diff options
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/application_controller.rb | 17 | ||||
-rw-r--r-- | app/controllers/sessions_controller.rb | 2 |
2 files changed, 3 insertions, 16 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3af1afab06e..976a9fa5038 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -66,10 +66,6 @@ class ApplicationController < ActionController::Base :manifest_import_enabled?, :phabricator_import_enabled?, :masked_page_url - # Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security - # concerns due to caching private data. - DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store" - def self.endpoint_id_for_action(action_name) "#{self.name}##{action_name}" end @@ -283,10 +279,7 @@ class ApplicationController < ActionController::Base end def default_cache_headers - if current_user - headers['Cache-Control'] = default_cache_control - headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility - end + headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility end def stream_csv_headers(csv_filename) @@ -297,14 +290,6 @@ class ApplicationController < ActionController::Base headers['Content-Disposition'] = "attachment; filename=\"#{csv_filename}\"" end - def default_cache_control - if request.xhr? - ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL - else - DEFAULT_GITLAB_CACHE_CONTROL - end - end - def validate_user_service_ticket! return unless signed_in? && session[:service_tickets] diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index bbd7e5d5725..0d8e44656a9 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -84,6 +84,8 @@ class SessionsController < Devise::SessionsController end def destroy + headers['Clear-Site-Data'] = '"*"' + Gitlab::AppLogger.info("User Logout: username=#{current_user.username} ip=#{request.remote_ip}") super # hide the signed_out notice |