I read the conversation in the thread https://www.drupal.org/node/2421919 that Honeypot will replace the Hidden Captcha in Drupal 8. Is it true?
Because I have a newsletter field which I want to protect from spams and honeypot will fail in this case as there is only 1 textbox which will hardly take 2-3 seconds to fill.
Please help!
You can add honeypot to your own forms, or to any form through your own module's hook_form_alter's, by simply place the following function call inside your form builder function (or inside a hook_form_alter):
honeypot_add_form_protection($form, $form_state, array('honeypot', 'time_restriction'));
Note that you can enable or disable either the honeypot field, or the time restriction on the form by including or not including the option in the array.
In you case, you could remove the time_restriction in your newsletter form.
You can also use Honeypot's API to modify the time delay for forms, add or remove protections for certain forms, etc.
I hope it will help you resolve your issue.
Related
I have several complex class-based views for modelforms with inline formsets, new forms being displayed fetched by AJAX and other such stuff. I want to allow unauthorized users to view everything, but only edit one field in a specific form. What I'm currently thinking of is to disable fields on the frontend via JS, then clean out disallowed fields during form cleaning for the one editable form and disallow POSTing everything else, but this seems somewhat clunky. Are there any other viable approaches for doing this without involvement of Javascript?
Without javascript you will have to disable each input with the 'disabled' attribute, setting it within your form via php echos.
<inputtype="text" name="lname" <? if(!$enabled) echo 'disabled' ?>>
Which could end up being even more clunky. Because on the front end with javascript you could use jquery to disable al inputs with one line of code:
$('input').prop('disabled', true);
Then enable just the specific input(s) after that. Which is clean way to go.
$('#elid).prop('disabled', false);
At this point then, you just have to authenticate the user and use this method if the user is not alllowed to edit fields.
Nevermind. I did not notice the Django tag.
My answer is irrelevant.
I want that my users can fill a post form partially, save as draft and then edit, finish and publish it. So the draft can have some required (text) fields empty. However I want the fields secure to store in the database (so, no special character, etc).
What's the best (or a good way) way to do this?
I think these solutions:
1) make two different models, one with required=False fields or
2) fill the empty text field with a temporary string ('draft'), then delete it e redraw as needed while edit, publish, save the draft. Or
3) deactivate the validation (novalidation, I'm not sure this works).
or what else?
I'm looking to the second way because the first I think will give me problems to manage two models and the third maybe is not secure.
PS I'm using ajax to call the views.
I am new to Django and tried looking at documentation and a few posts on this forum, but I haven't been able to resolve my problem yet. I'd appreciate any pointers/examples and thanks for your time and help.
I have a working setup for a form with ChoiceField that has 4 choices (CharField). I am trying to include a 5th open option so the User could type their own response. I tried including code for widget, but that made a text box appear below the drop down list. Even with the widget, the validation fails (unless one of the 4 choices is selected) and I have not been able to resolve this problem either.
Is there a solution so the form could accept User inputs within the ChoiceField drop down list?
Best,
Aya
You haven't posted any code, or error message, so I am guessing a bit.
Make sure your form has required=False for the Choice widget. If that is set to True, it will fail the validation.
check out Allow dynamic choice in Django ChoiceField
Optional values will result in an error if you call:
if form.is_valid():
I'm trying to create a way for the user to change url such that if the current url is something like
website.com/section/part/this
if he inputs in a textbox 'hello', it will become
website.com/section/part/hello
Do I need to make a form and send hello as a parameter and then redirect the user to that page, or is there a easier/Django way to do this?
The other option is to play with JavaScript, detect changes to the textbox and reflect them in the form action argument. The way to do this also depends on the JavaScript framework you are willing to use, if any.
AFAIK there's no built-in feature provided by Django to make this easier.
Using: ColdFusion 10, JQuery 1.9, IIS
I made a CFC (allows remote access) which handles the insertion of comments into a database, whether they are new comments or replies to an existing one.
I have a Form which submits to this CFC when you want to make a comment.
At the moment I am passing (as hidden fields) form variables to the CFC to tell it various things about the comment that's to be inserted: e.g. which User the comment is for (the RecipientID) and which CommentID its in reference to (if its a reply). These values change a lot because sometimes a user is replying to another user's comment.
I don't want to send the hidden variables in my form because it can easily be modified by a malicious person. How can I send the main Form information using form variables (e.g. the comment body) but pass the sensitive variables using just ColdFusion so its not manipulable by a hacker?
One thing I could do is submit back to the page itself and then use <cfinvoke> to call the CFC and pass in the arguments. I would set the arguments in the invocation rather than in the Form. Would this be the correct way to do it?
The only place where the malicious users can't modify easily is in the Session.
Keep sensitive stuff in the Session, and make sure the logged in user has the proper right to do the action they requested (e.g. can delete their own stuff only, not other ppl's stuff)
Regarding, "One thing I could do is submit back to the page itself and then use to call the CFC and pass in the arguments. I would set the arguments in the invocation rather than in the Form. Would this be the correct way to do it?"
I think this would be a lot better than submitting to the cfc which is what you say you are doing now. Slight variations of this theme are:
Submit to another page which invokes the cfc method.
Forget the cfc and put the database call into a .cfm page. In
fact, if the cfc contains nothing but the insert query and is not
used elsewhere, it's unnecessary.
As far as not using hidden form fields goes, you might be in trouble. The user info can be stored in the session scope as suggested by Henry, but the recipient info is harder to protect. You could make the recipient id part of the form field name. Then to protect yourself from neer do wells, add another check on the cgi.http_referrer variable.