
Bug Report: deny Effect Always Returns True Regardless of Conditions #104

Open
AlexandrVasilchuk opened this issue Aug 15, 2024 · 0 comments


Description:

I encountered a bug where the deny effect always returns True regardless of the conditions and their evaluations.

According to the documentation:

The deny effect should deny access to a method if at least one of the deny conditions returns True. However, in my case, the deny effect seems to trigger and deny access regardless of whether the conditions evaluate to True or False.

Reproduction:

Dependencies:

rest-framework-integration = ["djangorestframework (>=3.9,<4.0)"]
django = ">=2.2"

Here is a code snippet to reproduce the issue:

from rest_framework.request import Request
from myapp.models import Profile
from rest_access_policy import AccessPolicy

class GlobalRiskRoleAccessPolicy(AccessPolicy):
    def some_condition(
        self,
        request: Request,
        _view: "RisksGlobalRoleViewSet",
        _action: str,
    ) -> bool:
        self.message = "Oops...denied"
        return Profile.objects.get(pk=request.data.get("profile")).user.is_superuser

    statements = [
        {
            "action": ["list", "retrieve"],
            "principal": ["*"],
            "condition": some_condition.__name__,
            "effect": "deny",
        },
    ]

Actual Result:

The API returns a 403 Forbidden response regardless of whether profile_id.is_superuser is True or False.

Expected Result:

200 OK if is_superuser is False.
403 Forbidden if is_superuser is True.

Additional Information:

While troubleshooting this issue, I referred to the example provided in the documentation:

View Set Usage Example
However, the example also always returns a 403 error, similar to the issue I'm facing.


I really appreciate your library; it has greatly helped in organizing access controls in our project. I hope you can return to developing and maintaining this fantastic tool!
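As an added illustration (not part of the issue or of drf-access-policy's own code): the evaluator below assumes the combination rule that a request is granted only when at least one matching statement has effect "allow" and no matching statement has effect "deny", and runs the reporter's deny-only policy beside one that also carries an allow statement for the same actions. `FakeRequest`, `PROFILE_IS_SUPERUSER` and `status_for` are constructed stand-ins for the DRF request, the Profile lookup and the HTTP status.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class FakeRequest:
    """Hypothetical stand-in for the DRF Request object; only .data is needed."""
    data: dict

# Constructed table standing in for Profile.objects.get(pk=...).user.is_superuser
PROFILE_IS_SUPERUSER: Dict[int, bool] = {1: True, 2: False}

def some_condition(request: FakeRequest) -> bool:
    """Same test as the reporter's condition: True when the profile is a superuser."""
    return PROFILE_IS_SUPERUSER[request.data["profile"]]

def evaluate(statements: List[dict], request: FakeRequest, action: str,
             conditions: Dict[str, Callable[[FakeRequest], bool]]) -> bool:
    """Assumed combination rule: a request is granted only when at least one
    matching statement has effect "allow" and no matching statement has effect
    "deny".  A statement matches when it lists the action and every named
    condition returns True (only the "*" principal is modelled here)."""
    matched = []
    for st in statements:
        if action not in st["action"] or "*" not in st["principal"]:
            continue
        names = st.get("condition", [])
        if isinstance(names, str):
            names = [names]
        if all(conditions[n](request) for n in names):
            matched.append(st)
    if not matched:
        return False  # nothing granted access, so the default is deny
    return all(st["effect"] == "allow" for st in matched)

# The reporter's policy: a single deny statement and nothing that grants access.
DENY_ONLY = [{"action": ["list", "retrieve"], "principal": ["*"],
              "condition": "some_condition", "effect": "deny"}]
# The same deny statement paired with an allow statement for the same actions.
ALLOW_AND_DENY = [{"action": ["list", "retrieve"], "principal": ["*"],
                   "effect": "allow"}] + DENY_ONLY

def status_for(statements: List[dict], profile_pk: int, action: str = "list") -> int:
    """Map the policy decision to the HTTP status the reporter observed."""
    request = FakeRequest(data={"profile": profile_pk})
    granted = evaluate(statements, request, action, {"some_condition": some_condition})
    return 200 if granted else 403
```

Under that rule a policy made up of a deny statement alone can never grant access, whichever way its condition evaluates; the condition only decides whether the deny statement matches.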

