id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4988	assertRedirects potentially breaks authentication	alex@…	Russell Keith-Magee	"Because assertRedirects always uses self.client for getting the redirect_response, sessions/authentication etc. will break when the original request was not made using self.client. example:

{{{
# views.py:
from django import http
from django.contrib.auth.decorators import login_required

@login_required
def stuff(request):
    return http.HttpResponseRedirect(""/morestuff/"")

@login_required
def morestuff(request):
    return http.HttpResponse(""more stuff"")

# tests.py:
from django.test import TestCase, Client
from django.contrib.auth.models import User

class LoginTest(TestCase):
    def testRedirect(self):
        joe = User()
        joe.username = 'joe'
        joe.set_password('test')
        joe.save()

        c = Client()
        self.assertTrue(c.login(username='joe',
            password='test'))

        resp = c.get(""/stuff/"")
        self.assertRedirects(resp, ""/morestuff/"")
}}}

fails with:

{{{AssertionError: Couldn't retrieve redirection page '/morestuff/': response code was 302 (expected 200)}}}

because self.client isn't logged in and gets redirected to /accounts/login/. This should be documented or assertRedirects should use the Client which was used to obtain the original response. A naive patch is attached."		closed	Testing framework	dev		fixed			Accepted	1	1	1	0	0	0