As mentioned in comment by Thane Brimhall you should check your authentication backends.
You can find this comment on has_perm method of User model in django sources:
Returns True if the user has the specified permission. This method
queries all available auth backends, but returns immediately if any
backend returns True. Thus, a user who has permission from a single
auth backend is assumed to have permission in general.
Also don’t forget to check user groups. Default backend checks for user groups permissions thus it may be connected.