don't assume request.user (#34)

* don't assume request.user * actually test that it worked
2016-10-05 03:53:02 -04:00 · 2016-10-05 03:53:02 -04:00 · 88d1b14c7e
--- a/session_csrf/init.py
+++ b/session_csrf/init.py
@ -39,10 +39,13 @@ def prep_key(key):


 def is_user_authenticated(request):
+    user = getattr(request, 'user', None)
+    if not user:
+        return False
    if DJANGO_VERSION < (1, 10, 0):
-        return request.user.is_authenticated()
+        return user.is_authenticated()
    else:
-        return request.user.is_authenticated
+        return user.is_authenticated

 # Inherit from deprecation.MiddlewareMixin to ensure it works
 # with the new style middleware in Django 1.10 - see
--- a/session_csrf/tests.py
+++ b/session_csrf/tests.py
@ -163,6 +163,13 @@ class TestCsrfMiddleware(django.test.TestCase):
            ctx.update(processor(request))
        self.assertEqual(ctx['csrf_token'], self.token)

+    def test_process_view_without_authentication_middleware(self):
+        # No request.user
+        # Same as would happen if you never use the built-in
+        # AuthenticationMiddleware.
+        request = self.rf.get('/')
+        self.assertEqual(self.mw.process_request(request), None)
+

 class TestAnonymousCsrf(django.test.TestCase):
    urls = 'session_csrf.tests'