Excluded forms

brad.bulger → made their first commit to this issue’s fork.

No, but I'm happy to review an implementation of an exclusion feature.

Yeah this should be easy to solve, just by adding a setting with form id's once per line.
The forms (please check if the IDs are correct!):

• user_register_form
• user_login_form
• user_pass

should be excluded by default (also added by update hook).

Then we can simply skip if the current form is in the array.

anybody → changed the visibility of the branch 3449889-excluded-forms to hidden.

Everything should be running now!

Added a test only branch which is expected to fail! :)

Fails as expected, GREAT WORK @lrwebks!!! :)

anybody → closed merge request !20

It cares about all bundle forms. When you exclude an id, it affects the entire bundle.Instead of including the entire bundle, it should exclude the types separately.

For example;The flexibility in the forum may not be in the articles. That was the opening purpose of this issue.

İf you exclude node_forum_form (forum type) it will also excludes node_article_form. It will also bypass protection on articles.
or
For comments;
İf you exclude forum comment form id (comment_forum_comments_form) it also excludes article comment form (comment_comment_form)

Also it doesn't work other custom type entity like ECK. It bypass them.
Thanks

Hi @pearls we're currently checking the $form_id, what would you suggest to check against?
I think for example CAPTCHA does it similar, using the $form_id?

Could you add a (failing) test showing what you're talking about in detail? I'd also say we should better open a separate improvement-follow-up?

Everything ok here? I just installed 2.0.7, which includes the update hook 8004 - Add new setting 'excluded_forms', and now the configuration page for Protected Forms crashes with error
TypeError: implode(): Argument #1 ($array) must be of type array, string given in implode() (line 270 of ...web/modules/contrib/protected_forms/src/Form/ProtectedFormsForm.php).

Hi @anybody,
If you check the screencast, you will see that all node types are skipped by protection even if their form ID is not in the excluded list.
But it works for comment forms. Validation cannot be bypassed unless added to the exclude list.

Suggestion 1:
It can work as designed. But, the entity from id should be allowed to be entered separately according to its type. For example: node_article_form, node_page_form, node_forum_form or custom_non-node_entity_type_form etc.

Suggestion2:
It can be specified in text formats-editors as the most comprehensive option.
Thus, there is no need for a form ID. Whether the correct ID is added or not is not a problem. It can be added or excluded in different scenarios in text formats and editors in a very flexible way. Check Wordfilter → module, please.In my opinion, this is the best option.

Suggestion3:
The last option can be allowed in the node type settings, which will be the most restricted option. It will be a problem for other custom entity types.

Thanks for the report @pearls! You're right, this was too quick and not enough testing. On it!

anybody → changed the visibility of the branch 3449889-fixes to hidden.

@pearls please create a separate issue for your follow-up. Feel free to create a MR with the solution you like or take a look at https://www.drupal.org/project/crowdsec → - I think we won't invest much time into this module any more because https://www.drupal.org/project/crowdsec → seems to be the better solution. But let's discuss this in a separate issue.

The current state isn't broken (anymore) right? You're talking about a feature request, right?

2.0.8 fixed the admin page. Thanks!