Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.78
diff -u -r1.78 form.inc
--- includes/form.inc	15 Mar 2006 08:57:37 -0000	1.78
+++ includes/form.inc	15 Mar 2006 18:48:04 -0000
@@ -59,18 +59,23 @@
  *
  */
 function drupal_get_form($form_id, &$form, $callback = NULL) {
-  global $form_values, $form_submitted;
+  global $form_values, $form_submitted, $user;
   $form_values = array();
   $form_submitted = FALSE;
 
   $form['#type'] = 'form';
   if (isset($form['#token'])) {
-    // Make sure that a private key is set:
-    if (!variable_get('drupal_private_key', '')) {
-      variable_set('drupal_private_key', mt_rand());
+    if (variable_get('cache', 0) && !$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET') {
+      unset($form['#token']);
     }
+    else {
+      // Make sure that a private key is set:
+      if (!variable_get('drupal_private_key', '')) {
+        variable_set('drupal_private_key', mt_rand());
+      }
 
-    $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+      $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+    }
   }
   if (isset($form_id)) {
     $form['form_id'] = array('#type' => 'hidden', '#value' => $form_id);
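Review bot: The new `if` branch removes `#token` from every form shown to an anonymous visitor on a GET request while caching is on, not only the comment form, so any form that relied on the token silently loses that check for those visitors. On the following POST the condition is false and the `else` branch adds `form_token` again; if the validation code (outside this hunk) still compares the submitted value, a form served from the cached page carries no token and would be rejected, so the validation side needs the same condition. A comment above the `if` would help, for example `// Cached pages are shared between anonymous visitors, so a per-session token cannot be embedded in them.` Separately, the private key the token depends on is still a single `mt_rand()` value, which is a small and predictable key space for a secret. drupal_get_form continues past the end of the hunk.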
Index: modules/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment.module,v
retrieving revision 1.440
diff -u -r1.440 comment.module
--- modules/comment.module	6 Mar 2006 20:52:55 -0000	1.440
+++ modules/comment.module	15 Mar 2006 19:22:08 -0000
@@ -10,6 +10,11 @@
  * a forum topic, weblog post, story, collaborative book page, etc.
  */
 
+/**
+ * Constant to define default number of allowed comments per hour
+ */
+define('COMMENT_HOURLY_THRESHOLD', 6);
+
 /*
  * Constants to define a comment's published state
  */
@@ -65,6 +70,11 @@
 define('COMMENT_PREVIEW_REQUIRED', 1);
 
 /**
+ * Constants to define whether or not to use tokens on comment submissions
+ */
+define('COMMENT_FORM_TOKEN_DISABLED', 0);
+
+/**
  * Implementation of hook_help().
  */
 function comment_help($section) {
@@ -390,6 +400,14 @@
     '#collapsed' => TRUE,
   );
 
+  $form['posting_settings']['comment_hourly_threshold'] = array(
+    '#type' => 'select',
+    '#title' => t('Hourly threshold'),
+    '#default_value' => variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD),
+    '#options' => drupal_map_assoc(array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 30, 50, 60, 100, 125, 250)),
+    '#description' => t('Limit the number of comments users are allowed to post per hour.')
+  );
+
   $form['posting_settings']['comment_anonymous'] = array(
     '#type' => 'radios',
     '#title' => t('Anonymous commenting'),
@@ -426,6 +444,14 @@
     '#options' => array(t('Display on separate page'), t('Display below post or comments')),
   );
 
+  $form['posting_settings']['comment_form_token'] = array(
+    '#type' => 'radios',
+    '#title' => t('Enable tokens for anonymous users'),
+    '#default_value' => variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED),
+    '#options' => array(t('Disabled'), t('Enabled')),
+    '#description' => t('Comment submissions use tokens when content caching is turned off. Tokens are hidden form fields with unique strings that must be submitted for comments to be saved. When forms are submitted correctly, the token is automatically generated and passed between the authoring, preview, and submit pages. It adds one more step of complexity for spammers by requiring them to have the unique token from a previous page load.')
+  );
+
   return system_settings_form('comment_settings_form', $form);
 }
 
@@ -555,7 +581,9 @@
 
         // Allow modules to respond to the updating of a comment.
         comment_invoke_comment($edit, 'update');
-
+        if(!$user->uid || isset($edit['is_anonymous'])) {
+          flood_register_event('comment');
+        }
 
         // Add an entry to the watchdog log.
         watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
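Review bot: `flood_register_event('comment')` is added on the update path here as well as on the insert path (the identical block in the `-629,6` hunk), so every edit of an anonymous comment counts toward the hourly limit. If `is_anonymous` is set when a logged-in moderator edits an anonymous comment, which the condition suggests but the hunk does not show, those edits would be charged to the moderator. Consider registering the event only on insert, or only when `!$user->uid`. In both hunks `if(` should be `if (` to match the surrounding code, and the blank line this hunk removes before the watchdog comment is worth keeping.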
@@ -572,7 +600,7 @@
 
         $users = serialize(array(0 => $score));
 
-        // Here we are building the thread field.  See the comment
+        // Here we are building the thread field. See the comment
         // in comment_render().
         if ($edit['pid'] == 0) {
           // This is a comment with no parent comment (depth 0): we start
@@ -629,6 +657,9 @@
 
         // Tell the other modules a new comment has been submitted.
         comment_invoke_comment($edit, 'insert');
+        if(!$user->uid || isset($edit['is_anonymous'])) {
+          flood_register_event('comment');
+        }
 
         // Add an entry to the watchdog log.
         watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
@@ -1162,6 +1193,9 @@
   // Check validity of name, mail and homepage (if given)
   if (!$user->uid || isset($edit['is_anonymous'])) {
     if (variable_get('comment_anonymous', COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
+      if (!flood_is_allowed('comment', variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD))) {
+        form_set_error('nid', t('You cannot leave more than %number comments per hour. Please try again later.', array('%number' => variable_get('comment_hourly_threshold', 20))));
+      }
       if ($edit['name']) {
         $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0);
 
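Review bot: The added `flood_is_allowed()` check sits inside the `comment_anonymous > COMMENT_ANONYMOUS_MAYNOT_CONTACT` branch, so with the default shown on that line (anonymous posters may not leave contact details) the hourly limit is never checked, even though the insert and update hunks register events for those posters. Moving it one level out, directly under `if (!$user->uid || isset($edit['is_anonymous']))`, would apply it to all anonymous submissions. The error message reads the setting with a default of `20` while the check uses `COMMENT_HOURLY_THRESHOLD` (6), so with the variable unset the message reports the wrong number; use `array('%number' => variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD))`. The enclosing function begins and ends outside the hunk.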
@@ -1323,7 +1357,9 @@
   $form['uid'] = array('#type' => 'value', '#value' => $edit['uid']);
 
   $form['preview'] = array('#type' => 'button', '#value' => t('Preview comment'), '#weight' => 19);
-  $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  if(variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED)) {
+    $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  }
 
   // Only show post button if preview is optional or if we are in preview mode.
   // We show the post button in preview mode even if there are form errors so that
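Review bot: The new condition around `$form['#token']` is not limited to anonymous users, so with `comment_form_token` at its default of `COMMENT_FORM_TOKEN_DISABLED` the comment form loses its token for logged-in users as well, although the option added in the settings-form hunk is titled "Enable tokens for anonymous users". Before this change the token was always set. To match the label, keep it for authenticated users: `if ($user->uid || variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED)) {` (this assumes `$user` is in scope in this function, which the hunk does not show). `if(` should also be written `if (` as elsewhere in the file. The function continues outside the hunk.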