authorAdam Johnson <me@adamj.eu>2025-09-11 10:09:53 +0100
committerGitHub <noreply@github.com>2025-09-11 11:09:53 +0200
commit41bc48ac1ed1d515977ebe965993b1ef83eafd02 (patch)
treec52dff9c2024d704e06ae6fc7816870022c7f08c
parent46fdeb1373aa7e9089d14440987444493cc9c2e0 (diff)
Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.
-rw-r--r--django/contrib/auth/middleware.py4
-rw-r--r--tests/auth_tests/test_middleware.py18
2 files changed, 20 insertions, 2 deletions
diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py
index 297a8a83b2..df4c0d41da 100644
--- a/django/contrib/auth/middleware.py
+++ b/django/contrib/auth/middleware.py
@@ -51,10 +51,10 @@ class LoginRequiredMiddleware(MiddlewareMixin):
redirect_field_name = REDIRECT_FIELD_NAME
def process_view(self, request, view_func, view_args, view_kwargs):
- if request.user.is_authenticated:
+ if not getattr(view_func, "login_required", True):
return None
- if not getattr(view_func, "login_required", True):
+ if request.user.is_authenticated:
return None
return self.handle_no_permission(request, view_func)
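Review bot: The order of the two checks in `process_view` now matters, but nothing in the code says so, and only the query-count tests would catch a later cleanup that swaps them back. The accompanying tests indicate that evaluating `request.user.is_authenticated` is what triggers the session and user lookups, so I would add a comment above the first check, e.g. `# Check the view's opt-out first: accessing request.user may hit the database.` The same comment could note that `getattr(view_func, "login_required", True)` defaults to `True` on purpose, so a view without the attribute stays protected.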
diff --git a/tests/auth_tests/test_middleware.py b/tests/auth_tests/test_middleware.py
index e7e5d3b4dc..5e106d40f7 100644
--- a/tests/auth_tests/test_middleware.py
+++ b/tests/auth_tests/test_middleware.py
@@ -206,3 +206,21 @@ class TestLoginRequiredMiddleware(TestCase):
def test_get_redirect_field_name_default(self):
redirect_field_name = self.middleware.get_redirect_field_name(lambda: None)
self.assertEqual(redirect_field_name, REDIRECT_FIELD_NAME)
+
+ def test_public_view_logged_in_performance(self):
+ """
+ Public views don't trigger fetching the user from the database.
+ """
+ self.client.force_login(self.user)
+ with self.assertNumQueries(0):
+ response = self.client.get("/public_view/")
+ self.assertEqual(response.status_code, 200)
+
+ def test_protected_view_logged_in_performance(self):
+ """
+ Protected views do trigger fetching the user from the database.
+ """
+ self.client.force_login(self.user)
+ with self.assertNumQueries(2): # session and user
+ response = self.client.get("/protected_view/")
+ self.assertEqual(response.status_code, 200)
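Review bot: `assertNumQueries(2)` in `test_protected_view_logged_in_performance` ties the test to a database-backed session store. Under a different `SESSION_ENGINE` the count would presumably change, and the test would fail for a reason unrelated to the middleware. If the test settings do not already guarantee the db backend, pin it on the test with `@override_settings(SESSION_ENGINE="django.contrib.sessions.backends.db")`. Both new tests use a logged-in client only. The redirect of an anonymous request to a protected view is presumably asserted elsewhere in the class, outside this hunk, and that is the case that keeps the reorder from becoming an access-control regression.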