Permissions on views
Right now, permissions are handled using Django permissions, but these permissions are only applied in templates and not in views (Django controllers). A user can bypass the current security if he knows the endpoint.
The improvement would be to also enforce permissions in views. If a user attempts an action he shouldn't be able to perform (for example, deleting a cuttable supply), then the request should return an error.