diff --git a/cookbook/helper/permission_helper.py b/cookbook/helper/permission_helper.py index 1972fac96..4840205ce 100644 --- a/cookbook/helper/permission_helper.py +++ b/cookbook/helper/permission_helper.py @@ -93,6 +93,8 @@ class DRFOwnerPermissions(permissions.BasePermission): def has_object_permission(self, request, view, obj): if not request.user.is_authenticated: return False + #if request.user.is_superuser: + # return True if owner := getattr(obj, 'created_by', None): return owner == request.user if owner := getattr(obj, 'user', None): diff --git a/cookbook/urls.py b/cookbook/urls.py index d7f109398..330c12af1 100644 --- a/cookbook/urls.py +++ b/cookbook/urls.py @@ -9,7 +9,7 @@ from cookbook.views import api, import_export from cookbook.helper import dal router = routers.DefaultRouter() -#router.register(r'user-preference', api.UserPreferenceViewSet) +router.register(r'user-preference', api.UserPreferenceViewSet) router.register(r'recipe', api.RecipeViewSet) router.register(r'meal-plan', api.MealPlanViewSet) router.register(r'meal-type', api.MealTypeViewSet) diff --git a/cookbook/views/api.py b/cookbook/views/api.py index a0a568e50..d6ebd9605 100644 --- a/cookbook/views/api.py +++ b/cookbook/views/api.py @@ -13,7 +13,7 @@ from django.utils.translation import gettext as _ from icalendar import Calendar, Event from rest_framework import viewsets, permissions from rest_framework.exceptions import APIException -from rest_framework.mixins import RetrieveModelMixin, UpdateModelMixin +from rest_framework.mixins import RetrieveModelMixin, UpdateModelMixin, ListModelMixin from cookbook.helper.permission_helper import group_required, DRFOwnerPermissions from cookbook.models import Recipe, Sync, Storage, CookLog, MealPlan, MealType, ViewLog, UserPreference 
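Review bot: In cookbook/helper/permission_helper.py the superuser bypass added to `has_object_permission` is committed as commented-out code, so the authorization rule it hints at is neither enforced nor clearly rejected. It also disagrees with the `get_queryset` change in cookbook/views/api.py, which returns every user's preferences to a superuser. A superuser can therefore list all rows, while the owner comparison visible here (`return owner == request.user`) would presumably still deny retrieve or update on another user's row. Either delete the two lines, or enable them under a comment such as `# Superusers may act on any object; keep in sync with UserPreferenceViewSet.get_queryset`. The method body continues past the end of this hunk, so its fallback when neither attribute exists is not visible.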
@@ -24,7 +24,7 @@ from cookbook.serializer import MealPlanSerializer, MealTypeSerializer, RecipeSe class UserNameViewSet(viewsets.ModelViewSet): """ - list: + list: optional parameters - **filter_list**: array of user id's to get names for @@ -46,15 +46,17 @@ class UserNameViewSet(viewsets.ModelViewSet): return queryset -class UserPreferenceViewSet(RetrieveModelMixin, UpdateModelMixin, viewsets.GenericViewSet): +class UserPreferenceViewSet(RetrieveModelMixin, UpdateModelMixin, ListModelMixin, viewsets.GenericViewSet): """ Update user preference settings """ queryset = UserPreference.objects.all() serializer_class = UserPreferenceSerializer permission_classes = [DRFOwnerPermissions, ] - # TODO disable create view + def get_queryset(self): + if self.request.user.is_superuser: + return UserPreference.objects.all() return UserPreference.objects.filter(user=self.request.user).all() diff --git a/recipes/settings.py b/recipes/settings.py index 5e8c3da9b..646f9a5e2 100644 --- a/recipes/settings.py +++ b/recipes/settings.py @@ -94,7 +94,10 @@ REST_FRAMEWORK = { 'rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.BasicAuthentication', - ) + ), + 'DEFAULT_PERMISSION_CLASSES': [ + 'rest_framework.permissions.IsAuthenticated', + ] } ROOT_URLCONF = 'recipes.urls'
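Review bot: In the `UserPreferenceViewSet` hunk of cookbook/views/api.py, the new list action is guarded only by `permission_classes = [DRFOwnerPermissions, ]`, and DRF does not call `has_object_permission` for list requests. Unless `DRFOwnerPermissions` also defines `has_permission` (not visible in this diff), an unauthenticated request reaches `get_queryset`, where `filter(user=self.request.user)` runs with an anonymous user and is likely to raise instead of returning a clean 401/403. The `DEFAULT_PERMISSION_CLASSES` entry added in recipes/settings.py does not cover this view, because a per-view `permission_classes` replaces the default rather than extending it. I would change the line to `permission_classes = [permissions.IsAuthenticated, DRFOwnerPermissions]`; `permissions` is already imported from `rest_framework` in this file.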