Admittedly, my situation is unusual: I have a site where the Anonymous role does not have the access content (View published content) permission, which is set as the _permission requirement in the friendlycaptcha.api_puzzle route.

It's a site where users are required to log in before viewing any content.

So when I add the CAPTCHA to the user_form (New user registration) form, it fails with an error like the following:

Verification failed
Failed to connect to http://my-site.test/api/v1/puzzle

I'm tempted to submit a patch that removes any access restrictions from the /api/v1/puzzle route, but I'm not sure what the implications of that are. On most sites, Anonymous users have the access content permission, so it wouldn't seem to make much difference.

There's a todo comment in friendlycaptcha.routing.yml that says:

# @todo Implement access control according to Polite::cors()

I'm not sure what that means, but I suspect it's important to somehow protect that API route.

Any objections to my submitting a patch that removes the route permission requirement?
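To make the proposed route change concrete, here is an added example (not the module's own friendlycaptcha.routing.yml; the controller and access-checker class names are placeholders) showing the current requirement beside the replacement being discussed:

```yaml
# Added example, not the module's real routing file. Route name and path are
# the ones named in the issue; class names are placeholders.
friendlycaptcha.api_puzzle:
  path: '/api/v1/puzzle'
  defaults:
    _controller: '\Drupal\friendlycaptcha\Controller\PLACEHOLDER_PuzzleController::puzzle'
  requirements:
    # Current requirement: a visitor without "access content" (here, every
    # anonymous user) is refused, so the CAPTCHA on the registration form
    # cannot fetch its puzzle and the form fails with "Verification failed".
    # _permission: 'access content'
    #
    # Proposed change: allow every request. The endpoint then answers any
    # client, logged in or not, so any origin or rate limits must live in
    # the controller or a later access check rather than in the route.
    _access: 'TRUE'
    #
    # Alternative that keeps a place for the @todo: delegate to an access
    # checker class (placeholder name) that can implement origin rules.
    # _custom_access: '\Drupal\friendlycaptcha\Access\PLACEHOLDER_PuzzleAccess::access'
```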


Comments

jeffam created an issue. See original summary.

aayushpathak made their first commit to this issue’s fork.


Working on it.


The /api/v1/puzzle route currently requires the access content permission.
On sites where anonymous users do not have this permission, the CAPTCHA puzzle endpoint becomes inaccessible and verification fails on forms available to anonymous users.
This patch replaces the permission requirement with _access: TRUE so the endpoint can be accessed by anonymous users.


Status: Active » Needs review