From 5f4ce0fe0e6fc2d0c7dc718eb32733013cb6bd14 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 7 Sep 2025 06:15:09 +0000
Subject: [PATCH] Mark sensitive auth_source forms with Cache-Control: no-store (#42998).

Patch by Holger Just (user:hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@23941 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/auth_sources_controller.rb | 4 ++++
 test/functional/auth_sources_controller_test.rb | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/app/controllers/auth_sources_controller.rb b/app/controllers/auth_sources_controller.rb
index a88d87016..02d069103 100644
--- a/app/controllers/auth_sources_controller.rb
+++ b/app/controllers/auth_sources_controller.rb
@@ -32,6 +32,7 @@ class AuthSourcesController < ApplicationController
   end
 
   def new
+    no_store
   end
 
   def create
@@ -39,11 +40,13 @@ class AuthSourcesController < ApplicationController
       flash[:notice] = l(:notice_successful_create)
       redirect_to auth_sources_path
     else
+      no_store
       render :action => 'new'
     end
   end
 
   def edit
+    no_store
   end
 
   def update
@@ -52,6 +55,7 @@ class AuthSourcesController < ApplicationController
       flash[:notice] = l(:notice_successful_update)
       redirect_to auth_sources_path
     else
+      no_store
       render :action => 'edit'
     end
   end
diff --git a/test/functional/auth_sources_controller_test.rb b/test/functional/auth_sources_controller_test.rb
index 7909ef961..638b0de30 100644
--- a/test/functional/auth_sources_controller_test.rb
+++ b/test/functional/auth_sources_controller_test.rb
@@ -32,6 +32,7 @@ class AuthSourcesControllerTest < Redmine::ControllerTest
   def test_new
     get :new
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select 'form#auth_source_form' do
       assert_select 'input[name=type][value=AuthSourceLdap]'
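Review bot: The `no_store` call is placed by hand in each response path — here in `new`, and in the next three hunks in `create`'s failure branch, in `edit` and in `update`'s failure branch — so any later action that renders the same form, or a refactor that moves one of the `render` calls, silently drops the header again. A single filter at the top of the controller covers every response of those actions in one declaration, `before_action :no_store, :only => [:new, :create, :edit, :update]`, and the success paths lose nothing since they only redirect. The empty bodies of `new` and `edit` in these hunks suggest the record is already built in a filter, so this would match the controller's existing style; the `before_action` declarations themselves are outside the hunks. The class body starts before the first hunk and ends after the last one.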
@@ -88,6 +89,7 @@ class AuthSourcesControllerTest < Redmine::ControllerTest
         }
       )
       assert_response :success
+      assert_includes @response.headers['Cache-Control'], 'no-store'
     end
     assert_select_error /host cannot be blank/i
   end
@@ -100,6 +102,7 @@ class AuthSourcesControllerTest < Redmine::ControllerTest
       }
     )
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select 'form#auth_source_form' do
       assert_select 'input[name=?]', 'auth_source[host]'
@@ -163,6 +166,8 @@ class AuthSourcesControllerTest < Redmine::ControllerTest
       }
     )
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
     assert_select_error /host cannot be blank/i
   end
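Review bot: The same header assertion is pasted into four tests (this hunk and the two that follow, plus the one in the first hunk of this file), which makes the expected policy easy to drift when one copy is edited. A small helper in the test class, `def assert_no_store_response` wrapping `assert_includes @response.headers['Cache-Control'], 'no-store'`, keeps the check in one place and reads as intent at each call site. The methods `test_create_with_failure` and the edit/update tests that these hunks touch start before their hunks.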