Django

How to differentiate access rights in Django?

Added a new user (except for the superuser), created a group, added to this group the rights to view only + 1 model to change. Added this group to the created user. As far as I understand, now this user has only these rights. There is an authorization view:

def userlogin(request):

    form = LoginForm()

    if request.method == 'POST':

        logout(request)

        username = request.POST.get('u')
        password = request.POST.get('p')

        print(username+'    '+password)

        now_user = authenticate(username=username, password=password)
        if now_user is not None:
            if now_user.is_active:
                login(request, now_user)
                print('пользователь успешно залогинелся')
                return redirect('index')

    return render(request, 'mainapp/login.html', {'form': form})

After entering the login and password on the login page, there is a redirect to the main page (when you try to enter Django admin - Django asks you to enter the login and password from the admin - so I understand that the current user is no longer a superuser).
Now, to restrict the user, I added a decorator before the view function:

…
from django.contrib.auth.decorators import login_required
…

@login_required
def edit_question(request, element, element_id):

In this function, changes are made to the model to which the user does not have rights to change. What am I doing wrong?