Fixed #36560 -- Prevented UpdateCacheMiddleware from caching responses with Cache-Control 'no-cache' or 'no-store'.

2025-08-25 03:09:15 +00:00 · 2025-08-19 15:40:37 +08:00 · 2025-08-19 15:40:37 +08:00 · ed7c1a5640
commit ed7c1a5640
parent d3cf24e9b4
2 changed files with 26 additions and 12 deletions
--- a/django/middleware/cache.py
+++ b/django/middleware/cache.py
@ -100,8 +100,17 @@ class UpdateCacheMiddleware(MiddlewareMixin):
        ):
            return response

-        # Don't cache a response with 'Cache-Control: private'
-        if "private" in response.get("Cache-Control", ()):
+        # Don't cache responses when the Cache-Control header is set to
+        # private, no-cache, or no-store.
+        cache_control = response.get("Cache-Control", ())
+        if any(
+            directive in cache_control
+            for directive in (
+                "private",
+                "no-cache",
+                "no-store",
+            )
+        ):
            return response

        # Page timeout takes precedence over the "max-age" and the default
--- a/tests/cache/tests.py
+++ b/tests/cache/tests.py
@ -2731,16 +2731,21 @@ class CacheMiddlewareTest(SimpleTestCase):
                )
            cache.clear()

-    def test_cached_control_private_not_cached(self):
-        """Responses with 'Cache-Control: private' are not cached."""
-        view_with_private_cache = cache_page(3)(
-            cache_control(private=True)(hello_world_view)
-        )
-        request = self.factory.get("/view/")
-        response = view_with_private_cache(request, "1")
-        self.assertEqual(response.content, b"Hello World 1")
-        response = view_with_private_cache(request, "2")
-        self.assertEqual(response.content, b"Hello World 2")
+    def test_cache_control_not_cached(self):
+        """
+        Responses with 'Cache-Control: private/no-cache/no-store' are
+        not cached.
+        """
+        for cc in ("private", "no-cache", "no-store"):
+            with self.subTest(cache_control=cc):
+                view_with_cache = cache_page(3)(
+                    cache_control(**{cc: True})(hello_world_view)
+                )
+                request = self.factory.get("/view/")
+                response = view_with_cache(request, "1")
+                self.assertEqual(response.content, b"Hello World 1")
+                response = view_with_cache(request, "2")
+                self.assertEqual(response.content, b"Hello World 2")

    def test_sensitive_cookie_not_cached(self):
        """