diff --git a/csharp/App/Backend/Controllers/Controller.cs b/csharp/App/Backend/Controllers/Controller.cs index 46d6d67ad..10a569953 100644 --- a/csharp/App/Backend/Controllers/Controller.cs +++ b/csharp/App/Backend/Controllers/Controller.cs @@ -176,23 +176,6 @@ public class Controller : user.AccessibleFolders(); } - // [Returns] // assuming swagger knows about arrays but not lists (JSON) - // [Returns(Unauthorized)] - // [HttpGet($"{nameof(GetUsersOfFolder)}/")] - // public Object GetUsersOfFolder(Int64 folderId) - // { - // var caller = GetCaller(); - // if (caller == null) - // return new HttpResponseMessage(Unauthorized); - // - // var folder = Db.GetFolderById(folderId); - // - // if (folder is null || !caller.HasAccessTo(folder)) - // return new HttpResponseMessage(Unauthorized); - // - // return descendantUsers; - // } - [Returns] // assuming swagger knows about arrays but not lists (JSON) [Returns(Unauthorized)] [HttpGet($"{nameof(GetAllFoldersAndInstallations)}/")] @@ -281,7 +264,7 @@ public class Controller var user = id is not null ? Db.GetUserById(id) : session?.User; - return session.RevokeAccessTo(user, Db.GetInstallationById(installationId)) + return session.RevokeUserAccessTo(user, Db.GetInstallationById(installationId)) ? _Ok : _Unauthorized; } @@ -294,8 +277,7 @@ public class Controller var session = GetSession(); var user = id is not null ? Db.GetUserById(id) : session?.User; - - return session.RevokeAccessTo(user, Db.GetFolderById(folderId)) + return session.RevokeUserAccessTo(user, Db.GetFolderById(folderId)) ? _Ok : _Unauthorized; } diff --git a/csharp/App/Backend/DataTypes/Methods/Session.cs b/csharp/App/Backend/DataTypes/Methods/Session.cs index 7d76b1f0b..9bcdd2295 100644 --- a/csharp/App/Backend/DataTypes/Methods/Session.cs +++ b/csharp/App/Backend/DataTypes/Methods/Session.cs 
@@ -44,16 +44,16 @@ public static class SessionMethods public static Boolean Create(this Session? session, Installation? installation) { var user = session?.User; - - //Note: keep generation of access _after_ generation of object to prevent "zombie" access-rights. - + return user is not null && installation is not null && user.HasWriteAccess - && user.HasAccessTo(installation.Parent()) + && user.HasAccessTo(installation.Parent()) && Db.Create(installation) - && installation.CreateBucket().Result // TODO: await? - && Db.Create(new InstallationAccess { UserId = user.Id, InstallationId = installation.Id }); + && Db.Create(new InstallationAccess { UserId = user.Id, InstallationId = installation.Id }) + && installation.CreateBucket().Result // TODO: await? + && installation.RenewS3BucketUrl().Result; // generation of access _after_ generation of + // bucket to prevent "zombie" access-rights. } public static Boolean Update(this Session? session, Installation? installation) @@ -77,7 +77,7 @@ public static class SessionMethods && installation is not null && user.HasWriteAccess && user.HasAccessTo(installation) -// && installation.DeleteBucket().Result // TODO: await? + // && installation.DeleteBucket().Result // TODO: await? && Db.Delete(installation); } @@ -98,13 +98,11 @@ public static class SessionMethods var sessionUser = session?.User; if (editedUser == null || sessionUser == null) return false; - - //Password change is only allowed for oneself - if ( editedUser.Id != sessionUser.Id) editedUser.Password = sessionUser.Password; - else - { - editedUser.Password = sessionUser.SaltAndHashPassword(editedUser.Password); - } + // TODO: make specific method for changing user account settings like pwd + // Password change is only allowed for oneself + editedUser.Password = editedUser.Id != sessionUser.Id + ? sessionUser.Password + : sessionUser.SaltAndHashPassword(editedUser.Password); return sessionUser.HasWriteAccess && sessionUser.HasAccessTo(editedUser) 
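Review bot: The comment on the `RenewS3BucketUrl()` line says access is generated after the bucket to prevent "zombie" access-rights, but the new chain runs `Db.Create(new InstallationAccess { ... })` before `installation.CreateBucket().Result`. A failed bucket creation or URL renewal therefore makes `Create` return false while the installation row and the access grant stay in the database. If the comment states the intent, keep the grant as the last operand: `&& installation.CreateBucket().Result`, `&& installation.RenewS3BucketUrl().Result`, `&& Db.Create(new InstallationAccess { UserId = user.Id, InstallationId = installation.Id });`. If `RenewS3BucketUrl` needs the access row to exist (not visible here), the failure path should instead delete what was already created. The existing `// TODO: await?` applies to the new `.Result` call as well.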
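Review bot: When the caller edits another user, the ternary assigns `sessionUser.Password` (the caller's own stored hash) to `editedUser.Password`, and it does so before the `HasWriteAccess`/`HasAccessTo` check that follows. Assuming the object is persisted further down (the rest of `Update` is outside the hunk), the edited account would end up with the caller's password hash instead of keeping its own, which contradicts the comment "Password change is only allowed for oneself". Preserving the stored value looks like the intent: `var stored = Db.GetUserById(editedUser.Id); if (stored is null) return false;` and then `? stored.Password` in the first branch. Moving the assignment below the access check would also avoid mutating the input on an unauthorized request.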
@@ -150,7 +148,7 @@ public static class SessionMethods && Db.Create(new FolderAccess { UserId = user.Id, FolderId = folder.Id }); } - public static Boolean RevokeAccessTo(this Session? session, User? user, Installation? installation) + public static Boolean RevokeUserAccessTo(this Session? session, User? user, Installation? installation) { var sessionUser = session?.User; @@ -163,7 +161,7 @@ public static class SessionMethods && Db.InstallationAccess.Delete(a => a.UserId == user.Id && a.InstallationId == installation.Id) > 0; } - public static Boolean RevokeAccessTo(this Session? session, User? user, Folder? folder) + public static Boolean RevokeUserAccessTo(this Session? session, User? user, Folder? folder) { var sessionUser = session?.User; diff --git a/csharp/App/Backend/DataTypes/Methods/User.cs b/csharp/App/Backend/DataTypes/Methods/User.cs index f0d2c347f..410b4680b 100644 --- a/csharp/App/Backend/DataTypes/Methods/User.cs +++ b/csharp/App/Backend/DataTypes/Methods/User.cs @@ -32,7 +32,9 @@ public static class UserMethods // Distinct because the user might have direct access // to a child folder of a folder he has already access to - // ---TODO shouldn't we prevent doubling permissions? -K" + // TODO shouldn't we prevent doubling permissions? -K" + // TODO yes we should -ig (still TODO) + // however we should leave the distinct, defensive programming... } public static IEnumerable AccessibleFoldersAndInstallations(this User user) @@ -81,7 +83,6 @@ public static class UserMethods public static Boolean IsDescendantOf(this User user, User ancestor) { - // if (user.Id == ancestor.Id) return true; return user .Ancestors() .Any(u => u.Id == ancestor.Id); diff --git a/csharp/App/Backend/S3/S3Access.cs b/csharp/App/Backend/S3/S3Access.cs index 7ef89ca8f..0fe957ad5 100644 --- a/csharp/App/Backend/S3/S3Access.cs +++ b/csharp/App/Backend/S3/S3Access.cs 
@@ -2,6 +2,11 @@ namespace InnovEnergy.App.Backend.S3; public static class S3Access { + // TODO: put these into Json files in /Resources and read them from + // there so they can be changed without recompiling + // they should be read from disk on each use, + // so the backend does not need to be restarted on change + public static S3Cmd ReadOnly { get; } = new S3Cmd ( key : "EXO44d2979c8e570eae81ead564", diff --git a/csharp/App/Backend/S3/S3Cmd.cs b/csharp/App/Backend/S3/S3Cmd.cs index fd1442f74..b8bd8f890 100644 --- a/csharp/App/Backend/S3/S3Cmd.cs +++ b/csharp/App/Backend/S3/S3Cmd.cs @@ -9,7 +9,7 @@ public class S3Cmd private static readonly Command Python = Cli.Wrap("python3"); private const String S3CmdPath = "Resources/s3cmd.py"; - private const String BucketPrefix = "s3://"; + private const String S3Prefix = "s3://"; private String[] DefaultArgs { get; } @@ -52,7 +52,7 @@ public class S3Cmd { var args = DefaultArgs .Append(operation) - .Append(bucketName.EnsureStartsWith(BucketPrefix)) + .Append(bucketName.EnsureStartsWith(S3Prefix)) .Concat(optionalArgs); return Python
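Review bot: The context line under the new TODO shows an S3 access key written as a string literal in `S3Access.ReadOnly`, and the TODO only plans to move such values into JSON files under /Resources, which would presumably still ship with the repository and the build output. I would reword the comment to name the actual goal, e.g. `// TODO: load S3 keys/secrets from the environment or a secret store at use time; never commit them`. The key already in version history should be treated as exposed and rotated. The initializer continues outside the hunk, so whether a secret is hard-coded next to the key cannot be confirmed from here.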