From 2103a95a279e7624159b62450e18345b82717385 Mon Sep 17 00:00:00 2001
From: Anders <6058745+ddabble@users.noreply.github.com>
Date: Mon, 24 Apr 2023 20:02:08 +0200
Subject: [PATCH] Reorganized URL patterns in all apps

...to comply with the style guide.
The path segments (i.e. the text between the forward slashes) now have a more consistent structure,
including being prefixed by `admin/` and `api/` - as described in `CONTRIBUTING.md` - by placing the `path()` calls
inside "custom `urlpatterns` lists", like `adminpatterns` and `apipatterns` - also described in `CONTRIBUTING.md`.

Of the views whose paths have been changed, the ones that I deemed as relevant, have been added to the "Old URLs"
in `web/urls.py` to (permanently) redirect from the old to the new path.

Also added permission checks for all admin URLs (indlucing admin API URLs) that require the requesting user to have
the `internal.is_internal` permission.

Also:
* Reordered the tests in all apps' `test_urls.py` to match the order of the paths listed in each app's `urls.py`
* Improved some of the parts in `CONTRIBUTING.md` on things related to path naming and organization
* Added some missing `ContentBox` tests to `internal/tests/test_urls.py`,
  as well as all the member GET URLs, as it's useful to have all URLs listed in one place, even if it duplicates some testing
* Added some missing tests for the `event_ticket_cancel` URL in `news/tests/test_urls.py`
---
 CHANGELOG.md                                  |  30 ++--
 CONTRIBUTING.md                               |  48 +++++--
 src/announcements/tests/test_urls.py          |   5 +-
 src/announcements/urls.py                     |  17 ++-
 src/checkin/local_scanner.py                  |   5 +-
 src/checkin/tests/test_urls.py                |   3 +
 src/checkin/urls.py                           |  30 ++--
 src/docs/tests/test_urls.py                   |  14 +-
 src/docs/urls.py                              |  34 ++---
 src/faq/tests/test_urls.py                    |  19 ++-
 src/faq/urls.py                               |  40 ++++--
 src/groups/tests/test_urls.py                 |   5 +-
 src/groups/urls.py                            |   7 +-
 src/internal/tests/test_urls.py               |  70 ++++++++--
 src/internal/urls.py                          |  72 +++++-----
 src/internal/views.py                         |   3 +-
 .../static/make_queue/js/admin_quota_panel.js |   2 +-
 .../static/make_queue/js/calendar.js          |   5 +-
 .../make_queue/js/printer_3d_course_form.js   |   2 +-
 .../static/make_queue/js/reservation_form.js  |  10 +-
 .../templates/make_queue/machine_detail.html  |   1 +
 .../make_queue/reservation_form.html          |   2 +-
 src/make_queue/tests/test_urls.py             |  92 +++++++------
 .../tests/views/test_machine_views.py         |   2 +-
 .../tests/views/test_quota_views.py           |   2 +-
 .../views/test_reservation_reservation.py     |  30 ++--
 src/make_queue/urls.py                        | 130 ++++++++++++------
 src/make_queue/views/api/reservation.py       |   3 +-
 .../views/reservation/reservation.py          |  12 +-
 src/makerspace/tests/test_urls.py             |  14 +-
 src/makerspace/urls.py                        |  31 +++--
 src/news/tests/test_urls.py                   |  77 +++++++----
 src/news/tests/views/test_article_views.py    |   8 +-
 .../views/test_event_time_place_views.py      |  10 +-
 src/news/urls.py                              |  38 +++--
 src/news/views.py                             |   6 +-
 src/users/tests/test_urls.py                  |   1 +
 src/users/urls.py                             |   4 +-
 src/web/admin_urls.py                         |   5 +-
 src/web/tests/test_urls.py                    |  17 ++-
 src/web/tests/test_views.py                   |   3 +
 src/web/urls.py                               |  52 +++++--
 42 files changed, 639 insertions(+), 322 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d5489058..234a09e2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,15 +21,20 @@ A summary of changes made to the codebase, grouped per deployment.
   - This is only visible to users who have permission to modify those content boxes through Django admin
 - Changed cropping of images in article and event lists so that they always have equal proportions
 - Added a title to the quota admin panel, and switched out the "Add new quota" button for a green plus button, like other admin panel pages
+- Added an additional permission check for all admin pages (incl. API endpoints), that requires the user to have the `internal.is_internal` permission
 
 ### Fixes
 
 - Fixed board members not being allowed to add, change and delete reservation rules
-  (e.g. [the reservation rules for 3D printers](https://makentnu.no/reservation/machinetypes/1/rules/))
+  (e.g. [the reservation rules for 3D printers](https://makentnu.no/reservation/machinetypes/1/reservationrules/))
 
 ### Other changes
 
 - Enabled automated code quality checks from [Code Climate](https://codeclimate.com/quality)
+- Restructured lots of URLs to comply with the style guide
+  - The path segments (i.e. `/the-text-between-the-forward-slashes/`) now all have a more consistent structure,
+    including prefixing all admin pages' paths with `admin/` and all API endpoints with `api/`
+  - Permanent redirects have been added for the URLs deemed most relevant, to redirect from the old to the new URL
 - Renamed lots of views, forms and templates to comply with
   [the style guides](https://github.com/MAKENTNU/web/blob/2826b57a6c6fe27446c88edb19ca167a728b5eb4/CONTRIBUTING.md#code-style-guides)
 - Changed multiple pages' URLs to use [query parameters](https://en.wikipedia.org/wiki/Query_string),
@@ -78,8 +83,8 @@ A summary of changes made to the codebase, grouped per deployment.
 - Made the red "Canceled" ribbon on tickets transparent when clicking / hovering over it, to be able to read the text behind it
 - Added a "help text" yellow question mark icon next to the "Discord username" field in member info forms
   (displayed when clicked / hovered over)
-- Made the user dropdowns on both [the quota admin page](https://makentnu.no/reservation/quota/) and
-  [the quota form page](https://makentnu.no/reservation/quota/add/), function equally
+- Made the user dropdowns on both [the quota admin page](https://makentnu.no/admin/reservation/quotas/) and
+  [the quota form page](https://makentnu.no/admin/reservation/quotas/add/), function equally
 - When changing machine type in the reservation creation form, made the first machine of that type be automatically selected
 - Place files uploaded through CKEditor in a separate folder for each model
 - Made all pages have a consistent (browser tab) title format
@@ -154,12 +159,12 @@ A summary of changes made to the codebase, grouped per deployment.
 ### New features
 
 - Added a URL which always links to the current week for a machine reservation calendar
-  - This URL can be copied by right-clicking the "View in calendar" button for a machine on [the machine list page](https://makentnu.no/reservation/),
-    and selecting "Copy link address"
+  - This URL can be copied by right-clicking the "View in calendar" button for a machine on
+    [the machine list page](https://makentnu.no/reservation/machines/), and selecting "Copy link address"
 - Made machine streams work with the new Raspberry Pi setup
   - Also, only the visible streams are connected to;
     once the page is scrolled so that a stream image is no longer rendered, the stream for that machine is disconnected,
-    which makes [the machine list page](https://makentnu.no/reservation/) use considerably less data (depending on how the page is scrolled)
+    which makes [the machine list page](https://makentnu.no/reservation/machines/) use considerably less data (depending on how the page is scrolled)
     - This does not apply to the machine detail (calendar) page, as there is always only one stream on the page
 
 ### Improvements
@@ -168,7 +173,7 @@ A summary of changes made to the codebase, grouped per deployment.
 - Renamed a lot of templates (and CSS and JavaScript files) to comply with the style guide
 - Improved word breaking (splitting a word between two lines, often using a hyphen) multiple places, like in titles and descriptions
 - Added translations to the spreadsheet containing course registrations, that can be downloaded from
-  [the course registrations page](https://makentnu.no/reservation/course/)
+  [the course registrations page](https://makentnu.no/admin/reservation/courses/)
 - Improved the permission check for [the admin panel](https://makentnu.no/admin/)
 - Added edit and delete buttons on the machine detail (calendar) page
 - On the history page for a documentation page (on [docs.makentnu.no](https://docs.makentnu.no/)),
@@ -246,7 +251,7 @@ A summary of changes made to the codebase, grouped per deployment.
 ### Improvements
 
 - Significantly improved page performance when watching streams that fail to connect
-  (most notably on [the machine list](https://makentnu.no/reservation/))
+  (most notably on [the machine list](https://makentnu.no/reservation/machines/))
 - Added warning message when there are gaps between the reservation rules of a machine type
 - Reordered [admin panel](https://makentnu.no/admin/) buttons
 - The code that reduces the size of uploaded images, now does not use the "reduced" image if it's not actually smaller -
@@ -339,7 +344,7 @@ A summary of changes made to the codebase, grouped per deployment.
 
 ### New features
 
-- Added an [admin page for FAQ categories](https://makentnu.no/faq/admin/categories/)
+- Added an [admin page for FAQ categories](https://makentnu.no/admin/faq/categories/)
 - For machines with streams: Added a new "no stream" image, in addition to images that are shown when the stream is down *and* the machine has either
   status "Maintenance" or "Out of order"
 
@@ -399,13 +404,14 @@ A summary of changes made to the codebase, grouped per deployment.
 ### New features
 
 - Added a "Special 3D printers" machine type
-  - This is listed on [the machine list (reservations) page](https://makentnu.no/reservation/) when one or more machines of this type have been added
+  - This is listed on [the machine list (reservations) page](https://makentnu.no/reservation/machines/) when one or more machines of this type
+    have been added
 - Added an "Advanced course" checkbox to course registrations
   - Checking this checkbox will grant users permission to create reservations for the special 3D printers
 - The course registration form now checks whether the submitted card number is actually (by accident) the phone number of NTNU's Building security
 - Changed the URL for the email lists from [/email](https://makentnu.no/email/) to [/about/contact](https://makentnu.no/about/contact/)
 - Added a counter at the bottom of [the member list](https://i.makentnu.no/members/)
-  and [course registration list](https://makentnu.no/reservation/course/), that shows how many members and course registrations are displayed,
+  and [course registration list](https://makentnu.no/admin/reservation/courses/), that shows how many members and course registrations are displayed,
   respectively
 - Articles, events, profile pictures and other things you can upload images for, now support GIFs
 
@@ -451,7 +457,7 @@ A summary of changes made to the codebase, grouped per deployment.
 ### New features
 
 - Added an [internal home page](https://i.makentnu.no/) (currently blank)
-- Added an [FAQ page](https://makentnu.no/faq/), including the ability to [add questions through the admin page](https://makentnu.no/faq/admin/)
+- Added an [FAQ page](https://makentnu.no/faq/), including the ability to [add questions through the admin page](https://makentnu.no/admin/faq/)
 
 ### Fixes
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 53bb83ad6..90b5b9a20 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -356,14 +356,16 @@ Sort the contents of a class in the following order:
 In general, names of views related to model objects should comply with one of the following patterns:
 * `<Model name><Noun or verb>View` - in most cases;
 * `Admin<Model name><Noun or verb>View` - for views that only admins should have access to;
-* `API<Model name><Noun or verb>View` - for views responding with JSON;
-* `AdminAPI<Model name><Noun or verb>View` - for views responding with JSON that only admins should have access to;
+* `API<Model name><Noun or verb>View` - for views responding exclusively with JSON;
+* `AdminAPI<Model name><Noun or verb>View` - for views responding exclusively with JSON that only admins should have access to;
 * where:
   * `<Model name>` is the name of the model class that the view is related to.
   * `<Noun or verb>` is a word concisely outlining the contents of the view.
     * If the view inherits from one of Django's top-level generic views (`ListView`, `DetailView`, `CreateView`, `UpdateView` or `DeleteView`),
       the word should be the name of the generic view - without the `View` suffix.
 
+(Note that the `Admin`/`API`/`AdminAPI` prefixes correspond with the path prefixes mentioned in [Path prefixes](#path-prefixes).)
+
 #### View class order
 
 Sort views in the same order as they appear in the app's `urls.py` (see [Path order](#path-order)).
@@ -400,6 +402,17 @@ or `test_get_related_events_returns_expected_events()` (for a model method named
 
 In general, try to make paths as [RESTful](https://hackernoon.com/restful-api-designing-guidelines-the-best-practices-60e1d954e7c9) as possible.
 
+Let all paths end with a `/`
+(except if the first argument to `path()` would have been just `"/"`, in which case the argument should be an empty string).
+
+###### Path naming conventions:
+
+Use `kebab-case`, and concatenate compound nouns - as long as it's still fairly legible.
+Examples:
+* `machinetypes/` is preferable over `machine-types/`;
+* `softwareengineers/` is preferable over `software-engineers/` - even if there's a double E, which makes it slightly less legible;
+* `find-free-slots/` is preferable over `findfreeslots/`.
+
 For paths that refer to views inheriting from one of the following
 [generic views](https://docs.djangoproject.com/en/stable/ref/class-based-views/flattened-index/),
 the path specified is encouraged:
@@ -416,15 +429,26 @@ This makes the paths consistent with the ones used by the
 [Django admin site](https://docs.djangoproject.com/en/stable/ref/contrib/admin/#reversing-admin-urls),
 and the names of the corresponding [default model permissions](https://docs.djangoproject.com/en/stable/topics/auth/default/#default-permissions).
 
