Hi John,
I think I have an idea how to formulate the sql checks for better query
performance.
Let's implement this as a method that ultimately returns parameters of a
filter call of the class.

Then when computing a batch we can run the found IDs through another
filter call similar to

new_ids = cls.filter (found_ids, <other filter args computed by method>)

This of course would only work if *all* permissions with check method of
a class do have a method for computing filter args. The downside is that
we repeatedly pass a possibly huge set of IDs to SQL. The upside is that
it works also with non-sql backends.

We would have something like:

new_ids = set (new_ids) # from klass.filter(matches, filterspec, sort, group)
confirmed = set ()

# We *OR* all the result from filtermethods
for perm in permissions:
    result = filter (list (new_ids), *perm.filtermethod (...))
    new_ids = new_ids - result
    confirmed.update (result)
allowed = list (confirmed)

The permissions above would have to be retrieved from *all* roles the
current user has.

Kind regards
Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com