I had to modify this slightly: Since the 'filter' method cannot filter on OR clauses on individual properties (e.g. prop1=value1 OR prop2=value2), I'm now returning a list of filter arguments from a Permission.filter method. This also solves the case that the filter detects early on that the user should not have any permissions which happens in one or two of my new filter methods in my application.

Preliminary performance measure: A query that ran for about 10 Minutes before (and often longer depending on the user running into an uwsgi timeout of 10 minutes occasionally) now runs in 3 seconds. It still does a lot of filtering but this is in SQL now.