Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.78
diff -u -r1.78 form.inc
--- includes/form.inc	15 Mar 2006 08:57:37 -0000	1.78
+++ includes/form.inc	15 Mar 2006 18:48:04 -0000
@@ -59,18 +59,23 @@
  *
  */
 function drupal_get_form($form_id, &$form, $callback = NULL) {
-  global $form_values, $form_submitted;
+  global $form_values, $form_submitted, $user;
   $form_values = array();
   $form_submitted = FALSE;
 
   $form['#type'] = 'form';
   if (isset($form['#token'])) {
-    // Make sure that a private key is set:
-    if (!variable_get('drupal_private_key', '')) {
-      variable_set('drupal_private_key', mt_rand());
+    if (variable_get('cache', 0) && !$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET') {
+      unset($form['#token']);
     }
+    else {
+      // Make sure that a private key is set:
+      if (!variable_get('drupal_private_key', '')) {
+        variable_set('drupal_private_key', mt_rand());
+      }
 
-    $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+      $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+    }
   }
   if (isset($form_id)) {
     $form['form_id'] = array('#type' => 'hidden', '#value' => $form_id);
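Review bot: Unsetting `#token` only for anonymous GET requests while the else branch still sets it on every other request means the cached page carries no `form_token` field but the same anonymous user's POST will rebuild the form with `#token` set and, unless drupal_validate_form is relaxed in a change not part of this diff, the submission fails validation; if that reading is right, every token-protected form on a cached site breaks for anonymous users rather than merely losing its token. The trade-off itself deserves a comment at the `unset`, e.g. `// Cached pages are shared by all anonymous sessions, so a per-session token cannot be embedded; the CSRF token is dropped for them.`. The request-method comparison should be strict: `$_SERVER['REQUEST_METHOD'] === 'GET'`. The private key is still a single `mt_rand()` value, so every token derives from at most 31 bits of randomness; a longer random string would be a cheap hardening. drupal_get_form continues past the hunk.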
Index: modules/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment.module,v
retrieving revision 1.440
diff -u -r1.440 comment.module
--- modules/comment.module	6 Mar 2006 20:52:55 -0000	1.440
+++ modules/comment.module	15 Mar 2006 19:34:54 -0000
@@ -10,6 +10,11 @@
  * a forum topic, weblog post, story, collaborative book page, etc.
  */
 
+/**
+ * Constant to define default number of allowed comments per hour
+ */
+define('COMMENT_HOURLY_THRESHOLD', 6);
+
 /*
  * Constants to define a comment's published state
  */
@@ -65,6 +70,11 @@
 define('COMMENT_PREVIEW_REQUIRED', 1);
 
 /**
+ * Constants to define whether or not to use tokens on comment submissions
+ */
+define('COMMENT_FORM_TOKEN_DISABLED', 0);
+
+/**
  * Implementation of hook_help().
  */
 function comment_help($section) {
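Review bot: The docblock says "Constants" but only the disabled value is defined, while the radios added in comment_settings_form offer two states (0 and 1) and comment_form tests the variable's truthiness. Define the counterpart so both states have a name, `define('COMMENT_FORM_TOKEN_ENABLED', 1);`, or make the docblock singular.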
@@ -390,6 +400,14 @@
     '#collapsed' => TRUE,
   );
 
+  $form['posting_settings']['comment_hourly_threshold'] = array(
+    '#type' => 'select',
+    '#title' => t('Hourly threshold'),
+    '#default_value' => variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD),
+    '#options' => drupal_map_assoc(array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 30, 50, 60, 100, 125, 250, 3600)),
+    '#description' => t('Limit the number of comments users are allowed to post per hour.')
+  );
+
   $form['posting_settings']['comment_anonymous'] = array(
     '#type' => 'radios',
     '#title' => t('Anonymous commenting'),
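Review bot: The option list ends in 3600, which looks intended as "effectively unlimited" but is presented to the administrator as a bare number; if that is the intent, say so in the description, e.g. `'#description' => t('Limit the number of comments users are allowed to post per hour. Choose 3600 to effectively disable the limit.'),`. The new array literal also lacks the trailing comma the surrounding form arrays in this function use.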
@@ -426,6 +444,14 @@
     '#options' => array(t('Display on separate page'), t('Display below post or comments')),
   );
 
+  $form['posting_settings']['comment_form_token'] = array(
+    '#type' => 'radios',
+    '#title' => t('Enable tokens for anonymous users'),
+    '#default_value' => variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED),
+    '#options' => array(t('Disabled'), t('Enabled')),
+    '#description' => t('Comment submissions use tokens when content caching is turned off. Tokens are hidden form fields with unique strings that must be submitted for comments to be saved. When forms are submitted correctly, the token is automatically generated and passed between the authoring, preview, and submit pages. It adds one more step of complexity for spammers by requiring them to have the unique token from a previous page load.')
+  );
+
   return system_settings_form('comment_settings_form', $form);
 }
 
@@ -555,7 +581,9 @@
 
         // Allow modules to respond to the updating of a comment.
         comment_invoke_comment($edit, 'update');
-
+        if(!$user->uid || isset($edit['is_anonymous'])) {
+          flood_register_event('comment');
+        }
 
         // Add an entry to the watchdog log.
         watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
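Review bot: `flood_register_event('comment')` is now called on comment update as well as insert (this hunk and the matching one after `comment_invoke_comment($edit, 'insert')`), but neither hunk shows `global $user` for this function; if comment_save does not declare it, `$user->uid` raises a notice and `!$user->uid` is always true, so the event is registered for every user. Please confirm `$user` is in scope, and add the space the rest of the file uses: `if (!$user->uid || isset($edit['is_anonymous'])) {`. comment_save starts and ends outside the hunk.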
@@ -572,7 +600,7 @@
 
         $users = serialize(array(0 => $score));
 
-        // Here we are building the thread field.  See the comment
+        // Here we are building the thread field. See the comment
         // in comment_render().
         if ($edit['pid'] == 0) {
           // This is a comment with no parent comment (depth 0): we start
@@ -629,6 +657,9 @@
 
         // Tell the other modules a new comment has been submitted.
         comment_invoke_comment($edit, 'insert');
+        if(!$user->uid || isset($edit['is_anonymous'])) {
+          flood_register_event('comment');
+        }
 
         // Add an entry to the watchdog log.
         watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
@@ -1162,6 +1193,9 @@
   // Check validity of name, mail and homepage (if given)
   if (!$user->uid || isset($edit['is_anonymous'])) {
     if (variable_get('comment_anonymous', COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
+      if (!flood_is_allowed('comment', variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD))) {
+        form_set_error('nid', t('You cannot leave more than %number comments per hour. Please try again later.', array('%number' => variable_get('comment_hourly_threshold', 20))));
+      }
       if ($edit['name']) {
         $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0);
 
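Review bot: The flood check is nested inside the `comment_anonymous > COMMENT_ANONYMOUS_MAYNOT_CONTACT` branch, so when anonymous users may post but may not leave contact information the hourly threshold is never enforced, even though comment_save still registers the event; move the check up into the enclosing `if (!$user->uid || isset($edit['is_anonymous']))` block. The error message also falls back to `20` while the check falls back to `COMMENT_HOURLY_THRESHOLD` (6), so a site with no saved setting tells the user the wrong limit: use `variable_get('comment_hourly_threshold', COMMENT_HOURLY_THRESHOLD)` in both places. The enclosing function starts before the hunk.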
@@ -1323,7 +1357,9 @@
   $form['uid'] = array('#type' => 'value', '#value' => $edit['uid']);
 
   $form['preview'] = array('#type' => 'button', '#value' => t('Preview comment'), '#weight' => 19);
-  $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  if(variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED)) {
+    $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  }
 
   // Only show post button if preview is optional or if we are in preview mode.
   // We show the post button in preview mode even if there are form errors so that
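Review bot: Gating `$form['#token']` on `comment_form_token`, whose default is `COMMENT_FORM_TOKEN_DISABLED`, removes the CSRF token from the comment form for every user, including authenticated ones, although the setting added in comment_settings_form is titled "Enable tokens for anonymous users". The token was previously unconditional, so by default this is a protection regression for logged-in users; keep it for them and let the setting govern anonymous users only, e.g. `if ($user->uid || variable_get('comment_form_token', COMMENT_FORM_TOKEN_DISABLED)) {` (with `global $user` declared if comment_form does not already have it). `if(` also needs a space to match the file. comment_form starts and ends outside the hunk.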
Index: modules/contact.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/contact.module,v
retrieving revision 1.43
diff -u -r1.43 contact.module
--- modules/contact.module	27 Feb 2006 17:02:53 -0000	1.43
+++ modules/contact.module	15 Mar 2006 20:09:30 -0000
@@ -7,6 +7,11 @@
  */
 
 /**
+ * Default hourly submission threshold
+ */
+define('CONTACT_HOURLY_THRESHOLD', 3);
+
+/**
  * Implementation of hook_help().
  */
 function contact_help($section) {
@@ -281,8 +286,8 @@
   );
   $form['contact_hourly_threshold'] = array('#type' => 'select',
     '#title' => t('Hourly threshold'),
-    '#options' => drupal_map_assoc(array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 30, 40, 50)),
-    '#default_value' => variable_get('contact_hourly_threshold', 3),
+    '#options' => drupal_map_assoc(array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 30, 40, 50)),
+    '#default_value' => variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD),
     '#description' => t('The maximum number of contact form submissions a user can perform per hour.'),
   );
   $form['submit'] = array('#type' => 'submit',
@@ -330,8 +335,8 @@
     else if (!valid_email_address($user->mail)) {
       $output = t('You need to provide a valid e-mail address to contact other users. Please update your <a href="%url">user information</a> and try again.', array('%url' => url("user/$user->uid/edit")));
     }
-    else if (!flood_is_allowed('contact', variable_get('contact_hourly_threshold', 3))) {
-      $output = t('You cannot contact more than %number users per hour. Please try again later.', array('%number' => variable_get('contact_hourly_threshold', 3)));
+    else if (!flood_is_allowed('contact', variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))) {
+      $output = t('You cannot contact more than %number users per hour. Please try again later.', array('%number' => variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD)));
     }
     else {
       drupal_set_title($account->name);
@@ -377,43 +382,50 @@
 function contact_mail_user_submit($form_id, $edit) {
   global $user;
 
-  $account = user_load(array('uid' => arg(1), 'status' => 1));
-  // Compose the body:
-  $message[] = "$account->name,";
-  $message[] = t("%name (%name-url) has sent you a message via your contact form (%form-url) at %site.", array('%name' => $user->name, '%name-url' => url("user/$user->uid", NULL, NULL, TRUE), '%form-url' => url($_GET['q'], NULL, NULL, TRUE), '%site' => variable_get('site_name', 'drupal')));
-  $message[] = t("If you don't want to receive such e-mails, you can change your settings at %url.", array('%url' => url("user/$account->uid", NULL, NULL, TRUE)));
-  $message[] = t('Message:');
-  $message[] = $edit['message'];
+  if (!$user->uid && !flood_is_allowed('contact', variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))) {
+    drupal_set_message(t('Your message was not sent. You cannot contact more than %number users per hour. Please try again later.', array('%number' => variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))));
+  } else {
 
-  // Tidy up the body:
-  foreach ($message as $key => $value) {
-    $message[$key] = wordwrap($value);
-  }
+    $account = user_load(array('uid' => arg(1), 'status' => 1));
+    // Compose the body:
+    $message[] = "$account->name,";
+    $message[] = t("%name (%name-url) has sent you a message via your contact form (%form-url) at %site.", array('%name' => $user->name, '%name-url' => url("user/$user->uid", NULL, NULL, TRUE), '%form-url' => url($_GET['q'], NULL, NULL, TRUE), '%site' => variable_get('site_name', 'drupal')));
+    $message[] = t("If you don't want to receive such e-mails, you can change your settings at %url.", array('%url' => url("user/$account->uid", NULL, NULL, TRUE)));
+    $message[] = t('Message:');
+    $message[] = $edit['message'];
+
+    // Tidy up the body:
+    foreach ($message as $key => $value) {
+      $message[$key] = wordwrap($value);
+    }
 
-  // Prepare all fields:
-  $to = $account->mail;
-  $from = $user->mail;
+    // Prepare all fields:
+    $to = $account->mail;
+    $from = $user->mail;
 
-  // Format the subject:
-  $subject = '['. variable_get('site_name', 'drupal') .'] '. $edit['subject'];
+    // Format the subject:
+    $subject = '['. variable_get('site_name', 'drupal') .'] '. $edit['subject'];
 
-  // Prepare the body:
-  $body = implode("\n\n", $message);
+    // Prepare the body:
+    $body = implode("\n\n", $message);
 
-  // Send the e-mail:
-  user_mail($to, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+    // Send the e-mail:
+    user_mail($to, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
 
-  // Send a copy if requested:
-  if ($edit['copy']) {
-    user_mail($from, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
-  }
+    // Send a copy if requested:
+    if ($edit['copy']) {
+      user_mail($from, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+    }
 
-  // Log the operation:
-  flood_register_event('contact');
-  watchdog('mail', t('%name-from sent %name-to an e-mail.', array('%name-from' => theme('placeholder', $user->name), '%name-to' => theme('placeholder', $account->name))));
+    // Log the operation:
+    if(!$user->uid) {
+      flood_register_event('contact');
+    }
+    watchdog('mail', t('%name-from sent %name-to an e-mail.', array('%name-from' => theme('placeholder', $user->name), '%name-to' => theme('placeholder', $account->name))));
 
-  // Set a status message:
-  drupal_set_message(t('The message has been sent.'));
+    // Set a status message:
+    drupal_set_message(t('The message has been sent.'));
+  }
 
   // Jump to the user's profile page:
   return "user/$account->uid";
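Review bot: When the flood check fails the function skips `$account = user_load(...)` but still reaches `return "user/$account->uid";`, so `$account` is undefined and the redirect goes to `user/`; load the account before the check, or return `'user/'. arg(1)` in the throttled branch. Limiting both the check and `flood_register_event('contact')` to `!$user->uid` also appears to disable rate limiting entirely for authenticated users, who are the ones able to reach this form (contact_mail_user requires a valid `$user->mail`), while the display-side check in contact_mail_user keeps running for them and can never trigger; if that is intended the display check is dead code, otherwise register the event unconditionally as before. `} else {` on one line differs from the `}` / `else {` layout used elsewhere in this file.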
@@ -428,8 +440,8 @@
   $breadcrumb[] = array('path' => 'contact', 'title' => t('contact'));
   menu_set_location($breadcrumb);
 
-  if (!flood_is_allowed('contact', variable_get('contact_hourly_threshold', 3))) {
-    $output = t("You cannot send more than %number messages per hour. Please try again later.", array('%number' => variable_get('contact_hourly_threshold', 3)));
+  if (!flood_is_allowed('contact', variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))) {
+    $output = t("You cannot send more than %number messages per hour. Please try again later.", array('%number' => variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD)));
   }
   else {
     if ($user->uid) {
@@ -525,48 +537,54 @@
  * Process the site-wide contact page form submission.
  */
 function contact_mail_page_submit($form_id, $edit) {
+  global $user;
 
-  // Prepare the sender:
-  $from = $edit['mail'];
+  if (!$user->uid && !flood_is_allowed('contact', variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))) {
+    drupal_set_message(t('Your message was not sent. You cannot contact more than %number users per hour. Please try again later.', array('%number' => variable_get('contact_hourly_threshold', CONTACT_HOURLY_THRESHOLD))));
+  } else {
 
-  // Compose the body:
-  $message[] = t("%name sent a message using the contact form at %form.", array('%name' => $edit['name'], '%form' => url($_GET['q'], NULL, NULL, TRUE)));
-  $message[] = $edit['message'];
+    // Prepare the sender:
+    $from = $edit['mail'];
 
-  // Tidy up the body:
-  foreach ($message as $key => $value) {
-    $message[$key] = wordwrap($value);
-  }
+    // Compose the body:
+    $message[] = t("%name sent a message using the contact form at %form.", array('%name' => $edit['name'], '%form' => url($_GET['q'], NULL, NULL, TRUE)));
+    $message[] = $edit['message'];
 
-  // Load the category information:
-  $contact = db_fetch_object(db_query("SELECT * FROM {contact} WHERE cid = %d", $edit['cid']));
+    // Tidy up the body:
+    foreach ($message as $key => $value) {
+      $message[$key] = wordwrap($value);
+    }
 
-  // Format the category:
-  $subject = t('[%category] %subject', array('%category' => $contact->category, '%subject' => $edit['subject']));
+    // Load the category information:
+    $contact = db_fetch_object(db_query("SELECT * FROM {contact} WHERE cid = %d", $edit['cid']));
 
-  // Prepare the body:
-  $body = implode("\n\n", $message);
+    // Format the category:
+    $subject = t('[%category] %subject', array('%category' => $contact->category, '%subject' => $edit['subject']));
 
-  // Send the e-mail to the recipients:
-  user_mail($contact->recipients, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+    // Prepare the body:
+    $body = implode("\n\n", $message);
 
-  // If the user requests it, send a copy.
-  if ($edit['copy']) {
-    user_mail($from, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
-  }
+    // Send the e-mail to the recipients:
+    user_mail($contact->recipients, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
 
-  // Send an auto-reply if necessary:
-  if ($contact->reply) {
-    user_mail($from, $subject, wordwrap($contact->reply), "From: $contact->recipients\nReply-to: $contact->recipients\nX-Mailer: Drupal\nReturn-path: $contact->recipients\nErrors-to: $contact->recipients");
-  }
+    // If the user requests it, send a copy.
+    if ($edit['copy']) {
+      user_mail($from, $subject, $body, "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from");
+    }
+
+    // Send an auto-reply if necessary:
+    if ($contact->reply) {
+      user_mail($from, $subject, wordwrap($contact->reply), "From: $contact->recipients\nReply-to: $contact->recipients\nX-Mailer: Drupal\nReturn-path: $contact->recipients\nErrors-to: $contact->recipients");
+    }
 
-  // Log the operation:
-  flood_register_event('contact');
-  watchdog('mail', t('%name-from sent an e-mail regarding %category.', array('%name-from' => theme('placeholder', $edit['name'] ." <$from>"), '%category' => theme('placeholder', $contact->category))));
+    // Log the operation:
+    flood_register_event('contact');
+    watchdog('mail', t('%name-from sent an e-mail regarding %category.', array('%name-from' => theme('placeholder', $edit['name'] ." <$from>"), '%category' => theme('placeholder', $contact->category))));
 
-  // Update user:
-  drupal_set_message(t('Your message has been sent.'));
+    // Update user:
+    drupal_set_message(t('Your message has been sent.'));
+  }
 
   // Jump to home page rather than back to contact page to avoid contradictory messages if flood control has been activated.
-  return('');
+  return '';
 }
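Review bot: Here `flood_register_event('contact')` stays unconditional while the new check runs only for anonymous users, the opposite split from contact_mail_user_submit, where registration was also limited to anonymous; the two handlers should agree on who is counted, and the comment above the call should state the rule, e.g. `// Log the operation (counted for every sender, the check above only throttles anonymous users):`. The throttle is also applied in the submit handler via `drupal_set_message` after validation has passed, so the submission is silently dropped and the user's text lost; raising it with `form_set_error` in the form's validate handler would reject it properly. `} else {` differs from the file's brace style.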