diff --git a/src/backend/InvenTree/InvenTree/api_version.py b/src/backend/InvenTree/InvenTree/api_version.py
index 1400e67eb4..0b03d4790a 100644
--- a/src/backend/InvenTree/InvenTree/api_version.py
+++ b/src/backend/InvenTree/InvenTree/api_version.py
@@ -1,11 +1,16 @@
 """InvenTree API version information."""
 
 # InvenTree API version
-INVENTREE_API_VERSION = 478
+INVENTREE_API_VERSION = 479
 """Increment this API version number whenever there is a significant change to the API that any clients need to know about."""
 
 INVENTREE_API_TEXT = """
 
+v479 -> 2026-04-11 : https://github.com/inventree/InvenTree/pull/11723
+    - POST /api//notifications/readall/ now requires a POST action
+    - POST /api/admin/email/test/ - now returns a 200 on. a successful test
+    - GET /api/notifications/ - now uses user-centric permissions, not a general read
+
 v478 -> 2026-04-11 : https://github.com/inventree/InvenTree/pull/11073
     - Add OptionalField class for cleaner handling of optional fields in serializers
 
diff --git a/src/backend/InvenTree/common/api.py b/src/backend/InvenTree/common/api.py
index 85f9b10f55..f4d2cd671c 100644
--- a/src/backend/InvenTree/common/api.py
+++ b/src/backend/InvenTree/common/api.py
@@ -395,21 +395,8 @@ class NotificationMessageViewSet(
         queryset = queryset.filter(user=request.user)
         return queryset
 
-    def get_permissions(self):
-        """Override permissions for list view."""
-        if self.action == 'list':
-            return [IsAuthenticatedOrReadScope()]
-        else:
-            return super().get_permissions()
-
-    def list(self, request, *args, **kwargs):
-        """List view for all notifications of the current user."""
-        # TODO @matmair permissions for this are currently being overwritten in get_permissions - this should be moved to a dedicated endpoint
-        return super().list(request, *args, **kwargs)
-
-    # TODO @matmair this should really be a POST
     @action(
-        detail=False, methods=['get'], permission_classes=[IsAuthenticatedOrReadScope]
+        detail=False, methods=['post'], permission_classes=[IsAuthenticatedOrReadScope]
     )
     def readall(self, request, *args, **kwargs):
         """Set all messages for the current user as read."""
@@ -1248,7 +1235,6 @@ class EmailViewSet(BulkDeleteViewsetMixin, RetrieveDestroyModelViewSet):
         'thread_id_key',
     ]
 
-    @extend_schema(responses={201: common.serializers.TestEmailSerializer})
     @action(
         detail=False,
         methods=['post'],
@@ -1270,8 +1256,7 @@ class EmailViewSet(BulkDeleteViewsetMixin, RetrieveDestroyModelViewSet):
             raise serializers.ValidationError(
                 detail=f'Failed to send test email: "{reason}"'
             )  # pragma: no cover
-        # TODO @matmair - breaking change: this should be a 200
-        return Response(serializer.data, status=201)
+        return Response(serializer.data)
 
 
 admin_router.register('email', EmailViewSet, basename='api-email')
diff --git a/src/backend/InvenTree/common/test_emails.py b/src/backend/InvenTree/common/test_emails.py
index 355167d2c5..0ba8b24b9f 100644
--- a/src/backend/InvenTree/common/test_emails.py
+++ b/src/backend/InvenTree/common/test_emails.py
@@ -103,7 +103,9 @@ class EmailTests(InvenTreeAPITestCase):
     )
     def test_email_api(self):
         """Test that the email api endpoints work."""
-        self.post(reverse('api-email-test'), {'email': 'test@example.org'})
+        self.post(
+            reverse('api-email-test'), {'email': 'test@example.org'}, expected_code=200
+        )
 
         response = self.get(reverse('api-email-list'), expected_code=200)
         self.assertIn('subject', response.data[0])
diff --git a/src/backend/InvenTree/common/tests.py b/src/backend/InvenTree/common/tests.py
index bf89f8b6c2..21a9474328 100644
--- a/src/backend/InvenTree/common/tests.py
+++ b/src/backend/InvenTree/common/tests.py
@@ -1332,7 +1332,7 @@ class NotificationTest(InvenTreeAPITestCase):
         self.assertEqual(len(self.get(url, expected_code=200).data), 1)
 
         # Read with readall endpoint
-        self.get(reverse('api-notifications-readall'), {}, expected_code=200)
+        self.post(reverse('api-notifications-readall'), {}, expected_code=200)
 
         self.assertEqual(NotificationMessage.objects.filter(read=True).count(), 1)
         self.assertEqual(len(self.get(url, expected_code=200).data), 1)
diff --git a/src/frontend/src/components/nav/NotificationDrawer.tsx b/src/frontend/src/components/nav/NotificationDrawer.tsx
index b8f93ea8ed..c8d8d890ed 100644
--- a/src/frontend/src/components/nav/NotificationDrawer.tsx
+++ b/src/frontend/src/components/nav/NotificationDrawer.tsx
@@ -137,7 +137,7 @@ export function NotificationDrawer({
 
   const markAllAsRead = useCallback(() => {
     api
-      .get(apiUrl(ApiEndpoints.notifications_readall), {
+      .post(apiUrl(ApiEndpoints.notifications_readall), {
         params: {
           read: false
         }
diff --git a/src/frontend/src/pages/Notifications.tsx b/src/frontend/src/pages/Notifications.tsx
index 0de7c798eb..00656f3889 100644
--- a/src/frontend/src/pages/Notifications.tsx
+++ b/src/frontend/src/pages/Notifications.tsx
@@ -26,7 +26,7 @@ export default function NotificationsPage() {
 
   const markAllAsRead = useCallback(() => {
     api
-      .get(apiUrl(ApiEndpoints.notifications_readall), {
+      .post(apiUrl(ApiEndpoints.notifications_readall), {
         params: {
           read: false
         }