+###### Path prefixes:
+
+Prefix all endpoints' paths with the following patterns:
+* `admin/` - if the endpoint/webpage should only be accessed by admins;
+* `api/` - if the endpoint responds exclusively with JSON;
+* `api/admin/` - if the endpoint responds exclusively with JSON **and** should only be accessed by admins.
+
+See [`urlpatterns` for admin/API view paths](#urlpatterns-for-adminapi-view-paths) for how to manage this with `urlpatterns`.
+
+_The language path prefix is not affected by the above rules,
+so e.g. the English version of `/api/admin/some-path/` being `/en/api/admin/some-path/` is perfectly fine._
+
+###### Other path grouping:
+
 If a model is conceptually subordinated another model (e.g. an event occurrence model that is connected to an event model),
 the paths for the views related to that "sub-model" should be relative to the paths of the "super-model" -
 while still complying with the guidelines above.
 For example: `event/<int:pk>/occurrences/<int:occurrence_pk>/change/`.
 
-Lastly, let all paths end with a `/`
-(except if the first argument to `path()` would have been `"/"`, in which case it should be an empty string).
-
-#### Path name
+#### Path `name` (the argument of `path()`)
 
 Use `snake_case`.
 
@@ -471,13 +495,11 @@ event_occurrence_urlpatterns = [
     path("", ..., name='event_occurrence_list'),
     path("<int:pk>/", ..., name='event_occurrence_detail'),
 ]
-
 specific_event_urlpatterns = [
     path("", ..., name='event_detail'),
     path("change/", ..., name='event_update'),
     path("occurrences/", include(event_occurrence_urlpatterns)),
 ]
-
 event_urlpatterns = [
     path("", ..., name='event_list'),
     path("add/", ..., name='event_create'),
@@ -493,15 +515,17 @@ urlpatterns = [
 
 For each app's `urls.py` file, place paths inside lists with the following names:
 * `adminpatterns` - if they refer to a view that only admins should have access to;
-* `apipatterns` - if they refer to a view responding with JSON;
-* `adminapipatterns` - if they refer to a view responding with JSON that only admins should have access to.
+* `apipatterns` - if they refer to a view responding exclusively with JSON;
+* `adminapipatterns` - if they refer to a view responding exclusively with JSON that only admins should have access to.
 
-Each of these lists should now only contain paths referring to views with the corresponding prefixes listed in [View class name](#view-class-name).
+_Each of these lists should now only contain paths referring to views with the corresponding class name prefixes listed in
+[View class name](#view-class-name)._
 
