don't assume request.user (#34)

* don't assume request.user * actually test that it worked

Author: Peter Bengtsson

session_csrf/__init__.py

@@ -39,10 +39,13 @@ def prep_key(key):
 
 
 def is_user_authenticated(request):
+ user = getattr(request, 'user', None)
+ if not user:
+ return False
  if DJANGO_VERSION < (1, 10, 0):
- return request.user.is_authenticated()
+ return user.is_authenticated()
  else:
- return request.user.is_authenticated
+ return user.is_authenticated
 
 # Inherit from deprecation.MiddlewareMixin to ensure it works
 # with the new style middleware in Django 1.10 - see

session_csrf/tests.py

@@ -163,6 +163,13 @@ def test_csrf_token_context_processor(self):
  ctx.update(processor(request))
  self.assertEqual(ctx['csrf_token'], self.token)
 
+ def test_process_view_without_authentication_middleware(self):
+ # No request.user
+ # Same as would happen if you never use the built-in
+ # AuthenticationMiddleware.
+ request = self.rf.get('/')
+ self.assertEqual(self.mw.process_request(request), None)
+
 
 class TestAnonymousCsrf(django.test.TestCase):
  urls = 'session_csrf.tests'