Cache hole punching is broken for private blocks, private data is exposed to varnish

[m1klos]

In Magento_PageCache/Observer/ProcessLayoutRenderElement.php when _isScopePrivate is true in a block, wrong block placeholder is generated, it contains private data, which is cached by Varnish. The placeholder should be empty, so it can be populated by ajax.

Steps to reproduce

1. create a new block, and set _isScopePrivate to true (a property from abstract, originally set to false), this way we indicate we want cache hole punch for this block
2. try to get data from customer session (e.g. check if the customer is logged in)
3. place the block (layout xml) in a way to be used in both cached and non-cached pages, in the latter the information will be correct, on cached pages it won't get through.

Expected result

1. The placeholder should be empty, so it can be populated by ajax.

Actual result

1. Wrong block placeholder is generated, it contains private data, which is cached by Varnish

[melnikovi]

Internal ticket created MAGETWO-54528

[tuntisz]

Is there any update on the status of this? I'm also able to recreate this. @melnikovi

[Vinai]

The rendered content has to distinguish if the rendered result will be cached or not. There are several ways to do that (e.g. check if it is an ajax request or check if the customer session is anonymized).

According to the devdocs, the "official" way to create dynamic blocks with private data is to use a UI element private section to display customer data.
Strangely this development related information is not in the developer section, but in the system administrator configuration guide:
http://devdocs.magento.com/guides/v2.1/config-guide/cache/cache-priv-priv.html

The docs where not that easy to follow for me, but I got it working in the end. I prefer to not use the UI element XML and just plop the JSON config in a template myself, but all in all it works pretty nicely.

[misha-kotov]

Update: we've decided to close the open bugs on this issue since the _isScopePrivate property was deprecated in 2.0 and 2.1. Our devdocs describe how to achieve this goal using a newer mechanism (link is above).

[orlangur]

@misha-kotov can this issue and related PR #5084 be closed then?

[okorshenko]

Closing this issues. The functionality is deprecated.