 These lists should then be imported in [`web/urls.py`](src/web/urls.py), and `include()`d in
 `admin_urlpatterns`, `api_urlpatterns` and `admin_api_urlpatterns`, respectively -
 with the same path route argument as the app's other paths.
-(This ensures that all paths start with the relevant `admin/`, `api/` or `api/admin/` prefix.)
+(This ensures that all paths start with the relevant `admin/`, `api/` or `api/admin/` prefix;
+see [Path prefixes](#path-prefixes).)
 For example:
 ```python
 from django.urls import include, path
diff --git a/src/announcements/tests/test_urls.py b/src/announcements/tests/test_urls.py
index 43bcdf59d..b220f33c1 100644
--- a/src/announcements/tests/test_urls.py
+++ b/src/announcements/tests/test_urls.py
@@ -20,9 +20,12 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # specific_announcement_adminpatterns
+            Get(reverse('announcement_update', args=[self.announcement1.pk]), public=False),
+
+            # adminpatterns
             Get(reverse('admin_announcement_list'), public=False),
             Get(reverse('announcement_create'), public=False),
-            Get(reverse('announcement_update', args=[self.announcement1.pk]), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/announcements/urls.py b/src/announcements/urls.py
index f30f4d95c..e5cc3e1ac 100644
--- a/src/announcements/urls.py
+++ b/src/announcements/urls.py
@@ -1,11 +1,20 @@
-from django.urls import path
+from django.urls import include, path
 
 from . import views
 
 
 urlpatterns = [
-    path("admin/", views.AdminAnnouncementListView.as_view(), name='admin_announcement_list'),
+]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+specific_announcement_adminpatterns = [
+    path("change/", views.AnnouncementUpdateView.as_view(), name='announcement_update'),
+    path("delete/", views.AnnouncementDeleteView.as_view(), name='announcement_delete'),
+]
+
+adminpatterns = [
+    path("", views.AdminAnnouncementListView.as_view(), name='admin_announcement_list'),
     path("add/", views.AnnouncementCreateView.as_view(), name='announcement_create'),
-    path("<int:pk>/change/", views.AnnouncementUpdateView.as_view(), name='announcement_update'),
-    path("<int:pk>/delete/", views.AnnouncementDeleteView.as_view(), name='announcement_delete'),
+    path("<int:pk>/", include(specific_announcement_adminpatterns)),
 ]
diff --git a/src/checkin/local_scanner.py b/src/checkin/local_scanner.py
index 059a9ae66..c86969dcb 100644
--- a/src/checkin/local_scanner.py
+++ b/src/checkin/local_scanner.py
@@ -1,4 +1,5 @@
 import requests
+from django.urls import reverse
 
 """
 Module for testing the RFID functionality on makentnu.no when running locally and/or without an RFID scanner.
@@ -15,8 +16,8 @@ def _card(path, card_id, secret):
 
 
 def register(card_id="0123456789", secret=""):
-    return _card("checkin/register/card/", card_id, secret)
+    return _card(reverse('admin_register_card'), card_id, secret)
 
 
 def check(card_id="0123456789", secret=""):
-    return _card("checkin/post/", card_id, secret)
+    return _card(reverse('admin_check_in'), card_id, secret)
diff --git a/src/checkin/tests/test_urls.py b/src/checkin/tests/test_urls.py
index 7306b20e2..185a34a7e 100644
--- a/src/checkin/tests/test_urls.py
+++ b/src/checkin/tests/test_urls.py
@@ -31,8 +31,11 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # urlpatterns
             Get(reverse('user_skill_list'), public=True),
             Get(reverse('profile_detail'), public=False),
+
+            # adminpatterns
             Get(reverse('admin_suggest_skill'), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
diff --git a/src/checkin/urls.py b/src/checkin/urls.py
index 0369919c2..828a68b19 100644
--- a/src/checkin/urls.py
+++ b/src/checkin/urls.py
@@ -1,5 +1,5 @@
 from django.contrib.auth.decorators import login_required
-from django.urls import path
+from django.urls import include, path
 
 from . import views
 
@@ -7,11 +7,25 @@
 urlpatterns = [
     path("", views.UserSkillListView.as_view(), name='user_skill_list'),
     path("profile/", login_required(views.ProfileDetailView.as_view()), name='profile_detail'),
-    path("profile/change/image/", login_required(views.AdminProfilePictureUpdateView.as_view()), name='admin_profile_picture_update'),
-    path("post/", views.AdminCheckInView.as_view()),
-    path("register/card/", views.AdminRegisterCardView.as_view()),
-    path("register/profile/", login_required(views.AdminAPIRegisterProfileView.as_view()), name='admin_api_register_profile'),
-    path("suggest/", login_required(views.AdminSuggestSkillView.as_view()), name='admin_suggest_skill'),
-    path("suggest/vote/", login_required(views.AdminAPISuggestSkillVoteView.as_view()), name='admin_api_suggest_skill_vote'),
-    path("suggest/<int:pk>/delete/", login_required(views.AdminAPISuggestSkillDeleteView.as_view()), name='admin_api_suggest_skill_delete'),
+]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+adminpatterns = [
+    path("profile/change/image/", views.AdminProfilePictureUpdateView.as_view(), name='admin_profile_picture_update'),
+    path("post/", views.AdminCheckInView.as_view(), name='admin_check_in'),
+    path("register/card/", views.AdminRegisterCardView.as_view(), name='admin_register_card'),
+    path("suggest/", views.AdminSuggestSkillView.as_view(), name='admin_suggest_skill'),
+]
+
+# --- Admin API URL patterns (imported in `web/urls.py`) ---
+
+suggest_skill_adminapipatterns = [
+    path("vote/", views.AdminAPISuggestSkillVoteView.as_view(), name='admin_api_suggest_skill_vote'),
+    path("<int:pk>/delete/", views.AdminAPISuggestSkillDeleteView.as_view(), name='admin_api_suggest_skill_delete'),
+]
+
+adminapipatterns = [
+    path("register/profile/", views.AdminAPIRegisterProfileView.as_view(), name='admin_api_register_profile'),
+    path("suggest/", include(suggest_skill_adminapipatterns)),
 ]
diff --git a/src/docs/tests/test_urls.py b/src/docs/tests/test_urls.py
index f520d1e58..89c25dfe7 100644
--- a/src/docs/tests/test_urls.py
+++ b/src/docs/tests/test_urls.py
@@ -37,18 +37,24 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
-            Get(self.reverse('home'), public=False),
+            # urlpatterns
+            Get('/robots.txt', public=True, translated=False),
+            Get('/.well-known/security.txt', public=True, translated=False),
+
+            # specific_documentation_page_urlpatterns
             Get(self.reverse('documentation_page_detail', self.page1.pk), public=False),
             Get(self.reverse('documentation_page_history_detail', self.page1.pk), public=False),
             Get(self.reverse('documentation_page_content_detail', self.page1.pk, self.content1.pk), public=False),
             Get(self.reverse('documentation_page_content_detail', self.page1.pk, self.content2.pk), public=False),
-            Get(self.reverse('documentation_page_create'), public=False),
             Get(self.reverse('documentation_page_update', self.page1.pk), public=False),
+            # documentation_page_urlpatterns
+            Get(self.reverse('documentation_page_create'), public=False),
+
+            # unsafe_urlpatterns
+            Get(self.reverse('home'), public=False),
             Get(self.reverse('documentation_page_search'), public=False),
             Get(f"{self.reverse('documentation_page_search')}?query=lorem", public=False),
             Get(f"{self.reverse('documentation_page_search')}?query=lorem&page=2", public=False),
-            Get('/robots.txt', public=True, translated=False),
-            Get('/.well-known/security.txt', public=True, translated=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates, 'docs')
 
diff --git a/src/docs/urls.py b/src/docs/urls.py
index 5ef65dd1f..5282878f9 100644
--- a/src/docs/urls.py
+++ b/src/docs/urls.py
@@ -2,7 +2,7 @@
 from django.conf import settings
 from django.conf.urls.i18n import i18n_patterns
 from django.conf.urls.static import static
-from django.urls import path, register_converter
+from django.urls import include, path, register_converter
 from django.views.generic import TemplateView
 
 from util.url_utils import ckeditor_uploader_urls, debug_toolbar_urls, logout_urls, permission_required_else_denied
@@ -16,34 +16,34 @@
     path(".well-known/security.txt", TemplateView.as_view(template_name='web/security.txt', content_type='text/plain')),
 
     *debug_toolbar_urls(),
-    path("i18n/", decorator_include(
-        permission_required_else_denied('docs.view_page'),
-        'django.conf.urls.i18n'
-    )),
+    path("i18n/", decorator_include(permission_required_else_denied('docs.view_page'), 'django.conf.urls.i18n')),
     *static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT),  # For development only; Nginx is used in production
 
     *ckeditor_uploader_urls(),
 ]
 urlpatterns += logout_urls()
 
+specific_documentation_page_urlpatterns = [
+    path("", views.DocumentationPageDetailView.as_view(), name='documentation_page_detail'),
+    path("history/", views.DocumentationPageHistoryDetailView.as_view(), name='documentation_page_history_detail'),
+    path("history/change/", views.DocumentationPageVersionUpdateView.as_view(), name='documentation_page_version_update'),
+    path("history/<int:content_pk>/", views.DocumentationPageContentDetailView.as_view(), name='documentation_page_content_detail'),
+    path("change/", views.DocumentationPageUpdateView.as_view(), name='documentation_page_update'),
+    path("delete/", views.DocumentationPageDeleteView.as_view(), name='documentation_page_delete'),
+]
+documentation_page_urlpatterns = [
+    path("add/", views.DocumentationPageCreateView.as_view(), name='documentation_page_create'),
+    path("<PageTitle:title>/", include(specific_documentation_page_urlpatterns)),
+]
+
 unsafe_urlpatterns = [
     path("", views.DocumentationPageDetailView.as_view(is_main_page=True), name='home'),
-    path("page/add/", views.DocumentationPageCreateView.as_view(), name='documentation_page_create'),
-    path("page/<PageTitle:title>/", views.DocumentationPageDetailView.as_view(), name='documentation_page_detail'),
-    path("page/<PageTitle:title>/history/", views.DocumentationPageHistoryDetailView.as_view(), name='documentation_page_history_detail'),
-    path("page/<PageTitle:title>/history/change/", views.DocumentationPageVersionUpdateView.as_view(), name='documentation_page_version_update'),
-    path("page/<PageTitle:title>/history/<int:content_pk>/", views.DocumentationPageContentDetailView.as_view(),
-         name='documentation_page_content_detail'),
-    path("page/<PageTitle:title>/change/", views.DocumentationPageUpdateView.as_view(), name='documentation_page_update'),
-    path("page/<PageTitle:title>/delete/", views.DocumentationPageDeleteView.as_view(), name='documentation_page_delete'),
+    path("page/", include(documentation_page_urlpatterns)),
     path("search/", views.DocumentationPageSearchView.as_view(), name='documentation_page_search'),
 ]
 
 urlpatterns += i18n_patterns(
-    path("", decorator_include(
-        permission_required_else_denied('docs.view_page'),
-        unsafe_urlpatterns
-    )),
+    path("", decorator_include(permission_required_else_denied('docs.view_page'), unsafe_urlpatterns)),
 
     prefix_default_language=False,
 )
diff --git a/src/faq/tests/test_urls.py b/src/faq/tests/test_urls.py
index 23d938ab7..9ea1d4b99 100644
--- a/src/faq/tests/test_urls.py
+++ b/src/faq/tests/test_urls.py
@@ -21,20 +21,29 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # urlpatterns
             Get(reverse('faq_list'), public=True),
-            Get(reverse('admin_faq_panel'), public=False),
-            Get(reverse('admin_question_list'), public=False),
-            Get(reverse('question_create'), public=False),
+
+            # specific_question_adminpatterns
             *[
                 Get(reverse('question_update', args=[question.pk]), public=False)
                 for question in self.questions
             ],
-            Get(reverse('admin_category_list'), public=False),
-            Get(reverse('category_create'), public=False),
+            # question_adminpatterns
+            Get(reverse('admin_question_list'), public=False),
+            Get(reverse('question_create'), public=False),
+
+            # specific_category_adminpatterns
             *[
                 Get(reverse('category_update', args=[category.pk]), public=False)
                 for category in self.categories
             ],
+            # category_adminpatterns
+            Get(reverse('admin_category_list'), public=False),
+            Get(reverse('category_create'), public=False),
+
+            # adminpatterns
+            Get(reverse('admin_faq_panel'), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/faq/urls.py b/src/faq/urls.py
index 8c3c1d90f..54e7f0b35 100644
--- a/src/faq/urls.py
+++ b/src/faq/urls.py
@@ -1,18 +1,36 @@
-from django.contrib.auth.decorators import login_required
-from django.urls import path
+from django.urls import include, path
 
 from . import views
 
 
 urlpatterns = [
     path("", views.FAQListView.as_view(), name='faq_list'),
-    path("admin/", login_required(views.AdminFAQPanelView.as_view()), name='admin_faq_panel'),
-    path("admin/questions/", login_required(views.AdminQuestionListView.as_view()), name='admin_question_list'),
-    path("admin/questions/add/", login_required(views.QuestionCreateView.as_view()), name='question_create'),
-    path("admin/questions/<int:pk>/change/", login_required(views.QuestionUpdateView.as_view()), name='question_update'),
-    path("admin/questions/<int:pk>/delete/", login_required(views.QuestionDeleteView.as_view()), name='question_delete'),
-    path("admin/categories/", login_required(views.AdminCategoryListView.as_view()), name='admin_category_list'),
-    path("admin/categories/add/", login_required(views.CategoryCreateView.as_view()), name='category_create'),
-    path("admin/categories/<int:pk>/change/", login_required(views.CategoryUpdateView.as_view()), name='category_update'),
-    path("admin/categories/<int:pk>/delete/", login_required(views.CategoryDeleteView.as_view()), name='category_delete'),
+]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+specific_question_adminpatterns = [
+    path("change/", views.QuestionUpdateView.as_view(), name='question_update'),
+    path("delete/", views.QuestionDeleteView.as_view(), name='question_delete'),
+]
+question_adminpatterns = [
+    path("", views.AdminQuestionListView.as_view(), name='admin_question_list'),
+    path("add/", views.QuestionCreateView.as_view(), name='question_create'),
+    path("<int:pk>/", include(specific_question_adminpatterns)),
+]
+
+specific_category_adminpatterns = [
+    path("change/", views.CategoryUpdateView.as_view(), name='category_update'),
+    path("delete/", views.CategoryDeleteView.as_view(), name='category_delete'),
+]
+category_adminpatterns = [
+    path("", views.AdminCategoryListView.as_view(), name='admin_category_list'),
+    path("add/", views.CategoryCreateView.as_view(), name='category_create'),
+    path("<int:pk>/", include(specific_category_adminpatterns)),
+]
+
+adminpatterns = [
+    path("", views.AdminFAQPanelView.as_view(), name='admin_faq_panel'),
+    path("questions/", include(question_adminpatterns)),
