We should enable some sort of authentication check there. Since we are on Sessions here, I think session auth should be the easiest.
https://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication should be the place to look. It's funny we use self.request.user there though.