Contrib.social

Honeypot Facets 3 submodule?

Open on Drupal.org →
Created on 21 August 2025, 23 days ago

Problem/Motivation

With the increasing number of AI bots crawling sites and causing problems, for example for Views with exposed forms Facets filters, I wonder if a Honeypot Facets module could be possible? Idea from #3444984-4: Add support for views-exposed-form .

See also:

Steps to reproduce

Get overrun by AI bots, and want to block them by offering them a hidden Honeypot Facet checkboxes, which when clicked will block the IP address.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Active

Version

2.2

Component

Code

Created by

🇩🇰Denmark ressa Copenhagen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @ressa
  • Comment 23 days ago
    🇩🇰Denmark ressa Copenhagen
  • Comment 10 days ago
    🇪🇨Ecuador jwilson3

    Follow! My understanding is that AI bots are not actually submitting forms, but that the bots love clicking through links and the Facets issue boils down to the fact that Facet blocks aren't really checkboxes, but are in fact just links styled to look like checkboxes. Facets 3 switches to using actual checkboxes and forms instead of lists of links, which is promising and will probably save us for now.

    But as time wears on and bots get more advanced, there might be real opportunity here. But my suggestion would be to first try adding additional form ids for the Facets 3 block forms to the existing Honeypot module settings on your site, to guage whether Honeypot + Facets forms it is having any effect in rebuffing bot requests. Allow for more flexible form configuration Active seems like a promising solution, if you're not opposed to manually entering facet form ids. If this does help, then maybe adding a UI option to manually enter custom form ids would be a good first step. A more custom UI just for Facet blocks could be possible, but probably complex, and easily doable from a few lines of custom form_alter code.

    Here is what I'm doing to add Honeypot to all Webforms. Presumably it could be adapted for Facet blocks as well assuming they follow some kind of standard form id prefix in their naming conventions.

    
function mymodule_form_alter(&$form, FormStateInterface $form_state, $form_id) {
  // Add honeypot protection to all Webforms.
  // @todo remove when https://drupal.org/i/3544510 lands
  if (strpos($form_id, 'webform_submission') === 0) {
    if (\Drupal::moduleHandler()->moduleExists('honeypot')) {
      // There is no reason to not enable time restriction here since
      // Honeypot respects the time_limit set in the configuration.
      \Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);
    }
  }
  • Comment 10 days ago
    🇩🇰Denmark ressa Copenhagen

    Thanks for the encouraging comment @jwilson3!

    Your description of the situation between Facets 2 and 3 is correct, and a great summary, so I added it in the Issue Summary. I also now see I use Facets 2, in the intro text, where it really should be Facets 3, so great to get that corrected as well.

    Thanks for sharing your custom solution for Webform. I am in the middle of upgrading from Facets 2 to 3, and will assess the situation, and if needed try to adapt the code. If I can get it to work, I can add it to a doc page, maybe https://www.drupal.org/docs/administering-a-drupal-site/security-in-drup... ?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024