Version 1

[yaffs-website] / web / core / modules / basic_auth / src / PageCache / DisallowBasicAuthRequests.php

diff --git a/web/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php b/web/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php
new file mode 100644 (file)
index 0000000..e841469
--- /dev/null
+++ b/web/core/modules/basic_auth/src/PageCache/DisallowBasicAuthRequests.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Drupal\basic_auth\PageCache;
+
+use Drupal\Core\PageCache\RequestPolicyInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Cache policy for pages served from basic auth.
+ *
+ * This policy disallows caching of requests that use basic_auth for security
+ * reasons. Otherwise responses for authenticated requests can get into the
+ * page cache and could be delivered to unprivileged users.
+ */
+class DisallowBasicAuthRequests implements RequestPolicyInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function check(Request $request) {
+    $username = $request->headers->get('PHP_AUTH_USER');
+    $password = $request->headers->get('PHP_AUTH_PW');
+    if (isset($username) && isset($password)) {
+      return self::DENY;
+    }
+  }
+
+}