Mark sensitive user forms with Cache-Control: no-store (#42998).

Patch by Holger Just (user:hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@23942 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2025-09-07 06:15:43 +00:00
parent 5f4ce0fe0e
commit e67680a694
2 changed files with 27 additions and 4 deletions


@@ -121,6 +121,8 @@ class UsersController < ApplicationController
:mail_notification => Setting.default_notification_option) :mail_notification => Setting.default_notification_option)
@user.safe_attributes = params[:user] @user.safe_attributes = params[:user]
@auth_sources = AuthSource.all @auth_sources = AuthSource.all
no_store
end end
def create def create
@@ -157,8 +159,14 @@ class UsersController < ApplicationController
@user.password = @user.password_confirmation = nil @user.password = @user.password_confirmation = nil
respond_to do |format| respond_to do |format|
format.html {render :action => 'new'} format.html do
format.api {render_validation_errors(@user)} no_store
render :action => 'new'
end
format.api do
render_validation_errors(@user)
end
end end
end end
end end
@@ -166,6 +174,8 @@ class UsersController < ApplicationController
def edit def edit
@auth_sources = AuthSource.all @auth_sources = AuthSource.all
@membership ||= Member.new @membership ||= Member.new
no_store
end end
def update def update
@@ -203,8 +213,13 @@ class UsersController < ApplicationController
@user.password = @user.password_confirmation = nil @user.password = @user.password_confirmation = nil
respond_to do |format| respond_to do |format|
format.html {render :action => :edit} format.html do
format.api {render_validation_errors(@user)} no_store
render :action => :edit
end
format.api do
render_validation_errors(@user)
end
end end
end end
end end
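Review bot: The `format.api do render_validation_errors(@user) end` branches of the validation-failure paths in both the create and the update hunk respond without `no_store`, while their `format.html` siblings now carry it; if `render_validation_errors` emits only error messages this gap is probably harmless, but it should be a recorded decision rather than an omission, since the API response is produced from the same submitted account data. A single `before_action :no_store, only: %i[new create edit update]` in this controller would cover every branch uniformly (the redirect responses on success would carry the header harmlessly) and replace the four scattered calls; this assumes `no_store` is the helper that sets `Cache-Control: no-store`, which is defined outside these hunks. The `create` and `update` methods begin outside their hunks, so any other render paths they contain are not visible here. A short comment at the `new`/`edit` calls, e.g. `# form contains password fields and echoes account data; keep it out of browser and proxy caches`, would record why these actions are excluded from caching.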


@@ -438,6 +438,8 @@ class UsersControllerTest < Redmine::ControllerTest
def test_new def test_new
get :new get :new
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'input[name=?]', 'user[login]' assert_select 'input[name=?]', 'user[login]'
assert_select 'label[for=?]>span.required', 'user_password', 1 assert_select 'label[for=?]>span.required', 'user_password', 1
end end
@@ -554,6 +556,8 @@ class UsersControllerTest < Redmine::ControllerTest
post :create, :params => {:user => {:login => 'foo'}} post :create, :params => {:user => {:login => 'foo'}}
end end
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select_error /Email cannot be blank/ assert_select_error /Email cannot be blank/
end end
@@ -640,6 +644,8 @@ class UsersControllerTest < Redmine::ControllerTest
end end
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'h2>a+img.gravatar' assert_select 'h2>a+img.gravatar'
assert_select 'input[name=?][value=?]', 'user[login]', 'jsmith' assert_select 'input[name=?][value=?]', 'user[login]', 'jsmith'
assert_select 'label[for=?]>span.required', 'user_password', 0 assert_select 'label[for=?]>span.required', 'user_password', 0
@@ -695,6 +701,8 @@ class UsersControllerTest < Redmine::ControllerTest
} }
end end
assert_response :success assert_response :success
assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select_error /First name cannot be blank/ assert_select_error /First name cannot be blank/
end end