+    path("categories/", include(category_adminpatterns)),
 ]
diff --git a/src/groups/tests/test_urls.py b/src/groups/tests/test_urls.py
index 1d6019f2a..b5978cdef 100644
--- a/src/groups/tests/test_urls.py
+++ b/src/groups/tests/test_urls.py
@@ -22,10 +22,13 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # urlpatterns
             Get(reverse('committee_list'), public=True),
             Get(reverse('committee_detail', args=[self.committee1.pk]), public=True),
-            Get(reverse('committee_update', args=[self.committee1.pk]), public=False),
+
+            # adminpatterns
             Get(reverse('admin_committee_list'), public=False),
+            Get(reverse('committee_update', args=[self.committee1.pk]), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/groups/urls.py b/src/groups/urls.py
index e58442ffa..eca0de3c0 100644
--- a/src/groups/urls.py
+++ b/src/groups/urls.py
@@ -6,6 +6,11 @@
 urlpatterns = [
     path("", views.CommitteeListView.as_view(), name='committee_list'),
     path("<int:pk>/", views.CommitteeDetailView.as_view(), name='committee_detail'),
+]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+adminpatterns = [
+    path("", views.AdminCommitteeListView.as_view(), name='admin_committee_list'),
     path("<int:pk>/change/", views.CommitteeUpdateView.as_view(), name='committee_update'),
-    path("admin/", views.AdminCommitteeListView.as_view(), name='admin_committee_list'),
 ]
diff --git a/src/internal/tests/test_urls.py b/src/internal/tests/test_urls.py
index 1521f6a65..69860f0d2 100644
--- a/src/internal/tests/test_urls.py
+++ b/src/internal/tests/test_urls.py
@@ -43,6 +43,17 @@ def setUp(self):
         self.member_editor_client.login(username=member_editor_user, password=password)
 
         self.home_content_box = ContentBox.objects.create(url_name='home')
+        self.dev_board_content_box = ContentBox.objects.create(url_name='dev-board')
+        self.event_board_content_box = ContentBox.objects.create(url_name='event-board')
+        self.mentor_board_content_box = ContentBox.objects.create(url_name='mentor-board')
+        self.pr_board_content_box = ContentBox.objects.create(url_name='pr-board')
+        self.MAKE_history_content_box = ContentBox.objects.create(url_name='make-history')
+        self.content_boxes = (
+            self.home_content_box,
+            self.dev_board_content_box, self.event_board_content_box, self.mentor_board_content_box, self.pr_board_content_box,
+            self.MAKE_history_content_box,
+        )
+
         self.secret1 = Secret.objects.create(title="Key storage box", content="Code: 1234")
         self.secret2 = Secret.objects.create(title="YouTube account", content="<p>Email: make@gmail.com</p><p>Password: password</p>")
         self.secrets = (self.secret1, self.secret2)
@@ -134,23 +145,64 @@ def test_permissions(self):
         self._test_internal_url('POST', reverse_internal('set_language'), {'language': 'en'}, expected_redirect_path="/en/")
         self._test_internal_url('POST', reverse_internal('set_language'), {'language': 'nb'}, expected_redirect_path="/")
 
-    def test_all_non_member_get_request_paths_succeed(self):
+    def test_all_get_request_paths_succeed(self):
         path_predicates = [
-            Get(reverse_internal(self.home_content_box.url_name), public=False),
-            Get(reverse_internal('content_box_update', self.home_content_box.pk), public=False),
+            # urlpatterns
+            Get('/robots.txt', public=True, translated=False),
+            Get('/.well-known/security.txt', public=True, translated=False),
 
-            Get(reverse_internal('secret_list'), public=False),
-            Get(reverse_internal('secret_create'), public=False),
+            # committee_bulletin_urlpatterns
+            Get(reverse_internal(self.dev_board_content_box.url_name), public=False),
+            Get(reverse_internal(self.event_board_content_box.url_name), public=False),
+            Get(reverse_internal(self.mentor_board_content_box.url_name), public=False),
+            Get(reverse_internal(self.pr_board_content_box.url_name), public=False),
+
+            # internal_content_box_urlpatterns
+            *[
+                Get(reverse_internal('content_box_update', content_box.pk), public=False)
+                for content_box in self.content_boxes
+            ],
+
+            # change_status_of_specific_member_urlpatterns
+            *[
+                Get(reverse_internal('member_quit', member.pk), public=False)
+                for member in self.members
+            ],
+            *[
+                Get(reverse_internal('member_retire', member.pk), public=False)
+                for member in self.members
+            ],
+            # change_specific_member_urlpatterns
+            *[
+                Get(reverse_internal('member_update', member.pk), public=False)
+                for member in self.members
+            ],
+            # specific_member_urlpatterns
+            *[
+                Get(reverse_internal('member_detail', member.pk), public=False)
+                for member in self.members
+            ],
+            # member_urlpatterns
+            Get(reverse_internal('member_list'), public=False),
+            Get(reverse_internal('member_create'), public=False),
+
+            # specific_secret_urlpatterns
             Get(reverse_internal('secret_update', self.secret1.pk), public=False),
             Get(reverse_internal('secret_update', self.secret2.pk), public=False),
+            # secret_urlpatterns
+            Get(reverse_internal('secret_list'), public=False),
+            Get(reverse_internal('secret_create'), public=False),
 
-            Get(reverse_internal('quote_list'), public=False),
-            Get(reverse_internal('quote_create'), public=False),
+            # specific_quote_urlpatterns
             Get(reverse_internal('quote_update', self.quote1.pk), public=False),
             Get(reverse_internal('quote_update', self.quote2.pk), public=False),
+            # quote_urlpatterns
+            Get(reverse_internal('quote_list'), public=False),
+            Get(reverse_internal('quote_create'), public=False),
 
-            Get('/robots.txt', public=True, translated=False),
-            Get('/.well-known/security.txt', public=True, translated=False),
+            # internal_urlpatterns
+            Get(reverse_internal(self.home_content_box.url_name), public=False),
+            Get(reverse_internal(self.MAKE_history_content_box.url_name), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates, 'internal')
 
diff --git a/src/internal/urls.py b/src/internal/urls.py
index 8222d7667..33fc36665 100644
--- a/src/internal/urls.py
+++ b/src/internal/urls.py
@@ -14,10 +14,7 @@
     path(".well-known/security.txt", TemplateView.as_view(template_name='web/security.txt', content_type='text/plain')),
 
     *debug_toolbar_urls(),
-    path("i18n/", decorator_include(
-        permission_required_else_denied('internal.is_internal'),
-        'django.conf.urls.i18n'
-    )),
+    path("i18n/", decorator_include(permission_required_else_denied('internal.is_internal'), 'django.conf.urls.i18n')),
     *static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT),  # For development only; Nginx is used in production
 
     *ckeditor_uploader_urls(),
@@ -35,29 +32,44 @@
     path("<int:pk>/change/", views.InternalContentBoxUpdateView.as_view(), name='content_box_update'),
 ]
 
+change_status_of_specific_member_urlpatterns = [
+    path("", views.MemberStatusUpdateView.as_view(), name='member_status_update'),
+    path("quit/", views.MemberQuitView.as_view(), name='member_quit'),
+    path("retire/", views.MemberRetireView.as_view(), name='member_retire'),
+]
+change_specific_member_urlpatterns = [
+    path("", views.MemberUpdateView.as_view(), name='member_update'),
+    path("status/", include(change_status_of_specific_member_urlpatterns)),
+]
+specific_member_urlpatterns = [
+    path("", views.MemberListView.as_view(), name='member_detail'),
+    path("change/", include(change_specific_member_urlpatterns)),
+    path("access/<int:system_access_pk>/change/", views.SystemAccessUpdateView.as_view(), name='system_access_update'),
+]
 member_urlpatterns = [
-    path("members/", views.MemberListView.as_view(), name='member_list'),
-    path("members/<int:pk>/", views.MemberListView.as_view(), name='member_detail'),
-    path("members/add/", views.MemberCreateView.as_view(), name='member_create'),
-    path("members/<int:pk>/change/", views.MemberUpdateView.as_view(), name='member_update'),
-    path("members/<int:pk>/change/status/", views.MemberStatusUpdateView.as_view(), name='member_status_update'),
-    path("members/<int:pk>/change/status/quit/", views.MemberQuitView.as_view(), name='member_quit'),
-    path("members/<int:pk>/change/status/retire/", views.MemberRetireView.as_view(), name='member_retire'),
-    path("members/<int:member_pk>/access/<int:pk>/change/", views.SystemAccessUpdateView.as_view(), name='system_access_update'),
+    path("", views.MemberListView.as_view(), name='member_list'),
+    path("add/", views.MemberCreateView.as_view(), name='member_create'),
+    path("<int:pk>/", include(specific_member_urlpatterns)),
 ]
 
+specific_secret_urlpatterns = [
+    path("change/", views.SecretUpdateView.as_view(), name='secret_update'),
+    path("delete/", views.SecretDeleteView.as_view(), name='secret_delete'),
+]
 secret_urlpatterns = [
-    path("secrets/", views.SecretListView.as_view(), name='secret_list'),
-    path("secrets/add/", views.SecretCreateView.as_view(), name='secret_create'),
-    path("secrets/<int:pk>/change/", views.SecretUpdateView.as_view(), name='secret_update'),
-    path("secrets/<int:pk>/delete/", views.SecretDeleteView.as_view(), name='secret_delete'),
+    path("", views.SecretListView.as_view(), name='secret_list'),
+    path("add/", views.SecretCreateView.as_view(), name='secret_create'),
+    path("<int:pk>/", include(specific_secret_urlpatterns)),
 ]
 
+specific_quote_urlpatterns = [
+    path("change/", views.QuoteUpdateView.as_view(), name='quote_update'),
+    path("delete/", views.QuoteDeleteView.as_view(), name='quote_delete'),
+]
 quote_urlpatterns = [
-    path("quotes/", views.QuoteListView.as_view(), name='quote_list'),
-    path("quotes/add/", views.QuoteCreateView.as_view(), name='quote_create'),
-    path("quotes/<int:pk>/change/", views.QuoteUpdateView.as_view(), name='quote_update'),
-    path("quotes/<int:pk>/delete/", views.QuoteDeleteView.as_view(), name='quote_delete'),
+    path("", views.QuoteListView.as_view(), name='quote_list'),
+    path("add/", views.QuoteCreateView.as_view(), name='quote_create'),
+    path("<int:pk>/", include(specific_quote_urlpatterns)),
 ]
 
 internal_urlpatterns = [
@@ -67,25 +79,13 @@
     views.InternalContentBoxDetailView.get_path('make-history'),
     path("contentbox/", include(internal_content_box_urlpatterns)),
 
-    path("", decorator_include(
-        permission_required_else_denied('internal.view_member'),
-        member_urlpatterns
-    )),
-    path("", decorator_include(
-        permission_required_else_denied('internal.view_secret'),
-        secret_urlpatterns
-    )),
-    path("", decorator_include(
-        permission_required_else_denied('internal.view_quote'),
-        quote_urlpatterns
-    )),
+    path("members/", decorator_include(permission_required_else_denied('internal.view_member'), member_urlpatterns)),
+    path("secrets/", decorator_include(permission_required_else_denied('internal.view_secret'), secret_urlpatterns)),
+    path("quotes/", decorator_include(permission_required_else_denied('internal.view_quote'), quote_urlpatterns)),
 ]
 
 urlpatterns += i18n_patterns(
-    path("", decorator_include(
-        permission_required_else_denied('internal.is_internal'),
-        internal_urlpatterns
-    )),
+    path("", decorator_include(permission_required_else_denied('internal.is_internal'), internal_urlpatterns)),
 
     prefix_default_language=False,
 )
diff --git a/src/internal/views.py b/src/internal/views.py
index 8a1f3f790..d846bb07e 100644
--- a/src/internal/views.py
+++ b/src/internal/views.py
@@ -215,10 +215,11 @@ def get_success_url(self):
 
 class SystemAccessUpdateView(PermissionRequiredMixin, PreventGetRequestsMixin, UpdateView):
     model = SystemAccess
+    pk_url_kwarg = 'system_access_pk'
     form_class = SystemAccessValueForm
 
     def get_queryset(self):
-        return get_object_or_404(Member, pk=self.kwargs['member_pk']).system_accesses
+        return get_object_or_404(Member, pk=self.kwargs['pk']).system_accesses
 
     def has_permission(self):
         system_access: SystemAccess = self.get_object()
diff --git a/src/make_queue/static/make_queue/js/admin_quota_panel.js b/src/make_queue/static/make_queue/js/admin_quota_panel.js
index f00bc98d6..781012d9b 100644
--- a/src/make_queue/static/make_queue/js/admin_quota_panel.js
+++ b/src/make_queue/static/make_queue/js/admin_quota_panel.js
@@ -9,7 +9,7 @@ $userDropdown.dropdown({
     fullTextSearch: true,
     forceSelection: true,
     onChange: function (userPK, text, $choice) {
-        $.ajax(`${LANG_PREFIX}/reservation/quota/user/${userPK}/`, {
+        $.ajax(`${LANG_PREFIX}/admin/reservation/quotas/users/${userPK}/`, {
             success: function (data, textStatus) {
                 $("#user-quotas").html(data);
                 setUpDeleteModal();
diff --git a/src/make_queue/static/make_queue/js/calendar.js b/src/make_queue/static/make_queue/js/calendar.js
index ce4bb8ca7..1bc8e2bb8 100644
--- a/src/make_queue/static/make_queue/js/calendar.js
+++ b/src/make_queue/static/make_queue/js/calendar.js
@@ -20,6 +20,7 @@ function ReservationCalendar($element, properties) {
     this.informationHeaders = $element.find("thead th").toArray();
     this.days = $element.find("tbody .day .reservations").toArray();
     this.$element = $element;
+    this.machineType = properties.machineType;
     this.machine = properties.machine;
     this.machineReservationURL = properties.machineReservationURL;
     this.selection = properties.selection;
@@ -384,12 +385,12 @@ ReservationCalendar.prototype.update = function () {
     this.updateInformationHeaders();
     const calendar = this;
 
-    $.get(`${window.location.origin}/reservation/calendar/${this.machine}/reservations/`, {
+    $.get(`${window.location.origin}/api/reservation/machines/${this.machine}/reservations/`, {
         start_date: this.date.djangoFormat(),
         end_date: this.date.nextWeek().djangoFormat(),
     }, (data) => calendar.updateReservations.apply(calendar, [data]), "json");
 
-    $.get(`${window.location.origin}/reservation/calendar/${this.machine}/rules/`, {}, (data) => {
+    $.get(`${window.location.origin}/api/reservation/machinetypes/${this.machineType}/reservationrules/`, {}, (data) => {
         calendar.reservationRules = data.rules;
     });
 };
diff --git a/src/make_queue/static/make_queue/js/printer_3d_course_form.js b/src/make_queue/static/make_queue/js/printer_3d_course_form.js
index a3e580c85..37880d75a 100644
--- a/src/make_queue/static/make_queue/js/printer_3d_course_form.js
+++ b/src/make_queue/static/make_queue/js/printer_3d_course_form.js
@@ -5,7 +5,7 @@ $(".clear-dropdown").click(function () {
