/objectref``
-
     .. attribute:: model_instance
 
        Reference to the model record instance, i.e. the "far side" of
@@ -81,112 +60,23 @@ class ObjectRefWidget(SelectWidget):
           when the :class:`~wuttaweb.forms.schema.ObjectRef` type
           instance (associated with the node) is serialized.
     """
-    readonly_template = 'readonly/objectref'
 
     def __init__(self, request, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.request = request
 
-
-class NotesWidget(TextAreaWidget):
-    """
-    Widget for use with "notes" fields.
-
-    In readonly mode, this shows the notes with a background to make
-    them stand out a bit more.
-
-    Otherwise it effectively shows a ``<textarea>`` input element.
-
-    This is a subclass of :class:`deform:deform.widget.TextAreaWidget`
-    and uses these Deform templates:
-
-    * ``textarea``
-    * ``readonly/notes``
-    """
-    readonly_template = 'readonly/notes'
-
-
-class WuttaCheckboxChoiceWidget(CheckboxChoiceWidget):
-    """
-    Custom widget for :class:`python:set` fields.
-
-    This is a subclass of
-    :class:`deform:deform.widget.CheckboxChoiceWidget`, but adds
-    Wutta-related params to the constructor.
-
-    :param request: Current :term:`request` object.
-
-    :param session: Optional :term:`db session` to use instead of
-       :class:`wuttaweb.db.Session`.
-
-    It uses these Deform templates:
-
-    * ``checkbox_choice``
-    * ``readonly/checkbox_choice``
-    """
-
-    def __init__(self, request, session=None, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.request = request
-        self.config = self.request.wutta_config
-        self.app = self.config.get_app()
-        self.session = session or Session()
-
-
-class RoleRefsWidget(WuttaCheckboxChoiceWidget):
-    """
-    Widget for use with User
-    :attr:`~wuttjamaican:wuttjamaican.db.model.auth.User.roles` field.
-
-    This is a subclass of :class:`WuttaCheckboxChoiceWidget`.
-    """
-
     def serialize(self, field, cstruct, **kw):
-        """ """
-        # special logic when field is editable
+        """
+        Serialize the widget.
+
+        In readonly mode, returns a ``<span>`` tag around the
+        :attr:`model_instance` rendered as string.
+
+        Otherwise renders via the ``deform/select`` template.
+        """
         readonly = kw.get('readonly', self.readonly)
-        if not readonly:
-
-            # but does not apply if current user is root
-            if not self.request.is_root:
-                auth = self.app.get_auth_handler()
-                admin = auth.get_role_administrator(self.session)
-
-                # prune admin role from values list; it should not be
-                # one of the options since current user is not admin
-                values = kw.get('values', self.values)
-                values = [val for val in values
-                          if val[0] != admin.uuid]
-                kw['values'] = values
-
-        # default logic from here
-        return super().serialize(field, cstruct, **kw)
-
-
-class PermissionsWidget(WuttaCheckboxChoiceWidget):
-    """
-    Widget for use with Role
-    :attr:`~wuttjamaican:wuttjamaican.db.model.auth.Role.permissions`
-    field.
-
-    This is a subclass of :class:`WuttaCheckboxChoiceWidget`.  It uses
-    these Deform templates:
-
-    * ``permissions``
-    * ``readonly/permissions``
-    """
-    template = 'permissions'
-    readonly_template = 'readonly/permissions'
-
-    def serialize(self, field, cstruct, **kw):
-        """ """
-        kw.setdefault('permissions', self.permissions)
-
-        if 'values' not in kw:
-            values = []
-            for gkey, group in self.permissions.items():
-                for pkey, perm in group['perms'].items():
-                    values.append((pkey, perm['label']))
-            kw['values'] = values
+        if readonly:
+            obj = field.schema.model_instance
+            return HTML.tag('span', c=str(obj or ''))
 
         return super().serialize(field, cstruct, **kw)
diff --git a/src/wuttaweb/grids/base.py b/src/wuttaweb/grids/base.py
index 1e793bd..a53cca4 100644
--- a/src/wuttaweb/grids/base.py
+++ b/src/wuttaweb/grids/base.py
@@ -24,7 +24,6 @@
 Base grid classes
 """
 
-import functools
 import json
 import logging
 
@@ -82,12 +81,6 @@ class Grid:
        model records) or else an object capable of producing such a
        list, e.g. SQLAlchemy query.
 
-    .. attribute:: renderers
-
-       Dict of column (cell) value renderer overrides.
-
-       See also :meth:`set_renderer()`.
-
     .. attribute:: actions
 
        List of :class:`GridAction` instances represenging action links
@@ -113,7 +106,6 @@ class Grid:
             key=None,
             columns=None,
             data=None,
-            renderers={},
             actions=[],
             linked_columns=[],
             vue_tagname='wutta-grid',
@@ -122,7 +114,6 @@ class Grid:
         self.model_class = model_class
         self.key = key
         self.data = data
-        self.renderers = renderers or {}
         self.actions = actions or []
         self.linked_columns = linked_columns or []
         self.vue_tagname = vue_tagname
@@ -186,23 +177,6 @@ class Grid:
         """
         self.columns = FieldList(columns)
 
-    def append(self, *keys):
-        """
-        Add some columns(s) to the grid.
-
-        This is a convenience to allow adding multiple columns at
-        once::
-
-           grid.append('first_field',
-                       'second_field',
-                       'third_field')
-
-        It will add each column to :attr:`columns`.
-        """
-        for key in keys:
-            if key not in self.columns:
-                self.columns.append(key)
-
     def remove(self, *keys):
         """
         Remove some column(s) from the grid.
@@ -220,47 +194,6 @@ class Grid:
             if key in self.columns:
                 self.columns.remove(key)
 
-    def set_renderer(self, key, renderer, **kwargs):
-        """
-        Set/override the value renderer for a column.
-
-        :param key: Name of column.
-
-        :param renderer: Callable as described below.
-
-        Depending on the nature of grid data, sometimes a cell's
-        "as-is" value will be undesirable for display purposes.
-
-        The logic in :meth:`get_vue_data()` will first "convert" all
-        grid data as necessary so that it is at least JSON-compatible.
-
-        But then it also will invoke a renderer override (if defined)
-        to obtain the "final" cell value.
-
-        A renderer must be a callable which accepts 3 args ``(record,
-        key, value)``:
-
-        * ``record`` is the "original" record from :attr:`data`
-        * ``key`` is the column name
-        * ``value`` is the JSON-safe cell value
-
-        Whatever the renderer returns, is then used as final cell
-        value.  For instance::
-
-           from webhelpers2.html import HTML
-
-           def render_foo(record, key, value):
-              return HTML.literal("<p>this is the final cell value</p>")
-
-           grid = Grid(columns=['foo', 'bar'])
-           grid.set_renderer('foo', render_foo)
-
-        Renderer overrides are tracked via :attr:`renderers`.
-        """
-        if kwargs:
-            renderer = functools.partial(renderer, **kwargs)
-        self.renderers[key] = renderer
-
     def set_link(self, key, link=True):
         """
         Explicitly enable or disable auto-link behavior for a given
@@ -419,27 +352,17 @@ class Grid:
         # we have action(s), so add URL(s) for each record in data
         data = []
         for i, record in enumerate(original_data):
-            original_record = record
-
-            record = dict(record)
 
             # convert data if needed, for json compat
             record = make_json_safe(record,
                                     # TODO: is this a good idea?
                                     warn=False)
 
-            # customize value rendering where applicable
-            for key in self.renderers:
-                value = record[key]
-                record[key] = self.renderers[key](original_record, key, value)
-
             # add action urls to each record
             for action in self.actions:
+                url = action.get_url(record, i)
                 key = f'_action_url_{action.key}'
-                if key not in record:
-                    url = action.get_url(original_record, i)
-                    if url:
-                        record[key] = url
+                record[key] = url
 
             data.append(record)
 
@@ -552,7 +475,7 @@ class GridAction:
         See also :meth:`render_icon_and_label()`.
         """
         if self.request.use_oruga:
-            return HTML.tag('o-icon', icon=self.icon)
+            raise NotImplementedError
 
         return HTML.tag('i', class_=f'fas fa-{self.icon}')
 
diff --git a/src/wuttaweb/menus.py b/src/wuttaweb/menus.py
index 84d5534..fc4581a 100644
--- a/src/wuttaweb/menus.py
+++ b/src/wuttaweb/menus.py
@@ -272,8 +272,9 @@ class MenuHandler(GenericHandler):
         current user.
         """
         perm = item.get('perm')
-        if perm:
-            return request.has_perm(perm)
+        # TODO
+        # if perm:
+        #     return request.has_perm(perm)
         return True
 
     def _mark_allowed(self, request, menus):
diff --git a/src/wuttaweb/subscribers.py b/src/wuttaweb/subscribers.py
index eed4efe..2202059 100644
--- a/src/wuttaweb/subscribers.py
+++ b/src/wuttaweb/subscribers.py
@@ -139,16 +139,6 @@ def new_request_set_user(
        pyramid_config.add_subscriber('wuttaweb.subscribers.new_request_set_user',
                                      'pyramid.events.NewRequest')
 
-    You may wish to "supplement" this hook by registering your own
-    custom hook and then invoking this one as needed.  You can then
-    pass certain params to override only parts of the logic:
-
-    :param user_getter: Optional getter function to retrieve the user
-       from database, instead of :func:`default_user_getter()`.
-
-    :param db_session: Optional :term:`db session` to use,
-       instead of :class:`wuttaweb.db.Session`.
-
     This will add to the request object:
 
     .. attribute:: request.user
@@ -168,36 +158,19 @@ def new_request_set_user(
        privileges.  This is only possible if :attr:`request.is_admin`
        is also true.
 
-    .. attribute:: request.user_permissions
+    You may wish to "supplement" this hook by registering your own
+    custom hook and then invoking this one as needed.  You can then
+    pass certain params to override only parts of the logic:
 
-       The ``set`` of permission names which are granted to the
-       current user.
-
-       This set is obtained by calling
-       :meth:`~wuttjamaican:wuttjamaican.auth.AuthHandler.get_permissions()`.
-
-    .. function:: request.has_perm(name)
-
-       Shortcut to check if current user has the given permission::
-
-          if not request.has_perm('users.edit'):
-              raise self.forbidden()
-
-    .. function:: request.has_any_perm(*names)
-
-       Shortcut to check if current user has any of the given
-       permissions::
-
-          if request.has_any_perm('users.list', 'users.view'):
-              return "can either list or view"
-          else:
-              raise self.forbidden()
+    :param user_getter: Optional getter function to retrieve the user
+       from database, instead of :func:`default_user_getter()`.
 
+    :param db_session: Optional :term:`db session` to use,
+       instead of :class:`wuttaweb.db.Session`.
     """
     request = event.request
     config = request.registry.settings['wutta_config']
     app = config.get_app()
-    auth = app.get_auth_handler()
 
     # request.user
     if db_session:
@@ -206,6 +179,7 @@ def new_request_set_user(
 
     # request.is_admin
     def is_admin(request):
+        auth = app.get_auth_handler()
         return auth.user_is_admin(request.user)
     request.set_property(is_admin, reify=True)
 
@@ -217,29 +191,6 @@ def new_request_set_user(
         return False
     request.set_property(is_root, reify=True)
 
-    # request.user_permissions
-    def user_permissions(request):
-        session = db_session or Session()
-        return auth.get_permissions(session, request.user)
-    request.set_property(user_permissions, reify=True)
-
-    # request.has_perm()
-    def has_perm(name):
-        if request.is_root:
-            return True
-        if name in request.user_permissions:
-            return True
-        return False
-    request.has_perm = has_perm
-
-    # request.has_any_perm()
-    def has_any_perm(*names):
-        for name in names:
-            if request.has_perm(name):
-                return True
-        return False
-    request.has_any_perm = has_any_perm
-
 
 def before_render(event):
     """
diff --git a/src/wuttaweb/templates/base.mako b/src/wuttaweb/templates/base.mako
index 32635d7..ef5a295 100644
--- a/src/wuttaweb/templates/base.mako
+++ b/src/wuttaweb/templates/base.mako
@@ -222,7 +222,7 @@
                     % else:
                         <h1 class="title">${index_title}</h1>
                     % endif
-                    % if master and master.creatable and not master.creating and master.has_perm('create'):
+                    % if master and master.creatable and not master.creating:
                         <wutta-button once type="is-primary"
                                       tag="a" href="${url(f'{route_prefix}.create')}"
                                       icon-left="plus"
@@ -235,7 +235,8 @@
 
