diff --git a/poizonstore/settings.py b/poizonstore/settings.py
index 7fbec4a..4417ca4 100644
--- a/poizonstore/settings.py
+++ b/poizonstore/settings.py
@@ -27,6 +27,7 @@ CDEK_CLIENT_SECRET = '***REMOVED***'
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
+DISABLE_PERMISSIONS = True
 
 ALLOWED_HOSTS = ["crm-poizonstore.ru", "127.0.0.1", "localhost", "45.84.227.72"]
 
@@ -135,6 +136,9 @@ REST_FRAMEWORK = {
     # or allow read-only access for unauthenticated users.
     'DEFAULT_PERMISSION_CLASSES': [
         'rest_framework.permissions.IsAuthenticated'
+        if DISABLE_PERMISSIONS
+        else
+        'rest_framework.permissions.AllowAny'
     ],
 
     'DEFAULT_AUTHENTICATION_CLASSES': (
diff --git a/store/views.py b/store/views.py
index 1c65bbd..2ccfe87 100644
--- a/store/views.py
+++ b/store/views.py
@@ -58,7 +58,7 @@ class LoginAPI(generics.GenericAPIView):
 
 class ChecklistAPI(mixins.ListModelMixin, mixins.CreateModelMixin, mixins.RetrieveModelMixin, generics.GenericAPIView):
     serializer_class = ChecklistSerializer
-    permission_classes = [IsAuthenticated | ReadOnly]
+    permission_classes = [IsAuthenticated | ReadOnly] if not settings.DISABLE_PERMISSIONS else [permissions.AllowAny]
     lookup_field = 'id'
     filterset_fields = ['status', ]
     search_fields = ['id', 'track_id', 'buyer_phone', 'full_price']
@@ -164,7 +164,7 @@ class PricesAPI(generics.GenericAPIView):
 
 class PickupAPI(generics.GenericAPIView):
     serializer_class = GlobalSettingsPickupSerializer
-    permission_classes = [IsAuthenticated | ReadOnly]
+    permission_classes = [IsAuthenticated | ReadOnly] if not settings.DISABLE_PERMISSIONS else [permissions.AllowAny]
 
     def get_object(self):
         return GlobalSettings.load()