 });
 
 $("input[name='username']").focusout((event) => {
-    $.ajax(`${LANG_PREFIX}/users/username/${$(event.target).val()}/`, {
+    $.ajax(`${LANG_PREFIX}/api/admin/users/username/${$(event.target).val()}/`, {
         success: function (data) {
             const fullName = data["full_name"];
             if (fullName)
diff --git a/src/make_queue/static/make_queue/js/reservation_form.js b/src/make_queue/static/make_queue/js/reservation_form.js
index 8485495ac..32dc5c4b3 100644
--- a/src/make_queue/static/make_queue/js/reservation_form.js
+++ b/src/make_queue/static/make_queue/js/reservation_form.js
@@ -11,6 +11,7 @@ const reservations = [];
 const reservationRules = [];
 let canIgnoreRules = false;
 
+const $machineTypeDropdown = $("#machine-type-dropdown");
 const $machineNameDropdown = $("#machine-name-dropdown");
 const $startTimeField = $("#start-time");
 const $startTimeFieldInput = $startTimeField.find("input");
@@ -22,7 +23,7 @@ function getFutureReservations(machineID, forceNewTime) {
     /**
      * Retrieves future reservations and all reservation rules from the server.
      */
-    let jsonUrl = `${LANG_PREFIX}/reservation/json/${machineID}/`;
+    let jsonUrl = `${LANG_PREFIX}/api/reservation/machines/${machineID}/data/`;
     const reservationPK = $("#reservation-form").data("reservation");
     if (reservationPK) {
         jsonUrl += `?exclude_reservation=${reservationPK}`;
@@ -226,7 +227,7 @@ $("#special-checkbox").checkbox({
     },
 });
 
-$("#machine-type-dropdown").dropdown({
+$machineTypeDropdown.dropdown({
     onChange: function (selectedMachineType, text, $choice) {
         if (!$("#machine-type-dropdown").is(".disabled")) {
             $machineNameDropdown.toggleClass("disabled", false);
@@ -302,12 +303,17 @@ function timeSelectionPopupHTML() {
     return $button;
 }
 
+function getMachineType() {
+    return $machineTypeDropdown.dropdown("get value");
+}
+
 function getMachine() {
     return $machineNameDropdown.dropdown("get value");
 }
 
 const calendar = new ReservationCalendar($(".reservation-calendar"), {
     date: new Date(),
+    machineType: getMachineType(),
     machine: getMachine(),
     selection: true,
     canIgnoreRules: false,
diff --git a/src/make_queue/templates/make_queue/machine_detail.html b/src/make_queue/templates/make_queue/machine_detail.html
index e0e67aed7..fb274cd80 100644
--- a/src/make_queue/templates/make_queue/machine_detail.html
+++ b/src/make_queue/templates/make_queue/machine_detail.html
@@ -21,6 +21,7 @@
     <script>
         {# These variables are used in `machine_detail.js` #}
         var calendarProperties = {
+            machineType: "{{ machine.machine_type.pk }}",
             machine: "{{ machine.pk }}",
             machineReservationURL: "{% url 'reservation_create' machine.pk %}",
             selection: {% if reservation_denied_message %}false{% else %}true{% endif %},
diff --git a/src/make_queue/templates/make_queue/reservation_form.html b/src/make_queue/templates/make_queue/reservation_form.html
index 864dc3e0a..fe755b7c1 100644
--- a/src/make_queue/templates/make_queue/reservation_form.html
+++ b/src/make_queue/templates/make_queue/reservation_form.html
@@ -53,7 +53,7 @@
         </div>
 
         <form id="reservation-form" class="ui form" method="POST"
-              {% if not new_reservation %}data-reservation="{{ reservation_pk }}"{% endif %}>
+              {% if not new_reservation %}data-reservation="{{ reservation.pk }}"{% endif %}>
             {% csrf_token %}
             <div class="two fields">
                 <div class="field">
diff --git a/src/make_queue/tests/test_urls.py b/src/make_queue/tests/test_urls.py
index abb585a9d..9cf7f4fe2 100644
--- a/src/make_queue/tests/test_urls.py
+++ b/src/make_queue/tests/test_urls.py
@@ -109,11 +109,13 @@ def test_all_get_request_paths_succeed(self):
         })
 
         path_predicates = [
-            # urlpatterns
-            Get(reverse('machine_list'), public=True),
+            # specific_machinetype_urlpatterns
+            Get(reverse('reservation_rule_list', args=[self.printer_machine_type.pk]), public=True),
+            Get(reverse('reservation_rule_list', args=[self.sewing_machine_type.pk]), public=True),
+            Get(reverse('machine_usage_rule_detail', args=[self.printer_machine_type.pk]), public=True),
+            Get(reverse('machine_usage_rule_detail', args=[self.sewing_machine_type.pk]), public=True),
 
-            # machine_urlpatterns
-            Get(reverse('machine_create'), public=False),
+            # specific_machine_urlpatterns
             *[
                 Get(reverse('machine_detail', args=[machine.pk]), public=True)
                 for machine in self.machines
@@ -123,24 +125,27 @@ def test_all_get_request_paths_succeed(self):
                 for machine in self.machines
             ],
             *[
-                Get(reverse('machine_update', args=[machine.pk]), public=False)
+                Get(reverse('reservation_create', args=[machine.pk]), public=False)
                 for machine in self.machines
             ],
+            # machine_urlpatterns
+            Get(reverse('machine_list'), public=True),
 
-            # calendar_urlpatterns
-            *[
-                Get(
-                    f"{reverse('api_reservation_list', args=[machine.pk])}?{api_reservation_list_params}",
-                    public=True,
-                )
-                for machine in self.machines
-            ],
+            # specific_reservation_urlpatterns
             *[
-                Get(reverse('api_reservation_rule_list', args=[machine.pk]), public=True)
-                for machine in self.machines
+                Get(reverse('reservation_update', args=[reservation.pk]), public=False)
+                for reservation in self.reservations if reservation != self.reservation2  # `reservation2` starts in the future
             ],
+            # reservation_urlpatterns
+            Get(f"{reverse('reservation_list')}?owner={ReservationListQueryForm.Owner.ME}", public=False),
+            Get(f"{reverse('reservation_list')}?owner={ReservationListQueryForm.Owner.MAKE}", public=False),
+            Get(reverse('reservation_find_free_slots'), public=False),
 
-            # json_urlpatterns
+            # specific_machinetype_apipatterns
+            Get(reverse('api_reservation_rule_list', args=[self.printer_machine_type.pk]), public=True),
+            Get(reverse('api_reservation_rule_list', args=[self.sewing_machine_type.pk]), public=True),
+
+            # specific_machine_apipatterns
             *[
                 Get(reverse('api_machine_data', args=[machine.pk]), public=False)
                 for machine in self.machines
@@ -149,51 +154,50 @@ def test_all_get_request_paths_succeed(self):
                 Get(f"{reverse('api_machine_data', args=[reservation.machine.pk])}?exclude_reservation={reservation.pk}", public=False)
                 for reservation in self.reservations
             ],
-
-            # Back to urlpatterns
             *[
-                Get(reverse('reservation_create', args=[machine.pk]), public=False)
+                Get(f"{reverse('api_reservation_list', args=[machine.pk])}?{api_reservation_list_params}", public=True)
                 for machine in self.machines
             ],
-            *[
-                Get(reverse('reservation_update', args=[reservation.pk]), public=False)
-                for reservation in self.reservations if reservation != self.reservation2  # `reservation2` starts in the future
-            ],
-            Get(f"{reverse('reservation_list')}?owner={ReservationListQueryForm.Owner.ME}", public=False),
-            Get(f"{reverse('reservation_list')}?owner={ReservationListQueryForm.Owner.MAKE}", public=False),
-            Get(reverse('reservation_find_free_slots'), public=False),
 
-            # rules_urlpatterns
-            Get(reverse('reservation_rule_list', args=[self.printer_machine_type.pk]), public=True),
-            Get(reverse('reservation_rule_list', args=[self.sewing_machine_type.pk]), public=True),
-            Get(reverse('reservation_rule_create', args=[self.printer_machine_type.pk]), public=False),
-            Get(reverse('reservation_rule_create', args=[self.sewing_machine_type.pk]), public=False),
+            # specific_reservation_rule_adminpatterns
             *[
                 Get(reverse('reservation_rule_update', args=[rule.machine_type.pk, rule.pk]), public=False)
                 for rule in self.rules
             ],
-            Get(reverse('machine_usage_rule_detail', args=[self.printer_machine_type.pk]), public=True),
-            Get(reverse('machine_usage_rule_detail', args=[self.sewing_machine_type.pk]), public=True),
+            # reservation_rules_adminpatterns
+            Get(reverse('reservation_rule_create', args=[self.printer_machine_type.pk]), public=False),
+            Get(reverse('reservation_rule_create', args=[self.sewing_machine_type.pk]), public=False),
+            # specific_machinetype_adminpatterns
             Get(reverse('machine_usage_rule_update', args=[self.printer_machine_type.pk]), public=False),
             Get(reverse('machine_usage_rule_update', args=[self.sewing_machine_type.pk]), public=False),
 
-            # quota_urlpatterns
-            Get(reverse('admin_quota_panel'), public=False),
-            Get(reverse('quota_create'), public=False),
+            # specific_machine_adminpatterns
+            *[
+                Get(reverse('machine_update', args=[machine.pk]), public=False)
+                for machine in self.machines
+            ],
+            # machine_adminpatterns
+            Get(reverse('machine_create'), public=False),
+
+            # specific_course_adminpatterns
+            Get(reverse('printer_3d_course_update', args=[self.course1.pk]), public=False),
+            Get(reverse('printer_3d_course_update', args=[self.course2.pk]), public=False),
+            # course_adminpatterns
+            Get(reverse('printer_3d_course_list'), public=False),
+            Get(reverse('printer_3d_course_create'), public=False),
+
+            # specific_quota_adminpatterns
             *[
                 Get(reverse('quota_update', args=[quota.pk]), public=False)
                 for quota in self.quotas
             ],
-            Get(reverse('admin_user_quota_list', args=[self.user1.pk]), public=False),
-            Get(reverse('admin_user_quota_list', args=[self.user2.pk]), public=False),
+            # quota_adminpatterns
+            Get(reverse('admin_quota_panel'), public=False),
             Get(f"{reverse('admin_quota_panel')}?user={self.user1.pk}", public=False),
             Get(f"{reverse('admin_quota_panel')}?user={self.user2.pk}", public=False),
-
-            # course_urlpatterns
-            Get(reverse('printer_3d_course_list'), public=False),
-            Get(reverse('printer_3d_course_create'), public=False),
-            Get(reverse('printer_3d_course_update', args=[self.course1.pk]), public=False),
-            Get(reverse('printer_3d_course_update', args=[self.course2.pk]), public=False),
+            Get(reverse('quota_create'), public=False),
+            Get(reverse('admin_user_quota_list', args=[self.user1.pk]), public=False),
+            Get(reverse('admin_user_quota_list', args=[self.user2.pk]), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/make_queue/tests/views/test_machine_views.py b/src/make_queue/tests/views/test_machine_views.py
index 953165e2f..b132cdfe2 100644
--- a/src/make_queue/tests/views/test_machine_views.py
+++ b/src/make_queue/tests/views/test_machine_views.py
@@ -342,7 +342,7 @@ def setUp(self):
         username = "TEST_USER"
         password = "TEST_PASS"
         self.user = User.objects.create_user(username=username, password=password)
-        self.user.add_perms('make_queue.add_machine', 'make_queue.change_machine')
+        self.user.add_perms('internal.is_internal', 'make_queue.add_machine', 'make_queue.change_machine')
         self.client.login(username=username, password=password)
 
     def test_machine_update_has_correct_form_in_context_data(self):
diff --git a/src/make_queue/tests/views/test_quota_views.py b/src/make_queue/tests/views/test_quota_views.py
index eef83b1ae..209d189e6 100644
--- a/src/make_queue/tests/views/test_quota_views.py
+++ b/src/make_queue/tests/views/test_quota_views.py
@@ -13,7 +13,7 @@ class TestAdminUserQuotaListView(TestCase):
 
     def test_get_user_quota(self):
         user = User.objects.create_user("test")
-        user.add_perms('make_queue.change_quota')
+        user.add_perms('internal.is_internal', 'make_queue.change_quota')
         user2 = User.objects.create_user("test2")
         machine_type = MachineType.objects.first()
         Quota.objects.create(all=True, user=user, machine_type=machine_type, number_of_reservations=2)
diff --git a/src/make_queue/tests/views/test_reservation_reservation.py b/src/make_queue/tests/views/test_reservation_reservation.py
index eaa3eeb9e..28e7ec195 100644
--- a/src/make_queue/tests/views/test_reservation_reservation.py
+++ b/src/make_queue/tests/views/test_reservation_reservation.py
@@ -158,8 +158,8 @@ def test_get_context_data_reservation(self):
             end_time=now + timedelta(hours=2),
             event=self.timeplace, comment="Comment",
         )
-        view = self.get_view(ReservationUpdateView, reservation_pk=reservation.pk)
-        context_data = view.get_context_data(reservation_pk=reservation.pk)
+        view = self.get_view(ReservationUpdateView, pk=reservation.pk)
+        context_data = view.get_context_data(pk=reservation.pk)
         context_data["machine_types"] = set(context_data["machine_types"])
 
         self.assertDictEqual(context_data, {
@@ -179,7 +179,7 @@ def test_get_context_data_reservation(self):
             "special_text": "",
             "maximum_days_in_advance": Reservation.FUTURE_LIMIT.days,
             "comment": "Comment",
-            "reservation_pk": reservation.pk,
+            "reservation": reservation,
         })
 
     def test_get_context_data_non_reservation(self):
@@ -358,9 +358,9 @@ def create_reservation(self, form):
 
     def test_post_changeable_reservation(self):
         reservation = self.create_reservation(self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=2)))
-        view = self.get_view(reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
         view.request.method = 'POST'
-        response = view.dispatch(view.request, reservation_pk=reservation.pk)
+        response = view.dispatch(view.request, pk=reservation.pk)
         # Response should be the edit page for the reservation, as no form is posted with the data
         self.assertEqual(response.status_code, HTTPStatus.OK)
         self.assertListEqual(response.template_name, ['make_queue/reservation_form.html'])
@@ -373,9 +373,9 @@ def test_post_unchangeable_reservation(self, now_mock):
 
         now_mock.return_value = timezone.localtime() + timedelta(hours=2, minutes=1)
 
-        view = self.get_view(reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
         view.request.method = 'POST'
-        response = view.dispatch(view.request, reservation_pk=reservation.pk)
+        response = view.dispatch(view.request, pk=reservation.pk)
