drf-access-policy

Add `access_policy_priority` to control AccessViewSetMixin order

Open J-Hoplin opened this issue 3 weeks ago • 0 comments

Hi @rsinger86! Thank you, as always, for this great project. During operation of some of our services, we ran into issues because we wanted the authentication (and custom DRF permission checks) to run before applying the access-policy logic. However, in the current structure, the access policy is always evaluated first, which limits flexibility when we need to rely on DRF permissions (or authentication side-effects) before policy enforcement. I’m submitting this PR to introduce a small enhancement.

Feature Description

This PR introduces a new, optional `access_policy_priority` setting on `AccessViewSetMixin`, giving teams control over the order in which access policies are applied relative to DRF permissions. By default the behavior is unchanged ("first"), but opting into "last" will run DRF permissions first, then the access policy.

Changes

  • Added `access_policy_priority` config with two allowed values: "first" (default) and "last".
    • The default value is set to "first" in order to preserve backward compatibility with existing code.
  • When set to "last", the evaluation order is changed so that DRF permission checks happen before the access policy.
  • Updated documentation to demonstrate how to configure the setting, and included example scenarios showing when it’s useful to run DRF permissions before the access policy.
  • Added related tests.

J-Hoplin, Dec 08 '25 07:12
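The ordering effect described in the issue, as an added example that is not part of the original post or the project's code: a stand-alone Python model (no Django or DRF import) of a permission list that is evaluated in order and stops at the first denial, as DRF does. All class and function names are hypothetical; only the "first" and "last" values come from the issue.

```python
# Stand-alone model (no Django/DRF import) of permission ordering.
# Class and function names are hypothetical; only "first"/"last" come from the issue.
class Request:
    def __init__(self, user, scopes):
        self.user, self.scopes = user, scopes
        self.tenant = None   # set as a side effect by TenantPermission
        self.trace = []      # which checks actually ran, in order

class TenantPermission:
    """Models a custom DRF permission that also resolves request.tenant."""
    def has_permission(self, request):
        request.trace.append("drf_permission")
        if "tenant:acme" not in request.scopes:   # constructed sample scope
            return False
        request.tenant = "acme"
        return True

class TenantAccessPolicy:
    """Models an access policy whose rule depends on request.tenant."""
    def has_permission(self, request):
        request.trace.append("access_policy")
        return request.tenant == "acme" and request.user == "alice"

def build_permissions(policy, drf_permissions, priority="first"):
    """Place the policy before ("first") or after ("last") the DRF permissions."""
    if priority not in ("first", "last"):
        raise ValueError("priority must be 'first' or 'last'")
    if priority == "first":
        return [policy, *drf_permissions]
    return [*drf_permissions, policy]

def check_permissions(request, permissions):
    """Evaluate in list order and stop at the first denial."""
    return all(p.has_permission(request) for p in permissions)

def evaluate(priority, user="alice", scopes=("tenant:acme",)):
    """Return (allowed, trace) for one constructed request."""
    request = Request(user, scopes)
    perms = build_permissions(TenantAccessPolicy(), [TenantPermission()], priority)
    return check_permissions(request, perms), request.trace

if __name__ == "__main__":
    for priority in ("first", "last"):
        print(priority, evaluate(priority))
```

With "first" the policy denies before the tenant is resolved; with "last" a failed DRF permission ends the check before the policy is ever consulted, so the trace shows which control produced each denial.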