No permissions check before deciding to serve cached page

Description of Problem:
When you have full page caching turned on, it becomes impossible to edit a page unless you first clear the cache. Even then, on a site with high traffic, if someone visits the page after you clear the cache but before you start to edit it, it will be re-cached, again making it impossible to edit.

Problematic Code:
The checkPageCache() function of /src/Application/Application.php provides no check for user permissions before making the decision to serve the cached version of the page.

Recommendation:
I would recommend adding the following code to the checkPageCache() function:

    $library = PageCache::getLibrary();
    // Resolve the page for the requested path and check the current user's
    // permissions on it before any cached copy is considered.
    $c = Page::getByPath($request->getPathInfo());
    $cp = new \Permissions($c);
    if ($cp->canEditPageContents()) {
        // An editor never receives the cached copy: drop it and fall through
        // to normal rendering so the page can be edited.
        $library->purge($c);
        return false;
    }


This code checks to see if the current user can edit the page. If so, it clears the cache of that page and prevents the cached version of the page from being served.
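As an added example (not code from this report or from concrete5 itself), here is how the recommended permission check would sit inside a checkPageCache()-style function, placed ahead of the cache lookup so that the decision to serve a cached copy is made only for users who cannot edit the page. The calls taken from the recommendation above are PageCache::getLibrary(), Page::getByPath(), \Permissions, canEditPageContents() and purge(); the surrounding cache lookup (shouldCheckCache(), getRecord(), validate(), deliver()), the class imports, and the isError() guard are assumptions about the core API, not something this report states.

```php
<?php
// Added example, not concrete5's own code. Sketch of a checkPageCache()
// that consults page permissions before serving a cached page.
// Assumed (not on the page): the import paths below and the
// shouldCheckCache()/getRecord()/validate()/deliver() cache lookup.

use Concrete\Core\Cache\Page\PageCache;
use Concrete\Core\Cache\Page\PageCacheRecord;
use Concrete\Core\Http\Request;
use Concrete\Core\Page\Page;

function checkPageCacheWithPermissions(Request $request)
{
    $library = PageCache::getLibrary();

    // Resolve the page for this request path. getByPath() returns a page
    // object whose isError() is true when nothing matches; with no page
    // there is no permission to check, so the cache lookup runs as before.
    $c = Page::getByPath($request->getPathInfo());
    if ($c instanceof Page && !$c->isError()) {
        $cp = new \Permissions($c);
        if ($cp->canEditPageContents()) {
            // A user allowed to edit this page never gets the cached copy.
            // The cache entry is purged as the report recommends and the
            // request falls through to normal rendering.
            $library->purge($c);
            return false;
        }
    }

    // Everyone else takes the existing cache path (assumed structure).
    if ($library->shouldCheckCache($request)) {
        $record = $library->getRecord($request);
        if ($record instanceof PageCacheRecord && $record->validate($request)) {
            return $library->deliver($record);
        }
    }

    return false;
}
```

Two points worth keeping in mind when placing such a check: it must run after the session and current user have been initialised, since \Permissions resolves the user implicitly, and the purge() call means every page view by an editor also evicts the copy served to anonymous visitors; if that churn matters on a busy site, returning false without purging is enough to bypass the cache for the editor while leaving the cached copy in place for everyone else.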


Status: New
jgarcia

concrete5 Environment Information

# concrete5 Version
Core Version - 8.5.1
Version Installed - 8.5.1
Database Version - 20190301133300

# concrete5 Packages
Formify (3.3.2), Mississippi College (1.57)

# concrete5 Overrides
blocks/youtube/templates/right.php, blocks/youtube/templates, blocks/youtube, blocks/page_list/templates/news/view.php, blocks/page_list/templates/news, blocks/page_list/templates/faculty/view.php, blocks/page_list/templates/faculty/view.css, blocks/page_list/templates/faculty, blocks/page_list/templates/events/view.php, blocks/page_list/templates/events, blocks/page_list/templates/image/view.php, blocks/page_list/templates/image/view.css, blocks/page_list/templates/image, blocks/page_list/templates/landing/view.php, blocks/page_list/templates/landing, blocks/page_list/templates/degrees/view.php, blocks/page_list/templates/degrees/view.css, blocks/page_list/templates/degrees, blocks/page_list/templates/list/view.php, blocks/page_list/templates/list, blocks/page_list/templates/list_with_descriptions/view.php, blocks/page_list/templates/list_with_descriptions, blocks/page_list/templates/buttons/view.php, blocks/page_list/templates/buttons, blocks/page_list/templates, blocks/page_list/view.php, blocks/page_list, blocks/image/edit.php, blocks/image/icon.png, blocks/image/templates/left.php, blocks/image/templates/center.php, blocks/image/templates/right_portrait.php, blocks/image/templates/right.php, blocks/image/templates, blocks/image/composer.php, blocks/image/add.php, blocks/image/controller.php, blocks/image/view.js, blocks/image/controller_20190621.php, blocks/image/form.php, blocks/image/tools/composer_save.php, blocks/image/tools/crop_image.php, blocks/image/tools, blocks/image/view.php, blocks/image/db.xml, blocks/image, blocks/content/templates/aside.php, blocks/content/templates/callout.php, blocks/content/templates/clear.php, blocks/content/templates/notification.php, blocks/content/templates/button_center.php, blocks/content/templates/horizontal_line.php, blocks/content/templates/button.php, blocks/content/templates, blocks/content/controller.php, blocks/content, blocks/autonav/templates/main_nav.php, blocks/autonav/templates, 
blocks/autonav/tools/preview_pane.php, blocks/autonav/tools, blocks/autonav/view.php, blocks/autonav, controllers/page_types/course_list.php, controllers/page_types/landing.php, controllers/page_types/degree.php, controllers/page_types/home.php, controllers/page_types/page_list.php, controllers/page_types/article.php, controllers/page_types/event.php, controllers/page_types/faculty_list.php, controllers/page_types/base.php, controllers/page_types/news.php, controllers/page_types/page.php, controllers/page_types/custom.php, controllers/page_types, controllers/dump.php, controllers/dump copy.php, controllers/single_page/login.php, controllers/single_page/page_not_found.php, controllers/single_page/base.php, controllers/single_page, controllers/content.php, themes/framework.zip, themes/framework/css/style.css, themes/framework/css, themes/framework/default.php, themes/framework/home.php, themes/framework/page_theme.php, themes/framework/elements/header.php, themes/framework/elements/footer.php, themes/framework/elements, themes/framework/scss/templates/_full.scss, themes/framework/scss/templates/_home.scss, themes/framework/scss/templates, themes/framework/scss/theme/_header.scss, themes/framework/scss/theme/_main.scss, themes/framework/scss/theme/_base.scss, themes/framework/scss/theme/_footer.scss, themes/framework/scss/theme/default/_header.scss, themes/framework/scss/theme/default/_main.scss, themes/framework/scss/theme/default/_base.scss, themes/framework/scss/theme/default/_footer.scss, themes/framework/scss/theme/default, themes/framework/scss/theme, themes/framework/scss/core/_reset.scss, themes/framework/scss/core/_functions.scss, themes/framework/scss/core/_easing.scss, themes/framework/scss/core/_mixins.scss, themes/framework/scss/core/_social.scss, themes/framework/scss/core/_utilities.scss, themes/framework/scss/core/_grid.scss, themes/framework/scss/core, themes/framework/scss/elements/_navicon.scss, themes/framework/scss/elements/_buttons.scss, 
themes/framework/scss/elements/_lists.scss, themes/framework/scss/elements/_overlay.scss, themes/framework/scss/elements/default/_navicon.scss, themes/framework/scss/elements/default/_buttons.scss, themes/framework/scss/elements/default/_lists.scss, themes/framework/scss/elements/default/_overlay.scss, themes/framework/scss/elements/default/_typography.scss, themes/framework/scss/elements/default/_forms.scss, themes/framework/scss/elements/default/_tables.scss, themes/framework/scss/elements/default, themes/framework/scss/elements/_typography.scss, themes/framework/scss/elements/_forms.scss, themes/framework/scss/elements/_tables.scss, themes/framework/scss/elements, themes/framework/scss/blocks/_page-list.scss, themes/framework/scss/blocks/_youtube.scss, themes/framework/scss/blocks/_vimeo.scss, themes/framework/scss/blocks/_content.scss, themes/framework/scss/blocks/_autonav.scss, themes/framework/scss/blocks/_image.scss, themes/framework/scss/blocks, themes/framework/scss/_config.scss, themes/framework/scss/style.scss, themes/framework/scss/pages, themes/framework/scss, themes/framework/config.rb, themes/framework/images/logo.png, themes/framework/images/navicon.svg, themes/framework/images/navicon-on.svg, themes/framework/images, themes/framework/view.php, themes/framework/thumbnail.png, themes/framework/js/main.js, themes/framework/js/sub.js, themes/framework/js/plugins/jquery.onscreen.js, themes/framework/js/plugins/jquery.cycle.js, themes/framework/js/plugins/jquery.sticky.js, themes/framework/js/plugins, themes/framework/js/modernizr.js, themes/framework/js/home.js, themes/framework/js, themes/framework/cwatch.pid, themes/framework

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - On - If blocks on the particular page allow it.
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software
Apache/2.4.6 (CentOS)

# Server API
apache2handler

# PHP Version
7.0.33

# PHP Extensions
apache2handler, bcmath, bz2, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, json, ldap, libxml, mbstring, mcrypt, mysqli, mysqlnd, openssl, pcre, PDO, pdo_mysql, pdo_sqlite, Phar, posix, Reflection, session, shmop, SimpleXML, sockets, SPL, sqlite3, ssh2, standard, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, zlib

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 128M
post_max_size - 25M
sql.safe_mode - Off
upload_max_filesize - 25M
ldap.max_links - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
session.cache_limiter - no value
session.gc_maxlifetime - 7200

Browser User-Agent String

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36