diff --git a/apis_bibsonomy/api_views.py b/apis_bibsonomy/api_views.py
index 726fb80..4546e11 100644
--- a/apis_bibsonomy/api_views.py
+++ b/apis_bibsonomy/api_views.py
@@ -2,7 +2,7 @@
 
 from django.contrib.contenttypes.models import ContentType
 from rest_framework import status
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework import viewsets
@@ -130,3 +130,4 @@ def delete(self, request, format=None):
 class ReferenceViewSet(viewsets.ModelViewSet):
     queryset = Reference.objects.all()
     serializer_class = ReferenceSerializer
+    permission_classes = [IsAuthenticatedOrReadOnly]