Only cache public attachments in the browser and CDNs.

The browser might overrule it anyway, if it's really obvious that it should be cached.
This is mainly so Cloudflare, etc. don't serve sensitive documents to guests.

common/thaw.go

@@ -1,7 +1,6 @@
 package common
 
 import (
-	"sync"
 	"sync/atomic"
 )
 
@@ -41,7 +40,6 @@ func (thaw *SingleServerThaw) Thaw() {
 
 type DefaultThaw struct {
 	thawed int64
-	sync.Mutex
 }
 
 func NewDefaultThaw() *DefaultThaw {
@@ -52,8 +50,6 @@ func NewDefaultThaw() *DefaultThaw {
 
 // Decrement the thawed counter once a second until it goes cold
 func (thaw *DefaultThaw) Tick() error {
-	thaw.Lock()
-	defer thaw.Unlock()
 	prior := thaw.thawed
 	if prior > 0 {
 		atomic.StoreInt64(&thaw.thawed, prior-1)

routes/misc.go

@@ -140,6 +140,21 @@ func ShowAttachment(w http.ResponseWriter, r *http.Request, user common.User, fi
 		return common.LocalError("Unknown origin", w, r, user)
 	}
 
+	if !user.Loggedin {
+		w.Header().Set("Cache-Control", "max-age="+strconv.Itoa(int(common.Year)))
+	} else {
+		guest := common.GuestUser
+		_, ferr := common.SimpleForumUserCheck(w, r, &guest, sectionID)
+		if ferr != nil {
+			return ferr
+		}
+		if guest.Perms.ViewTopic {
+			w.Header().Set("Cache-Control", "max-age="+strconv.Itoa(int(common.Year)))
+		} else {
+			w.Header().Set("Cache-Control", "private")
+		}
+	}
+
 	// TODO: Fix the problem where non-existent files aren't greeted with custom 404s on ServeFile()'s side
 	http.ServeFile(w, r, "./attachs/"+filename)
 	return nil