             <div class="level-right">
 
-              % if master and master.configurable and not master.configuring and master.has_perm('configure'):
+              ## TODO
+              % if master and master.configurable and not master.configuring:
                   <div class="level-item">
                     <wutta-button once type="is-primary"
                                   tag="a" href="${url(f'{route_prefix}.configure')}"
@@ -347,7 +348,7 @@
           % elif request.is_admin:
               ${h.form(url('become_root'), ref='startBeingRootForm')}
               ${h.csrf_token(request)}
-              <input type="hidden" name="referrer" value="${request.url}" />
+              <input type="hidden" name="referrer" value="${request.current_route_url()}" />
               <a @click="startBeingRoot()"
                  class="navbar-item has-background-danger has-text-white">
                 Become root
@@ -377,23 +378,19 @@
                        tag="a" href="${master.get_action_url('edit', instance)}"
                        icon-left="edit"
                        label="Edit This" />
-         % if instance_deletable:
-             <wutta-button once type="is-danger"
-                           tag="a" href="${master.get_action_url('delete', instance)}"
-                           icon-left="trash"
-                           label="Delete This" />
-         % endif
+         <wutta-button once type="is-danger"
+                       tag="a" href="${master.get_action_url('delete', instance)}"
+                       icon-left="trash"
+                       label="Delete This" />
      % elif master.editing:
          <wutta-button once
                        tag="a" href="${master.get_action_url('view', instance)}"
                        icon-left="eye"
                        label="View This" />
-         % if instance_deletable:
-             <wutta-button once type="is-danger"
-                           tag="a" href="${master.get_action_url('delete', instance)}"
-                           icon-left="trash"
-                           label="Delete This" />
-         % endif
+         <wutta-button once type="is-danger"
+                       tag="a" href="${master.get_action_url('delete', instance)}"
+                       icon-left="trash"
+                       label="Delete This" />
      % elif master.deleting:
          <wutta-button once
                        tag="a" href="${master.get_action_url('view', instance)}"
diff --git a/src/wuttaweb/templates/deform/checkbox_choice.pt b/src/wuttaweb/templates/deform/checkbox_choice.pt
deleted file mode 100644
index f09b373..0000000
--- a/src/wuttaweb/templates/deform/checkbox_choice.pt
+++ /dev/null
@@ -1,18 +0,0 @@
-<div tal:define="css_class css_class|field.widget.css_class;
-                 style style|field.widget.style;
-                 oid oid|field.oid;">
-  ${field.start_sequence()}
-  <div style="display: flex; flex-direction: column; gap: 0.5rem;">
-    <div tal:repeat="choice values | field.widget.values"
-         tal:omit-tag="">
-      <b-checkbox tal:define="(value, title) choice"
-                  name="checkbox"
-                  native-value="${value}"
-                  tal:attributes=":value 'true' if value in cstruct else 'false';
-                                  attributes|field.widget.attributes|{};">
-        ${title}
-      </b-checkbox>
-    </div>
-  </div>
-  ${field.end_sequence()}
-</div>
diff --git a/src/wuttaweb/templates/deform/permissions.pt b/src/wuttaweb/templates/deform/permissions.pt
deleted file mode 100644
index 4b34793..0000000
--- a/src/wuttaweb/templates/deform/permissions.pt
+++ /dev/null
@@ -1,23 +0,0 @@
-<div>
-  ${field.start_sequence()}
-  <tal:loop tal:repeat="groupkey sorted(permissions, key=lambda k: permissions[k]['label'].lower())">
-    <div class="card block"
-         tal:define="perms permissions[groupkey]['perms'];">
-      <header class="card-header">
-        <p class="card-header-title">${permissions[groupkey]['label']}</p>
-      </header>
-      <div class="card-content">
-        <div style="display: flex; flex-direction: column; gap: 0.5rem;">
-          <tal:loop tal:repeat="key sorted(perms, key=lambda p: perms[p]['label'].lower())">
-            <b-checkbox name="checkbox"
-                        native-value="${key}"
-                        tal:attributes=":value 'true' if key in cstruct else 'false';">
-              ${perms[key]['label']}
-            </b-checkbox>
-          </tal:loop>
-        </div>
-      </div>
-    </div>
-  </tal:loop>
-  ${field.end_sequence()}
-</div>
diff --git a/src/wuttaweb/templates/deform/readonly/notes.pt b/src/wuttaweb/templates/deform/readonly/notes.pt
deleted file mode 100644
index d109f59..0000000
--- a/src/wuttaweb/templates/deform/readonly/notes.pt
+++ /dev/null
@@ -1,7 +0,0 @@
-<div tal:omit-tag="">
-  <span tal:condition="not cstruct"></span>
-  <pre tal:condition="cstruct"
-       class="is-family-sans-serif"
-       style="white-space: pre-wrap;"
-       >${cstruct}</pre>
-</div>
diff --git a/src/wuttaweb/templates/deform/readonly/objectref.pt b/src/wuttaweb/templates/deform/readonly/objectref.pt
deleted file mode 100644
index 0b941ab..0000000
--- a/src/wuttaweb/templates/deform/readonly/objectref.pt
+++ /dev/null
@@ -1 +0,0 @@
-<span>${str(field.schema.model_instance or '')}</span>
diff --git a/src/wuttaweb/templates/deform/readonly/permissions.pt b/src/wuttaweb/templates/deform/readonly/permissions.pt
deleted file mode 100644
index 6a433b3..0000000
--- a/src/wuttaweb/templates/deform/readonly/permissions.pt
+++ /dev/null
@@ -1,18 +0,0 @@
-<div>
-  <tal:loop tal:repeat="groupkey sorted(permissions, key=lambda k: permissions[k]['label'].lower())">
-    <div class="card block"
-         tal:condition="any([key in cstruct for key in permissions[groupkey]['perms']])"
-         tal:define="perms permissions[groupkey]['perms'];">
-      <header class="card-header">
-        <p class="card-header-title">${permissions[groupkey]['label']}</p>
-      </header>
-      <div class="card-content">
-        <div style="display: flex; flex-direction: column; gap: 0.5rem;">
-          <tal:loop tal:repeat="key sorted(perms, key=lambda p: perms[p]['label'].lower())">
-            <span tal:condition="key in cstruct">${perms[key]['label']}</span>
-          </tal:loop>
-        </div>
-      </div>
-    </div>
-  </tal:loop>
-</div>
diff --git a/src/wuttaweb/templates/deform/textarea.pt b/src/wuttaweb/templates/deform/textarea.pt
deleted file mode 100644
index 00c82b5..0000000
--- a/src/wuttaweb/templates/deform/textarea.pt
+++ /dev/null
@@ -1,11 +0,0 @@
-<div tal:define="name name|field.name;
-                 oid oid|field.oid;
-                 vmodel vmodel|'modelData.'+oid;
-                 rows rows|field.widget.rows;
-                 cols cols|field.widget.cols;"
-     tal:omit-tag="">
-  <b-input name="${name}"
-           v-model="${vmodel}"
-           type="textarea"
-           tal:attributes="attributes|field.widget.attributes|{};" />
-</div>
diff --git a/src/wuttaweb/templates/forbidden.mako b/src/wuttaweb/templates/forbidden.mako
deleted file mode 100644
index b65e02f..0000000
--- a/src/wuttaweb/templates/forbidden.mako
+++ /dev/null
@@ -1,26 +0,0 @@
-## -*- coding: utf-8; -*-
-<%inherit file="/page.mako" />
-
-<%def name="title()">Access Denied</%def>
-
-<%def name="page_content()">
-  <div style="padding: 4rem;">
-    <p class="block is-size-5">
-      You are trying to access something for which you do not have permission.
-    </p>
-    <p class="block is-size-5">
-      If you feel this is an error, please ask a site admin to give you access.
-    </p>
-    % if not request.user:
-        <p class="block is-size-5">
-          Or probably, you should just ${h.link_to("Login", url('login'))}.
-        </p>
-    % endif
-    <b-field label="Current URL">
-      ${request.url}
-    </b-field>
-  </div>
-</%def>
-
-
-${parent.body()}
diff --git a/src/wuttaweb/templates/form.mako b/src/wuttaweb/templates/form.mako
index fc6d3c0..81b6ece 100644
--- a/src/wuttaweb/templates/form.mako
+++ b/src/wuttaweb/templates/form.mako
@@ -9,19 +9,15 @@
 
 <%def name="render_this_page_template()">
   ${parent.render_this_page_template()}
-  % if form is not Undefined:
-      ${form.render_vue_template()}
-  % endif
+  ${form.render_vue_template()}
 </%def>
 
 <%def name="finalize_this_page_vars()">
   ${parent.finalize_this_page_vars()}
-  % if form is not Undefined:
-      <script>
-        ${form.vue_component}.data = function() { return ${form.vue_component}Data }
-        Vue.component('${form.vue_tagname}', ${form.vue_component})
-      </script>
-  % endif
+  <script>
+    ${form.vue_component}.data = function() { return ${form.vue_component}Data }
+    Vue.component('${form.vue_tagname}', ${form.vue_component})
+  </script>
 </%def>
 
 
diff --git a/src/wuttaweb/templates/grids/vue_template.mako b/src/wuttaweb/templates/grids/vue_template.mako
index 5e60bab..cbeb4ca 100644
--- a/src/wuttaweb/templates/grids/vue_template.mako
+++ b/src/wuttaweb/templates/grids/vue_template.mako
@@ -24,8 +24,7 @@
                            label="Actions"
                            v-slot="props">
           % for action in grid.actions:
-              <a v-if="props.row._action_url_${action.key}"
-                 :href="props.row._action_url_${action.key}"
+              <a :href="props.row._action_url_${action.key}"
                  class="${action.link_class}">
                 ${action.render_icon_and_label()}
               </a>
diff --git a/src/wuttaweb/templates/notfound.mako b/src/wuttaweb/templates/notfound.mako
deleted file mode 100644
index d28072a..0000000
--- a/src/wuttaweb/templates/notfound.mako
+++ /dev/null
@@ -1,23 +0,0 @@
-## -*- coding: utf-8; -*-
-<%inherit file="/page.mako" />
-
-<%def name="title()">Not Found</%def>
-
-<%def name="page_content()">
-  <div style="padding: 4rem;">
-    <p class="block is-size-5">
-      Not saying <span class="has-text-weight-bold">you</span> don't
-      know what you're talking about..
-    </p>
-    <p class="block is-size-5">
-      ..but <span class="has-text-weight-bold">*I*</span> don't know
-      what you're talking about.
-    </p>
-    <b-field label="Current URL">
-      ${request.url}
-    </b-field>
-  </div>
-</%def>
-
-
-${parent.body()}
diff --git a/src/wuttaweb/templates/people/view_profile.mako b/src/wuttaweb/templates/people/view_profile.mako
deleted file mode 100644
index 1457074..0000000
--- a/src/wuttaweb/templates/people/view_profile.mako
+++ /dev/null
@@ -1,12 +0,0 @@
-## -*- coding: utf-8; -*-
-<%inherit file="/master/view.mako" />
-
-<%def name="page_content()">
-  <p class="block is-size-5">
-    TODO: view profile page content
-  </p>
-</%def>
-
-<%def name="title()">TODO: title</%def>
-
-${parent.body()}
diff --git a/src/wuttaweb/templates/setup.mako b/src/wuttaweb/templates/setup.mako
deleted file mode 100644
index 9728d9f..0000000
--- a/src/wuttaweb/templates/setup.mako
+++ /dev/null
@@ -1,20 +0,0 @@
-## -*- coding: utf-8; -*-
-<%inherit file="/form.mako" />
-
-<%def name="title()">First-Time Setup</%def>
-
-<%def name="page_content()">
-  <b-notification type="is-success">
-    <p class="block">
-      The app is running okay!
-    </p>
-    <p class="block">
-      Please setup the first Administrator account below.
-    </p>
-  </b-notification>
-
-  ${parent.page_content()}
-</%def>
-
-
-${parent.body()}
diff --git a/src/wuttaweb/util.py b/src/wuttaweb/util.py
index 02b5bcd..36942c3 100644
--- a/src/wuttaweb/util.py
+++ b/src/wuttaweb/util.py
@@ -28,8 +28,6 @@ import importlib
 import json
 import logging
 
-import sqlalchemy as sa
-
 import colander
 from webhelpers2.html import HTML, tags
 
@@ -422,17 +420,14 @@ def get_model_fields(config, model_class=None):
     that to determine the field listing if applicable.  Otherwise this
     returns ``None``.
     """
-    if not model_class:
-        return
-
-    app = config.get_app()
-    model = app.model
-    if not issubclass(model_class, model.Base):
-        return
-
-    mapper = sa.inspect(model_class)
-    fields = [prop.key for prop in mapper.iterate_properties]
-    return fields
+    if model_class:
+        import sqlalchemy as sa
+        app = config.get_app()
+        model = app.model
+        if model_class and issubclass(model_class, model.Base):
+            mapper = sa.inspect(model_class)
+            fields = list([prop.key for prop in mapper.iterate_properties])
+            return fields
 
 
 def make_json_safe(value, key=None, warn=True):
diff --git a/src/wuttaweb/views/auth.py b/src/wuttaweb/views/auth.py
index abb52ea..894752a 100644
--- a/src/wuttaweb/views/auth.py
+++ b/src/wuttaweb/views/auth.py
@@ -25,11 +25,11 @@ Auth Views
 """
 
 import colander
+from deform.widget import TextInputWidget, PasswordWidget, CheckedPasswordWidget
 
 from wuttaweb.views import View
 from wuttaweb.db import Session
 from wuttaweb.auth import login_user, logout_user
-from wuttaweb.forms import widgets
 
 
 class AuthView(View):
@@ -47,16 +47,10 @@ class AuthView(View):
         * route: ``login``
         * template: ``/auth/login.mako``
         """
-        model = self.app.model
-        session = session or Session()
         auth = self.app.get_auth_handler()
 
-        # nb. redirect to /setup if no users exist
-        user = session.query(model.User).first()
-        if not user:
-            return self.redirect(self.request.route_url('setup'))
-
-        referrer = self.request.get_referrer()
+        # TODO: should call request.get_referrer()
+        referrer = self.request.route_url('home')
 
         # redirect if already logged in
         if self.request.user:
@@ -75,6 +69,7 @@ class AuthView(View):
         if data:
 
             # truly validate user credentials
+            session = session or Session()
             user = auth.authenticate_user(session, data['username'], data['password'])
             if user:
 
@@ -102,14 +97,14 @@ class AuthView(View):
         schema.add(colander.SchemaNode(
             colander.String(),
             name='username',
-            widget=widgets.TextInputWidget(attributes={
+            widget=TextInputWidget(attributes={
                 'ref': 'username',
             })))
 
         schema.add(colander.SchemaNode(
             colander.String(),
             name='password',
-            widget=widgets.PasswordWidget(attributes={
+            widget=PasswordWidget(attributes={
                 'ref': 'password',
             })))
 
@@ -179,13 +174,13 @@ class AuthView(View):
         schema.add(colander.SchemaNode(
             colander.String(),
             name='current_password',
-            widget=widgets.PasswordWidget(),
+            widget=PasswordWidget(),
             validator=self.change_password_validate_current_password))
 
         schema.add(colander.SchemaNode(
             colander.String(),
             name='new_password',
-            widget=widgets.CheckedPasswordWidget(),
+            widget=CheckedPasswordWidget(),
             validator=self.change_password_validate_new_password))
 
         return schema
diff --git a/src/wuttaweb/views/common.py b/src/wuttaweb/views/common.py
index 233ef20..b5c108e 100644
--- a/src/wuttaweb/views/common.py
+++ b/src/wuttaweb/views/common.py
@@ -24,11 +24,7 @@
 Common Views
 """
 
-import colander
-
 from wuttaweb.views import View
-from wuttaweb.forms import widgets
-from wuttaweb.db import Session
 
 
 class CommonView(View):
@@ -36,7 +32,7 @@ class CommonView(View):
     Common views shared by all apps.
     """
 
-    def home(self, session=None):
+    def home(self):
         """
         Home page view.
 
@@ -44,144 +40,12 @@ class CommonView(View):
 
         This is normally the view shown when a user navigates to the
         root URL for the web app.
+
         """
-        model = self.app.model
-        session = session or Session()
-
-        # nb. redirect to /setup if no users exist
-        user = session.query(model.User).first()
-        if not user:
-            return self.redirect(self.request.route_url('setup'))
-
         return {
             'index_title': self.app.get_title(),
         }
 
-    def forbidden_view(self):
-        """
-        This view is shown when a request triggers a 403 Forbidden error.
-
-        Template: ``/forbidden.mako``
-        """
-        return {'index_title': self.app.get_title()}
-
-    def notfound_view(self):
-        """
-        This view is shown when a request triggers a 404 Not Found error.
-
-        Template: ``/notfound.mako``
-        """
-        return {'index_title': self.app.get_title()}
-
-    def setup(self, session=None):
-        """
-        View for first-time app setup, to create admin user.
-
-        Template: ``/setup.mako``
-
-        This page is only meant for one-time use.  As such, if the app
-        DB contains any users, this page will always redirect to the
-        home page.
-
-        However if no users exist yet, this will show a form which may
-        be used to create the first admin user.  When finished, user
-        will be redirected to the login page.
-
-        .. note::
-
-           As long as there are no users in the DB, both the home and
-           login pages will automatically redirect to this one.
-        """
-        model = self.app.model
-        session = session or Session()
-
-        # nb. this view only available until first user is created
-        user = session.query(model.User).first()
-        if user:
-            return self.redirect(self.request.route_url('home'))
-
-        form = self.make_form(fields=['username', 'password', 'first_name', 'last_name'],
-                              show_button_cancel=False,
-                              show_button_reset=True)
-        form.set_widget('password', widgets.CheckedPasswordWidget())
-        form.set_required('first_name', False)
-        form.set_required('last_name', False)
-
-        if form.validate():
-            auth = self.app.get_auth_handler()
-            data = form.validated
-
-            # make user
-            user = auth.make_user(session=session, username=data['username'])
-            auth.set_user_password(user, data['password'])
-
-            # assign admin role
-            admin = auth.get_role_administrator(session)
-            user.roles.append(admin)
-            admin.notes = ("users in this role may \"become root\".\n\n"
-                           "it's recommended not to grant other perms to this role.")
-
-            # initialize built-in roles
-            authed = auth.get_role_authenticated(session)
-            authed.notes = ("this role represents any user who *is* logged in.\n\n"
-                            "you may grant any perms you like to it.")
-            anon = auth.get_role_anonymous(session)
-            anon.notes = ("this role represents any user who is *not* logged in.\n\n"
-                          "you may grant any perms you like to it.")
-
-            # also make "Site Admin" role
-            site_admin_perms = [
-                'appinfo.list',
-                'appinfo.configure',
-                'people.list',
-                'people.create',
-                'people.view',
-                'people.edit',
-                'people.delete',
-                'roles.list',
-                'roles.create',
-                'roles.view',
-                'roles.edit',
-                'roles.edit_builtin',
-                'roles.delete',
-                'settings.list',
-                'settings.create',
-                'settings.view',
-                'settings.edit',
-                'settings.delete',
-                'users.list',
-                'users.create',
-                'users.view',
-                'users.edit',
-                'users.delete',
-            ]
-            admin2 = model.Role(name="Site Admin")
-            admin2.notes = ("this is the \"daily driver\" admin role.\n\n"
-                            "you may grant any perms you like to it.")
-            session.add(admin2)
-            user.roles.append(admin2)
-            for perm in site_admin_perms:
-                auth.grant_permission(admin2, perm)
-
-            # maybe make person
-            if data['first_name'] or data['last_name']:
-                first = data['first_name']
-                last = data['last_name']
-                person = model.Person(first_name=first,
-                                      last_name=last,
-                                      full_name=(f"{first} {last}").strip())
-                session.add(person)
-                user.person = person
-
-            # send user to /login
-            self.request.session.flash("Account created! Please login below.")
-            return self.redirect(self.request.route_url('login'))
-
-        return {
-            'index_title': self.app.get_title(),
-            'form': form,
-        }
-
     @classmethod
     def defaults(cls, config):
         cls._defaults(config)
@@ -189,28 +53,15 @@ class CommonView(View):
     @classmethod
     def _defaults(cls, config):
 
