Attached patch introduces a separate setting to also allow enabling captcha challenges on administrative forms. That might sound awkward in the first place, but it's badly needed for public demonstration sites.

The Drupal Administration Menu showcase site is a popular example of a public demonstration that allows untrusted users to access certain areas of Drupal's administration pages. As you can see there, the patch is already implemented and doing a good job.

Comments

soxofaan’s picture

Status: Needs review » Needs work

I'm not really convinced that it would be a good idea to add this to the "official" version.

If you let untrusted users poke around in administrative pages, I don't know what CAPTCHA could protect, as it will only keep bots out, while evil humans are not stopped. It could only prevent automated nuking of the demo site.

There are some usability issues with the current CAPTCHA admin, generally people not getting the concept of the CAPTCHA administrative links. Adding this patch would only make the admin interface harder and more bloated. So I think the patch would make it worse for more people than it would be good for (only the exotic use case of demo sites).

Moreover I think the elseif condition in the patch is wrong and should be something like

  elseif (user_access('administer CAPTCHA settings') && (variable_get('captcha_administration_admin_mode', FALSE) || variable_get('captcha_administration_mode', FALSE) && arg(0) != 'admin')) {

sun’s picture

Status: Needs work » Active

Understood. How about a direct integration of both modules? Would you be open to implementing a module_invoke(), so Demo is able to alter Captcha's settings form and add this optional setting?

soxofaan’s picture

Assigned: sun » soxofaan

There is actually already sort of a workaround.
It's only the CAPTCHA administration links that do not show up on the admin pages. If a challenge is however set on an admin page, it will show up for untrusted users. The only tricky thing is how to enable a challenge on an admin page if there are no administration links. It's possible, but not obvious. You need at least the form_id of the form you want to add a CAPTCHA to. Then you have two options (for version 5.x-3.x):

  • Add it to the database in the captcha_points table (this could be done programmatically in the Demo module). For example, in captcha.install:
      $form_ids = array('comment_form', 'contact_mail_user', 'contact_mail_page', 'user_register', 'user_pass', 'user_login', 'user_login_block');
      foreach ($form_ids as $form_id) {
        db_query("INSERT INTO {captcha_points} (form_id, module, type) VALUES ('%s', NULL, NULL)", $form_id);
      }
    
  • Visit ?q=admin/user/captcha/$form_id/enable on your site with $form_id replaced with the actual form_id and the form_id will also be added to the captcha_points table.

In the 6.x-1.x and HEAD versions there is also an extra form for adding arbitrary form_ids (see http://drupal.org/node/214557).

Hope this gives some inspiration on how to solve this.

sun’s picture

Attachment (status: new, size: 1.15 KB)

Sorry, but that does not help users of Demo who want to guard their site. While Demo could support a single option to "Enable CAPTCHA administration links on administrative forms" (instead of CAPTCHA), it certainly won't support a form selection/storage mechanism. Implementing support for Form controller in CAPTCHA would be an option, but that's a completely different topic.

Currently, I can only imagine adding variable_get('captcha_administration_admin_mode', FALSE) to the condition you already mentioned in #1 (like in the patch) as a hidden setting, without providing a configurable option in CAPTCHA's settings.

soxofaan’s picture

Attachment (status: new, size: 1.06 KB)

Another solution I can think of is that the demo module adds the CAPTCHA administration links to the admin forms.
To make this easier, I could refactor the CAPTCHA administration link adding code into a function so you only need to call one function.

I still think you forgot a check for arg(0) != 'admin' in the patch from #4; see attached patch.

soxofaan’s picture

FYI:
The patches at http://drupal.org/node/214557#comment-777749 make it possible to add arbitrary form_ids with a simple form (http://drupal.org/files/issues/captcha_point_add_snapshot6.png).

Would this be of any help, or is obtaining a form_id from a form too difficult for your intended users?