Mark sensitive repository forms with Cache-Control: no-store (#42998).

Patch by Holger Just (user:hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@23943 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb

@@ -171,6 +171,8 @@ class AccountController < ApplicationController
         end
       end
     end
+
+    no_store
   end
 
   # Token based account activation

test/functional/account_controller_test.rb

@@ -289,6 +289,7 @@ class AccountControllerTest < Redmine::ControllerTest
     with_settings :self_registration => '3' do
       get :register
       assert_response :success
+      assert_includes @response.headers['Cache-Control'], 'no-store'
 
       assert_select 'input[name=?]', 'user[password]'
       assert_select 'input[name=?]', 'user[password_confirmation]'
@@ -355,6 +356,27 @@ class AccountControllerTest < Redmine::ControllerTest
     end
   end
 
+  def test_post_register_with_failure
+    post(
+      :register,
+      :params => {
+        :user => {
+          :login => 'register',
+          :password => 'secret123',
+          :password_confirmation => 'secret1234567890',
+          :firstname => 'John',
+          :lastname => 'Doe',
+          :mail => 'register@example.com'
+        }
+      }
+    )
+
+    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
+    assert_select_error /Password doesn't match confirmation/i
+  end
+
   def test_post_register_with_registration_off_should_redirect
     with_settings :self_registration => '0' do
       assert_no_difference 'User.count' do