Remove security problem with returning last-modified headers when logged in

git-svn-id: http://scm.dspace.org/svn/repo/trunk@2769 9c30dcfa-912a-0410-8fc2-9e0234be79fd

dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/DSpaceObjectServlet.java

@@ -73,17 +73,28 @@ public class DSpaceObjectServlet extends DSpaceServlet
         {
             Item item = (Item) dso;
 
-            response.setDateHeader("Last-Modified", item
+            // Only use last-modified if this is an anonymous access
-                    .getLastModified().getTime());
+            // - caching content that may be generated under authorisation
-
+            //   is a security problem
-            // Check for if-modified-since header
+            if (context.getCurrentUser() == null)
-            long modSince = request.getDateHeader("If-Modified-Since");
-
-            if (modSince != -1 && item.getLastModified().getTime() < modSince)
             {
-                // Item has not been modified since requested date,
+                response.setDateHeader("Last-Modified", item
-                // hence bitstream has not; return 304
+                        .getLastModified().getTime());
-                response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+
+                // Check for if-modified-since header
+                long modSince = request.getDateHeader("If-Modified-Since");
+
+                if (modSince != -1 && item.getLastModified().getTime() < modSince)
+                {
+                    // Item has not been modified since requested date,
+                    // hence bitstream has not; return 304
+                    response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+                }
+                else
+                {
+                    // Display the item page
+                    displayItem(context, request, response, item);
+                }
             }
             else
             {