         # An unchangeable reservation should have redirect
         self.assertEqual(response.status_code, HTTPStatus.FOUND)
 
@@ -386,8 +386,8 @@ def test_form_valid_normal_reservation(self, now_mock):
         reservation = self.create_reservation(self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=2)))
         form = self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=3))
         self.assertTrue(form.is_valid())
-        view = self.get_view(reservation_pk=reservation.pk)
-        response = view.form_valid(form, reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
+        response = view.form_valid(form)
         self.assertEqual(Reservation.objects.count(), 1)
         self.assertEqual(response.status_code, HTTPStatus.FOUND)
         self.assertEqual(Reservation.objects.first().end_time, timezone.localtime() + timedelta(hours=3))
@@ -401,8 +401,8 @@ def test_form_valid_changed_machine(self, now_mock):
         self.machine = Machine.objects.create(name="M1", machine_model="Generic", machine_type=self.sewing_machine_type)
         form = self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=3))
         self.assertTrue(form.is_valid())
-        view = self.get_view(reservation_pk=reservation.pk)
-        response = view.form_valid(form, reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
+        response = view.form_valid(form)
         self.assertEqual(response.status_code, HTTPStatus.FOUND)
         self.assertEqual(Reservation.objects.count(), 1)
         self.assertEqual(Reservation.objects.first().end_time, timezone.localtime() + timedelta(hours=2))
@@ -425,8 +425,8 @@ def test_form_valid_event_reservation(self, now_mock):
                                                   end_time=now + timedelta(hours=2))
         form = self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=2), event=self.timeplace)
         self.assertTrue(form.is_valid())
-        view = self.get_view(reservation_pk=reservation.pk)
-        response = view.form_valid(form, reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
+        response = view.form_valid(form)
         self.assertEqual(Reservation.objects.count(), 1)
         self.assertEqual(response.status_code, HTTPStatus.FOUND)
         self.assertEqual(Reservation.objects.first().event, self.timeplace)
@@ -445,8 +445,8 @@ def test_form_valid_special_reservation(self, now_mock):
         )
         form = self.create_form(start_time_delta=timedelta(hours=1), end_time_delta=timedelta(hours=2), special=True, special_text="Test2")
         self.assertTrue(form.is_valid())
-        view = self.get_view(reservation_pk=reservation.pk)
-        response = view.form_valid(form, reservation_pk=reservation.pk)
+        view = self.get_view(pk=reservation.pk)
+        response = view.form_valid(form)
         self.assertEqual(Reservation.objects.count(), 1)
         self.assertEqual(response.status_code, HTTPStatus.FOUND)
         self.assertEqual(Reservation.objects.first().special_text, "Test2")
diff --git a/src/make_queue/urls.py b/src/make_queue/urls.py
index 2088d7835..4ea2f7a08 100644
--- a/src/make_queue/urls.py
+++ b/src/make_queue/urls.py
@@ -1,3 +1,4 @@
+from decorator_include import decorator_include
 from django.contrib.auth.decorators import login_required
 from django.urls import include, path
 
@@ -7,64 +8,107 @@
 from .views.reservation import calendar, machine, reservation, rules
 
 
+specific_machinetype_urlpatterns = [
+    path("reservationrules/", rules.ReservationRuleListView.as_view(), name='reservation_rule_list'),
+    path("usagerules/", rules.MachineUsageRuleDetailView.as_view(), name='machine_usage_rule_detail'),
+]
+
+specific_machine_urlpatterns = [
+    path("", calendar.MachineDetailView.as_view(), name='machine_detail'),
+    path("reservations/add/", login_required(reservation.ReservationCreateView.as_view()), name='reservation_create'),
+]
 machine_urlpatterns = [
-    path("add/", machine.MachineCreateView.as_view(), name='machine_create'),
-    path("<int:pk>/", calendar.MachineDetailView.as_view(), name='machine_detail'),
-    path("<int:pk>/change/", machine.MachineUpdateView.as_view(), name='machine_update'),
-    path("<int:pk>/delete/", machine.MachineDeleteView.as_view(), name='machine_delete'),
+    path("", machine.MachineListView.as_view(), name='machine_list'),
+    path("<int:pk>/", include(specific_machine_urlpatterns)),
 ]
 
-calendar_urlpatterns = [
-    path("<int:pk>/reservations/", calendar_api.APIReservationListView.as_view(), name='api_reservation_list'),
-    path("<int:pk>/rules/", calendar_api.APIReservationRuleListView.as_view(), name='api_reservation_rule_list'),
+specific_reservation_urlpatterns = [
+    path("change/", login_required(reservation.ReservationUpdateView.as_view()), name='reservation_update'),
+]
+reservation_urlpatterns = [
+    path("", reservation.ReservationListView.as_view(), name='reservation_list'),
+    path("<int:pk>/", include(specific_reservation_urlpatterns)),
+    path("find-free-slots/", reservation.ReservationFindFreeSlotsView.as_view(), name='reservation_find_free_slots'),
 ]
 
-json_urlpatterns = [
-    path("<int:pk>/", login_required(reservation_api.APIMachineDataView.as_view()), name='api_machine_data'),
+urlpatterns = [
+    path("machinetypes/<int:pk>/", include(specific_machinetype_urlpatterns)),
+    path("machines/", include(machine_urlpatterns)),
+    path("reservations/", include(reservation_urlpatterns)),
 ]
 
-rules_urlpatterns = [
-    path("", rules.ReservationRuleListView.as_view(), name='reservation_rule_list'),
-    path("add/", rules.ReservationRuleCreateView.as_view(), name='reservation_rule_create'),
-    path("<int:reservation_rule_pk>/change/", rules.ReservationRuleUpdateView.as_view(), name='reservation_rule_update'),
-    path("<int:reservation_rule_pk>/delete/", rules.ReservationRuleDeleteView.as_view(), name='reservation_rule_delete'),
-    path("usage/", rules.MachineUsageRuleDetailView.as_view(), name='machine_usage_rule_detail'),
-    path("usage/change/", rules.MachineUsageRuleUpdateView.as_view(), name='machine_usage_rule_update'),
+# --- API URL patterns (imported in `web/urls.py`) ---
+
+specific_machinetype_apipatterns = [
+    path("reservationrules/", calendar_api.APIReservationRuleListView.as_view(), name='api_reservation_rule_list'),
 ]
 
-specific_machinetype_urlpatterns = [
-    path("rules/", include(rules_urlpatterns)),
+specific_machine_apipatterns = [
+    path("data/", reservation_api.APIMachineDataView.as_view(), name='api_machine_data'),
+    path("reservations/", calendar_api.APIReservationListView.as_view(), name='api_reservation_list'),
 ]
 
-quota_urlpatterns = [
-    path("", quota.AdminQuotaPanelView.as_view(), name='admin_quota_panel'),
-    path("add/", quota.QuotaCreateView.as_view(), name='quota_create'),
-    path("<int:pk>/change/", quota.QuotaUpdateView.as_view(), name='quota_update'),
-    path("<int:pk>/delete/", quota.QuotaDeleteView.as_view(), name='quota_delete'),
-    path("user/<int:pk>/", user.AdminUserQuotaListView.as_view(), name='admin_user_quota_list'),
+specific_reservation_apipatterns = [
+    path("finish/", reservation.APIReservationMarkFinishedView.as_view(), name='api_reservation_mark_finished'),
+    path("delete/", reservation.APIReservationDeleteView.as_view(), name='api_reservation_delete'),
 ]
 
-course_urlpatterns = [
+apipatterns = [
+    path("machinetypes/<int:pk>/", include(specific_machinetype_apipatterns)),
+    path("machines/<int:pk>/", include(specific_machine_apipatterns)),
+    path("reservations/<int:pk>/", decorator_include(login_required, specific_reservation_apipatterns)),
+]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+specific_reservation_rule_adminpatterns = [
+    path("change/", rules.ReservationRuleUpdateView.as_view(), name='reservation_rule_update'),
+    path("delete/", rules.ReservationRuleDeleteView.as_view(), name='reservation_rule_delete'),
+]
+reservation_rules_adminpatterns = [
+    path("add/", rules.ReservationRuleCreateView.as_view(), name='reservation_rule_create'),
+    path("<int:reservation_rule_pk>/", include(specific_reservation_rule_adminpatterns)),
+]
+specific_machinetype_adminpatterns = [
+    path("reservationrules/", include(reservation_rules_adminpatterns)),
+    path("usagerules/change/", rules.MachineUsageRuleUpdateView.as_view(), name='machine_usage_rule_update'),
+]
+
+specific_machine_adminpatterns = [
+    path("change/", machine.MachineUpdateView.as_view(), name='machine_update'),
+    path("delete/", machine.MachineDeleteView.as_view(), name='machine_delete'),
+]
+machine_adminpatterns = [
+    path("add/", machine.MachineCreateView.as_view(), name='machine_create'),
+    path("<int:pk>/", include(specific_machine_adminpatterns)),
+]
+
+specific_course_adminpatterns = [
+    path("change/", course.Printer3DCourseUpdateView.as_view(), name='printer_3d_course_update'),
+    path("delete/", course.Printer3DCourseDeleteView.as_view(), name='printer_3d_course_delete'),
+]
+course_adminpatterns = [
     path("", course.Printer3DCourseListView.as_view(), name='printer_3d_course_list'),
-    path("status/", course.Printer3DCourseStatusBulkUpdateView.as_view(), name='printer_3d_course_status_bulk_update'),
-    path("download/", course.Printer3DCourseXLSXView.as_view(), name='printer_3d_course_xlsx'),
     path("add/", course.Printer3DCourseCreateView.as_view(), name='printer_3d_course_create'),
-    path("<int:pk>/change/", course.Printer3DCourseUpdateView.as_view(), name='printer_3d_course_update'),
-    path("<int:pk>/delete/", course.Printer3DCourseDeleteView.as_view(), name='printer_3d_course_delete'),
+    path("<int:pk>/", include(specific_course_adminpatterns)),
+    path("status/change/", course.Printer3DCourseStatusBulkUpdateView.as_view(), name='printer_3d_course_status_bulk_update'),
+    path("download/xlsx/", course.Printer3DCourseXLSXView.as_view(), name='printer_3d_course_xlsx'),
 ]
 
-urlpatterns = [
-    path("", machine.MachineListView.as_view(), name='machine_list'),
-    path("machines/", include(machine_urlpatterns)),
-    path("calendar/", include(calendar_urlpatterns)),
-    path("json/", include(json_urlpatterns)),
-    path("add/<int:pk>/", login_required(reservation.ReservationCreateView.as_view()), name='reservation_create'),
-    path("<int:reservation_pk>/change/", login_required(reservation.ReservationUpdateView.as_view()), name='reservation_update'),
-    path("<int:pk>/finish/", login_required(reservation.APIReservationMarkFinishedView.as_view()), name='api_reservation_mark_finished'),
-    path("<int:pk>/", login_required(reservation.APIReservationDeleteView.as_view()), name='api_reservation_delete'),
-    path("reservations/", reservation.ReservationListView.as_view(), name='reservation_list'),
-    path("slot/", reservation.ReservationFindFreeSlotsView.as_view(), name='reservation_find_free_slots'),
-    path("machinetypes/<int:pk>/", include(specific_machinetype_urlpatterns)),
-    path("quota/", include(quota_urlpatterns)),
-    path("course/", include(course_urlpatterns)),
+specific_quota_adminpatterns = [
+    path("change/", quota.QuotaUpdateView.as_view(), name='quota_update'),
+    path("delete/", quota.QuotaDeleteView.as_view(), name='quota_delete'),
+]
+quota_adminpatterns = [
+    path("", quota.AdminQuotaPanelView.as_view(), name='admin_quota_panel'),
+    path("add/", quota.QuotaCreateView.as_view(), name='quota_create'),
+    path("<int:pk>/", include(specific_quota_adminpatterns)),
+    path("users/<int:pk>/", user.AdminUserQuotaListView.as_view(), name='admin_user_quota_list'),
+]
+
+adminpatterns = [
+    path("machinetypes/<int:pk>/", include(specific_machinetype_adminpatterns)),
+    path("machines/", include(machine_adminpatterns)),
+    path("courses/", include(course_adminpatterns)),
+    path("quotas/", include(quota_adminpatterns)),
 ]
diff --git a/src/make_queue/views/api/reservation.py b/src/make_queue/views/api/reservation.py
index 8f5d8a56e..eec5a363f 100644
--- a/src/make_queue/views/api/reservation.py
+++ b/src/make_queue/views/api/reservation.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.utils import timezone
 from django.views.generic import TemplateView
 
@@ -8,7 +9,7 @@
 from ...models.reservation import Quota
 
 
-class APIMachineDataView(MachineRelatedViewMixin, QueryParameterFormMixin, TemplateView):
+class APIMachineDataView(LoginRequiredMixin, MachineRelatedViewMixin, QueryParameterFormMixin, TemplateView):
     form_class = APIMachineDataQueryForm
 
     def get_form(self, form_class=None):
diff --git a/src/make_queue/views/reservation/reservation.py b/src/make_queue/views/reservation/reservation.py
index ed47247e5..ce1196239 100644
--- a/src/make_queue/views/reservation/reservation.py
+++ b/src/make_queue/views/reservation/reservation.py
@@ -29,6 +29,7 @@ class ReservationCreateOrUpdateView(TemplateView, ABC):
     template_name = 'make_queue/reservation_form.html'
 
     new_reservation: bool
+    reservation: Reservation = None
 
     def get_error_message(self, form, reservation):
         """
@@ -76,7 +77,7 @@ def validate_and_save(self, reservation, form):
         if not reservation.validate():
             # Hack to "simulate" `ReservationUpdateView`
             self.reservation = reservation
-            context_data = self.get_context_data(reservation_pk=reservation.pk)
+            context_data = self.get_context_data()
             context_data["error"] = self.get_error_message(form, reservation)
             return render(self.request, self.template_name, context_data)
 
@@ -108,12 +109,12 @@ def get_context_data(self, **kwargs):
             "maximum_days_in_advance": Reservation.FUTURE_LIMIT.days,
         }
 
-        # If we are given a reservation, populate the information relevant to that reservation
-        if 'reservation_pk' in kwargs:
+        # If we are updating an existing reservation, populate the information relevant to that reservation
+        if not self.new_reservation or self.reservation:
             # noinspection PyUnresolvedReferences
             reservation = self.reservation  # Defined in `ReservationUpdateView`
             context_data["start_time"] = reservation.start_time
-            context_data["reservation_pk"] = reservation.pk
+            context_data["reservation"] = reservation
             context_data["end_time"] = reservation.end_time
             context_data["selected_machine"] = reservation.machine
             context_data["event"] = reservation.event
@@ -240,7 +241,6 @@ def delete(self, request, *args, **kwargs):
 class ReservationUpdateView(ReservationCreateOrUpdateView):
     """View for changing a reservation (Cannot be UpdateView due to the abstract inheritance of reservations)."""
     new_reservation = False
-
     reservation: Reservation
 
     @property
@@ -250,7 +250,7 @@ def success_url(self):
 
     def setup(self, request, *args, **kwargs):
         super().setup(request, *args, **kwargs)
-        reservation_pk = self.kwargs['reservation_pk']
+        reservation_pk = self.kwargs['pk']
         self.reservation = get_object_or_404(Reservation, pk=reservation_pk)
 
     def dispatch(self, request, *args, **kwargs):
diff --git a/src/makerspace/tests/test_urls.py b/src/makerspace/tests/test_urls.py
