Students and Tutors can access /tutor/ endpoint

Summary

Students and Tutors can access the /tutor/ endpoint

Steps to reproduce

Create fresh database, populate with core.tests.data_factories.make_minimal_exam(). Then login as student 'user01':'p' or tutor 'tutor01':'p' (username:password). Log in and got to localhost:8000/api/tutor Also run the tests in core.tests.test_access_rights

What is the current bug behavior?

Tutors and students have access to /api/tutor

What is the expected correct behavior?

They should not!

Possible fixes

The permission class for this View is 'IsReviewer' and the code for this looks good. I don't know what causes this behavior.