auth: note that we never emit authuser "cookies" for the default user The only place where we set "authuser" in the session is in log_in_user, which is called only by the internal auth system and by auth plugins. The internal auth system cannot log a user in as the default user, because the default user doesn't have a password (and cannot have a password assigned). Auth plugins cannot log a user in as the default user, because the user doesn't have the right extern_type. As such, it's a bug if log_in_user is ever called with the default user (which this commit documents with an assert). This realization makes the is_authenticated field of the authuser cookie redundant, as it's always True. It also emphasizes that is_default_user and is_authenticated are mutually exclusive.

[tox]
minversion = 1.8
envlist = py{26,27}-{pytest,nose}

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    nose: nose
    pytest: pytest
commands =
    nose: nosetests {posargs}
    pytest: py.test {posargs}