@tmorrell tmorrell commented Feb 8, 2026

❤️ Thank you for your contribution!

Description

InvenioRDM doesn't currently add cache-control headers to file links, which can result in weird behavior if a cache is put in front of the repo. This is because the cache-control headers are only added by default for non-restricted files (which makes sense) https://github.com/inveniosoftware/invenio-files-rest/blob/616dc34c38006433653211feb5a9e523b0d399e7/invenio_files_rest/helpers.py#L182. But because InvenioRDM doesn't pass this option, the cache-control headers are never added.

This should be reviewed carefully to make sure it doesn't have security implications.

Checklist

Ticks in all boxes and 🟢 on all GitHub actions status checks are required to merge:

Reminder

By using GitHub, you have already agreed to the GitHub’s Terms of Service including that:

  1. You license your contribution under the same terms as the current repository’s license.
  2. You agree that you have the right to license your contribution under the current repository’s license.

emitter(current_app, record=file_item._record, obj=obj, via_api=False)

return file_item.send_file(as_attachment=download)
return file_item.send_file(as_attachment=download, restricted=False)
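
Review bot: `restricted=False` in the new `send_file(as_attachment=download, restricted=False)` call is a literal, so this view would declare every file non-restricted no matter what access the record behind `file_item._record` has. The PR description says this flag gates the cache-control headers that are meant for non-restricted files, so a restricted file served here would get the same headers as an open one. Suggest passing a value computed from the record's or file's access state instead of the constant, and adding a test that covers a restricted record.
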
Member

Shouldn't that be assigned to the record restriction?

Member

🤔 By setting restricted=False, we are also making send_stream set Cache-Control to public here.

According to MDN:

> You should add the private directive for user-personalized content, especially for responses received after login and for sessions managed via cookies.

Maybe a good alternative would be to set restricted to the actual record/file restrictions, and then update send_stream/redirect_stream to set Cache-Control to public or private, respectively.

What do y'all think?

Member

@egabancho egabancho left a comment

About the changes required on Invenio-Files-Rest and Invenio-S3, we should check inveniosoftware/invenio-files-rest#283. There was some discussion there about using no-cache instead of private.
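
The concern raised in this thread, as an added example that is not part of the PR or of any Invenio package: a toy shared cache in front of a file endpoint, comparing a hard-coded `public` header with one derived from the file's restriction. Every class, function, path and user name below is hypothetical, and the `max-age` value is arbitrary.

```python
# Added illustration only: a simplified shared cache (CDN / reverse proxy)
# in front of a file endpoint. None of these names are Invenio APIs.

def cache_control_for(restricted: bool) -> str:
    """Policy suggested in the review: public only for open files."""
    return "private" if restricted else "public, max-age=3600"

def hard_coded_public(restricted: bool) -> str:
    """What a constant restricted=False amounts to, per the review comment."""
    return "public, max-age=3600"

class Origin:
    """File endpoint: enforces access first, then labels the response."""
    def __init__(self, files, policy):
        self.files = files    # path -> (body, restricted, allowed_users)
        self.policy = policy  # callable: restricted -> Cache-Control value

    def get(self, path, user):
        body, restricted, allowed = self.files[path]
        if restricted and user not in allowed:
            return 403, {}, b""
        return 200, {"Cache-Control": self.policy(restricted)}, body

class SharedCache:
    """Stores 200 responses marked public, keyed by path alone."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def get(self, path, user):
        if path in self.store:  # hit: the origin's access check never runs
            return 200, self.store[path]
        status, headers, body = self.origin.get(path, user)
        raw = headers.get("Cache-Control", "")
        directives = {d.strip().split("=")[0] for d in raw.split(",")}
        if status == 200 and "public" in directives \
                and not directives & {"private", "no-store"}:
            self.store[path] = body
        return status, body

def second_user_status(policy):
    """alice (authorized) fetches first; bob (not authorized) asks next."""
    path = "/records/1/files/data.csv"           # constructed sample path
    files = {path: (b"secret", True, {"alice"})}  # constructed restricted file
    cache = SharedCache(Origin(files, policy))
    cache.get(path, "alice")
    return cache.get(path, "bob")[0]
```

With `hard_coded_public` the second request is answered from the cache with 200; with `cache_control_for` it reaches the origin and gets 403.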
