Django resets user permissions
I am building a site using React for the frontend and Django for the backend. The login page sends a request to this view function when the login button is pressed.
    from django.contrib.auth import authenticate, login
    from rest_framework.decorators import api_view
    from rest_framework.response import Response

    @api_view(['POST'])
    def api_authenticate_login_view(request):
        body = request.data
        username = body['username']
        password = body['password']
        # Runs through AUTHENTICATION_BACKENDS in order; None means no backend accepted the credentials
        user = authenticate(request, username=username, password=password)
        if user is not None:
            login(request, user)
            content = {"authenticated": True}
            return Response(content)
        else:
            content = {"authenticated": False}
            return Response(content)
When trying to access any other page in the site, a request is first sent to this view function to make sure the user is logged in.
    from rest_framework.decorators import api_view
    from rest_framework.response import Response

    @api_view(['GET'])
    def api_is_authenticated_view(request):
        # request.user is populated by AuthenticationMiddleware from the session
        if request.user.is_authenticated:
            content = {"authenticated": True}
            return Response(content)
        else:
            content = {"authenticated": False}
            return Response(content)
If it returns false they are redirected to the login page.
The issue is that this works great for most of our users, but for a select few, their user permissions in the provided Django admin page are constantly reset. What I mean by that is, in the user section of the Django admin page, you can select a user and see their permissions. On our page this shows a tick box next to the tags Active, Staff status, Superuser, and others (see image link below).
For some of the users, these boxes are unchecked, meaning they cannot log in as the user is inactive. In other words, the user will come back as None in the api_authenticate_login_view function.
This should be as simple a fix as going in and checking the boxes to give them access. However, when I do that, they will successfully be logged in, but when they try to access the home page immediately after, the authentication check via the api_is_authenticated_view function returns false.
What I've found is happening is that as soon as they log in, their Django permissions are immediately reset by unchecking the Active and Staff status tags.
There is no difference between these users and the other users for whom this works. I've tried making them superusers, restarting the Django server, having them try different browsers, checking that they aren't doing anything different with cookies, all to no avail. No matter how many times I set them to Active and give them Staff status, as soon as they try to log in they get reset. I can't find anything online to help me figure out why this is happening.
Here is what we have for the authentication backend and middleware in settings.py:
    MIDDLEWARE = [
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.common.CommonMiddleware',
    ]

    AUTHENTICATION_BACKENDS = [
        "django_auth_ldap.backend.LDAPBackend",
        "django.contrib.auth.backends.ModelBackend",
    ]
Thanks so much for your time and help.
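Added example, not the poster's code and not django_auth_ldap's own: a stand-alone Python model of the two-backend chain in the settings above. One documented behaviour produces exactly this symptom when django_auth_ldap's LDAPBackend sits first in AUTHENTICATION_BACKENDS: with AUTH_LDAP_USER_FLAGS_BY_GROUP configured and AUTH_LDAP_ALWAYS_UPDATE_USER at its default of True, every successful LDAP login recomputes is_active, is_staff and is_superuser from the user's LDAP group membership, so boxes ticked in the admin are overwritten the next time that user logs in. The model below reproduces that flow. The directory, group DNs, usernames and passwords are constructed; the session re-read on the next request is modelled on ModelBackend's rejection of inactive users (an assumption about this deployment); and flag_mismatches() is the check to run before editing anyone in the admin, since it lists the users whose admin flags disagree with their directory groups.

```python
"""Constructed, stand-alone model of Django's backend chain. It imports
neither Django nor django_auth_ldap; every username, password and group DN
below is made up for the example."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False


# Same shape as django_auth_ldap's AUTH_LDAP_USER_FLAGS_BY_GROUP setting: a
# boolean User field -> the DN of the group whose membership decides it.
# These DNs are assumptions for the example.
FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=admins,ou=groups,dc=example,dc=com",
}
# Constructed directory: alice is in the groups she needs, bob is in none.
DIRECTORY = {
    "alice": {"password": "alice-pw",
              "groups": {FLAGS_BY_GROUP["is_active"], FLAGS_BY_GROUP["is_staff"]}},
    "bob": {"password": "bob-pw", "groups": set()},
}


class DirectoryBackend:
    """LDAP-style backend: a successful bind returns the user, and on every
    login the flags are recomputed from group membership (always-update),
    so anything ticked in the admin is overwritten."""
    def __init__(self, directory, flags_by_group):
        self.directory = directory
        self.flags_by_group = flags_by_group

    def authenticate(self, users, username, password):
        entry = self.directory.get(username)
        if entry is None or entry["password"] != password:
            return None
        user = users.setdefault(username, User(username))
        for flag, group_dn in self.flags_by_group.items():
            setattr(user, flag, group_dn in entry["groups"])
        return user


class LocalBackend:
    """ModelBackend-style fallback: local passwords, rejects inactive users."""
    def __init__(self, passwords):
        self.passwords = passwords

    def authenticate(self, users, username, password):
        user = users.get(username)
        if user is None or self.passwords.get(username) != password:
            return None
        return user if user.is_active else None


def authenticate(backends, users, username, password):
    """Django semantics: backends are tried in order, the first user wins."""
    for backend in backends:
        user = backend.authenticate(users, username, password)
        if user is not None:
            return user
    return None


def session_user(users, username):
    """Session re-read on the next request, modelled on ModelBackend's
    user_can_authenticate: an inactive user loads as nobody (assumption)."""
    user = users.get(username)
    return user if user is not None and user.is_active else None


def login_then_check(backends, users, username, password):
    """Returns (login succeeded, still authenticated on the next request)."""
    user = authenticate(backends, users, username, password)
    if user is None:
        return False, False
    return True, session_user(users, user.username) is not None


def flag_mismatches(users, directory, flags_by_group):
    """Defender's check: which admin-set flags will the next login overwrite?"""
    out = {}
    for name, user in users.items():
        entry = directory.get(name)
        if entry is None:
            continue
        diffs = [flag for flag, dn in flags_by_group.items()
                 if getattr(user, flag) != (dn in entry["groups"])]
        if diffs:
            out[name] = diffs
    return out


def demo():
    users = {}
    backends = [DirectoryBackend(DIRECTORY, FLAGS_BY_GROUP), LocalBackend({})]
    alice = login_then_check(backends, users, "alice", "alice-pw")
    # The admin "fix": tick Active and Staff status for bob by hand.
    users["bob"] = User("bob", is_active=True, is_staff=True)
    pending = flag_mismatches(users, DIRECTORY, FLAGS_BY_GROUP)
    bob = login_then_check(backends, users, "bob", "bob-pw")
    return alice, pending, bob, (users["bob"].is_active, users["bob"].is_staff)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows alice logging in and staying authenticated, bob's admin-set flags flagged as pending overwrites, then bob's login succeeding at the bind step while the next request already sees him inactive, which is the sequence described in the question. If the real deployment matches this model, the durable fix is to grant the flags through the directory groups named in AUTH_LDAP_USER_FLAGS_BY_GROUP (or to drop the flag from that mapping) rather than in the admin, and to keep a mismatch report like flag_mismatches() in the deployment checks so admin edits that the next login will undo are caught early.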