diff --git a/Pipfile b/Pipfile
index 66cc8097..b6e73cf6 100644
--- a/Pipfile
+++ b/Pipfile
@@ -23,7 +23,7 @@ name = "pypi"
 # 5. Run `pipenv install --dev` in your terminal.
 
 [packages]
-codeforlife = {ref = "v0.18.12", git = "https://github.com/ocadotechnology/codeforlife-package-python.git"}
+codeforlife = {ref = "v0.18.13", git = "https://github.com/ocadotechnology/codeforlife-package-python.git"}
 # 🚫 Don't add [packages] below that are inherited from the CFL package.
 pyjwt = "==2.6.0" # TODO: upgrade to latest version
 # TODO: Needed by RR. Remove when RR has moved to new system.
@@ -32,7 +32,7 @@ django-sekizai = "==2.0.0"
 django-classy-tags = "==2.0.0"
 
 [dev-packages]
-codeforlife = {ref = "v0.18.12", git = "https://github.com/ocadotechnology/codeforlife-package-python.git", extras = ["dev"]}
+codeforlife = {ref = "v0.18.13", git = "https://github.com/ocadotechnology/codeforlife-package-python.git", extras = ["dev"]}
 # codeforlife = {file = "../codeforlife-package-python", editable = true, extras = ["dev"]}
 # 🚫 Don't add [dev-packages] below that are inherited from the CFL package.
 
diff --git a/Pipfile.lock b/Pipfile.lock
index b2fd72e6..022fe9f0 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "d1f40b0f11bdf5729238efc6b958681bb1255e31ead6dd34879941e46c172c62"
+            "sha256": "094cbaa84878957f5a102fb688481d111d69087e6cf044b96a38d4689a34e201"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -137,7 +137,7 @@
         },
         "codeforlife": {
             "git": "https://github.com/ocadotechnology/codeforlife-package-python.git",
-            "ref": "d1590f65543ac201b75492100f6c8c781db3bf0d"
+            "ref": "d65d49c9f2bb9c2c6f688c9f645ecfb895f47633"
         },
         "codeforlife-portal": {
             "hashes": [
@@ -563,7 +563,7 @@
                 "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3",
                 "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
             "version": "==2.9.0.post0"
         },
         "pytz": {
@@ -719,7 +719,7 @@
                 "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
                 "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
             "version": "==1.16.0"
         },
         "sqlparse": {
@@ -934,7 +934,7 @@
         },
         "codeforlife": {
             "git": "https://github.com/ocadotechnology/codeforlife-package-python.git",
-            "ref": "d1590f65543ac201b75492100f6c8c781db3bf0d"
+            "ref": "d65d49c9f2bb9c2c6f688c9f645ecfb895f47633"
         },
         "codeforlife-portal": {
             "hashes": [
@@ -1678,7 +1678,7 @@
                 "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3",
                 "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
             "version": "==2.9.0.post0"
         },
         "pytz": {
@@ -1834,7 +1834,7 @@
                 "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
                 "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'",
             "version": "==1.16.0"
         },
         "sqlparse": {
diff --git a/src/api/views/klass.py b/src/api/views/klass.py
index a77c3e88..e7f25c61 100644
--- a/src/api/views/klass.py
+++ b/src/api/views/klass.py
@@ -37,6 +37,17 @@ def get_serializer_class(self):
 
         return ReadClassSerializer
 
+    def get_queryset(self):
+        if self.action in ["retrieve", "list"]:
+            return super().get_queryset()
+
+        teacher = self.request.school_teacher_user.teacher
+        return (
+            teacher.classes
+            if teacher.is_admin
+            else teacher.classes.filter(teacher=teacher)
+        )
+
     def destroy(self, request, *args, **kwargs):
         klass = self.get_object()
 
diff --git a/src/api/views/klass_test.py b/src/api/views/klass_test.py
index caad433c..97581b42 100644
--- a/src/api/views/klass_test.py
+++ b/src/api/views/klass_test.py
@@ -85,9 +85,7 @@ def test_get_permissions__destroy(self):
     def test_get_permissions__list(self):
         """Only admin-teachers and class-teachers can list classes."""
         self.assert_get_permissions(
-            permissions=[
-                OR(IsTeacher(is_admin=True), IsTeacher(in_class=True))
-            ],
+            permissions=[IsTeacher(in_school=True)],
             action="list",
         )
 
@@ -96,12 +94,7 @@ def test_get_permissions__retrieve(self):
         Only students, admin-teachers or class-teachers can retrieve a class.
         """
         self.assert_get_permissions(
-            permissions=[
-                OR(
-                    IsStudent(),
-                    OR(IsTeacher(is_admin=True), IsTeacher(in_class=True)),
-                )
-            ],
+            permissions=[OR(IsStudent(), IsTeacher(in_school=True))],
             action="retrieve",
         )