Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
I was noticing in my Recent log entries a large number of "access denied" entries. In order to see what a user might see, I logged out and pasted one of the access denied URL's into my browser. What I got was the normal access denied page except that Captcha was not present on the page. On all navigation generated pages I have the Captcha text challenge, but not on these forced error pages, just the user login block. The thing is, you get logged in without a challenge.
Here is the format, you can supply any numbers you want:
/admin/reports/access/33230
/admin/reports/event/6894
Comment | File | Size | Author |
---|---|---|---|
#11 | 893810-captcha-on-admin-pages-d7-01.patch | 2.78 KB | soxofaan |
#8 | 893810-captcha-on-access-denied-admin-pages_02.patch | 2.71 KB | soxofaan |
#7 | 893810-captcha-on-access-denied-admin-pages_01.patch | 2.74 KB | soxofaan |
Comments
Comment #1
soxofaan CreditAttribution: soxofaan commentedOne typical reason for this is that these pages were cached before the CAPTCHA was added to it.
Try clearing your cache: e.g. with the devel module, or with drush, or if you don't use any of these tools, temporarily disabling the page cache (admin > perfomance) will help too.
Comment #2
4.John.v CreditAttribution: 4.John.v commentedTurned out I needed to Allow CAPTCHAs and CAPTCHA administration links on administrative pages. I never thought that anyone would have access to admin pages other than myself, and that only after I had logged in, but they have access to the user-login-form on admin pages even if it is only Access Denied pages.
Comment #3
soxofaan CreditAttribution: soxofaan commentedGood point.
To reproduce:
example.com/admin/foo/bar
: result no CAPTCHAWorkarounds:
example.com/admin/build/block/configure/user/0
and set "show block except on":admin/*
Would be nice if we can fix this for the 6.x-2.3 release of CAPTCHA. Not sure what the best solution is at the moment. Some options I can think of right know:
Comment #4
soxofaan CreditAttribution: soxofaan commentedFYI, the current flow for adding a CAPTCHA or CAPTCHA administration links is as follows:
A solution can be changing the flow to:
This implements the idea from #3:
Comment #5
soxofaan CreditAttribution: soxofaan commentedComment #6
soxofaan CreditAttribution: soxofaan commentedfixed for 6.x-2.x: http://drupal.org/cvs?commit=503500
Comment #7
soxofaan CreditAttribution: soxofaan commentedFYI: committed patch
Comment #8
soxofaan CreditAttribution: soxofaan commentedoops made patch in wrong direction :)
Comment #9
soxofaan CreditAttribution: soxofaan commentedtagged as "D7 stable release blocker" per #1269702: Blockers to a 7.x-1.0 release?
Comment #10
davycw CreditAttribution: davycw commentedI just downloaded the latest DEV version of Captcha and ran into this problem as well. I configured captcha so that when an user submits a certain type of node that they'll be presented with a captcha challenge. I enabled "Allow CAPTCHAs and CAPTCHA administration links on administrative pages" option. The problem is that I have a search block enabled and the Captcha admin links are appearing inside of the block.
Comment #11
soxofaan CreditAttribution: soxofaan commentedreroll
Comment #12
Daluxz CreditAttribution: Daluxz commentedthe patch from #11 works for me.
Thanks!
Comment #13
soxofaan CreditAttribution: soxofaan commentedcommitted for D7 as well: http://drupalcode.org/project/captcha.git/commit/6c57ed1