auth: drop unused AuthUser.is_authenticated It seems like other ways of tracking authentication state are better. AuthUser is a *potentially* authenticated user. We prefer to keep it as that, without modifying the AuthUser object if the user actually should be authenticated. The primariy indicator that a user is authenticated is when the AuthUser is set as request.authuser . (Alternatively, we could create an AuthenticatedUser sub-class and move things like access control checks there. That would help ensuring it is used correctly, without having to check an is_authenticated flag.)