+        # auto-correct URLs which require trailing slash
+        config.add_notfound_view(cls, attr='notfound', append_slash=True)
+
         # home page
         config.add_route('home', '/')
         config.add_view(cls, attr='home',
                         route_name='home',
                         renderer='/home.mako')
 
-        # forbidden
-        config.add_forbidden_view(cls, attr='forbidden_view',
-                                  renderer='/forbidden.mako')
-
-        # notfound
-        # nb. also, auto-correct URLs which require trailing slash
-        config.add_notfound_view(cls, attr='notfound_view',
-                                 append_slash=True,
-                                 renderer='/notfound.mako')
-
-        # setup
-        config.add_route('setup', '/setup')
-        config.add_view(cls, attr='setup',
-                        route_name='setup',
-                        renderer='/setup.mako')
-
 
 def defaults(config, **kwargs):
     base = globals()
diff --git a/src/wuttaweb/views/master.py b/src/wuttaweb/views/master.py
index fe4448f..2cd816a 100644
--- a/src/wuttaweb/views/master.py
+++ b/src/wuttaweb/views/master.py
@@ -28,7 +28,6 @@ import sqlalchemy as sa
 from sqlalchemy import orm
 
 from pyramid.renderers import render_to_response
-from webhelpers2.html import HTML
 
 from wuttaweb.views import View
 from wuttaweb.util import get_form_data, get_model_fields
@@ -139,14 +138,6 @@ class MasterView(View):
        Code should not access this directly but instead call
        :meth:`get_route_prefix()`.
 
-    .. attribute:: permission_prefix
-
-       Optional override for the view's permission prefix,
-       e.g. ``'wutta_widgets'``.
-
-       Code should not access this directly but instead call
-       :meth:`get_permission_prefix()`.
-
     .. attribute:: url_prefix
 
        Optional override for the view's URL prefix,
@@ -198,16 +189,12 @@ class MasterView(View):
        i.e. it should have an :meth:`edit()` view.  Default value is
        ``True``.
 
-       See also :meth:`is_editable()`.
-
     .. attribute:: deletable
 
        Boolean indicating whether the view model supports "deleting" -
        i.e. it should have a :meth:`delete()` view.  Default value is
        ``True``.
 
-       See also :meth:`is_deletable()`.
-
     .. attribute:: form_fields
 
        List of columns for the model form.
@@ -242,9 +229,6 @@ class MasterView(View):
     deleting = False
     configuring = False
 
-    # default DB session
-    Session = Session
-
     ##############################
     # index methods
     ##############################
@@ -308,7 +292,7 @@ class MasterView(View):
 
         if form.validate():
             obj = self.create_save_form(form)
-            self.Session.flush()
+            Session.flush()
             return self.redirect(self.get_action_url('view', obj))
 
         context = {
@@ -365,6 +349,7 @@ class MasterView(View):
 
         context = {
             'instance': instance,
+            'instance_title': self.get_instance_title(instance),
             'form': form,
         }
         return self.render_to_response('view', context)
@@ -398,6 +383,7 @@ class MasterView(View):
         """
         self.editing = True
         instance = self.get_instance()
+        instance_title = self.get_instance_title(instance)
 
         form = self.make_model_form(instance,
                                     cancel_url_fallback=self.get_action_url('view', instance))
@@ -408,6 +394,7 @@ class MasterView(View):
 
         context = {
             'instance': instance,
+            'instance_title': instance_title,
             'form': form,
         }
         return self.render_to_response('edit', context)
@@ -460,9 +447,7 @@ class MasterView(View):
         """
         self.deleting = True
         instance = self.get_instance()
-
-        if not self.is_deletable(instance):
-            return self.redirect(self.get_action_url('view', instance))
+        instance_title = self.get_instance_title(instance)
 
         # nb. this form proper is not readonly..
         form = self.make_model_form(instance,
@@ -480,6 +465,7 @@ class MasterView(View):
 
         context = {
             'instance': instance,
+            'instance_title': instance_title,
             'form': form,
         }
         return self.render_to_response('delete', context)
@@ -514,7 +500,7 @@ class MasterView(View):
     # configure methods
     ##############################
 
-    def configure(self, session=None):
+    def configure(self):
         """
         View for configuring aspects of the app which are pertinent to
         this master view and/or model.
@@ -560,7 +546,7 @@ class MasterView(View):
 
             # maybe just remove settings
             if self.request.POST.get('remove_settings'):
-                self.configure_remove_settings(session=session)
+                self.configure_remove_settings()
                 self.request.session.flash(f"All settings for {config_title} have been removed.",
                                            'warning')
 
@@ -570,8 +556,8 @@ class MasterView(View):
             # gather/save settings
             data = get_form_data(self.request)
             settings = self.configure_gather_settings(data)
-            self.configure_remove_settings(session=session)
-            self.configure_save_settings(settings, session=session)
+            self.configure_remove_settings()
+            self.configure_save_settings(settings)
             self.request.session.flash("Settings have been saved.")
 
             # reload configure page
@@ -749,7 +735,6 @@ class MasterView(View):
     def configure_remove_settings(
             self,
             simple_settings=None,
-            session=None,
     ):
         """
         Remove all "known" settings from the DB; this is called by
@@ -777,11 +762,11 @@ class MasterView(View):
         if names:
             # nb. must avoid self.Session here in case that does not
             # point to our primary app DB
-            session = session or self.Session()
+            session = Session()
             for name in names:
                 self.app.delete_setting(session, name)
 
-    def configure_save_settings(self, settings, session=None):
+    def configure_save_settings(self, settings):
         """
         Save the given settings to the DB; this is called by
         :meth:`configure()`.
@@ -794,7 +779,7 @@ class MasterView(View):
         """
         # nb. must avoid self.Session here in case that does not point
         # to our primary app DB
-        session = session or self.Session()
+        session = Session()
         for setting in settings:
             self.app.save_setting(session, setting['name'], setting['value'],
                                   force_create=True)
@@ -803,43 +788,6 @@ class MasterView(View):
     # support methods
     ##############################
 
-    def has_perm(self, name):
-        """
-        Shortcut to check if current user has the given permission.
-
-        This will automatically add the :attr:`permission_prefix` to
-        ``name`` before passing it on to
-        :func:`~wuttaweb.subscribers.request.has_perm()`.
-
-        For instance within the
-        :class:`~wuttaweb.views.users.UserView` these give the same
-        result::
-
-           self.request.has_perm('users.edit')
-
-           self.has_perm('edit')
-
-        So this shortcut only applies to permissions defined for the
-        current master view.  The first example above must still be
-        used to check for "foreign" permissions (i.e. any needing a
-        different prefix).
-        """
-        permission_prefix = self.get_permission_prefix()
-        return self.request.has_perm(f'{permission_prefix}.{name}')
-
-    def has_any_perm(self, *names):
-        """
-        Shortcut to check if current user has any of the given
-        permissions.
-
-        This calls :meth:`has_perm()` until one returns ``True``.  If
-        none do, returns ``False``.
-        """
-        for name in names:
-            if self.has_perm(name):
-                return True
-        return False
-
     def render_to_response(self, template, context):
         """
         Locate and render an appropriate template, with the given
@@ -882,16 +830,6 @@ class MasterView(View):
         defaults.update(context)
         context = defaults
 
-        # add crud flags if we have an instance
-        if 'instance' in context:
-            instance = context['instance']
-            if 'instance_title' not in context:
-                context['instance_title'] = self.get_instance_title(instance)
-            if 'instance_editable' not in context:
-                context['instance_editable'] = self.is_editable(instance)
-            if 'instance_deletable' not in context:
-                context['instance_deletable'] = self.is_deletable(instance)
-
         # first try the template path most specific to this view
         template_prefix = self.get_template_prefix()
         mako_path = f'{template_prefix}/{template}.mako'
@@ -981,15 +919,15 @@ class MasterView(View):
 
             # TODO: should split this off into index_get_grid_actions() ?
 
-            if self.viewable and self.has_perm('view'):
+            if self.viewable:
                 actions.append(self.make_grid_action('view', icon='eye',
                                                      url=self.get_action_url_view))
 
-            if self.editable and self.has_perm('edit'):
+            if self.editable:
                 actions.append(self.make_grid_action('edit', icon='edit',
                                                      url=self.get_action_url_edit))
 
-            if self.deletable and self.has_perm('delete'):
+            if self.deletable:
                 actions.append(self.make_grid_action('delete', icon='trash',
                                                      url=self.get_action_url_delete,
                                                      link_class='has-text-danger'))
@@ -1039,7 +977,26 @@ class MasterView(View):
         """
         query = self.get_query(session=session)
         if query:
-            return query.all()
+            data = query.all()
+
+            # determine which columns are relevant for data set
+            if not columns:
+                columns = self.get_grid_columns()
+                if not columns:
+                    model_class = self.get_model_class()
+                    if model_class:
+                        columns = get_model_fields(self.config, model_class)
+                    if not columns:
+                        raise ValueError("cannot determine columns for the grid")
+            columns = set(columns)
+            columns.update(self.get_model_key())
+
+            # prune data fields for which no column is defined
+            for i, record in enumerate(data):
+                data[i]= dict([(key, record[key])
+                               for key in columns])
+
+            return data
 
         return []
 
@@ -1055,7 +1012,7 @@ class MasterView(View):
         model = self.app.model
         model_class = self.get_model_class()
         if model_class and issubclass(model_class, model.Base):
-            session = session or self.Session()
+            session = session or Session()
             return session.query(model_class)
 
     def configure_grid(self, grid):
@@ -1075,33 +1032,6 @@ class MasterView(View):
         for key in self.get_model_key():
             grid.set_link(key)
 
-    def grid_render_notes(self, record, key, value, maxlen=100):
-        """
-        Custom grid renderer callable for "notes" fields.
-
-        If the given text ``value`` is shorter than ``maxlen``
-        characters, it is returned as-is.
-
-        But if it is longer, then it is truncated and an ellispsis is
-        added.  The resulting ``<span>`` tag is also given a ``title``
-        attribute with the original (full) text, so that appears on
-        mouse hover.
-
-        To use this feature for your grid::
-
-           grid.set_renderer('my_notes_field', self.grid_render_notes)
-
-           # you can also override maxlen
-           grid.set_renderer('my_notes_field', self.grid_render_notes, maxlen=50)
-        """
-        if value is None:
-            return
-
-        if len(value) < maxlen:
-            return value
-
-        return HTML.tag('span', title=value, c=f"{value[:maxlen]}...")
-
     def get_instance(self, session=None):
         """
         This should return the "current" model instance based on the
@@ -1115,7 +1045,7 @@ class MasterView(View):
         """
         model_class = self.get_model_class()
         if model_class:
-            session = session or self.Session()
+            session = session or Session()
 
             def filtr(query, model_key):
                 key = self.request.matchdict[model_key]
@@ -1181,61 +1111,25 @@ class MasterView(View):
 
     def get_action_url_edit(self, obj, i):
         """
-        Returns the "edit" grid action URL for the given object, if
-        applicable.
+        Returns the "edit" grid action URL for the given object.
 
         Most typically this is like ``/widgets/XXX/edit`` where
         ``XXX`` represents the object's key/ID.
 
-        This first calls :meth:`is_editable()` and if that is false,
-        this method will return ``None``.
-
-        Calls :meth:`get_action_url()` to generate the true URL.
+        Calls :meth:`get_action_url()` under the hood.
         """
-        if self.is_editable(obj):
-            return self.get_action_url('edit', obj)
+        return self.get_action_url('edit', obj)
 
     def get_action_url_delete(self, obj, i):
         """
-        Returns the "delete" grid action URL for the given object, if
-        applicable.
+        Returns the "delete" grid action URL for the given object.
 
         Most typically this is like ``/widgets/XXX/delete`` where
         ``XXX`` represents the object's key/ID.
 
-        This first calls :meth:`is_deletable()` and if that is false,
-        this method will return ``None``.
-
-        Calls :meth:`get_action_url()` to generate the true URL.
+        Calls :meth:`get_action_url()` under the hood.
         """
-        if self.is_deletable(obj):
-            return self.get_action_url('delete', obj)
-
-    def is_editable(self, obj):
-        """
-        Returns a boolean indicating whether "edit" should be allowed
-        for the given model instance (and for current user).
-
-        By default this always return ``True``; subclass can override
-        if needed.
-
-        Note that the use of this method implies :attr:`editable` is
-        true, so the method does not need to check that flag.
-        """
-        return True
-
-    def is_deletable(self, obj):
-        """
-        Returns a boolean indicating whether "delete" should be
-        allowed for the given model instance (and for current user).
-
-        By default this always return ``True``; subclass can override
-        if needed.
-
-        Note that the use of this method implies :attr:`deletable` is
-        true, so the method does not need to check that flag.
-        """
-        return True
+        return self.get_action_url('delete', obj)
 
     def make_model_form(self, model_instance=None, **kwargs):
         """
@@ -1366,7 +1260,7 @@ class MasterView(View):
         if model_class and issubclass(model_class, model.Base):
 
             # add sqlalchemy model to session
-            session = session or self.Session()
+            session = session or Session()
             session.add(obj)
 
     ##############################
@@ -1520,29 +1414,6 @@ class MasterView(View):
         model_name = cls.get_model_name_normalized()
         return f'{model_name}s'
 
-    @classmethod
-    def get_permission_prefix(cls):
-        """
-        Returns the "permission prefix" for the master view.  This
-        prefix is used for all permissions defined by the view class.
-
-        For instance if permission prefix is ``'widgets'`` then a view
-        might have these permissions:
-
-        * ``'widgets.list'``
-        * ``'widgets.create'``
-        * ``'widgets.edit'``
-        * ``'widgets.delete'``
-
-        The default logic will call :meth:`get_route_prefix()` and use
-        that value as-is.  A subclass may override by assigning
-        :attr:`permission_prefix`.
-        """
-        if hasattr(cls, 'permission_prefix'):
-            return cls.permission_prefix
-
-        return cls.get_route_prefix()
-
     @classmethod
     def get_url_prefix(cls):
         """
@@ -1682,47 +1553,27 @@ class MasterView(View):
     @classmethod
     def _defaults(cls, config):
         route_prefix = cls.get_route_prefix()
-        permission_prefix = cls.get_permission_prefix()
         url_prefix = cls.get_url_prefix()
-        model_title = cls.get_model_title()
-        model_title_plural = cls.get_model_title_plural()
-
-        # permission group
-        config.add_wutta_permission_group(permission_prefix,
-                                          model_title_plural,
-                                          overwrite=False)
 
