Restrict permissions for notification

emgapi/views.py

@@ -26,7 +26,6 @@
 from django.middleware import csrf
 from django.http import HttpResponse
 from django.views.decorators.clickjacking import xframe_options_exempt
-from django.views.decorators.csrf import csrf_protect
 
 from django_filters.rest_framework import DjangoFilterBackend
 
@@ -112,11 +111,10 @@ def myaccounts(self, request, pk=None):
         serializer = self.get_serializer(submitter, many=True)
         return Response(serializer.data)
 
-    @csrf_protect
     @list_route(
         methods=['get', 'post', ],
         serializer_class=ena_serializers.NotifySerializer,
-        permission_classes=[permissions.AllowAny]
+        permission_classes=[permissions.IsAuthenticated, emg_perms.IsSelf]
     )
     def notify(self, request, pk=None):
         serializer = self.get_serializer(data=request.data)
@@ -135,11 +133,10 @@ def notify(self, request, pk=None):
             )
         return Response(serializer.errors)
 
-    @csrf_protect
     @list_route(
         methods=['get', 'post', ],
         serializer_class=ena_serializers.EmailSerializer,
-        permission_classes=[permissions.AllowAny]
+        permission_classes=[permissions.IsAuthenticated, emg_perms.IsSelf]
     )
     def sendemail(self, request, pk=None):
         serializer = self.get_serializer(data=request.data)