My suggestion is to use DRF's DjangoObjectPermission class instead of django-rules' AutoPermissionViewSetMixin.

DjangoRestFramework provides DjangoObjectPermission to check permission for objects on ViewSets.

Asis:

class ArticleViewSet(AutoPermissionViewSetMixin, ModelViewSet):
    ...

ToBe:

class ArticleViewSet(ModelViewSet):
    permission_classes = [DjangoObjectPermission]

For me, applying this permission class for ViewSets is better than injecting AutoPermissionViewSetMixin.

Because...

• The mixin requires us inheriting them rather than using them, and it will cause deep-coupling
• We don't need to maintain the mixin, because DRF provides the same thing

I didn't read all of lines of AutoPermissionViewSetMixin and DjangoObjectPermission, so now I can't guarantee that it's fully compatible.
But at least, we should refer about DRF's general way on rules' document.

DjangoObjectPermission does not work if you want Owner level permissions in read views, as mentioned in the very documentation you linked:

Note: If you need object level view permissions for GET, HEAD and OPTIONS requests and are using django-guardian for your object-level permissions backend, you'll want to consider using the DjangoObjectPermissionsFilter class provided by the djangorestframework-guardian package. It ensures that list endpoints only return results including objects for which the user has appropriate view permissions.

Though the note mentions django-guardian, it applies to this as well.

Django does not natively support Owner level permissions for read operations. As soon as you need that, you need AutoPermissionViewSetMixin