FIX: ensure we never cache login redirects by mistake

2018-11-09 11:14:35 +11:00 · 2018-11-09 11:14:35 +11:00 · 15991677d4
parent cbd6bd191a
commit 15991677d4
2 changed files with 7 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -692,7 +692,9 @@ class ApplicationController < ActionController::Base
    return if current_user || (request.format.json? && is_api?)

    if SiteSetting.login_required?
+
      flash.keep
+      dont_cache_page

      if SiteSetting.enable_sso?
        # save original URL in a session so we can redirect after login
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@ -13,6 +13,11 @@ RSpec.describe ApplicationController do
      get "/?authComplete=true"
      expect(response).to redirect_to('/login?authComplete=true')
    end
+
+    it "should never cache a login redirect" do
+      get "/"
+      expect(response.headers["Cache-Control"]).to eq("no-cache, no-store")
+    end
  end

  describe 'invalid request params' do