
Django Admin - Permissions Not Picking Up for Staff

I think I'm missing something here. I have one Django project (Django 1.6, Ubuntu box) with several apps in it, and I want one user to manage one specific app. It should be straightforward: select the user, mark him/her as is_staff and add the app's permissions. But that's not working.

It's important to note that I'm using a custom Authentication Middleware to authenticate with our SSO Server. The authentication is working fine. The permissions are not.

In my settings.py I have:

```python
MIDDLEWARE_CLASSES = (
    # [...]
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'middlewares.sso.SsoMiddleware',  # My Custom Auth Middleware
    'django.contrib.auth.backends.ModelBackend',
    # [...]
)
```

Anyway, my problem is:

  1. When the user accesses the application for the first time, he/she is added to the User table;
  2. I go to the Admin Interface and mark that user as is_staff. He is already marked as is_active.
  3. The user can now get into the Admin Interface.
  4. However, when I add permissions to him, he/she still gets the "No permissions" message.
  5. The only way that my user has access to the app is when I mark him as super_user, but of course he/she can then see and change all apps, which is not what I aim for.

I have a feeling that my custom Auth Middleware is the culprit, but I'm not sure, nor do I know how to fix it.

Any help will be immensely appreciated.

Edit 1: process_request() code:

The process_request() function on my sso.middleware:

```python
# Imports needed by the method below (Python 2 / Django 1.6)
import urllib2

from django.contrib.auth import authenticate, login
from django.core.exceptions import ImproperlyConfigured


def process_request(self, request):
    # AuthenticationMiddleware must have run before this middleware
    if not hasattr(request, 'user'):
        raise ImproperlyConfigured()
    if "BBSSOToken" not in request.COOKIES:
        return self.redireciona_login(request)
    else:
        token = request.COOKIES["BBSSOToken"]  # check token on cookies
        if token is not None:
            sso_server = "http://address.to.my.sso.server/sso/identity/attributes"
            try:
                opener = urllib2.build_opener()
                resposta = opener.open("%s?subjectid=%s" % (sso_server, token)).read()
                matricula = self.get_atributo(resposta, "userdetails.attribute.name=uid").upper()  # user id
                nome = self.get_atributo(resposta, "userdetails.attribute.name=nm-idgl").upper()  # name

                user = authenticate(username=matricula)
                request.user = user
                login(request, user)
            except urllib2.HTTPError as err:
                if err.code == 401:
                    return self.redireciona_login(request)  # redirects to sso login page
                else:
                    raise

            return
        else:
            return self.redireciona_login(request)  # redirects to sso login page
```
aldux asked Mar 20 '23 00:03


1 Answer

Your problem was this:

'django.contrib.auth.backends.ModelBackend' should not be in MIDDLEWARE_CLASSES

...it should be in AUTHENTICATION_BACKENDS instead.

Since there was no appropriate auth backend in AUTHENTICATION_BACKENDS no permissions for users were being recognised.

Anentropic answered Apr 01 '23 09:04
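
The symptom in the question (staff user denied, superuser allowed) follows from how permission checks are dispatched to the configured authentication backends. The block below is an added example, not code from the original post or from Django itself: it is a simplified pure-Python model of that dispatch, and `SsoBackend`, `ModelLikeBackend`, `misplaced_backends`, the user names and the `polls.change_poll` permission are all assumptions made for illustration.

```python
# Simplified stand-in for Django's permission dispatch (an assumption of this
# example): User.has_perm() asks each AUTHENTICATION_BACKENDS entry in turn.

class SsoBackend(object):
    """Hypothetical SSO backend: it authenticates but defines no has_perm()."""
    def authenticate(self, username=None):
        return username

class ModelLikeBackend(object):
    """Stand-in for ModelBackend: answers has_perm() from stored grants."""
    def has_perm(self, user, perm):
        return user.is_active and perm in user.granted

class User(object):
    def __init__(self, name, granted=(), is_superuser=False):
        self.name = name
        self.granted = set(granted)
        self.is_active = True
        self.is_staff = True
        self.is_superuser = is_superuser

    def has_perm(self, perm, backends):
        # Active superusers short-circuit, so no backend is consulted.
        if self.is_active and self.is_superuser:
            return True
        # Everyone else needs some configured backend to answer has_perm().
        return any(b.has_perm(self, perm)
                   for b in backends if hasattr(b, "has_perm"))

def misplaced_backends(middleware_classes):
    """Return dotted paths in the middleware list that name an auth backend."""
    return [p for p in middleware_classes if ".backends." in p]

# Constructed sample data (user names and permission are made up).
QUESTION_MIDDLEWARE = (
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "middlewares.sso.SsoMiddleware",
    "django.contrib.auth.backends.ModelBackend",  # wrong setting
)
BACKENDS_BEFORE = [SsoBackend()]                     # no permission backend
BACKENDS_AFTER = [SsoBackend(), ModelLikeBackend()]  # ModelBackend restored
staff = User("STAFF01", granted=["polls.change_poll"])
admin = User("ADMIN01", is_superuser=True)

if __name__ == "__main__":
    print(misplaced_backends(QUESTION_MIDDLEWARE))
    for label, backends in (("before", BACKENDS_BEFORE), ("after", BACKENDS_AFTER)):
        print(label, staff.has_perm("polls.change_poll", backends),
              admin.has_perm("polls.change_poll", backends))
```

Run against a real project, the same idea reduces to checking that no `*.backends.*` path appears in `MIDDLEWARE_CLASSES` and that at least one entry in `AUTHENTICATION_BACKENDS` implements `has_perm`.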