
Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#17313 closed Bug (invalid)

Cache FetchMiddleware checks cache for auth despite UNAUTH_ONLY=True

Reported by: subsume Owned by: nobody
Component: Core (Cache system) Version:
Severity: Normal Keywords:
Cc: subsume@… Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

https://code.djangoproject.com/browser/django/trunk/django/middleware/cache.py#L133

The Fetch middleware makes no explicit check of its own to settings.CACHE_MIDDLEWARE_UNAUTHENTICATED_ONLY. This results in a check to the cache for the key. Currently, the only way it happens to work is because the key created by django.utils.cache.get_cache_key happens to cause a miss. If you use a simpler key which doesn't take into account the user's session, the key will not miss and authenticated users will get a cached version despite the rather unambiguous setting.

Related to #17305 in the sense that this is another stumbling block for people wanting to customize the Cache Middlewares.
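The behaviour the ticket describes, modelled in plain Python as an added example (not Django's code): a fetch side that only "works" because the key misses for logged-in users starts serving cached content to them once the key stops depending on the session. The request class, the dict cache, the `/profile/` path and the `check_on_fetch` switch are all constructed for this illustration.

```python
# Added model of the ticket's point, not django.middleware.cache itself.
# It shows why the fetch side needs its own anonymous-only check instead of
# relying on get_cache_key happening to miss for authenticated users.

class Request:
    """Minimal stand-in for an HttpRequest (constructed for this example)."""
    def __init__(self, path, authenticated):
        self.path = path
        self.authenticated = authenticated

cache = {}  # stand-in for the cache backend

def simple_cache_key(request):
    # A key that ignores the session/user, as the ticket describes.
    return "views.decorators.cache." + request.path

def should_bypass_for_user(request, anonymous_only):
    # The fetch-side check the ticket says is missing: with the anonymous-only
    # setting on, an authenticated request must never be answered from cache.
    return anonymous_only and request.authenticated

def fetch_from_cache(request, anonymous_only, check_on_fetch):
    # check_on_fetch=False mirrors the reported behaviour (no check of its own).
    if check_on_fetch and should_bypass_for_user(request, anonymous_only):
        return None
    return cache.get(simple_cache_key(request))

def update_cache(request, response, anonymous_only):
    # Mirrors the update-side rule comment:2 points at: with anonymous-only
    # set, only responses to anonymous requests are stored.
    if anonymous_only and request.authenticated:
        return False
    cache[simple_cache_key(request)] = response
    return True

def run_scenario(check_on_fetch):
    """An anonymous user warms the cache; an authenticated user then
    requests the same path. Returns what the authenticated user is served."""
    cache.clear()
    anon = Request("/profile/", authenticated=False)
    update_cache(anon, "anonymous page", anonymous_only=True)
    user = Request("/profile/", authenticated=True)
    return fetch_from_cache(user, anonymous_only=True,
                            check_on_fetch=check_on_fetch)

if __name__ == "__main__":
    print("no fetch-side check:", run_scenario(check_on_fetch=False))  # anonymous page
    print("with fetch-side check:", run_scenario(check_on_fetch=True))  # None
```

The first run shows the authenticated user served the cached anonymous response despite the setting; the second shows the fetch side bypassing the cache once it performs the check itself.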

Attachments (0)

Change History (3)

comment:1 Changed 2 years ago by subsume

  • Cc subsume@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 2 years ago by ptone

  • Resolution set to invalid
  • Status changed from new to closed

I believe the setting you are referring to is: CACHE_MIDDLEWARE_ANONYMOUS_ONLY

If the content and associated key does not involve any user specific data, then it can be cached as if that user were an anonymous user. The logic for this is actually in UpdateCacheMiddleware._should_update_cache

See discussion and fix associated with: #13283

Also note: #15201

comment:3 Changed 2 years ago by subsume

The problem I illustrate above is entirely on the Fetch side.
