#8158 Add antispam measures to login page



  • Kenton Taylor - 2017-07-13


    branch kt/antispam_login

  • Dave Brondsema - 2017-07-14
    • status: open --> in-progress
  • Dave Brondsema - 2017-07-14

    • if g.antispam probably doesn't need to be checked
    • # ahh i'm dead here
    • can just keep antispam = utils.AntiSpam() in AntiSpamTestApppost instead of making an __init__
    • with audits('Honeypot login' doesn't pair up with any actual audit log. I think the ValueError is being raised so with audits doesn't have a chance to check. So just remove that line I guess.
    • if the login overlay is used (e.g. /p/add_project) then the CSS to hide honeypot fields isn't working. See login_fragment.html

    I noticed that as long as you have a valid spinner & timestamp, you can submit the form with "regular" field names, e.g. username & password instead of the encoded names. I think this is a general limitation of how the AntiSpam class is set up right now, since it updates the params dict instead of making a new one. We could explore the idea of deleting all other params. But that might have some adverse effects if we have a non-encoded param like return_to (would have to make sure everything is encoded on all antispam forms).
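
The limitation described in the comment above, as an added example that is not the project's AntiSpam code and not part of the ticket: a simplified model that compares merging decoded names into the submitted params with building a new dict that rejects un-encoded form fields. The HMAC-based encode_name, the functions decode_update and decode_strict, SECRET, and the sample submissions are all hypothetical and constructed; the spinner and timestamp are assumed to be already validated.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: server-side secret
FIELDS = ("username", "password")     # fields the form encodes

def encode_name(plain, spinner):
    """Hypothetical encoding: per-form field name bound to the spinner."""
    mac = hmac.new(SECRET, f"{spinner}:{plain}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]

def decode_update(params, spinner):
    """Lenient model: decoded names are merged into the submitted params."""
    out = dict(params)
    for plain in FIELDS:
        enc = encode_name(plain, spinner)
        if enc in params:
            out[plain] = params[enc]
    return out  # a plain 'username' posted by the client is still in here

def decode_strict(params, spinner, passthrough=("return_to",)):
    """Strict model: build a new dict and reject un-encoded form fields."""
    plain_hits = [name for name in FIELDS if name in params]
    if plain_hits:
        raise ValueError(f"un-encoded fields submitted: {plain_hits}")
    out = {k: params[k] for k in passthrough if k in params}
    for plain in FIELDS:
        enc = encode_name(plain, spinner)
        if enc in params:
            out[plain] = params[enc]
    return out

# Constructed sample submissions (spinner/timestamp assumed already validated).
SPINNER = "constructed-spinner"
ENCODED_POST = {"spinner": SPINNER, "timestamp": "1500000000", "return_to": "/",
                encode_name("username", SPINNER): "alice",
                encode_name("password", SPINNER): "pw"}
PLAIN_POST = {"spinner": SPINNER, "timestamp": "1500000000", "return_to": "/",
              "username": "alice", "password": "pw"}

if __name__ == "__main__":
    print(decode_update(PLAIN_POST, SPINNER)["username"])   # accepted as-is
    print(decode_strict(ENCODED_POST, SPINNER))
    try:
        decode_strict(PLAIN_POST, SPINNER)
    except ValueError as exc:
        print("rejected:", exc)
```

The passthrough allow-list stands in for the return_to concern raised in the comment: any parameter that stays un-encoded has to be named explicitly, or the strict decoder drops it.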

  • Kenton Taylor - 2017-07-17

    Good feedback; fixups pushed.

  • Dave Brondsema - 2017-07-17
    • status: in-progress --> closed
    • Reviewer: Dave Brondsema
  • Dave Brondsema - 2018-02-05
    • Milestone: unreleased --> v1.8.0
