diff --git a/rowers/serializers.py b/rowers/serializers.py
index 00bc396b..25fdc7f2 100644
--- a/rowers/serializers.py
+++ b/rowers/serializers.py
@@ -170,7 +170,10 @@ class WorkoutSerializer(serializers.ModelSerializer):
 
     def create(self, validated_data):
         print(validated_data)
-        r = Rower.objects.get(user=self.context['request'].user)
+        if self.context['request'].user.is_authenticated:
+            r = Rower.objects.get(user=self.context['request'].user)
+        else:
+            raise PermissionDenied("Not allowed")
         d = validated_data['date']
         t = validated_data['starttime']
         rowdatetime = datetime.datetime(d.year,
diff --git a/rowers/views/racesviews.py b/rowers/views/racesviews.py
index 10f2b4b1..ed264d6f 100644
--- a/rowers/views/racesviews.py
+++ b/rowers/views/racesviews.py
@@ -3127,7 +3127,7 @@ def virtualevent_submit_result_view(request,id=0,workoutid=0):
         workouttype__in=mytypes.rowtypes,
         startdatetime__gte=startdatetime,
         startdatetime__lte=enddatetime,
-        ).order_by("date","startdatetime","id")
+        ).order_by("-date","-startdatetime","id")
 
     if not ws:
         messages.info(
diff --git a/rowsandall_app/settings.py b/rowsandall_app/settings.py
index acdcdf53..052829b9 100644
--- a/rowsandall_app/settings.py
+++ b/rowsandall_app/settings.py
@@ -416,7 +416,7 @@ OAUTH2_PROVIDER = {
     'ACCESS_TOKEN_MODEL': 'oauth2_provider.AccessToken',
     'APPLICATION_MODEL': 'oauth2_provider.Application',
     'REFRESH_TOKEN_MODEL': 'oauth2_provider.RefreshToken',
-    'ACCESS_TOKEN_EXPIRE_SECONDS': 3600,
+    'ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
     #'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore'
 }