Fixed #12233 -- Allowed redirecting authenticated users away from the login view.

contrib.auth.views.login() has a new parameter `redirect_authenticated_user`
to automatically redirect authenticated users visiting the login page.

Thanks to dmathieu and Alex Buchanan for the original code and to Carl Meyer
for the help and review.

tests/auth_tests/test_views.py

@@ -715,6 +715,60 @@ class RedirectToLoginTests(AuthViewsTestCase):
         self.assertEqual(expected, login_redirect_response.url)
 
 
+class LoginRedirectAuthenticatedUser(AuthViewsTestCase):
+    dont_redirect_url = '/login/redirect_authenticated_user_default/'
+    do_redirect_url = '/login/redirect_authenticated_user/'
+
+    def test_default(self):
+        """Stay on the login page by default."""
+        self.login()
+        response = self.client.get(self.dont_redirect_url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_guest(self):
+        """If not logged in, stay on the same page."""
+        response = self.client.get(self.do_redirect_url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_redirect(self):
+        """If logged in, go to default redirected URL."""
+        self.login()
+        response = self.client.get(self.do_redirect_url)
+        self.assertRedirects(response, '/accounts/profile/', fetch_redirect_response=False)
+
+    @override_settings(LOGIN_REDIRECT_URL='/custom/')
+    def test_redirect_url(self):
+        """If logged in, go to custom redirected URL."""
+        self.login()
+        response = self.client.get(self.do_redirect_url)
+        self.assertRedirects(response, '/custom/', fetch_redirect_response=False)
+
+    def test_redirect_param(self):
+        """If next is specified as a GET parameter, go there."""
+        self.login()
+        url = self.do_redirect_url + '?next=/custom_next/'
+        response = self.client.get(url)
+        self.assertRedirects(response, '/custom_next/', fetch_redirect_response=False)
+
+    def test_redirect_loop(self):
+        """
+        Detect a redirect loop if LOGIN_REDIRECT_URL is not correctly set,
+        with and without custom parameters.
+        """
+        self.login()
+        msg = (
+            "Redirection loop for authenticated user detected. Check that "
+            "your LOGIN_REDIRECT_URL doesn't point to a login page"
+        )
+        with self.settings(LOGIN_REDIRECT_URL=self.do_redirect_url):
+            with self.assertRaisesMessage(ValueError, msg):
+                self.client.get(self.do_redirect_url)
+
+            url = self.do_redirect_url + '?bla=2'
+            with self.assertRaisesMessage(ValueError, msg):
+                self.client.get(url)
+
+
 class LogoutTest(AuthViewsTestCase):
 
     def confirm_logged_out(self):

tests/auth_tests/urls.py

@@ -96,6 +96,8 @@ urlpatterns = auth_urlpatterns + [
     url(r'^auth_processor_messages/$', auth_processor_messages),
     url(r'^custom_request_auth_login/$', custom_request_auth_login),
     url(r'^userpage/(.+)/$', userpage, name="userpage"),
+    url(r'^login/redirect_authenticated_user_default/$', views.login),
+    url(r'^login/redirect_authenticated_user/$', views.login, dict(redirect_authenticated_user=True)),
 
     # This line is only required to render the password reset with is_admin=True
     url(r'^admin/', admin.site.urls),