The official documentation recommends using a custom get_queryset
method in this use-case, and that's exactly what I would do.
The permission object's has_object_permission
only runs when called on a view for a single object, so that won't work to enforce permissions for list views.
Basically, you are not trying to allow or deny access, you are trying to filter the results. Filtering on a database level is the fastest, easiest and most secure (least error-prone) option. The permission framework is only made to either allow or deny access to an object or a complete object group, it is not made to filter the content of a particular response. The get_queryset
method is made to filter the content of a particular response, and should be used as such.