I based my final solution on the answer from @JamesO. The issue with his answer was that it was written for an older version of django-tastypie, before the Authorization
class was rewritten. Here is my code for future reference:
from tastypie.authorization import Authorization
from django.contrib.auth.models import Group
from extendedusers.models import ExtendedUser
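class CustomAuthorization(Authorization):
    """Restrict list reads to the objects the requesting user may see.

    Members of the ``clinician`` group get the objects authored by their
    patients (``ExtendedUser`` rows whose ``clinician_id`` is the user's id).
    Every other authenticated user gets only the objects they authored.
    Requests without an authenticated user get an empty list.

    NOTE(review): only ``read_list`` is overridden. tastypie's base
    ``Authorization`` performs no permission checks, so ``read_detail`` and
    the create/update/delete hooks stay unrestricted for any resource using
    this class unless they are overridden too -- confirm that is intended,
    since a list filter alone does not stop a direct fetch by id.
    """

    def read_list(self, object_list, bundle):
        """Return the subset of ``object_list`` visible to the request's user.

        Args:
            object_list: queryset of candidate objects, filtered on ``author``.
            bundle: tastypie bundle; only ``bundle.request.user`` is read.

        Returns:
            The filtered queryset, or ``object_list.none()`` when the request
            carries no authenticated user.
        """
        request = bundle.request
        user = getattr(request, 'user', None) if request else None
        if user is None:
            return object_list.none()

        # An anonymous user still has a ``user`` attribute, so check for it
        # explicitly and fail closed rather than filtering on a non-model user.
        is_authenticated = getattr(user, 'is_authenticated', False)
        if callable(is_authenticated):
            # Django < 1.10 exposes is_authenticated as a method.
            is_authenticated = is_authenticated()
        if not is_authenticated:
            return object_list.none()

        # Ask the database for membership instead of fetching the Group row:
        # a missing 'clinician' group then means "not a clinician" (the
        # narrower branch) rather than an unhandled Group.DoesNotExist.
        if user.groups.filter(name='clinician').exists():
            patients = ExtendedUser.objects.filter(clinician_id=user.id)
            # NOTE(review): this matches author ids against ExtendedUser
            # primary keys -- confirm they coincide with the user ids that
            # ``author`` points at, otherwise the wrong rows are exposed.
            return object_list.filter(author__id__in=patients)

        return object_list.filter(author=user)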