From cc3ab141e576b46f28cf61a77fb1af895d14dbef Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 18 Nov 2022 21:06:53 +0100
Subject: [PATCH] policies: only cache policies for authenticated users

closes #4033

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/policies/process.py | 2 +-
 authentik/policies/types.py   | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/authentik/policies/process.py b/authentik/policies/process.py
index ad999b623..296c5bc9e 100644
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@@ -103,7 +103,7 @@ class PolicyProcess(PROCESS_CLASS):
             LOGGER.debug("P_ENG(proc): error", exc=src_exc)
             policy_result = PolicyResult(False, str(src_exc))
         policy_result.source_binding = self.binding
-        if not self.request.debug:
+        if self.request.should_cache:
             key = cache_key(self.binding, self.request)
             cache.set(key, policy_result, CACHE_TIMEOUT)
         LOGGER.debug(
diff --git a/authentik/policies/types.py b/authentik/policies/types.py
index f09818b44..76653d6c2 100644
--- a/authentik/policies/types.py
+++ b/authentik/policies/types.py
@@ -46,6 +46,15 @@ class PolicyRequest:
             return
         self.context["geoip"] = GEOIP_READER.city(client_ip)
 
+    @property
+    def should_cache(self) -> bool:
+        """Check if this request's result should be cached"""
+        if not self.user.is_authenticated:
+            return False
+        if self.debug:
+            return False
+        return True
+
     def __repr__(self) -> str:
         return self.__str__()