Django: user.has_perm always true and user is not superuser. Why?
As mentioned in the comment by Thane Brimhall, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:
Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.
Also, don't forget to check user groups. The default backend checks user group permissions, thus it may be connected.
neurix
Updated on June 08, 2022
neurix about 2 years
I assigned a permission to a user in my Django 1.5 app. When I list all user permissions with

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

In [2]: user.is_superuser
Out[2]: False
However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

In [3]: user.has_perm('random_permission')
Out[3]: True

A behaviour I would expect if the user is a superuser/admin. Why is a non-superuser always getting True for every request? Did I miss any setting?
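The answer at the top of this page attributes the behaviour to the backend loop described in the has_perm docstring. The following is an added example, not code from the original post or from Django itself: a simplified model of that loop plus a probe that asks each backend separately about a permission that cannot exist. The backend classes, the probe string and the function names are hypothetical stand-ins.

```python
# Simplified model of "returns immediately if any backend returns True",
# with a per-backend probe to locate the one that over-grants.
# All classes and names here are constructed for illustration.

PROBE_PERM = "nonexistent_app.nonexistent_permission"  # constructed value


class GroupLikeBackend:
    """Stand-in for a backend that only grants permissions it knows about."""

    def __init__(self, granted):
        self.granted = granted  # {user: set of permission strings}

    def has_perm(self, user_obj, perm, obj=None):
        return perm in self.granted.get(user_obj, set())


class AllowAllBackend:
    """Stand-in for a misconfigured backend that answers True for anything."""

    def has_perm(self, user_obj, perm, obj=None):
        return True


class AuthenticateOnlyBackend:
    """Stand-in for a backend that does not implement has_perm at all."""


def user_has_perm(backends, user_obj, perm, obj=None):
    """Return True as soon as any single backend grants the permission."""
    for backend in backends:
        if hasattr(backend, "has_perm") and backend.has_perm(user_obj, perm, obj):
            return True
    return False


def find_overgranting_backends(backends, user_obj, probe=PROBE_PERM):
    """Query each backend on its own with a permission that cannot exist.

    Any backend that answers True explains an always-True has_perm().
    """
    return [
        type(backend).__name__
        for backend in backends
        if hasattr(backend, "has_perm") and backend.has_perm(user_obj, probe)
    ]
```

In a Django shell the same probe can be run against the real configuration by passing `django.contrib.auth.get_backends()` and the affected user to `find_overgranting_backends`.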