- **status**: open --> in-progress
- **Comment**:

* `if g.antispam` probably doesn't need to be checked
* `# ahh i'm dead here`
* can just keep `antispam = utils.AntiSpam()` in `AntiSpamTestApppost` instead of making an `__init__`
* `with audits('Honeypot login'` doesn't pair up with any actual audit log. I think the `ValueError` is being raised so the `with audits` doesn't have a chance to check. So just remove that line I guess
* if the login overlay is used (e.g. /p/add_project) then the CSS to hide honeypot fields isn't working. See `login_fragment.html`

I noticed that as long as you have a valid spinner & timestamp, you can submit the form with "regular" field names, e.g. username & password instead of the encoded names. I think this is a general limitation of how the AntiSpam class is set up right now since it updates the params dict instead of making a new one. We could explore the idea of deleting all other params. But that might have some adverse effects if we have a non-encoded param like return_to (would have to make sure everything is encoded on all antispam forms)

---

**[tickets:#8158] Add antispam measures to login page**

**Status:** in-progress
**Milestone:** unreleased
**Created:** Thu Jul 13, 2017 07:27 PM UTC by Kenton Taylor
**Last Updated:** Thu Jul 13, 2017 07:28 PM UTC
**Owner:** Kenton Taylor
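
The limitation described in the comment above, as an added sketch that is not part of the original message and is not Allura's code. The HMAC-based `enc`, the functions `decode_merge` and `decode_strict`, and the `PASSTHROUGH` allowlist are assumptions made for illustration; spinner and timestamp validation is assumed to have happened before either function runs.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side secret
PASSTHROUGH = {"spinner", "timestamp", "return_to"}  # plain names allowed through

def enc(spinner, name):
    """Hypothetical per-request field name derived from the spinner."""
    msg = f"{spinner}:{name}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def decode_merge(params, spinner, fields):
    """Decoded values are merged into the submitted params, so a plain
    'username' posted directly is still present afterwards."""
    out = dict(params)
    for name in fields:
        key = enc(spinner, name)
        if key in params:
            out[name] = params[key]
    return out

def decode_strict(params, spinner, fields, passthrough=PASSTHROUGH):
    """Build a new dict: encoded fields plus allowlisted plain params only."""
    encoded = {enc(spinner, name): name for name in fields}
    out = {}
    for key, value in params.items():
        if key in encoded:
            out[encoded[key]] = value
        elif key in passthrough:
            out[key] = value
        else:
            raise ValueError(f"unexpected non-encoded field: {key!r}")
    missing = [name for name in fields if name not in out]
    if missing:
        raise ValueError(f"missing encoded fields: {missing}")
    return out

if __name__ == "__main__":
    sp, fields = "constructed-spinner", ["username", "password"]
    base = {"spinner": sp, "timestamp": "1499974020"}  # constructed values
    plain = {**base, "username": "bot", "password": "x"}
    good = {**base, enc(sp, "username"): "alice", enc(sp, "password"): "pw",
            "return_to": "/p/add_project"}
    print(decode_merge(plain, sp, fields)["username"])  # plain name accepted
    print(decode_strict(good, sp, fields)["username"])  # decoded from encoded name
    try:
        decode_strict(plain, sp, fields)
    except ValueError as err:
        print("rejected:", err)
```

The strict variant only works if every form field other than the allowlisted ones is rendered with its encoded name, which is the caveat the comment raises about `return_to`.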