Cache FetchMiddleware checks cache for auth despite UNAUTH_ONLY=True
| Reported by: | subsume | Owned by: | nobody |
| Component: | Core (Cache system) | Version: | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
The Fetch middleware makes no explicit check of its own against settings.CACHE_MIDDLEWARE_UNAUTHENTICATED_ONLY. This results in a check to the cache for the key. Currently, the only way it happens to work is because the key created by django.utils.cache.get_cache_key happens to cause a miss. If you use a simpler key which doesn't take into account the user's session, the key will not miss and authenticated users will get a cached version despite the rather unambiguous setting.
Related to #17305 in the sense that this is another stumbling block for people wanting to customize the Cache Middlewares.
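
The failure mode described in this ticket, as an added example that is neither Django's code nor the reporter's: a simplified stand-alone model of a fetch/update middleware pair, showing the accidental miss, the hit with a session-blind key, and the effect of an explicit check on the fetch side. The class, key functions, `UNAUTH_ONLY` flag and sample requests are hypothetical stand-ins, and the model assumes the update side already honours the setting.

```python
# Simplified stand-alone model (not Django's code); all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

UNAUTH_ONLY = True  # stands in for the setting named in the ticket


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means anonymous


def session_aware_key(req):
    # Key varies with the user's session, so a logged-in request misses by accident.
    return f"{req.path}|{req.user or ''}"


def simple_key(req):
    # Custom key that ignores the session.
    return req.path


class CacheMiddleware:
    def __init__(self, key_func, fetch_checks_auth):
        self.cache, self.key_func = {}, key_func
        self.fetch_checks_auth = fetch_checks_auth

    def fetch(self, req):
        # The explicit check the ticket says is missing on the fetch side.
        if self.fetch_checks_auth and UNAUTH_ONLY and req.user is not None:
            return None
        return self.cache.get(self.key_func(req))

    def handle(self, req):
        hit = self.fetch(req)
        if hit is not None:
            return hit
        body = f"page for {req.user or 'anonymous'}"
        # Assumption: the update side already skips authenticated responses.
        if not (UNAUTH_ONLY and req.user is not None):
            self.cache[self.key_func(req)] = body
        return body


def serve_anon_then_user(key_func, fetch_checks_auth):
    # Constructed traffic: an anonymous hit on a path, then a logged-in one.
    mw = CacheMiddleware(key_func, fetch_checks_auth)
    mw.handle(Request("/account/"))
    return mw.handle(Request("/account/", user="alice"))
```
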