I have a basic permission system where I am pretty much hardcoding permissions based on user.profile.user_type, where user.profile is equivalent to user.get_profile().

For example, if a user_type is, say, 1 (property manager), then that user can view all work orders. A user_type of 2 (tenant) means that user can only view work orders that he created.

I am currently simply using a class-based generic view in urls.py like this

url(
    r'^orders/$',
    ListView.as_view(
        model = Order,
        template_name = 'doors/orders/list.html'
    ),
    name = 'orders_list'
),

and therefore I have no permissions control at all.

So to add a permissions system, should I control it in the template like this?

{% for order in order_list %}
    {% if request.user.profile.user_type == 1 %}
        # Show every order
        {{ order.pk }}
    {% else %}
        # Show only work orders created by that user
        {% if order.creator == request.user.pk %}
            {{ order.pk }}
        {% endif %}
    {% endif %}
{% endfor %}

I have a feeling that trying to filter inside the template is a waste of a lot of SQL hits, because no matter what the user_type is, the template will still force Django to call every work order. Is that true?

Or should I control it in the view like this?

def orders_list( request ) :
    if request.user.user_type == 1 :
        order_list = Order.objects.all()
    else :
        order_list = Order.objects.filter( creator = request.user.pk )

    dictionary = {
        'order_list' : order_list,
    }

    return render( request, 'doors/orders/list.html', dictionary )

Obviously if I try to control it inside views.py, then I can’t use the generic views anymore.

And lastly my third option would be to (somehow) control it inside the class-base generic view. I don’t even know if that’s even possible. Maybe somehow with get_context_data? I really like the simplicity of generic views, but I’m not too familiar with the more advanced OO concepts.

What are you guys’s suggestions?