Merge branch '27936-avatar-has-wrong-cache-settings' into 'master'

Ensure uploads are not cached without revalidation Closes #27936 See merge request !9453

Merge branch '27936-avatar-has-wrong-cache-settings' into 'master'
Ensure uploads are not cached without revalidation Closes #27936 See merge request !9453
a41bff62 · Douwe Maan · 4998f151 · f7cd5fd7 · a41bff62 · a41bff62
3 changed file
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -14,6 +14,8 @@ class UploadsController < ApplicationController
    end

    disposition = uploader.image? ? 'inline' : 'attachment'
+
+    expires_in 0.seconds, must_revalidate: true, private: true
    send_file uploader.file.path, disposition: disposition
  end


--- a/changelogs/unreleased/27936-make-all-uploads-require-revalidation-on-each-browser-fetch.yml
+++ b/changelogs/unreleased/27936-make-all-uploads-require-revalidation-on-each-browser-fetch.yml
+---
+title: Uploaded files which content can change now require revalidation on each page load
+merge_request: 9453
+author:
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
 require 'spec_helper'
+shared_examples 'content not cached without revalidation' do
+  it 'ensures content will not be cached without revalidation' do
+    expect(subject['Cache-Control']).to eq('max-age=0, private, must-revalidate')
+  end
+end

 describe UploadsController do
  let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
@@ -50,6 +55,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'user', mounted_as: 'avatar', id: user.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@@ -59,6 +71,13 @@ describe UploadsController do

          expect(response).to have_http_status(200)
        end
+
+        it_behaves_like 'content not cached without revalidation' do
+          subject do
+            get :show, model: 'user', mounted_as: 'avatar', id: user.id, filename: 'image.png'
+            response
+          end
+        end
      end
    end

@@ -76,6 +95,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@@ -88,6 +114,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@@ -133,6 +166,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'project', mounted_as: 'avatar', id: project.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end

@@ -157,6 +197,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@@ -169,6 +216,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@@ -205,6 +259,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'group', mounted_as: 'avatar', id: group.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end

@@ -234,6 +295,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+              response
+            end
+          end
        end

        context "when signed in" do
@@ -246,6 +314,13 @@ describe UploadsController do

            expect(response).to have_http_status(200)
          end
+
+          it_behaves_like 'content not cached without revalidation' do
+            subject do
+              get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+              response
+            end
+          end
        end
      end

@@ -291,6 +366,13 @@ describe UploadsController do

                expect(response).to have_http_status(200)
              end
+
+              it_behaves_like 'content not cached without revalidation' do
+                subject do
+                  get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+                  response
+                end
+              end
            end
          end