diff --git a/core/lib/permissions.py b/core/lib/permissions.py
index 662cbbbf632cf76d03d8670cbbec11fae6260171..7dbf52059aaca04c6b1ab912845eb9601c91b274 100644
--- a/core/lib/permissions.py
+++ b/core/lib/permissions.py
@@ -45,8 +45,8 @@ class IsAdminOrStudent(permissions.BasePermission):
 student = obj.student
 else:
 raise APIException(
- "Checking student permission on object {} not associated with carrier"
- .format(type(obj.__name__))
+ "Checking student permission on object {} not associated with Student"
+ .format(type(obj.__name__))
 )
 return hasattr(user, "student") and user.student == student
@@ -67,7 +67,7 @@ class IsAdminOrSupervisor(permissions.BasePermission):
 supervisor = obj.supervisor
 else:
 raise APIException(
- "Checking supervisor permission on object {} not associated with carrier"
+ "Checking supervisor permission on object {} not associated with Supervisor"
 .format(type(obj.__name__))
 )
@@ -89,9 +89,8 @@ class IsAdminOrCompany(permissions.BasePermission):
 company = obj.company
 else:
 raise APIException(
- "Checking company permission on object {} not associated with carrier"
+ "Checking company permission on object {} not associated with Company"
 .format(type(obj.__name__))
 )
 return hasattr(user, "company") and user.company == company
-
diff --git a/core/views/accounts.py b/core/views/accounts.py
index de96c6dcd0f05e6d9e64501eea15293077f9f144..a77ad83b7a30cbc5e6e730c1e5e5567ce83496a6 100644
--- a/core/views/accounts.py
+++ b/core/views/accounts.py
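Review bot: The `.format(type(obj.__name__))` line that the IsAdminOrStudent hunk re-adds evaluates `obj.__name__` on the object being checked, and instances normally have no `__name__`, so the fallback branch would raise AttributeError before the APIException with the reworded message is ever built. The request still fails, so the check fails closed, but the diagnostic this commit is correcting never reaches the caller or the logs. The intended expression is presumably `.format(type(obj).__name__)`. The same line is unchanged context in the IsAdminOrSupervisor and IsAdminOrCompany hunks and needs the same fix; the enclosing methods start outside all three hunks.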
@@ -1,19 +1,17 @@
 from django.contrib.auth.models import User
-from django.shortcuts import get_object_or_404
-from rest_framework import status
 from rest_framework import viewsets
-from rest_framework.decorators import list_route, detail_route
-from rest_framework.exceptions import ValidationError
+from rest_framework.decorators import list_route
 from rest_framework.response import Response
-from core.models import Vacancy
-from core.models.accounts import Student, Company, Supervisor, get_display_name
+from core.lib.permissions import IsAdminOrStudent, IsAdminOrSelfOrReadOnly, IsAdminOrCompany, IsAdminOrSupervisor
+from core.models.accounts import Student, Company, Supervisor
 from core.serializers.accounts import UserSerializer, StudentSerializer, CompanySerializer, SupervisorSerializer
 class UserViewSet(viewsets.ModelViewSet):
 queryset = User.objects.all()
 serializer_class = UserSerializer
+ permission_classes = [IsAdminOrSelfOrReadOnly]
 @list_route(methods=['get'])
 def me(self, request):
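Review bot: `permission_classes = [IsAdminOrSelfOrReadOnly]` on UserViewSet leaves reads of `User.objects.all()` open to whoever that class treats as read-only, and its definition is not part of this diff. If it admits safe methods without requiring authentication, the list and detail endpoints return every account that UserSerializer renders. I would confirm that anonymous requests are rejected, or make it explicit with `permission_classes = [IsAuthenticated, IsAdminOrSelfOrReadOnly]` (importing `IsAuthenticated` from `rest_framework.permissions`), and check that UserSerializer leaves out fields such as the password hash. The body of `me` continues outside the hunk.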
@@ -25,34 +23,19 @@ class UserViewSet(viewsets.ModelViewSet):
 class StudentViewSet(viewsets.ModelViewSet):
 queryset = Student.objects.all()
 serializer_class = StudentSerializer
-
- @detail_route(methods=['post'], url_path='bookmarked-vacancies')
- def bookmark_vacancies(self, request, pk):
- user = self.request.user
- vacancy = get_object_or_404(Vacancy.objects.all(), pk=request.data['vacancy_id'])
- student = get_object_or_404(Student.objects.all(), pk=pk)
- if student != user.student and not user.is_staff:
- raise ValidationError('You must be a student'
- )
- student.bookmarked_vacancies.add(vacancy)
- return Response(vacancy, status=status.HTTP_200_OK)
-
- @detail_route(methods=['delete'], url_path='bookmarked-vacancies')
- def unbookmark_vacancies(self, request, pk):
- vacancy = get_object_or_404(Vacancy.objects.all(), pk=request.data['vacancy_id'])
- student = self.request.user.student
- student.bookmarked_vacancies.remove(vacancy)
- return Response(vacancy, status=status.HTTP_200_OK)
+ permission_classes = [IsAdminOrStudent]
 class CompanyViewSet(viewsets.ModelViewSet):
 queryset = Company.objects.all()
 serializer_class = CompanySerializer
+ permission_classes = [IsAdminOrCompany]
 class SupervisorViewSet(viewsets.ModelViewSet):
 queryset = Supervisor.objects.all()
 serializer_class = SupervisorSerializer
+ permission_classes = [IsAdminOrSupervisor]
diff --git a/core/views/vacancies.py b/core/views/vacancies.py
index 6b6ba7e99d3d79c15caaca0281bef9961c414d93..7ca742e9abde05c669c0741941a174e131686414 100644
--- a/core/views/vacancies.py
+++ b/core/views/vacancies.py
@@ -1,5 +1,9 @@
 from rest_framework import viewsets
+from rest_framework.generics import get_object_or_404
+from rest_framework.response import Response
+from core.lib.permissions import IsAdminOrStudent
+from core.models import Student
 from core.models.vacancies import Vacancy, Application
 from core.serializers.vacancies import VacancySerializer, ApplicationSerializer
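Review bot: The `permission_classes` added to StudentViewSet, CompanyViewSet and SupervisorViewSet only constrain the actions that reach `get_object()`; on a ModelViewSet, `list` and `create` are decided by `has_permission` alone. The parts of IsAdminOrStudent, IsAdminOrSupervisor and IsAdminOrCompany visible in core/lib/permissions.py are object-level comparisons, so if those classes do not also override `has_permission`, any caller accepted by the project's default permissions can still list every record or create a new one. That is worth confirming against the full permissions module; if it holds, add a `has_permission` check to the classes or narrow each view with `get_queryset()`.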
@@ -14,7 +18,24 @@ class ApplicationViewSet(viewsets.ModelViewSet):
 serializer_class = ApplicationSerializer
-
-
-
-
+class BookmarkedVacancyByStudentViewSet(viewsets.GenericViewSet):
+ serializer_class = VacancySerializer
+ permission_classes = [IsAdminOrStudent]
+
+ def list(self, request, student_id):
+ student = get_object_or_404(Student.objects.all(), pk=student_id)
+ vacancies = self.serializer_class(student.bookmarked_vacancies, many=True, context={'request': request})
+ return Response(vacancies.data)
+
+ def create(self, request, student_id):
+ print request.data
+ vacancy = get_object_or_404(Vacancy.objects.all(), pk=request.data['vacancy_id'])
+ student = get_object_or_404(Student.objects.all(), pk=student_id)
+ student.bookmarked_vacancies.add(vacancy)
+ return Response(self.serializer_class(student.bookmarked_vacancies, many=True, context={'request': request}).data)
+
+ def destroy(self, request, student_id, pk):
+ vacancy = get_object_or_404(Vacancy.objects.all(), pk=pk)
+ student = get_object_or_404(Student.objects.all(), pk=student_id)
+ student.bookmarked_vacancies.remove(vacancy)
+ return Response(self.serializer_class(student.bookmarked_vacancies, many=True, context={'request': request}).data)
diff --git a/kape/urls.py b/kape/urls.py
index 58a416e791554266a2307eab83ad5fcdabee60ff..133d43c22a18a1b4d86a8a2a185c5c3e6a3e4b79 100755
--- a/kape/urls.py
+++ b/kape/urls.py
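Review bot: `list`, `create` and `destroy` in BookmarkedVacancyByStudentViewSet load the student with `get_object_or_404(Student.objects.all(), pk=student_id)` and never call `self.check_object_permissions(request, student)`, so the object-level comparison in IsAdminOrStudent does not run for them. DRF only invokes `has_object_permission` from `get_object()` or an explicit call, so unless `has_permission` (not shown in this diff) already ties `student_id` to the requester, one student's bookmarks can be read or changed by another. The removed `bookmark_vacancies` carried an explicit `student != user.student and not user.is_staff` check that this version drops. Add `self.check_object_permissions(request, student)` right after the student lookup in all three methods. Separately, `print request.data` in `create` is a leftover debug statement that writes request bodies to stdout, and `request.data['vacancy_id']` raises KeyError, surfacing as a 500, when the field is missing.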
@@ -23,12 +23,14 @@ from rest_framework_swagger.views import get_swagger_view
 from core import apps
 from core.views.accounts import StudentViewSet, CompanyViewSet, SupervisorViewSet, UserViewSet
-from core.views.vacancies import VacancyViewSet, ApplicationViewSet
+from core.views.vacancies import VacancyViewSet, ApplicationViewSet, BookmarkedVacancyByStudentViewSet
 schema_view = get_swagger_view()
 router = routers.DefaultRouter()
 router.register(r'users', UserViewSet)
 router.register(r'students', StudentViewSet)
+router.register(r'students/(?P<student_id>\d+)/bookmarked-vacancies', BookmarkedVacancyByStudentViewSet,
+ base_name='bookmarked-vacancy-list')
 router.register(r'companies', CompanyViewSet)
 router.register(r'supervisors', SupervisorViewSet)
 router.register(r'vacancies', VacancyViewSet)
@@ -43,5 +45,3 @@ urlpatterns += [
 url(r'^admin/', admin.site.urls),
 url(r'', apps.index, name="index"),
 ]
-
-