diff --git a/ckan/new_authz.py b/ckan/new_authz.py
index fefd0d70e90..6a28efa13fb 100644
--- a/ckan/new_authz.py
+++ b/ckan/new_authz.py
@@ -14,26 +14,33 @@ class AuthFunctions:
 _functions = {}
-def is_authorized(action, context, data_dict=None):
- if context.get('ignore_auth'):
- return {'success': True}
-
- # sysadmins can do anything
- user = context.get('user')
+def is_sysadmin(username):
+ ''' returns True is username is a sysadmin '''
+ if not username:
+ return False
 # see if we can authorise without touching the database
- admin_tested = False
 try:
- if user and c.userobj and c.userobj.name == user:
+ if c.userobj and c.userobj.name == username:
 if c.userobj.sysadmin:
- return {'success': True}
- admin_tested = True
+ return True
+ return False
 except TypeError:
 # c is not available
 pass
- if user and not admin_tested:
- u = model.User.get(user)
- if u and u.sysadmin:
- return {'success': True}
+ # get user from the database
+ u = model.User.get(username)
+ if u and u.sysadmin:
+ return True
+ return False
+
+
+def is_authorized(action, context, data_dict=None):
+ if context.get('ignore_auth'):
+ return {'success': True}
+
+ # sysadmins can do anything
+ if is_sysadmin(context.get('user')):
+ return {'success': True}
 auth_function = _get_auth_function(action)
 if auth_function:
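Review bot: `is_sysadmin` is now a module-level helper that grants the sysadmin bypass on a bare username string, and its docstring neither states that contract nor is spelled correctly (`returns True is username`). I would replace it with `''' Return True if username is a sysadmin. The name must come from an authenticated context, never from request data. '''`, because a True result short-circuits every auth function in `is_authorized`. The database fallback accepts whatever row `model.User.get(username)` returns; whether that can include deleted or inactive accounts is not visible in this hunk, so it is worth confirming that a deactivated sysadmin cannot still pass. The body of `is_authorized` continues past the end of the hunk.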