add test for force_authenticate about cache of user attr

[lexdene]

First, the best way to know whether an OneToOneField field exists is using hasattr.
Second, force_authenticate will cache the user object.

So using force_authenticate will cause a bug as I wrote in the test.
But using client.login will not cause that bug.

[tomchristie]

I cannot see any way we could possible resolve this.

Yes, force_authenticate sets the user on all incoming requests to a given instance, and yes if you mutate that instance, (or eg peform a reverse lookup that's cached) then then yes that'll persist between calls. I assume that Django's force_login has the same issue.

We might want to document this as a limitation, but I don't believe there's any way we can resolve it.

Does that assessment sound correct?

[lexdene]

I assume that Django's force_login has the same issue.

I found that Django's force_login works correctly.

[tomchristie]

Wondering if #5066 resolves this? Is #5016 a duplicate?

[lexdene]

Wondering if #5066 resolves this?

No.
Using deepcopy makes user object stay in the status when calling force_authenticate.
In my code, the user attribute is changed when Hat.objects.create.

Is #5016 a duplicate?

I think so. How does the author of #5016 think?

[rpkilby]

I found that Django's force_login works correctly.

Are you sure? A brief look at the code here and here indicates that the user object would be cached similarly to force_authenticate().

@lexdene - could you rebase the PR? This will re-trigger the travis build which seems to be missing for the second commit with the force_login test.

[lexdene]

@rpkilby
Already rebased.

As travis said:

• test_get_my_hat_with_force_authenticate always failed.
• test_get_my_hat_with_django_force_login always passed except when Django==1.8 because force_login was new in Django 1.9.
• test_get_my_hat_with_login always passed.

[carltongibson]

OK, I have a query here:

• Fix #5016 - Views mutate user object when using force_request #5066 is branded as "Fixes Views mutate user object when using force_request #5016"
• Views mutate user object when using force_request #5016 is said here to a duplicate of this issue.
• Fix #5016 - Views mutate user object when using force_request #5066 is said here not to fix this issue.

Those three things are not consistent.

I'll look again/deeper later. Input/clarification welcome! 🙂

[carltongibson]

Milestoning to keep on my radar.

[lexdene]

@carltongibson
need rebase again?

[carltongibson]

@lexdene Currently yes, that would help.

[lexdene]

@carltongibson
Already rebased. And the result is same with what I commented on 4 May:

test_get_my_hat_with_force_authenticate always failed.
test_get_my_hat_with_django_force_login always passed except when Django==1.8 because force_login was new in Django 1.9.
test_get_my_hat_with_login always passed.

[carltongibson]

Closing this in favour of #5445. You need to call user.refresh_from_db() between tests.