I'm not sure if this is related to the captcha module, or the textimage module (drupal 5.x). However, I have both installed, and use image verification when logging in.

If the site is offline for maintenance, I should still be able to log in as admin. However, in this instance, the captcha image is "not available" on the login page. If the site is online, the image appears.

Previously, the only time I happened to see this "not available" message was when I first installed the modules and hadn't yet set up the permissions properly for anonymous user within the captcha setup.

Anyway, I was using two different browsers, and was still logged in within one of them, so I could put the site back online.

Not sure if this is a bug, or just something I've done wrong, but I thought I should post it anyway.

Comments

robloach’s picture

Version: 5.x-1.1 » 5.x-3.x-dev
Status: Active » Postponed (maintainer needs more info)

This could potentially be a huge problem. Does it still occur? Apply the other user login/user login block patch before testing...

soxofaan’s picture

This is indeed a very tricky problem.

The image CAPTCHA involves 2 HTTP requests:

  • the HTML page itself (e.g. ?q=user) with the CAPTCHA widgets
  • a separate request for the image itself (e.g. ?q=image_captcha/1273811559)

In offline mode only the "?q=user" request is permitted for unauthenticated users.
So it's impossible to generate any image within the same Drupal setup.

The problem is unrelated to the login patches Rob refers to.

The only solution I see is disabling the image CAPTCHA for login forms when in offline mode (and maybe falling back on Math or something)

robloach’s picture

I'd suggest doing one of two things:

  1. Disable Captcha when in offline mode
  2. Allow the user to select which Captcha is presented when the system is in offline mode, warning them that it's a bad idea to select one at all

Personally, I'd just disable it when the site is in offline mode. Much easier and would prevent people from locking themselves out of their own site.

soxofaan’s picture

I see three options to fix this:

  1. Disable CAPTCHA when in offline mode. This makes dictionary attacks to log in possible.
  2. Fall back to Math CAPTCHA. This is an easy compromise (e.g. could be done with 5 lines of code or something, no admin configuration needed, no dependency checking needed), but the Math CAPTCHA is relatively easy to game by spammers
  3. Let the administrator decide which type to fall back to. Adds more code and administration tasks for something that won't be used much.

I'm not sure yet what would be the best.
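To make the two-request argument above and the fallback options concrete, here is a small constructed model (not code from the captcha or image_captcha module) of offline-mode request gating as soxofaan describes it, with the Math fallback for anonymous users. Path names, uid 1 as the only privileged offline user and the session id are assumptions taken from the thread.

```python
"""Model of why the Drupal 5 image CAPTCHA breaks in offline mode.

Constructed simulation, not the module's own code. While the site is offline,
anonymous visitors are only served the ?q=user login path, so the second
request the image CAPTCHA needs (?q=image_captcha/<sid>) is refused and the
widget shows "not available". The fallback swaps in a CAPTCHA type that needs
no extra request, for anonymous users only, so user/1 still sees the image.
"""
from __future__ import annotations
from dataclasses import dataclass

ADMIN_UID = 1   # user/1 may use the whole site while offline (assumption from thread)
ANON_UID = 0    # unauthenticated visitor


@dataclass
class Request:
    path: str   # the ?q= value, e.g. "user" or "image_captcha/1273811559"
    uid: int


def offline_request_permitted(req: Request, site_offline: bool) -> bool:
    """Offline mode: only ?q=user (and its sub-paths) for anonymous; user/1 sees all."""
    if not site_offline or req.uid == ADMIN_UID:
        return True
    return req.path == "user" or req.path.startswith("user/")


def captcha_requests(captcha_type: str, session_id: int) -> list[str]:
    """Paths a login page with the given CAPTCHA type makes the browser fetch."""
    paths = ["user"]                                  # the HTML page itself
    if captcha_type == "Image":
        paths.append(f"image_captcha/{session_id}")   # second request for the PNG
    return paths


def captcha_renders(captcha_type: str, session_id: int, uid: int, site_offline: bool) -> bool:
    """True only if every request the widget depends on is allowed through."""
    return all(offline_request_permitted(Request(p, uid), site_offline)
               for p in captcha_requests(captcha_type, session_id))


def effective_captcha_type(requested: str, uid: int, site_offline: bool) -> str:
    """Fallback as discussed: Math CAPTCHA for anonymous users while offline."""
    if requested == "Image" and site_offline and uid != ADMIN_UID:
        return "Math"
    return requested


if __name__ == "__main__":
    sid = 1273811559   # constructed session id from the thread's example URL
    for uid in (ANON_UID, ADMIN_UID):
        chosen = effective_captcha_type("Image", uid, site_offline=True)
        print(f"uid={uid}: Image renders offline? {captcha_renders('Image', sid, uid, True)}"
              f", fallback picks {chosen}, renders? {captcha_renders(chosen, sid, uid, True)}")
```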

robloach’s picture

Priority: Normal » Critical
Status: Postponed (maintainer needs more info) » Active

I think falling back to Math Captcha is the easiest solution when you're using Image Captcha and the site is offline. Not many people will be attempting to log in when a site is offline, since only user/1 has the privileges to log in. If the site is using Image Captcha and it's offline, I think falling back to Math Captcha would provide enough security to stop the majority of attacks. It's also not often that a site goes completely offline. This simple workaround should be enough, at least for now.

robloach’s picture

Status: Active » Needs review
Attachment: new, 864 bytes

This patch will make it so that when the site is offline, it falls back to the Math Captcha.

soxofaan’s picture

Attachment: new, 1.18 KB

Looks fine.
I would add some documentation, though,
and I would only fall back to Math CAPTCHA for unauthenticated users; that way the super user (user 1) can still see the preview/examples of the image CAPTCHA.
See attached patch.

soxofaan’s picture

Attachment: new, 1.18 KB

New version which removes the $args variable in the patch (where did that come from in the first place, Rob?).

robloach’s picture

Title: image not available when site is offline for maintenance » Image not available when site is offline for maintenance
Status: Needs review » Reviewed & tested by the community

Thought I should put $args in there to pass whatever is left in the _captcha function's arguments onto Math Captcha. Since Math Captcha doesn't take any more arguments, I guess it isn't needed.

robloach’s picture

Status: Reviewed & tested by the community » Needs work

This conflicts with the recently committed patches. Needs re-issue.

soxofaan’s picture

Status: Needs work » Reviewed & tested by the community
Attachment: new, 1.22 KB

Conflict is because http://drupal.org/cvs?commit=81498 (about the cleaner persistence widget) included the offline-mode patch from #6. I guess this was not intentional.

Updated patch from #8 in attachment.

robloach’s picture

Status: Reviewed & tested by the community » Fixed

Yay!... But, should it be:

if ($captcha_type == 'Image') {
  // In offline mode, the image CAPTCHA does not work because the request
  // for the image itself won't succeed (only ?q=user is permitted for
  // unauthenticated users). We fall back to the Math Captcha in that case.
  global $user;
  if (variable_get('site_offline', FALSE) && $user->uid != 1) {
    return captcha_captcha('generate', 'Math');
  }
}

... $user->uid != 1 instead? I guess it wouldn't really make a difference.

soxofaan’s picture

$user->uid != 1 instead? I guess it wouldn't really make a difference.

Makes sense, but no difference ;)
No problem for me to change it.

IKN’s picture

Sorry, but

1. I don't see which patch is approved yet, nor
2. how to add it.
3. Is there a new version of the module that integrates this fix?

I haven't added a patch yet and don't want to screw up a production site. Any answers to 1, 2 and 3 would be much appreciated.

Thank you.

David

robloach’s picture

It is already a part of 5.x-3.x-dev.

Anonymous’s picture

Status: Fixed » Closed (fixed)