Drupal 7.53
Captcha 7.x-1.3

If we use the math captcha and a custom external authentication service, users can log into Drupal regardless of how they respond to the challenge. Correct answers let us in, of course, but so do incorrect answers (with the message "The answer you entered for the CAPTCHA was not correct.") and blank input (with the message "Math question field is required."). If we disable the external authentication service and just rely on Drupal, the issue is not reproducible.

We have a custom module that provides user authentication via an external service. The custom module implements hook_form_FORM_ID_alter() for user_login that only overwrites $form['#validate']:

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 */
function think_sso_form_user_login_alter(&$form, &$form_state, $form_id) {
  // Replace the whole validation chain, swapping core's
  // user_login_authenticate_validate for the SSO handler.
  $form['#validate'] = array(
    'user_login_name_validate',
    'think_sso_login_validate',
    'user_login_final_validate',
  );
}

The default for $form['#validate'] is

[#validate] => Array
    (
        [0] => user_login_name_validate
        [1] => user_login_authenticate_validate
        [2] => user_login_final_validate
    )

So the only thing we're doing is replacing user_login_authenticate_validate with think_sso_login_validate. And, it seems, as long as think_sso_login_validate comes back with an affirmative answer, drupal ignores the captcha.

Captchas configured for the user registration form or any other form (once the user has authenticated) all work as they should: incorrect or blank answers prevent the form from submitting. Also, if we replace the math challenge type with reCAPTCHA, the problem is the same: users can still authenticate even if they don't complete the captcha.

Not sure if this is a captcha or core issue, but thought I'd start here.
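Added example (not code from the report above, nor from the CAPTCHA or Drupal projects): a form alter that swaps only core's user_login_authenticate_validate for the SSO handler and leaves whatever other modules have appended to $form['#validate'] in place, plus a validate handler that follows core's own pattern of recording $form_state['uid'] and nothing else, so that the actual login stays in user_login_submit(), which Drupal runs only when the form has no validation errors. Whether the reporter's think_sso_login_validate logs the user in directly is not stated in the report; the helper think_sso_authenticate_user() is an assumed site-specific wrapper around the external service.

```php
<?php

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * Assigning a fresh $form['#validate'] array discards every handler that
 * other modules may have added to it. Instead, find core's authenticate
 * handler and replace just that entry.
 */
function think_sso_form_user_login_alter(&$form, &$form_state, $form_id) {
  $validators = isset($form['#validate']) ? $form['#validate'] : array();
  $pos = array_search('user_login_authenticate_validate', $validators, TRUE);

  if ($pos !== FALSE) {
    $validators[$pos] = 'think_sso_login_validate';
  }
  else {
    // Core's handler is already gone (some other module removed it), so
    // insert ours just before user_login_final_validate, or at the end.
    $pos = array_search('user_login_final_validate', $validators, TRUE);
    if ($pos === FALSE) {
      $pos = count($validators);
    }
    array_splice($validators, $pos, 0, array('think_sso_login_validate'));
  }

  $form['#validate'] = $validators;
}

/**
 * Form validation handler: check credentials against the external service.
 *
 * Mirrors core's user_login_authenticate_validate(): on success it only
 * stores the uid in $form_state. It must not call user_login_finalize() or
 * start a session itself. Drupal runs every validation handler even after
 * an earlier one (such as the CAPTCHA check) has called form_set_error(),
 * but it runs submit handlers only when there are no errors, so the login
 * has to happen in user_login_submit() for the CAPTCHA error to block it.
 */
function think_sso_login_validate($form, &$form_state) {
  $name = isset($form_state['values']['name']) ? trim($form_state['values']['name']) : '';
  $pass = isset($form_state['values']['pass']) ? trim($form_state['values']['pass']) : '';
  if ($name === '' || $pass === '') {
    // user_login_name_validate / the required-field check already report this.
    return;
  }

  // Assumed helper: asks the external service to verify the credentials and
  // returns the matching local Drupal uid on success, 0 or FALSE on failure.
  $uid = think_sso_authenticate_user($name, $pass);

  if (!empty($uid)) {
    $form_state['uid'] = $uid;
  }
  // On failure leave $form_state['uid'] unset; user_login_final_validate()
  // then reports the failed login exactly as it does for core accounts.
}
```

With this split, a wrong CAPTCHA answer sets a form error, user_login_submit() never runs, and no session is created, while the SSO check itself still reports success or failure through the same $form_state['uid'] convention core relies on.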

Comments

dasfuller created an issue. See original summary.

Chris Matthews

Version: 7.x-1.3 » 7.x-1.x-dev
Priority: Major » Normal

Version change only

Anybody

Status: Active » Closed (outdated)

5 years later.