Django：user.has_perm始终为true，用户不是超级用户。为什么？

I assigned a permission of a user in my Django 1.5 app. When I list all user permissions with

我在Django 1.5应用程序中分配了用户的权限。当我列出所有用户权限时

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

我可以看到一个权限（这是正确的和想要的）。用户也不是超级用户，不是管理员。

In [2]: user.is_superuser
Out[2]: False

However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

但是，如果我尝试使用user.has_perm，我总是得到True作为任何提交的权限请求的返回。

In [3]: user.has_perm('random_permission')
Out[3]: True

A behaviour I would expect if the user is a superuser/admin. Why is a non-superuser getting always True for every request? Did I miss any setting?

如果用户是超级用户/管理员，我期望的行为。为什么非超级用户对每个请求都始终为True？我错过了任何设置吗？

1 个解决方案

#1

As mentioned in comment by Thane Brimhall you should check your authentication backends. You can find this comment on has_perm method of User model in django sources:

正如Thane Brimhall在评论中提到的那样，您应该检查您的身份验证后端。你可以在django sources中找到关于用户模型的has_perm方法的评论：

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

如果用户具有指定的权限，则返回True。此方法查询所有可用的auth后端，但如果任何后端返回True，则立即返回。因此，假定具有来自单个认证后端的许可的用户通常具有许可。

Also don't forget to check user groups. Default backend checks for user groups permissions thus it may be connected.

另外不要忘记检查用户组。默认后端检查用户组权限，因此可以连接。

#1