Tell the browser not to cache the admin pages

After logging out, it should not be possible to view the admin pages without reloading.
publify · Oct 10, 2021 · fba66eb · fba66eb
1 parent 243bbba
commit fba66eb
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/publify_core/app/controllers/admin/base_controller.rb b/publify_core/app/controllers/admin/base_controller.rb
@@ -10,6 +10,7 @@ class Admin::BaseController < BaseController
   layout "administration"
 
   before_action :login_required, except: [:login, :signup]
+  before_action :no_caching
 
   private
 
@@ -24,4 +25,9 @@ def destroy_a(klass_to_destroy)
                             name: controller_name.humanize)
     redirect_to action: "index"
   end
+
+  def no_caching
+    response.cache_control[:extras] =
+      ["no-cache", "max-age=0", "must-revalidate", "no-store"]
+  end
 end
diff --git a/publify_core/spec/requests/admin/dashboard_spec.rb b/publify_core/spec/requests/admin/dashboard_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "Admin::Dashboard", type: :request do
+  before do
+    create(:blog)
+    henri = create(:user, :as_admin)
+    sign_in henri
+  end
+
+  describe "GET /admin" do
+    it "tells the browser not to cache" do
+      get admin_dashboard_path
+      expect(response.headers["Cache-Control"]).
+        to eq "private, no-cache, max-age=0, must-revalidate, no-store"
+    end
+  end
+end