Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.

Author: adamchainz

django/contrib/auth/middleware.py

@@ -51,10 +51,10 @@ class LoginRequiredMiddleware(MiddlewareMixin):
     redirect_field_name = REDIRECT_FIELD_NAME
 
     def process_view(self, request, view_func, view_args, view_kwargs):
-        if request.user.is_authenticated:
+        if not getattr(view_func, "login_required", True):
             return None
 
-        if not getattr(view_func, "login_required", True):
+        if request.user.is_authenticated:
             return None
 
         return self.handle_no_permission(request, view_func)

tests/auth_tests/test_middleware.py

@@ -206,3 +206,21 @@ def test_login_url_resolve_logic(self):
     def test_get_redirect_field_name_default(self):
         redirect_field_name = self.middleware.get_redirect_field_name(lambda: None)
         self.assertEqual(redirect_field_name, REDIRECT_FIELD_NAME)
+
+    def test_public_view_logged_in_performance(self):
+        """
+        Public views don't trigger fetching the user from the database.
+        """
+        self.client.force_login(self.user)
+        with self.assertNumQueries(0):
+            response = self.client.get("/public_view/")
+        self.assertEqual(response.status_code, 200)
+
+    def test_protected_view_logged_in_performance(self):
+        """
+        Protected views do trigger fetching the user from the database.
+        """
+        self.client.force_login(self.user)
+        with self.assertNumQueries(2):  # session and user
+            response = self.client.get("/protected_view/")
+        self.assertEqual(response.status_code, 200)