i want to use the rest permissions to check access. it works via the rest admin page but i want to restrict it beyond the "is_staff" section somehow.