SECURITY: theme key should be an anon cache breaker

2025-05-21 18:12:32 +08:00 · 2017-06-15 09:36:27 -04:00
parent 8f48c20598
commit ac1f84d3e1
2 changed files with 26 additions and 1 deletions
--- a/spec/components/middleware/anonymous_cache_spec.rb
+++ b/spec/components/middleware/anonymous_cache_spec.rb
@ -31,6 +31,21 @@ describe Middleware::AnonymousCache::Helper do
    end
  end

+  context "per theme cache" do
+    it "handles theme keys" do
+      theme = Theme.create(name: "test", user_id: -1, user_selectable: true)
+
+      with_bad_theme_key = new_helper("HTTP_COOKIE" => "theme_key=abc").cache_key
+      with_no_theme_key = new_helper().cache_key
+
+      expect(with_bad_theme_key).to eq(with_no_theme_key)
+
+      with_good_theme_key = new_helper("HTTP_COOKIE" => "theme_key=#{theme.key}").cache_key
+
+      expect(with_good_theme_key).not_to eq(with_no_theme_key)
+    end
+  end
+
  context "cached" do
    let!(:helper) do
      new_helper("ANON_CACHE_DURATION" => 10)