         # index
         if cls.listable:
             config.add_route(route_prefix, f'{url_prefix}/')
             config.add_view(cls, attr='index',
-                            route_name=route_prefix,
-                            permission=f'{permission_prefix}.list')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.list',
-                                        f"Browse / search {model_title_plural}")
+                            route_name=route_prefix)
 
         # create
         if cls.creatable:
             config.add_route(f'{route_prefix}.create',
                              f'{url_prefix}/new')
             config.add_view(cls, attr='create',
-                            route_name=f'{route_prefix}.create',
-                            permission=f'{permission_prefix}.create')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.create',
-                                        f"Create new {model_title}")
+                            route_name=f'{route_prefix}.create')
 
         # view
         if cls.viewable:
             instance_url_prefix = cls.get_instance_url_prefix()
             config.add_route(f'{route_prefix}.view', instance_url_prefix)
             config.add_view(cls, attr='view',
-                            route_name=f'{route_prefix}.view',
-                            permission=f'{permission_prefix}.view')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.view',
-                                        f"View {model_title}")
+                            route_name=f'{route_prefix}.view')
 
         # edit
         if cls.editable:
@@ -1730,11 +1581,7 @@ class MasterView(View):
             config.add_route(f'{route_prefix}.edit',
                              f'{instance_url_prefix}/edit')
             config.add_view(cls, attr='edit',
-                            route_name=f'{route_prefix}.edit',
-                            permission=f'{permission_prefix}.edit')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.edit',
-                                        f"Edit {model_title}")
+                            route_name=f'{route_prefix}.edit')
 
         # delete
         if cls.deletable:
@@ -1742,19 +1589,11 @@ class MasterView(View):
             config.add_route(f'{route_prefix}.delete',
                              f'{instance_url_prefix}/delete')
             config.add_view(cls, attr='delete',
-                            route_name=f'{route_prefix}.delete',
-                            permission=f'{permission_prefix}.delete')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.delete',
-                                        f"Delete {model_title}")
+                            route_name=f'{route_prefix}.delete')
 
         # configure
         if cls.configurable:
             config.add_route(f'{route_prefix}.configure',
                              f'{url_prefix}/configure')
             config.add_view(cls, attr='configure',
-                            route_name=f'{route_prefix}.configure',
-                            permission=f'{permission_prefix}.configure')
-            config.add_wutta_permission(permission_prefix,
-                                        f'{permission_prefix}.configure',
-                                        f"Configure {model_title_plural}")
+                            route_name=f'{route_prefix}.configure')
diff --git a/src/wuttaweb/views/people.py b/src/wuttaweb/views/people.py
index b840a25..cd56c83 100644
--- a/src/wuttaweb/views/people.py
+++ b/src/wuttaweb/views/people.py
@@ -32,8 +32,6 @@ class PersonView(MasterView):
     """
     Master view for people.
 
-    Default route prefix is ``people``.
-
     Notable URLs provided by this class:
 
     * ``/people/``
@@ -85,47 +83,6 @@ class PersonView(MasterView):
         if 'users' in f:
             f.fields.remove('users')
 
-    def view_profile(self, session=None):
-        """ """
-        instance = self.get_instance(session=session)
-        context = {
-            'instance': instance,
-        }
-        return self.render_to_response('view_profile', context)
-
-    def make_user(self):
-        """ """
-        self.request.session.flash("TODO: this feature is not yet supported", 'error')
-        return self.redirect(self.request.get_referrer())
-
-    @classmethod
-    def defaults(cls, config):
-        cls._defaults(config)
-        cls._people_defaults(config)
-
-    @classmethod
-    def _people_defaults(cls, config):
-        route_prefix = cls.get_route_prefix()
-        url_prefix = cls.get_url_prefix()
-        instance_url_prefix = cls.get_instance_url_prefix()
-        permission_prefix = cls.get_permission_prefix()
-
-        # view profile
-        config.add_route(f'{route_prefix}.view_profile',
-                         f'{instance_url_prefix}/profile',
-                         request_method='GET')
-        config.add_view(cls, attr='view_profile',
-                        route_name=f'{route_prefix}.view_profile',
-                        permission=f'{permission_prefix}.view_profile')
-
-        # make user for person
-        config.add_route(f'{route_prefix}.make_user',
-                         f'{url_prefix}/make-user',
-                         request_method='POST')
-        config.add_view(cls, attr='make_user',
-                        route_name=f'{route_prefix}.make_user',
-                        permission='users.create')
-
 
 def defaults(config, **kwargs):
     base = globals()
diff --git a/src/wuttaweb/views/roles.py b/src/wuttaweb/views/roles.py
index 3f2e350..51111e0 100644
--- a/src/wuttaweb/views/roles.py
+++ b/src/wuttaweb/views/roles.py
@@ -27,16 +27,12 @@ Views for roles
 from wuttjamaican.db.model import Role
 from wuttaweb.views import MasterView
 from wuttaweb.db import Session
-from wuttaweb.forms import widgets
-from wuttaweb.forms.schema import Permissions
 
 
 class RoleView(MasterView):
     """
     Master view for roles.
 
-    Default route prefix is ``roles``.
-
     Notable URLs provided by this class:
 
     * ``/roles/``
@@ -66,44 +62,9 @@ class RoleView(MasterView):
         # name
         g.set_link('name')
 
-        # notes
-        g.set_renderer('notes', self.grid_render_notes)
-
-    def is_editable(self, role):
-        """ """
-        session = self.app.get_session(role)
-        auth = self.app.get_auth_handler()
-
-        # only "root" can edit admin role
-        if role is auth.get_role_administrator(session):
-            return self.request.is_root
-
-        # other built-in roles require special perm
-        if role in (auth.get_role_authenticated(session),
-                    auth.get_role_anonymous(session)):
-            return self.has_perm('edit_builtin')
-
-        return True
-
-    def is_deletable(self, role):
-        """ """
-        session = self.app.get_session(role)
-        auth = self.app.get_auth_handler()
-
-        # prevent delete for built-in roles
-        if role is auth.get_role_authenticated(session):
-            return False
-        if role is auth.get_role_anonymous(session):
-            return False
-        if role is auth.get_role_administrator(session):
-            return False
-
-        return True
-
     def configure_form(self, f):
         """ """
         super().configure_form(f)
-        role = f.model_instance
 
         # never show these
         f.remove('permission_refs',
@@ -112,16 +73,6 @@ class RoleView(MasterView):
         # name
         f.set_validator('name', self.unique_name)
 
-        # notes
-        f.set_widget('notes', widgets.NotesWidget())
-
-        # permissions
-        f.append('permissions')
-        self.wutta_permissions = self.get_available_permissions()
-        f.set_node('permissions', Permissions(self.request, permissions=self.wutta_permissions))
-        if not self.creating:
-            f.set_default('permissions', list(role.permissions))
-
     def unique_name(self, node, value):
         """ """
         model = self.app.model
@@ -137,128 +88,6 @@ class RoleView(MasterView):
         if query.count():
             node.raise_invalid("Name must be unique")
 
-    def get_available_permissions(self):
-        """
-        Returns all "available" permissions.  This is used when
-        viewing or editing a role; the result is passed into the
-        :class:`~wuttaweb.forms.schema.Permissions` field schema.
-
-        The app itself must be made aware of each permission, in order
-        for them to found by this method.  This is done via
-        :func:`~wuttaweb.auth.add_permission_group()` and
-        :func:`~wuttaweb.auth.add_permission()`.
-
-        When in "view" (readonly) mode, this method will return the
-        full set of known permissions.
-
-        However in "edit" mode, it will prune the set to remove any
-        permissions which the current user does not also have.  The
-        idea here is to allow "many" users to manage roles, but ensure
-        they cannot "break out" of their own role by assigning extra
-        permissions to it.
-
-        The permissions returned will also be grouped, and each single
-        permission is also represented as a simple dict, e.g.::
-
-           {
-               'books': {
-                   'key': 'books',
-                   'label': "Books",
-                   'perms': {
-                       'books.list': {
-                           'key': 'books.list',
-                           'label': "Browse / search Books",
-                       },
-                       'books.view': {
-                           'key': 'books.view',
-                           'label': "View Book",
-                       },
-                   },
-               },
-               'widgets': {
-                   'key': 'widgets',
-                   'label': "Widgets",
-                   'perms': {
-                       'widgets.list': {
-                           'key': 'widgets.list',
-                           'label': "Browse / search Widgets",
-                       },
-                       'widgets.view': {
-                           'key': 'widgets.view',
-                           'label': "View Widget",
-                       },
-                   },
-               },
-           }
-        """
-
-        # get all known permissions from settings cache
-        permissions = self.request.registry.settings.get('wutta_permissions', {})
-
-        # when viewing, we allow all permissions to be exposed for all users
-        if self.viewing:
-            return permissions
-
-        # admin user gets to manage all permissions
-        if self.request.is_admin:
-            return permissions
-
-        # non-admin user can only see permissions they're granted
-        available = {}
-        for gkey, group in permissions.items():
-            for pkey, perm in group['perms'].items():
-                if self.request.has_perm(pkey):
-                    if gkey not in available:
-                        available[gkey] = {
-                            'key': gkey,
-                            'label': group['label'],
-                            'perms': {},
-                        }
-                    available[gkey]['perms'][pkey] = perm
-
-        return available
-
-    def objectify(self, form):
-        """ """
-        # normal logic first
-        role = super().objectify(form)
-
-        # update permissions for role
-        self.update_permissions(role, form)
-
-        return role
-
-    def update_permissions(self, role, form):
-        """ """
-        if 'permissions' not in form.validated:
-            return
-
-        auth = self.app.get_auth_handler()
-        available = self.wutta_permissions
-        permissions = form.validated['permissions']
-
-        for gkey, group in available.items():
-            for pkey, perm in group['perms'].items():
-                if pkey in permissions:
-                    auth.grant_permission(role, pkey)
-                else:
-                    auth.revoke_permission(role, pkey)
-
-    @classmethod
-    def defaults(cls, config):
-        cls._defaults(config)
-        cls._role_defaults(config)
-
-    @classmethod
-    def _role_defaults(cls, config):
-        permission_prefix = cls.get_permission_prefix()
-        model_title_plural = cls.get_model_title_plural()
-
-        # perm to edit built-in roles
-        config.add_wutta_permission(permission_prefix,
-                                    f'{permission_prefix}.edit_builtin',
-                                    f"Edit the Built-in {model_title_plural}")
-
 
 def defaults(config, **kwargs):
     base = globals()
diff --git a/src/wuttaweb/views/settings.py b/src/wuttaweb/views/settings.py
index 7fd027b..a85be38 100644
--- a/src/wuttaweb/views/settings.py
+++ b/src/wuttaweb/views/settings.py
@@ -35,8 +35,6 @@ class AppInfoView(MasterView):
     """
     Master view for the core app info, to show/edit config etc.
 
-    Default route prefix is ``appinfo``.
-
     Notable URLs provided by this class:
 
     * ``/appinfo/``
@@ -139,8 +137,6 @@ class SettingView(MasterView):
     """
     Master view for the "raw" settings table.
 
-    Default route prefix is ``settings``.
-
     Notable URLs provided by this class:
 
     * ``/settings/``
diff --git a/src/wuttaweb/views/users.py b/src/wuttaweb/views/users.py
index 4f4b6f0..124aa59 100644
--- a/src/wuttaweb/views/users.py
+++ b/src/wuttaweb/views/users.py
@@ -28,8 +28,7 @@ import colander
 
 from wuttjamaican.db.model import User
 from wuttaweb.views import MasterView
-from wuttaweb.forms import widgets
-from wuttaweb.forms.schema import PersonRef, RoleRefs
+from wuttaweb.forms.schema import PersonRef
 from wuttaweb.db import Session
 
 
@@ -37,8 +36,6 @@ class UserView(MasterView):
     """
     Master view for users.
 
-    Default route prefix is ``users``.
-
     Notable URLs provided by this class:
 
     * ``/users/``
@@ -80,10 +77,10 @@ class UserView(MasterView):
     def configure_form(self, f):
         """ """
         super().configure_form(f)
-        user = f.model_instance
 
         # never show these
         f.remove('person_uuid',
+                 'password',
                  'role_refs')
 
         # person
@@ -93,24 +90,6 @@ class UserView(MasterView):
         # username
         f.set_validator('username', self.unique_username)
 
-        # password
-        # nb. we must avoid 'password' as field name since
-        # ColanderAlchemy wants to handle the raw/hashed value
-        f.remove('password')
-        # nb. no need for password field if readonly
-        if self.creating or self.editing:
-            # nb. use 'set_password' as field name
-            f.append('set_password')
-            f.set_required('set_password', False)
-            f.set_widget('set_password', widgets.CheckedPasswordWidget())
-
-        # roles
-        f.append('roles')
-        f.set_node('roles', RoleRefs(self.request))
-
-        if not self.creating:
-            f.set_default('roles', [role.uuid for role in user.roles])
-
     def unique_username(self, node, value):
         """ """
         model = self.app.model
@@ -126,69 +105,6 @@ class UserView(MasterView):
         if query.count():
             node.raise_invalid("Username must be unique")
 
-    def objectify(self, form, session=None):
-        """ """
-        data = form.validated
-
-        # normal logic first
-        user = super().objectify(form)
-
-        # maybe set user password
-        if 'set_password' in form and data.get('set_password'):
-            auth = self.app.get_auth_handler()
-            auth.set_user_password(user, data['set_password'])
-
-        # update roles for user
-        # TODO
-        # if self.has_perm('edit_roles'):
-        self.update_roles(user, form, session=session)
-
-        return user
-
-    def update_roles(self, user, form, session=None):
-        """ """
-        # TODO
-        # if not self.has_perm('edit_roles'):
-        #     return
-        data = form.validated
-        if 'roles' not in data:
-            return
-
-        model = self.app.model
-        session = session or Session()
-        auth = self.app.get_auth_handler()
-
-        old_roles = set([role.uuid for role in user.roles])
-        new_roles = data['roles']
-
-        admin = auth.get_role_administrator(session)
-        ignored = {
-            auth.get_role_authenticated(session).uuid,
-            auth.get_role_anonymous(session).uuid,
-        }
-
-        # add any new roles for the user, taking care to avoid certain
-        # unwanted operations for built-in roles
-        for uuid in new_roles:
-            if uuid in ignored:
-                continue
-            if uuid in old_roles:
-                continue
-            if uuid == admin.uuid and not self.request.is_root:
-                continue
-            role = session.get(model.Role, uuid)
-            user.roles.append(role)
-
-        # remove any roles which were *not* specified, taking care to
-        # avoid certain unwanted operations for built-in roles
-        for uuid in old_roles:
-            if uuid in new_roles:
-                continue
-            if uuid == admin.uuid and not self.request.is_root:
-                continue
-            role = session.get(model.Role, uuid)
-            user.roles.remove(role)
-
 
 def defaults(config, **kwargs):
     base = globals()
diff --git a/tests/forms/test_base.py b/tests/forms/test_base.py
index 399ecaf..b3aade2 100644
--- a/tests/forms/test_base.py
+++ b/tests/forms/test_base.py
@@ -84,12 +84,6 @@ class TestForm(TestCase):
         form.set_fields(['baz'])
         self.assertEqual(form.fields, ['baz'])
 
