diff --git a/src/pretix/api/auth/permission.py b/src/pretix/api/auth/permission.py
index b7a4d651eb..05db800c86 100644
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -89,10 +89,38 @@ class EventCRUDPermission(EventPermission):
 class ProfilePermission(BasePermission):
     def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
             return False
+        if request.user.is_authenticated:
+            try:
+                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+                assert_session_valid(request)
+            except SessionInvalid:
+                return False
+            except SessionReauthRequired:
+                return False
+
         if isinstance(request.auth, OAuthAccessToken):
             if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
                 return False
+
+        return True
+
+
+class AnyAuthenticatedClientPermission(BasePermission):
+
+    def has_permission(self, request, view):
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
+            return False
+
+        if request.user.is_authenticated:
+            try:
+                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+                assert_session_valid(request)
+            except SessionInvalid:
+                return False
+            except SessionReauthRequired:
+                return False
+
         return True
diff --git a/src/pretix/api/views/upload.py b/src/pretix/api/views/upload.py
index 35fe855f77..0913ee3944 100644
--- a/src/pretix/api/views/upload.py
+++ b/src/pretix/api/views/upload.py
@@ -9,6 +9,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication
 from pretix.base.models import CachedFile
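Review bot: The session-validation block in the new AnyAuthenticatedClientPermission.has_permission is a verbatim copy of the one added to ProfilePermission a few lines above, including the comment asking maintainers to keep it in sync with pretix/control/middleware.py, so after this commit three copies of that logic have to move together. A smaller surface is to define AnyAuthenticatedClientPermission first and make ProfilePermission subclass it, keeping only the OAuth scope check in the override, as sketched below. Separately, the block runs whenever request.user.is_authenticated, so if OAuth2Authentication populates request.user for bearer-token requests (the views in this diff list it next to SessionAuthentication), assert_session_valid is also applied to requests that carry no session; confirm it tolerates that, or gate the block with `if request.user.is_authenticated and not isinstance(request.auth, OAuthAccessToken):`. Whatever follows the final `return True` in permission.py is outside the hunk.
```python
class ProfilePermission(AnyAuthenticatedClientPermission):
    def has_permission(self, request, view):
        # Client-type and session checks are shared with every other authenticated endpoint.
        if not super().has_permission(request, view):
            return False

        # … unchanged: OAuth scope check …
        return True
```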
@@ -25,6 +26,7 @@ class UploadView(APIView):
         SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
     )
     parser_classes = [FileUploadParser]
+    permission_classes = [AnyAuthenticatedClientPermission]
 
     def post(self, request):
         if 'file' not in request.data:
diff --git a/src/pretix/api/views/version.py b/src/pretix/api/views/version.py
index 4ec275397d..4a74518523 100644
--- a/src/pretix/api/views/version.py
+++ b/src/pretix/api/views/version.py
@@ -6,6 +6,7 @@ from rest_framework.views import APIView
 from pretix import __version__
 from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication
@@ -48,6 +49,7 @@ class VersionView(APIView):
     authentication_classes = (
         SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
     )
+    permission_classes = [AnyAuthenticatedClientPermission]
 
     def get(self, request, format=None):
         return Response({
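Review bot: With permission_classes now set on UploadView (and on VersionView in the last hunk), a caller with no credentials or an invalid session is refused by AnyAuthenticatedClientPermission, but because SessionAuthentication is listed first in authentication_classes DRF reports that refusal as a 403 without a WWW-Authenticate header instead of a 401, so device, team-token and OAuth clients get no authentication challenge; unless the previous default permission classes already behaved this way, decide whether the authenticator order should change or record the choice in a comment. Neither hunk says why these two views need a permission class that differs from the project default; a line such as `# Reachable by every authenticated client type (session, OAuth, device, team token), nothing else` above each permission_classes assignment would save the next reader a trip to permission.py. Minor style point: permission_classes is a list while authentication_classes on the same views is a tuple. post() and get() continue beyond their hunks.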