When an authenticated user violates the required submission time, an entry is made in the honeypot_users table. Each entry that is created for a given user increases that user's required submission time exponentially. Entries in honeypot_users that are older than honeypot_expire are cleared only when honeypot_cron() runs. Until that happens, authenticated users are stuck with required submission times that can easily grow to ridiculous proportions.
There is a similar mechanism for increasing the submission time of anonymous users using entries in the flood table. These entries, however, are ignored if they are older than honeypot_expire.
Here is the count that is performed for authenticated users:

```php
$number = db_query("SELECT COUNT(*) FROM {honeypot_user} WHERE uid = :uid", array(':uid' => $user->uid))->fetchField();
```

Here is the count that is performed for anonymous users:

```php
$number = db_query("SELECT COUNT(*) FROM {flood} WHERE event = :event AND identifier = :hostname AND timestamp > :time", array(
  ':event' => 'honeypot',
  ':hostname' => ip_address(),
  ':time' => time() - variable_get('honeypot_expire', 300),
))->fetchField();
```
Can we make the count for authenticated users behave like the count for anonymous users with respect to honeypot_expire?
Comment | File | Size | Author |
---|---|---|---|
#10 | check_honeypot_expire-2491723-10.patch | 1.3 KB | geerlingguy |
#4 | check_honeypot_expire-2491723-4.patch | 1.25 KB | geerlingguy |
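
The difference between the two counts described in the issue summary, as an added example (this is not the attached patch and not Honeypot module code). It assumes the per-user table has a `timestamp` column alongside `uid`, uses an in-memory SQLite database in place of Drupal's database layer, and the rows and function names are constructed for illustration.

```php
<?php
// Added illustration, not Honeypot module code. The (uid, timestamp) layout
// and the sample rows are assumptions constructed for this example.
const HONEYPOT_EXPIRE = 300; // same default the anonymous query falls back to

function make_db(int $now): PDO {
  $db = new PDO('sqlite::memory:');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $db->exec('CREATE TABLE honeypot_user (uid INTEGER NOT NULL, timestamp INTEGER NOT NULL)');
  $insert = $db->prepare('INSERT INTO honeypot_user (uid, timestamp) VALUES (:uid, :ts)');
  // Constructed rows: uid 7 has three stale entries that cron has not yet
  // cleared and one entry from a minute ago; uid 8 has one recent entry.
  $rows = [[7, $now - 86400], [7, $now - 7200], [7, $now - 900], [7, $now - 60], [8, $now - 30]];
  foreach ($rows as [$uid, $ts]) {
    $insert->execute([':uid' => $uid, ':ts' => $ts]);
  }
  return $db;
}

// Count as quoted in the issue: every row for the user, regardless of age.
function count_all(PDO $db, int $uid): int {
  $q = $db->prepare('SELECT COUNT(*) FROM honeypot_user WHERE uid = :uid');
  $q->execute([':uid' => $uid]);
  return (int) $q->fetchColumn();
}

// Expiry-aware count, using the same cutoff as the anonymous flood query.
function count_unexpired(PDO $db, int $uid, int $now, int $expire = HONEYPOT_EXPIRE): int {
  $q = $db->prepare('SELECT COUNT(*) FROM honeypot_user WHERE uid = :uid AND timestamp > :time');
  $q->execute([':uid' => $uid, ':time' => $now - $expire]);
  return (int) $q->fetchColumn();
}

$now = time();
$db = make_db($now);
printf("uid 7, all rows: %d\n", count_all($db, 7));
printf("uid 7, rows newer than honeypot_expire: %d\n", count_unexpired($db, 7, $now));
```

Because the time penalty grows with the returned count, the stale rows only stop affecting the user in the first query once cron deletes them, while the second query ignores them as soon as they age past the expiry window.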
Comments
Comment #1
geerlingguy commented (as a volunteer):
Yes; this was an oversight on my part, and is more of a bug than a feature request. I'll try to write a patch for this soon, but might take me a little while since I'm in my post-DrupalCon/need-to-focus-on-other-stuff slump right now :)
It'd also be nice to add a test which tests the expire time by setting a sleep() and then running cron, or at least emulating a cron run, both for authenticated and anonymous users, so we can make sure we verify and never break the expiration behavior.
Comment #2
markdatter commented
Comment #3
geerlingguy commented (as a volunteer)
Comment #4
geerlingguy commented (as a volunteer):
Completely untested, but this seems like what's needed here.
Comment #5
geerlingguy commented (as a volunteer):
Adding appropriate tags... someday I won't have to maintain three separate versions of this module :P
Comment #6
JuliaKoelsch commented (at Spry Digital, LLC):
I tested the patch, and the behavior is consistent for both anonymous and authenticated users. Thanks!
Comment #7
geerlingguy commented (as a volunteer):
Thanks so much! I'll commit to Drupal 7 then reassign to D8 after that's done.
Comment #8
geerlingguy commented (as a volunteer):
Fixed in 7.x-1.x. Moving to 8.x-1.x next.
Comment #10
geerlingguy commented (as a volunteer):
Patch for Drupal 8 attached.
Comment #12
geerlingguy commented (as a volunteer):
Next up is 6.x-1.x.
Comment #14
geerlingguy commented (as a volunteer):
All done! Completed as part of #DCSTL (DrupalCamp St. Louis 2015).