- Issue created by @the_g_bomb
- Status changed to Needs review
10 months ago 5:02pm 8 May 2024 - last update
10 months ago 29 pass - π¬π§United Kingdom the_g_bomb
Attaching a change to the config yml file. Not sure that much else is needed.
This will enable on install and then be exported on drush cex, I suspect.
I do wonder if there should be a way to edit the list of unprotected forms, that was we could add or remove items as required.
- Status changed to Postponed: needs info
10 months ago 1:35am 9 May 2024 - πΊπΈUnited States tr Cascadia
Why does this need to be part of core Honeypot? It is not scalable to explicitly include all forms from all contributed modules that need to be excluded. That's why there is a configuration setting - so that the tfa module, IF if wants to, can exclude its own form. Or a site developer, if they want to, can exclude any other form.
Right now, Honeypot only excludes forms that are part of core Drupal, because those are forms we know will exist on every site. I would like to keep it that way.
- π¬π§United Kingdom the_g_bomb
Is there a documented way to exclude a form from being protected by honeypot? Could you point it out to me and I'll add an issue to the TFA module to get it added to that modules issue queue.
I have switched off protect all forms and can't see a way to explicitly exclude the TFA form. It might be good to have a setting to protect all forms except the tfa (or another) form.
The only way I can see to exclude it is to manually add the form id to the exported honeypot config yml file, or perhaps to switch off Protect all forms and then enable them all again in the fieldset that opens at that point.
I am keeping my fingers crossed that the config file I exported and edited doesn't get reverted the next time I export my config.
While I agree this approach is not scalable to exclude all modules that may need to be excluded, it was the reason behind my comment regarding needing a way to edit the list of unprotected forms. I know there is another issue in the queue to allow the user login form to be protected, which would also be solved by the config editing ability.
Happy to take advice on how this should be solved.
- πΊπΈUnited States tr Cascadia
It's just a configuration setting, so you treat it just the same way as any other configuration setting in Drupal. There are dozens of ways to do this, depending on your deployment workflow.
The one I would suggest as a start is to use drush:
drush config-get honeypot.settingswill show the current settings if the honeypot module is installed
drush config-edit honeypot.settingswill allow you to edit the settings in your text editor. Make the same change to honeypot.settings as you did in the above patch.
You can then usedrush config-get honeypot.settingsagain to confirm the changes were made.Or you can make these changes in
honeypot/config/install/honeypot.settings.ymlbefore you enable honeypot.