Django: user.has_perm always true and user is not superuser. Why?

neurix · May 7, 2013 · Viewed 18.3k times

I assigned a permission to a user in my Django 1.5 app. When I list all user permissions with:

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

In [2]: user.is_superuser
Out[2]: False

However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

In [3]: user.has_perm('random_permission')
Out[3]: True

That is behaviour I would expect if the user were a superuser/admin. Why is a non-superuser always getting True for every request? Did I miss any setting?

Answer

sepulchered · Dec 16, 2013

As mentioned in the comment by Thane Brimhall, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

Also, don't forget to check user groups. The default backend checks user group permissions, thus it may be connected.
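
An added example, not part of the original answer or Django's source: a simplified pure-Python model of the first-True-wins dispatch quoted above, plus a diagnostic that asks each backend separately about a permission that should never be granted. The backend classes, the dict-based user and the function names are assumptions for illustration.

```python
# Simplified model of the dispatch the quoted Django comment describes.
# All class and function names here are hypothetical, not Django's own.

class StoredPermsBackend:
    """Grants only permissions explicitly stored for the user."""
    def has_perm(self, user, perm, obj=None):
        return perm in user["perms"]


class PermissiveBackend:
    """Misbehaving backend (constructed): answers yes to every permission."""
    def has_perm(self, user, perm, obj=None):
        return True


def has_perm(user, perm, backends):
    """First backend that returns True wins; later backends are not asked."""
    if user["is_active"] and user["is_superuser"]:
        return True
    for backend in backends:
        if hasattr(backend, "has_perm") and backend.has_perm(user, perm):
            return True
    return False


def granting_backends(user, perm, backends):
    """Diagnostic: query every backend on its own and name those that grant perm."""
    return [type(b).__name__ for b in backends
            if hasattr(b, "has_perm") and b.has_perm(user, perm)]


# Constructed sample user matching the question: one permission, not a superuser.
USER = {"is_active": True, "is_superuser": False,
        "perms": {"profile.change_profile"}}
PROBE = "random_permission"  # a permission that should never be granted

if __name__ == "__main__":
    good = [StoredPermsBackend()]
    bad = [StoredPermsBackend(), PermissiveBackend()]
    print(has_perm(USER, PROBE, good))          # False
    print(has_perm(USER, PROBE, bad))           # True
    print(granting_backends(USER, PROBE, bad))  # ['PermissiveBackend']
```

In a real project the same probe can be run from the Django shell by iterating over `django.contrib.auth.get_backends()` and calling each backend's `has_perm` with a made-up permission name; any backend that answers True is the one to inspect.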