Commit f7727e02 authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Type.patches.BaseRequest: Set Cache-Control: private for authenticated users right after user authentication.

parent 4f477d68
...@@ -89,6 +89,17 @@ class ERP5CookieCrumblerTests (CookieCrumblerTests): ...@@ -89,6 +89,17 @@ class ERP5CookieCrumblerTests (CookieCrumblerTests):
self.credentials) self.credentials)
self.assertEqual(resp.cookies['__ac']['path'], '/') self.assertEqual(resp.cookies['__ac']['path'], '/')
def testCacheHeaderDisabled(self):
# Cache header is forcibly set on any authenticated user independently from
# CookieCrumbler's presence.
_, cc, req, credentials = self._makeSite()
cc.cache_header_value = ''
req.cookies['__ac'] = credentials
req.traverse('/')
self.assertEqual(
req.response.headers.get('cache-control', ''), 'private')
def test_suite(): def test_suite():
return unittest.makeSuite(ERP5CookieCrumblerTests) return unittest.makeSuite(ERP5CookieCrumblerTests)
......
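Review bot: `testCacheHeaderDisabled` pins only the positive case; nothing in this hunk shows that an anonymous request keeps a shareable response, which is the other half of the `!= 'Anonymous User'` condition in the patch and the half that would silently break public-page caching if that comparison ever stopped matching. A companion test that leaves `__ac` unset, calls `req.traverse('/')` and asserts `self.assertNotEqual(req.response.headers.get('cache-control', ''), 'private')` would cover it. The enclosing class `ERP5CookieCrumblerTests` starts outside the hunk, so I cannot tell whether such a test already exists elsewhere in it.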
...@@ -51,6 +51,7 @@ from Products.ERP5Type.patches import FSZSQLMethod ...@@ -51,6 +51,7 @@ from Products.ERP5Type.patches import FSZSQLMethod
from Products.ERP5Type.patches import ActionInformation from Products.ERP5Type.patches import ActionInformation
from Products.ERP5Type.patches import ActionProviderBase from Products.ERP5Type.patches import ActionProviderBase
from Products.ERP5Type.patches import ActionsTool from Products.ERP5Type.patches import ActionsTool
from Products.ERP5Type.patches import BaseRequest
from Products.ERP5Type.patches import CookieCrumbler from Products.ERP5Type.patches import CookieCrumbler
from Products.ERP5Type.patches import PropertySheets from Products.ERP5Type.patches import PropertySheets
from Products.ERP5Type.patches import CMFCoreSkinnable from Products.ERP5Type.patches import CMFCoreSkinnable
......
# -*- coding: utf-8 -*-
from functools import partial
from ZPublisher.BaseRequest import BaseRequest
def setCacheControlPrivateForAuthenticatedUser(request, user, validated_hook_):
# If we are publishing a resource for an authenticated user, forbid shared
# caches from storing it.
# Historially, this was (for some reason) implemented in CookieCrumbler,
# but it does not seem very consistent as it then depends on how the user
# was authenticated. This is a more neutral location.
if user.getUserName() != 'Anonymous User':
request.response.setHeader('Cache-Control', 'private')
if validated_hook_ is not None:
return validated_hook_(request, user)
orig_BaseRequest_traverse = BaseRequest.traverse
def BaseRequest_traverse(self, path, response=None, validated_hook=None):
return orig_BaseRequest_traverse(
self,
path=path,
response=response,
validated_hook=partial(
setCacheControlPrivateForAuthenticatedUser,
validated_hook_=validated_hook,
),
)
BaseRequest.traverse = BaseRequest_traverse
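Review bot: The header is written from the `validated_hook`, which as far as ZPublisher's traverse contract goes runs during traversal and before the published object executes, so any later `response.setHeader('Cache-Control', ...)` by a view or caching policy replaces `private` without trace; the "forcibly set" wording in the test only holds until something downstream touches that header, and the comment above `request.response.setHeader` should say so (e.g. `# NOTE: set before publication; downstream code that sets Cache-Control itself overrides this.`). Identifying the anonymous user by its display name (`user.getUserName() != 'Anonymous User'`) is also brittle; if the user stack guarantees the anonymous principal is `AccessControl.SpecialUsers.nobody`, `if aq_base(user) is not nobody:` (two extra imports) is the more robust form, otherwise a comment stating that this name is the contract being relied on would help the next reader. Minor: `Historially` → `Historically` in the comment.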