Refs #25847 -- Added system check for UserModel.is_anonymous/is_authenticated methods.

2025-08-03 02:23:12 +00:00 · 2016-05-05 12:42:19 -04:00 · 2016-05-05 12:42:19 -04:00 · 03efa304bc
commit 03efa304bc
parent b3acf35f13
3 changed files with 60 additions and 0 deletions
--- a/tests/auth_tests/test_checks.py
+++ b/tests/auth_tests/test_checks.py
@ -83,6 +83,39 @@ class UserModelChecksTests(SimpleTestCase):
                ),
            ])

+    @override_settings(AUTH_USER_MODEL='auth_tests.BadUser')
+    def test_is_anonymous_authenticated_methods(self):
+        """
+        <User Model>.is_anonymous/is_authenticated must not be methods.
+        """
+        class BadUser(AbstractBaseUser):
+            username = models.CharField(max_length=30, unique=True)
+            USERNAME_FIELD = 'username'
+
+            def is_anonymous(self):
+                return True
+
+            def is_authenticated(self):
+                return True
+
+        errors = checks.run_checks(app_configs=self.apps.get_app_configs())
+        self.assertEqual(errors, [
+            checks.Critical(
+                '%s.is_anonymous must be an attribute or property rather than '
+                'a method. Ignoring this is a security issue as anonymous '
+                'users will be treated as authenticated!' % BadUser,
+                obj=BadUser,
+                id='auth.C009',
+            ),
+            checks.Critical(
+                '%s.is_authenticated must be an attribute or property rather '
+                'than a method. Ignoring this is a security issue as anonymous '
+                'users will be treated as authenticated!' % BadUser,
+                obj=BadUser,
+                id='auth.C010',
+            ),
+        ])
+

@isolate_apps('auth_tests', attr_name='apps')
@override_system_checks([check_models_permissions])