-    def test_append(self):
-        form = self.make_form(fields=['one', 'two'])
-        self.assertEqual(form.fields, ['one', 'two'])
-        form.append('one', 'two', 'three')
-        self.assertEqual(form.fields, ['one', 'two', 'three'])
-
     def test_remove(self):
         form = self.make_form(fields=['one', 'two', 'three', 'four'])
         self.assertEqual(form.fields, ['one', 'two', 'three', 'four'])
@@ -163,14 +157,6 @@ class TestForm(TestCase):
         self.assertIs(form.validators['foo'], validate2)
         self.assertIs(schema['foo'].validator, validate2)
 
-    def test_set_default(self):
-        form = self.make_form(fields=['foo', 'bar'])
-        self.assertEqual(form.defaults, {})
-
-        # basic
-        form.set_default('foo', 42)
-        self.assertEqual(form.defaults['foo'], 42)
-
     def test_get_schema(self):
         model = self.app.model
         form = self.make_form()
@@ -218,18 +204,6 @@ class TestForm(TestCase):
         self.assertIn('name', schema)
         self.assertIn('value', schema)
 
-        # ColanderAlchemy schema still has *all* requested fields
-        form = self.make_form(model_instance=model.Setting(name='uhoh'),
-                              fields=['name', 'value', 'foo', 'bar'])
-        self.assertEqual(form.fields, ['name', 'value', 'foo', 'bar'])
-        self.assertIsNone(form.schema)
-        schema = form.get_schema()
-        self.assertEqual(len(schema.children), 4)
-        self.assertIn('name', schema)
-        self.assertIn('value', schema)
-        self.assertIn('foo', schema)
-        self.assertIn('bar', schema)
-
         # schema nodes are required by default
         form = self.make_form(fields=['foo', 'bar'])
         schema = form.get_schema()
@@ -259,12 +233,6 @@ class TestForm(TestCase):
         schema = form.get_schema()
         self.assertIs(schema.validator, validate)
 
-        # default value overrides are honored
-        form = self.make_form(model_class=model.Setting)
-        form.set_default('name', 'foo')
-        schema = form.get_schema()
-        self.assertEqual(schema['name'].default, 'foo')
-
     def test_get_deform(self):
         model = self.app.model
         schema = self.make_schema()
@@ -454,41 +422,6 @@ class TestForm(TestCase):
         # nb. no error message
         self.assertNotIn('message', html)
 
-    def test_get_vue_field_value(self):
-        schema = self.make_schema()
-        form = self.make_form(schema=schema)
-
-        # TODO: yikes what a hack (?)
-        dform = form.get_deform()
-        dform.set_appstruct({'foo': 'one', 'bar': 'two'})
-
-        # null for missing field
-        value = form.get_vue_field_value('doesnotexist')
-        self.assertIsNone(value)
-
-        # normal value is returned
-        value = form.get_vue_field_value('foo')
-        self.assertEqual(value, 'one')
-
-        # but not if we remove field from deform
-        # TODO: what is the use case here again?
-        dform.children.remove(dform['foo'])
-        value = form.get_vue_field_value('foo')
-        self.assertIsNone(value)
-
-    def test_get_vue_model_data(self):
-        schema = self.make_schema()
-        form = self.make_form(schema=schema)
-
-        # 2 fields by default (foo, bar)
-        data = form.get_vue_model_data()
-        self.assertEqual(len(data), 2)
-
-        # still just 2 fields even if we request more
-        form.set_fields(['foo', 'bar', 'baz'])
-        data = form.get_vue_model_data()
-        self.assertEqual(len(data), 2)
-
     def test_get_field_errors(self):
         schema = self.make_schema()
         form = self.make_form(schema=schema)
diff --git a/tests/forms/test_schema.py b/tests/forms/test_schema.py
index aef3432..3d2492b 100644
--- a/tests/forms/test_schema.py
+++ b/tests/forms/test_schema.py
@@ -197,58 +197,3 @@ class TestPersonRef(DataTestCase):
         sorted_query = typ.sort_query(query)
         self.assertIsInstance(sorted_query, orm.Query)
         self.assertIsNot(sorted_query, query)
-
-
-class TestRoleRefs(DataTestCase):
-
-    def setUp(self):
-        self.setup_db()
-        self.request = testing.DummyRequest(wutta_config=self.config)
-
-    def test_widget_maker(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        admin = auth.get_role_administrator(self.session)
-        authed = auth.get_role_authenticated(self.session)
-        anon = auth.get_role_anonymous(self.session)
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        self.session.commit()
-
-        # default values for widget includes all but: authed, anon
-        typ = mod.RoleRefs(self.request, session=self.session)
-        widget = typ.widget_maker()
-        self.assertEqual(len(widget.values), 2)
-        self.assertEqual(widget.values[0][1], "Administrator")
-        self.assertEqual(widget.values[1][1], "Blokes")
-
-
-class TestPermissions(DataTestCase):
-
-    def setUp(self):
-        self.setup_db()
-        self.request = testing.DummyRequest(wutta_config=self.config)
-
-    def test_widget_maker(self):
-
-        # no supported permissions
-        permissions = {}
-        typ = mod.Permissions(self.request, permissions)
-        widget = typ.widget_maker()
-        self.assertEqual(len(widget.values), 0)
-
-        # supported permissions are morphed to values
-        permissions = {
-            'widgets': {
-                'label': "Widgets",
-                'perms': {
-                    'widgets.polish': {
-                        'label': "Polish the widgets",
-                    },
-                },
-            },
-        }
-        typ = mod.Permissions(self.request, permissions)
-        widget = typ.widget_maker()
-        self.assertEqual(len(widget.values), 1)
-        self.assertEqual(widget.values[0], ('widgets.polish', "Polish the widgets"))
diff --git a/tests/forms/test_widgets.py b/tests/forms/test_widgets.py
index 7c55769..d131410 100644
--- a/tests/forms/test_widgets.py
+++ b/tests/forms/test_widgets.py
@@ -4,19 +4,12 @@ import colander
 import deform
 from pyramid import testing
 
-from wuttaweb.forms import widgets as mod
-from wuttaweb.forms.schema import PersonRef, RoleRefs, Permissions
+from wuttaweb.forms import widgets
+from wuttaweb.forms.schema import PersonRef
 from tests.util import WebTestCase
 
-
 class TestObjectRefWidget(WebTestCase):
 
-    def make_field(self, node, **kwargs):
-        # TODO: not sure why default renderer is in use even though
-        # pyramid_deform was included in setup?  but this works..
-        kwargs.setdefault('renderer', deform.Form.default_renderer)
-        return deform.Field(node, **kwargs)
-
     def test_serialize(self):
         model = self.app.model
         person = model.Person(full_name="Betty Boop")
@@ -25,91 +18,15 @@ class TestObjectRefWidget(WebTestCase):
 
         # standard (editable)
         node = colander.SchemaNode(PersonRef(self.request, session=self.session))
-        widget = mod.ObjectRefWidget(self.request)
-        field = self.make_field(node)
+        widget = widgets.ObjectRefWidget(self.request)
+        field = deform.Field(node)
         html = widget.serialize(field, person.uuid)
-        self.assertIn('<b-select ', html)
+        self.assertIn('<select ', html)
 
         # readonly
         node = colander.SchemaNode(PersonRef(self.request, session=self.session))
         node.model_instance = person
-        widget = mod.ObjectRefWidget(self.request)
-        field = self.make_field(node)
+        widget = widgets.ObjectRefWidget(self.request)
+        field = deform.Field(node)
         html = widget.serialize(field, person.uuid, readonly=True)
-        self.assertEqual(html.strip(), '<span>Betty Boop</span>')
-
-
-class TestRoleRefsWidget(WebTestCase):
-
-    def make_field(self, node, **kwargs):
-        # TODO: not sure why default renderer is in use even though
-        # pyramid_deform was included in setup?  but this works..
-        kwargs.setdefault('renderer', deform.Form.default_renderer)
-        return deform.Field(node, **kwargs)
-
-    def test_serialize(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        admin = auth.get_role_administrator(self.session)
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        self.session.commit()
-
-        # nb. we let the field construct the widget via our type
-        node = colander.SchemaNode(RoleRefs(self.request, session=self.session))
-        field = self.make_field(node)
-        widget = field.widget
-
-        # readonly values list includes admin
-        html = widget.serialize(field, {admin.uuid, blokes.uuid}, readonly=True)
-        self.assertIn(admin.name, html)
-        self.assertIn(blokes.name, html)
-
-        # editable values list *excludes* admin (by default)
-        html = widget.serialize(field, {admin.uuid, blokes.uuid})
-        self.assertNotIn(admin.uuid, html)
-        self.assertIn(blokes.uuid, html)
-
-        # but admin is included for root user
-        self.request.is_root = True
-        html = widget.serialize(field, {admin.uuid, blokes.uuid})
-        self.assertIn(admin.uuid, html)
-        self.assertIn(blokes.uuid, html)
-
-
-class TestPermissionsWidget(WebTestCase):
-
-    def make_field(self, node, **kwargs):
-        # TODO: not sure why default renderer is in use even though
-        # pyramid_deform was included in setup?  but this works..
-        kwargs.setdefault('renderer', deform.Form.default_renderer)
-        return deform.Field(node, **kwargs)
-
-    def test_serialize(self):
-        permissions = {
-            'widgets': {
-                'label': "Widgets",
-                'perms': {
-                    'widgets.polish': {
-                        'label': "Polish the widgets",
-                    },
-                },
-            },
-        }
-
-        # nb. we let the field construct the widget via our type
-        node = colander.SchemaNode(Permissions(self.request, permissions, session=self.session))
-        field = self.make_field(node)
-        widget = field.widget
-
-        # readonly output does *not* include the perm by default
-        html = widget.serialize(field, set(), readonly=True)
-        self.assertNotIn("Polish the widgets", html)
-
-        # readonly output includes the perm if set
-        html = widget.serialize(field, {'widgets.polish'}, readonly=True)
-        self.assertIn("Polish the widgets", html)
-
-        # editable output always includes the perm
-        html = widget.serialize(field, set())
-        self.assertIn("Polish the widgets", html)
+        self.assertEqual(html, '<span>Betty Boop</span>')
diff --git a/tests/grids/test_base.py b/tests/grids/test_base.py
index c3e8f7b..96bb8d3 100644
--- a/tests/grids/test_base.py
+++ b/tests/grids/test_base.py
@@ -69,37 +69,12 @@ class TestGrid(TestCase):
         self.assertEqual(grid.columns, ['name', 'value'])
         self.assertEqual(grid.get_columns(), ['name', 'value'])
 
-    def test_append(self):
-        grid = self.make_grid(columns=['one', 'two'])
-        self.assertEqual(grid.columns, ['one', 'two'])
-        grid.append('one', 'two', 'three')
-        self.assertEqual(grid.columns, ['one', 'two', 'three'])
-
     def test_remove(self):
         grid = self.make_grid(columns=['one', 'two', 'three', 'four'])
         self.assertEqual(grid.columns, ['one', 'two', 'three', 'four'])
         grid.remove('two', 'three')
         self.assertEqual(grid.columns, ['one', 'four'])
 
-    def test_set_renderer(self):
-        grid = self.make_grid(columns=['foo', 'bar'])
-        self.assertEqual(grid.renderers, {})
-
-        def render1(record, key, value):
-            pass
-
-        # basic
-        grid.set_renderer('foo', render1)
-        self.assertIs(grid.renderers['foo'], render1)
-
-        def render2(record, key, value, extra=None):
-            return extra
-
-        # can pass kwargs to get a partial
-        grid.set_renderer('foo', render2, extra=42)
-        self.assertIsNot(grid.renderers['foo'], render2)
-        self.assertEqual(grid.renderers['foo'](None, None, None), 42)
-
     def test_linked_columns(self):
         grid = self.make_grid(columns=['foo', 'bar'])
         self.assertEqual(grid.linked_columns, [])
@@ -168,11 +143,6 @@ class TestGrid(TestCase):
         self.assertIsNot(data, mydata)
         self.assertEqual(data, [{'foo': 'bar', '_action_url_view': '/blarg'}])
 
-        # also can override value rendering
-        grid.set_renderer('foo', lambda record, key, value: "blah blah")
-        data = grid.get_vue_data()
-        self.assertEqual(data, [{'foo': 'blah blah', '_action_url_view': '/blarg'}])
-
 
 class TestGridAction(TestCase):
 
@@ -190,10 +160,9 @@ class TestGridAction(TestCase):
         html = action.render_icon()
         self.assertIn('<i class="fas fa-blarg">', html)
 
-        # oruga has different output
+        # oruga not yet supported
         self.request.use_oruga = True
-        html = action.render_icon()
-        self.assertIn('<o-icon icon="blarg">', html)
+        self.assertRaises(NotImplementedError, action.render_icon)
 
     def test_render_label(self):
 
diff --git a/tests/test_auth.py b/tests/test_auth.py
index aa77280..5d6c406 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -7,7 +7,6 @@ from pyramid import testing
 
 from wuttjamaican.conf import WuttaConfig
 from wuttaweb import auth as mod
-from tests.util import WebTestCase
 
 
 class TestLoginUser(TestCase):
@@ -144,26 +143,3 @@ class TestWuttaSecurityPolicy(TestCase):
         self.assertFalse(self.policy.permits(self.request, None, 'some-root-perm'))
         self.request.is_root = True
         self.assertTrue(self.policy.permits(self.request, None, 'some-root-perm'))
-
-
-class TestAddPermissionGroup(WebTestCase):
-
-    def test_basic(self):
-        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
-        self.assertNotIn('widgets', permissions)
-        self.pyramid_config.add_wutta_permission_group('widgets')
-        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
-        self.assertIn('widgets', permissions)
-        self.assertEqual(permissions['widgets']['label'], "Widgets")
-
-
-class TestAddPermission(WebTestCase):
-
-    def test_basic(self):
-        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
-        self.assertNotIn('widgets', permissions)
-        self.pyramid_config.add_wutta_permission('widgets', 'widgets.polish')
-        permissions = self.pyramid_config.get_settings().get('wutta_permissions', {})
-        self.assertIn('widgets', permissions)
-        self.assertEqual(permissions['widgets']['label'], "Widgets")
-        self.assertIn('widgets.polish', permissions['widgets']['perms'])
diff --git a/tests/test_menus.py b/tests/test_menus.py
index c3244bc..27d45b9 100644
--- a/tests/test_menus.py
+++ b/tests/test_menus.py
@@ -3,15 +3,20 @@
 from unittest import TestCase
 from unittest.mock import patch, MagicMock
 
+from wuttjamaican.conf import WuttaConfig
+
+from pyramid import testing
+
 from wuttaweb import menus as mod
-from tests.util import WebTestCase
 
 
-class TestMenuHandler(WebTestCase):
+class TestMenuHandler(TestCase):
 
     def setUp(self):
-        self.setup_web()
+        self.config = WuttaConfig()
+        self.app = self.config.get_app()
         self.handler = mod.MenuHandler(self.config)
+        self.request = testing.DummyRequest()
 
     def test_make_admin_menu(self):
         menus = self.handler.make_admin_menu(self.request)
@@ -22,27 +27,7 @@ class TestMenuHandler(WebTestCase):
         self.assertIsInstance(menus, list)
 
     def test_is_allowed(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-
-        # user with perms
-        barney = model.User(username='barney')
-        self.session.add(barney)
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        barney.roles.append(blokes)
-        auth.grant_permission(blokes, 'appinfo.list')
-        self.request.user = barney
-
-        # perm not granted to user
-        item = {'perm': 'appinfo.configure'}
-        self.assertFalse(self.handler._is_allowed(self.request, item))
-
-        # perm *is* granted to user
-        item = {'perm': 'appinfo.list'}
-        self.assertTrue(self.handler._is_allowed(self.request, item))
-
-        # perm not required
+        # TODO: this should test auth/perm handling
         item = {}
         self.assertTrue(self.handler._is_allowed(self.request, item))
 
diff --git a/tests/test_subscribers.py b/tests/test_subscribers.py
index 09d7437..5fd4167 100644
--- a/tests/test_subscribers.py
+++ b/tests/test_subscribers.py
@@ -2,7 +2,7 @@
 
 import json
 from unittest import TestCase
-from unittest.mock import MagicMock, patch
+from unittest.mock import MagicMock
 
 from wuttjamaican.conf import WuttaConfig
 
@@ -210,137 +210,6 @@ class TestNewRequestSetUser(TestCase):
         self.assertTrue(self.request.is_admin)
         self.assertTrue(self.request.is_root)
 
