We're building an open source policy engine for adding access control (permissions, roles, etc.) to apps, called oso. oso policies are declarative, and enable users to cleanly separate authorization logic from the rest of their application code.
In our latest release of django-oso, we added functionality to enforce authorization policies directly on Django QuerySets. The declarative policy is translated into filters that can be understood by the Django ORM, in a way that is fully abstracted from the library user. In the future, we'll be adding support for SQLAlchemy and other Python ORMs.
We wrote about it in this blog post: https://www.osohq.com/post/django-list-view
Cleanly separating an authorization policy from other application code can be challenging, especially when authorizing a collection of objects, often necessary in list views. This feature makes it possible to enforce authorization as a filter when querying the application data store while still taking full advantage of the declarative policy provided by oso.
This functionality is in preview in the 0.3.0 release of django-oso: https://pypi.org/project/django-oso/
Install via pip: pip install django-oso
Let us know what you think in our Slack channel or on this thread! https://app.slack.com/client/T017ZS940LR