Ensure mutable uploads are not cached without revalidation

2017-02-22 19:30:53 +01:00 · 2017-02-22 19:30:53 +01:00 · f7cd5fd79a
commit f7cd5fd79a
parent 29b59456d0
3 changed files with 88 additions and 0 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -14,6 +14,8 @@ class UploadsController < ApplicationController
    end

    disposition = uploader.image? ? 'inline' : 'attachment'
+
+    expires_in 0.seconds, must_revalidate: true, private: true
    send_file uploader.file.path, disposition: disposition
  end

--- a/changelogs/unreleased/27936-make-all-uploads-require-revalidation-on-each-browser-fetch.yml
+++ b/changelogs/unreleased/27936-make-all-uploads-require-revalidation-on-each-browser-fetch.yml
@ -0,0 +1,4 @@
+---
+title: Uploaded files which content can change now require revalidation on each page load
+merge_request: 9453
+author:
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@ -1,4 +1,9 @@
 require 'spec_helper'
+shared_examples 'content not cached without revalidation' do
+  it 'ensures content will not be cached without revalidation' do
+    expect(subject['Cache-Control']).to eq('max-age=0, private, must-revalidate')
+  end
+end

 describe UploadsController do
  let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
@ -50,6 +55,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'user', mounted_as: 'avatar', id: user.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@ -59,6 +71,13 @@ describe UploadsController do

          expect(response).to have_http_status(200)
        end
+
+        it_behaves_like 'content not cached without revalidation' do
+          subject do
+            get :show, model: 'user', mounted_as: 'avatar', id: user.id, filename: 'image.png'
+            response
+          end
+        end
      end
    end

@ -76,6 +95,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@ -88,6 +114,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@ -133,6 +166,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end

@ -157,6 +197,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@ -169,6 +216,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@ -205,6 +259,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end

@ -234,6 +295,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@ -246,6 +314,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@ -291,6 +366,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end