#8158 Add antispam measures to login page

v1.8.0
closed
None
General
2018-02-05
2017-07-13
No

Discussion

  • Kenton Taylor

    Kenton Taylor - 2017-07-13

    QA

    branch kt/antispam_login

  • Dave Brondsema

    Dave Brondsema - 2017-07-14
    • status: open --> in-progress
  • Dave Brondsema

    Dave Brondsema - 2017-07-14
    • if g.antispam probably doesn't need to be checked
    • # ahh i'm dead here
    • can just keep antispam = utils.AntiSpam() in AntiSpamTestApppost instead of making an __init__
    • with audits('Honeypot login' doesn't pair up with any actual audit log. I think the ValueError is being raised so `with audits` doesn't have a chance to check. So just remove that line I guess
    • if the login overlay is used (e.g. /p/add_project) then the CSS to hide honeypot fields isn't working. see login_fragment.html

    I noticed that as long as you have a valid spinner & timestamp, you can submit the form with "regular" field names, e.g. username & password instead of the encoded names. I think this is a general limitation of how the AntiSpam class is set up right now since it updates the params dict instead of making a new one. We could explore the idea of deleting all other params. But that might have some adverse effects if we have a non-encoded param like return_to (would have to make sure everything is encoded on all antispam forms)
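
An added illustration of the limitation described in the comment above, not Allura's AntiSpam code: the HMAC-based spinner, the field-name encoding, the honeypot field name and the `return_to` allowlist are all assumptions. Decoding in place leaves plain `username`/`password` keys untouched, while building a fresh dict from decoded fields plus an explicit allowlist drops them.

```python
import hashlib
import hmac

# Constructed values for the example; a real deployment derives these per request.
SECRET = b"constructed-server-secret"
HONEYPOT = "email_confirm"      # hidden field that only bots fill in (assumed name)
PASSTHROUGH = {"return_to"}     # fields the form deliberately sends unencoded

def new_spinner(timestamp):
    """Spinner bound to the timestamp, so an old or forged pair is rejected."""
    return hmac.new(SECRET, str(timestamp).encode(), hashlib.sha256).hexdigest()[:16]

def enc(name, spinner):
    """Per-spinner encoded field name; the rendered form uses these, not 'username'."""
    return hmac.new(SECRET, spinner.encode() + name.encode(), hashlib.sha256).hexdigest()[:16]

def _check(params, now, max_age):
    """Reject a stale timestamp or a spinner that does not match it."""
    ts = int(params["timestamp"])
    spinner = params["spinner"]
    if now - ts > max_age or not hmac.compare_digest(spinner, new_spinner(ts)):
        raise ValueError("bad spinner or stale timestamp")
    return spinner

def decode_in_place(params, fields, now, max_age=3600):
    """Weak variant: rewrites the incoming dict, so unencoded keys survive."""
    spinner = _check(params, now, max_age)
    for name in fields:
        key = enc(name, spinner)
        if key in params:
            params[name] = params.pop(key)
    if params.get(HONEYPOT):
        raise ValueError("honeypot filled")
    return params

def decode_strict(params, fields, now, max_age=3600):
    """Hardened variant: new dict from decoded fields plus the allowlist only."""
    spinner = _check(params, now, max_age)
    clean = {k: v for k, v in params.items() if k in PASSTHROUGH}
    for name in fields:
        key = enc(name, spinner)
        if key in params:
            clean[name] = params[key]
    if clean.get(HONEYPOT):
        raise ValueError("honeypot filled")
    return clean
```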

  • Kenton Taylor

    Kenton Taylor - 2017-07-17

    Good feedback; fixups pushed.

  • Dave Brondsema

    Dave Brondsema - 2017-07-17
    • status: in-progress --> closed
    • Reviewer: Dave Brondsema
  • Dave Brondsema

    Dave Brondsema - 2018-02-05
    • Milestone: unreleased --> v1.8.0
