I was noticing in my Recent log entries a large number of "access denied" entries. In order to see what a user might see, I logged out and pasted one of the access denied URLs into my browser. What I got was the normal access denied page except that Captcha was not present on the page. On all navigation generated pages I have the Captcha text challenge, but not on these forced error pages, just the user login block. The thing is, you get logged in without a challenge.

Here is the format, you can supply any numbers you want:
/admin/reports/access/33230
/admin/reports/event/6894


Comments

soxofaan’s picture

Category: bug » support

One typical reason for this is that these pages were cached before the CAPTCHA was added to it.
Try clearing your cache: e.g. with the devel module, or with drush, or if you don't use any of these tools, temporarily disabling the page cache (admin > performance) will help too.

4.John.v’s picture

Turned out I needed to Allow CAPTCHAs and CAPTCHA administration links on administrative pages. I never thought that anyone would have access to admin pages other than myself, and that only after I had logged in, but they have access to the user-login-form on admin pages even if it is only Access Denied pages.

soxofaan’s picture

Title: Bypass Captcha » No CAPTCHA for user login block on admin pages
Version: 6.x-2.2 » 6.x-2.x-dev
Category: support » bug

Good point.

To reproduce:

  • enable user login block
  • put a CAPTCHA on user login block
  • as anonymous user: go to example.com/admin/foo/bar: result no CAPTCHA

Workarounds:

  • enable the option "Allow CAPTCHAs and CAPTCHA administration links on administrative pages" on CAPTCHA General settings page
  • disable the user-login block on admin pages: go to example.com/admin/build/block/configure/user/0 and set "show block except on": admin/*

Would be nice if we can fix this for the 6.x-2.3 release of CAPTCHA. Not sure what the best solution is at the moment. Some options I can think of right now:

  • make a special case for the user-login block and ignore the "don't show on admin pages" feature
  • Drop the "don't show on admin pages" feature altogether and maybe change it to "don't show CAPTCHA administration links on admin pages"
  • other suggestions...?

soxofaan’s picture

FYI, the current flow for adding a CAPTCHA or CAPTCHA administration links is as follows:

function captcha_form_alter(&$form, $form_state, $form_id) {
  if (arg(0) != 'admin' || variable_get('captcha_allow_on_admin_pages', FALSE)) {
    if (!user_access('skip CAPTCHA')) {
      $captcha_point = captcha_get_form_id_setting($form_id);
      if ($captcha_point && $captcha_point->type) {
        // Add CAPTCHA ...
      }
    }
    else if (user_access('administer CAPTCHA settings') && variable_get('captcha_administration_mode', FALSE)) {
      // Add CAPTCHA administration links ...
    }
  }
}

A solution can be changing the flow to:

function captcha_form_alter(&$form, $form_state, $form_id) {
  if (!user_access('skip CAPTCHA')) {
    $captcha_point = captcha_get_form_id_setting($form_id);
    if ($captcha_point && $captcha_point->type) {
      // Add CAPTCHA ...
    }
  }
  else if (
    (arg(0) != 'admin' || variable_get('captcha_allow_on_admin_pages', FALSE))
    && user_access('administer CAPTCHA settings')
    && variable_get('captcha_administration_mode', FALSE)
  ) {
    // Add CAPTCHA administration links ...
  }
}

This implements the idea from #3:

Drop the "don't show on admin pages" feature and change it to "don't show CAPTCHA administration links on admin pages"
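
The difference between the two flows above can be checked exhaustively. The following is an added example, not part of the thread or the CAPTCHA module: it models each Drupal call as a boolean input (an assumption), runs both flows over every combination, and fails if anything changes other than the CAPTCHA now appearing on admin paths.

```php
<?php
// Added example: a stand-alone model of the two flows, not CAPTCHA module code.
// Each Drupal call is replaced by a boolean input (assumption of this model):
//   $admin   arg(0) == 'admin'
//   $allow   variable_get('captcha_allow_on_admin_pages', FALSE)
//   $skip    user_access('skip CAPTCHA')
//   $point   captcha_get_form_id_setting($form_id) returned a point with a type
//   $perm    user_access('administer CAPTCHA settings')
//   $mode    variable_get('captcha_administration_mode', FALSE)

function old_flow($admin, $allow, $skip, $point, $perm, $mode) {
  if (!$admin || $allow) {
    if (!$skip) {
      return $point ? 'captcha' : 'none';
    }
    elseif ($perm && $mode) {
      return 'admin_links';
    }
  }
  return 'none';
}

function new_flow($admin, $allow, $skip, $point, $perm, $mode) {
  if (!$skip) {
    return $point ? 'captcha' : 'none';
  }
  elseif ((!$admin || $allow) && $perm && $mode) {
    return 'admin_links';
  }
  return 'none';
}

// Walk all 64 input combinations and report where the two flows disagree.
$names = array('admin', 'allow', 'skip', 'point', 'perm', 'mode');
for ($bits = 0; $bits < 64; $bits++) {
  $in = array();
  foreach ($names as $i => $name) {
    $in[$name] = (bool) (($bits >> $i) & 1);
  }
  $old = call_user_func_array('old_flow', array_values($in));
  $new = call_user_func_array('new_flow', array_values($in));
  if ($old !== $new) {
    // The only intended change: a CAPTCHA where the old flow showed nothing on an admin path.
    if ($old !== 'none' || $new !== 'captcha' || !$in['admin']) {
      throw new Exception('Unexpected behaviour change: ' . json_encode($in));
    }
    echo json_encode($in), " old=$old new=$new\n";
  }
}
```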

soxofaan’s picture

Component: Text Captcha (text_captcha) » Code
Priority: Normal » Major

soxofaan’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev
Status: Active » Patch (to be ported)
Issue tags: +low-hanging fruit

soxofaan’s picture

FYI: committed patch

soxofaan’s picture

oops made patch in wrong direction :)

soxofaan’s picture

tagged as "D7 stable release blocker" per #1269702: Blockers to a 7.x-1.0 release?

davycw’s picture

I just downloaded the latest DEV version of Captcha and ran into this problem as well. I configured captcha so that when a user submits a certain type of node that they'll be presented with a captcha challenge. I enabled "Allow CAPTCHAs and CAPTCHA administration links on administrative pages" option. The problem is that I have a search block enabled and the Captcha admin links are appearing inside of the block.

soxofaan’s picture

Status: Patch (to be ported) » Needs review
FileSize
2.78 KB

reroll

Daluxz’s picture

Status: Needs review » Reviewed & tested by the community

the patch from #11 works for me.
Thanks!

soxofaan’s picture

Status: Reviewed & tested by the community » Closed (fixed)