Adds @Cache-Control: no-store@ header to login, lost password, change password and sudo pages (#42998).

Patch by Go MAEDA (user:maeda).

git-svn-id: https://svn.redmine.org/redmine/trunk@23908 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb

@@ -36,6 +36,7 @@ class AccountController < ApplicationController
         redirect_back_or_default home_url, :referer => true
       end
     end
+    no_store
   rescue AuthSourceException => e
     logger.error "An error occurred when authenticating #{params[:username]}: #{e.message}"
     render_error :message => e.message
@@ -95,6 +96,7 @@ class AccountController < ApplicationController
           end
         end
       end
+      no_store
       render :template => "account/password_recovery"
       return
     else

app/controllers/my_controller.rb

@@ -115,6 +115,7 @@ class MyController < ApplicationController
         end
       end
     end
+    no_store
   end
 
   # Create a new feeds key

lib/redmine/sudo_mode.rb

@@ -124,6 +124,7 @@ module Redmine
         @sudo_form.original_fields = params.slice(*param_names)
         # a simple 'render "sudo_mode/new"' works when used directly inside an
         # action, but not when called from a before_action:
+        no_store
         respond_to do |format|
           format.html {render 'sudo_mode/new'}
           format.js   {render 'sudo_mode/new'}

test/functional/account_controller_test.rb

@@ -27,6 +27,7 @@ class AccountControllerTest < Redmine::ControllerTest
   def test_get_login
     get :login
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
 
     assert_select 'input[name=username][autocomplete=username]'
     assert_select 'input[name=password][autocomplete=current-password]'
@@ -521,6 +522,7 @@ class AccountControllerTest < Redmine::ControllerTest
 
     get :lost_password
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
 
     assert_select 'input[type=hidden][name=token][value=?]', token.value
   end

test/functional/my_controller_test.rb

@@ -599,6 +599,7 @@ class MyControllerTest < Redmine::ControllerTest
   def test_change_password
     get :password
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select 'input[type=password][name=password][autocomplete=current-password]'
     assert_select 'input[type=password][name=new_password][autocomplete=new-password]'
     assert_select 'input[type=password][name=new_password_confirmation][autocomplete=new-password]'

test/integration/sudo_mode_test.rb

@@ -259,6 +259,14 @@ class SudoModeTest < Redmine::IntegrationTest
     end
   end
 
+  def test_sudo_mode_should_include_cache_control_no_store
+    log_user("admin", "admin")
+    expire_sudo_mode!
+    get '/settings'
+    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
+  end
+
   private
 
   # sudo mode is active after sign, let it expire by advancing the time