Contrib.social

Admin features viewable logged out

Open on Drupal.org β†’
Created on 5 January 2024, 6 months ago

Great job on seamlessly setting up Varnish!

We're utilizing the default.vcl file with the settings shown in the attached screenshots, and everything is working smoothly.

However, we've encountered a minor issue related to admin actions. When an admin finishes editing and logs out, navigating to any page they modified still displays the admin features (admin menu, edit links, etc). A simple refresh resolves this, presenting the correct view without the admin elements. Additionally, attempting to click on any edit links leads to the expected "access denied" page.

We're curious if there's a way to address this behavior proactively. Is it possible to force the invalidation of all pages accessed by an admin while logged in, ensuring they display correctly when logged out?

Any assistance or guidance on this matter would be greatly appreciated!

πŸ“Œ Task
Status

Active

Version

4.0

Component

Documentation

Created by

πŸ‡ΊπŸ‡ΈUnited States glynster

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @glynster
  • Comment 6 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States glynster

    Here is some additional information:

    This issue occurs on macOSX with Chrome, Safari, and Arc. Interestingly, it does not manifest in Firefox. Firefox behaves as expected. I'm uncertain if this detail helps in identifying the underlying issue.

  • Comment 6 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States glynster

    Adding the following to the default.vcl resolves the issue:

    sub vcl_hash {

    # ... (existing code)

    /** If Bin is set - add it to hash data for this page */
    hash_data(req.http.X-Bin);

    return (lookup);
}

    # Respond to incoming requests.
sub vcl_recv {

    # ... (existing code)

 # Do not cache if the user is logged in as an admin.
    if (req.http.Cookie ~ "^(|.*; ?)S?SESS([a-z0-9]{32}=[^;]+)(;.*|)$" &&
        req.http.Cookie ~ "^(|.*; ?)ADVBIN=administrator(|;.*|)$") {
        set req.http.X-Bin = "role:administrator";
        set req.hash_always_miss = true; # Ensure a cache miss for admin requests
    }

  return (hash);
}

    We have tested this on Arc, Chrome, FireFox, and Safari and it works as expected.

    Perhaps we are doing something wrong initially. Would love some feedback!

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024