couple problems with that. one: we've learned from the upload script that you can't use the $ENV{REFERRER}. Not only that, but even if I were to use a form, it could easily be bypassed by anyone who viewed this topic.
I could do a password, but I don't wanna have to set up a cookie system.
So I'm back with checking permissions the normal way.