Set cache headers only when anonymous (fixes #449)

cliquet/resource/__init__.py

@@ -609,7 +609,8 @@ def _add_cache_header(self, response):
         resource_name = self.context.resource_name if self.context else ''
         setting_key = '%s_cache_expires_seconds' % resource_name
         collection_expires = self.request.registry.settings.get(setting_key)
-        if collection_expires is not None:
+        is_anonymous = self.request.prefixed_userid is None
+        if collection_expires is not None and is_anonymous:
             response.cache_expires(seconds=int(collection_expires))
 
     def _raise_400_if_invalid_id(self, record_id):

cliquet/tests/resource/test_cache_expires.py

@@ -9,6 +9,11 @@ def get_context(self):
         context.resource_name = 'test'
         return context
 
+    def get_request(self):
+        request = super(CacheExpires, self).get_request()
+        request.prefixed_userid = None  # Anonymous.
+        return request
+
     def test_no_cache_expires_by_default(self):
         settings = self.resource.request.registry.settings
         settings.pop(self.setting, None)

cliquet/tests/resource/test_views.py

@@ -596,17 +596,28 @@ def test_409_error_gives_detail_about_field_and_record(self):
 
 
 class CacheControlTest(BaseWebTest, unittest.TestCase):
-    def test_cache_control_headers_are_set(self):
-        with mock.patch.dict(self.app.app.registry.settings,
-                             [('_cache_expires_seconds', 3600)]):
-            resp = self.app.get(self.collection_url, headers=self.headers)
+    collection_url = '/toadstools'
+
+    def get_app_settings(self, extras=None):
+        settings = super(CacheControlTest, self).get_app_settings(extras)
+        settings['toadstool_cache_expires_seconds'] = 3600
+        settings['psilo_cache_expires_seconds'] = 0
+        settings['toadstool_read_principals'] = 'system.Everyone'
+        return settings
+
+    def test_cache_control_headers_are_set_if_anonymous(self):
+        resp = self.app.get(self.collection_url)
         self.assertIn('Expires', resp.headers)
         self.assertIn('Cache-Control', resp.headers)
 
+    def test_cache_control_headers_are_not_set_if_authenticated(self):
+        resp = self.app.get(self.collection_url, headers=self.headers)
+        # XXX: See other PR #522 - merge test here.
+        self.assertNotIn('Expires', resp.headers)
+        self.assertNotIn('Cache-Control', resp.headers)
+
     def test_cache_control_headers_set_no_cache_if_zero(self):
-        with mock.patch.dict(self.app.app.registry.settings,
-                             [('_cache_expires_seconds', 0)]):
-            resp = self.app.get(self.collection_url, headers=self.headers)
+        resp = self.app.get('/psilos')
         self.assertIn('Expires', resp.headers)
         self.assertIn('Cache-Control', resp.headers)
         self.assertIn('Pragma', resp.headers)

cliquet/tests/support.py

@@ -12,7 +12,7 @@
 
 from cornice import errors as cornice_errors
 from pyramid.url import parse_url_overrides
-from pyramid.security import IAuthorizationPolicy, Authenticated
+from pyramid.security import IAuthorizationPolicy, Authenticated, Everyone
 from zope.interface import implementer
 
 from cliquet import DEFAULT_SETTINGS
@@ -164,6 +164,8 @@ class AllowAuthorizationPolicy(object):
     def permits(self, context, principals, permission):
         if permission == PRIVATE:
             return Authenticated in principals
+        if Everyone in principals:
+            return True
         # Cliquet default authz policy uses prefixed_userid.
         prefixed = [getattr(context, 'prefixed_userid', None)]
         return USER_PRINCIPAL in (principals + prefixed)