This sounds like a perfect fit for dry-rest-permissions.
So it sounds like your user permissions for objects will be based on the branch and company a user is related to (belongs to).
If that is correct, I am assuming that the objects you want to permission are also somehow related to branches and/or companies.
If that is the case, you could do something like this:
Let's say you have objectx and you want users who belong to objectx's company to be able to view it.
You can add DRYRestPermissions to the permissions attribute on objectx's view like so:

    from dry_rest_permissions.generics import DRYPermissions
    from rest_framework import viewsets

    class ObjectXViewset(viewsets.ModelViewSet):
        permission_classes = (DRYPermissions, )

This will tell the system that ObjectX is governed by DRYRestPermissions. Next you can define the retrieve (view) permission on the model for ObjectX.

    from django.db import models

    class ObjectX(models.Model):
        # on_delete is required from Django 2.0; CASCADE was the earlier default
        company = models.ForeignKey(Company, on_delete=models.CASCADE)

        @staticmethod
        def has_retrieve_permission(request):
            """We will open up table level retrieve permissions because we only care about row level in this example"""
            return True

        def has_object_retrieve_permission(self, request):
            """Make sure the requesting user is part of the company associated to ObjectX"""
            return self.company == request.user.branch.company
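
An added example, not part of the original post or of dry-rest-permissions: the same row-level company check written to fail closed when the requester is anonymous, has no branch, or has no company. It runs without Django; `ObjectXStandIn`, `user_company`, `visible_objects`, `make_request` and the sample rows are hypothetical stand-ins, and `request.user.is_authenticated` is assumed to behave as on Django's user objects.

```python
from types import SimpleNamespace


def user_company(user):
    """Follow user.branch.company; return None if any link is missing."""
    if user is None or not getattr(user, "is_authenticated", False):
        return None
    branch = getattr(user, "branch", None)
    return getattr(branch, "company", None)


class ObjectXStandIn:
    """Hypothetical stand-in for the ObjectX model (no Django needed)."""

    def __init__(self, company):
        self.company = company

    @staticmethod
    def has_retrieve_permission(request):
        # Table level stays open, as in the post; the row-level check decides.
        return True

    def has_object_retrieve_permission(self, request):
        # Fail closed: anonymous users, users without a branch, and a
        # None-to-None company match all return False instead of raising
        # AttributeError or granting access.
        company = user_company(getattr(request, "user", None))
        return company is not None and self.company == company


def visible_objects(request, objects):
    """Apply the row-level check to a collection, e.g. for a list response."""
    return [o for o in objects if o.has_object_retrieve_permission(request)]


def make_request(company=None, authenticated=True, with_branch=True):
    """Build a constructed request stand-in carrying user.branch.company."""
    branch = SimpleNamespace(company=company) if with_branch else None
    user = SimpleNamespace(is_authenticated=authenticated, branch=branch)
    return SimpleNamespace(user=user)


# Constructed sample data: two companies, three rows.
ROWS = [ObjectXStandIn("acme"), ObjectXStandIn("globex"), ObjectXStandIn(None)]
```

Django REST Framework's generic views do not run object-level permission checks on list responses, so a real viewset also needs its queryset restricted to the requester's company; `visible_objects` only illustrates that scoping in memory.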