[TYPO3-commerce] SVN version of commerce disables page cache completely

Dmitry Dulepov [typo3] dmitry at typo3.org
Thu Oct 11 09:46:33 CEST 2007


Hi!

Ingo Schmitt wrote:
> Yes, it was already discussed in the list and I don't really have a 
> solution that will work for me. If you look in the Code, the 

Easiest solution would be USER_INT. At the moment if there are 20 USER objects on the page, they all will have to render. All GIFBUILDER images too, all menus, everything, all the time.

> $TSFE->set_no_cache() is only called, if someone tries to display a 
> product which is not under your starting point of your commerce plugin. 

I am afraid this is not so. It appears that set_no_cache() is always called. At least in SVN version. I have a page with product list. Absolutely normal legal page. I click on the link that leads to this page from the news record. I see set_no_cache() called every time. Here is the code:

if (!$this->conf['singleProduct']) {
	if (is_array($categorySubproducts)) {
		if (!in_array($this->piVars['showUid'], $categorySubproducts)) {
			$categoryAllSubproducts = $this->category->getAllProducts(9999999999);
			if (!in_array($this->piVars['showUid'], $categoryAllSubproducts)) {
				// showUid is not among this category's products: fall back to list view
				$this->handle = 'listView';
				$this->piVars['showUid'] = false;
				$GLOBALS['TSFE']->set_no_cache();
			}
		}
	}
}

I have no singleProduct. I have no tx_commerce_pi1[showUid] as it is list view. So set_no_cache() is executed and it happens every time for list view. Later:

if ($this->piVars['catUid']) {
	/**
	 * Validate given CAT UID, if is below master_cat
	 **/
	$this->masterCategoryObj = t3lib_div::makeinstance('tx_commerce_category');
	$this->masterCategoryObj->init($this->master_cat, $GLOBALS['TSFE']->tmpl->setup['config.']['sys_language_uid']);
	$this->masterCategoryObj->load_data();
	$masterCategorySubCategories = $this->masterCategoryObj->get_rec_child_categories_uidlist();

	if (in_array($this->piVars['catUid'], $masterCategorySubCategories)) {
		$this->cat = (int)$this->piVars['catUid'];
	} else {
		/**
		 * Wrong UID, so start with default UID
		 **/
		$this->cat = (int)$this->master_cat;
		$GLOBALS['TSFE']->set_no_cache();
	}
}

I do not have tx_commerce_pi1[catUid] in the URL when I click on the page. And I have no categories selected in pi1 plugin at all. It allowed me to save pi1 instance without selecting categories, so it is valid configuration. If categories are required, pi1 must have warned me.

I added link to page in RTE and I want to show the whole product list on a page. I get set_no_cache(). Why? I am not faking anything, I am doing perfectly legal thing: displaying full product list.

> So, I think he or she tries to fake product ids or categories ids, which 
> might not be correct or try to hack the extension. This was the case in 
> one of our installations.

Then show a message about bad user behavior! You should not try to recover from this but stop the attacker right away! See how Amazon does it.

> So I think, normally these code parts won't be executed anyway, and if 
> it executed, it's totally correct to set no_cache to be sure to display 
> the right content and to be sure that it's not cached or indexed.

No, it is incorrect to use set_no_cache() from extensions because it prevents caching of all other objects too. Use pi_checkChash or make your extension USER_INT. But do not force other extensions to render if you think something is wrong! Commerce is only one piece, it cannot dictate to everyone that they must not be cached! It is not the key thing in the system to force others to abort caching.

> Do you have another solution for my problem above? I'm willing to 
> change it, but currently I don't have a better solution.

Use pi_checkChash, it is specially designed to solve this kind of problem. Display an error message instead of normal output if you think the user tries to fake something. Since the cHash check will fail, caching will be disabled automatically by core and no one else will see the error.

> We do want to improve commerce. And I personally like some feedback 
> about our code and please do share the things you are discovering with 
> us. But maybe not so strong the next time, or just skype me, I maybe 
> could help you with your problems in the code faster...

Ok. I just got really frustrated by those set_no_cache(). They really kill performance. And I see them actually *added* in SVN.

These are actually not *my* problems in the code ;) I am trying only to point out that that code must not be there at all.

-- 
Dmitry Dulepov
TYPO3 freelancer / TYPO3 core team member
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
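
The approach argued for in this message, as an added example that is not part of the original post or of the commerce extension: a simplified, stand-alone PHP model of a per-request cHash check that answers tampered parameters with an error while the plain list view stays cacheable. The HMAC construction, the names `demo_chash` and `handle_request`, the key and the sample UIDs are assumptions made for illustration, not TYPO3's actual algorithm or API.

```php
<?php
// Simplified stand-in for the core's cHash check; not TYPO3's actual algorithm.
const ENCRYPTION_KEY = 'constructed-demo-key'; // constructed secret, illustration only

// Keyed hash over the cache-relevant plugin parameters, in a stable order.
function demo_chash(array $piVars): string {
    ksort($piVars);
    return substr(hash_hmac('sha256', http_build_query($piVars), ENCRYPTION_KEY), 0, 16);
}

// Decide what one request renders and whether that one response may be cached.
// $allowedCats models the category UIDs below the plugin's master category.
function handle_request(array $piVars, ?string $cHash, array $allowedCats, int $masterCat): array {
    if ($piVars === []) {
        // Plain list view without parameters: a normal request, keep it cacheable.
        return ['cat' => $masterCat, 'cacheable' => true, 'error' => null];
    }
    if ($cHash === null || !hash_equals(demo_chash($piVars), $cHash)) {
        // Parameters did not come from the site's own link generation:
        // show an error and leave only this response uncached.
        return ['cat' => null, 'cacheable' => false, 'error' => 'Invalid request parameters'];
    }
    $cat = (int)($piVars['catUid'] ?? $masterCat);
    if (!in_array($cat, $allowedCats, true)) {
        return ['cat' => null, 'cacheable' => false, 'error' => 'Unknown category'];
    }
    return ['cat' => $cat, 'cacheable' => true, 'error' => null];
}

// Constructed sample requests.
$allowed = [10, 11, 12];
$good = ['catUid' => '11'];
$requests = [
    'plain list view' => [[], null],
    'generated link'  => [$good, demo_chash($good)],
    'edited catUid'   => [['catUid' => '99'], demo_chash($good)],
    'missing cHash'   => [['catUid' => '12'], null],
];
foreach ($requests as $label => [$vars, $hash]) {
    $r = handle_request($vars, $hash, $allowed, 10);
    printf("%-16s cacheable=%s error=%s\n", $label, var_export($r['cacheable'], true), $r['error'] ?? '-');
}
```

Only the two requests whose parameters fail the hash check come back with `cacheable=false`; the decision is returned per request instead of being written to page-wide state, so other content on the page is unaffected.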
