I'm trying to figure out what's the "best practice" to limit `QuerySet`s based on `User`s' permissions.

For example, there is a table of invoices on the dashboard. A `User` that has the `Group` called `Admin` can see all invoices, but a `User` that has the group `Broker` can see only their own invoices. That means only invoices that have `user = ...`.

My idea is to create two permissions, `can_see_all_invoices` and `can_see_own_invoices`.

Now when I call the `QuerySet` using Django Rest Framework, I'll check for the permissions and return the filtered `QuerySet`.

Or should I filter the `QuerySet` on the frontend and, if a `Broker` asks for all invoices, raise `PermissionError`?

Which of these approaches is being used, or is there a different approach?
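The server-side variant of the first approach, written out as an added example (it is not code from the question or from any answer here). The permission codenames, the `invoices` app label, the in-memory `FakeQuerySet`/`FakeUser` stand-ins and the sample invoices are all constructed for the demo; `scope_invoices` only relies on `.filter()` and `.has_perm()`, so it works unchanged on a real Django `QuerySet` and `User`.

```python
"""Scope an invoice queryset on the server from the caller's permissions.

Constructed example. The rule is decided from user.has_perm(), never from a
query parameter the client sends, so a Broker cannot "ask for all invoices":
the server simply never builds an unfiltered queryset for that user.
"""

# Assumed permission codenames, namespaced with an assumed app label "invoices".
ALL_INVOICES = "invoices.can_see_all_invoices"
OWN_INVOICES = "invoices.can_see_own_invoices"


class PermissionDenied(Exception):
    """Raised when the caller holds neither permission (deny by default)."""


def scope_invoices(user, queryset):
    """Return the part of `queryset` this user may see.

    - can_see_all_invoices -> the queryset untouched
    - can_see_own_invoices -> only rows whose user is the caller
    - neither              -> PermissionDenied, so the API answers 403
                              instead of a silent, misleading 200 []
    """
    if user.has_perm(ALL_INVOICES):
        return queryset
    if user.has_perm(OWN_INVOICES):
        return queryset.filter(user=user)
    raise PermissionDenied("caller has no invoice permission")


# ---- stand-ins so the example runs without Django (constructed) ------------

class FakeQuerySet:
    """Minimal QuerySet stand-in: keyword equality filters over dict rows."""

    def __init__(self, rows):
        self.rows = list(rows)

    def filter(self, **kwargs):
        return FakeQuerySet(
            r for r in self.rows if all(r.get(k) == v for k, v in kwargs.items())
        )

    def __iter__(self):
        return iter(self.rows)


class FakeUser:
    """User stand-in: permissions are derived from group membership."""

    GROUP_PERMS = {"Admin": {ALL_INVOICES}, "Broker": {OWN_INVOICES}}

    def __init__(self, name, groups):
        self.name = name
        self.groups = set(groups)

    def has_perm(self, perm):
        return any(perm in self.GROUP_PERMS.get(g, set()) for g in self.groups)

    def __eq__(self, other):
        return isinstance(other, FakeUser) and self.name == other.name

    def __hash__(self):
        return hash(self.name)


alice = FakeUser("alice", ["Admin"])    # sees everything
bob = FakeUser("bob", ["Broker"])       # sees own rows only
carol = FakeUser("carol", ["Broker"])   # sees own rows only
dave = FakeUser("dave", [])             # no permission at all

# Constructed sample table; `user` plays the role of the invoice's owner FK.
INVOICES = FakeQuerySet([
    {"id": 1, "user": bob, "amount": 100},
    {"id": 2, "user": carol, "amount": 250},
    {"id": 3, "user": bob, "amount": 75},
])


def visible_invoice_ids(user):
    """What the list endpoint would return for this user (sorted ids)."""
    return sorted(r["id"] for r in scope_invoices(user, INVOICES))


def get_invoice(user, invoice_id):
    """What a detail endpoint would return: the row, or None if out of scope.

    Because the lookup runs on the already-scoped queryset (the way DRF's
    get_object() builds on get_queryset()), a Broker requesting someone
    else's invoice by id gets nothing rather than the other user's row.
    """
    rows = list(scope_invoices(user, INVOICES).filter(id=invoice_id))
    return rows[0] if rows else None


def is_denied(user):
    """True if the user cannot list invoices at all."""
    try:
        visible_invoice_ids(user)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, "sees invoices", visible_invoice_ids(u))
    print("bob fetching invoice 2 ->", get_invoice(bob, 2))
    print("dave denied ->", is_denied(dave))
```

In a real DRF viewset this becomes `def get_queryset(self): return scope_invoices(self.request.user, Invoice.objects.all())`, and raising `rest_framework.exceptions.PermissionDenied` instead of the local class yields the 403. Keeping the scope in `get_queryset` rather than only in the list view matters because the detail route reuses it, so an owner-only user cannot reach another user's invoice by guessing its id; filtering on the frontend alone gives the UI the right look but is not an access control.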
IMO, this would be a clean method
Notes
can_see_all_invoices