REST API: Core typically sends nocache headers on all auth'ed responses, as in wp, admin-ajax, etc. Because the REST API infrastructure is hooked in pre-wp, we should be setting this ourselves.

Adds unit tests. Props joehoyle. Fixes #34832. git-svn-id: https://develop.svn.wordpress.org/trunk@35773 602fd350-edb4-49c9-b593-d223f7449a82
2025-10-16 12:05:38 +00:00 · 2015-12-04 23:35:54 +00:00 · 2015-12-04 23:35:54 +00:00 · f89c25a43d
commit f89c25a43d
parent a1f89f4e86
3 changed files with 56 additions and 0 deletions
--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@ -236,6 +236,20 @@ class WP_REST_Server {
 		$this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
 		$this->send_header( 'Access-Control-Allow-Headers', 'Authorization' );

+		/**
+		 * Send nocache headers on authenticated requests.
+		 *
+		 * @since 4.4.0
+		 *
+		 * @param bool $rest_send_nocache_headers Whether to send no-cache headers.
+		 */
+		$send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
+		if ( $send_no_cache_headers ) {
+			foreach ( wp_get_nocache_headers() as $header => $header_value ) {
+				$this->send_header( $header, $header_value );
+			}
+		}
+
 		/**
 		 * Filter whether the REST API is enabled.
 		 *
--- a/tests/phpunit/includes/spy-rest-server.php
+++ b/tests/phpunit/includes/spy-rest-server.php
@ -1,6 +1,10 @@
 <?php

 class Spy_REST_Server extends WP_REST_Server {
+
+	public $sent_headers = array();
+	public $sent_body = '';
+
 	/**
 	 * Get the raw $endpoints data from the server
 	 *
@ -20,4 +24,16 @@ class Spy_REST_Server extends WP_REST_Server {
 	public function __call( $method, $args ) {
 		return call_user_func_array( array( $this, $method ), $args );
 	}
+
+	public function send_header( $header, $value ) {
+		$this->sent_headers[ $header ] = $value;
+	}
+
+	public function serve_request( $path = null ) {
+
+		ob_start();
+		$result = parent::serve_request( $path );
+		$this->sent_body = ob_get_clean();
+		return $result;
+	}
 }
--- a/tests/phpunit/tests/rest-api/rest-server.php
+++ b/tests/phpunit/tests/rest-api/rest-server.php
@ -619,4 +619,30 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
 		$this->assertContains( 'test/example', $namespaces );
 		$this->assertContains( 'test/another', $namespaces );
 	}
+
+	public function test_nocache_headers_on_authenticated_requests() {
+		$editor = self::factory()->user->create( array( 'role' => 'editor' ) );
+		$request = new WP_REST_Request( 'GET', '/', array() );
+		wp_set_current_user( $editor );
+
+		$result = $this->server->serve_request('/');
+		$headers = $this->server->sent_headers;
+
+		foreach ( wp_get_nocache_headers() as $header => $value ) {
+			$this->assertTrue( isset( $headers[ $header ] ), sprintf( 'Header %s is not present in the response.', $header ) );
+			$this->assertEquals( $value, $headers[ $header ] );
+		}
+	}
+
+	public function test_no_nocache_headers_on_unauthenticated_requests() {
+		$editor = self::factory()->user->create( array( 'role' => 'editor' ) );
+		$request = new WP_REST_Request( 'GET', '/', array() );
+
+		$result = $this->server->serve_request('/');
+		$headers = $this->server->sent_headers;
+
+		foreach ( wp_get_nocache_headers() as $header => $value ) {
+			$this->assertFalse( isset( $headers[ $header ] ) && $headers[ $header ] === $value, sprintf( 'Header %s is set to nocache.', $header ) );
+		}
+	}
 }