-    def test_user_permissions(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        event = MagicMock(request=self.request)
-
-        # anonymous user
-        self.assertFalse(hasattr(self.request, 'user_permissions'))
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertEqual(self.request.user_permissions, set())
-
-        # reset
-        del self.request.user_permissions
-
-        # add user to role with perms
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        auth.grant_permission(blokes, 'appinfo.list')
-        self.user.roles.append(blokes)
-        self.session.commit()
-
-        # authenticated user, with perms
-        self.request.user = self.user
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertEqual(self.request.user_permissions, {'appinfo.list'})
-
-    def test_has_perm(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        event = MagicMock(request=self.request)
-
-        # anonymous user
-        self.assertFalse(hasattr(self.request, 'has_perm'))
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertFalse(self.request.has_perm('appinfo.list'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-
-        # add user to role with perms
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        auth.grant_permission(blokes, 'appinfo.list')
-        self.user.roles.append(blokes)
-        self.session.commit()
-
-        # authenticated user, with perms
-        self.request.user = self.user
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertTrue(self.request.has_perm('appinfo.list'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-
-        # drop user from role, no more perms
-        self.user.roles.remove(blokes)
-        self.session.commit()
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertFalse(self.request.has_perm('appinfo.list'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-        del self.request.is_admin
-        del self.request.is_root
-
-        # root user always has perms
-        admin = auth.get_role_administrator(self.session)
-        self.user.roles.append(admin)
-        self.session.commit()
-        self.request.session['is_root'] = True
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertTrue(self.request.has_perm('appinfo.list'))
-
-    def test_has_any_perm(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        event = MagicMock(request=self.request)
-
-        # anonymous user
-        self.assertFalse(hasattr(self.request, 'has_any_perm'))
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertFalse(self.request.has_any_perm('appinfo.list'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-
-        # add user to role with perms
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        auth.grant_permission(blokes, 'appinfo.list')
-        self.user.roles.append(blokes)
-        self.session.commit()
-
-        # authenticated user, with perms
-        self.request.user = self.user
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertTrue(self.request.has_any_perm('appinfo.list', 'appinfo.view'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-
-        # drop user from role, no more perms
-        self.user.roles.remove(blokes)
-        self.session.commit()
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertFalse(self.request.has_any_perm('appinfo.list'))
-
-        # reset
-        del self.request.user_permissions
-        del self.request.has_perm
-        del self.request.has_any_perm
-        del self.request.is_admin
-        del self.request.is_root
-
-        # root user always has perms
-        admin = auth.get_role_administrator(self.session)
-        self.user.roles.append(admin)
-        self.session.commit()
-        self.request.session['is_root'] = True
-        subscribers.new_request_set_user(event, db_session=self.session)
-        self.assertTrue(self.request.has_any_perm('appinfo.list'))
-
 
 class TestBeforeRender(TestCase):
 
diff --git a/tests/test_util.py b/tests/test_util.py
index f0f04af..6fd94b7 100644
--- a/tests/test_util.py
+++ b/tests/test_util.py
@@ -442,14 +442,6 @@ class TestGetModelFields(TestCase):
         self.config = WuttaConfig()
         self.app = self.config.get_app()
 
-    def test_empty_model_class(self):
-        fields = util.get_model_fields(self.config)
-        self.assertIsNone(fields)
-
-    def test_unknown_model_class(self):
-        fields = util.get_model_fields(self.config, TestCase)
-        self.assertIsNone(fields)
-
     def test_basic(self):
         model = self.app.model
         fields = util.get_model_fields(self.config, model.Setting)
diff --git a/tests/util.py b/tests/util.py
index ab31dd4..59bffab 100644
--- a/tests/util.py
+++ b/tests/util.py
@@ -46,23 +46,20 @@ class WebTestCase(DataTestCase):
 
     def setup_web(self):
         self.setup_db()
-        self.request = self.make_request()
+        self.request = testing.DummyRequest()
         self.pyramid_config = testing.setUp(request=self.request, settings={
             'wutta_config': self.config,
             'mako.directories': ['wuttaweb:templates'],
-            'pyramid_deform.template_search_path': 'wuttaweb:templates/deform',
+            # TODO: have not need this yet, but will?
+            # 'pyramid_deform.template_search_path': 'wuttaweb:templates/deform',
         })
 
         # init web
-        self.pyramid_config.include('pyramid_deform')
         self.pyramid_config.include('pyramid_mako')
-        self.pyramid_config.add_directive('add_wutta_permission_group',
-                                          'wuttaweb.auth.add_permission_group')
-        self.pyramid_config.add_directive('add_wutta_permission',
-                                          'wuttaweb.auth.add_permission')
+        self.pyramid_config.include('wuttaweb.static')
+        self.pyramid_config.include('wuttaweb.views.essential')
         self.pyramid_config.add_subscriber('wuttaweb.subscribers.before_render',
                                            'pyramid.events.BeforeRender')
-        self.pyramid_config.include('wuttaweb.static')
 
         # setup new request w/ anonymous user
         event = MagicMock(request=self.request)
@@ -78,9 +75,6 @@ class WebTestCase(DataTestCase):
         testing.tearDown()
         self.teardown_db()
 
-    def make_request(self):
-        return testing.DummyRequest()
-
 
 class NullMenuHandler(MenuHandler):
     """
diff --git a/tests/views/test___init__.py b/tests/views/test___init__.py
index 6da63f0..0132cff 100644
--- a/tests/views/test___init__.py
+++ b/tests/views/test___init__.py
@@ -1,10 +1,14 @@
 # -*- coding: utf-8; -*-
 
-from tests.util import WebTestCase
+from unittest import TestCase
+
+from pyramid import testing
 
 
-class TestIncludeMe(WebTestCase):
+class TestIncludeMe(TestCase):
 
     def test_basic(self):
-        # just ensure no error happens when included..
-        self.pyramid_config.include('wuttaweb.views')
+        with testing.testConfig() as pyramid_config:
+
+            # just ensure no error happens when included..
+            pyramid_config.include('wuttaweb.views')
diff --git a/tests/views/test_auth.py b/tests/views/test_auth.py
index 4fd5413..d10e759 100644
--- a/tests/views/test_auth.py
+++ b/tests/views/test_auth.py
@@ -1,88 +1,90 @@
 # -*- coding: utf-8; -*-
 
-from unittest.mock import MagicMock, patch
+from unittest import TestCase
+from unittest.mock import MagicMock
 
+from pyramid import testing
 from pyramid.httpexceptions import HTTPFound, HTTPForbidden
 
+from wuttjamaican.conf import WuttaConfig
 from wuttaweb.views import auth as mod
-from tests.util import WebTestCase
+from wuttaweb.auth import WuttaSecurityPolicy
+from wuttaweb.subscribers import new_request
 
 
-class TestAuthView(WebTestCase):
+class TestAuthView(TestCase):
 
     def setUp(self):
-        self.setup_web()
-        self.pyramid_config.include('wuttaweb.views.common')
+        self.config = WuttaConfig(defaults={
+            'wutta.db.default.url': 'sqlite://',
+        })
 
-    def make_view(self):
-        return mod.AuthView(self.request)
+        self.request = testing.DummyRequest(wutta_config=self.config, user=None)
+        self.pyramid_config = testing.setUp(request=self.request, settings={
+            'wutta_config': self.config,
+        })
 
-    def test_includeme(self):
-        self.pyramid_config.include('wuttaweb.views.auth')
-
-    def test_login(self):
-        model = self.app.model
+        self.app = self.config.get_app()
         auth = self.app.get_auth_handler()
-        view = self.make_view()
-
-        # until user exists, will redirect
-        self.assertEqual(self.session.query(model.User).count(), 0)
-        response = view.login(session=self.session)
-        self.assertEqual(response.status_code, 302)
-
-        # make a user
-        barney = model.User(username='barney')
-        auth.set_user_password(barney, 'testpass')
-        self.session.add(barney)
+        model = self.app.model
+        model.Base.metadata.create_all(bind=self.config.appdb_engine)
+        self.session = self.app.make_session()
+        self.user = model.User(username='barney')
+        self.session.add(self.user)
+        auth.set_user_password(self.user, 'testpass')
         self.session.commit()
 
-        # now since user exists, form will display
-        context = view.login(session=self.session)
+        self.pyramid_config.set_security_policy(WuttaSecurityPolicy(db_session=self.session))
+        self.pyramid_config.include('wuttaweb.views.auth')
+        self.pyramid_config.include('wuttaweb.views.common')
+
+    def tearDown(self):
+        testing.tearDown()
+
+    def test_login(self):
+        view = mod.AuthView(self.request)
+        context = view.login()
         self.assertIn('form', context)
 
         # redirect if user already logged in
-        with patch.object(self.request, 'user', new=barney):
-            view = self.make_view()
-            response = view.login(session=self.session)
-        self.assertEqual(response.status_code, 302)
+        self.request.user = self.user
+        view = mod.AuthView(self.request)
+        redirect = view.login(session=self.session)
+        self.assertIsInstance(redirect, HTTPFound)
 
         # login fails w/ wrong password
+        self.request.user = None
         self.request.method = 'POST'
         self.request.POST = {'username': 'barney', 'password': 'WRONG'}
-        view = self.make_view()
+        view = mod.AuthView(self.request)
         context = view.login(session=self.session)
         self.assertIn('form', context)
 
         # redirect if login succeeds
         self.request.method = 'POST'
         self.request.POST = {'username': 'barney', 'password': 'testpass'}
-        view = self.make_view()
-        response = view.login(session=self.session)
-        self.assertEqual(response.status_code, 302)
+        view = mod.AuthView(self.request)
+        redirect = view.login(session=self.session)
+        self.assertIsInstance(redirect, HTTPFound)
 
     def test_logout(self):
-        self.pyramid_config.add_route('login', '/login')
-        view = self.make_view()
+        view = mod.AuthView(self.request)
         self.request.session.delete = MagicMock()
-        response = view.logout()
+        redirect = view.logout()
         self.request.session.delete.assert_called_once_with()
-        self.assertEqual(response.status_code, 302)
+        self.assertIsInstance(redirect, HTTPFound)
 
     def test_change_password(self):
-        model = self.app.model
+        view = mod.AuthView(self.request)
         auth = self.app.get_auth_handler()
-        barney = model.User(username='barney')
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
 
         # unauthenticated user is redirected
         redirect = view.change_password()
         self.assertIsInstance(redirect, HTTPFound)
 
         # now "login" the user, and set initial password
-        self.request.user = barney
-        auth.set_user_password(barney, 'foo')
+        self.request.user = self.user
+        auth.set_user_password(self.user, 'foo')
         self.session.commit()
 
         # view should now return context w/ form
@@ -103,8 +105,9 @@ class TestAuthView(WebTestCase):
         redirect = view.change_password()
         self.assertIsInstance(redirect, HTTPFound)
         self.session.commit()
-        self.assertFalse(auth.check_user_password(barney, 'foo'))
-        self.assertTrue(auth.check_user_password(barney, 'bar'))
+        self.session.refresh(self.user)
+        self.assertFalse(auth.check_user_password(self.user, 'foo'))
+        self.assertTrue(auth.check_user_password(self.user, 'bar'))
 
         # at this point 'foo' is the password, now let's submit some
         # invalid forms and make sure we get back a context w/ form
@@ -144,6 +147,8 @@ class TestAuthView(WebTestCase):
         self.assertEqual(dform['new_password'].errormsg, "New password must be different from old password.")
 
     def test_become_root(self):
+        event = MagicMock(request=self.request)
+        new_request(event)      # add request.get_referrer()
         view = mod.AuthView(self.request)
 
         # GET not allowed
@@ -163,6 +168,8 @@ class TestAuthView(WebTestCase):
         self.assertTrue(self.request.session['is_root'])
 
     def test_stop_root(self):
+        event = MagicMock(request=self.request)
+        new_request(event)      # add request.get_referrer()
         view = mod.AuthView(self.request)
 
         # GET not allowed
diff --git a/tests/views/test_common.py b/tests/views/test_common.py
index be227e3..2b1607b 100644
--- a/tests/views/test_common.py
+++ b/tests/views/test_common.py
@@ -1,95 +1,27 @@
 # -*- coding: utf-8; -*-
 
-from wuttaweb.views import common as mod
-from tests.util import WebTestCase
+from unittest import TestCase
+
+from pyramid import testing
+
+from wuttjamaican.conf import WuttaConfig
+from wuttaweb.views import common
 
 
-class TestCommonView(WebTestCase):
+class TestCommonView(TestCase):
 
-    def make_view(self):
-        return mod.CommonView(self.request)
-
-    def test_includeme(self):
+    def setUp(self):
+        self.config = WuttaConfig()
+        self.app = self.config.get_app()
+        self.request = testing.DummyRequest()
+        self.request.wutta_config = self.config
+        self.pyramid_config = testing.setUp(request=self.request)
         self.pyramid_config.include('wuttaweb.views.common')
 
-    def test_forbidden_view(self):
-        view = self.make_view()
-        context = view.forbidden_view()
-        self.assertEqual(context['index_title'], self.app.get_title())
-
-    def test_notfound_view(self):
-        view = self.make_view()
-        context = view.notfound_view()
-        self.assertEqual(context['index_title'], self.app.get_title())
+    def tearDown(self):
+        testing.tearDown()
 
     def test_home(self):
-        self.pyramid_config.add_route('setup', '/setup')
-        model = self.app.model
-        view = self.make_view()
-
-        # if no users then home page will redirect
-        response = view.home(session=self.session)
-        self.assertEqual(response.status_code, 302)
-
-        # so add a user
-        user = model.User(username='foo')
-        self.session.add(user)
-        self.session.commit()
-
-        # now we see the home page
-        context = view.home(session=self.session)
+        view = common.CommonView(self.request)
+        context = view.home()
         self.assertEqual(context['index_title'], self.app.get_title())
-
-    def test_setup(self):
-        self.pyramid_config.add_route('home', '/')
-        self.pyramid_config.add_route('login', '/login')
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        view = self.make_view()
-
-        # at first, can see the setup page
-        self.assertEqual(self.session.query(model.User).count(), 0)
-        context = view.setup(session=self.session)
-        self.assertEqual(context['index_title'], self.app.get_title())
-
-        # so add a user
-        user = model.User(username='foo')
-        self.session.add(user)
-        self.session.commit()
-
-        # once user exists it will always redirect
-        response = view.setup(session=self.session)
-        self.assertEqual(response.status_code, 302)
-
-        # delete that user
-        self.session.delete(user)
-        self.session.commit()
-
-        # so we can see the setup page again
-        context = view.setup(session=self.session)
-        self.assertEqual(context['index_title'], self.app.get_title())
-
-        # and finally, post data to create admin user
-        self.request.method = 'POST'
-        self.request.POST = {
-            'username': 'barney',
-            '__start__': 'password:mapping',
-            'password': 'testpass',
-            'password-confirm': 'testpass',
-            '__end__': 'password:mapping',
-            'first_name': "Barney",
-            'last_name': "Rubble",
-        }
-        response = view.setup(session=self.session)
-        # nb. redirects on success
-        self.assertEqual(response.status_code, 302)
-        barney = self.session.query(model.User).one()
-        self.assertEqual(barney.username, 'barney')
-        self.assertTrue(auth.check_user_password(barney, 'testpass'))
-        admin = auth.get_role_administrator(self.session)
-        self.assertIn(admin, barney.roles)
-        self.assertIsNotNone(barney.person)
-        person = barney.person
-        self.assertEqual(person.first_name, "Barney")
-        self.assertEqual(person.last_name, "Rubble")
-        self.assertEqual(person.full_name, "Barney Rubble")
diff --git a/tests/views/test_master.py b/tests/views/test_master.py
index 1f00d28..ef338d9 100644
--- a/tests/views/test_master.py
+++ b/tests/views/test_master.py
@@ -6,7 +6,7 @@ from unittest.mock import MagicMock, patch
 
 from pyramid import testing
 from pyramid.response import Response
-from pyramid.httpexceptions import HTTPNotFound
+from pyramid.httpexceptions import HTTPFound, HTTPNotFound
 
 from wuttjamaican.conf import WuttaConfig
 from wuttaweb.views import master
@@ -16,14 +16,12 @@ from tests.util import WebTestCase
 
 class TestMasterView(WebTestCase):
 
