From 352a262866bcb676706d549012015b8ab701dc8f Mon Sep 17 00:00:00 2001
From: Azareal
Date: Tue, 20 Nov 2018 14:00:32 +1000
Subject: [PATCH] Only cache public attachments in the browser and CDNs. The browser might overrule it anyway, if it's really obvious that it should be cached. This is mainly so Cloudflare, etc. don't serve sensitive documents to guests.
---
 common/thaw.go | 4 ----
 routes/misc.go | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/common/thaw.go b/common/thaw.go
index 23c05b5b..635c8d5e 100644
--- a/common/thaw.go
+++ b/common/thaw.go
@@ -1,7 +1,6 @@
 package common
 import (
- "sync"
 "sync/atomic"
 )
@@ -41,7 +40,6 @@ func (thaw *SingleServerThaw) Thaw() {
 type DefaultThaw struct {
 thawed int64
- sync.Mutex
 }
 func NewDefaultThaw() *DefaultThaw {
@@ -52,8 +50,6 @@ func NewDefaultThaw() *DefaultThaw {
 // Decrement the thawed counter once a second until it goes cold
 func (thaw *DefaultThaw) Tick() error {
- thaw.Lock()
- defer thaw.Unlock()
 prior := thaw.thawed
 if prior > 0 {
 atomic.StoreInt64(&thaw.thawed, prior-1)
diff --git a/routes/misc.go b/routes/misc.go
index 2a0464f3..560abb28 100644
--- a/routes/misc.go
+++ b/routes/misc.go
@@ -140,6 +140,21 @@ func ShowAttachment(w http.ResponseWriter, r *http.Request, user common.User, fi
 return common.LocalError("Unknown origin", w, r, user)
 }
+ if !user.Loggedin {
+ w.Header().Set("Cache-Control", "max-age="+strconv.Itoa(int(common.Year)))
+ } else {
+ guest := common.GuestUser
+ _, ferr := common.SimpleForumUserCheck(w, r, &guest, sectionID)
+ if ferr != nil {
+ return ferr
+ }
+ if guest.Perms.ViewTopic {
+ w.Header().Set("Cache-Control", "max-age="+strconv.Itoa(int(common.Year)))
+ } else {
+ w.Header().Set("Cache-Control", "private")
+ }
+ }
+
 // TODO: Fix the problem where non-existent files aren't greeted with custom 404s on ServeFile()'s side
 http.ServeFile(w, r, "./attachs/"+filename)
 return nil
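Review bot: In common/thaw.go, `Tick()` now reads the counter with a plain `prior := thaw.thawed` and then writes it with `atomic.StoreInt64`, so with the mutex gone the decrement is an unsynchronised read-modify-write. A concurrent writer (presumably `Thaw()`, whose body is not visible here) can have its update overwritten, and mixing a plain read with atomic stores is a data race under the Go memory model. Read the value with `prior := atomic.LoadInt64(&thaw.thawed)`, and if a lost update matters, decrement with `atomic.CompareAndSwapInt64(&thaw.thawed, prior, prior-1)`. Tick's body continues past the end of the hunk.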
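Review bot: In routes/misc.go, both public branches set a one-year `max-age` from a permission snapshot taken at response time, so a CDN can keep serving the attachment to guests for up to a year after the forum is made private. Consider a much shorter shared-cache lifetime (an `s-maxage` well below the browser `max-age`) or purging the CDN when forum permissions change. The header is also set before `http.ServeFile`, so on Go versions where ServeFile does not strip it, the 404 for a missing file (the TODO just below) would carry the same lifetime. In the private branch, `private` alone still lets the browser store the file; if that is not wanted on shared machines, `w.Header().Set("Cache-Control", "private, no-store")` says so explicitly. The `!user.Loggedin` branch relies on an access check earlier in ShowAttachment, which starts and ends outside this hunk.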