Problem/Motivation
HttpExceptionNormalizer sets the response's cache max age to 0 if the error reporting level is verbose, presumable to avoid caching the exception trace. However, the trace and the verbose information is only added if the error level is verbose and the user has access to the site reports. If the latter is not the case the cache max age is still set to 0 for (as far as I can tell) no reason.
Note that currently the cache max age does not bubble correctly to the page cache (not only, but also) for 404 or 403 responses, see #2352009: Bubbling of elements' max-age to the page's headers and the page cache.
Steps to reproduce
Access the JSON:API resource of an entity that references an entity that the user does not have access to with a user that does not have the access site reports permission and inspect the X-Drupal-Cache-Max-Age debug cache header. It will be 0, but it should be -1.
Proposed resolution
Only set the cache max age to 0 if the user has the access site reports permission.
Remaining tasks
User interface changes
-
Introduced terminology
-
API changes
-
Data model changes
-
Release notes snippet
Issue fork drupal-3555974
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
- 3555974-jsonapi-exception-cache-max-age
changes, plain diff MR !13672
Comments
Comment #3
tstoecklerCreated an MR with a fix
Comment #4
bbralaThis looks goodf and makes sense. Only thing i might be sligtly worries about is the increase in variation on the cache because of user.permissions. But I think it should be fine.
Comment #5
bbralaComment #6
longwaveAgree this makes sense, had the same concern as #4 when I read the changes but I think given this is for an error condition that it is acceptable.
Backported to 11.3.x as an eligible bug fix. This could go to 10.6.x as well but the patch doesn't apply, so leaving that for now.
Committed and pushed e1e87688c70 to 11.x and 3624059ee55 to 11.3.x. Thanks!