I have modified the anti-flooding protection.
Now it is calculated for each user separately or, if anonymous, based on the sid.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | cumulative_patch_fooding.txt | 3.2 KB | joglin |
| #1 | feedback-flood.patch.txt | 1.66 KB | kbahey |
| | patch_137 | 1.94 KB | joglin |
Comments
Comment #1
kbahey commented
Good idea.
I attached a modified patch that centralizes the creation of the flood id, so the code is cleaner.
However, I have one concern about using the session ID. Most crawlers do not accept cookies, and hence there will be no session ID.
Spam crawlers can simply keep sending as they get a new session every GET, and just ignore the cookie.
What will happen in this case? What is a good solution to prevent this?
Comment #2
joglin commented
You can deny the use of the service if cookies are disabled. Drupal sets $user->sid if it finds a valid session in the db - see sess_read() and sess_write(). The first access to the site creates a session and a cookie is sent to the browser. Sending feedback needs 2 accesses: step 1 rendering the form; step 2 submitting the form.
You can check $user->sid during form validation.
Last problem:
If the anonymous user purges cookies, the flooding check does not work.
I do not have a solution.
But the webmaster can authorize feedback only for authenticated users.
Other fix:
Check if the email was sent successfully.
I attach a cumulative patch.
Sorry for my English
Comment #3
kbahey commented
Right now, if a user (or crawler) does not accept cookies, they cannot flood the module.
If I commit this patch, they will be able to flood the module.
Therefore, I will not commit it until you or someone else comes up with a better solution (e.g. implement flooding per uid/session, in addition to a limit on anonymous users per hour, like we have now).
Comment #4
joglin commented
Ok, no sid check. Only recognize multiple authenticated users from the same host (e.g. private LAN).
For anonymous users, or if a user does not accept cookies, $user->uid is always 0.
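The keying discussed in comments #3 and #4, as an added example that is not code from the Feedback module or the attached patches: authenticated users are counted per uid and host, anonymous users per host, and the same traffic is counted per session id for comparison. The function names, the in-memory arrays standing in for a flood table, the threshold of 2 and the sample requests are all assumptions made for illustration.

```php
<?php
// Hypothetical helper: choose the identifier the flood counter is keyed on.
// Authenticated users are counted per uid and host; anonymous users (uid 0)
// are counted per host only. The session id is never part of the key.
function feedback_flood_id($uid, $host) {
  return $uid > 0 ? "uid:$uid@$host" : "anon@$host";
}

// Hypothetical helper: allow and record one submission for $id unless
// $threshold submissions were already recorded in the last $window seconds.
function feedback_flood_allow(array &$events, $id, $threshold, $now, $window = 3600) {
  $seen = isset($events[$id]) ? $events[$id] : array();
  $recent = array();
  foreach ($seen as $ts) {
    if ($ts > $now - $window) {
      $recent[] = $ts;  // keep only events inside the window
    }
  }
  $allowed = count($recent) < $threshold;
  if ($allowed) {
    $recent[] = $now;
  }
  $events[$id] = $recent;
  return $allowed;
}

// Constructed sample traffic: array(uid, host, session id). The anonymous
// requests come from one host that drops cookies, so each carries a new sid.
$requests = array(
  array(0, '192.0.2.10', 'sid-a'),
  array(0, '192.0.2.10', 'sid-b'),
  array(0, '192.0.2.10', 'sid-c'),
  array(7, '192.0.2.10', 'sid-d'),
  array(8, '192.0.2.10', 'sid-e'),
);

$by_uid_host = array();  // counters keyed as in feedback_flood_id()
$by_sid = array();       // counters keyed on the session id, for comparison
$now = 1000000;          // constructed timestamp shared by all requests

foreach ($requests as $r) {
  list($uid, $host, $sid) = $r;
  $a = feedback_flood_allow($by_uid_host, feedback_flood_id($uid, $host), 2, $now);
  $b = feedback_flood_allow($by_sid, "sid:$sid", 2, $now);
  printf("uid=%d sid=%s uid/host key: %s, sid key: %s\n", $uid, $sid,
    $a ? 'allowed' : 'blocked', $b ? 'allowed' : 'blocked');
}
```

With the uid/host key the third anonymous submission is refused while both authenticated users on the same host are still served; with the session id as key every submission is accepted, which is the concern raised in comment #3.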
Comment #5
sun commented
Development on Feedback module v1.x has ended. Beginning from 2.x, the Feedback module has been replaced with a completely different module with a different purpose. Please note that Feedback 2.x is not compatible with 1.x. See #279636: Turn Feedback into user feedback module for further information.
There will be a final 5.x-1.1 release with all existing and tested patches in the issue queue applied. If you need the functionality of the Feedback 1.x module, the Contact module in Drupal core as well as the contributed Webform module are recommended replacements. However, there is no migration path to those modules.
Marking as won't fix.