# HG changeset patch
# User Søren Løvborg
# Date 2015-09-03 17:08:19
# Node ID 3598e2a4e0511b71eba9a23f74b91f923c923a45
# Parent a041321d2aa1debf81cb0c38ba52dbd83837d4bd
auth: remove redundant is_authenticated check
It turns out the user.is_authenticated check is redundant, since it's True for both anonymous users and logged in users, and API key users are handled prior to the check.
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -763,10 +763,10 @@ class LoginRequired(object):
 # CSRF protection: Whenever a request has ambient authority (whether
 # through a session cookie or its origin IP address), it must include
 # the correct token, unless the HTTP method is GET or HEAD (and thus
- # guaranteed to be side effect free.
- # Note that the 'is_authenticated' flag is True for anonymous users too,
- # but not when the user is authenticated by API key.
- if user.is_authenticated and request.method not in ['GET', 'HEAD']:
+ # guaranteed to be side effect free. In practice, the only situation
+ # where we allow side effects without ambient authority is when the
+ # authority comes from an API key; and that is handled above.
+ if request.method not in ['GET', 'HEAD']:
 token = request.POST.get(secure_form.token_key)
 if not token or token != secure_form.authentication_token():
 log.error('CSRF check failed')
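Review bot: The token check kept on the new side, `token != secure_form.authentication_token()`, is a plain string comparison that short-circuits at the first differing byte; whether that timing is observable cross-origin is debatable, but the constant-time form `hmac.compare_digest(token, secure_form.authentication_token())` costs nothing (it needs `import hmac` and Python 2.7.7+/3.3+, so confirm the project's baseline). The rewritten comment also keeps a parenthesis that is opened on the preceding context line and never closed, and states "guaranteed to be side effect free" as a fact when it is an assumption about every GET/HEAD handler in the app; I would change the first added line to `# assumed to be side effect free). In practice, the only situation` so a reader knows a state-changing GET is unprotected by this check. Dropping `user.is_authenticated` is only safe if the API-key path really returns before this point, which is outside the hunk; if it falls through, API-key POSTs are now rejected (fail-closed, but a regression worth a test). The enclosing method of `LoginRequired` starts and ends outside the hunk, so what happens after `log.error('CSRF check failed')` is not visible here.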