issue involving django admin rights for non superuser accounts

Question

I'm currently experiencing an issue with a project using django 1.3.1 and it's admin interface (just your friendly neighborhood django.contrib.admin). The project's been going on for a while, and the only accounts with staff status have always been superuser accounts.

This has changed. The customer requested accounts with more granular permission settings. I tried setting this up by disabling the superuser status for the specified accounts, and manually setting the appropriate rights. The admin interface seems to completely ignore the manually specified rights when the user logs in. Even with all rights specified, the user is denied access to any content (though he can still log in to the admin interface).

this issue doesn't seem to be related to the django version, because i tried a quick temporary upgrade to 1.3.3 and even 1.4. No luck...

I have no problem sharing some of the project code to help trace the issue, but quite frankly I'm at a loss to figure out what the problem could be. I would greatly appreciate some pointers.

Answer 1

Here is an example of solving this issue based on yassam's answer above. The code I had that was causing the problem:

class MyCustomModelBackend(object):

    def authenticate(self, username=None, password=None):
        try:
            user = User.objects.get(username__iexact=username)
            if user.check_password(password):
                return user
        except User.DoesNotExist:
            return None

To solve this issue, update it to to derive from django.contrib.auth.backends.ModelBackend:

from django.contrib.auth.backends import ModelBackend

class MyCustomModelBackend(ModelBackend):

    def authenticate(self, username=None, password=None):
        try:
            user = User.objects.get(username__iexact=username)
            if user.check_password(password):
                return user
        except User.DoesNotExist:
            return None

Answer 2

Are you using your own authentication backend? If so, does your backend class derive from django.contrib.auth.backends.ModelBackend?

I discovered the same problem in my code today, and the problem turned out to be that my backend was derived from object. In particular, my backend didn't implement some of the functions used by the admin code (such as has_module_perms).

Either derive your backend from django.contrib.auth.backends.ModelBackend, or make sure that all the functions needed by the admin code are defined in your backend.