diff --git a/api/f.go b/api/f.go
index 987053e332353712e7eec3007f35927b2963a0f3..3745dc57a9ab97c490dc3b3056aebfee539c5deb 100644
--- a/api/f.go
+++ b/api/f.go
@@ -43,7 +43,7 @@ func (s *Server) getUser(context *gin.Context) (*store.User, error) {
 }
 
 func (s *Server) mustGetUser(context *gin.Context) *store.User {
-	if user, err := s.getUser(context); err == store.ErrNoEntry {
+	if user, err := s.getUser(context); err == store.ErrNoEntry || err == store.ErrInvalidInput {
 		context.JSON(http.StatusUnauthorized, ErrUnauthorized)
 		return nil
 	} else if doError(context, err) {
diff --git a/backend/filesystem/image.go b/backend/filesystem/image.go
index 3f2b2e4230e64e34df65881d9f50a01ebeba391f..f1aa541c2cd6b54bdf2a5363003fe762de25c17e 100644
--- a/backend/filesystem/image.go
+++ b/backend/filesystem/image.go
@@ -267,10 +267,10 @@ func (s *Store) ImageAdd(data []byte, flake string) (*store.Image, error) {
 		return nil, err
 	}
 
-	if err := s.link("../images/"+s.ImageHashSplit(info.Hash), s.ImageSnowflakePath(info.Snowflake)); err != nil {
+	if err := s.link("../hashes/"+s.ImageHashSplit(info.Hash), s.ImageSnowflakePath(info.Snowflake)); err != nil {
 		return nil, err
 	}
-	if err := s.link("../../../images/"+s.ImageHashSplit(info.Hash), s.UserImagesPath(flake)+"/"+info.Snowflake); err != nil {
+	if err := s.link("../../../images/hashes/"+s.ImageHashSplit(info.Hash), s.UserImagesPath(flake)+"/"+info.Snowflake); err != nil {
 		return nil, err
 	}
 
@@ -504,7 +504,7 @@ func (s *Store) ImageTagAdd(flake, tag string) error {
 	s.getLock(flake).Lock()
 	defer s.getLock(flake).Unlock()
 
-	if err := s.link("../../snowflakes/"+flake, s.TagPath(tag)+"/"+flake); err != nil {
+	if err := s.link("../../images/snowflakes/"+flake, s.TagPath(tag)+"/"+flake); err != nil {
 		return err
 	}
 	if err := s.link("../../../../tags/"+tag, s.ImageSnowflakePath(flake)+"/tags/"+tag); err != nil {
diff --git a/backend/filesystem/secret.go b/backend/filesystem/secret.go
index 1fc36008ce66e07a4a6f7a0c42d6157f82ff59ea..a98c5ebfc9ae601673d4f8fa6cf18c85bd9223c9 100644
--- a/backend/filesystem/secret.go
+++ b/backend/filesystem/secret.go
@@ -35,7 +35,7 @@ func (s *Store) secretAssociate(secret, flake string) error {
 	if s.file(s.SecretPath(secret)) {
 		return store.ErrAlreadyExists
 	}
-	return s.link("../users/"+flake, s.SecretPath(secret))
+	return s.link("../snowflakes/"+flake, s.SecretPath(secret))
 }
 
 // secretDisassociate disassociates a secret.
diff --git a/backend/filesystem/user.go b/backend/filesystem/user.go
index 5d3958cbd79ccbd2033dbccb1bf4cb375c4bdbb6..9d21c6a0bbd0f95381a642d2e9363ce0efc9aee6 100644
--- a/backend/filesystem/user.go
+++ b/backend/filesystem/user.go
@@ -228,7 +228,7 @@ func (s *Store) UserUsername(username string) (*store.User, error) {
 
 // userUsernameAssociate associates user snowflake with specific username.
 func (s *Store) userUsernameAssociate(flake, username string) error {
-	return s.link("../users/"+flake, s.UsernamePath(username))
+	return s.link("../snowflakes/"+flake, s.UsernamePath(username))
 }
 
 // userUsernameDisassociate disassociates specific username.