allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <>
Subject [allura:tickets] #8158 Add antispam measures to login page
Date Fri, 14 Jul 2017 18:58:31 GMT
- **status**: open --> in-progress
- **Comment**:

* `if g.antispam` probably doesn't need to be checked
* `# ahh i'm dead here`
* can just keep `antispam = utils.AntiSpam()` in `AntiSpamTestApppost` instead of making an
* `with audits('Honeypot login'` doesn't pair up with any actual audit log.  I think the `ValueError`
is being raised so with `with audits` doesn't have a chance to check.  So just remove that
line I guess
* if the login overlay is used (e.g. /p/add_project) then the CSS to hide honeypot fields
isn't working.  see `login_fragment.html`

I noticed that as long as you have a valid spinner & timestamp, you can submit the form
with "regular" field names, e.g. username & password instead of the encoded names.  I
think this is a general limitation of how the AntiSpam class is set up right now since it
updates the params dict instead of making a new one.  We could explore the idea of deleting
all other params.  But that might have some adverse affects if we have a non-encoded param
like return_to (would have to make sure everything is encoded on all antispam forms)


** [tickets:#8158] Add antispam measures to login page**

**Status:** in-progress
**Milestone:** unreleased
**Created:** Thu Jul 13, 2017 07:27 PM UTC by Kenton Taylor
**Last Updated:** Thu Jul 13, 2017 07:28 PM UTC
**Owner:** Kenton Taylor


Sent from because is subscribed to

To unsubscribe from further messages, a project admin can change settings at
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message