12

I assigned a permission to a user in my Django 1.5 app. When I list all user permissions with

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

In [2]: user.is_superuser
Out[2]: False

However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

In [3]: user.has_perm('random_permission')
Out[3]: True

A behaviour I would expect if the user is a superuser/admin. Why is a non-superuser always getting True for every request? Did I miss any setting?

neurix
  • 1
    Are you using a custom `User` model or Authentication Backend? Maybe read up on the docs here: https://docs.djangoproject.com/en/dev/topics/auth/customizing/#handling-authorization-in-custom-backends – Thane Brimhall May 07 '13 at 21:36

1 Answer

6

As mentioned in the comment by Thane Brimhall, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

Also, don't forget to check user groups. The default backend checks user group permissions, so it may be connected.

sepulchered
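The short-circuit described in the answer above, as an added example that is not part of the original posts and not Django's own code: a simplified model of how has_perm walks the backends, plus a probe that names any backend granting a permission that cannot exist. The backend classes, the dict-based user and the function names are constructed for illustration.

```python
# Simplified stand-in for how User.has_perm consults auth backends:
# the first backend that answers True decides the result.

class ModelLikeBackend:
    """Constructed stub: grants only permissions stored on the user."""
    def has_perm(self, user, perm, obj=None):
        return perm in user["perms"]


class PermissiveBackend:
    """Constructed stub of a misbehaving custom backend: True for anything."""
    def has_perm(self, user, perm, obj=None):
        return True


class AuthOnlyBackend:
    """Constructed stub: authenticates only and defines no has_perm."""


def user_has_perm(user, perm, backends):
    """Model of the short-circuit: a single True from any backend wins."""
    for backend in backends:
        if hasattr(backend, "has_perm") and backend.has_perm(user, perm):
            return True
    return False


def overgranting_backends(user, backends, probe="no_such_app.no_such_perm"):
    """Return class names of backends that grant a nonsense permission."""
    return [
        type(b).__name__
        for b in backends
        if hasattr(b, "has_perm") and b.has_perm(user, probe)
    ]


# Constructed sample mirroring the question: one real permission, not a superuser.
USER = {"perms": {"profile.change_profile"}, "is_superuser": False}
DEFAULT_ONLY = [ModelLikeBackend()]
WITH_CUSTOM = [ModelLikeBackend(), AuthOnlyBackend(), PermissiveBackend()]

if __name__ == "__main__":
    for name, chain in (("default only", DEFAULT_ONLY), ("with custom", WITH_CUSTOM)):
        print(name, user_has_perm(USER, "random_permission", chain),
              overgranting_backends(USER, chain))
```

In a Django shell, the same probe can be pointed at the real user object and the list returned by `django.contrib.auth.get_backends()` to see which configured backend answers True.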