From 19a774f97292444a48c5b7521e1b0c0ea48b6502 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Fri, 23 Aug 2013 11:21:45 +0100
Subject: force_authenticate(None) also clears session info.

Closes #1055.
---
 docs/topics/release-notes.md         |  1 +
 rest_framework/test.py               |  2 ++
 rest_framework/tests/test_testing.py | 30 ++++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index dfc4bfbb..af90b1ea 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -44,6 +44,7 @@ You can determine your currently installed version using `pip freeze`:
 
 * Support customizable view name and description functions, using the `VIEW_NAME_FUNCTION` and `VIEW_DESCRIPTION_FUNCTION` settings.
 * Bugfix: `required=True` argument fixed for boolean serializer fields.
+* Bugfix: `client.force_authenticate(None)` should also clear session info if it exists.
 
 ### 2.3.7
 
diff --git a/rest_framework/test.py b/rest_framework/test.py
index a18f5a29..234d10a4 100644
--- a/rest_framework/test.py
+++ b/rest_framework/test.py
@@ -134,6 +134,8 @@ class APIClient(APIRequestFactory, DjangoClient):
         """
         self.handler._force_user = user
         self.handler._force_token = token
+        if user is None:
+            self.logout()  # Also clear any possible session info if required
 
     def request(self, **kwargs):
         # Ensure that any credentials set get added to every request.
diff --git a/rest_framework/tests/test_testing.py b/rest_framework/tests/test_testing.py
index 49d45fc2..48b8956b 100644
--- a/rest_framework/tests/test_testing.py
+++ b/rest_framework/tests/test_testing.py
@@ -17,8 +17,18 @@ def view(request):
     })
 
 
+@api_view(['GET', 'POST'])
+def session_view(request):
+    active_session = request.session.get('active_session', False)
+    request.session['active_session'] = True
+    return Response({
+        'active_session': active_session
+    })
+
+
 urlpatterns = patterns('',
     url(r'^view/$', view),
+    url(r'^session-view/$', session_view),
 )
 
 
@@ -46,6 +56,26 @@ class TestAPITestClient(TestCase):
         response = self.client.get('/view/')
         self.assertEqual(response.data['user'], 'example')
 
+    def test_force_authenticate_with_sessions(self):
+        """
+        Setting `.force_authenticate()` forcibly authenticates each request.
+        """
+        user = User.objects.create_user('example', 'example@example.com')
+        self.client.force_authenticate(user)
+
+        # First request does not yet have an active session
+        response = self.client.get('/session-view/')
+        self.assertEqual(response.data['active_session'], False)
+
+        # Subsequant requests have an active session
+        response = self.client.get('/session-view/')
+        self.assertEqual(response.data['active_session'], True)
+
+        # Force authenticating as `None` should also logout the user session.
+        self.client.force_authenticate(None)
+        response = self.client.get('/session-view/')
+        self.assertEqual(response.data['active_session'], False)
+
     def test_csrf_exempt_by_default(self):
         """
         By default, the test client is CSRF exempt.
-- 
cgit v1.2.3