Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.78
diff -u -r1.78 form.inc
--- includes/form.inc	15 Mar 2006 08:57:37 -0000	1.78
+++ includes/form.inc	16 Mar 2006 06:10:12 -0000
@@ -59,18 +59,25 @@
  *
  */
 function drupal_get_form($form_id, &$form, $callback = NULL) {
-  global $form_values, $form_submitted;
+  global $form_values, $form_submitted, $user;
   $form_values = array();
   $form_submitted = FALSE;
 
   $form['#type'] = 'form';
   if (isset($form['#token'])) {
-    // Make sure that a private key is set:
-    if (!variable_get('drupal_private_key', '')) {
-      variable_set('drupal_private_key', mt_rand());
+    // displaying tokens on cached pages breaks the form for
+    // every user except the first one who generates the cache
+    if (variable_get('cache', 0) && !$user->uid && $_SERVER['REQUEST_METHOD'] == 'GET') {
+      unset($form['#token']);
     }
+    else {
+      // Make sure that a private key is set:
+      if (!variable_get('drupal_private_key', '')) {
+        variable_set('drupal_private_key', mt_rand());
+      }
 
-    $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+      $form['form_token'] = array('#type' => 'hidden', '#default_value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key', '')));
+    }
   }
   if (isset($form_id)) {
     $form['form_id'] = array('#type' => 'hidden', '#value' => $form_id);
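Review bot: Unsetting `#token` for anonymous GET requests on cached sites means those forms are rendered without a `form_token`, yet on the POST pass `#token` is still set and the `else` branch builds one. The validation code is outside this hunk, so confirm that it neither rejects every anonymous submission nor silently skips the comparison. Either way these forms lose their request-forgery check for anonymous visitors, and the comment should say so, e.g. `// Anonymous visitors on cached pages get no token, so these forms are not token-validated.` Separately, the re-indented `variable_set('drupal_private_key', mt_rand());` seeds the site-wide secret from one non-cryptographic value of at most 31 bits, so every token derived from it is only as strong as that guessable key. drupal_get_form continues past the end of the hunk.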
Index: modules/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment.module,v
retrieving revision 1.440
diff -u -r1.440 comment.module
--- modules/comment.module	6 Mar 2006 20:52:55 -0000	1.440
+++ modules/comment.module	16 Mar 2006 05:49:45 -0000
@@ -65,6 +65,11 @@
 define('COMMENT_PREVIEW_REQUIRED', 1);
 
 /**
+ * Constants to define whether or not to use tokens on comment submissions
+ */
+define('COMMENT_FORM_TOKEN_ENABLED', FALSE);
+
+/**
  * Implementation of hook_help().
  */
 function comment_help($section) {
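Review bot: `COMMENT_FORM_TOKEN_ENABLED` defaults to `FALSE`, so a site with no stored `comment_form_token` value loses the comment token it had before this patch until an administrator opts back in. The form.inc part of the patch already drops the token where page caching would break it, so `define('COMMENT_FORM_TOKEN_ENABLED', TRUE);` looks like the safer default. The doc comment says "Constants" for a single constant and could state what the default means, e.g. `Default for the comment_form_token setting: whether comment forms carry a token.`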
@@ -426,6 +431,14 @@
     '#options' => array(t('Display on separate page'), t('Display below post or comments')),
   );
 
+  $form['posting_settings']['comment_form_token'] = array(
+    '#type' => 'radios',
+    '#title' => t('Enable tokens for anonymous users'),
+    '#default_value' => variable_get('comment_form_token', COMMENT_FORM_TOKEN_ENABLED),
+    '#options' => array(t('Disabled'), t('Enabled')),
+    '#description' => t('Comment submissions use tokens when content caching is turned off. Tokens are hidden form fields with unique strings that must be submitted for comments to be saved. When forms are submitted correctly, the token is automatically generated and passed between the authoring, preview, and submit pages. It adds one more step of complexity for spammers by requiring them to have the unique token from a previous page load.')
+  );
+
   return system_settings_form('comment_settings_form', $form);
 }
 
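Review bot: The `#description` tells administrators that comment submissions use tokens when content caching is turned off, but in the visible code the token is set only when this option is enabled, and with caching on it is dropped only for anonymous GET requests. The text should state what "Disabled" does, e.g. `When disabled, comment forms are submitted without a token check.` That lets an administrator see that the option trades a protection for cache compatibility. The enclosing settings function starts outside the hunk.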
@@ -1323,7 +1336,9 @@
   $form['uid'] = array('#type' => 'value', '#value' => $edit['uid']);
 
   $form['preview'] = array('#type' => 'button', '#value' => t('Preview comment'), '#weight' => 19);
-  $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  if(variable_get('comment_form_token', COMMENT_FORM_TOKEN_ENABLED)) {
+    $form['#token'] = 'comment' . $edit['nid'] . $edit['pid'];
+  }
 
   // Only show post button if preview is optional or if we are in preview mode.
   // We show the post button in preview mode even if there are form errors so that
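Review bot: The new `variable_get('comment_form_token', ...)` guard removes `#token` for every commenter, although the settings hunk labels the option "Enable tokens for anonymous users". With the `FALSE` default, logged-in users' comment forms lose the token as well. Keeping it for authenticated users would match the label, e.g. `if ($user->uid || variable_get('comment_form_token', COMMENT_FORM_TOKEN_ENABLED)) {`. That needs `global $user;` if the enclosing function, which starts outside the hunk, does not already declare it. The added `if(` is also missing the space after `if` that the rest of the patch uses.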