From fba66ebafb56ac40fa0f070e307693c6e1406465 Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 10 Oct 2021 18:31:04 +0200
Subject: [PATCH] Tell the browser not to cache the admin pages

After logging out, it should not be possible to view the admin pages without reloading.
---
 .../app/controllers/admin/base_controller.rb | 6 ++++++
 .../spec/requests/admin/dashboard_spec.rb | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 publify_core/spec/requests/admin/dashboard_spec.rb

diff --git a/publify_core/app/controllers/admin/base_controller.rb b/publify_core/app/controllers/admin/base_controller.rb
index fbbb119048..ed50d7ee1a 100644
--- a/publify_core/app/controllers/admin/base_controller.rb
+++ b/publify_core/app/controllers/admin/base_controller.rb
@@ -10,6 +10,7 @@ class Admin::BaseController < BaseController
   layout "administration"
 
   before_action :login_required, except: [:login, :signup]
+  before_action :no_caching
 
   private
 
@@ -24,4 +25,9 @@ def destroy_a(klass_to_destroy)
                              name: controller_name.humanize)
     redirect_to action: "index"
   end
+
+  def no_caching
+    response.cache_control[:extras] =
+      ["no-cache", "max-age=0", "must-revalidate", "no-store"]
+  end
 end
diff --git a/publify_core/spec/requests/admin/dashboard_spec.rb b/publify_core/spec/requests/admin/dashboard_spec.rb
new file mode 100644
index 0000000000..7b2395a526
--- /dev/null
+++ b/publify_core/spec/requests/admin/dashboard_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "Admin::Dashboard", type: :request do
+  before do
+    create(:blog)
+    henri = create(:user, :as_admin)
+    sign_in henri
+  end
+
+  describe "GET /admin" do
+    it "tells the browser not to cache" do
+      get admin_dashboard_path
+      expect(response.headers["Cache-Control"]).
+        to eq "private, no-cache, max-age=0, must-revalidate, no-store"
+    end
+  end
+end
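Review bot: The new `no_caching` method in the second hunk of base_controller.rb carries no comment, so the reason for this exact directive set lives only in the commit message; a maintainer seeing `max-age=0` next to `no-store` may later "simplify" it. I would add above the method: `# Admin pages must not be replayable from the browser cache after logout (back button); no-store is the directive that prevents that, the others cover caches that ignore it.` It is also worth noting in that comment that the assignment to `response.cache_control[:extras]` deliberately replaces any extras an earlier filter may have set, since a stale `max-age` left in place would contradict the policy — that replacement looks intended here but should be stated. The filter registration in the first hunk applies to every action including login and signup, which is the right choice for credential forms and could be noted there too. The enclosing `Admin::BaseController` class begins outside both hunks.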
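Review bot: The expectation in dashboard_spec.rb pins the full `Cache-Control` string, including the leading `private` and the directive order, which are produced by the framework's header normalization rather than by the filter under test; a framework upgrade that reorders or re-serializes the header would fail this example without any regression in the policy. I would assert on the directives that matter: `expect(response.headers["Cache-Control"].split(", ")).to include("no-store", "no-cache", "must-revalidate")`. The example covers only the dashboard while signed in; since the filter sits in the base controller that is presumably representative, but a sentence in the `it` description saying the header comes from `Admin::BaseController` would make the coverage intent clear.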