[#22397] - Allow form submission when Captcha plugin is not available
- Closed
- 25 Apr 2019
- Medium
- Build: staging
- # 22397
- Diff
- SharkyKZ:captcha
- Success continuous-integration/drone/pr the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
Redo of #20288. This allows submitting forms when selected Captcha plugin is disabled, uninstalled or has a different access level.
Testing Instructions
Select a Captcha plugin in global or component configuration.
Disable the plugin.
Attempt to submit a form that has a Captcha field.
Expected result
Form submitted successfully.
Actual result
Message on form page:
Error
Captcha plugin not set or not found. Please contact a site administrator.
Form submission fails because Captcha field is invalid.
Documentation Changes Required
IDK.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_contact com_content Libraries Templates (site) |
I’m with Brian, if user is guest then forms shouldn’t be submitable. You could if people felt it necessary add in global config option to allow submitting forms even when no valid captcha found. But I don’t think it’s needed.
@HLeithner decision based on above comments?
This makes no sense for me, if I select a captcha it shouldn't be ignored because its disabled or I don't have access rights. Also I still like to remove access level from plugins as michael suggested in another issue.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-04-25 09:44:43 |
| Closed_By | ⇒ | HLeithner | |
| Labels |
Removed:
J3 Issue
|
||
@HLeithner until access levels are removed from plugins, this totally makes sense. E.g. if captcha plugin access is set to Guest, captcha should only be required for guests and it should not break the site for everyone else.
Uninstalling or disabling captcha plugin requires to resave every configuration containing captcha option. Otherwise users are left with a broken site. This is not communicated to the user. Editor, for example, does not error in such case. It just defaults to a textarea.
We're talking about a security feature here, not an editor. So yes, if you make security related changes (eg disabling the plugin), you should check all related settings. Otherwise the system must be on the safe side - which is preventing the form from being sent.
Uninstalling or disabling captcha plugin requires to resave every configuration containing captcha option. Otherwise users are left with a broken site. This is not communicated to the user. Editor, for example, does not error in such case. It just defaults to a textarea.
In this scenario can you not do a check to see if the plugin is enabled ?
As an administrator, you won't know that your site is broken until someone actually contacts you as advised in the message or until you try to submit a form containing captcha yourself.
In global/component configurations you won't see anything wrong because disabled/uninstalled plugins aren't shown. The field defaults to global or None Selected option but whatever was previously set is actually used.
until you try to submit a form containing captcha yourself.
I hope you try it after you make such changes.
My gut feeling is that this is not a good idea and the current behaviour is correct - others may disagree.