This is not an issue per se, but a consequence of a new behavior and I would like to open up discussions on it.

#6361 recently added support for bitwise not (aka ~) to negate permissions.

Due to how permissions are shared for both view and object checks, relying on calling the correct method (has_permission or has_object_permission), the default value "True" becomes False for any negative check, making the permission extremely restrictive.

Example:

class View(APIView):
    permission_classes = [~IsAuthenticated]
    def retrieve(self, ...):
        return ...

Calling retrieve will call get_object, which in turns calls has_object_permission, returning False (not True), ending the call into a 403.

Im currently circumventing this by specifying which of has_permission or has_object_permission should get negated, but that makes the ~ operator nearly unusable for generic views (it's still very useful if you only need one of the two functions!).

The docs mention that not can be used in the context of an APIView which is what caught me offguard. Maybe a clarification on how it works is needed?

Thanks.