diff --git a/symposion/boxes/views.py b/symposion/boxes/views.py
new file mode 100644
index 0000000000000000000000000000000000000000..b314b07e9f40a6c0cac83ef4c467e5647d553045
--- /dev/null
+++ b/symposion/boxes/views.py
@@ -0,0 +1,45 @@
+from django.http import HttpResponseForbidden
+from django.shortcuts import redirect
+from django.views.decorators.http import require_POST
+
+from symposion.boxes.authorization import load_can_edit
+from symposion.boxes.forms import BoxForm
+from symposion.boxes.models import Box
+
+
+# @@@ problem with this is that the box_edit.html and box_create.html won't have domain objects in context
+def get_auth_vars(request):
+    auth_vars = {}
+    if request.method == "POST":
+        keys = [k for k in request.POST.keys() if k.startswith("boxes_auth_")]
+        for key in keys:
+            auth_vars[key.replace("boxes_auth_", "")] = request.POST.get(key)
+        auth_vars["user"] = request.user
+    return auth_vars
+
+
+@require_POST
+def box_edit(request, label):
+    
+    if not load_can_edit()(request, **get_auth_vars(request)):
+        return HttpResponseForbidden()
+    
+    next = request.GET.get("next")
+    
+    try:
+        box = Box.objects.get(label=label)
+    except Box.DoesNotExist:
+        box = None
+    
+    form = BoxForm(request.POST, instance=box, prefix=label)
+
+    if form.is_valid():
+        if box is None:
+            box = form.save(commit=False)
+            box.label = label
+            box.created_by = request.user
+            box.last_updated_by = request.user
+            box.save()
+        else:
+            form.save()
+        return redirect(next)