Mark sensitive user forms with Cache-Control: no-store (#42998).

Patch by Holger Just (user:hjust). git-svn-id: https://svn.redmine.org/redmine/trunk@23942 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-14 17:26:06 +01:00 · 2025-09-07 06:15:43 +00:00
parent 5f4ce0fe0e
commit e67680a694
2 changed files with 27 additions and 4 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -121,6 +121,8 @@ class UsersController < ApplicationController
                     :mail_notification => Setting.default_notification_option)
    @user.safe_attributes = params[:user]
    @auth_sources = AuthSource.all
+
+    no_store
  end

  def create
@@ -157,8 +159,14 @@ class UsersController < ApplicationController
      @user.password = @user.password_confirmation = nil

      respond_to do |format|
-        format.html {render :action => 'new'}
-        format.api  {render_validation_errors(@user)}
+        format.html do
+          no_store
+          render :action => 'new'
+        end
+
+        format.api do
+          render_validation_errors(@user)
+        end
      end
    end
  end
@@ -166,6 +174,8 @@ class UsersController < ApplicationController
  def edit
    @auth_sources = AuthSource.all
    @membership ||= Member.new
+
+    no_store
  end

  def update
@@ -203,8 +213,13 @@ class UsersController < ApplicationController
      @user.password = @user.password_confirmation = nil

      respond_to do |format|
-        format.html {render :action => :edit}
-        format.api  {render_validation_errors(@user)}
+        format.html do
+          no_store
+          render :action => :edit
+        end
+        format.api do
+          render_validation_errors(@user)
+        end
      end
    end
  end
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -438,6 +438,8 @@ class UsersControllerTest < Redmine::ControllerTest
  def test_new
    get :new
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select 'input[name=?]', 'user[login]'
    assert_select 'label[for=?]>span.required', 'user_password', 1
  end
@@ -554,6 +556,8 @@ class UsersControllerTest < Redmine::ControllerTest
      post :create, :params => {:user => {:login => 'foo'}}
    end
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select_error /Email cannot be blank/
  end

@@ -640,6 +644,8 @@ class UsersControllerTest < Redmine::ControllerTest
    end

    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select 'h2>a+img.gravatar'
    assert_select 'input[name=?][value=?]', 'user[login]', 'jsmith'
    assert_select 'label[for=?]>span.required', 'user_password', 0
@@ -695,6 +701,8 @@ class UsersControllerTest < Redmine::ControllerTest
      }
    end
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select_error /First name cannot be blank/
  end