
Django: user.has_perm always true and user is not superuser. Why?

I assigned a permission to a user in my Django 1.5 app. When I list all user permissions with

In [1]: user.get_all_permissions()
Out[1]: set([u'profile.change_profile'])

I can see one permission (which is correct and wanted). The user is also not a superuser, not an admin.

In [2]: user.is_superuser
Out[2]: False

However, if I try to use user.has_perm, I always get True as a return for any submitted permission request.

In [3]: user.has_perm('random_permission')
Out[3]: True

This is behaviour I would expect if the user were a superuser/admin. Why is a non-superuser always getting True for every request? Did I miss any setting?

neurix asked May 07 '13 21:05


1 Answer

As mentioned in the comment by Thane Brimhall, you should check your authentication backends. You can find this comment on the has_perm method of the User model in the Django sources:

Returns True if the user has the specified permission. This method queries all available auth backends, but returns immediately if any backend returns True. Thus, a user who has permission from a single auth backend is assumed to have permission in general.

Also, don't forget to check user groups. The default backend checks user group permissions, so it may be connected.

sepulchered answered Oct 21 '22 14:10
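The "any backend returns True" behaviour quoted in the answer, as an added example that is not part of the original post or of Django's source: a simplified model of the check plus an audit helper that names which backend grants a permission nobody should hold. The backend classes, the user name and the canary permission string are constructed for illustration; in a real project the backends list would come from django.contrib.auth.get_backends().

```python
# Simplified model of how has_perm consults auth backends (not Django's source).
# All classes, names and sample data below are constructed for this example.


class StoredPermsBackend:
    """Stand-in for a backend that checks explicitly stored permissions."""

    def __init__(self, perms_by_user):
        self.perms_by_user = perms_by_user

    def has_perm(self, user, perm, obj=None):
        return perm in self.perms_by_user.get(user, set())


class PermissiveBackend:
    """Stand-in for a misbehaving backend that grants every permission."""

    def has_perm(self, user, perm, obj=None):
        return True


class AuthOnlyBackend:
    """Backend that only authenticates; it has no has_perm and is skipped."""

    def authenticate(self, **credentials):
        return None


def has_perm(user, perm, backends):
    """True as soon as any backend grants the permission."""
    return any(b.has_perm(user, perm) for b in backends if hasattr(b, "has_perm"))


def granting_backends(user, perm, backends):
    """Names of every backend that grants `perm` to `user`."""
    return [type(b).__name__ for b in backends
            if hasattr(b, "has_perm") and b.has_perm(user, perm)]


def audit(user, backends, canary="canary_app.perm_that_does_not_exist"):
    """A canary permission that no one holds should be granted by no backend."""
    return granting_backends(user, canary, backends)


if __name__ == "__main__":
    stored = StoredPermsBackend({"alice": {"profile.change_profile"}})
    backends = [stored, AuthOnlyBackend(), PermissiveBackend()]
    print(has_perm("alice", "random_permission", backends))
    print(audit("alice", backends))
    print(audit("alice", [stored, AuthOnlyBackend()]))
```

A non-empty audit result points at the backend to review; an empty one means the unexpected grant comes from stored data such as group permissions.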