diff --git a/server/app/apis/alternatives.py b/server/app/apis/alternatives.py
index d4a3ad544103b21b602d148620d3539f538a0ada..0ce74d53b0a742ea31689d826f898e1b12f33b41 100644
--- a/server/app/apis/alternatives.py
+++ b/server/app/apis/alternatives.py
@@ -17,7 +17,7 @@ question_alternative_parser.add_argument("value", type=int, default=None, locati
 @api.route("")
 @api.param("competition_id, slide_id, question_id")
 class QuestionAlternativeList(Resource):
-    @protect_route(allowed_roles=["*"], allowed_views=["Team", "Judge"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self, competition_id, slide_id, question_id):
         items = dbc.get.question_alternative_list(competition_id, slide_id, question_id)
         return list_response(list_schema.dump(items))
@@ -32,7 +32,7 @@ class QuestionAlternativeList(Resource):
 @api.route("/<alternative_id>")
 @api.param("competition_id, slide_id, question_id, alternative_id")
 class QuestionAlternatives(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self, competition_id, slide_id, question_id, alternative_id):
         items = dbc.get.question_alternative(competition_id, slide_id, question_id, alternative_id)
         return item_response(schema.dump(items))
diff --git a/server/app/apis/auth.py b/server/app/apis/auth.py
index 8fc1c1f3f8d94d6d2caa0bdef2a7d6ac8b73c15a..9c9ed24a876a9b130c385194bb8cc322bef65c9d 100644
--- a/server/app/apis/auth.py
+++ b/server/app/apis/auth.py
@@ -12,6 +12,8 @@ from flask_jwt_extended import (
 )
 from flask_restx import Resource
 from flask_restx import inputs, reqparse
+from datetime import timedelta
+from app.core import sockets
 
 api = AuthDTO.api
 schema = AuthDTO.schema
@@ -90,11 +92,16 @@ class AuthLoginCode(Resource):
         code = args["code"]
 
         if not verify_code(code):
-            api.abort(codes.BAD_REQUEST, "Invalid code")
+            api.abort(codes.UNAUTHORIZED, "Invalid code")
 
         item_code = dbc.get.code_by_code(code)
 
-        access_token = create_access_token(item_code.id, user_claims=get_code_claims(item_code))
+        if item_code.competition_id not in sockets.presentations:
+            api.abort(codes.UNAUTHORIZED, "Competition not active")
+
+        access_token = create_access_token(
+            item_code.id, user_claims=get_code_claims(item_code), expires_delta=timedelta(hours=8)
+        )
 
         response = {
             "competition_id": item_code.competition_id,
@@ -107,11 +114,11 @@ class AuthLoginCode(Resource):
 
 @api.route("/logout")
 class AuthLogout(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def post(self):
         jti = get_raw_jwt()["jti"]
         dbc.add.blacklist(jti)
-        return text_response("User logout")
+        return text_response("Logout")
 
 
 @api.route("/refresh")
diff --git a/server/app/apis/components.py b/server/app/apis/components.py
index f988bce7fe9f632bfc9e32537ae9f46ae99fbca7..c22ce4ad671329538e05a6a6ee7bb5fd9026ca38 100644
--- a/server/app/apis/components.py
+++ b/server/app/apis/components.py
@@ -27,7 +27,7 @@ component_create_parser.add_argument("type_id", type=int, required=True, locatio
 @api.route("/<component_id>")
 @api.param("competition_id, slide_id, component_id")
 class ComponentByID(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self, competition_id, slide_id, component_id):
         item = dbc.get.component(competition_id, slide_id, component_id)
         return item_response(schema.dump(item))
@@ -50,7 +50,7 @@ class ComponentByID(Resource):
 @api.route("")
 @api.param("competition_id, slide_id")
 class ComponentList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self, competition_id, slide_id):
         items = dbc.get.component_list(competition_id, slide_id)
         return list_response(list_schema.dump(items))
diff --git a/server/app/apis/media.py b/server/app/apis/media.py
index c6e88ce0df9608c0ba359b11f5c5fbded2df6f70..c7de8c4d4c1cbd3f482d386e654a9bfd0063370b 100644
--- a/server/app/apis/media.py
+++ b/server/app/apis/media.py
@@ -48,7 +48,7 @@ class ImageList(Resource):
 @api.route("/images/<ID>")
 @api.param("ID")
 class ImageList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self, ID):
         item = dbc.get.one(Media, ID)
         return item_response(schema.dump(item))
diff --git a/server/app/apis/misc.py b/server/app/apis/misc.py
index 904210a5657d1d98cfee504656681ef58758a68b..20a84e4c17c138b3a94ea6e3902e67154036cabc 100644
--- a/server/app/apis/misc.py
+++ b/server/app/apis/misc.py
@@ -23,7 +23,7 @@ name_parser.add_argument("name", type=str, required=True, location="json")
 
 @api.route("/types")
 class TypesList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
     def get(self):
         result = {}
         result["media_types"] = media_type_schema.dump(dbc.get.all(MediaType))
diff --git a/server/app/database/controller/add.py b/server/app/database/controller/add.py
index a83f5b95e8988a3d0024ca6d2f3b9601426147cc..57e41705cb06f500c8678510ac1ba0629eb9c0e7 100644
--- a/server/app/database/controller/add.py
+++ b/server/app/database/controller/add.py
@@ -151,9 +151,13 @@ def competition(name, year, city_id):
 
     # Add code for Judge view
     code(2, item_competition.id)
+
     # Add code for Audience view
     code(3, item_competition.id)
 
+    # Add code for Operator view
+    code(4, item_competition.id)
+
     item_competition = utils.refresh(item_competition)
     return item_competition
 
diff --git a/server/tests/test_app.py b/server/tests/test_app.py
index 79b73e22f3434f2b60a6b5b71c40da84f74d2001..d59428a6380b74abe8853c6c09c4df0bafc031e0 100644
--- a/server/tests/test_app.py
+++ b/server/tests/test_app.py
@@ -5,6 +5,7 @@ This file tests the api function calls.
 import app.core.http_codes as codes
 from app.database.controller.add import competition
 from app.database.models import Slide
+from app.core import sockets
 
 from tests import app, client, db
 from tests.test_helpers import add_default_values, change_order_test, delete, get, post, put
@@ -391,6 +392,9 @@ def test_question_api(client):
 def test_authorization(client):
     add_default_values()
 
+    # Fake that competition 1 is active
+    sockets.presentations[1] = {}
+
     #### TEAM ####
     # Login in with team code
     response, body = post(client, "/api/auth/login/code", {"code": "111111"})