From dfcc662cf8fd7f897ddcdfeaf5cb4ae6c963ebf8 Mon Sep 17 00:00:00 2001 From: Harsh Jain <131331439+Hj-codes@users.noreply.github.com> Date: Thu, 6 Nov 2025 03:26:15 +0530 Subject: Fixed #36709 -- Included static methods in system check for UserModel.is_anonymous/is_authenticated methods. --- tests/auth_tests/test_checks.py | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'tests') diff --git a/tests/auth_tests/test_checks.py b/tests/auth_tests/test_checks.py index 3d70451e9d..19e9fadded 100644 --- a/tests/auth_tests/test_checks.py +++ b/tests/auth_tests/test_checks.py @@ -206,6 +206,45 @@ class UserModelChecksTests(SimpleTestCase): ], ) + @override_settings(AUTH_USER_MODEL="auth_tests.VulnerableStaticUser") + def test_is_anonymous_authenticated_static_methods(self): + """ + .is_anonymous/is_authenticated must not be static methods. + """ + + class VulnerableStaticUser(AbstractBaseUser): + username = models.CharField(max_length=30, unique=True) + USERNAME_FIELD = "username" + + @staticmethod + def is_anonymous(): + return False + + @staticmethod + def is_authenticated(): + return False + + errors = checks.run_checks(app_configs=self.apps.get_app_configs()) + self.assertEqual( + errors, + [ + checks.Critical( + "%s.is_anonymous must be an attribute or property rather than " + "a method. Ignoring this is a security issue as anonymous " + "users will be treated as authenticated!" % VulnerableStaticUser, + obj=VulnerableStaticUser, + id="auth.C009", + ), + checks.Critical( + "%s.is_authenticated must be an attribute or property rather " + "than a method. Ignoring this is a security issue as anonymous " + "users will be treated as authenticated!" % VulnerableStaticUser, + obj=VulnerableStaticUser, + id="auth.C010", + ), + ], + ) + @isolate_apps("auth_tests", attr_name="apps") @override_system_checks([check_models_permissions]) -- cgit v1.3