[Fixed]-Django: user.has_perm always true and user is not superuser. Why?


As mentioned in comment by Thane Brimhall you should check your authentication backends.
You can find this comment on has_perm method of User model in django sources:

Returns True if the user has the specified permission. This method
queries all available auth backends, but returns immediately if any
backend returns True. Thus, a user who has permission from a single
auth backend is assumed to have permission in general.

Also don’t forget to check user groups. Default backend checks for user groups permissions thus it may be connected.

Leave a comment