Django: user.has_perm always true and user is not superuser. Why?

I assigned a permission to a user in my Django 1.5 app. When I list all user permissions with

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

In [2]: user.is_superuser
Out[2]: False

However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

In [3]: user.has_perm('random_permission')
Out[3]: True

A behaviour I would expect if the user is a superuser/admin. Why is a non-superuser always getting True for every request? Did I miss any setting?

Taiwan answered 7/5, 2013 at 21:25 Comment(1)
Are you using a custom User model or Authentication Backend? Maybe read up on the docs here: docs.djangoproject.com/en/dev/topics/auth/customizing/…Pub

As mentioned in the comment by Thane Brimhall, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

Also, don't forget to check user groups. The default backend checks user group permissions, thus it may be connected.

Pemberton answered 16/12, 2013 at 13:5 Comment(0)
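
To find out which backend is answering True, each configured backend can be asked individually instead of going through user.has_perm. The following is an added example, not code from the question, the answer or Django itself; explain_perm, granting_backends and the three stub classes are hypothetical names, and the stubs are constructed stand-ins so the block runs without a Django project.

```python
"""Report which authentication backend grants a permission."""


def explain_perm(user, perm, backends=None):
    """Return [(backend class name, granted)] for each backend defining has_perm."""
    if backends is None:
        # Inside a configured Django project: the instances built from
        # settings.AUTHENTICATION_BACKENDS.
        from django.contrib.auth import get_backends
        backends = get_backends()
    report = []
    for backend in backends:
        if hasattr(backend, "has_perm"):
            granted = bool(backend.has_perm(user, perm))
            report.append((type(backend).__name__, granted))
    return report


def granting_backends(user, perm, backends=None):
    """Names of the backends that answer True; one is enough for has_perm."""
    return [name for name, ok in explain_perm(user, perm, backends) if ok]


# --- Constructed stand-ins (assumptions, not Django classes) ---
class StubUser:
    def __init__(self, perms):
        self.perms = set(perms)


class StoredPermsBackend:
    """Grants only permissions actually stored for the user."""
    def has_perm(self, user_obj, perm, obj=None):
        return perm in user_obj.perms


class PermissiveBackend:
    """Hypothetical custom backend whose has_perm never denies."""
    def has_perm(self, user_obj, perm, obj=None):
        return True


def demo():
    user = StubUser({"profile.change_profile"})
    backends = [StoredPermsBackend(), PermissiveBackend()]
    perms = ("profile.change_profile", "random_permission")
    return {p: granting_backends(user, p, backends) for p in perms}


if __name__ == "__main__":
    print(demo())
```

In a Django shell, calling granting_backends(user, 'random_permission') with no backends argument checks the project's real backends; any name it returns is the backend to inspect.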
