diff --git a/program/views.py b/program/views.py
index baa92773c90ac945045248952576024316a8d706..25047f81141acca21f9ea78f057683121eb5c596 100644
--- a/program/views.py
+++ b/program/views.py
@@ -406,7 +406,10 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
         if not request.user.is_superuser:
             return Response(status=status.HTTP_401_UNAUTHORIZED)
 
-        serializer = ShowSerializer(data=request.data)
+        serializer = ShowSerializer(
+            context={"request": request},  # the serializer needs the request in the context
+            data=request.data,
+        )
 
         if serializer.is_valid():
             serializer.save()
@@ -428,7 +431,12 @@ class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
 
         partial = kwargs.get("partial", False)
         show = self.get_object()
-        serializer = ShowSerializer(show, data=request.data, partial=partial)
+        serializer = ShowSerializer(
+            context={"request": request},  # the serializer needs the request in the context
+            data=request.data,
+            instance=show,
+            partial=partial,
+        )
 
         if serializer.is_valid():
             # Common users mustn't edit the show's name
@@ -773,6 +781,13 @@ class APINoteViewSet(
     pagination_class = LimitOffsetPagination
     filterset_class = filters.NoteFilterSet
 
+    def get_serializer_context(self):
+        # the serializer needs the request in the context
+        context = super().get_serializer_context()
+        context.update({"request": self.request})
+
+        return context
+
     def get_queryset(self):
         qs = super().get_queryset().order_by("slug")
         # Users should always be able to see notes
@@ -899,9 +914,13 @@ class APIHostViewSet(ActiveFilterMixin, viewsets.ModelViewSet):
     queryset = Host.objects.all()
     serializer_class = HostSerializer
     pagination_class = LimitOffsetPagination
+    permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly]
 
     def create(self, request, *args, **kwargs):
-        serializer = HostSerializer(data=request.data)
+        serializer = HostSerializer(
+            context={"request": request},  # the serializer needs the request in the context
+            data=request.data,
+        )
         if serializer.is_valid():
             serializer.save()
             return Response(serializer.data, status=status.HTTP_201_CREATED)
@@ -911,7 +930,14 @@ class APIHostViewSet(ActiveFilterMixin, viewsets.ModelViewSet):
     def update(self, request, *args, **kwargs):
         partial = kwargs.get("partial", False)
         host = self.get_object()
-        serializer = HostSerializer(host, data=request.data, partial=partial)
+
+        serializer = HostSerializer(
+            context={"request": request},  # the serializer needs the request in the context
+            data=request.data,
+            instance=host,
+            partial=partial,
+        )
+
         if serializer.is_valid():
             serializer.save()
             return Response(serializer.data, status=status.HTTP_200_OK)