Problem/Motivation
It is possible to get a situation where the Mollom error message asks the user to enter a CAPTCHA, but there is no Mollom on the form.
STR (fresh Drupal 7 installation + core Contact module + default Mollom settings):
1. Submit a form with spammy text.
2. Fill in wrong CAPTCHA code.
3. Submit the form.
4. Fill in correct CAPTCHA code.
5. Submit the form.
Result: Mollom form does not appear on the form, error message asks to complete the word verification.
What happened:
1. mollom_validate_captcha() validates that a CAPTCHA has been solved, and saves this info.
2. mollom_validate_analysis() performs text analysis, and shows the error message.
3. mollom_pre_render_mollom() checks that a CAPTCHA has been solved, and hides Mollom's "captcha" form element.
Proposed resolution
I believe, if a CAPTCHA has been solved, the text should not be analysed again.
Comment | File | Size | Author |
---|---|---|---|
#1 | mollom-do_not_analyse_text_if_captcha_is_solved-2422957-1.patch | 509 bytes | Leksat |
Comments
Comment #1
Leksat commented:
Attached patch solves the problem for me. However I'm not sure if this approach is correct.
Comment #3
Nick_vh commented:
That's not quite correct, no. It could be that Mollom detected it as pure spam and then even a Captcha won't help you. I do agree it is weird the captcha didn't show. Do you have a way to reproduce it by any chance? E.g., by tweaking the code such that it fails? Best thing would be to write a test for it.
You can use dev.mollom.com as your endpoint and send it "spam", "ham" or "unsure" and it will respond as such.
Comment #4
eshta commented:
You can get that same "ham", "spam", "unsure" behavior without messing with the code or endpoints by just setting Mollom to testing mode from the configuration settings page.
Comment #5
Leksat commented:
I just can't understand... If solving a captcha does nothing (Mollom still thinks that it is a spam submission), why does Mollom show a captcha? In my opinion, solving a captcha should prevent all further checks. Am I wrong?
Comment #6
DigitalFrontiersMedia commented:
I believe #2425953: "Captcha fails to show after form validation errors" is a duplicate of this issue. Changing this issue to D8 branch and if vetted, the D7 patch above can be used as the backport version as the code is moved forward on the latest D8 branch.
I don't have the ability to assign this to Wim but I'm guessing eshta will do so.
Comment #7
eshta commented:
Mollom actually re-runs the analysis check for each posting of the form because the contents of the form could change. So while the initial comment could look innocent enough, upon preview the spammer could change the message to be a spam message. While I understand that this isn't the exact scenario here, I think that it is the same logic coming into play.
It sounds like the actual statement throughout this thread is: once a user enters a CAPTCHA correctly, it doesn't matter what they change the content to because we have determined that they are a human. I think this could still open us up to spam from humans taking advantage of this hole and that we should continue to re-analyze the content. I'm interested in other opinions, however, and will bring it up with the Mollom engineers internally as well. In either case, we should at least make it that you don't see a message to fill out a captcha without seeing the captcha. So either we allow the text to be re-analyzed and clear out the "solved" flag, or we check the "solved" flag and don't re-analyze.
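The sequence from the issue summary and the two options named in comment #7, as an added Python model that is not part of the thread and not Mollom module code. The state dictionary, the policy names, the messages and the keyword-based `analyze()` stub are assumptions made for the illustration.

```python
# Simplified model of the validation flow described in this issue. Not Mollom
# module code: the state dict, policy names and messages are assumptions.
CAPTCHA_MSG = "complete the word verification"

def analyze(text):
    # Stand-in for the testing behaviour mentioned in the thread: the literal
    # words "spam" or "unsure" in the text select that classification.
    return next((v for v in ("spam", "unsure") if v in text), "ham")

def submit(state, text, captcha_ok=False, policy="reported"):
    """Process one post; return (accepted, errors, captcha_rendered)."""
    errors = []
    # 1. CAPTCHA validation: a correct answer is remembered in the form state.
    if state.get("captcha_shown") and captcha_ok:
        state["solved"] = True
    # 2. Text analysis on every post, unless the policy trusts a solved CAPTCHA.
    if policy == "skip_if_solved" and state.get("solved"):
        verdict = "ham"
    else:
        verdict = analyze(text)
    if verdict == "spam":
        errors.append("submission blocked as spam")
    elif verdict == "unsure":
        errors.append(CAPTCHA_MSG)
        if policy == "reanalyze_and_reset":
            state["solved"] = False  # a new challenge must be rendered
    # 3. Pre-render: the CAPTCHA element is hidden once "solved" is set.
    rendered = CAPTCHA_MSG in errors and not state.get("solved")
    state["captcha_shown"] = rendered
    return (not errors, errors, rendered)

def replay(policy, final_text="unsure text"):
    """Replay the steps to reproduce (constructed input); return the last result."""
    state = {}
    submit(state, "unsure text", policy=policy)                    # spammy text
    submit(state, "unsure text", captcha_ok=False, policy=policy)  # wrong code
    return submit(state, final_text, captcha_ok=True, policy=policy)

if __name__ == "__main__":
    for policy in ("reported", "reanalyze_and_reset", "skip_if_solved"):
        print(policy, replay(policy), replay(policy, final_text="spam"))
```

Under `skip_if_solved` the final post is accepted even when its text is changed to "spam" after the CAPTCHA is solved, which is the concern raised in comment #7; `reanalyze_and_reset` keeps the error message and the rendered CAPTCHA consistent.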
Comment #8
eshta at Acquia commented:
I am not able to reproduce this in version 7 (and have specifically tested for it while working on the 8 port). Please confirm the steps to reproduce.
Comment #9
eshta at Acquia commented