Adds @Cache-Control: no-store@ header to login, lost password, change password and sudo pages (#42998).

Patch by Go MAEDA (user:maeda). git-svn-id: https://svn.redmine.org/redmine/trunk@23908 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-26 07:46:17 +01:00 · 2025-08-10 13:23:14 +00:00
parent 1a5fb1325b
commit d79fe0df9a
6 changed files with 15 additions and 0 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -36,6 +36,7 @@ class AccountController < ApplicationController
        redirect_back_or_default home_url, :referer => true
      end
    end
+    no_store
  rescue AuthSourceException => e
    logger.error "An error occurred when authenticating #{params[:username]}: #{e.message}"
    render_error :message => e.message
@@ -95,6 +96,7 @@ class AccountController < ApplicationController
          end
        end
      end
+      no_store
      render :template => "account/password_recovery"
      return
    else
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -115,6 +115,7 @@ class MyController < ApplicationController
        end
      end
    end
+    no_store
  end

  # Create a new feeds key
--- a/lib/redmine/sudo_mode.rb
+++ b/lib/redmine/sudo_mode.rb
@@ -124,6 +124,7 @@ module Redmine
        @sudo_form.original_fields = params.slice(*param_names)
        # a simple 'render "sudo_mode/new"' works when used directly inside an
        # action, but not when called from a before_action:
+        no_store
        respond_to do |format|
          format.html {render 'sudo_mode/new'}
          format.js   {render 'sudo_mode/new'}
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -27,6 +27,7 @@ class AccountControllerTest < Redmine::ControllerTest
  def test_get_login
    get :login
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'

    assert_select 'input[name=username][autocomplete=username]'
    assert_select 'input[name=password][autocomplete=current-password]'
@@ -521,6 +522,7 @@ class AccountControllerTest < Redmine::ControllerTest

    get :lost_password
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'

    assert_select 'input[type=hidden][name=token][value=?]', token.value
  end
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -599,6 +599,7 @@ class MyControllerTest < Redmine::ControllerTest
  def test_change_password
    get :password
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
    assert_select 'input[type=password][name=password][autocomplete=current-password]'
    assert_select 'input[type=password][name=new_password][autocomplete=new-password]'
    assert_select 'input[type=password][name=new_password_confirmation][autocomplete=new-password]'
--- a/test/integration/sudo_mode_test.rb
+++ b/test/integration/sudo_mode_test.rb
@@ -259,6 +259,14 @@ class SudoModeTest < Redmine::IntegrationTest
    end
  end

+  def test_sudo_mode_should_include_cache_control_no_store
+    log_user("admin", "admin")
+    expire_sudo_mode!
+    get '/settings'
+    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+  end
+
  private

  # sudo mode is active after sign, let it expire by advancing the time