From 958fb8e7347e9e957e309ea0aeec9c47361f76c7 Mon Sep 17 00:00:00 2001
From: "Md. Al-Amin" <alamin.opu10@gmail.com>
Date: Mon, 10 Apr 2017 12:31:47 +0600
Subject: [PATCH] Fix #5016 - Views mutate user object when using force_request

---
 rest_framework/test.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rest_framework/test.py b/rest_framework/test.py
index 87255bca0..4f3396f47 100644
--- a/rest_framework/test.py
+++ b/rest_framework/test.py
@@ -4,6 +4,7 @@
 # to make it harder for the user to import the wrong thing without realizing.
 from __future__ import unicode_literals
 
+import copy
 import io
 
 from django.conf import settings
@@ -22,7 +23,7 @@ from rest_framework.settings import api_settings
 
 
 def force_authenticate(request, user=None, token=None):
-    request._force_auth_user = user
+    request._force_auth_user = copy.deepcopy(user)
     request._force_auth_token = token
 
 
@@ -268,7 +269,7 @@ class APIClient(APIRequestFactory, DjangoClient):
         Forcibly authenticates outgoing requests with the given
         user and/or token.
         """
-        self.handler._force_user = user
+        self.handler._force_user = copy.deepcopy(user)
         self.handler._force_token = token
         if user is None:
             self.logout()  # Also clear any possible session info if required