
Comments

Honza Pobořil’s picture

Component: Code » Date Repeat API
klonos’s picture

While this will prevent bad things from happening, it must be stressed that whatever fix we come up with here (possibly a hard-coded safe value) will only be temporary and should be reverted once #1901936: Create only a minimum amount (TBD) of repeats and set the rest to be created on successive cron runs is actually implemented. We should consider making this value configurable either through the UI or by exposing a variable for it.

MiroslavBanov’s picture

Issue summary: View changes
Status: Active » Needs review
FileSize
2.62 KB

Adding a patch to have the option to limit the date repeats for a date repeat field.

Status: Needs review » Needs work

The last submitted patch, 3: many_repeats_problem-date-2051033-3.patch, failed testing.

klonos’s picture

MiroslavBanov’s picture

Status: Needs work » Needs review
FileSize
4.12 KB

The errors were because of missing default value for the settings. Corrected this problem, and did some adjustments to the UI.

BTW, I notice that the "years_back_and_forward" fieldset is no longer used, and should have been removed in revision 6d10f0e, back in 2011.

klonos’s picture

...remember to hide old patches when uploading new ones ;)

vijaycs85’s picture

Issue tags: +Needs tests, +sprint

I'm not very sure about this option/requirement; however, if we need to take it in, we might need to add tests (with a test-only fail patch) for the new functionality in this patch.

MiroslavBanov’s picture

Status: Needs review » Needs work

@vijaycs85
Then I guess issue needs more work.
@Next person
Along with your patches, please provide some convincing arguments that the change is needed :p

Michael_Lessard_micles.biz’s picture

Personally, I would feel safer with a Permission for Repeating Dates.

If this were possible, I would allow only recognized users (specific Role) to set Repeating dates on my media, in order to avoid an "Authenticated" abuser posting 100 times on the calendar in one single post.

On the other hand, the superuser or admins can delete the entire thing with one post also.

Just my two cents. I presume adding a Permission is an easy tweak.

Michael_Lessard_micles.biz’s picture

To the maintainers of this very useful module:

I am a bit taken aback that we would need to add arguments about how critical this issue is or that it is not solved since. If it is somewhat fixed or fixable now, sorry, I have not noticed.

EXAMPLES:

a) Typical abuse with just nodes: a person hides her IP and attempts to post many nodes or comments. This is a somewhat "complicated" abuse (requires scripts, etc.) and most webmasters have many systems set up in Drupal to avoid this (CAPTCHA, Honeypot, etc.).

b) Easiest abuse ever: a person hides her IP and creates one single event repeating itself daily for many months or more. It is also easy to remove, but your calendar or your media looks rather bad and amateurish for a while. There is practically no way of stopping this type of abuse where an actual person posts just one event. There isn't even a permission set up to use Date Repeat (the permission that exists now is to allow users to see the repeat rules).

Also note that this abuse can be a simple error by an honest user!

nb: I avoid adding patches that are more or less tested, so this vulnerability persists.
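
The two mitigations raised in this thread (a cap on the number of repeats and a permission gate for creating repeating dates) can be combined in one server-side check, sketched below as an added example that is not part of the thread or of the Date module. All function names, the cap of 52 and the `$may_repeat` flag are assumptions; only FREQ, INTERVAL, COUNT and UNTIL are handled, and any other rule part is rejected.

```php
<?php
// Added example; every name below is hypothetical, not Date module code.
const MAX_REPEATS = 52; // assumed cap; in practice a per-field setting
// Parse "FREQ=DAILY;INTERVAL=2;COUNT=10" into an uppercase key => value map.
function parse_rrule(string $rrule): array {
  $parts = [];
  foreach (explode(';', preg_replace('/^RRULE:/i', '', trim($rrule))) as $pair) {
    if (strpos($pair, '=') !== false) {
      [$k, $v] = explode('=', $pair, 2);
      $parts[strtoupper(trim($k))] = strtoupper(trim($v));
    }
  }
  return $parts;
}
// Walk the rule lazily and stop at $cap + 1, so an open-ended rule costs
// at most $cap + 1 iterations instead of being fully expanded.
function count_repeats_capped(DateTimeImmutable $start, array $rule, int $cap): int {
  $units = ['DAILY' => 'D', 'WEEKLY' => 'W', 'MONTHLY' => 'M', 'YEARLY' => 'Y'];
  $known = ['FREQ' => 1, 'INTERVAL' => 1, 'COUNT' => 1, 'UNTIL' => 1];
  if (!isset($units[$rule['FREQ'] ?? '']) || array_diff_key($rule, $known)) {
    throw new InvalidArgumentException('Unsupported rule part.'); // fail closed
  }
  $step = new DateInterval('P' . max(1, (int) ($rule['INTERVAL'] ?? 1)) . $units[$rule['FREQ']]);
  $count = isset($rule['COUNT']) ? (int) $rule['COUNT'] : PHP_INT_MAX;
  $until = isset($rule['UNTIL'])
    ? DateTimeImmutable::createFromFormat('Ymd\THis\Z', $rule['UNTIL'], new DateTimeZone('UTC'))
    : null;
  if ($until === false) {
    throw new InvalidArgumentException('Unparseable UNTIL value.');
  }
  for ($n = 0, $d = $start; $n < $count && $n <= $cap; $d = $d->add($step)) {
    if ($until !== null && $d > $until) break;
    $n++;
  }
  return $n;
}
// Returns an error message, or null when the rule is acceptable.
function validate_repeat_rule(string $rrule, DateTimeImmutable $start, bool $may_repeat, int $cap = MAX_REPEATS): ?string {
  if (!$may_repeat) {
    return 'Not permitted to create repeating dates.';
  }
  try {
    $n = count_repeats_capped($start, parse_rrule($rrule), $cap);
  } catch (InvalidArgumentException $e) {
    return $e->getMessage();
  }
  return $n > $cap ? "Rule exceeds the limit of $cap repeats." : null;
}
// Constructed sample input: an open-ended daily rule.
var_dump(validate_repeat_rule('FREQ=DAILY', new DateTimeImmutable('2024-01-01 10:00 UTC'), true));
```

Counting stops one past the cap, so the check itself cannot be used to force an expensive expansion.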