From 864d91ed3e24ba4ccdb21ca46591e52cfe78ae99 Mon Sep 17 00:00:00 2001
From: Ezequiel Victorero <ezequiel.victorero@grafana.com>
Date: Mon, 18 Dec 2023 09:21:57 -0300
Subject: [PATCH] Export: Remove no-store headers in pdf and image previews
 (#78844)

---
 pkg/api/render.go                 |  1 +
 pkg/middleware/middleware.go      |  4 +++-
 pkg/middleware/middleware_test.go | 16 ++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/pkg/api/render.go b/pkg/api/render.go
index eb895d3bfa6..6a9811b0fd6 100644
--- a/pkg/api/render.go
+++ b/pkg/api/render.go
@@ -89,5 +89,6 @@ func (hs *HTTPServer) RenderToPng(c *contextmodel.ReqContext) {
 	}
 
 	c.Resp.Header().Set("Content-Type", "image/png")
+	c.Resp.Header().Set("Cache-Control", "private")
 	http.ServeFile(c.Resp, c.Req, result.FilePath)
 }
diff --git a/pkg/middleware/middleware.go b/pkg/middleware/middleware.go
index f87ce728394..074139c493e 100644
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -49,7 +49,9 @@ func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {
 			resourceCachable := resourceURLMatch && allowCacheControl(c.Resp)
 			if !strings.HasPrefix(c.Req.URL.Path, "/public/plugins/") &&
 				!strings.HasPrefix(c.Req.URL.Path, "/avatar/") &&
-				!strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") && !resourceCachable {
+				!strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") &&
+				!strings.HasPrefix(c.Req.URL.Path, "/api/reports/render/") &&
+				!strings.HasPrefix(c.Req.URL.Path, "/render/d-solo/") && !resourceCachable {
 				addNoCacheHeaders(c.Resp)
 			}
 
diff --git a/pkg/middleware/middleware_test.go b/pkg/middleware/middleware_test.go
index 6499c215071..3842f6d519d 100644
--- a/pkg/middleware/middleware_test.go
+++ b/pkg/middleware/middleware_test.go
@@ -190,6 +190,22 @@ func TestMiddlewareContext(t *testing.T) {
 			"X-Other-Header":  "other-test",
 		}
 	})
+
+	middlewareScenario(t, "middleware should not add Cache-Control header for requests to render pdf", func(
+		t *testing.T, sc *scenarioContext) {
+		sc.fakeReq("GET", "/api/reports/render/pdf/").exec()
+		assert.Empty(t, sc.resp.Header().Get("Cache-Control"))
+		assert.Empty(t, sc.resp.Header().Get("Pragma"))
+		assert.Empty(t, sc.resp.Header().Get("Expires"))
+	})
+
+	middlewareScenario(t, "middleware should not add Cache-Control header for requests to render panel as image", func(
+		t *testing.T, sc *scenarioContext) {
+		sc.fakeReq("GET", "/render/d-solo/").exec()
+		assert.Empty(t, sc.resp.Header().Get("Cache-Control"))
+		assert.Empty(t, sc.resp.Header().Get("Pragma"))
+		assert.Empty(t, sc.resp.Header().Get("Expires"))
+	})
 }
 
 func middlewareScenario(t *testing.T, desc string, fn scenarioFunc, cbs ...func(*setting.Cfg)) {