diff --git a/apiserver/apiserver/api/serializers.py b/apiserver/apiserver/api/serializers.py
index 1a42ee2..9a01667 100644
--- a/apiserver/apiserver/api/serializers.py
+++ b/apiserver/apiserver/api/serializers.py
@@ -146,29 +146,13 @@ class AdminSearchSerializer(serializers.Serializer):
 queryset = obj.user.cards
 else:
 queryset = models.Card.objects.filter(member_id=obj.id)
- serializer = AdminCardSerializer(data=queryset, many=True)
+ serializer = CardSerializer(data=queryset, many=True)
 serializer.is_valid()
 return serializer.data
-# member viewing his own cards
 class CardSerializer(serializers.ModelSerializer):
- class Meta:
- model = models.Card
- fields = '__all__'
- read_only_fields = [
- 'id',
- 'card_number',
- 'member_id',
- 'notes',
- 'last_seen_at',
- 'active_status',
- 'user',
- ]
-
-# admin viewing member details
-class AdminCardSerializer(CardSerializer):
 card_number = serializers.CharField(validators=[UniqueValidator(
 queryset=models.Card.objects.all(),
 message='Card number already exists.'
diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 8de4220..eafe350 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -1,7 +1,7 @@
 from django.contrib.auth.models import User, Group
 from django.db.models import Max
 from rest_framework import viewsets, views, mixins, generics, exceptions
-from rest_framework.permissions import BasePermission, IsAuthenticated
+from rest_framework.permissions import BasePermission, IsAuthenticated, SAFE_METHODS
 from rest_framework.response import Response
 from rest_auth.views import PasswordChangeView
 from rest_auth.registration.views import RegisterView
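Review bot: The surviving `CardSerializer` is the former admin serializer, so the field-level guard that kept `card_number`, `member_id`, `notes`, `active_status` and `user` read-only for a member viewing his own card is gone, and write protection now rests entirely on the view-level `IsAdminOrReadOnly` permission; the class's `Meta` lies outside the hunk, so I cannot confirm whether any `read_only_fields` remain. A comment on the class would keep the next maintainer from reusing it on a member-facing write endpoint, e.g. `# Admin-level writable fields; write access must be enforced by the view's permission classes (IsAdminOrReadOnly).` On the changed `AdminSearchSerializer` line, `CardSerializer(data=queryset, many=True)` followed by `is_valid()` is the input-validation path, whereas the idiomatic read path for model instances is `CardSerializer(queryset, many=True).data`, which also avoids reading `.data` after a validation that may have failed; the pattern predates this commit, but the line is being rewritten anyway. The enclosing `AdminSearchSerializer` method begins before the hunk.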
@@ -19,11 +19,24 @@ def is_admin_director(user):
 class IsOwnerOrAdmin(BasePermission):
 def has_object_permission(self, request, view, obj):
- return obj.user == request.user or is_admin_director(request.user)
+ return request.user and (obj.user == request.user or is_admin_director(request.user))
+
+class IsAdminOrReadOnly(BasePermission):
+ def has_permission(self, request, view):
+ return bool(
+ request.method in SAFE_METHODS or
+ request.user and
+ is_admin_director(request.user)
+ )
+
+class IsInstructorOrReadOnly(BasePermission):
+ def has_permission(self, request, view):
+ return bool(
+ request.method in SAFE_METHODS or
+ request.user and
+ request.user.member.is_instructor
+ )
-class IsInstructor(BasePermission):
- def has_object_permission(self, request, view, obj):
- return user.member.is_instructor
 class RetrieveUpdateViewSet(
@@ -116,18 +129,13 @@ class MemberViewSet(RetrieveUpdateViewSet):
 class CardViewSet(CreateRetrieveUpdateDeleteViewSet):
- permission_classes = [AllowMetadata | IsAuthenticated, IsOwnerOrAdmin]
+ permission_classes = [AllowMetadata | IsAuthenticated, IsOwnerOrAdmin, IsAdminOrReadOnly]
 queryset = models.Card.objects.all()
-
- def get_serializer_class(self):
- if is_admin_director(self.request.user):
- return serializers.AdminCardSerializer
- else:
- return serializers.CardSerializer
+ serializer_class = serializers.CardSerializer
 class CourseViewSet(viewsets.ModelViewSet):
- permission_classes = [AllowMetadata | IsAuthenticated]
+ permission_classes = [AllowMetadata | IsAuthenticated, IsAdminOrReadOnly | IsInstructorOrReadOnly]
 queryset = models.Course.objects.annotate(date=Max('sessions__datetime')).order_by('-date')
 def get_serializer_class(self):
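Review bot: `request.user and ...` in the three reworked permission checks does not exclude anonymous callers, because Django's `AnonymousUser` is truthy; the standard guard is `request.user and request.user.is_authenticated`, which is what DRF's own `IsAuthenticatedOrReadOnly` uses. `IsInstructorOrReadOnly` then dereferences `request.user.member.is_instructor`, which raises (a 500 rather than a 403) for an anonymous user or any user without a related member row, unless every authenticated user is guaranteed one — I cannot tell from here. In the viewsets below, `IsAuthenticated` runs first and masks the gap, but these classes are reusable on their own, so I would parenthesise the authenticated branch explicitly, e.g. `request.method in SAFE_METHODS or (request.user and request.user.is_authenticated and is_admin_director(request.user))`, and do the same in `IsInstructorOrReadOnly` and in `IsOwnerOrAdmin.has_object_permission`.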
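Review bot: `IsAdminOrReadOnly | IsInstructorOrReadOnly` on `CourseViewSet` implements only `has_permission`, so any instructor may update or delete any course, not just courses they teach; if per-course ownership is intended, an object-level check comparing the course's instructor to `request.user` is still needed — the Course model is not visible here, so I cannot confirm such a relation exists. On `CardViewSet`, the added `IsAdminOrReadOnly` entry blocks every non-admin write, which means the retained `IsOwnerOrAdmin` object check now only governs a member reading a single card; a short comment on `permission_classes`, e.g. `# members may only read their own card; all card writes are admin-only`, would record that this narrowing is deliberate. `CourseViewSet.get_serializer_class` continues past the end of the hunk.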