diff --git a/src/account/views.py b/src/account/views.py
index 79ab7de30163a980004e2f16cf5e355befcf2b05..c2ad4ec5b61ff4ae7545845c8b1b9149ec42bba5 100644
--- a/src/account/views.py
+++ b/src/account/views.py
@@ -2,6 +2,7 @@ from rest_framework import viewsets
 from rest_framework import permissions
 from rest_framework.response import Response
 from rest_framework.decorators import list_route
+from common.permissions import IsSafeOrPatch
 
 from . import models
 from . import serializers
@@ -9,11 +10,11 @@ from . import serializers
 
 class ProfileViewSet(viewsets.ModelViewSet):
     serializer_class = serializers.ProfileSerializer
-    permission_classes = (permissions.IsAuthenticated, )
+    permission_classes = (permissions.IsAuthenticated, IsSafeOrPatch)
 
     def get_queryset(self):
         user = self.request.user
-        if user.has_perm(permissions.IsAdminUser):
+        if user.profile.role == 'Staff':
             role = self.request.query_params.get("role", None)
             if role is not None:
                 return models.Profile.objects.filter(role=role)
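Review bot: With `IsSafeOrPatch` added, any authenticated user can PATCH through `ProfileSerializer`, and this commit also makes `profile.role == 'Staff'` the deciding check for staff access, here and in `src/common/permissions.py`, so the serializer must not accept `role` from a non-staff caller. The serializer is not part of this diff. If `role` is writable there, a user could change their own role, and I would add `read_only_fields = ('role',)` to `ProfileSerializer.Meta` or restrict the field per request. The rest of `get_queryset` lies outside the hunk, so which profiles a non-staff user can reach with PATCH also needs confirming.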
diff --git a/src/common/permissions.py b/src/common/permissions.py
index 5aac2f078cb7cb6044024c7c29bb01559a8fed64..beaae6f8654fd6dadbf54aa7a74368c5f01515a6 100644
--- a/src/common/permissions.py
+++ b/src/common/permissions.py
@@ -3,27 +3,36 @@ from rest_framework.permissions import SAFE_METHODS
 
 
 class IsStaffOrReadOnly(BasePermission):
-    """
-    The request is authenticated as a staff, or is a read-only request.
-    """
-
     def has_permission(self, request, view):
-        return request.method in SAFE_METHODS or request.user and request.user.is_staff
+        return request.method in SAFE_METHODS or\
+               (request.user.is_authenticated and request.user.profile.role == 'Staff')
 
 
 class IsStaffOrReadOnlyForAuthenticated(BasePermission):
-    """
-    The request is authenticated as a staff, or is a read-only request for authenticated.
-    """
-
     def has_permission(self, request, view):
-        return request.user.is_staff or request.method in SAFE_METHODS and request.user.is_authenticated
+        return request.user.is_authenticated and\
+               (request.method in SAFE_METHODS or request.user.profile.role == 'Staff')
 
 
 class IsStaffUser(BasePermission):
-    """
-    The request is authenticated as a staff
-    """
+    def has_permission(self, request, view):
+        return request.user.is_authenticated and request.user.profile.role == 'Staff'
+
+
+class IsSafeOrPatch(BasePermission):
+    def has_permission(self, request, view):
+        return request.method in SAFE_METHODS or request.method == 'PATCH'
+
+
+class IsStaffOrStudent(BasePermission):
+    def has_permission(self, request, view):
+        return request.user.is_authenticated and\
+               (request.user.profile.role == 'Staff' or request.user.profile.role == 'Student')
+
 
+class StudentJustCreate(BasePermission):
     def has_permission(self, request, view):
-        return request.user.is_staff
+        if request.user.is_authenticated and request.user.profile.role == 'Staff':
+            return True
+        return request.user.is_authenticated and request.user.profile.role == 'Student' and\
+               (request.method in SAFE_METHODS or request.method == 'CREATE')
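Review bot: `StudentJustCreate` compares `request.method == 'CREATE'`, but CREATE is not an HTTP method; a DRF `create` arrives as POST, so the branch never matches and students are limited to safe methods. `SolutionsViewSet` in `src/homework/views.py` uses this class, so students cannot submit solutions. The last line should read `(request.method in SAFE_METHODS or request.method == 'POST')`. Separately, every class here now reads `request.user.profile`, which presumably raises rather than denies for an authenticated user with no Profile row, so it is worth confirming that a profile always exists. The removed docstrings were the only statement of each class's policy, and I would keep a one-line docstring per class, e.g. `"""Staff: any method. Students: safe methods and POST only."""`.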
diff --git a/src/document/views.py b/src/document/views.py
index 70e78a074604bb240aca2930d9325ac31f60d8bc..6a80b18760b2bbb10dfbc1be6b3b4e53d943a8c3 100644
--- a/src/document/views.py
+++ b/src/document/views.py
@@ -8,4 +8,4 @@ from . import serializers
 class DocumentViewSet(viewsets.ModelViewSet):
     queryset = models.Document.objects.all()
     serializer_class = serializers.DocumentSerializer
-    permission_classes = (permissions.IsStaffOrReadOnly, )
+    permission_classes = (permissions.IsStaffOrStudent, )
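Review bot: Swapping `IsStaffOrReadOnly` for `IsStaffOrStudent` drops the method check on a `ModelViewSet`, so a Student can now create, update and delete any `Document`, where non-staff callers were previously read-only. If students are only meant to read, keep the read-only rule alongside the role gate: `permission_classes = (permissions.IsStaffOrStudent, permissions.IsStaffOrReadOnlyForAuthenticated)`. If write access for students is intended, a comment on the class saying so would make the policy explicit.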
diff --git a/src/homework/views.py b/src/homework/views.py
index d0762cce1787da4e5e5a6ae0437157752e466fa2..25707861c955b74f8ce34294eb7fb14649635f3b 100755
--- a/src/homework/views.py
+++ b/src/homework/views.py
@@ -1,9 +1,9 @@
 from rest_framework import viewsets
 
-from common import permissions
 from rest_framework.permissions import IsAuthenticated
 from . import serializers
 from . import models
+from common import permissions
 
 
 class TasksViewSet(viewsets.ModelViewSet):
@@ -14,12 +14,12 @@ class TasksViewSet(viewsets.ModelViewSet):
 
 class SolutionsViewSet(viewsets.ModelViewSet):
     serializer_class = serializers.SolutionSerializer
-    permission_classes = (IsAuthenticated, )
+    permission_classes = (permissions.IsStaffOrStudent, permissions.StudentJustCreate)
 
     def get_queryset(self):
         user = self.request.user
         queryset = models.Solution.objects.filter(created_by=user.profile)
-        if user.has_perm(permissions.IsStaffUser):
+        if user.profile.role == 'Staff':
             queryset = models.Solution.objects.all()
             profile_id = self.request.query_params.get('profileID', None)
             if profile_id is not None:
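Review bot: `IsStaffOrStudent` is redundant in `permission_classes`, because `StudentJustCreate` already returns True only for Staff or Student profiles; `permission_classes = (permissions.StudentJustCreate, )` expresses the same policy. The `'Staff'` literal is also now compared inline in this `get_queryset`, in `ProfileViewSet.get_queryset` and in each permission class. A single shared constant or helper would keep the views and the permission classes from drifting apart. `get_queryset` continues outside the hunk.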
diff --git a/src/stats/migrations/0006_auto_20190114_1913.py b/src/stats/migrations/0006_auto_20190114_1913.py
new file mode 100644
index 0000000000000000000000000000000000000000..545336bafa2da40569687f026c7d855fc0abf877
--- /dev/null
+++ b/src/stats/migrations/0006_auto_20190114_1913.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.0.1 on 2019-01-14 18:13
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('stats', '0005_auto_20190114_1713'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='event',
+            name='visitors',
+            field=models.ManyToManyField(blank=True, related_name='events', to='account.Profile'),
+        ),
+    ]
diff --git a/src/stats/models.py b/src/stats/models.py
index c408a7b9c87b68d880ea10961992b0f284cf2165..ef56adf754430e076b05d9ba64be839da3934577 100644
--- a/src/stats/models.py
+++ b/src/stats/models.py
@@ -12,7 +12,6 @@ class Event(models.Model):
         Profile,
         related_name='events',
         blank=True,
-        null=True,
     )
     created_by = models.ForeignKey(
         Profile,
diff --git a/src/stats/serializers.py b/src/stats/serializers.py
index 5f16191d05e1c907158f43b40fe7562707dee5ec..d18167b37f7fe847681259c569e39d6dbde3bb8c 100644
--- a/src/stats/serializers.py
+++ b/src/stats/serializers.py
@@ -6,7 +6,6 @@ from . import models
 class EventSerializer(serializers.ModelSerializer):
     created_by_name = serializers.SerializerMethodField()
     visitor_number = serializers.SerializerMethodField()
-    # visitors = serializers.SerializerMethodField()
 
     class Meta:
         model = models.Event
@@ -19,9 +18,6 @@ class EventSerializer(serializers.ModelSerializer):
     def get_visitor_number(self, obj):
         return obj.visitors.all().count()
 
-    # def get_visitors(self, obj):
-    #     return obj.visitors.all()
-
 
 class NoteSerializer(serializers.ModelSerializer):
     created_by = serializers.HiddenField(default=CurrentUserProfileDefault())