Problem/Motivation

HttpExceptionNormalizer sets the response's cache max age to 0 if the error reporting level is verbose, presumable to avoid caching the exception trace. However, the trace and the verbose information is only added if the error level is verbose and the user has access to the site reports. If the latter is not the case the cache max age is still set to 0 for (as far as I can tell) no reason.

Note that currently the cache max age does not bubble correctly to the page cache (not only, but also) for 404 or 403 responses, see #2352009: Bubbling of elements' max-age to the page's headers and the page cache.

Steps to reproduce

Access the JSON:API resource of an entity that references an entity that the user does not have access to with a user that does not have the access site reports permission and inspect the X-Drupal-Cache-Max-Age debug cache header. It will be 0, but it should be -1.

Proposed resolution

Only set the cache max age to 0 if the user has the access site reports permission.

Remaining tasks

User interface changes

-

Introduced terminology

-

API changes

-

Data model changes

-

Release notes snippet

Issue fork drupal-3555974

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

tstoeckler created an issue. See original summary.

tstoeckler’s picture

Status: Active » Needs review

Created an MR with a fix

bbrala’s picture

This looks goodf and makes sense. Only thing i might be sligtly worries about is the increase in variation on the cache because of user.permissions. But I think it should be fine.

bbrala’s picture

Status: Needs review » Reviewed & tested by the community
longwave’s picture

Version: 11.x-dev » 11.3.x-dev
Status: Reviewed & tested by the community » Fixed

Agree this makes sense, had the same concern as #4 when I read the changes but I think given this is for an error condition that it is acceptable.

Backported to 11.3.x as an eligible bug fix. This could go to 10.6.x as well but the patch doesn't apply, so leaving that for now.

Committed and pushed e1e87688c70 to 11.x and 3624059ee55 to 11.3.x. Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

  • longwave committed 3624059e on 11.3.x
    fix: #3555974 HttpExceptionNormalizer sets cache-max to 0 unnecessarily...

  • longwave committed e1e87688 on 11.x
    fix: #3555974 HttpExceptionNormalizer sets cache-max to 0 unnecessarily...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.