Eliminate AuthorizationSession::hasInternalAuthorization()


    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.3
    • Affects Version/s: None
    • Component/s: Replication, Security

      The AuthorizationSession::hasInternalAuthorization() method is implemented in terms of an outdated notion of "internal user". The only callers of the method are two implementations of replAuthentication(), which are essentially trying to provide a runtime check of a programming error. Specifically, the checks try to prevent a command running on behalf of a user (and not the cluster) from establishing a connection to another cluster member as a cluster member. However, this check provides no real safety. The errant programmer could simply pass "true" to the "skipAuthChecks" parameter of replAuthenticate() on the bad code path, or invoke a method that does.

            Assignee:
            Andy Schwerin
            Reporter:
            Andy Schwerin
            Votes:
            0
            Watchers:
            3