Django User.is_authenticated may not do what you think
User.is_authenticated may not behave as you expect. When exploring some model relationships, I was surprised
that every user in the system seemed to be authenticated.
>>> from .models import User >>> User.objects.first().is_authenticated True
Initially, I was confused as to why this was the case, thinking this implied the user had a current session within the system.
Looking at the code quickly explained why this was the case:
class AbstractBaseUser(models.Model): ... @property def is_anonymous(self): """ Always return False. This is a way of comparing User objects to anonymous users. """ return False @property def is_authenticated(self): """ Always return True. This is a way to tell if the user has been authenticated in templates. """ return True
This makes sense once you consider the context that this method is expected to be used in: within Django’s session when rendering templates. It is there to determine whether the user has authenticated themself to the system, and proven their identity within that session. Outside of that context, it probably shouldn’t be used.
This is covered in the documentation:
Read-only attribute which is always True (as opposed to AnonymousUser.is_authenticated which is always False). This is a way to tell if the user has been authenticated. This does not imply any permissions and doesn’t check if the user is active or has a valid session.
It serves as a reminder that implementation details may conflict with our initial expectations.