Do not show salaries in the table - Django permissions

Question

I've had a table in which different expenses are displaying which are bills, rents, salaries, etc, and I want to hide salaries from my staff, so I'm adding new filter to my queryset which needs to restrict that to them, but when I test it with different users, it is still there.

I'm not entirely sure why is this happening, so can someone please explain me what am I doing wrong here. Thanks!

This is my custom permission:

@staticmethod
def can_view_salaries(user):
    return user.is_staff and user.has_perm('cms_expenses.can_view_salaries')

You can see my restapi views in which I'm doing the filtering.

class ExpenseViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        only_recurrent = self.request.query_params.get('recurrent', False)
        queryset = models.Expense.objects.get_expenses_list(self.request.user)
        if only_recurrent:
            queryset = queryset.exclude(scheduled_recurrence__isnull=True)
        if self.check_object_permissions(self.request.user, queryset):
            queryset = ExpenseAccessService.can_view_salaries(self.request.user)
        return queryset

    serializer_class = ExpenseSerializer
    filter_backends = (
        filters.DjangoFilterBackend,
        filters.SearchFilter,
        filters.OrderingFilter
    )

    filter_fields = ('paid', 'generated',)
    ordering_fields = (
        'value', 'currency', 'category', 'attachment', 'created', 'scheduled_recurrence', 'paid',
        'scheduled_recurrence__interval', 'scheduled_recurrence__next_occurrence', 'payment_proof',
        'description')
    search_fields = (
        'value', 'currency', 'category', 'attachment', 'created', 'paid',
        'scheduled_recurrence__interval', 'scheduled_recurrence__next_occurrence', 'payment_proof',
        'description')

    pagination_class = StandardResultsOffsetPagination

    permission_classes = [
        permissions.IsAuthenticated,
        expenses_permissions.ExpensesPermissions
    ]

Answer 1

Actually, check_object_permissions() doesn't check multi objects permissions

def check_object_permissions(self, request, obj):
    """
    Check if the request should be permitted for a given object.
    Raises an appropriate exception if the request is not permitted.
    """
    for permission in self.get_permissions():
        if not permission.has_object_permission(request, self, obj):
            self.permission_denied(
                request, message=getattr(permission, 'message', None)
            )

And, if you want to custom response.data , you'd better to override get_serializer_class like this:

def get_serializer_class(self):
    if self.request.user.is_staff:
        return StaffExpenseSerializer
    if self.request.user.is_superuser:
        return AdminExpenseSerializer

Answer 2

I'm a bit late posting the answer to this question, but someone may find it useful so, after talking to my friend and reading Daniela Roseman hint on the custom permissions that I wanted so setup for stuff, I've come up with this solutions:

class ExpenseViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        only_recurrent = self.request.query_params.get('recurrent', False)
        queryset = models.Expense.objects.get_expenses_list(self.request.user)
        if only_recurrent:
            queryset = queryset.exclude(scheduled_recurrence__isnull=True)
        if not ExpenseAccessService.can_view_salaries_and_commissions(self.request.user):
            queryset = queryset.exclude(category__in=["salary", "commissions"])
        return queryset

With django exclude I've restricted my stuff in future viewing of salaries and commissions, I've also come up with a solution using complex lookups with Q objects, but exclude is easier to read.