Remove security problem with returning last-modified headers when logged in

git-svn-id: http://scm.dspace.org/svn/repo/branches/dspace-1_5_x@2768 9c30dcfa-912a-0410-8fc2-9e0234be79fd

dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/BitstreamServlet.java

@@ -205,20 +205,26 @@ public class BitstreamServlet extends DSpaceServlet
                 "bitstream_id=" + bitstream.getID()));
 
         // Modification date
-        // TODO: Currently the date of the item, since we don't have dates
-        // for files
-        response.setDateHeader("Last-Modified", item.getLastModified()
-                .getTime());
-        
-        // Check for if-modified-since header
-        long modSince = request.getDateHeader("If-Modified-Since");
-
-        if (modSince != -1 && item.getLastModified().getTime() < modSince)
+        // Only use last-modified if this is an anonymous access
+        // - caching content that may be generated under authorisation
+        //   is a security problem
+        if (context.getCurrentUser() == null)
         {
-            // Item has not been modified since requested date,
-            // hence bitstream has not; return 304
-            response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
-            return;
+            // TODO: Currently the date of the item, since we don't have dates
+            // for files
+            response.setDateHeader("Last-Modified", item.getLastModified()
+                    .getTime());
+
+            // Check for if-modified-since header
+            long modSince = request.getDateHeader("If-Modified-Since");
+
+            if (modSince != -1 && item.getLastModified().getTime() < modSince)
+            {
+                // Item has not been modified since requested date,
+                // hence bitstream has not; return 304
+                response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+                return;
+            }
         }
         
         // Pipe the bits

dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/HandleServlet.java

@@ -156,18 +156,29 @@ public class HandleServlet extends DSpaceServlet
         if (dso.getType() == Constants.ITEM)
         {
             Item item = (Item) dso;
-            
-            response.setDateHeader("Last-Modified", item
-                    .getLastModified().getTime());
-            
-            // Check for if-modified-since header
-            long modSince = request.getDateHeader("If-Modified-Since");
 
-            if (modSince != -1 && item.getLastModified().getTime() < modSince)
+            // Only use last-modified if this is an anonymous access
+            // - caching content that may be generated under authorisation
+            //   is a security problem
+            if (context.getCurrentUser() == null)
             {
-                // Item has not been modified since requested date,
-                // hence bitstream has not; return 304
-                response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+                response.setDateHeader("Last-Modified", item
+                        .getLastModified().getTime());
+
+                // Check for if-modified-since header
+                long modSince = request.getDateHeader("If-Modified-Since");
+
+                if (modSince != -1 && item.getLastModified().getTime() < modSince)
+                {
+                    // Item has not been modified since requested date,
+                    // hence bitstream has not; return 304
+                    response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+                }
+                else
+                {
+                    // Display the item page
+                    displayItem(context, request, response, item, handle);
+                }
             }
             else
             {