Django Custom ChangeUserForm setting is_active, is_staff, and is_superuser to False

I have a custom ChangeUserForm (ModelForm on User) that allows a user to update their account information.

However, when I save the form, user.is_active, user.is_staff and user.is_superuser all get set to False.

Any thoughts on what's going on here?

forms.py

class UserChangeForm(forms.ModelForm):
    username = forms.RegexField(label="Username", max_length=30, regex=r'^[\w.@+-]+$',
        help_text = "Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.",
        error_messages = {'invalid': "This value may contain only letters, numbers and @/./+/-/_ characters."})
    first_name = forms.CharField(label="First name", max_length=30)
    last_name = forms.CharField(label="Last name", max_length=30)
    email = forms.EmailField(label="E-mail Address")
    new_password1 = forms.CharField(label="New password", widget=forms.PasswordInput, required=False)
    new_password2 = forms.CharField(l开发者_JAVA百科abel="Confirm new password", widget=forms.PasswordInput, required=False)

    class Meta(auth_forms.UserChangeForm):
        model = User
        exclude = ('password', 'last_login', 'date_joined')

    def clean_new_password2(self):
        password1 = self.cleaned_data.get('new_password1')
        password2 = self.cleaned_data.get('new_password2')

        if password1 != password2:
            raise forms.ValidationError("The two password fields didn't match.")
        else:
            if len(password2) > 0 and len(password2) < 8:
                raise forms.ValidationError("Your password must be a minimum of 8 characters.")
        return password2

    def save(self, commit=True):
        user = super(UserChangeForm, self).save(commit=False)
        if len(self.cleaned_data['new_password2']) > 0:
            user.set_password(self.cleaned_data['new_password2'])
        if commit:
            user.save()
        return user

    class UserProfileForm(forms.ModelForm):
        class Meta:
            model = UserProfile
            exclude = ('user')

views.py

@login_required
def profile(request):
    context = {}
    if request.method == 'POST':
        user_form = UserChangeForm(request.POST, instance = request.user)
        user_profile_form = UserProfileForm(request.POST, instance = request.user.profile)
        if user_form.is_valid() and user_profile_form.is_valid():
            user_form.save()
            user_profile_form.save()

            return render_to_response('accounts_profile_complete.html', context_instance=RequestContext(request))
    else:
        user_form = UserChangeForm(instance = request.user)
        user_profile_form = UserProfileForm(instance = request.user.profile)
    context.update(csrf(request))
    context['user_form'] = user_form
    context['user_profile_form'] = user_profile_form

    return render_to_response('accounts_profile.html', context, context_instance=RequestContext(request))

Just a guess: they aren't on the exclusion list in the Meta class so they're being set to false (boolean fields like those use a checkbox, which doesn't show up in POST data when unchecked). The form can't tell the difference between a boolean form field set to false and one that isn't on the page in the first place so you need to explicitly exclude them.