CiviCRM Community Forums (archive)

I am wondering if anything has changed in this respect. A client just started complaining about spammers on a profile that has recaptcha set up - when i checked, it wasn't showing - it was linking to /edit - when i change it to /create the captcha kicks in

if this is a change then there could be a lot of profiles out there that are not protected as expected

just spotted this in irc - not sure i have digested it fully in terms of the comment here by lobo but pasting and cleaning up so it is easier to follow

[22:27] <lcdweb> dgg: ok, so 1) the distinction between profile create and profile edit is important, but sometimes not easily understood. and in particular -- we currently suppress user account creation and recaptcha on profile edit -- whcih is not always expected
[22:27] <lcdweb> dgg: I had two clients in the last week very confused because recaptcha wasn't showing up
[22:28] <lcdweb> dgg: I think we should only condition those two elements on whether the user is authenticated or not. both should be allowable for both create and edit forms
[22:29] <dgg> lcdweb: so allow user create on profile/edit if anonymous user?
[22:29] <lcdweb> dgg: yes. and also allow recaptcha if anonymous
[22:29] <dgg> user create seems reasonable
[22:30] <lcdweb> dgg: 2nd is just a terminology thing. somewhere in a recent version we changed the "used for" checkbox in profile settings to "standalone form or directory"
[22:31] <lcdweb> dgg: by that we mean -- the profile is accessed directly, not as embedded in a reg form or something
[22:31] <dgg> right
[22:31] <lcdweb> dgg: but then in the help text for recaptcha we say: Do not enable this feature for stand-alone profile forms. reCAPTCHA requires dynamic page generation. Submitting a stand-alone form with reCAPTCHA included will always result in a reCAPTCHA validation error.
[22:32] <lcdweb> dgg: and by that we mean... as an html snippet
[22:32] <lcdweb> dgg: I think we used to use "standalone" to refer to html snippet. then we started using it to refer to the profile path link.
[22:33] <lcdweb> dgg: so I think we should just adjust the help text in the recaptcha to indicate the html snippet usage rather than standalone
[22:33] <dgg> lcdweb: agreed on that
[22:33] ash4 (~ash4@63.118.57.211) left irc: Ping timeout: 272 seconds
[22:34] <dgg> lcdweb: on profile/edit functionality - how do your users access profile/edit when anonymous? (assume checksum auth is only way)
[22:34] <dgg> in which case they are already authenticated
[22:35] <lcdweb> dgg: no... sometimes it's exposed and has the effect of contact create when not logged in, but with prefilled data when logged in
[22:35] <lcdweb> dgg: which is different than profile create -- which will always be empty regardless of whether you are logged in
[22:36] <lcdweb> dgg: so a subtle but important distinction
[22:36] <lcdweb> dgg: and checksum doesn't actually log the person in. it just connects the contact for the purpose of that one form
[22:37] <lcdweb> dgg: I have to step away. but if you agree re: profile eidt -- i can file an issue and take a look at it
[22:37] <dgg> so side chat w/ lobo
[22:37] <dgg> on profile/edit
[22:37] <dgg> if user is actually anonymous (i.e. form is behaving like profile/create) - then this is a 'bug' - it should follow create rules and include user create / recaptcha if configured for that profile
[22:38] <dgg> so that will cover the client case you're describing
[20:08] <civi-bot> dgg: CRM-11848 If anonymous user accesses profile/edit patch AND profile settings are configured to use reCaptcha and / or provide user registration option - then enable those 'features'. NOTE: checksum authentic... -- http://issues.civicrm.org/jira/browse/CRM-11848