Does that mean either django.contrib.auth.authenticate and django.contrib.auth.login saves the auth backend that was used in the user’s session?
Also, when does the auth backend get reused? Isn’t a session ID saved in the database when the user logs in so that we don’t have to authenticate every time?
The permissions given to the user will be the superset of all permissions returned by all backends. That is, Django grants a permission to a user that any one backend grants.
Does that mean an authenticated user has all the possible permissions set in each backend? When BackendA matches the user but BackendB sets PermissionA, will the user have the PermissionA? If yes, I thought processing backends during authentication stops when a user is authenticated or PermissionDenied is returned?
Also, how is permission checked? Does Django go straight to the auth backends?
And, when are permissions cached? Is it for the very first time we check for a permission of a user and it caches all the possible permissions? If no, then why do we have to refetch the user if we add a new permission to it?