diff --git a/aleksis/apps/cursus/rules.py b/aleksis/apps/cursus/rules.py
index 45d71df1c75b9cd86957c7c38b01f8f1f02568ce..59443793c21ee7f25da1fc88363c10d4c02d85db 100644
--- a/aleksis/apps/cursus/rules.py
+++ b/aleksis/apps/cursus/rules.py
@@ -15,9 +15,7 @@ view_subjects_predicate = has_person & (
 )
 add_perm("cursus.view_subjects_rule", view_subjects_predicate)
 
-view_subject_predicate = has_person & (
-    has_global_perm("cursus.view_subject") | has_object_perm("cursus.view_subject")
-)
+view_subject_predicate = has_person
 add_perm("cursus.view_subject_rule", view_subject_predicate)
 
 create_subject_predicate = has_person & has_global_perm("cursus.add_subject")
@@ -38,12 +36,15 @@ view_courses_predicate = has_person & (
 )
 add_perm("cursus.view_courses_rule", view_courses_predicate)
 
-view_course_predicate = has_person & (
+view_course_predicate = has_person
+add_perm("cursus.view_course_rule", view_course_predicate)
+
+view_course_details_predicate = has_person & (
     is_course_teacher
     | has_global_perm("cursus.view_course")
     | has_object_perm("cursus.view_course")
 )
-add_perm("cursus.view_course_rule", view_course_predicate)
+add_perm("cursus.view_course_details_rule", view_course_details_predicate)
 
 create_course_predicate = has_person & has_global_perm("cursus.add_course")
 add_perm("cursus.create_course_rule", create_course_predicate)
diff --git a/aleksis/apps/cursus/schema.py b/aleksis/apps/cursus/schema.py
index 711ddd0db21bd72c815dfd93ccfc05c27a678c7a..193ae4c81e78b191f22a2b400c8529dda51a6b54 100644
--- a/aleksis/apps/cursus/schema.py
+++ b/aleksis/apps/cursus/schema.py
@@ -56,7 +56,9 @@ class SubjectType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        return get_objects_for_user(info.context.user, "cursus.view_subject", Subject)
+        if not info.context.user.has_perm("cursus.view_subject_rule"):
+            raise PermissionDenied()
+        return queryset
 
     @staticmethod
     def resolve_courses(root, info, **kwargs):
@@ -127,6 +129,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @staticmethod
     def resolve_teachers(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
         teachers = get_objects_for_user(info.context.user, "core.view_person", root.teachers.all())
 
         # Fixme: this following code was copied from aleksis/core/schema/group.py so it should work
@@ -139,6 +143,8 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @staticmethod
     def resolve_groups(root, info, **kwargs):
+        if not info.context.user.has_perm("cursus.view_course_details_rule", root):
+            raise PermissionDenied()
         by_permission = get_objects_for_user(
             info.context.user, "core.view_group", root.groups.all()
         )
@@ -151,12 +157,9 @@ class CourseType(PermissionsTypeMixin, DjangoFilterMixin, DjangoObjectType):
 
     @classmethod
     def get_queryset(cls, queryset, info):
-        # FIXME: Permissions... this is just a workaround,
-        # because cursus.view_course would have to be assigned manually
-        if not has_person(info.context.user):
+        if not info.context.user.has_perm("cursus.view_course_rule"):
             raise PermissionDenied()
         return queryset
-        # return get_objects_for_user(info.context.user, "cursus.view_course", Course)
 
 
 class CourseBatchCreateMutation(DjangoBatchCreateMutation):