diff --git a/esap/accounts/api/serializers.py b/esap/accounts/api/serializers.py
index 61995e373634d8ad6e36160544febf0b4ff5757d..0338d0dce5a1af62a7730027a52525829f0f99d6 100644
--- a/esap/accounts/api/serializers.py
+++ b/esap/accounts/api/serializers.py
@@ -36,6 +36,51 @@ class EsapShoppingItemSerializer(serializers.HyperlinkedModelSerializer):
 
 
 class EsapUserProfileSerializer(serializers.HyperlinkedModelSerializer):
+    shopping_cart = EsapShoppingItemSerializer(
+        many=True,
+        # view_name="shopping-items",
+        read_only=False,
+        # queryset=EsapShoppingItem.objects.all(),
+    )
+
+    def update(self, instance, validated_data):
+        # Do not allow the user name to be updated - it is the primary key
+        _ = validated_data.pop("user_name", None)
+
+        for m2m_field in [
+            "software_repositories",
+            "compute_resources",
+            "shopping_cart",
+        ]:
+            field_data = validated_data.pop(m2m_field, None)
+            if field_data is not None:
+                if len(field_data[0]) == 0:
+                    raise RuntimeError(f"WTF! {validated_data}")
+                field_instances = [
+                    getattr(instance, m2m_field).model.objects.create(
+                        item_data=str(dict(field_datum))
+                    )
+                    for field_datum in field_data
+                ]
+                getattr(instance, m2m_field).add(*field_instances)
+
+        for key, value in validated_data.items():
+            setattr(instance, key, value)
+        instance.save()
+        return instance
+
+    def to_internal_value(self, data):
+        internal_value = super().to_internal_value(data)
+        for m2m_field in [
+            "software_repositories",
+            "compute_resources",
+            "shopping_cart",
+        ]:
+            field_data = data.get(m2m_field, None)
+            if field_data is not None:
+                internal_value.update({m2m_field: field_data})
+        return internal_value
+
     class Meta:
         model = EsapUserProfile
         fields = [
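Review bot: The `to_internal_value` override writes the raw request values for `software_repositories`, `compute_resources` and `shopping_cart` over whatever `super().to_internal_value(data)` validated. As a result `update` persists client input that no field or nested serializer has checked, via `item_data=str(dict(field_datum))`. In `update`, `len(field_data[0])` raises `IndexError` on an empty list, and `raise RuntimeError(f"WTF! {validated_data}")` turns a malformed request into a 500 whose message carries the submitted profile data into logs or debug pages. Replacing that guard with `if any(len(d) == 0 for d in field_data): raise serializers.ValidationError({m2m_field: "items must not be empty"})` would return a 400 instead. The same `item_data` keyword is passed to the model of all three relations, which presumably only fits the shopping-item model; confirm this against models.py. The class body continues past the end of this hunk.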
diff --git a/esap/accounts/api/views.py b/esap/accounts/api/views.py
index 7d9372981ecd1b86fab7b0f2a0299c6ed50f2f0d..e832aa79708b00f6a0f41936994ad1ba9661cd23 100644
--- a/esap/accounts/api/views.py
+++ b/esap/accounts/api/views.py
@@ -1,4 +1,5 @@
 from rest_framework import viewsets
+from rest_framework import permissions
 from .serializers import *
 from ..models import *
 
@@ -10,7 +11,7 @@ class EsapQuerySchemaViewSet(viewsets.ModelViewSet):
 
     queryset = EsapQuerySchema.objects.all().order_by("schema_name")
     serializer_class = EsapQuerySchemaSerializer
-    permission_classes = []
+    permission_classes = [permissions.AllowAny]
 
 
 class EsapComputeResourceViewSet(viewsets.ModelViewSet):
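Review bot: `permissions.AllowAny` on a `ModelViewSet` leaves create, update and delete open to unauthenticated clients, exactly as the empty list it replaces did, so this line only makes the open policy explicit. The same applies to the `EsapComputeResourceViewSet`, `EsapSoftwareRepositoryViewSet` and `EsapShoppingItemViewSet` hunks below. If these catalogues are meant to be publicly readable but not publicly writable, `permission_classes = [permissions.IsAuthenticatedOrReadOnly]` expresses that. If open writes are intended, a comment such as `# Intentionally writable without authentication: <reason>` would record the decision.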
@@ -20,7 +21,7 @@ class EsapComputeResourceViewSet(viewsets.ModelViewSet):
 
     queryset = EsapComputeResource.objects.all().order_by("resource_name")
     serializer_class = EsapComputeResourceSerializer
-    permission_classes = []
+    permission_classes = [permissions.AllowAny]
 
 
 class EsapSoftwareRepositoryViewSet(viewsets.ModelViewSet):
@@ -30,7 +31,7 @@ class EsapSoftwareRepositoryViewSet(viewsets.ModelViewSet):
 
     queryset = EsapSoftwareRepository.objects.all().order_by("repository_name")
     serializer_class = EsapSoftwareRepositorySerializer
-    permission_classes = []
+    permission_classes = [permissions.AllowAny]
 
 
 class EsapShoppingItemViewSet(viewsets.ModelViewSet):
@@ -40,7 +41,7 @@ class EsapShoppingItemViewSet(viewsets.ModelViewSet):
 
     queryset = EsapShoppingItem.objects.all()
     serializer_class = EsapShoppingItemSerializer
-    permission_classes = []
+    permission_classes = [permissions.AllowAny]
 
 
 class EsapUserProfileViewSet(viewsets.ModelViewSet):
@@ -50,9 +51,9 @@ class EsapUserProfileViewSet(viewsets.ModelViewSet):
 
     queryset = EsapUserProfile.objects.all().order_by("user_name")
     serializer_class = EsapUserProfileSerializer
-    permission_classes = []
+    permission_classes = [permissions.AllowAny]
 
-    def get_queryset(self):
-        # Returns nothing if no user_name supplied instead of all
-        user_name = self.request.query_params.get("user_name", None)
-        return EsapUserProfile.objects.filter(user_name=user_name)
+    # def get_queryset(self):
+    #     # Returns nothing if no user_name supplied instead of all
+    #     user_name = self.request.query_params.get("user_name", None)
+    #     return EsapUserProfile.objects.filter(user_name=user_name)
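Review bot: Commenting out `get_queryset` makes the list route return every `EsapUserProfile` the serializer exposes (the model holds user names and e-mail addresses) to any caller. Combined with `permissions.AllowAny` on a `ModelViewSet`, any caller can also modify or delete another user's profile. Require authentication with `permission_classes = [permissions.IsAuthenticated]` and restore a `get_queryset` that filters on the authenticated identity rather than on a client-supplied `user_name` query parameter. How `request.user` maps to `user_name` is not visible in this diff, so that filter needs confirming. The commented-out method should be deleted rather than kept as dead code.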
diff --git a/esap/accounts/models.py b/esap/accounts/models.py
index c6d14ce8b1d5b06dac6433440af9f544fda9c06b..57b5b361c6e02ea1565094e21e541088cd16674e 100644
--- a/esap/accounts/models.py
+++ b/esap/accounts/models.py
@@ -69,7 +69,7 @@ class EsapShoppingItem(models.Model):
 
 
 class EsapUserProfile(models.Model):
-    user_name = models.CharField("Username", max_length=50)
+    user_name = models.CharField("Username", max_length=50, primary_key=True)
     full_name = models.CharField("Full Name", max_length=100, null=True)
     user_email = models.EmailField("User Email")
     query_schema = models.ForeignKey(
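Review bot: Making `user_name` the primary key puts a client-supplied string into every detail URL, and the DRF routers' default lookup pattern `[^/.]+` does not match values containing a dot or a slash. Profiles with such user names become unreachable unless the viewset sets `lookup_value_regex`. The change also replaces the implicit `id` column, so existing rows and the many-to-many join tables need a schema migration and a uniqueness check on current `user_name` values; no migration is visible in this diff. If only the URL shape is wanted, keeping the surrogate key with `unique=True` on `user_name` and `lookup_field = "user_name"` on the viewset avoids the key change.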
@@ -86,7 +86,7 @@ class EsapUserProfile(models.Model):
         to=EsapComputeResource, verbose_name="Compute Resources", blank=True
     )
     shopping_cart = models.ManyToManyField(
-        to=EsapShoppingItem, verbose_name="Shopping Cart", blank=True
+        to=EsapShoppingItem, verbose_name="Shopping Cart", blank=True,
     )
 
     def __unicode__(self):