Migrating to DRF's DjangoObjectPermission instead of AutoPermissionViewSetMixin

[hirokiky]

My suggestion is to use DRF's DjangoObjectPermission class instead of django-rules' AutoPermissionViewSetMixin.

DjangoRestFramework provides DjangoObjectPermission to check permission for objects on ViewSets.

Asis:

class ArticleViewSet(AutoPermissionViewSetMixin, ModelViewSet):
    ...

ToBe:

class ArticleViewSet(ModelViewSet):
    permission_classes = [DjangoObjectPermission]

For me, applying this permission class for ViewSets is better than injecting AutoPermissionViewSetMixin.

Because...

• The mixin requires us inheriting them rather than using them, and it will cause deep-coupling
• We don't need to maintain the mixin, because DRF provides the same thing

I didn't read all of lines of AutoPermissionViewSetMixin and DjangoObjectPermission, so now I can't guarantee that it's fully compatible.
But at least, we should refer about DRF's general way on rules' document.

[Routhinator]

DjangoObjectPermission does not work if you want Owner level permissions in read views, as mentioned in the very documentation you linked:

Note: If you need object level view permissions for GET, HEAD and OPTIONS requests and are using django-guardian for your object-level permissions backend, you'll want to consider using the DjangoObjectPermissionsFilter class provided by the djangorestframework-guardian package. It ensures that list endpoints only return results including objects for which the user has appropriate view permissions.

Though the note mentions django-guardian, it applies to this as well.

Django does not natively support Owner level permissions for read operations. As soon as you need that, you need AutoPermissionViewSetMixin