get_current_user does not check session validity
The get_current_user()
function suggests that the returend user is currently logged in and therefor the current session is valid (it returns None
if the user is not logged in). But the function also returns a valid user object if the session timed out. The behaviour should be more consistent (behaviour on logout vs. on timeout) and/or better documented.
See also test test_session.TestSession.test_timeout
.