-    def make_view(self):
-        return master.MasterView(self.request)
-
     def test_defaults(self):
         with patch.multiple(master.MasterView, create=True,
                             model_name='Widget',
-                            model_key='uuid',
-                            configurable=True):
+                            viewable=False,
+                            editable=False,
+                            deletable=False):
             master.MasterView.defaults(self.pyramid_config)
 
     ##############################
@@ -161,24 +159,6 @@ class TestMasterView(WebTestCase):
                             model_class=MyModel):
             self.assertEqual(master.MasterView.get_route_prefix(), 'trucks')
 
-    def test_get_permission_prefix(self):
-
-        # error by default (since no model class)
-        self.assertRaises(AttributeError, master.MasterView.get_permission_prefix)
-
-        # subclass may specify permission prefix
-        with patch.object(master.MasterView, 'permission_prefix', new='widgets', create=True):
-            self.assertEqual(master.MasterView.get_permission_prefix(), 'widgets')
-
-        # subclass may specify route prefix
-        with patch.object(master.MasterView, 'route_prefix', new='widgets', create=True):
-            self.assertEqual(master.MasterView.get_permission_prefix(), 'widgets')
-
-        # or it may specify model class
-        Truck = MagicMock(__name__='Truck')
-        with patch.object(master.MasterView, 'model_class', new=Truck, create=True):
-            self.assertEqual(master.MasterView.get_permission_prefix(), 'trucks')
-
     def test_get_url_prefix(self):
         
         # error by default (since no model class)
@@ -331,68 +311,7 @@ class TestMasterView(WebTestCase):
     # support methods
     ##############################
 
-    def test_has_perm(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-
-        with patch.multiple(master.MasterView, create=True,
-                            model_name='Setting'):
-            view = self.make_view()
-
-            # anonymous user
-            self.assertFalse(view.has_perm('list'))
-            self.assertFalse(self.request.has_perm('list'))
-
-            # reset
-            del self.request.user_permissions
-
-            # make user with perms
-            barney = model.User(username='barney')
-            self.session.add(barney)
-            blokes = model.Role(name="Blokes")
-            self.session.add(blokes)
-            barney.roles.append(blokes)
-            auth.grant_permission(blokes, 'settings.list')
-            self.session.commit()
-
-            # this user has perms
-            self.request.user = barney
-            self.assertTrue(view.has_perm('list'))
-            self.assertTrue(self.request.has_perm('settings.list'))
-
-    def test_has_any_perm(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-
-        with patch.multiple(master.MasterView, create=True,
-                            model_name='Setting'):
-            view = self.make_view()
-
-            # anonymous user
-            self.assertFalse(view.has_any_perm('list', 'view'))
-            self.assertFalse(self.request.has_any_perm('settings.list', 'settings.view'))
-
-            # reset
-            del self.request.user_permissions
-
-            # make user with perms
-            barney = model.User(username='barney')
-            self.session.add(barney)
-            blokes = model.Role(name="Blokes")
-            self.session.add(blokes)
-            barney.roles.append(blokes)
-            auth.grant_permission(blokes, 'settings.view')
-            self.session.commit()
-
-            # this user has perms
-            self.request.user = barney
-            self.assertTrue(view.has_any_perm('list', 'view'))
-            self.assertTrue(self.request.has_any_perm('settings.list', 'settings.view'))
-
     def test_render_to_response(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('appinfo', '/appinfo/')
 
         def widgets(request): return {}
         self.pyramid_config.add_route('widgets', '/widgets/')
@@ -445,39 +364,10 @@ class TestMasterView(WebTestCase):
             grid = view.make_model_grid(session=self.session)
             self.assertIs(grid.model_class, model.Setting)
 
-        # no actions by default
-        with patch.multiple(master.MasterView, create=True,
-                            model_class=model.Setting):
-            grid = view.make_model_grid(session=self.session)
-            self.assertEqual(grid.actions, [])
-
-        # now let's test some more actions logic
-        with patch.multiple(master.MasterView, create=True,
-                            model_class=model.Setting,
-                            viewable=True,
-                            editable=True,
-                            deletable=True):
-
-            # should have 3 actions now, but for lack of perms
-            grid = view.make_model_grid(session=self.session)
-            self.assertEqual(len(grid.actions), 0)
-
-            # but root user has perms, so gets 3 actions
-            with patch.object(self.request, 'is_root', new=True):
-                grid = view.make_model_grid(session=self.session)
-            self.assertEqual(len(grid.actions), 3)
-
     def test_get_grid_data(self):
         model = self.app.model
         self.app.save_setting(self.session, 'foo', 'bar')
         self.session.commit()
-        setting = self.session.query(model.Setting).one()
-        view = self.make_view()
-
-        # empty by default
-        self.assertFalse(hasattr(master.MasterView, 'model_class'))
-        data = view.get_grid_data(session=self.session)
-        self.assertEqual(data, [])
 
         # basic logic with Setting model
         with patch.multiple(master.MasterView, create=True,
@@ -485,7 +375,16 @@ class TestMasterView(WebTestCase):
             view = master.MasterView(self.request)
             data = view.get_grid_data(session=self.session)
             self.assertEqual(len(data), 1)
-            self.assertIs(data[0], setting)
+            self.assertEqual(data[0], {'name': 'foo', 'value': 'bar'})
+
+        # error if model not known
+        view = master.MasterView(self.request)
+        self.assertFalse(hasattr(master.MasterView, 'model_class'))
+        def get_query(session=None):
+            session = session or self.session
+            return session.query(model.Setting)
+        with patch.object(view, 'get_query', new=get_query):
+            self.assertRaises(ValueError, view.get_grid_data, session=self.session)
 
     def test_configure_grid(self):
         model = self.app.model
@@ -500,28 +399,6 @@ class TestMasterView(WebTestCase):
             view.configure_grid(grid)
             self.assertNotIn('uuid', grid.columns)
 
-    def test_grid_render_notes(self):
-        model = self.app.model
-        view = self.make_view()
-
-        # null
-        text = None
-        role = model.Role(name="Foo", notes=text)
-        value = view.grid_render_notes(role, 'notes', text)
-        self.assertIsNone(value)
-
-        # short string
-        text = "hello world"
-        role = model.Role(name="Foo", notes=text)
-        value = view.grid_render_notes(role, 'notes', text)
-        self.assertEqual(value, text)
-
-        # long string
-        text = "hello world " * 20
-        role = model.Role(name="Foo", notes=text)
-        value = view.grid_render_notes(role, 'notes', text)
-        self.assertIn('<span ', value)
-
     def test_get_instance(self):
         model = self.app.model
         self.app.save_setting(self.session, 'foo', 'bar')
@@ -548,57 +425,6 @@ class TestMasterView(WebTestCase):
             self.request.matchdict = {'name': 'blarg'}
             self.assertRaises(HTTPNotFound, view.get_instance, session=self.session)
 
-    def test_get_action_url_view(self):
-        model = self.app.model
-        setting = model.Setting(name='foo', value='bar')
-        self.session.add(setting)
-        self.session.commit()
-
-        with patch.multiple(master.MasterView, create=True,
-                            model_class=model.Setting):
-            master.MasterView.defaults(self.pyramid_config)
-            view = self.make_view()
-            url = view.get_action_url_view(setting, 0)
-            self.assertEqual(url, self.request.route_url('settings.view', name='foo'))
-
-    def test_get_action_url_edit(self):
-        model = self.app.model
-        setting = model.Setting(name='foo', value='bar')
-        self.session.add(setting)
-        self.session.commit()
-        with patch.multiple(master.MasterView, create=True,
-                            model_class=model.Setting):
-            master.MasterView.defaults(self.pyramid_config)
-            view = self.make_view()
-
-            # typical
-            url = view.get_action_url_edit(setting, 0)
-            self.assertEqual(url, self.request.route_url('settings.edit', name='foo'))
-
-            # but null if instance not editable
-            with patch.object(view, 'is_editable', return_value=False):
-                url = view.get_action_url_edit(setting, 0)
-                self.assertIsNone(url)
-
-    def test_get_action_url_delete(self):
-        model = self.app.model
-        setting = model.Setting(name='foo', value='bar')
-        self.session.add(setting)
-        self.session.commit()
-        with patch.multiple(master.MasterView, create=True,
-                            model_class=model.Setting):
-            master.MasterView.defaults(self.pyramid_config)
-            view = self.make_view()
-
-            # typical
-            url = view.get_action_url_delete(setting, 0)
-            self.assertEqual(url, self.request.route_url('settings.delete', name='foo'))
-
-            # but null if instance not deletable
-            with patch.object(view, 'is_deletable', return_value=False):
-                url = view.get_action_url_delete(setting, 0)
-                self.assertIsNone(url)
-
     def test_make_model_form(self):
         model = self.app.model
 
@@ -688,38 +514,28 @@ class TestMasterView(WebTestCase):
     ##############################
 
     def test_index(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('settings.create', '/settings/new')
-        self.pyramid_config.add_route('settings.view', '/settings/{name}')
-        self.pyramid_config.add_route('settings.edit', '/settings/{name}/edit')
-        self.pyramid_config.add_route('settings.delete', '/settings/{name}/delete')
         
         # sanity/coverage check using /settings/
-        with patch.multiple(master.MasterView, create=True,
-                            model_name='Setting',
-                            model_key='name',
-                            get_index_url=MagicMock(return_value='/settings/'),
-                            grid_columns=['name', 'value']):
-            view = master.MasterView(self.request)
+        master.MasterView.model_name = 'Setting'
+        master.MasterView.model_key = 'name'
+        master.MasterView.grid_columns = ['name', 'value']
+        view = master.MasterView(self.request)
+        response = view.index()
+        # then again with data, to include view action url
+        data = [{'name': 'foo', 'value': 'bar'}]
+        with patch.object(view, 'get_grid_data', return_value=data):
             response = view.index()
-
-            # then again with data, to include view action url
-            data = [{'name': 'foo', 'value': 'bar'}]
-            with patch.object(view, 'get_grid_data', return_value=data):
-                response = view.index()
+        del master.MasterView.model_name
+        del master.MasterView.model_key
+        del master.MasterView.grid_columns
 
     def test_create(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('settings.view', '/settings/{name}')
         model = self.app.model
 
         # sanity/coverage check using /settings/new
         with patch.multiple(master.MasterView, create=True,
                             model_name='Setting',
                             model_key='name',
-                            get_index_url=MagicMock(return_value='/settings/'),
                             form_fields=['name', 'value']):
             view = master.MasterView(self.request)
 
@@ -763,11 +579,6 @@ class TestMasterView(WebTestCase):
             self.assertEqual(self.app.get_setting(self.session, 'foo.bar'), 'fraggle')
 
     def test_view(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('settings.create', '/settings/new')
-        self.pyramid_config.add_route('settings.edit', '/settings/{name}/edit')
-        self.pyramid_config.add_route('settings.delete', '/settings/{name}/delete')
 
         # sanity/coverage check using /settings/XXX
         setting = {'name': 'foo.bar', 'value': 'baz'}
@@ -775,7 +586,6 @@ class TestMasterView(WebTestCase):
         with patch.multiple(master.MasterView, create=True,
                             model_name='Setting',
                             model_key='name',
-                            get_index_url=MagicMock(return_value='/settings/'),
                             grid_columns=['name', 'value'],
                             form_fields=['name', 'value']):
             view = master.MasterView(self.request)
@@ -783,11 +593,6 @@ class TestMasterView(WebTestCase):
                 response = view.view()
 
     def test_edit(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('settings.create', '/settings/new')
-        self.pyramid_config.add_route('settings.view', '/settings/{name}')
-        self.pyramid_config.add_route('settings.delete', '/settings/{name}/delete')
         model = self.app.model
         self.app.save_setting(self.session, 'foo.bar', 'frazzle')
         self.session.commit()
@@ -804,7 +609,6 @@ class TestMasterView(WebTestCase):
         with patch.multiple(master.MasterView, create=True,
                             model_name='Setting',
                             model_key='name',
-                            get_index_url=MagicMock(return_value='/settings/'),
                             form_fields=['name', 'value']):
             view = master.MasterView(self.request)
             with patch.object(view, 'get_instance', new=get_instance):
@@ -846,11 +650,6 @@ class TestMasterView(WebTestCase):
                 self.assertEqual(self.app.get_setting(self.session, 'foo.bar'), 'froogle')
 
     def test_delete(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('settings.create', '/settings/new')
-        self.pyramid_config.add_route('settings.view', '/settings/{name}')
-        self.pyramid_config.add_route('settings.edit', '/settings/{name}/edit')
         model = self.app.model
         self.app.save_setting(self.session, 'foo.bar', 'frazzle')
         self.session.commit()
@@ -868,7 +667,6 @@ class TestMasterView(WebTestCase):
         with patch.multiple(master.MasterView, create=True,
                             model_name='Setting',
                             model_key='name',
-                            get_index_url=MagicMock(return_value='/settings/'),
                             form_fields=['name', 'value']):
             view = master.MasterView(self.request)
             with patch.object(view, 'get_instance', new=get_instance):
@@ -882,24 +680,15 @@ class TestMasterView(WebTestCase):
                 def delete_instance(setting):
                     self.app.delete_setting(self.session, setting['name'])
 
+                # post request to save settings
                 self.request.method = 'POST'
                 self.request.POST = {}
                 with patch.object(view, 'delete_instance', new=delete_instance):
-
-                    # enforces "instance not deletable" rules
-                    with patch.object(view, 'is_deletable', return_value=False):
-                        response = view.delete()
-                    # nb. should get redirect back to view page
-                    self.assertEqual(response.status_code, 302)
-                    # setting remains in DB
-                    self.assertEqual(self.session.query(model.Setting).count(), 1)
-
-                    # post request to delete setting
                     response = view.delete()
-                    # nb. should get redirect back to view page
-                    self.assertEqual(response.status_code, 302)
-                    # setting should be gone from DB
-                    self.assertEqual(self.session.query(model.Setting).count(), 0)
+                # nb. should get redirect back to view page
+                self.assertEqual(response.status_code, 302)
+                # setting should be gone from DB
+                self.assertEqual(self.session.query(model.Setting).count(), 0)
 
     def test_delete_instance(self):
         model = self.app.model
@@ -916,8 +705,6 @@ class TestMasterView(WebTestCase):
             self.assertEqual(self.session.query(model.Setting).count(), 0)
 
     def test_configure(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
         model = self.app.model
 
