Problem/Motivation
Drupal allows forms to be submitted programmatically through \Drupal\Core\Form\FormBuilderInterface::submitForm. Currently, honeypot fields and validation apply to forms that are submitted in that way. Since these form submissions are triggered from within the site itself, they should be implicitly trusted, and there is no need to apply honeypot's logic.
The first patch attached shows how Honeypot is currently applied to those types of form submissions. The second patch contains tests + fix.
Proposed resolution
Allow programmatically submitted forms to pass without Honeypot protection.
Remaining tasks
Review.
User interface changes
None.
API changes
None.
Data model changes
None.
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | honeypot_should_not_be-2677126-14.patch | 3.43 KB | mr.baileys |
| #10 | interdiff.txt | 475 bytes | mr.baileys |
| #10 | honeypot_should_not_be-2677126-10.patch | 4.38 KB | mr.baileys |
| #7 | honeypot_should_not_be-2677126-7.patch | 4.35 KB | mr.baileys |
| #7 | interdiff.txt | 1.06 KB | mr.baileys |
Comments
Comment #3
geerlingguy: Just out of curiosity... is there any equivalent to `$form_state->isProgrammed()` in Drupal 7? I haven't seen one, and this looks like a handy feature in D8. Will review patch in depth later, when I get some time to also finish up the installation bug #2676888: Installing Honeypot via UI results in unexpected error due to unavailable honeypot.config route.
Comment #4
mr.baileys: In Drupal 7 the equivalent is `drupal_form_submit()`; prior to D7 it was called `drupal_execute()`. Probably makes sense to consider backporting to D7 if this lands.
Comment #5
geerlingguy: But how can you detect if those functions were used? Maybe resort to PHP's backtrace functionality, or is there an API method/form array key?
Comment #6
mr.baileys: Ah, sorry, I misread your question. In D7, I think the $form_state has a 'programmed' property set to true for programmatic submissions:
From `drupal_build_form`:
Comment #7
mr.baileys: On second thought, we only need to bypass the time protection on the submitted form, not the hidden field protection. Amended patch attached.
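The following is an added illustration of the mechanism discussed in the issue summary and in comment #7 above; it is example code, not Honeypot's own implementation or its patch. It shows a hypothetical module (`mymodule`, an assumed name) adding a time-based check to every form and skipping only that check when `$form_state->isProgrammed()` reports a submission made through `FormBuilderInterface::submitForm()`. The element name `mymodule_time` and the five-second threshold are assumptions for the example. The Drupal 7 counterpart relies on the `$form_state['programmed']` flag that `drupal_form_submit()` sets.

```php
<?php
// Added example, not Honeypot's code. Module name "mymodule", element name
// "mymodule_time" and the 5-second threshold are assumptions.

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_alter() (Drupal 8).
 *
 * Stamps the form with the time it was built so the validator can measure
 * how long a human took to fill it in.
 */
function mymodule_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  $form['mymodule_time'] = [
    '#type' => 'hidden',
    // Client-supplied on submit, so a real deployment should sign this value
    // (e.g. with an HMAC) rather than trust it verbatim.
    '#default_value' => \Drupal::time()->getRequestTime(),
  ];
  $form['#validate'][] = 'mymodule_time_validate';
}

/**
 * Validation handler: reject submissions that arrive too soon after the form
 * was built, unless the submission came from code rather than a browser.
 */
function mymodule_time_validate(array &$form, FormStateInterface $form_state) {
  // FormBuilderInterface::submitForm() marks the form state as programmed;
  // isProgrammed() exposes that flag. There is no human fill time to measure
  // for such a submission, so the timing check is skipped. Other checks added
  // by the module (e.g. a hidden field that must stay empty) still run.
  if ($form_state->isProgrammed()) {
    return;
  }

  $min_seconds = 5;
  $built = (int) $form_state->getValue('mymodule_time');
  if (\Drupal::time()->getRequestTime() - $built < $min_seconds) {
    $form_state->setErrorByName('', t('The form was submitted too quickly.'));
  }
}

// Triggering a programmatic submission in Drupal 8, which is what makes
// isProgrammed() return TRUE in the handler above:
//
//   $form_state = new \Drupal\Core\Form\FormState();
//   $form_state->setValues(['title' => 'Example']);
//   \Drupal::formBuilder()->submitForm('Drupal\node\NodeForm', $form_state);

/**
 * Drupal 7 counterpart of the same bypass.
 *
 * drupal_form_submit() sets $form_state['programmed'] = TRUE before calling
 * the validation handlers, so the check is a simple array lookup.
 */
function mymodule_time_validate_d7(array $form, array &$form_state) {
  if (!empty($form_state['programmed'])) {
    return;
  }
  $min_seconds = 5;
  $built = (int) $form_state['values']['mymodule_time'];
  if (REQUEST_TIME - $built < $min_seconds) {
    form_set_error('', t('The form was submitted too quickly.'));
  }
}
```

The point of keeping the bypass narrow, as comment #7 argues, is that a programmatic submission has no fill time to measure, but it can still carry arbitrary values, so any check that inspects the submitted data (such as a hidden field that must remain empty) loses nothing by continuing to run.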
Comment #8
geerlingguy: Looks good to me, and it looks like we can probably get things working well for D7 too, then!
Comment #9
geerlingguy: Let's make it more explicit this is not a module to be enabled under normal circumstances, e.g. "Honeypot test module used for internal testing purposes. This module shouldn't normally be enabled."
Comment #10
mr.baileys: I tweaked the description a bit to be more like the descriptions on Core's own test modules ("Support module for..."), and moved the module to package "Testing", which is where all the other test modules reside.
Note though that you cannot enable or see this module (not even through drush), unless you explicitly make all test modules visible through `$settings['extension_discovery_scan_tests'] = TRUE;`, which normally is the case in development environments only, and only for people who know what they are doing.
Comment #11
geerlingguy: Back to RTBC, will merge soon.
Comment #13
geerlingguy: Ready for 7.x-1.x now. Hopefully things are as straightforward there. Seems like it would be about the same, architecturally.
Comment #14
mr.baileys: Thanks!
D7 backport attached.