Client.logout() also cancels any existing force_authenticate.

rest_framework/test.py

@@ -204,6 +204,11 @@ def options(self, path, data=None, format=None, content_type=None,
 
     def logout(self):
         self._credentials = {}
+
+        # Also clear any `force_authenticate`
+        self.handler._force_user = None
+        self.handler._force_token = None
+
         return super(APIClient, self).logout()
 
 

tests/test_testing.py

@@ -1,15 +1,13 @@
-# -- coding: utf-8 --
-
+# encoding: utf-8
 from __future__ import unicode_literals
 from django.conf.urls import patterns, url
-from io import BytesIO
-
 from django.contrib.auth.models import User
 from django.shortcuts import redirect
 from django.test import TestCase
 from rest_framework.decorators import api_view
 from rest_framework.response import Response
 from rest_framework.test import APIClient, APIRequestFactory, force_authenticate
+from io import BytesIO
 
 
 @api_view(['GET', 'POST'])
@@ -109,7 +107,7 @@ def test_explicitly_enforce_csrf_checks(self):
 
     def test_can_logout(self):
         """
-        `logout()` reset stored credentials
+        `logout()` resets stored credentials
         """
         self.client.credentials(HTTP_AUTHORIZATION='example')
         response = self.client.get('/view/')
@@ -118,6 +116,18 @@ def test_can_logout(self):
         response = self.client.get('/view/')
         self.assertEqual(response.data['auth'], b'')
 
+    def test_logout_resets_force_authenticate(self):
+        """
+        `logout()` resets any `force_authenticate`
+        """
+        user = User.objects.create_user('example', '[email protected]', 'password')
+        self.client.force_authenticate(user)
+        response = self.client.get('/view/')
+        self.assertEqual(response.data['user'], 'example')
+        self.client.logout()
+        response = self.client.get('/view/')
+        self.assertEqual(response.data['user'], '')
+
     def test_follow_redirect(self):
         """
         Follow redirect by setting follow argument.