Mark sensitive repository forms with Cache-Control: no-store (#42998).

Patch by Holger Just (user:hjust). git-svn-id: https://svn.redmine.org/redmine/trunk@23944 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-02-01 03:57:15 +00:00 · 2025-09-07 06:16:45 +00:00 · 2025-09-07 06:16:45 +00:00 · 686f5b15c0
commit 686f5b15c0
parent ddc61d80d7
2 changed files with 12 additions and 0 deletions
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@ -41,17 +41,20 @@ class RepositoriesController < ApplicationController

  def new
    @repository.is_default = @project.repository.nil?
+    no_store
  end

  def create
    if @repository.save
      redirect_to settings_project_path(@project, :tab => 'repositories')
    else
+      no_store
      render :action => 'new'
    end
  end

  def edit
+    no_store
  end

  def update
@ -59,6 +62,7 @@ class RepositoriesController < ApplicationController
    if @repository.save
      redirect_to settings_project_path(@project, :tab => 'repositories')
    else
+      no_store
      render :action => 'edit'
    end
  end
--- a/test/functional/repositories_controller_test.rb
+++ b/test/functional/repositories_controller_test.rb
@ -34,6 +34,8 @@ class RepositoriesControllerTest < Redmine::RepositoryControllerTest
      }
    )
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select 'select[name=?]', 'repository_scm' do
      assert_select 'option[value=?][selected=selected]', 'Subversion'
    end
@ -110,6 +112,8 @@ class RepositoriesControllerTest < Redmine::RepositoryControllerTest
      )
    end
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select_error /URL is invalid/
    assert_select 'select[name=?]', 'repository_scm' do
      assert_select 'option[value=?][selected=selected]', 'Subversion'
@ -120,6 +124,8 @@ class RepositoriesControllerTest < Redmine::RepositoryControllerTest
    @request.session[:user_id] = 1
    get(:edit, :params => {:id => 11})
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select 'input[name=?][value=?][disabled=disabled]', 'repository[url]', 'svn://localhost/test'
  end

@ -150,6 +156,8 @@ class RepositoriesControllerTest < Redmine::RepositoryControllerTest
      }
    )
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+
    assert_select_error /Password is too long/
  end