Diffstat (limited to 'tests/auth_tests')
-rw-r--r--tests/auth_tests/test_checks.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/tests/auth_tests/test_checks.py b/tests/auth_tests/test_checks.py
index 3d70451e9d..19e9fadded 100644
--- a/tests/auth_tests/test_checks.py
+++ b/tests/auth_tests/test_checks.py
@@ -206,6 +206,45 @@ class UserModelChecksTests(SimpleTestCase):
],
)
+ @override_settings(AUTH_USER_MODEL="auth_tests.VulnerableStaticUser")
+ def test_is_anonymous_authenticated_static_methods(self):
+ """
+ <User Model>.is_anonymous/is_authenticated must not be static methods.
+ """
+
+ class VulnerableStaticUser(AbstractBaseUser):
+ username = models.CharField(max_length=30, unique=True)
+ USERNAME_FIELD = "username"
+
+ @staticmethod
+ def is_anonymous():
+ return False
+
+ @staticmethod
+ def is_authenticated():
+ return False
+
+ errors = checks.run_checks(app_configs=self.apps.get_app_configs())
+ self.assertEqual(
+ errors,
+ [
+ checks.Critical(
+ "%s.is_anonymous must be an attribute or property rather than "
+ "a method. Ignoring this is a security issue as anonymous "
+ "users will be treated as authenticated!" % VulnerableStaticUser,
+ obj=VulnerableStaticUser,
+ id="auth.C009",
+ ),
+ checks.Critical(
+ "%s.is_authenticated must be an attribute or property rather "
+ "than a method. Ignoring this is a security issue as anonymous "
+ "users will be treated as authenticated!" % VulnerableStaticUser,
+ obj=VulnerableStaticUser,
+ id="auth.C010",
+ ),
+ ],
+ )
+
@isolate_apps("auth_tests", attr_name="apps")
@override_system_checks([check_models_permissions])