From: Michael Tremer Date: Thu, 25 Oct 2018 18:55:34 +0000 (+0100) Subject: Use Vary header to avoid caching of pages where login is required/possible X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b8ff27d299db8f112ad5be0544f4b2dd8026cec;p=ipfire.org.git Use Vary header to avoid caching of pages where login is required/possible Signed-off-by: Michael Tremer
---
diff --git a/src/web/auth.py b/src/web/auth.py
index 17957145..87cbae04 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -64,3 +64,12 @@ class LogoutHandler(AuthenticationMixin, base.BaseHandler):
 # Get back to the start page
 self.redirect("/")
+
+
+class CacheMixin(object):
+ def prepare(self):
+ # Mark this as private when someone is logged in
+ if self.current_user:
+ self.add_header("Cache-Control", "private")
+
+ self.add_header("Vary", "Cookie")
diff --git a/src/web/blog.py b/src/web/blog.py
index eefcf2ba..e02b1afd 100644
--- a/src/web/blog.py
+++ b/src/web/blog.py
@@ -6,19 +6,21 @@ import tornado.web
 from . import handlers_base as base
+from . import auth
 from . import ui_modules
-class IndexHandler(base.BaseHandler):
+class IndexHandler(auth.CacheMixin, base.BaseHandler):
 def get(self):
 posts = self.backend.blog.get_newest(limit=3)
 # Allow this to be cached for 5 minutes
- self.set_expires(300)
+ if not self.current_user:
+ self.set_expires(300)
 self.render("blog/index.html", posts=posts)
-class AuthorHandler(base.BaseHandler):
+class AuthorHandler(auth.CacheMixin, base.BaseHandler):
 def get(self, uid):
 author = self.accounts.get_by_uid(uid)
 if not author:
@@ -30,7 +32,8 @@ class AuthorHandler(base.BaseHandler):
 raise tornado.web.HTTPError(404, "User has no posts")
 # Allow this to be cached for 10 minutes
- self.set_expires(600)
+ if not self.current_user:
+ self.set_expires(600)
 self.render("blog/author.html", author=author, posts=posts)
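Review bot: `CacheMixin` in `src/web/auth.py` makes the `Cache-Control: private` marking opt-in, so it now fails open: the `handlers_base.py` hunk deletes `BaseHandler.prepare()`, and any handler that derives only from `base.BaseHandler` stops sending `private` (and never gets `Vary: Cookie`) for a logged-in user. `FeedHandler`, `RawHandler` and `AvatarHandler` are left without the mixin in the visible hunks, which looks deliberate, but handlers in files this commit does not touch are not visible here and should be checked for per-user output. `prepare()` also does not chain, so a `prepare()` later re-added to `BaseHandler` would be skipped for every handler that lists the mixin first; `super(CacheMixin, self).prepare()` as its first statement keeps the MRO intact. A class docstring along the lines of `"""Mix in before BaseHandler on every handler whose response depends on the session cookie."""` would document the ordering and the opt-in rule.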
@@ -53,7 +56,7 @@ class FeedHandler(base.BaseHandler):
 self.finish(feed)
-class PostHandler(base.BaseHandler):
+class PostHandler(auth.CacheMixin, base.BaseHandler):
 def get(self, slug):
 post = self.backend.blog.get_by_slug(slug, published=not self.current_user)
 if not post:
@@ -66,7 +69,7 @@ class PostHandler(base.BaseHandler):
 self.render("blog/post.html", post=post)
-class PublishHandler(base.BaseHandler):
+class PublishHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def post(self, slug):
 post = self.backend.blog.get_by_slug(slug, published=not self.current_user)
@@ -86,7 +89,7 @@ class PublishHandler(base.BaseHandler):
 self.redirect("/post/%s" % post.slug)
-class DraftsHandler(base.BaseHandler):
+class DraftsHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 drafts = self.backend.blog.get_drafts(author=self.current_user)
@@ -94,7 +97,7 @@ class DraftsHandler(base.BaseHandler):
 self.render("blog/drafts.html", drafts=drafts)
-class SearchHandler(base.BaseHandler):
+class SearchHandler(auth.CacheMixin, base.BaseHandler):
 def get(self):
 q = self.get_argument("q")
@@ -105,7 +108,7 @@ class SearchHandler(base.BaseHandler):
 self.render("blog/search-results.html", q=q, posts=posts)
-class TagHandler(base.BaseHandler):
+class TagHandler(auth.CacheMixin, base.BaseHandler):
 def get(self, tag):
 posts = self.backend.blog.get_by_tag(tag)
 if not posts:
@@ -117,7 +120,7 @@ class TagHandler(base.BaseHandler):
 self.render("blog/tag.html", posts=list(posts), tag=tag)
-class YearHandler(base.BaseHandler):
+class YearHandler(auth.CacheMixin, base.BaseHandler):
 def get(self, year):
 posts = self.backend.blog.get_by_year(year)
 if not posts:
@@ -129,7 +132,7 @@ class YearHandler(base.BaseHandler):
 self.render("blog/year.html", posts=posts, year=year)
-class ComposeHandler(base.BaseHandler):
+class ComposeHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 self.render("blog/compose.html", post=None)
@@ -147,7 +150,7 @@ class ComposeHandler(base.BaseHandler):
 self.redirect("/drafts")
-class EditHandler(base.BaseHandler):
+class EditHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, slug):
 post = self.backend.blog.get_by_slug(slug, published=False)
diff --git a/src/web/handlers_base.py b/src/web/handlers_base.py
index 26fc43e7..91ad2d72 100644
--- a/src/web/handlers_base.py
+++ b/src/web/handlers_base.py
@@ -12,15 +12,6 @@ import tornado.web
 from .. import util
 class BaseHandler(tornado.web.RequestHandler):
- # Indicates if content should always be cached,
- # even when a user is logged in
- always_cache = False
-
- def prepare(self):
- # Mark this as private when someone is logged in
- if not self.always_cache and self.current_user:
- self.add_header("Cache-Control", "private")
-
 def set_expires(self, seconds):
 # For HTTP/1.1
 self.add_header("Cache-Control", "max-age=%s, must-revalidate" % seconds)
diff --git a/src/web/nopaste.py b/src/web/nopaste.py
index 13917cfc..0f8a92e6 100644
--- a/src/web/nopaste.py
+++ b/src/web/nopaste.py
@@ -2,6 +2,7 @@ import tornado.web
+from . import auth
 from . import handlers_base as base
 from . import ui_modules
@@ -83,7 +84,7 @@ class RawHandler(base.BaseHandler):
 self.finish(content)
-class ViewHandler(base.BaseHandler):
+class ViewHandler(auth.CacheMixin, base.BaseHandler):
 def get(self, uid):
 entry = self.backend.nopaste.get(uid)
 if not entry:
@@ -95,6 +96,9 @@ class ViewHandler(base.BaseHandler):
 else:
 content = None
+ # Set expiry headers
+ self.set_expires(3600)
+
 self.render("nopaste/view.html", entry=entry, content=content)
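Review bot: In `src/web/nopaste.py`, `ViewHandler.get()` calls `self.set_expires(3600)` unconditionally, while the blog handlers in this commit wrap the same call in `if not self.current_user:`. For a logged-in user the response then carries `Cache-Control: private` from `CacheMixin.prepare()` next to `max-age=3600, must-revalidate`, because both sides use `add_header()`. The `# For HTTP/1.1` comment in `set_expires()` suggests an `Expires` header is written as well (that part is outside the hunk), and an HTTP/1.0 cache may follow it without honouring `private`. Unless the paste view is identical for every viewer, apply the same guard here: `if not self.current_user:` followed by `self.set_expires(3600)`. The rest of `get()` lies outside the hunk.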
diff --git a/src/web/people.py b/src/web/people.py
index 45955e6b..cd6e932f 100644
--- a/src/web/people.py
+++ b/src/web/people.py
@@ -6,18 +6,17 @@ import logging
 import sshpubkeys
 import tornado.web
+from . import auth
 from . import handlers_base as base
 from . import ui_modules
-class IndexHandler(base.BaseHandler):
+class IndexHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 self.render("people/index.html")
 class AvatarHandler(base.BaseHandler):
- always_cache = True
-
 def get(self, uid):
 # Get the desired size of the avatar file
 size = self.get_argument("size", 0)
@@ -54,7 +53,7 @@ class AvatarHandler(base.BaseHandler):
 self.finish(avatar)
-class CallsHandler(base.BaseHandler):
+class CallsHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid, date=None):
 account = self.backend.accounts.get_by_uid(uid)
@@ -72,7 +71,7 @@ class CallsHandler(base.BaseHandler):
 self.render("people/calls.html", account=account, date=date)
-class CallHandler(base.BaseHandler):
+class CallHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid, uuid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -88,13 +87,13 @@ class CallHandler(base.BaseHandler):
 self.render("people/call.html", account=account, call=call)
-class ConferencesHandler(base.BaseHandler):
+class ConferencesHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 self.render("people/conferences.html", conferences=self.backend.talk.conferences)
-class SearchHandler(base.BaseHandler):
+class SearchHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 q = self.get_argument("q")
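Review bot: For the `@tornado.web.authenticated` handlers in `src/web/people.py`, `Cache-Control: private` from `CacheMixin` only keeps shared caches out; the user's own browser may still store the response. If views such as the SIP, SSH-key or password pages (later hunks of this file) show account data that should not remain on a shared workstation, they would want `no-store` instead, for example `self.set_header("Cache-Control", "no-store")` in a `prepare()` override for those handlers. `AvatarHandler` drops `always_cache = True` and takes no mixin, so avatars stay cacheable for everyone, which is safe only if the avatar never depends on who is asking; the body of its `get()` is outside the hunk.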
@@ -110,7 +109,7 @@ class SearchHandler(base.BaseHandler):
 self.render("people/search.html", q=q, accounts=accounts)
-class SSHKeysIndexHandler(base.BaseHandler):
+class SSHKeysIndexHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -120,7 +119,7 @@ class SSHKeysIndexHandler(base.BaseHandler):
 self.render("people/ssh-keys/index.html", account=account)
-class SSHKeysDownloadHandler(base.BaseHandler):
+class SSHKeysDownloadHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid, hash_sha256):
 account = self.backend.accounts.get_by_uid(uid)
@@ -138,7 +137,7 @@ class SSHKeysDownloadHandler(base.BaseHandler):
 self.finish(key.keydata)
-class SSHKeysUploadHandler(base.BaseHandler):
+class SSHKeysUploadHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -179,7 +178,7 @@ class SSHKeysUploadHandler(base.BaseHandler):
 self.redirect("/users/%s/ssh-keys" % account.uid)
-class SSHKeysDeleteHandler(base.BaseHandler):
+class SSHKeysDeleteHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid, hash_sha256):
 account = self.backend.accounts.get_by_uid(uid)
@@ -215,7 +214,7 @@ class SSHKeysDeleteHandler(base.BaseHandler):
 self.redirect("/users/%s/ssh-keys" % account.uid)
-class SIPHandler(base.BaseHandler):
+class SIPHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -229,13 +228,13 @@ class SIPHandler(base.BaseHandler):
 self.render("people/sip.html", account=account)
-class UsersHandler(base.BaseHandler):
+class UsersHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self):
 self.render("people/users.html")
-class UserHandler(base.BaseHandler):
+class UserHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -245,7 +244,7 @@ class UserHandler(base.BaseHandler):
 self.render("people/user.html", account=account)
-class UserEditHandler(base.BaseHandler):
+class UserEditHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)
@@ -298,7 +297,7 @@ class UserEditHandler(base.BaseHandler):
 self.redirect("/users/%s" % account.uid)
-class UserPasswdHandler(base.BaseHandler):
+class UserPasswdHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
 def get(self, uid):
 account = self.backend.accounts.get_by_uid(uid)