auth: avoid setting AuthUser.is_authenticated for unauthenticated users AuthUser.is_authenticated could be True for three reasons: because the user "was" the default user, because the user was authenticated by session cookie, or because the user was just authenticated by an auth module (including the internal auth module). In the last case, a session cookie is emitted (even when using container auth), so the last two cases are closely related. This commit do that unauthenticated users (the first case) only get the is_default_user attribute set, and that the is_authenticated attribute only is set for authenticated users (for the second and third case). This complicates some expressions, but allows others to be simplified. More importantly, it makes the code more explicit, and makes the "is_authenticated" name mean what it says. (This will temporarily make the is_authenticated session value look even more weird than before.)

[tox]
minversion = 1.8
envlist = py{26,27}-{pytest,nose}

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    nose: nose
    pytest: pytest
commands =
    nose: nosetests {posargs}
    pytest: py.test {posargs}