diff --git a/InvenTree/InvenTree/api_tester.py b/InvenTree/InvenTree/api_tester.py
index eb92bd80c1..f0f33ad1a5 100644
--- a/InvenTree/InvenTree/api_tester.py
+++ b/InvenTree/InvenTree/api_tester.py
@@ -73,22 +73,50 @@ class InvenTreeAPITestCase(APITestCase):
                 ruleset.save()
                 break
 
-    def get(self, url, data={}, code=200):
+    def get(self, url, data={}, expected_code=200):
         """
         Issue a GET request
         """
 
         response = self.client.get(url, data, format='json')
 
-        self.assertEqual(response.status_code, code)
+        if expected_code is not None:
+            self.assertEqual(response.status_code, expected_code)
 
         return response
 
-    def post(self, url, data):
+    def post(self, url, data, expected_code=None):
         """
         Issue a POST request
         """
 
         response = self.client.post(url, data=data, format='json')
 
+        if expected_code is not None:
+            self.assertEqual(response.status_code, expected_code)
+
+        return response
+
+    def delete(self, url, expected_code=None):
+        """
+        Issue a DELETE request
+        """
+
+        response = self.client.delete(url)
+
+        if expected_code is not None:
+            self.assertEqual(response.status_code, expected_code)
+
+        return response
+
+    def patch(self, url, data, expected_code=None):
+        """
+        Issue a PATCH request
+        """
+
+        response = self.client.patch(url, data=data, format='json')
+
+        if expected_code is not None:
+            self.assertEqual(response.status_code, expected_code)
+
         return response
diff --git a/InvenTree/order/api.py b/InvenTree/order/api.py
index 6661bd568b..5933bf9ab8 100644
--- a/InvenTree/order/api.py
+++ b/InvenTree/order/api.py
@@ -157,7 +157,7 @@ class POList(generics.ListCreateAPIView):
     ordering = '-creation_date'
 
 
-class PODetail(generics.RetrieveUpdateAPIView):
+class PODetail(generics.RetrieveUpdateDestroyAPIView):
     """ API endpoint for detail view of a PurchaseOrder object """
 
     queryset = PurchaseOrder.objects.all()
diff --git a/InvenTree/order/serializers.py b/InvenTree/order/serializers.py
index 9efbf947bb..aaed0fa134 100644
--- a/InvenTree/order/serializers.py
+++ b/InvenTree/order/serializers.py
@@ -93,8 +93,10 @@ class POSerializer(InvenTreeModelSerializer):
         ]
 
         read_only_fields = [
-            'reference',
             'status'
+            'issue_date',
+            'complete_date',
+            'creation_date',
         ]
 
 
diff --git a/InvenTree/order/test_api.py b/InvenTree/order/test_api.py
index ee77f429e1..e4851efedc 100644
--- a/InvenTree/order/test_api.py
+++ b/InvenTree/order/test_api.py
@@ -110,6 +110,84 @@ class PurchaseOrderTest(OrderTest):
 
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_po_create(self):
+        """
+        Test that we can create and delete a PurchaseOrder via the API
+        """
+
+        n = PurchaseOrder.objects.count()
+
+        url = reverse('api-po-list')
+
+        # Initially we do not have "add" permission for the PurchaseOrder model,
+        # so this POST request should return 403
+        response = self.post(
+            url,
+            {
+                'supplier': 1,
+                'reference': '123456789-xyz',
+                'description': 'PO created via the API',
+            },
+            expected_code=403
+        )
+
+        # And no new PurchaseOrder objects should have been created
+        self.assertEqual(PurchaseOrder.objects.count(), n)
+
+        # Ok, now let's give this user the correct permission
+        self.assignRole('purchase_order.add')
+
+        # Initially we do not have "add" permission for the PurchaseOrder model,
+        # so this POST request should return 403
+        response = self.post(
+            url,
+            {
+                'supplier': 1,
+                'reference': '123456789-xyz',
+                'description': 'PO created via the API',
+            },
+            expected_code=201
+        )
+
+        self.assertEqual(PurchaseOrder.objects.count(), n+1)
+
+        pk = response.data['pk']
+
+        # Try to create a PO with identical reference (should fail!)
+        response = self.post(
+            url,
+            {
+                'supplier': 1,
+                'reference': '123456789-xyz',
+                'description': 'A different description',
+            },
+            expected_code=400
+        )
+
+        self.assertEqual(PurchaseOrder.objects.count(), n+1)
+
+        url = reverse('api-po-detail', kwargs={'pk': pk})
+
+        # Get detail info!
+        response = self.get(url)
+        self.assertEqual(response.data['pk'], pk)
+        self.assertEqual(response.data['reference'], '123456789-xyz')
+
+        # Now, let's try to delete it!
+        # Initially, we do *not* have the required permission!
+        response = self.delete(url, expected_code=403)
+
+        # Now, add the "delete" permission!
+        self.assignRole("purchase_order.delete")
+
+        response = self.delete(url, expected_code=204)
+
+        # Number of PurchaseOrder objects should have decreased
+        self.assertEqual(PurchaseOrder.objects.count(), n)
+
+        # And if we try to access the detail view again, it has gone
+        response = self.get(url, expected_code=404)
+
 
 class SalesOrderTest(OrderTest):
     """