diff --git a/src/c3nav/control/models.py b/src/c3nav/control/models.py
index 8b9932d9..85bc571c 100644
--- a/src/c3nav/control/models.py
+++ b/src/c3nav/control/models.py
@@ -130,9 +130,6 @@ class UserPermissions(models.Model):
         return settings.ENABLE_MESH and self.mesh_control
 
 
-get_permissions_for_user_lazy = lazy(UserPermissions.get_for_user, UserPermissions)
-
-
 class UserSpaceAccess(models.Model):
     """
     User Authorities
diff --git a/src/c3nav/mapdata/api/updates.py b/src/c3nav/mapdata/api/updates.py
index 5b42bace..b7801e8c 100644
--- a/src/c3nav/mapdata/api/updates.py
+++ b/src/c3nav/mapdata/api/updates.py
@@ -125,7 +125,7 @@ def fetch_updates(request, response: HttpResponse):
     }
     if cross_origin is None:
         result.update({
-            'user_data': get_user_data(request),
+            'user_data': request.user_data,
         })
 
     if cross_origin is not None:
diff --git a/src/c3nav/mapdata/utils/user.py b/src/c3nav/mapdata/utils/user.py
index df27c8aa..566b3657 100644
--- a/src/c3nav/mapdata/utils/user.py
+++ b/src/c3nav/mapdata/utils/user.py
@@ -10,6 +10,9 @@ from c3nav.mapdata.schemas.models import DataOverlaySchema
 
 
 def get_user_data(request):
+    """
+    Don't use this unless needed. Use request.user_data to get this cached.
+    """
     permissions = AccessPermission.get_for_request(request) - AccessRestriction.get_all_public()
     result = {
         'logged_in': bool(request.user.is_authenticated),
@@ -46,11 +49,23 @@ def get_user_data(request):
              if request.user.is_superuser or key in request.user_permissions.quests}
         ),
     })
-
+    request.user_data = result
     return result
 
 
-get_user_data_lazy = lazy(get_user_data, dict)
+class CachedGetUserData:
+    def __init__(self, request):
+        self.request = request
+        self.cached = None
+
+    def __call__(self) -> dict:
+        if self.cached is None:
+            self.cached = get_user_data(self.request)
+        return self.cached
+
+
+def get_user_data_lazy(request):
+    return lazy(CachedGetUserData(request), dict)()
 
 
 def can_access_editor(request):
diff --git a/src/c3nav/site/views.py b/src/c3nav/site/views.py
index b810210d..e29ca19c 100644
--- a/src/c3nav/site/views.py
+++ b/src/c3nav/site/views.py
@@ -276,7 +276,7 @@ def close_response(request):
     # todo: use a better way to recognize this
     ajax = request.headers.get('x-requested-with') == 'XMLHttpRequest' or 'ajax' in request.GET
     if ajax:
-        return HttpResponse(json.dumps(get_user_data(request), cls=DjangoJSONEncoder).encode(),
+        return HttpResponse(json.dumps(request.user_data, cls=DjangoJSONEncoder).encode(),
                             content_type='text/plain')
     redirect_path = request.GET['next'] if request.GET.get('next', '').startswith('/') else reverse('site.index')
     return redirect(redirect_path)
@@ -774,7 +774,6 @@ def report_detail(request, pk, secret=None):
 def position_list(request):
     return render(request, 'site/position_list.html', {
         'positions': Position.objects.filter(owner=request.user),
-        'user_data_json': json.dumps(get_user_data(request), cls=DjangoJSONEncoder),
     })
 
 
@@ -866,7 +865,6 @@ def api_secret_list(request):
         return redirect(reverse('site.api_secret_list'))
     return render(request, 'site/api_secret_list.html', {
         'api_secrets': Secret.objects.filter(user=request.user).order_by('-created'),
-        'user_data_json': json.dumps(get_user_data(request), cls=DjangoJSONEncoder),
     })