index ec91bb4cb..9ca2750c6 100644
--- a/src/makerspace/tests/test_urls.py
+++ b/src/makerspace/tests/test_urls.py
@@ -18,13 +18,19 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
-            Get(reverse('makerspace'), public=True),
+            # equipment_urlpatterns
             Get(reverse('equipment_list'), public=True),
-            Get(reverse('admin_equipment_list'), public=False),
-            Get(reverse('equipment_create'), public=False),
-            Get(reverse('equipment_update', args=[self.equipment1.pk]), public=False),
             Get(reverse('equipment_detail', args=[self.equipment1.pk]), public=True),
+
+            # urlpatterns
+            Get(reverse('makerspace'), public=True),
             Get(reverse('rules'), public=True),
+
+            # specific_equipment_adminpatterns
+            Get(reverse('equipment_update', args=[self.equipment1.pk]), public=False),
+            # equipment_adminpatterns
+            Get(reverse('admin_equipment_list'), public=False),
+            Get(reverse('equipment_create'), public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/makerspace/urls.py b/src/makerspace/urls.py
index 4d3924a2c..fc24c76d9 100644
--- a/src/makerspace/urls.py
+++ b/src/makerspace/urls.py
@@ -1,17 +1,32 @@
-from django.contrib.auth.decorators import login_required
-from django.urls import path
+from django.urls import include, path
 
 from contentbox.views import ContentBoxDetailView
 from . import views
 
 
+equipment_urlpatterns = [
+    path("", views.EquipmentListView.as_view(), name='equipment_list'),
+    path("<int:pk>/", views.EquipmentDetailView.as_view(), name='equipment_detail'),
+]
+
 urlpatterns = [
     path("", views.MakerspaceView.as_view(url_name='makerspace'), name='makerspace'),
-    path("equipment/", views.EquipmentListView.as_view(), name='equipment_list'),
-    path("equipment/admin/", login_required(views.AdminEquipmentListView.as_view()), name='admin_equipment_list'),
-    path("equipment/admin/add/", login_required(views.EquipmentCreateView.as_view()), name='equipment_create'),
-    path("equipment/admin/<int:pk>/change/", login_required(views.EquipmentUpdateView.as_view()), name='equipment_update'),
-    path("equipment/admin/<int:pk>/delete/", login_required(views.EquipmentDeleteView.as_view()), name='equipment_delete'),
-    path("equipment/<int:pk>/", views.EquipmentDetailView.as_view(), name='equipment_detail'),
+    path("equipment/", include(equipment_urlpatterns)),
     ContentBoxDetailView.get_path('rules'),
 ]
+
+# --- Admin URL patterns (imported in `web/urls.py`) ---
+
+specific_equipment_adminpatterns = [
+    path("change/", views.EquipmentUpdateView.as_view(), name='equipment_update'),
+    path("delete/", views.EquipmentDeleteView.as_view(), name='equipment_delete'),
+]
+equipment_adminpatterns = [
+    path("", views.AdminEquipmentListView.as_view(), name='admin_equipment_list'),
+    path("add/", views.EquipmentCreateView.as_view(), name='equipment_create'),
+    path("<int:pk>/", include(specific_equipment_adminpatterns)),
+]
+
+adminpatterns = [
+    path("equipment/", include(equipment_adminpatterns)),
+]
diff --git a/src/news/tests/test_urls.py b/src/news/tests/test_urls.py
index 1461bc37b..049959f91 100644
--- a/src/news/tests/test_urls.py
+++ b/src/news/tests/test_urls.py
@@ -67,6 +67,7 @@ def init_objs(self):
             user=self.user1, timeplace=self.time_place3, language=EventTicket.Language.NORWEGIAN,
         )
         self.tickets = (self.ticket1, self.ticket2, self.ticket3, self.ticket4, self.ticket5)
+        self.active_tickets = (self.ticket1, self.ticket2, self.ticket4, self.ticket5)
 
 
 class UrlTests(NewsTestBase, TestCase):
@@ -76,52 +77,72 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
-            Get(reverse('admin_article_list'), public=False),
-            Get(reverse('admin_event_list'), public=False),
-            Get(reverse('admin_event_participants_search'), public=False),
-            Get(f"{reverse('admin_event_participants_search')}?search_string={self.user1.username}", public=False),
-            Get(f"{reverse('admin_event_participants_search')}?search_string={self.user2.get_full_name()}", public=False),
-            Get(f"{reverse('admin_event_participants_search')}?search_string=stringthatdoesntmatchanything", public=False),
-            Get(reverse('admin_event_detail', args=[self.event1.pk]), public=False),
-            Get(reverse('admin_event_detail', args=[self.event2.pk]), public=False),
+            # article_urlpatterns
             Get(reverse('article_list'), public=True),
-            Get(reverse('article_create'), public=False),
-            Get(reverse('article_update', args=[self.article1.pk]), public=False),
-            Get(reverse('article_update', args=[self.article2.pk]), public=False),
             Get(reverse('article_detail', args=[self.article1.pk]), public=True),
             Get(reverse('article_detail', args=[self.article2.pk]), public=False),  # This article is private
-            Get(reverse('event_list'), public=True),
-            Get(reverse('event_create'), public=False),
-            Get(reverse('event_update', args=[self.event1.pk]), public=False),
-            Get(reverse('event_update', args=[self.event2.pk]), public=False),
-            Get(reverse('admin_event_ticket_list', args=[self.event2.pk]), public=False),  # Can't test `event1`, as it has no tickets
-            Get(reverse('event_detail', args=[self.event1.pk]), public=True),
-            Get(reverse('event_detail', args=[self.event2.pk]), public=False),  # This event is private
+
+            # specific_time_place_urlpatterns
             Get(reverse('event_ticket_create', args=[self.event1.pk]), public=False),
             Get(reverse('event_ticket_create', args=[self.event2.pk]), public=False),
-            *[
-                Get(reverse('time_place_update', args=[time_place.event.pk, time_place.pk]), public=False)
-                for time_place in self.time_places
-            ],
-            Get(reverse('time_place_create', args=[self.event1.pk]), public=False),
-            Get(reverse('time_place_create', args=[self.event2.pk]), public=False),
-            *[
-                Get(reverse('admin_time_place_ticket_list', args=[time_place.event.pk, time_place.pk]), public=False)
-                for time_place in self.time_places if time_place != self.time_place3  # Can't test `time_place3`, as it has no tickets
-            ],
             *[
                 Get(reverse('time_place_ical', args=[time_place.event.pk, time_place.pk]), public=True)
                 for time_place in self.time_places
             ],
+            # specific_event_urlpatterns
+            Get(reverse('event_detail', args=[self.event1.pk]), public=True),
+            Get(reverse('event_detail', args=[self.event2.pk]), public=False),  # This event is private
             *[
                 Get(reverse('event_ticket_create', args=[time_place.event.pk, time_place.pk]), public=False)
                 for time_place in self.time_places if time_place != self.time_place3  # Can't test `time_place3`, as it has no tickets
             ],
+            # event_urlpatterns
+            Get(reverse('event_list'), public=True),
+
+            # specific_ticket_urlpatterns
             *[
                 Get(reverse('event_ticket_detail', args=[ticket.pk]), public=False)
                 for ticket in self.tickets
             ],
+            *[
+                Get(reverse('event_ticket_cancel', args=[ticket.pk]), public=False)
+                for ticket in self.active_tickets
+            ],
+            # ticket_urlpatterns
             Get(reverse('event_ticket_my_list'), public=False),
+
+            # specific_article_adminpatterns
+            Get(reverse('article_update', args=[self.article1.pk]), public=False),
+            Get(reverse('article_update', args=[self.article2.pk]), public=False),
+            # article_adminpatterns
+            Get(reverse('admin_article_list'), public=False),
+            Get(reverse('article_create'), public=False),
+
+            # specific_time_place_adminpatterns
+            *[
+                Get(reverse('time_place_update', args=[time_place.event.pk, time_place.pk]), public=False)
+                for time_place in self.time_places
+            ],
+            *[
+                Get(reverse('admin_time_place_ticket_list', args=[time_place.event.pk, time_place.pk]), public=False)
+                for time_place in self.time_places if time_place != self.time_place3  # Can't test `time_place3`, as it has no tickets
+            ],
+            # time_place_adminpatterns
+            Get(reverse('time_place_create', args=[self.event1.pk]), public=False),
+            Get(reverse('time_place_create', args=[self.event2.pk]), public=False),
+            # specific_event_adminpatterns
+            Get(reverse('admin_event_detail', args=[self.event1.pk]), public=False),
+            Get(reverse('admin_event_detail', args=[self.event2.pk]), public=False),
+            Get(reverse('event_update', args=[self.event1.pk]), public=False),
+            Get(reverse('event_update', args=[self.event2.pk]), public=False),
+            Get(reverse('admin_event_ticket_list', args=[self.event2.pk]), public=False),  # Can't test `event1`, as it has no tickets
+            # event_adminpatterns
+            Get(reverse('admin_event_list'), public=False),
+            Get(reverse('event_create'), public=False),
+            Get(reverse('admin_event_participants_search'), public=False),
+            Get(f"{reverse('admin_event_participants_search')}?search_string={self.user1.username}", public=False),
+            Get(f"{reverse('admin_event_participants_search')}?search_string={self.user2.get_full_name()}", public=False),
+            Get(f"{reverse('admin_event_participants_search')}?search_string=stringthatdoesntmatchanything", public=False),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
diff --git a/src/news/tests/views/test_article_views.py b/src/news/tests/views/test_article_views.py
index 6a233a804..6cb97a8b5 100644
--- a/src/news/tests/views/test_article_views.py
+++ b/src/news/tests/views/test_article_views.py
@@ -30,7 +30,7 @@ def test_admin_article_list_view(self):
         response = self.client.get(reverse('admin_article_list'))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.change_article')
+        self.user.add_perms('internal.is_internal', 'news.change_article')
         response = self.client.get(reverse('admin_article_list'))
         self.assertEqual(response.status_code, HTTPStatus.OK)
 
@@ -38,7 +38,7 @@ def test_article_create_view(self):
         response = self.client.get(reverse('article_create'))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.add_article')
+        self.user.add_perms('internal.is_internal', 'news.add_article')
         response = self.client.get(reverse('article_create'))
         self.assertEqual(response.status_code, HTTPStatus.OK)
 
@@ -46,7 +46,7 @@ def test_article_update_view(self):
         response = self.client.get(reverse('article_update', args=[self.article.pk]))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.change_article')
+        self.user.add_perms('internal.is_internal', 'news.change_article')
         response = self.client.get(reverse('article_update', args=[self.article.pk]))
         self.assertEqual(response.status_code, HTTPStatus.OK)
 
@@ -56,7 +56,7 @@ def toggle(pk, attr):
             self.assertEqual(response.status_code, HTTPStatus.OK)
             return json.loads(response.content)
 
-        self.user.add_perms('news.change_article')
+        self.user.add_perms('internal.is_internal', 'news.change_article')
         self.assertDictEqual(toggle(self.article.pk, 'non_existent_attr'), {})
 
         self.assertDictEqual(toggle(self.article.pk, 'hidden'), {'is_hidden': True})
diff --git a/src/news/tests/views/test_event_time_place_views.py b/src/news/tests/views/test_event_time_place_views.py
index 83367f7c9..e22770cd0 100644
--- a/src/news/tests/views/test_event_time_place_views.py
+++ b/src/news/tests/views/test_event_time_place_views.py
@@ -36,7 +36,7 @@ def test_event_create_view(self):
         response = self.client.get(reverse('event_create'))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.add_event')
+        self.user.add_perms('internal.is_internal', 'news.add_event')
         response = self.client.get(reverse('event_create'))
         self.assertEqual(response.status_code, HTTPStatus.OK)
 
@@ -44,7 +44,7 @@ def test_event_update_view(self):
         response = self.client.get(reverse('event_update', args=[self.event.pk]))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.change_event')
+        self.user.add_perms('internal.is_internal', 'news.change_event')
         response = self.client.get(reverse('event_update', args=[self.event.pk]))
         self.assertEqual(response.status_code, HTTPStatus.OK)
 
@@ -54,7 +54,7 @@ def test_time_place_duplicate_create_view(self):
         response = self.client.post(reverse('time_place_duplicate_create', args=[self.event.pk, time_place.pk]))
         self.assertEqual(response.status_code, HTTPStatus.FORBIDDEN)
 
-        self.user.add_perms('news.add_timeplace', 'news.change_timeplace')
+        self.user.add_perms('internal.is_internal', 'news.add_timeplace', 'news.change_timeplace')
         response = self.client.post(reverse('time_place_duplicate_create', args=[self.event.pk, time_place.pk]))
 
         duplicated_time_place = TimePlace.objects.exclude(pk=time_place.pk).latest('pk')
@@ -67,7 +67,7 @@ def test_time_place_duplicate_create_view(self):
         self.assertEqual(duplicated_time_place.end_time, new_end_time)
 
     def test_time_place_duplicate_old(self):
-        self.user.add_perms('news.add_timeplace', 'news.change_timeplace')
+        self.user.add_perms('internal.is_internal', 'news.add_timeplace', 'news.change_timeplace')
 
         start_time = timezone.now() - timedelta(weeks=2, days=3)
         end_time = start_time + timedelta(days=1)
@@ -162,7 +162,7 @@ def assert_context_ticket_emails(self, url_name: str, event: Event | TimePlace,
         """
 
         self.create_tickets_for(event, username_and_ticket_state_tuples)
-        self.user.add_perms('news.change_event')
+        self.user.add_perms('internal.is_internal', 'news.change_event')
 
         url_args = [event.event.pk, event.pk] if isinstance(event, TimePlace) else [event.pk]
         response = self.client.get(reverse(url_name, args=url_args))
diff --git a/src/news/urls.py b/src/news/urls.py
index 7d1ce349e..3dff97e9d 100644
--- a/src/news/urls.py
+++ b/src/news/urls.py
@@ -14,26 +14,26 @@
     path("register/", login_required(views.EventTicketCreateView.as_view()), name='event_ticket_create'),
     path("ical/", SingleTimePlaceFeed(), name='time_place_ical'),
 ]
-
 time_place_urlpatterns = [
     path("<int:time_place_pk>/", include(specific_time_place_urlpatterns)),
 ]
-
 specific_event_urlpatterns = [
     path("", views.EventDetailView.as_view(), name='event_detail'),
     path("register/", login_required(views.EventTicketCreateView.as_view()), name='event_ticket_create'),
     path("timeplaces/", include(time_place_urlpatterns)),
 ]
-
