#Django DRF | Object Level Permissions using django-guardian


celest portal

Hello !

So, looking around at some permissions packages: for you, which permissions package "is the best" when using object-level permissions with a large database, mainly Django DRF REST? Maybe I should consider a different way to think about permissions?

I'm currently using django-guardian because my project was initially built on classic Django views. Now it's more of a REST API only.

django-guardian seems to have performance issues on large databases with many object-user permissions?

Should I consider other alternatives such as django-rules or drf-access-policy?

I feel pretty lost in all these permissions options.

Finally, I want to keep group access permissions for admins on top of that.

worldly dune

Please don't post in multiple channels. Pick one and stick to it.

I would say nothing replaces research on your part and how it relates to your particular use case.
I have only recently started using django-guardian, so I have yet to hit limitations, but I expect to at some point in the future.

celest portal

I think I have to stick to django-guardian... and especially with djangorestframework-guardian2 (djangorestframework-guardian is not actively maintained...)

No updates for a while on django-guardian either.

In my head, I plan to define get_permissions_map for each serializer to apply permissions on create/update.

Thinking of adding permissions in signals too, but not sure about this process.

celest portal

For anyone searching for a similar solution, I actually use this inside my ViewSet, using some inheritance:

For admins using the private ADMIN API

READ all users' data if they are in the correct groups

    from django_filters.rest_framework import DjangoFilterBackend
    from rest_framework import permissions, viewsets

    # HasGroupPermission is the poster's own permission class (not shown here);
    # the surrounding ViewSet class and its name are assumed so the snippet is complete.
    class AdminEventViewSet(viewsets.ModelViewSet):
        filter_backends = [DjangoFilterBackend]

        # allowed if in the required group OR staff, and in every case authenticated
        permission_classes = [
            (HasGroupPermission | permissions.IsAdminUser)
            & permissions.IsAuthenticated
        ]

        # read by HasGroupPermission: the groups required for each HTTP method
        required_groups = {
            "GET": ["administrator"],
            "POST": ["administrator"],
            "PUT": ["administrator"],
            "DELETE": ["administrator"],
        }

For users using the public USER API

READ the owner's data and set action permissions using ObjectPermissions from django-rest-framework-guardian

user_perms_assign_all() is just a function that assigns all perms using from guardian.shortcuts import assign_perm

    """
    Viewset that only list events if user has 'view' permissions => filter_backends

    Only allows operations on individual event if user has appropriate 'view', 'add',
    'change' or 'delete' permissions => ObjectPermissions

    view/create/update/delete permissions are set with perform create using user_perms_assign_all()
    """    

    permission_classes = [
        ObjectPermissions & permissions.IsAuthenticated
    ]

    filter_backends = [filters.ObjectPermissionsFilter]

    def perform_create(self, serializer):
        """
        If API call create multiples objects and want to set perms for each, need to overrite this method to loop inside nested objects
        """
        object_instance = serializer.save()
        user_perms_assign_all(self.request.user, object_instance)

Feel free to show me a different approach or corrections.

I leave all permissions to the owner, but restrict the USER public API inside the ViewSet again with:

    http_method_names = [
        "get",
        "post",
        "put",
        "patch",
        "delete",
        "head",
        "options"
    ]
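As an added example (my code, not the poster's, DRF's or django-guardian's), here is a group-based permission class of the kind the post relies on as HasGroupPermission: it reads the view's required_groups mapping and checks the request's HTTP method against the user's groups. The class name, the FakeUser/FakeRequest/AdminView stand-ins (constructed so the check runs without a Django project), the treatment of HEAD/OPTIONS as GET, and the default-deny behaviour for methods the view does not list are all this example's assumptions.

```python
# Added example, not code from the post. Models the HasGroupPermission check
# that the post's required_groups mapping is consumed by.
try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF absent or Django settings not configured: use a minimal stand-in
    class BasePermission:
        def has_permission(self, request, view):
            return True

# Assumption: HEAD and OPTIONS need the same rights as GET on the same endpoint.
_METHOD_ALIASES = {"HEAD": "GET", "OPTIONS": "GET"}


class HasGroupPermission(BasePermission):
    """Allow the request only if the user belongs to every group the view's
    required_groups mapping lists for the request's HTTP method."""

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not getattr(user, "is_authenticated", False):
            return False
        mapping = getattr(view, "required_groups", {})
        method = _METHOD_ALIASES.get(request.method, request.method)
        if method not in mapping:
            # Default deny: a method the view did not list gets no access,
            # rather than passing because an empty list satisfies all().
            return False
        user_groups = {group.name for group in user.groups.all()}
        # An explicitly empty list means "any authenticated user" for that method.
        return all(name in user_groups for name in mapping[method])


# --- constructed stand-ins so the check can be exercised without Django ---
class _Group:
    def __init__(self, name):
        self.name = name


class _GroupSet:
    """Mimics the .all() of a user's groups manager."""
    def __init__(self, names):
        self._groups = [_Group(n) for n in names]

    def all(self):
        return self._groups


class FakeUser:
    def __init__(self, groups, is_authenticated=True):
        self.groups = _GroupSet(groups)
        self.is_authenticated = is_authenticated


class FakeRequest:
    def __init__(self, method, user):
        self.method = method
        self.user = user


class AdminView:
    # same shape as the required_groups attribute in the post
    required_groups = {
        "GET": ["administrator"],
        "POST": ["administrator"],
        "PUT": ["administrator"],
        "DELETE": ["administrator"],
    }


def check(method, groups, is_authenticated=True):
    """Run HasGroupPermission against AdminView for a request with the given
    method and a user in the given groups; returns True if allowed."""
    request = FakeRequest(method, FakeUser(groups, is_authenticated))
    return HasGroupPermission().has_permission(request, AdminView())


if __name__ == "__main__":
    print(check("GET", ["administrator"]))    # True
    print(check("GET", ["editor"]))           # False: wrong group
    print(check("PATCH", ["administrator"]))  # False: PATCH is not in the mapping
```

In a real project the class composes with DRF's operators exactly as in the post, `(HasGroupPermission | permissions.IsAdminUser) & permissions.IsAuthenticated`, because it subclasses BasePermission. The one deliberate difference from the widely copied snippet is the default deny: with the post's `http_method_names` still allowing PATCH, a mapping that lists only GET/POST/PUT/DELETE would otherwise let PATCH through for any authenticated user.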