Diffstat (limited to 'rest_framework')
-rw-r--r--rest_framework/authtoken/views.py2
-rw-r--r--rest_framework/request.py9
-rw-r--r--rest_framework/tests/authentication.py4
-rw-r--r--rest_framework/tests/request.py28
4 files changed, 40 insertions, 3 deletions
diff --git a/rest_framework/authtoken/views.py b/rest_framework/authtoken/views.py
index 3ac674e2..cfaacbe9 100644
--- a/rest_framework/authtoken/views.py
+++ b/rest_framework/authtoken/views.py
@@ -18,7 +18,7 @@ class ObtainAuthToken(APIView):
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.object['user'])
return Response({'token': token.key})
- return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+ return Response(serializer.errors, status=status.HTTP_401_UNAUTHORIZED)
obtain_auth_token = ObtainAuthToken.as_view()
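Review bot: The failure branch now answers 401 for every serializer error, but the `Response` is built without a `WWW-Authenticate` header, which HTTP requires on a 401. The same branch also handles malformed requests: the updated `test_token_login_json_missing_fields` in rest_framework/tests/authentication.py pins 401 for a body with no password, which is a client error rather than a rejected credential. Consider keeping 400 for missing fields and returning 401 only when the credentials are refused, with a challenge such as `headers={'WWW-Authenticate': 'Token'}` if `Response` accepts a headers argument here. The enclosing method starts outside this hunk.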
diff --git a/rest_framework/request.py b/rest_framework/request.py
index a1827ba4..39c64321 100644
--- a/rest_framework/request.py
+++ b/rest_framework/request.py
@@ -169,6 +169,15 @@ class Request(object):
self._user, self._auth = self._authenticate()
return self._user
+ @user.setter
+ def user(self, value):
+ """
+ Sets the user on the current request. This is necessary to maintain
+ compatilbility with django.contrib.auth where the user proprety is
+ set in the login and logout functions.
+ """
+ self._user = value
+
@property
def auth(self):
"""
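Review bot: The new `user` setter assigns only `self._user` and leaves `self._auth` untouched, so the two can disagree after `login()` or `logout()`. The body of `auth` lies outside this hunk; if it lazily calls `self._authenticate()` and reassigns both attributes the way the `user` getter above does, a later read of `request.auth` would replace the user that was just set. After `logout()` that could bring the authenticated user back. The setter's docstring should say what happens to `_auth`, and a test should read `request.auth` after the assignment and then re-check `request.user`. The docstring also misspells "compatibility" and "property".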
diff --git a/rest_framework/tests/authentication.py b/rest_framework/tests/authentication.py
index 96ca9f52..802bc6c1 100644
--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@@ -167,14 +167,14 @@ class TokenAuthTests(TestCase):
client = Client(enforce_csrf_checks=True)
response = client.post('/auth-token/login/',
json.dumps({'username': self.username, 'password': "badpass"}), 'application/json')
- self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.status_code, 401)
def test_token_login_json_missing_fields(self):
"""Ensure token login view using JSON POST fails if missing fields."""
client = Client(enforce_csrf_checks=True)
response = client.post('/auth-token/login/',
json.dumps({'username': self.username}), 'application/json')
- self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.status_code, 401)
def test_token_login_form(self):
"""Ensure token login view using form POST works."""
diff --git a/rest_framework/tests/request.py b/rest_framework/tests/request.py
index ff48f3fa..2850992d 100644
--- a/rest_framework/tests/request.py
+++ b/rest_framework/tests/request.py
@@ -3,6 +3,8 @@ Tests for content parsing, and form-overloaded content parsing.
"""
from django.conf.urls.defaults import patterns
from django.contrib.auth.models import User
+from django.contrib.auth import authenticate, login, logout
+from django.contrib.sessions.middleware import SessionMiddleware
from django.test import TestCase, Client
from django.utils import simplejson as json
@@ -276,3 +278,29 @@ class TestContentParsingWithAuthentication(TestCase):
# response = self.csrf_client.post('/', content)
# self.assertEqual(status.OK, response.status_code, "POST data is malformed")
+
+
+class TestUserSetter(TestCase):
+
+ def setUp(self):
+ # Pass request object through session middleware so session is
+ # available to login and logout functions
+ self.request = Request(factory.get('/'))
+ SessionMiddleware().process_request(self.request)
+
+ User.objects.create_user('ringo', 'starr@thebeatles.com', 'yellow')
+ self.user = authenticate(username='ringo', password='yellow')
+
+ def test_user_can_be_set(self):
+ self.request.user = self.user
+ self.assertEqual(self.request.user, self.user)
+
+ def test_user_can_login(self):
+ login(self.request, self.user)
+ self.assertEqual(self.request.user, self.user)
+
+ def test_user_can_logout(self):
+ self.request.user = self.user
+ self.assertFalse(self.request.user.is_anonymous())
+ logout(self.request)
+ self.assertTrue(self.request.user.is_anonymous())
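Review bot: `setUp` stores the result of `authenticate(username='ringo', password='yellow')` without checking it, so a failed authentication leaves `self.user` as `None`. In that case `test_user_can_be_set` still passes, because it only compares `None` with `None`. Adding `self.assertTrue(self.user is not None)` at the end of `setUp` makes the fixture fail loudly. `test_user_can_logout` also checks only `request.user`; asserting that the session no longer holds the login after `logout(self.request)` would cover the state that actually matters.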