diff --git a/src/endpoints/default.py b/src/endpoints/default.py
index 1b8dc61..6a70a0d 100644
--- a/src/endpoints/default.py
+++ b/src/endpoints/default.py
@@ -33,14 +33,14 @@ async def health():
 
 
 @default_router.get("/user/active", summary="Check if the user is active and can use the tool.")
-# TODO: reorder db dependencies to after auth
 async def active(
     user: UserState = Depends(get_user_state),
 ) -> schemas.ActiveUser:
     return {"active": user.active}
 
 
-@default_router.get("/permissions")
+# TODO: test
+@default_router.get("/user/permissions", summary="Get the user's global 'all' permissions and the permissions for each group they belong to.")
 def get_user_permissions(
     user: UserState = Depends(get_user_state),
 ) -> Dict[str, GroupPermissions]:
diff --git a/src/web/main.py b/src/web/main.py
index 37f6839..f2020f0 100644
--- a/src/web/main.py
+++ b/src/web/main.py
@@ -53,6 +53,7 @@ def app_factory(settings = get_settings()):
     # prometheus exposed in /metrics with authentication
     Instrumentator(should_group_status_codes=False, excluded_handlers=["/metrics", "/health", "/openapi.json", "/favicon.ico"]).instrument(app).expose(app, dependencies=[Depends(token_api_key_auth)])
 
+    # TODO: recheck this for security, currently only needed for when local_storage is used
     local_dir = settings.SERVE_LOCAL_ARCHIVE
     if not os.path.isdir(local_dir) and os.path.isdir(local_dir.replace("/app", ".")):
         local_dir = local_dir.replace("/app", ".")