testing purchase_email but getting 401 with AllowAny

products/views.py

@@ -11,7 +11,7 @@ from django.contrib.auth import get_user_model
 from rest_framework import status
 from rest_framework import viewsets
 from rest_framework.response import Response
-from rest_framework.permissions import IsAuthenticatedOrReadOnly, IsAdminUser, IsAuthenticated
+from rest_framework.permissions import IsAuthenticatedOrReadOnly, IsAdminUser, IsAuthenticated, AllowAny
 from rest_framework.decorators import api_view, permission_classes, action
 from rest_framework.filters import OrderingFilter
 
@@ -247,6 +247,7 @@ class CategoryTagAutocomplete(autocomplete.Select2QuerySetView):
         return qs       # [x.label for x in qs]
 
 
+@permission_classes([AllowAny,])
 @api_view(['POST'])
 def purchase_email(request):
     """Notify coop manager and user about item purchase
@@ -275,7 +276,7 @@ def purchase_email(request):
     if not manager and manager.role != 'COOP_MANAGER':
         return Response({"error": "Company has no managing user"}, status=status.HTTP_406_NOT_ACCEPTABLE)
     # get product
-    product = Product.objects.filter(id=data['product']).first()
+    product = Product.objects.filter(id=data['product'], company=company).first()
     if not product:
         return Response({"error": "Invalid value for product"}, status=status.HTTP_406_NOT_ACCEPTABLE)