BasePermission returning True for has_permission and has_object_permission is a huge gotcha

[jzwick-narmi]

When using the negation of a permission, for example an implementation of ~IsOAuthAuthentication, that BasePermission. has_object_permission returs a static True is a very tricky gotcha.

Where I would expect this permission to be False, the negation turning the condition to True, it winds up being False when checking object_permissions, so the negation that swaps it back to False, which ultimately fails the boolean evaluation.

BasePermission should look like this;

class BasePermission(metaclass=BasePermissionMetaclass):
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)

This will behave as one would intuitively expect both in the negated permission scenario, and the unnegated. It still returns True by "default", and if has_permission is ever False, it's likely not undesirable for has_object_permission to also be False.