Use Vary header to avoid caching of pages where login is required/possible
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 25 Oct 2018 18:55:34 +0000 (19:55 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 25 Oct 2018 18:55:34 +0000 (19:55 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/auth.py
src/web/blog.py
src/web/handlers_base.py
src/web/nopaste.py
src/web/people.py

index 17957145ab60159104564ac907a2ff4501f8f6ae..87cbae04667aad5be57ee0a9ca03970f6d55ee99 100644 (file)
@@ -64,3 +64,12 @@ class LogoutHandler(AuthenticationMixin, base.BaseHandler):
 
                # Get back to the start page
                self.redirect("/")
+
+
+class CacheMixin(object):
+       def prepare(self):
+               # Mark this as private when someone is logged in
+               if self.current_user:
+                       self.add_header("Cache-Control", "private")
+
+               self.add_header("Vary", "Cookie")
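Review bot: `CacheMixin` makes the `Cache-Control: private` marking opt-in, whereas the `BaseHandler.prepare()` removed in src/web/handlers_base.py applied it to every logged-in response unless `always_cache` was set. A handler that renders session-dependent output but does not list the mixin is now sent without `private` or `Vary: Cookie`, so a shared cache may store it; in the visible context `FeedHandler`, `RawHandler` and `AvatarHandler` do not list it. A class docstring such as `"""Must be inherited by every handler whose output depends on the session cookie."""` would make that contract explicit. `prepare()` also does not call the parent implementation, so a `prepare()` added later to `BaseHandler` or another mixin would be skipped silently; `super(CacheMixin, self).prepare()` as its first line keeps the chain intact.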
index eefcf2baf2421582c43aa2206de26f8cc7e6fe03..e02b1afdd873fcf51eee8523725ecb395b4242f9 100644 (file)
@@ -6,19 +6,21 @@ import tornado.web
 
 from . import handlers_base as base
 
+from . import auth
 from . import ui_modules
 
-class IndexHandler(base.BaseHandler):
+class IndexHandler(auth.CacheMixin, base.BaseHandler):
        def get(self):
                posts = self.backend.blog.get_newest(limit=3)
 
                # Allow this to be cached for 5 minutes
-               self.set_expires(300)
+               if not self.current_user:
+                       self.set_expires(300)
 
                self.render("blog/index.html", posts=posts)
 
 
-class AuthorHandler(base.BaseHandler):
+class AuthorHandler(auth.CacheMixin, base.BaseHandler):
        def get(self, uid):
                author = self.accounts.get_by_uid(uid)
                if not author:
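Review bot: The comment `# Allow this to be cached for 5 minutes` no longer matches the code below it in `IndexHandler.get`, because the expiry is now set only for anonymous requests; the same applies to the 10-minute comment in `AuthorHandler.get` in the next hunk. Suggested wording: `# Allow anonymous responses to be cached for 5 minutes`. The `if not self.current_user:` guard is also written out by hand in both places, so a small helper next to `CacheMixin.prepare()` that sets the expiry only for anonymous requests would keep the handlers from drifting apart. `AuthorHandler.get` continues outside this hunk.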
@@ -30,7 +32,8 @@ class AuthorHandler(base.BaseHandler):
                        raise tornado.web.HTTPError(404, "User has no posts")
 
                # Allow this to be cached for 10 minutes
-               self.set_expires(600)
+               if not self.current_user:
+                       self.set_expires(600)
 
                self.render("blog/author.html", author=author, posts=posts)
 
@@ -53,7 +56,7 @@ class FeedHandler(base.BaseHandler):
                self.finish(feed)
 
 
-class PostHandler(base.BaseHandler):
+class PostHandler(auth.CacheMixin, base.BaseHandler):
        def get(self, slug):
                post = self.backend.blog.get_by_slug(slug, published=not self.current_user)
                if not post:
@@ -66,7 +69,7 @@ class PostHandler(base.BaseHandler):
                self.render("blog/post.html", post=post)
 
 
-class PublishHandler(base.BaseHandler):
+class PublishHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def post(self, slug):
                post = self.backend.blog.get_by_slug(slug, published=not self.current_user)
@@ -86,7 +89,7 @@ class PublishHandler(base.BaseHandler):
                self.redirect("/post/%s" % post.slug)
 
 
-class DraftsHandler(base.BaseHandler):
+class DraftsHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                drafts = self.backend.blog.get_drafts(author=self.current_user)
@@ -94,7 +97,7 @@ class DraftsHandler(base.BaseHandler):
                self.render("blog/drafts.html", drafts=drafts)
 
 
-class SearchHandler(base.BaseHandler):
+class SearchHandler(auth.CacheMixin, base.BaseHandler):
        def get(self):
                q = self.get_argument("q")
 
@@ -105,7 +108,7 @@ class SearchHandler(base.BaseHandler):
                self.render("blog/search-results.html", q=q, posts=posts)
 
 
-class TagHandler(base.BaseHandler):
+class TagHandler(auth.CacheMixin, base.BaseHandler):
        def get(self, tag):
                posts = self.backend.blog.get_by_tag(tag)
                if not posts:
@@ -117,7 +120,7 @@ class TagHandler(base.BaseHandler):
                self.render("blog/tag.html", posts=list(posts), tag=tag)
 
 
-class YearHandler(base.BaseHandler):
+class YearHandler(auth.CacheMixin, base.BaseHandler):
        def get(self, year):
                posts = self.backend.blog.get_by_year(year)
                if not posts:
@@ -129,7 +132,7 @@ class YearHandler(base.BaseHandler):
                self.render("blog/year.html", posts=posts, year=year)
 
 
-class ComposeHandler(base.BaseHandler):
+class ComposeHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                self.render("blog/compose.html", post=None)
@@ -147,7 +150,7 @@ class ComposeHandler(base.BaseHandler):
                self.redirect("/drafts")
 
 
-class EditHandler(base.BaseHandler):
+class EditHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, slug):
                post = self.backend.blog.get_by_slug(slug, published=False)
index 26fc43e7b6f06564f67145df88cbdc376422e901..91ad2d728df9ed3eafb69c63a47ce775cc8b665b 100644 (file)
@@ -12,15 +12,6 @@ import tornado.web
 from .. import util
 
 class BaseHandler(tornado.web.RequestHandler):
-       # Indicates if content should always be cached,
-       # even when a user is logged in
-       always_cache = False
-
-       def prepare(self):
-               # Mark this as private when someone is logged in
-               if not self.always_cache and self.current_user:
-                       self.add_header("Cache-Control", "private")
-
        def set_expires(self, seconds):
                # For HTTP/1.1
                self.add_header("Cache-Control", "max-age=%s, must-revalidate" % seconds)
index 13917cfc275cb40e06f5565f8cb885b002df9f91..0f8a92e63be68a87b52b71156113e70cd4eb4fc8 100644 (file)
@@ -2,6 +2,7 @@
 
 import tornado.web
 
+from . import auth
 from . import handlers_base as base
 from . import ui_modules
 
@@ -83,7 +84,7 @@ class RawHandler(base.BaseHandler):
                self.finish(content)
 
 
-class ViewHandler(base.BaseHandler):
+class ViewHandler(auth.CacheMixin, base.BaseHandler):
        def get(self, uid):
                entry = self.backend.nopaste.get(uid)
                if not entry:
@@ -95,6 +96,9 @@ class ViewHandler(base.BaseHandler):
                else:
                        content = None
 
+               # Set expiry headers
+               self.set_expires(3600)
+
                self.render("nopaste/view.html", entry=entry, content=content)
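Review bot: `self.set_expires(3600)` runs for every request, including logged-in ones, although `ViewHandler` now inherits `CacheMixin` and the blog handlers in this commit guard the same call with `if not self.current_user:`. A logged-in response would then carry both `Cache-Control: private` and `max-age=3600, must-revalidate`, since both are added with `add_header`, plus whatever else `set_expires()` sets outside the visible lines. If the view template renders anything user-specific, guard the call the same way: `if not self.current_user:` followed by `self.set_expires(3600)`. If pastes can be removed or can expire, an hour of caching also means a cache may keep serving one for that long, which deserves a comment if it is intended. `ViewHandler.get` starts outside this hunk.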
 
 
index 45955e6b49f0ae860ca658ed71b5e5a45c9e6551..cd6e932f0519bb9765beaf0e45ecb945cd5f911c 100644 (file)
@@ -6,18 +6,17 @@ import logging
 import sshpubkeys
 import tornado.web
 
+from . import auth
 from . import handlers_base as base
 from . import ui_modules
 
-class IndexHandler(base.BaseHandler):
+class IndexHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                self.render("people/index.html")
 
 
 class AvatarHandler(base.BaseHandler):
-       always_cache = True
-
        def get(self, uid):
                # Get the desired size of the avatar file
                size = self.get_argument("size", 0)
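Review bot: The authenticated handlers in this file that gain `CacheMixin` (calls, SSH keys, user edit, password) are protected only by `Cache-Control: private`, which keeps shared caches from storing the response but still lets the browser keep a copy. If these pages carry personal data, `no-store` is the directive that prevents local storage as well, for instance `self.add_header("Cache-Control", "private, no-store")` in the logged-in branch of `CacheMixin.prepare()`, or per handler where needed. This applies equally to the later hunks of this file. `AvatarHandler.get` continues outside this hunk.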
@@ -54,7 +53,7 @@ class AvatarHandler(base.BaseHandler):
                self.finish(avatar)
 
 
-class CallsHandler(base.BaseHandler):
+class CallsHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid, date=None):
                account = self.backend.accounts.get_by_uid(uid)
@@ -72,7 +71,7 @@ class CallsHandler(base.BaseHandler):
                self.render("people/calls.html", account=account, date=date)
 
 
-class CallHandler(base.BaseHandler):
+class CallHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid, uuid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -88,13 +87,13 @@ class CallHandler(base.BaseHandler):
                self.render("people/call.html", account=account, call=call)
 
 
-class ConferencesHandler(base.BaseHandler):
+class ConferencesHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                self.render("people/conferences.html", conferences=self.backend.talk.conferences)
 
 
-class SearchHandler(base.BaseHandler):
+class SearchHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                q = self.get_argument("q")
@@ -110,7 +109,7 @@ class SearchHandler(base.BaseHandler):
                self.render("people/search.html", q=q, accounts=accounts)
 
 
-class SSHKeysIndexHandler(base.BaseHandler):
+class SSHKeysIndexHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -120,7 +119,7 @@ class SSHKeysIndexHandler(base.BaseHandler):
                self.render("people/ssh-keys/index.html", account=account)
 
 
-class SSHKeysDownloadHandler(base.BaseHandler):
+class SSHKeysDownloadHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid, hash_sha256):
                account = self.backend.accounts.get_by_uid(uid)
@@ -138,7 +137,7 @@ class SSHKeysDownloadHandler(base.BaseHandler):
                self.finish(key.keydata)
 
 
-class SSHKeysUploadHandler(base.BaseHandler):
+class SSHKeysUploadHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -179,7 +178,7 @@ class SSHKeysUploadHandler(base.BaseHandler):
                self.redirect("/users/%s/ssh-keys" % account.uid)
 
 
-class SSHKeysDeleteHandler(base.BaseHandler):
+class SSHKeysDeleteHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid, hash_sha256):
                account = self.backend.accounts.get_by_uid(uid)
@@ -215,7 +214,7 @@ class SSHKeysDeleteHandler(base.BaseHandler):
                self.redirect("/users/%s/ssh-keys" % account.uid)
 
 
-class SIPHandler(base.BaseHandler):
+class SIPHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -229,13 +228,13 @@ class SIPHandler(base.BaseHandler):
                self.render("people/sip.html", account=account)
 
 
-class UsersHandler(base.BaseHandler):
+class UsersHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self):
                self.render("people/users.html")
 
 
-class UserHandler(base.BaseHandler):
+class UserHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -245,7 +244,7 @@ class UserHandler(base.BaseHandler):
                self.render("people/user.html", account=account)
 
 
-class UserEditHandler(base.BaseHandler):
+class UserEditHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)
@@ -298,7 +297,7 @@ class UserEditHandler(base.BaseHandler):
                self.redirect("/users/%s" % account.uid)
 
 
-class UserPasswdHandler(base.BaseHandler):
+class UserPasswdHandler(auth.CacheMixin, base.BaseHandler):
        @tornado.web.authenticated
        def get(self, uid):
                account = self.backend.accounts.get_by_uid(uid)