Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.

2025-09-15 21:49:24 +00:00 · 2025-09-11 10:09:53 +01:00 · 2025-09-11 10:09:53 +01:00 · 41bc48ac1e
commit 41bc48ac1e
parent 46fdeb1373
2 changed files with 20 additions and 2 deletions
--- a/django/contrib/auth/middleware.py
+++ b/django/contrib/auth/middleware.py
@ -51,10 +51,10 @@ class LoginRequiredMiddleware(MiddlewareMixin):
    redirect_field_name = REDIRECT_FIELD_NAME

    def process_view(self, request, view_func, view_args, view_kwargs):
-        if request.user.is_authenticated:
+        if not getattr(view_func, "login_required", True):
            return None

-        if not getattr(view_func, "login_required", True):
+        if request.user.is_authenticated:
            return None

        return self.handle_no_permission(request, view_func)
--- a/tests/auth_tests/test_middleware.py
+++ b/tests/auth_tests/test_middleware.py
@ -206,3 +206,21 @@ class TestLoginRequiredMiddleware(TestCase):
    def test_get_redirect_field_name_default(self):
        redirect_field_name = self.middleware.get_redirect_field_name(lambda: None)
        self.assertEqual(redirect_field_name, REDIRECT_FIELD_NAME)
+
+    def test_public_view_logged_in_performance(self):
+        """
+        Public views don't trigger fetching the user from the database.
+        """
+        self.client.force_login(self.user)
+        with self.assertNumQueries(0):
+            response = self.client.get("/public_view/")
+        self.assertEqual(response.status_code, 200)
+
+    def test_protected_view_logged_in_performance(self):
+        """
+        Protected views do trigger fetching the user from the database.
+        """
+        self.client.force_login(self.user)
+        with self.assertNumQueries(2):  # session and user
+            response = self.client.get("/protected_view/")
+        self.assertEqual(response.status_code, 200)