Django: user.has_perm is always True, and the user is not a superuser. Why?

I assigned a permission to a user in a Django 1.5 application. When I list all of the user's permissions with

    In [1]: user.get_all_permissions()
    Out[1]: set([u'profile.change_profile'])

I see one permission (which is correct and necessary). The user is also not a superuser and not an administrator.

    In [2]: user.is_superuser
    Out[2]: False

However, if I try to use user.has_perm, I always get True as the return value for any permission I ask about.

    In [3]: user.has_perm('random_permission')
    Out[3]: True

This is the behavior I would expect if the user were a superuser / administrator. Why does a non-superuser always get True for every request? Am I missing any settings?

1 answer

As mentioned in Thane Brimhall's comment, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

Also be sure to check the user's groups. The default backend also checks the permissions of the user's groups, so that may be related.

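The dispatch rule quoted in the answer can be turned into a quick diagnostic. The following is an added example, not code from the original post or from Django: a pure-Python model of the "first backend that returns True wins" loop, plus a probe that names which backend grants a permission that cannot exist. The User, ModelLikeBackend, PermissiveBackend and AuthOnlyBackend classes and the CANARY string are constructed stand-ins.

```python
# Added example: models the "any backend says yes" dispatch from the quoted
# docstring. All classes here are constructed stand-ins, not Django code.

class User:
    def __init__(self, perms, is_superuser=False):
        self.perms = set(perms)
        self.is_superuser = is_superuser


class ModelLikeBackend:
    """Grants only permissions actually assigned to the user."""
    def has_perm(self, user, perm, obj=None):
        return perm in user.perms


class PermissiveBackend:
    """Constructed faulty backend: has_perm answers True for everything."""
    def has_perm(self, user, perm, obj=None):
        return True


class AuthOnlyBackend:
    """Backend that only authenticates; it defines no has_perm at all."""


def user_has_perm(backends, user, perm, obj=None):
    # Same shape as the docstring: the first backend returning True wins,
    # so one over-permissive backend overrides every stricter one.
    for backend in backends:
        if hasattr(backend, "has_perm") and backend.has_perm(user, perm, obj):
            return True
    return False


# Assumed canary: a permission string that no app should ever define.
CANARY = "no_such_app.no_such_permission_canary"


def granting_backends(backends, user, perm=CANARY):
    """Return the class name of every backend that grants `perm` to `user`."""
    return [
        type(b).__name__
        for b in backends
        if hasattr(b, "has_perm") and b.has_perm(user, perm, None)
    ]
```

In a real project the backend list would come from django.contrib.auth.get_backends(); any name returned by granting_backends for the canary permission is the backend to review.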

Source: https://habr.com/ru/post/944480/

