Permissions do not implement has_object_permission

[sg2002]

Hello. Really like your package. Here's a problem I've ran into while implementing an api based on it.
I have a user REST API and I wanted to allow updating user only for the user himself or an apikey. I wrote a simple permission called IsTheSameUser, but chaining it using OR with HasAPIKey didn't work - requests were passing.
Looking into it, I noticed that permissions provided by this project don't implement has_object_permission and my permission class cannot implement has_permission, since it's only becomes aware at has_object_permission level.
So, may I suggest adding has_object_permission method that wraps has_permisison:

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)

I subclassed for now, don't see any harm that can be done with this addition.

[florimondmanca]

Absolutely, sounds good to me. I don't have the means to send a fix currently, so feel free to throw together a PR based on the fix you found.

Note — there are a few caveats documented in the DRF docs. Notably, one needs to manually check object permissions unless they use generic views. Have you made sure that this is what you did when "requests were passing"?

[florimondmanca]

Released in 0.4 🎉 https://pypi.org/project/djangorestframework-api-key/0.4.0/