 event_urlpatterns = [
     path("", views.EventListView.as_view(), name='event_list'),
     path("<int:pk>/", include(specific_event_urlpatterns)),
 ]
 
+specific_ticket_urlpatterns = [
+    path("", views.EventTicketDetailView.as_view(), name='event_ticket_detail'),
+    path("cancel/", login_required(views.EventTicketCancelView.as_view()), name='event_ticket_cancel'),
+]
 ticket_urlpatterns = [
-    path("<uuid:pk>/", login_required(views.EventTicketDetailView.as_view()), name='event_ticket_detail'),
-    path("<uuid:pk>/cancel/", login_required(views.EventTicketCancelView.as_view()), name='event_ticket_cancel'),
-    path("me/", login_required(views.EventTicketMyListView.as_view()), name='event_ticket_my_list'),
+    path("<uuid:pk>/", include(specific_ticket_urlpatterns)),
+    path("me/", views.EventTicketMyListView.as_view(), name='event_ticket_my_list'),
 ]
 
 urlpatterns = [
@@ -47,9 +47,7 @@
 specific_article_adminpatterns = [
     path("change/", views.ArticleUpdateView.as_view(), name='article_update'),
     path("delete/", views.ArticleDeleteView.as_view(), name='article_delete'),
-    path("toggle/", views.AdminAPIArticleToggleView.as_view(), name='admin_api_article_toggle'),
 ]
-
 article_adminpatterns = [
     path("", views.AdminArticleListView.as_view(), name='admin_article_list'),
     path("add/", views.ArticleCreateView.as_view(), name='article_create'),
@@ -60,24 +58,19 @@
     path("change/", views.TimePlaceUpdateView.as_view(), name='time_place_update'),
     path("duplicate/", views.TimePlaceDuplicateCreateView.as_view(), name='time_place_duplicate_create'),
     path("delete/", views.TimePlaceDeleteView.as_view(), name='time_place_delete'),
-    path("toggle/", views.AdminAPITimePlaceToggleView.as_view(), name='admin_api_time_place_toggle'),
     path("tickets/", views.AdminTimePlaceTicketListView.as_view(), name='admin_time_place_ticket_list'),
 ]
-
 time_place_adminpatterns = [
     path("add/", views.TimePlaceCreateView.as_view(), name='time_place_create'),
     path("<int:time_place_pk>/", include(specific_time_place_adminpatterns)),
 ]
-
 specific_event_adminpatterns = [
     path("", views.AdminEventDetailView.as_view(), name='admin_event_detail'),
     path("change/", views.EventUpdateView.as_view(), name='event_update'),
     path("delete/", views.EventDeleteView.as_view(), name='event_delete'),
-    path("toggle/", views.AdminAPIEventToggleView.as_view(), name='admin_api_event_toggle'),
     path("tickets/", views.AdminEventTicketListView.as_view(), name='admin_event_ticket_list'),
     path("timeplaces/", include(time_place_adminpatterns)),
 ]
-
 event_adminpatterns = [
     path("", views.AdminEventListView.as_view(), name='admin_event_list'),
     path("add/", views.EventCreateView.as_view(), name='event_create'),
@@ -89,3 +82,22 @@
     path("articles/", include(article_adminpatterns)),
     path("events/", include(event_adminpatterns)),
 ]
+
+# --- Admin API URL patterns (imported in `web/urls.py`) ---
+
+article_adminapipatterns = [
+    path("<int:pk>/toggle/", views.AdminAPIArticleToggleView.as_view(), name='admin_api_article_toggle'),
+]
+
+specific_event_adminapipatterns = [
+    path("toggle/", views.AdminAPIEventToggleView.as_view(), name='admin_api_event_toggle'),
+    path("timeplaces/<int:time_place_pk>/toggle/", views.AdminAPITimePlaceToggleView.as_view(), name='admin_api_time_place_toggle'),
+]
+event_adminapipatterns = [
+    path("<int:pk>/", include(specific_event_adminapipatterns)),
+]
+
+adminapipatterns = [
+    path("articles/", include(article_adminapipatterns)),
+    path("events/", include(event_adminapipatterns)),
+]
diff --git a/src/news/views.py b/src/news/views.py
index f5e19af11..c4ae69111 100644
--- a/src/news/views.py
+++ b/src/news/views.py
@@ -5,7 +5,7 @@
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.conf import settings
-from django.contrib.auth.mixins import PermissionRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
 from django.core.mail import get_connection, send_mail
 from django.db.models import Count, Max, Min, Prefetch, Q
 from django.db.models.functions import Concat
@@ -614,13 +614,13 @@ def get_success_url(self):
         return self.object.get_absolute_url()
 
 
-class EventTicketDetailView(DetailView):
+class EventTicketDetailView(LoginRequiredMixin, DetailView):
     model = EventTicket
     template_name = 'news/event/ticket/event_ticket_detail.html'
     context_object_name = 'ticket'
 
 
-class EventTicketMyListView(ListView):
+class EventTicketMyListView(LoginRequiredMixin, ListView):
     template_name = 'news/event/ticket/event_ticket_my_list.html'
     context_object_name = 'tickets'
 
diff --git a/src/users/tests/test_urls.py b/src/users/tests/test_urls.py
index 3bf2cecf3..c583d4f05 100644
--- a/src/users/tests/test_urls.py
+++ b/src/users/tests/test_urls.py
@@ -21,6 +21,7 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # adminapipatterns
             Get(reverse('admin_api_basic_user_info', args=[self.user1.username]), public=False),
             Get(reverse('admin_api_basic_user_info', args=[self.user_with_basic_info.username]), public=False),
         ]
diff --git a/src/users/urls.py b/src/users/urls.py
index f994035d4..8a462c84e 100644
--- a/src/users/urls.py
+++ b/src/users/urls.py
@@ -3,6 +3,8 @@
 from . import views
 
 
-urlpatterns = [
+# --- Admin API URL patterns (imported in `web/urls.py`) ---
+
+adminapipatterns = [
     path("username/<str:username>/", views.AdminAPIBasicUserInfoView.as_view(), name='admin_api_basic_user_info'),
 ]
diff --git a/src/web/admin_urls.py b/src/web/admin_urls.py
index 9dfe2c055..df07b43a6 100644
--- a/src/web/admin_urls.py
+++ b/src/web/admin_urls.py
@@ -16,10 +16,7 @@
     path(".well-known/security.txt", TemplateView.as_view(template_name='web/security.txt', content_type='text/plain')),
 
     *debug_toolbar_urls(),
-    path("i18n/", decorator_include(
-        staff_member_required,
-        'django.conf.urls.i18n'
-    )),
+    path("i18n/", decorator_include(staff_member_required, 'django.conf.urls.i18n')),
     *static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT),  # For development only; Nginx is used in production
 
     *ckeditor_uploader_urls(),
diff --git a/src/web/tests/test_urls.py b/src/web/tests/test_urls.py
index 69eae4621..df678dae7 100644
--- a/src/web/tests/test_urls.py
+++ b/src/web/tests/test_urls.py
@@ -36,18 +36,27 @@ def setUp(self):
 
     def test_all_get_request_paths_succeed(self):
         path_predicates = [
+            # urlpatterns
             Get('/robots.txt', public=True, translated=False),
             Get('/.well-known/security.txt', public=True, translated=False),
-            Get(reverse('index_page'), public=True),
+            # ckeditor_uploader_urls()
+            Get(reverse('ckeditor_browse'), public=False, translated=False),
+
+            # admin_urlpatterns
             Get(reverse('admin_panel'), public=False),
+
+            # about_urlpatterns
             Get(reverse('about'), public=True),
             Get(reverse('contact'), public=True),
+
+            # urlpatterns
+            Get(reverse('index_page'), public=True),
             Get(reverse('apply'), public=True),
             Get('/søk/', public=True),
             Get('/sok/', public=True),
             Get(reverse('cookies'), public=True),
             Get(reverse('privacypolicy'), public=True),
-            Get(reverse('ckeditor_browse'), public=False, translated=False),
+            Get(reverse('javascript_catalog'), public=True),
         ]
         assert_requesting_paths_succeeds(self, path_predicates)
 
@@ -92,13 +101,17 @@ def test_all_old_urls_succeed(self):
         path_predicates = [
             Get('/rules/', public=True, redirect=True),
 
+            Get('/reservation/', public=True, redirect=True),
             Get(f'/reservation/2023/16/{machine1.pk}/', public=True, redirect=True),
 
             Get('/reservation/me/', public=False, redirect=True),
             Get('/reservation/admin/', public=False, redirect=True),
+            Get('/reservation/slots/', public=False, redirect=True),
 
             Get('/reservation/rules/1/', public=True, redirect=True),
+            Get('/reservation/machinetypes/1/rules/', public=True, redirect=True),
             Get('/reservation/rules/usage/1/', public=True, redirect=True),
+            Get('/reservation/machinetypes/1/rules/usage/', public=True, redirect=True),
 
             Get(f'/news/article/{self.article1.pk}/', public=True, redirect=True),
             Get(f'/news/event/{self.event1.pk}/', public=True, redirect=True),
diff --git a/src/web/tests/test_views.py b/src/web/tests/test_views.py
index dbab1207f..9ca2331f7 100644
--- a/src/web/tests/test_views.py
+++ b/src/web/tests/test_views.py
@@ -168,5 +168,8 @@ def assert_visiting_page_produces_status_code(expected_status_code: int):
         self.client.force_login(user)
         assert_visiting_page_produces_status_code(HTTPStatus.FORBIDDEN)
 
+        user.add_perms('internal.is_internal')
+        assert_visiting_page_produces_status_code(HTTPStatus.FORBIDDEN)
+
         user.add_perms('news.add_article')
         assert_visiting_page_produces_status_code(HTTPStatus.OK)
diff --git a/src/web/urls.py b/src/web/urls.py
index 29c6c2565..e82b8766c 100644
--- a/src/web/urls.py
+++ b/src/web/urls.py
@@ -3,7 +3,6 @@
 from django.conf.urls.i18n import i18n_patterns
 from django.conf.urls.static import static
 from django.contrib.auth import views as auth_views
-from django.contrib.auth.decorators import login_required
 from django.urls import include, path, re_path
 from django.views import defaults
 from django.views.generic import TemplateView
@@ -11,11 +10,18 @@
 from django.views.i18n import JavaScriptCatalog
 from social_core.utils import setting_name
 
+from announcements import urls as announcements_urls
+from checkin import urls as checkin_urls
 from contentbox.views import ContentBoxDetailView, ContentBoxUpdateView
 from dataporten.views import login_wrapper
+from faq import urls as faq_urls
+from groups import urls as groups_urls
+from make_queue import urls as make_queue_urls
 from make_queue.forms import ReservationListQueryForm
+from makerspace import urls as makerspace_urls
 from news import urls as news_urls
-from util.url_utils import ckeditor_uploader_urls, debug_toolbar_urls, logout_urls
+from users import urls as users_urls
+from util.url_utils import ckeditor_uploader_urls, debug_toolbar_urls, logout_urls, permission_required_else_denied
 from util.view_utils import RedirectViewWithStaticQuery
 from . import views
 
@@ -35,9 +41,33 @@
 
 admin_urlpatterns = [
     path("", views.AdminPanelView.as_view(), name='admin_panel'),
+
+    # App paths, sorted by app label (should have the same path prefixes as the ones in `urlpatterns` below):
+    path("announcements/", include(announcements_urls.adminpatterns)),
+    path("checkin/", include(checkin_urls.adminpatterns)),
+    path("faq/", include(faq_urls.adminpatterns)),
+    path("committees/", include(groups_urls.adminpatterns)),
+    path("reservation/", include(make_queue_urls.adminpatterns)),
+    path("makerspace/", include(makerspace_urls.adminpatterns)),
     path("news/", include(news_urls.adminpatterns)),
 ]
 
+admin_api_urlpatterns = [
+    # App paths, sorted by app label (should have the same path prefixes as the ones in `urlpatterns` below):
+    path("checkin/", include(checkin_urls.adminapipatterns)),
+    path("news/", include(news_urls.adminapipatterns)),
+    path("users/", include(users_urls.adminapipatterns)),
+]
+
+api_urlpatterns = [
+    # This internal permission is only used for base-level access control;
+    # each included path/view should implement its own supplementary access control
+    path("admin/", decorator_include(permission_required_else_denied('internal.is_internal'), admin_api_urlpatterns)),
+
+    # App paths, sorted by app label (should have the same path prefixes as the ones in `urlpatterns` below):
+    path("reservation/", include(make_queue_urls.apipatterns)),
+]
+
 content_box_urlpatterns = [
     path("<int:pk>/change/", ContentBoxUpdateView.as_view(base_template='web/base.html'), name='content_box_update'),
 ]
@@ -49,17 +79,19 @@
 
 urlpatterns += i18n_patterns(
     path("", views.IndexPageView.as_view(), name='index_page'),
-    path("admin/", decorator_include(login_required, admin_urlpatterns)),
+    # This internal permission is only used for base-level access control;
+    # each included path/view should implement its own supplementary access control
+    path("admin/", decorator_include(permission_required_else_denied('internal.is_internal'), admin_urlpatterns)),
+    path("api/", include(api_urlpatterns)),
 
-    # App paths:
+    # App paths, sorted by app label:
     path("announcements/", include('announcements.urls')),
     path("checkin/", include('checkin.urls')),
-    path("committees/", include('groups.urls')),
     path("faq/", include('faq.urls')),
+    path("committees/", include('groups.urls')),
+    path("reservation/", include('make_queue.urls')),
     path("makerspace/", include('makerspace.urls')),
     path("news/", include('news.urls')),
-    path("reservation/", include('make_queue.urls')),
-    path("users/", include('users.urls')),
 
     # ContentBox paths:
     path("contentbox/", include(content_box_urlpatterns)),
@@ -104,18 +136,22 @@
 Owner = ReservationListQueryForm.Owner
 # --- Old URLs ---
 # URLs kept for "backward-compatibility" after paths were changed, so that users are simply redirected to the new URLs.
-# These need only be URLs for pages that are likely to be linked to.
+# These need only be URLs for pages that are likely to have been linked to, and that are deemed important to keep working.
 urlpatterns += i18n_patterns(
     path("rules/", RedirectView.as_view(pattern_name='rules', permanent=True)),
 
+    path("reservation/", RedirectView.as_view(pattern_name='machine_list', permanent=True)),
     path("reservation/<int:year>/<int:week>/<int:pk>/",
          RedirectView.as_view(url='/reservation/machines/%(pk)s/?calendar_year=%(year)s&calendar_week=%(week)s', permanent=True)),
 
     path("reservation/me/", RedirectViewWithStaticQuery.as_view(pattern_name='reservation_list', query={'owner': Owner.ME}, permanent=True)),
     path("reservation/admin/", RedirectViewWithStaticQuery.as_view(pattern_name='reservation_list', query={'owner': Owner.MAKE}, permanent=True)),
+    path("reservation/slots/", RedirectView.as_view(pattern_name='reservation_find_free_slots', permanent=True)),
 
     path("reservation/rules/<int:pk>/", RedirectView.as_view(pattern_name='reservation_rule_list', permanent=True)),
+    path("reservation/machinetypes/<int:pk>/rules/", RedirectView.as_view(pattern_name='reservation_rule_list', permanent=True)),
     path("reservation/rules/usage/<int:pk>/", RedirectView.as_view(pattern_name='machine_usage_rule_detail', permanent=True)),
+    path("reservation/machinetypes/<int:pk>/rules/usage/", RedirectView.as_view(pattern_name='machine_usage_rule_detail', permanent=True)),
 
     path("news/article/<int:pk>/", RedirectView.as_view(pattern_name='article_detail', permanent=True)),
     path("news/event/<int:pk>/", RedirectView.as_view(pattern_name='event_detail', permanent=True)),