bmispelon, 13 days ago

@kfh not sure if you wanted a reply, or just to rant.

In case it was option 2, feel free to ignore this message 😁

If it was option 1, then superuser doesn't imply staff, the two are independent.

Superuser is about the permission system : user.has_perm(...) will always be True for a superuser.

kfh, 12 days ago

@bmispelon heh, mostly ranting :)

We've got an identity-aware proxy in our k8s cluster which passes user data (i.e. name, e-mail, groups) along to the Django app as request headers. These are used to get_or_create (and log in) an Employee object, which is our user model, in middleware.

is_staff will be set from is_superuser in the save() method of Employee, and I've verified that both fields are are True in the DB, but I'm still denied access...

Works well locally, outside the cluster, though

kfh, 10 days ago

@bmispelon Turns out that my user in the dev cluster evaluated is_active to False, and flipping that solved the issue :)

bmispelon, 9 days ago

@kfh Ah yes, that would do it 😁