- Issue created by @berdir
- @berdir opened merge request.
- 🇮🇱Israel jsacksick
The change looks ok to me, and the tests are passing. Tempted to commit this, but wondering if we should wait a bit until this has been running on production for a while.
- 🇮🇱Israel jsacksick
What if... (really hypothetical scenario), a customer temporarily cannot access the order (for example, the order is "locked" and then unlocked), would the 403 page be cached and the save wouldn't invalidate that cached page?
Also, I've always wondered whether we shouldn't force not caching the checkout pages.
- 🇨🇭Switzerland berdir Switzerland
Makes sense to wait a bit, I do plan to use this patch.
> What if... (really hypothetical scenario), a customer temporarily cannot access the order (for example, the order is "locked" and then unlocked), would the 403 page be cached and the save wouldn't invalidate that cached page?
For a regular Drupal site (excluding API/decoupled/... which is very different anyway), you always have a session. As soon as you have a session, pages are no longer cached externally or with internal page cache. The only thing that could possibly cache it is dynamic page cache.
Testing locally, dynamic page cache gives me a
x-drupal-dynamic-cache: UNCACHEABLE (poor cacheability)This is because the response object has user and session cache context. It is possible to configure this and cache stuff like this anyway but not recommended as you'd create a huge amount of cached pages that will likely never be used again.
If you access an existing page, then that page includes cache tags. For example, if I manually request a checkout URL for an existing order with a known ID without the necessary session as anonymous user, then I'm getting a 403 and that also can be cached in page cache. But that response contains the commerce_order:ID cache tag, so if the access denied is because of the order state, any change to that order will invalidate this 403 page. So that should all be fine.