diff --git a/kallithea/controllers/admin/auth_settings.py b/kallithea/controllers/admin/auth_settings.py
--- a/kallithea/controllers/admin/auth_settings.py
+++ b/kallithea/controllers/admin/auth_settings.py
@@ -107,6 +107,9 @@ class AuthSettingsController(BaseControl
         try:
             new_enabled_plugins = _auth_plugins_validator.to_python(request.POST.get('auth_plugins'))
         except formencode.Invalid:
+            # User provided an invalid plugin list. Just fall back to
+            # the list of currently enabled plugins. (We'll re-validate
+            # and show an error message to the user, below.)
             pass
         else:
             # Hide plugins that the user has asked to be disabled, but
diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -235,7 +235,7 @@ class LoginController(BaseController):
 
     def authentication_token(self):
         """Return the CSRF protection token for the session - just like it
-        could have been screen scrabed from a page with a form.
+        could have been screen scraped from a page with a form.
         Only intended for testing but might also be useful for other kinds of
         automation.
         """
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -472,6 +472,8 @@ class AuthUser(object):
     to the default anonymous user (if enabled). It's up to other parts
     of the code to check e.g. if a supplied password is correct, and if
     so, set `is_authenticated` to True.
+
+    However, `AuthUser` does refuse to load a user that is not `active`.
     """
 
     def __init__(self, user_id=None, api_key=None, username=None,
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
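Review bot: The new comment in the `except formencode.Invalid:` branch promises a fall-back to the currently enabled plugins, but the branch itself only executes `pass`, so the fallback can only be an assignment to `new_enabled_plugins` made before the `try`, which is outside this hunk. If that assignment exists, pointing the reader at it makes the comment checkable; if it does not, the code after the `try` would hit an unbound name whenever an admin submits an invalid plugin list. Suggested wording: `# Invalid plugin list submitted: keep the pre-try value of new_enabled_plugins (the currently enabled plugins); the form is re-validated and the error shown below.` The enclosing method starts before and continues after the hunk.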
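Review bot: The docstring of `authentication_token` explains the endpoint is for testing and automation but does not record the condition under which handing out the session's CSRF token is safe: the response must only be readable by the same origin that owns the session, since any cross-origin page that can read it no longer has to guess the token. Suggested addition after the "automation." sentence: `The response must never be readable cross-origin (no permissive CORS, no JSONP); a third-party page that can read it defeats the CSRF protection.` The method body is outside the hunk, so whether any such exposure exists cannot be checked here.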
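Review bot: The added sentence says `AuthUser` refuses to load a user that is not `active`, but not what the caller observes instead - whether the object falls back to the anonymous user described just above, stays unpopulated with `is_authenticated` False, or raises - and that outcome is what authorization code relies on. The docstring should name it explicitly, e.g. `An inactive user is handled like a failed lookup: <observed outcome - confirm against __init__>`, with the placeholder replaced by the actual behaviour. `__init__` starts in the hunk but its body is outside it, so the outcome cannot be verified here.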
@@ -378,8 +378,8 @@ class BaseController(WSGIController):
     @staticmethod
     def _determine_auth_user(api_key, session_authuser):
         """
-        Create an `AuthUser` object given the IP address of the request, the
-        API key (if any), and the authuser from the session.
+        Create an `AuthUser` object given the API key (if any) and the
+        value of the authuser session cookie.
         """
 
         # Authenticate by API key
diff --git a/kallithea/model/user.py b/kallithea/model/user.py
--- a/kallithea/model/user.py
+++ b/kallithea/model/user.py
@@ -333,10 +333,8 @@ class UserModel(BaseModel):
     def fill_data(self, auth_user, user_id=None, api_key=None, username=None):
         """
-        Fetches auth_user by user_id,or api_key if present.
+        Fetches auth_user by user_id, api_key or username, if present.
         Fills auth_user attributes with those taken from database.
-        Additionally sets is_authenticated if lookup fails
-        present in database
 
         :param auth_user: instance of user to set attributes
         :param user_id: user id to fetch by
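Review bot: The rewritten docstring describes `session_authuser` as "the value of the authuser session cookie", which reads as if the function works from client-supplied data; the trust boundary should be stated, because an `AuthUser` built from an unverified cookie value would let the client choose who it is. If the session is server-side or a signed cookie validated by the session layer, say so; if it is a plain cookie value, the function must not trust it. Suggested parameter lines for the docstring: `:param api_key: API key from the request, if any` and `:param session_authuser: the authuser entry from the session, which is trusted only because the session layer has already validated it - confirm against the session configuration`. The function body after `# Authenticate by API key` is outside the hunk.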