Fixed
Project:
ALTCHA
Version:
1.1.0
Component:
Code
Priority:
Major
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
6 Jul 2026 at 14:09 UTC
Updated:
16 Jul 2026 at 09:41 UTC
Jump to comment: Most recent
ALTCHA is broken without "Access content" (published) permission for Anonymous role!
In a closed application I was wondering why ALTCHA always showed "Verification failed" with a 403 AJAX result.
Finally I found the reason: The route it exposes relies on "Access published content" permission, which definitely makes no sense for exactly this case, where Anonymous roles should never see any content!
See above
Remove the permission for the captcha URLs
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
anybodyComment #3
anybodySame issue in https://www.drupal.org/project/friendlycaptcha/issues/3577769 - for that reason I'm adding the same @todo here for the future. Think that makes sense.
Comment #5
anybodyComment #6
robindh commentedI don't see a direct issue with making the route accessible for everyone - but the added @todo is currently not clear to me. Can you elaborate?
Comment #7
robindh commentedComment #8
anybody@robindh thanks. As written in #3 I copied that from #3577769: Access denied to /api/v1/puzzle
The idea is to only allow access to this route from the same origin, because no external resources should query the altcha route. Technically I'm not sure how to do it.
Any ideas? You decide if we should keep it as hint for the future. The idea behind makes sense to me. Maybe change the comment accordingly?
Comment #10
robindh commentedThanks! I've removed the todo since I think it would be very tricky to make it work on all possible drupal setups (multisite, multi-domain, ..).
Merged the access fix into 1.x and 2.x. Will make a new release soon