def _assert_cache_anonymous_only(request, response):
"""
Assert that we only do caching for anonymous users.
This is pretty tricky and not everything is being checked.
This is only used by Finda Social which is defunct; so nobody cares.
Good decorators to use:
from django_cache_middleware.decorators import add_cache_headers
from django.views.decorators.cache import never_cache
"""
# We are allowed to access the user here, because the code that calls
# this method only runs when the session has already been accessed
# and/or the Vary: Cookie header was already added.
if request.user.is_authenticated():
# It is tricky to check that a response hasn't been added to the
# cache, but we can check that it hasn't been fetched from there.
assert 'X-From-Cache' not in response, 'You are logged in but it somehow served you a cached page.'
# Ensure that the vary header is there. If not, then the middleware
# is in the wrong order and things will be crazy.
assert has_vary_header(
response, 'Cookie'
), 'The "Vary: Cookie" header was not set, even though your cookie was accessed.'
def _should_update_cache(self, request, response):
"""Copied from Django 1.2.5 with no changes made."""
if not hasattr(request, '_cache_update_cache') or not request._cache_update_cache:
return False
if self.cache_anonymous_only and has_vary_header(response, 'Cookie'):
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django cache middleware with CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True "
"requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES "
"setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' "
"before the CacheMiddleware."
)
if request.user.is_authenticated():
# Don't cache user-variable requests from authenticated users.
return False
return True
def _should_update_cache(self, request, response):
"""Copied from Django 1.2.5 with no changes made."""
if not hasattr(
request,
'_cache_update_cache') or not request._cache_update_cache:
return False
if self.cache_anonymous_only and has_vary_header(response, 'Cookie'):
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django cache middleware with CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True "
"requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES "
"setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' "
"before the CacheMiddleware.")
if request.user.is_authenticated():
# Don't cache user-variable requests from authenticated users.
return False
return True
def _assert_cache_anonymous_only(request, response):
"""
Assert that we only do caching for anonymous users.
This is pretty tricky and not everything is being checked.
This is only used by Finda Social which is defunct; so nobody cares.
Good decorators to use:
from django_cache_middleware.decorators import add_cache_headers
from django.views.decorators.cache import never_cache
"""
# We are allowed to access the user here, because the code that calls
# this method only runs when the session has already been accessed
# and/or the Vary: Cookie header was already added.
if request.user.is_authenticated():
# It is tricky to check that a response hasn't been added to the
# cache, but we can check that it hasn't been fetched from there.
assert 'X-From-Cache' not in response, 'You are logged in but it somehow served you a cached page.'
# Ensure that the vary header is there. If not, then the middleware
# is in the wrong order and things will be crazy.
assert has_vary_header(response, 'Cookie'), 'The "Vary: Cookie" header was not set, even though your cookie was accessed.'
def process_response(self, request, response):
# Some built in django views have no caching headers. Ignore them.
for path in self.ignored_paths:
if request.path.startswith(path):
return response
if response.status_code == 304:
# Not Modified responses don't need to be checked. They will
# sometimes have unwanted headers at this point, which Django
# will remove later on in the base handler.
return response
if not self._typical_get_request(request, response):
# These types of requests/responses should never be cached, and
# thus should not have caching headers in the response.
# If they do have cache headers, then they must be "never cache"
# headers (a max-age of 0).
if get_max_age(response) not in (0, None):
raise InvalidHeadersWarning(
'Only non-secure GET/HEAD requests should have caching headers.'
)
else:
return response
if response.status_code != 200:
# We generally only cache responses with a status code of 200,
# but there are exceptions. As long as the other checks are done
# then this is OK to let through.
return response
# All typical GET requests must have some caching headers defined.
try:
self._assert_has_headers(response)
except AssertionError:
message = (
"This URL does not have the required caching headers. "
"Typical GET requests must return a response with caching headers defined at the view level. "
"The current headers are: %s")
header_list = [
': '.join(header) for header in response._headers.values()
]
headers = ', '.join(header_list)
raise InvalidHeadersWarning(message % headers)
session_was_accessed = hasattr(request,
'session') and request.session.accessed
if session_was_accessed or has_vary_header(response, 'Cookie'):
if settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY:
# When using this setting, all of the requirements for headers
# have changed. This is just for Finda Social, which has very
# different caching rules than the other sites.
try:
self._assert_cache_anonymous_only(request, response)
except AssertionError, error:
raise InvalidHeadersWarning(
'CACHE_MIDDLEWARE_ANONYMOUS_ONLY is enabled and the following occurred: %s'
% error)
else:
return response
if session_was_accessed:
message_info = "accessed the user's session (probably by simply accessing request.user)"
else:
message_info = "returned a response with the Vary: Cookie header"
message = "This URL has %s, but the response still has standard caching headers. You can't do both!" % message_info
# If the session has been accessed and/or the "Vary: Cookie" header
# exists, then the HTTP headers should specify that the response
# is not to be cached.
try:
self._assert_not_cached(response)
except AssertionError:
raise InvalidHeadersWarning(message)
def process_response(self, request, response):
# Some built in django views have no caching headers. Ignore them.
for path in self.ignored_paths:
if request.path.startswith(path):
return response
if response.status_code == 304:
# Not Modified responses don't need to be checked. They will
# sometimes have unwanted headers at this point, which Django
# will remove later on in the base handler.
return response
if not self._typical_get_request(request, response):
# These types of requests/responses should never be cached, and
# thus should not have caching headers in the response.
# If they do have cache headers, then they must be "never cache"
# headers (a max-age of 0).
if get_max_age(response) not in (0, None):
raise InvalidHeadersWarning('Only non-secure GET/HEAD requests should have caching headers.')
else:
return response
if response.status_code != 200:
# We generally only cache responses with a status code of 200,
# but there are exceptions. As long as the other checks are done
# then this is OK to let through.
return response
# All typical GET requests must have some caching headers defined.
try:
self._assert_has_headers(response)
except AssertionError:
message = (
"This URL does not have the required caching headers. "
"Typical GET requests must return a response with caching headers defined at the view level. "
"The current headers are: %s"
)
header_list = [': '.join(header) for header in response._headers.values()]
headers = ', '.join(header_list)
raise InvalidHeadersWarning(message % headers)
session_was_accessed = hasattr(request, 'session') and request.session.accessed
if session_was_accessed or has_vary_header(response, 'Cookie'):
if settings.CACHE_MIDDLEWARE_ANONYMOUS_ONLY:
# When using this setting, all of the requirements for headers
# have changed. This is just for Finda Social, which has very
# different caching rules than the other sites.
try:
self._assert_cache_anonymous_only(request, response)
except AssertionError, error:
raise InvalidHeadersWarning('CACHE_MIDDLEWARE_ANONYMOUS_ONLY is enabled and the following occurred: %s' % error)
else:
return response
if session_was_accessed:
message_info = "accessed the user's session (probably by simply accessing request.user)"
else:
message_info = "returned a response with the Vary: Cookie header"
message = "This URL has %s, but the response still has standard caching headers. You can't do both!" % message_info
# If the session has been accessed and/or the "Vary: Cookie" header
# exists, then the HTTP headers should specify that the response
# is not to be cached.
try:
self._assert_not_cached(response)
except AssertionError:
raise InvalidHeadersWarning(message)