I am writing a view only for staff users.

from django.http import HttpResponse

def my_view(request):
    if request.user.is_staff:
        # show something to staff
        return HttpResponse("staff-only content")
    else:
        return my_view_404(request)

Is this permission check enough? Any flaw? Or should I check request.user.is_authenticated()?


Solution

You do not need to check is_authenticated(). Non-authenticated users will have an AnonymousUser object in request.user, and that type of object should respond False to all is_staff checks without exception.

Other tips

No need as request.user.is_staff will check both authentication and staff status.
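As an added example (not code from the question or the answers), here is the same check written as a reusable decorator in pure Python, using constructed stand-ins for Django's AnonymousUser and User objects so it runs without Django. It also applies the is_active test that Django's own staff_member_required decorator uses, so a deactivated staff account is refused as well.

```python
from dataclasses import dataclass
from functools import wraps


# Constructed stand-ins for Django's AnonymousUser and User: only the
# attributes the staff check relies on are modelled. Real AnonymousUser
# reports False for is_authenticated, is_active and is_staff.
@dataclass(frozen=True)
class AnonymousUser:
    is_authenticated: bool = False
    is_active: bool = False
    is_staff: bool = False


@dataclass(frozen=True)
class User:
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_authenticated: bool = True  # present, but never consulted below


@dataclass(frozen=True)
class Request:
    user: object


def my_view_404(request):
    # Stand-in for the 404 response the question's view returns to non-staff.
    return 404


def staff_only(view):
    """Allow the wrapped view only for active staff users.

    Uses the same predicate as Django's staff_member_required
    (u.is_active and u.is_staff). Anonymous users fail because their
    is_staff is False; the is_active clause additionally rejects a staff
    account that has been deactivated but still holds a session.
    """
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if user.is_active and user.is_staff:
            return view(request, *args, **kwargs)
        return my_view_404(request)
    return wrapper


@staff_only
def my_view(request):
    return 200  # "show something to staff"


def check_access(user):
    """Run my_view for the given user and return the status it produced."""
    return my_view(Request(user=user))
```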

Licensed under: CC-BY-SA with attribution