Forms can be cached. When Honeypot's settings are changed, the cached forms are not invalidated. This means, for example, that if a form did not have honeypot protection prior to the settings being changed, the unprotected cached version of the form can still be used. Similarly, if honeypot settings are changed or protection is removed from (a category of) forms, cached and outdated versions with honeypot protection might still linger.

Making sure cached forms are invalidated is as easy as adding the 'config:honeypot.settings' cache tag to the forms. Note that the tag should be added to *all* forms, not just to honeypot protected forms, so that when protection is enabled, unprotected cached forms are invalidated, and honeypot protected is evaluated again for those forms.

Patch attached.

CommentFileSizeAuthor
honeypot-form-caching.patch1.52 KBmr.baileys
honeypot-form-caching-test-only.patch807 bytesmr.baileys
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mr.baileys created an issue. See original summary.

geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
Status: Needs review » Reviewed & tested by the community

Good catch! I haven't used Honeypot in a scenario where I enabled it after the site was up and running, so I haven't run into this scenario, but the test makes it pretty obvious. This looks good for a quick merge.

geerlingguy’s picture

geerlingguy CreditAttribution: geerlingguy at Midwestern Mac, LLC commented
Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.