# HG changeset patch
# User Oscar Cortez <om.cortez.2010@gmail.com>
# Date 1674671062 18000
#      Wed Jan 25 13:24:22 2023 -0500
# Node ID 89fffb32473e64276ca1a114bd2291a08e078227
# Parent  839574bf40f57622b92c34d588853645f31a9137
Prevent redirect loop when MAX_DURATION is used - Refs #67

diff --git a/impersonate/middleware.py b/impersonate/middleware.py
--- a/impersonate/middleware.py
+++ b/impersonate/middleware.py
@@ -2,7 +2,7 @@
 from datetime import datetime, timedelta
 
 from django.http import HttpResponseNotAllowed
-from django.shortcuts import redirect
+from django.shortcuts import redirect, reverse
 from django.utils import timezone
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
@@ -26,6 +26,9 @@
 
         if '_impersonate' in request.session and request.user.is_authenticated:
             if settings.MAX_DURATION:
+                if request.path == reverse('impersonate-stop'):
+                    return
+
                 if '_impersonate_start' not in request.session:
                     return
 
diff --git a/impersonate/tests.py b/impersonate/tests.py
--- a/impersonate/tests.py
+++ b/impersonate/tests.py
@@ -150,6 +150,31 @@
             _impersonate_start=datetime.now(timezone.utc).timestamp()
         )
 
+    @override_settings(IMPERSONATE={'MAX_DURATION': 5, 'REDIRECT_URL': '/foo/'})
+    def test_impersonate_timeout_not_redirect_loop(self):
+        ''' Test to ensure that when MAX_DURATION is reached dont create a redirect loop.
+            See Issue #67
+        '''
+        self._impersonated_request(
+            _impersonate_start=datetime.now(timezone.utc).timestamp()
+        )
+        # new request to see if the redirect to stop
+        request = self.factory.get('/')
+        request.user = self.superuser
+        past_time = datetime.now(timezone.utc) - timedelta(hours=1)
+        request.session = {
+            '_impersonate': self.user,
+            '_impersonate_start': past_time.timestamp(),
+        }
+        request = self.middleware.process_request(request)
+        # Check does the redirect to stop the impersonate
+        self.assertEqual(request.status_code, 302)
+        self.assertEqual(request.url, reverse('impersonate-stop'))
+        # Check impersonate stop redirects to the REDIRECT_URL
+        request = self.client.get(reverse('impersonate-stop'))
+        self.assertEqual(request.status_code, 302)
+        self.assertEqual(request.url, '/foo/')
+
     @override_settings(IMPERSONATE={'MAX_DURATION': 3600})
     def test_reject_without_start_time(self):
         ''' Test to ensure that requests without a start time