I was noticing in my Recent log entries a large number of "access denied" entries. In order to see what a user might see, I logged out and pasted one of the access denied URLs into my browser. What I got was the normal access denied page except that Captcha was not present on the page. On all navigation generated pages I have the Captcha text challenge, but not on these forced error pages, just the user login block. The thing is, you get logged in without a challenge.

Here is the format, you can supply any numbers you want:
/admin/reports/access/33230
/admin/reports/event/6894

Files:
Comment | File | Size | Author
#11 | 893810-captcha-on-admin-pages-d7-01.patch | 2.78 KB | soxofaan
PASSED: [[SimpleTest]]: [MySQL] 733 pass(es).
#8 | 893810-captcha-on-access-denied-admin-pages_02.patch | 2.71 KB | soxofaan
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 893810-captcha-on-access-denied-admin-pages_02.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.
#7 | 893810-captcha-on-access-denied-admin-pages_01.patch | 2.74 KB | soxofaan
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 893810-captcha-on-access-denied-admin-pages_01.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.

Comments

Category: bug » support

One typical reason for this is that these pages were cached before the CAPTCHA was added to it.
Try clearing your cache: e.g. with the devel module, or with drush, or if you don't use any of these tools, temporarily disabling the page cache (admin > performance) will help too.

Turned out I needed to Allow CAPTCHAs and CAPTCHA administration links on administrative pages. I never thought that anyone would have access to admin pages other than myself, and that only after I had logged in, but they have access to the user-login-form on admin pages even if it is only Access Denied pages.

Title: Bypass Captcha » No CAPTCHA for user login block on admin pages
Version: 6.x-2.2 » 6.x-2.x-dev
Category: support » bug

Good point.

To reproduce:

  • enable user login block
  • put a CAPTCHA on user login block
  • as anonymous user: go to example.com/admin/foo/bar: result no CAPTCHA

Workarounds:

  • enable the option "Allow CAPTCHAs and CAPTCHA administration links on administrative pages" on CAPTCHA General settings page
  • disable the user-login block on admin pages: go to example.com/admin/build/block/configure/user/0 and set "show block except on": admin/*

Would be nice if we can fix this for the 6.x-2.3 release of CAPTCHA. Not sure what the best solution is at the moment. Some options I can think of right now:

  • make a special case for the user-login block and ignore the "don't show on admin pages" feature
  • Drop the "don't show on admin pages" feature altogether and maybe change it to "don't show CAPTCHA administration links on admin pages"
  • other suggestions...?

FYI, the current flow for adding a CAPTCHA or CAPTCHA administration links is as follows:

<?php
function captcha_form_alter(&$form, $form_state, $form_id) {
  if (arg(0) != 'admin' || variable_get('captcha_allow_on_admin_pages', FALSE)) {
    if (!user_access('skip CAPTCHA')) {
      $captcha_point = captcha_get_form_id_setting($form_id);
      if ($captcha_point && $captcha_point->type) {
        // Add CAPTCHA ...
      }
    }
    else if (user_access('administer CAPTCHA settings') && variable_get('captcha_administration_mode', FALSE)) {
      // Add CAPTCHA administration links ...
    }
  }
}
?>

A solution can be changing the flow to:

<?php
function captcha_form_alter(&$form, $form_state, $form_id) {
  if (!user_access('skip CAPTCHA')) {
    $captcha_point = captcha_get_form_id_setting($form_id);
    if ($captcha_point && $captcha_point->type) {
      // Add CAPTCHA ...
    }
  }
  else if (
    (arg(0) != 'admin' || variable_get('captcha_allow_on_admin_pages', FALSE))
    && user_access('administer CAPTCHA settings')
    && variable_get('captcha_administration_mode', FALSE)
  ) {
    // Add CAPTCHA administration links ...
  }
}
?>

This implements the idea from #3:

Drop the "don't show on admin pages" feature and change it to "don't show CAPTCHA administration links on admin pages"
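
Added example (not code from the CAPTCHA module or from the thread's authors): the two flows above reduced to pure decision functions and compared over every combination of inputs, to show which requests the reordering changes. The function names and array keys are hypothetical, and `captcha_point` stands in for `$captcha_point && $captcha_point->type` as a single boolean.

```php
<?php
// Added illustration, not CAPTCHA module code. Array keys are hypothetical
// names for the conditions tested in captcha_form_alter().

// Flow before the fix: the admin-path test wraps everything.
function decide_old(array $c) {
  if (!$c['admin_path'] || $c['allow_on_admin']) {
    if (!$c['skip_captcha']) {
      return $c['captcha_point'] ? 'captcha' : 'none';
    }
    elseif ($c['administer'] && $c['admin_mode']) {
      return 'admin links';
    }
  }
  return 'none';
}

// Proposed flow: the admin-path test only guards the administration links.
function decide_new(array $c) {
  if (!$c['skip_captcha']) {
    return $c['captcha_point'] ? 'captcha' : 'none';
  }
  elseif ((!$c['admin_path'] || $c['allow_on_admin']) && $c['administer'] && $c['admin_mode']) {
    return 'admin links';
  }
  return 'none';
}

// Enumerate all input combinations and collect the ones where the flows disagree.
function flow_differences() {
  $keys = array('admin_path', 'allow_on_admin', 'skip_captcha', 'captcha_point', 'administer', 'admin_mode');
  $diffs = array();
  for ($bits = 0; $bits < (1 << count($keys)); $bits++) {
    $c = array();
    foreach ($keys as $i => $k) {
      $c[$k] = (bool) ($bits & (1 << $i));
    }
    if (decide_old($c) !== decide_new($c)) {
      $diffs[] = array('set' => array_keys(array_filter($c)), 'old' => decide_old($c), 'new' => decide_new($c));
    }
  }
  return $diffs;
}

foreach (flow_differences() as $d) {
  printf("%s: old=%s new=%s\n", implode(', ', $d['set']), $d['old'], $d['new']);
}
```

The flows disagree only for requests on an admin path with the "allow on admin pages" option off, from a user without "skip CAPTCHA", on a form that has a CAPTCHA point: the old flow adds nothing and the new flow adds the CAPTCHA, which is the access-denied login case from the original report.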

Component: Text Captcha (text_captcha) » Code
Priority: Normal » Major

Version: 6.x-2.x-dev » 7.x-1.x-dev
Status: Active » Patch (to be ported)
Issue tags: +low-hanging fruit

Status | File | Size
new | 893810-captcha-on-access-denied-admin-pages_01.patch | 2.74 KB
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 893810-captcha-on-access-denied-admin-pages_01.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.

FYI: committed patch

Status | File | Size
new | 893810-captcha-on-access-denied-admin-pages_02.patch | 2.71 KB
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 893810-captcha-on-access-denied-admin-pages_02.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.

oops made patch in wrong direction :)

tagged as "D7 stable release blocker" per #1269702: Blockers to a 7.x-1.0 release?

I just downloaded the latest DEV version of Captcha and ran into this problem as well. I configured captcha so that when a user submits a certain type of node that they'll be presented with a captcha challenge. I enabled "Allow CAPTCHAs and CAPTCHA administration links on administrative pages" option. The problem is that I have a search block enabled and the Captcha admin links are appearing inside of the block.

Status: Patch (to be ported) » Needs review
Status | File | Size
new | 893810-captcha-on-admin-pages-d7-01.patch | 2.78 KB
PASSED: [[SimpleTest]]: [MySQL] 733 pass(es).

reroll

Status: Needs review » Reviewed & tested by the community

the patch from #11 works for me.
Thanks!

Status: Reviewed & tested by the community » Closed (fixed)