Based on the results from the poll "Should captcha support challenges for multiple roles or just for anonymous users", implement a "skip captcha" access permission (admin/user/access) so that the captcha form is presented not only to anonymous users but to untrusted authenticated users as well.

It should be "skip captcha" instead of "captcha required" because the administrator role (user/1) has all access permissions checked. So, by default, only the administrator will be able to "skip captcha" when submitting forms.

Comments

Comment by wundo

Assigned: Unassigned » wundo
Comment by soxofaan

Attachment (status: new, size: 9.41 KB)

Patch for adding the 'skip captcha' permission and the related changes in code/documentation/UI strings.
This patch is against revision 75 of my rewrite (http://drupal.org/node/153395#comment-272465)

Comment by robloach

I did some brainstorming and thought of an elegant way to change the visibility of captcha, on a per role basis, for each form that captcha is set to be visible on. While this would still be in the user access section (admin/user/access), it would allow you to choose which forms the role can skip the captcha authentication. This would make it so that a moderator account could then have a captcha form presented when they create a new node, but not have captcha presented when they make a new comment. You couldn't do this with the simple "skip captcha" solution.

How It Works
Instead of just having "skip captcha", have "skip [form] captcha", where [form] represents every form that captcha is supposed to be visible on. So, for example, if you visit admin/user/access, in the captcha section, it could present you with "skip user_pass captcha", "skip user_register captcha" and "comment_form". You'd select which roles could skip the captcha in those specific forms and then you'd have role-based captcha settings, instead of just the ability to have the role skip the captcha altogether. This brings the "skip captcha" ideology one step further.

Comment by wundo

@soxofaan,
could you please patch it against DRUPAL-5--3?

cheers,
fabiano

Comment by wundo

Assigned: wundo » Unassigned

@soxofaan,
And please note that sometimes someone has assigned the task to themselves; then it would be polite to contact that person before working on it :P

@Rob Loach,
Great idea, but I think it could pollute the User Access page. Maybe there could be a captcha option where you could enable/disable it, and by default it would come disabled.

Comment by robloach

That's a very neat idea. We could provide the "skip captcha" permission by default, and then the separate forms solution if they have a special option set in the captcha settings page. "Separate Captcha access permissions", maybe?

Comment by soxofaan

@soxofaan,
And please note that sometimes someone has assigned the task to themselves; then it would be polite to contact that person before working on it :P

Yes, I understand completely, but I implemented that before I saw this feature issue. I hope I didn't waste a lot of your time. Sorry.

Comment by soxofaan

This would make it so that a moderator account could then have a captcha form presented when they create a new node, but not have captcha presented when they make a new comment. You couldn't do this with the simple "skip captcha" solution.

I can't imagine why you would want this or in which real life scenario this would happen. Captcha is for keeping spam bots out, not for annoying humans. So why would you prevent a spam bot posting a node, but let it post comments freely? For a spammer it doesn't matter if they put their garbage in a node body or in a comment, as long as they get it on your site.

In short: you trust a user not to be a spammer or you don't.
Being a spammer or not is a property of the *user*, the content type/form they are offered does not matter.

So I still think one permission 'skip captcha' should cut it and diversification based on form_id is unneeded overkill/overhead.

cheers

Comment by robloach

I can't imagine why you would want this or in which real life scenario this would happen.

Here's a real life scenario for you: You're working on a large website which you yourself can't moderate. You have thousands of users and hundreds of replies going on at once. You have Captcha enabled so that you don't get spam bot postings. But even still, you have to moderate it so that you don't get human spammers. In order to do this, you create a "moderator" role and assign some users the role.

Since you somewhat trust these "moderators", you allow them to skip the captcha in some forms. You could have them skip captcha for the comment form, but require them to input the captcha when they create a page node. All in all, this just adds more functionality to the captcha system. And if we provide the functionality only when the specific permissions setting is switched on in the settings form, like wundo suggested, it wouldn't bloat or confuse the system.

As for its implementation, I think starting with the "skip captcha" functionality is a good start. We can look at different permissions for each form later on if it's a requested feature.

Comment by soxofaan

Since you somewhat trust these "moderators", you allow them to skip the captcha in some forms. You could have them skip captcha for the comment form, but require them to input the captcha for when they create a page node.

This seems to imply that you (want to) use captcha to annoy humans.

Moreover, how would that setup prevent your site from getting spammed? If you have a 'moderator' X that is a spammer, he can't easily submit spam page nodes, but there is no barrier to submitting spam comments. So you still get spam. The only difference is that page nodes are typically more visible to normal users (e.g. front page) than comments. But spam is meant for search bots, which will crawl your complete site including the spam comments. The end result is that the spammer achieved his goal, which probably will attract more spammers.

I think that captcha is just *a* tool for fighting spam, not *the* tool. It is one of Drupal's philosophies to not duplicate efforts and thus keep modules small but functional and as orthogonal as possible. So I think that the captcha module should just be about determining if a user is 'human' or not based on a challenge. What you seem to need is a (separate) module that tracks users' behaviour and could for example block them if they expose spam behaviour. I guess such modules already exist.

so i'm still not convinced ;)

But I have a proposition: what if we would make an 'API' for determining if a captcha should be added to a form (based on form_id, userid)? Then you could make a separate module that implements the "Separate Captcha access permissions" stuff or even the original role based stuff on top of the base captcha module, while keeping the base captcha module 'light'.
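
The following sketch is an added illustration for this thread, not the CAPTCHA module's own code: it shows how the single "skip captcha challenges" permission and Rob Loach's optional per-form "skip [form] captcha" permissions could sit behind one decision function, which is the kind of 'API' entry point proposed above. The function names captcha_user_can_skip() and captcha_skippable_form_ids(), the variable name 'captcha_per_form_permissions' and the hard-coded form list are assumptions made for the example; user_access(), variable_get(), hook_perm() and the Drupal 5 hook_form_alter() signature are the real Drupal 5 APIs.

```php
<?php
// Added example, not the CAPTCHA module's own code. Assumed names:
// captcha_user_can_skip(), captcha_skippable_form_ids(),
// variable 'captcha_per_form_permissions'.

/**
 * Implementation of hook_perm() (Drupal 5 style: returns permission strings).
 */
function captcha_perm() {
  // The global permission: roles that hold it never see a challenge.
  $perms = array('skip captcha challenges');
  // Only add per-form permissions to admin/user/access when the site
  // administrator has explicitly turned that option on (wundo's suggestion).
  if (variable_get('captcha_per_form_permissions', FALSE)) {
    foreach (captcha_skippable_form_ids() as $form_id) {
      $perms[] = "skip $form_id captcha";
    }
  }
  return $perms;
}

/**
 * Form IDs that CAPTCHA protects. Hard-coded here for the example only.
 */
function captcha_skippable_form_ids() {
  return array('user_register', 'user_pass', 'comment_form');
}

/**
 * Single decision point: may $account skip the challenge on $form_id?
 * Other modules can call this instead of re-implementing the rule, and the
 * base module stays light: it only answers "human or not", nothing more.
 */
function captcha_user_can_skip($form_id, $account = NULL) {
  // The global permission wins. user/1 holds every permission, so the
  // administrator always passes; anonymous users pass only if the anonymous
  // role has been granted the permission explicitly.
  if (user_access('skip captcha challenges', $account)) {
    return TRUE;
  }
  if (variable_get('captcha_per_form_permissions', FALSE)) {
    return user_access("skip $form_id captcha", $account);
  }
  return FALSE;
}

/**
 * Implementation of hook_form_alter() (Drupal 5 signature).
 */
function captcha_form_alter($form_id, &$form) {
  if (!in_array($form_id, captcha_skippable_form_ids())) {
    return;
  }
  if (captcha_user_can_skip($form_id)) {
    return;
  }
  // Guard the session lookup with isset(): a visitor who has never solved a
  // challenge has no $_SESSION['captcha'][$form_id] entry yet, and reading it
  // unguarded raises a PHP notice.
  $already_solved = isset($_SESSION['captcha'][$form_id]['success'])
    && $_SESSION['captcha'][$form_id]['success'] === TRUE;
  if (!variable_get('captcha_persistence', TRUE) && $already_solved) {
    return;
  }
  // Attach the challenge. The real module builds its widget here; a markup
  // placeholder stands in for it in this example.
  $form['captcha'] = array(
    '#type' => 'markup',
    '#value' => t('CAPTCHA challenge goes here'),
    '#weight' => 99,
  );
}
```

Keeping the decision in one function means the "who is trusted" policy can be swapped (global permission, per-form permission, or a separate behaviour-tracking module) without touching the code that attaches the widget.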

Comment by robloach

Version: 6.x-2.x-dev » 5.x-3.x-dev
Assigned: Unassigned » robloach
Status: Active » Fixed

There was a major issue with the permissions and I just committed a patch to make it work with the "skip captcha challenge" permission in admin/user/access:

 function captcha_form_alter($form_id, &$form) {
   global $user;
 
-  if ($user->uid == 0) {
-    // Visitor is anonymous user: add a captcha to the form if needed
+  if (!user_access('skip captcha challenges')) {
+    // Visitor does not have permission to skip the captcha challenge
 
     // Do not present captcha if not captcha-persistent and user has already solved a captcha for this form
     if(!variable_get('captcha_persistence', TRUE) && ($_SESSION['captcha'][$form_id]['success'] === TRUE)) {
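Review bot: the session read in the unchanged context line `($_SESSION['captcha'][$form_id]['success'] === TRUE)` is not guarded, so every visitor who has not yet solved a challenge for this form gets a PHP undefined-index notice on each protected form; change it to `isset($_SESSION['captcha'][$form_id]['success']) && $_SESSION['captcha'][$form_id]['success'] === TRUE`. Also, the string checked here is 'skip captcha challenges' while the comment text calls the permission "skip captcha challenge"; user_access() matches the string exactly, so hook_perm() and the UI text must use the same spelling as this call. Finally, since the `$user->uid == 0` branch is gone, anonymous users are now challenged only because the anonymous role lacks the permission and user/1 always passes, so any remaining "anonymous visitors" wording or uid checks elsewhere in the module need the same update.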

The captcha form now isn't presented if they have permission to skip the captcha challenges.

I'm setting this to fixed. If it's requested, we'll start a new issue on splitting the forms into different permissions via "Separate Captcha form access permissions".

Comment by soxofaan

Status: Fixed » Needs review
Attachment (status: new, size: 6.13 KB)

This additional patch also updates documentation and UI strings caused by the change from 'captcha for anonymous visitors only' to the 'skip captcha permission' stuff.
e.g. "anonymous visitor" is replaced with "untrusted user".

Comment by robloach

Status: Needs review » Reviewed & tested by the community

Looks good to me.

Comment by robloach

Status: Reviewed & tested by the community » Fixed

Commit 73909 applies this patch.

Comment by Anonymous

Status: Fixed » Closed (fixed)