         # mock settings
@@ -938,11 +725,10 @@ class TestMasterView(WebTestCase):
                                     route_prefix='appinfo',
                                     template_prefix='/appinfo',
                                     creatable=False,
-                                    get_index_url=MagicMock(return_value='/appinfo/'),
                                     configure_get_simple_settings=MagicMock(return_value=settings)):
 
                     # get the form page
-                    response = view.configure(session=self.session)
+                    response = view.configure()
                     self.assertIsInstance(response, Response)
 
                     # post request to save settings
@@ -952,9 +738,9 @@ class TestMasterView(WebTestCase):
                         'wutta.foo': 'bar',
                         'wutta.flag': 'true',
                     }
-                    response = view.configure(session=self.session)
+                    response = view.configure()
                     # nb. should get redirect back to configure page
-                    self.assertEqual(response.status_code, 302)
+                    self.assertIsInstance(response, HTTPFound)
 
                     # should now have 5 settings
                     count = self.session.query(model.Setting).count()
@@ -970,9 +756,9 @@ class TestMasterView(WebTestCase):
                     # post request to remove settings
                     self.request.method = 'POST'
                     self.request.POST = {'remove_settings': '1'}
-                    response = view.configure(session=self.session)
+                    response = view.configure()
                     # nb. should get redirect back to configure page
-                    self.assertEqual(response.status_code, 302)
+                    self.assertIsInstance(response, HTTPFound)
 
                     # should now have 0 settings
                     count = self.session.query(model.Setting).count()
diff --git a/tests/views/test_people.py b/tests/views/test_people.py
index d8bd715..4bd748d 100644
--- a/tests/views/test_people.py
+++ b/tests/views/test_people.py
@@ -15,9 +15,6 @@ class TestPersonView(WebTestCase):
     def make_view(self):
         return people.PersonView(self.request)
 
-    def test_includeme(self):
-        self.pyramid_config.include('wuttaweb.views.people')
-
     def test_get_query(self):
         view = self.make_view()
         query = view.get_query(session=self.session)
@@ -40,34 +37,3 @@ class TestPersonView(WebTestCase):
         view.configure_form(form)
         self.assertTrue(form.required_fields)
         self.assertFalse(form.required_fields['middle_name'])
-
-    def test_view_profile(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-        self.pyramid_config.include('wuttaweb.views.auth')
-        self.pyramid_config.add_route('people', '/people/')
-
-        model = self.app.model
-        person = model.Person(full_name="Barney Rubble")
-        self.session.add(person)
-        self.session.commit()
-
-        # sanity check
-        view = self.make_view()
-        self.request.matchdict = {'uuid': person.uuid}
-        response = view.view_profile(session=self.session)
-        self.assertEqual(response.status_code, 200)
-
-    def test_make_user(self):
-        self.pyramid_config.include('wuttaweb.views.common')
-
-        model = self.app.model
-        person = model.Person(full_name="Barney Rubble")
-        self.session.add(person)
-        self.session.commit()
-
-        # sanity check
-        view = self.make_view()
-        self.request.matchdict = {'uuid': person.uuid}
-        response = view.make_user()
-        # nb. this always redirects for now
-        self.assertEqual(response.status_code, 302)
diff --git a/tests/views/test_roles.py b/tests/views/test_roles.py
index 8641d6f..49c6197 100644
--- a/tests/views/test_roles.py
+++ b/tests/views/test_roles.py
@@ -15,9 +15,6 @@ class TestRoleView(WebTestCase):
     def make_view(self):
         return mod.RoleView(self.request)
 
-    def test_includeme(self):
-        self.pyramid_config.include('wuttaweb.views.roles')
-
     def test_get_query(self):
         view = self.make_view()
         query = view.get_query(session=self.session)
@@ -31,63 +28,10 @@ class TestRoleView(WebTestCase):
         view.configure_grid(grid)
         self.assertTrue(grid.is_linked('name'))
 
-    def test_is_editable(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        self.session.commit()
-        view = self.make_view()
-
-        admin = auth.get_role_administrator(self.session)
-        authed = auth.get_role_authenticated(self.session)
-        anon = auth.get_role_anonymous(self.session)
-
-        # editable by default
-        self.assertTrue(view.is_editable(blokes))
-
-        # built-in roles not editable by default
-        self.assertFalse(view.is_editable(admin))
-        self.assertFalse(view.is_editable(authed))
-        self.assertFalse(view.is_editable(anon))
-
-        # reset
-        del self.request.user_permissions
-
-        barney = model.User(username='barney')
-        self.session.add(barney)
-        barney.roles.append(blokes)
-        auth.grant_permission(blokes, 'roles.edit_builtin')
-        self.session.commit()
-
-        # user with perms can edit *some* built-in
-        self.request.user = barney
-        self.assertTrue(view.is_editable(authed))
-        self.assertTrue(view.is_editable(anon))
-        # nb. not this one yet
-        self.assertFalse(view.is_editable(admin))
-
-    def test_is_deletable(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        self.session.commit()
-        view = self.make_view()
-
-        # deletable by default
-        self.assertTrue(view.is_deletable(blokes))
-
-        # built-in roles not deletable
-        self.assertFalse(view.is_deletable(auth.get_role_administrator(self.session)))
-        self.assertFalse(view.is_deletable(auth.get_role_authenticated(self.session)))
-        self.assertFalse(view.is_deletable(auth.get_role_anonymous(self.session)))
-
     def test_configure_form(self):
         model = self.app.model
-        role = model.Role(name="Foo")
         view = self.make_view()
-        form = view.make_form(model_instance=role)
+        form = view.make_form(model_class=model.Person)
         self.assertNotIn('name', form.validators)
         view.configure_form(form)
         self.assertIsNotNone(form.validators['name'])
@@ -111,132 +55,3 @@ class TestRoleView(WebTestCase):
             self.request.matchdict = {'uuid': role.uuid}
             node = colander.SchemaNode(colander.String(), name='name')
             self.assertIsNone(view.unique_name(node, 'Foo'))
-
-    def get_permissions(self):
-        return {
-            'widgets': {
-                'label': "Widgets",
-                'perms': {
-                    'widgets.list': {
-                        'label': "List widgets",
-                    },
-                    'widgets.polish': {
-                        'label': "Polish the widgets",
-                    },
-                    'widgets.view': {
-                        'label': "View widget",
-                    },
-                },
-            },
-        }
-
-    def test_get_available_permissions(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        auth.grant_permission(blokes, 'widgets.list')
-        self.session.add(blokes)
-        barney = model.User(username='barney')
-        barney.roles.append(blokes)
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
-        all_perms = self.get_permissions()
-        self.request.registry.settings['wutta_permissions'] = all_perms
-
-        def has_perm(perm):
-            if perm == 'widgets.list':
-                return True
-            return False
-
-        with patch.object(self.request, 'has_perm', new=has_perm, create=True):
-
-            # sanity check; current request has 1 perm
-            self.assertTrue(self.request.has_perm('widgets.list'))
-            self.assertFalse(self.request.has_perm('widgets.polish'))
-            self.assertFalse(self.request.has_perm('widgets.view'))
-
-            # when editing, user sees only the 1 perm
-            with patch.object(view, 'editing', new=True):
-                perms = view.get_available_permissions()
-                self.assertEqual(list(perms), ['widgets'])
-                self.assertEqual(list(perms['widgets']['perms']), ['widgets.list'])
-
-            # but when viewing, same user sees all perms
-            with patch.object(view, 'viewing', new=True):
-                perms = view.get_available_permissions()
-                self.assertEqual(list(perms), ['widgets'])
-                self.assertEqual(list(perms['widgets']['perms']),
-                                 ['widgets.list', 'widgets.polish', 'widgets.view'])
-
-            # also, when admin user is editing, sees all perms
-            self.request.is_admin = True
-            with patch.object(view, 'editing', new=True):
-                perms = view.get_available_permissions()
-                self.assertEqual(list(perms), ['widgets'])
-                self.assertEqual(list(perms['widgets']['perms']),
-                                 ['widgets.list', 'widgets.polish', 'widgets.view'])
-
-    def test_objectify(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        barney = model.User(username='barney')
-        barney.roles.append(blokes)
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
-        permissions = self.get_permissions()
-
-        # sanity check, role has just 1 perm
-        auth.grant_permission(blokes, 'widgets.list')
-        self.session.commit()
-        self.assertEqual(blokes.permissions, ['widgets.list'])
-
-        # form can update role perms
-        view.editing = True
-        self.request.matchdict = {'uuid': blokes.uuid}
-        with patch.object(view, 'get_available_permissions', return_value=permissions):
-            form = view.make_model_form(model_instance=blokes)
-            form.validated = {'name': 'Blokes',
-                              'permissions': {'widgets.list', 'widgets.polish', 'widgets.view'}}
-            role = view.objectify(form)
-        self.session.commit()
-        self.assertIs(role, blokes)
-        self.assertEqual(blokes.permissions, ['widgets.list', 'widgets.polish', 'widgets.view'])
-
-    def test_update_permissions(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        auth.grant_permission(blokes, 'widgets.list')
-        self.session.add(blokes)
-        barney = model.User(username='barney')
-        barney.roles.append(blokes)
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
-        permissions = self.get_permissions()
-
-        with patch.object(view, 'get_available_permissions', return_value=permissions):
-
-            # no error if data is missing perms
-            form = view.make_model_form(model_instance=blokes)
-            form.validated = {'name': 'BloX'}
-            role = view.objectify(form)
-            self.session.commit()
-            self.assertIs(role, blokes)
-            self.assertEqual(blokes.name, 'BloX')
-
-            # sanity check, role has just 1 perm
-            self.assertEqual(blokes.permissions, ['widgets.list'])
-
-            # role perms are updated
-            form = view.make_model_form(model_instance=blokes)
-            form.validated = {'name': 'Blokes',
-                              'permissions': {'widgets.polish', 'widgets.view'}}
-            role = view.objectify(form)
-            self.session.commit()
-            self.assertIs(role, blokes)
-            self.assertEqual(blokes.permissions, ['widgets.polish', 'widgets.view'])
diff --git a/tests/views/test_settings.py b/tests/views/test_settings.py
index 9ede0be..d01857b 100644
--- a/tests/views/test_settings.py
+++ b/tests/views/test_settings.py
@@ -10,10 +10,6 @@ from tests.util import WebTestCase
 
 class TestAppInfoView(WebTestCase):
 
-    def setUp(self):
-        self.setup_web()
-        self.pyramid_config.include('wuttaweb.views.essential')
-
     def make_view(self):
         return settings.AppInfoView(self.request)
 
diff --git a/tests/views/test_users.py b/tests/views/test_users.py
index 54870ba..ea67544 100644
--- a/tests/views/test_users.py
+++ b/tests/views/test_users.py
@@ -15,9 +15,6 @@ class TestUserView(WebTestCase):
     def make_view(self):
         return mod.UserView(self.request)
 
-    def test_includeme(self):
-        self.pyramid_config.include('wuttaweb.views.users')
-
     def test_get_query(self):
         view = self.make_view()
         query = view.get_query(session=self.session)
@@ -33,29 +30,11 @@ class TestUserView(WebTestCase):
 
     def test_configure_form(self):
         model = self.app.model
-        barney = model.User(username='barney')
-        self.session.add(barney)
-        self.session.commit()
         view = self.make_view()
-
-        # person is *not* required
-        with patch.object(view, 'creating', new=True):
-            form = view.make_form(model_class=model.User)
-            self.assertIsNone(form.is_required('person'))
-            view.configure_form(form)
-            self.assertFalse(form.is_required('person'))
-
-        # password removed (always, for now)
-        with patch.object(view, 'viewing', new=True):
-            form = view.make_form(model_instance=barney)
-            self.assertIn('password', form)
-            view.configure_form(form)
-            self.assertNotIn('password', form)
-        with patch.object(view, 'editing', new=True):
-            form = view.make_form(model_instance=barney)
-            self.assertIn('password', form)
-            view.configure_form(form)
-            self.assertNotIn('password', form)
+        form = view.make_form(model_class=model.Person)
+        self.assertIsNone(form.is_required('person'))
+        view.configure_form(form)
+        self.assertFalse(form.is_required('person'))
 
     def test_unique_username(self):
         model = self.app.model
@@ -76,113 +55,3 @@ class TestUserView(WebTestCase):
             self.request.matchdict = {'uuid': user.uuid}
             node = colander.SchemaNode(colander.String(), name='username')
             self.assertIsNone(view.unique_username(node, 'foo'))
-
-    def test_objectify(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        others = model.Role(name="Others")
-        self.session.add(others)
-        barney = model.User(username='barney')
-        auth.set_user_password(barney, 'testpass')
-        barney.roles.append(blokes)
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
-        view.editing = True
-        self.request.matchdict = {'uuid': barney.uuid}
-
-        # sanity check, user is just in 'blokes' role
-        self.session.refresh(barney)
-        self.assertEqual(len(barney.roles), 1)
-        self.assertEqual(barney.roles[0].name, "Blokes")
-
-        # form can update user password
-        self.assertTrue(auth.check_user_password(barney, 'testpass'))
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney', 'set_password': 'testpass2'}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertTrue(auth.check_user_password(barney, 'testpass2'))
-
-        # form can update user roles
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney', 'roles': {others.uuid}}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(len(user.roles), 1)
-        self.assertEqual(user.roles[0].name, "Others")
-
-    def test_update_roles(self):
-        model = self.app.model
-        auth = self.app.get_auth_handler()
-        admin = auth.get_role_administrator(self.session)
-        authed = auth.get_role_authenticated(self.session)
-        anon = auth.get_role_anonymous(self.session)
-        blokes = model.Role(name="Blokes")
-        self.session.add(blokes)
-        others = model.Role(name="Others")
-        self.session.add(others)
-        barney = model.User(username='barney')
-        barney.roles.append(blokes)
-        self.session.add(barney)
-        self.session.commit()
-        view = self.make_view()
-        view.editing = True
-        self.request.matchdict = {'uuid': barney.uuid}
-
-        # no error if data is missing roles
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barneyx'}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(barney.username, 'barneyx')
-
-        # sanity check, user is just in 'blokes' role
-        self.session.refresh(barney)
-        self.assertEqual(len(barney.roles), 1)
-        self.assertEqual(barney.roles[0].name, "Blokes")
-
-        # let's test a bunch at once to ensure:
-        # - user roles are updated
-        # - authed / anon roles are not added
-        # - admin role not added if current user is not root
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney',
-                          'roles': {admin.uuid, authed.uuid, anon.uuid, others.uuid}}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(len(user.roles), 1)
-        self.assertEqual(user.roles[0].name, "Others")
-
-        # let's test a bunch at once to ensure:
-        # - user roles are updated
-        # - admin role is added if current user is root
-        self.request.is_root = True
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney',
-                          'roles': {admin.uuid, blokes.uuid, others.uuid}}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(len(user.roles), 3)
-        role_uuids = set([role.uuid for role in user.roles])
-        self.assertEqual(role_uuids, {admin.uuid, blokes.uuid, others.uuid})
-
-        # admin role not removed if current user is not root
-        self.request.is_root = False
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney',
-                          'roles': {blokes.uuid, others.uuid}}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(len(user.roles), 3)
-
-        # admin role is removed if current user is root
-        self.request.is_root = True
-        form = view.make_model_form(model_instance=barney)
-        form.validated = {'username': 'barney',
-                          'roles': {blokes.uuid, others.uuid}}
-        user = view.objectify(form, session=self.session)
-        self.assertIs(user, barney)
-        self.assertEqual(len(user.roles), 2)