Skip to content

fix: add record files restriction option to enable cache-control header#3324

Open
tmorrell wants to merge 1 commit intoinveniosoftware:masterfrom
caltechlibrary:cache-control
Open

fix: add record files restriction option to enable cache-control header#3324
tmorrell wants to merge 1 commit intoinveniosoftware:masterfrom
caltechlibrary:cache-control

Conversation

@tmorrell
Copy link
Contributor

@tmorrell tmorrell commented Feb 8, 2026

❤️ Thank you for your contribution!

Description

InvenioRDM doesn't currently add cache-control headers to file links, which can result in weird behavior if a cache is put in front of the repo. This is because the cache-control headers are only added by default for non-restricted files (which makes sense) https://github.com/inveniosoftware/invenio-files-rest/blob/616dc34c38006433653211feb5a9e523b0d399e7/invenio_files_rest/helpers.py#L182. But because InvenioRDM doesn't pass this option, the cache-control headers are never added.

This should be reviewed carefully to make sure it doesn't have security implications.

Checklist

Ticks in all boxes and 🟢 on all GitHub actions status checks are required to merge:

Reminder

By using GitHub, you have already agreed to the GitHub’s Terms of Service including that:

  1. You license your contribution under the same terms as the current repository’s license.
  2. You agree that you have the right to license your contribution under the current repository’s license.

@tmorrell tmorrell mentioned this pull request Feb 8, 2026
Open
7 tasks
zzacharo
zzacharo reviewed Feb 9, 2026
View reviewed changes
invenio_app_rdm/records_ui/views/records.py Outdated
emitter(current_app, record=file_item._record, obj=obj, via_api=False)

return file_item.send_file(as_attachment=download)
return file_item.send_file(as_attachment=download, restricted=False)
Copy link
Member

@zzacharo zzacharo Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldt that be assigned to the record resrtiction?

Copy link
Member

@egabancho egabancho Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 By setting restricted=False, we are making send_stream to set the Cache-Control also to public here.

According to MDM

You should add the private directive for user-personalized content, especially for responses received after login and for sessions managed via cookies.

Maybe a good alternative would be to set restricted to the actual record/file restrictions, and then update send_stream/redirect_stream to set Cache-Control to public or private, respectively.

What do y'all think?

egabancho
egabancho approved these changes Feb 10, 2026
View reviewed changes
Copy link
Member

@egabancho egabancho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About the changes required on Invenio-Files-Rest and Invenio-S3, we should check inveniosoftware/invenio-files-rest#283. There was some discussion there about using no-cache instead of private.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@egabancho egabancho egabancho approved these changes

@zzacharo zzacharo zzacharo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tmorrell @egabancho @zzacharo