XF 2.1 Core HoneyPots

[Ozzy47]

When someone registers, there are HoneyPots to try and stop bots. I have some questions about them.

1) How can I enable them so I as a user can see them on the register form?
2) If a bot fills them out, is that information stored, and if so where?
3) If they are filled out, how does it reject the bot?

I will probably have more questions.

 

[Blatchy]

1) How can I enable them so I as a user can see them on the register form?

Doesnt that defeat the whole purpose?

 

[Ozzy47]

No, I want to see them, for testing.

 

[Max Taxable]

Doesnt that defeat the whole purpose?

"please_leave_this_field_blank" already does.

 

[Ozzy47]

 

[Case]

Not tested but try adding this to extra.less

.formRow.formRow--limited {
display: table;
}

 

[Ozzy47]

Not tested but try adding this to extra.less

.formRow.formRow--limited {
display: table;
}

That might work, I'll check it out later.

 

[Ozzy47]

Yes, that works fine, thank you.

Now my list is down to this:
1) How can I enable them so I as a user can see them on the register form?
2) If a bot fills them out, is that information stored, and if so where?
3) If they are filled out, how does it reject the bot?

 

[Paul B]

No, the data is not stored.

They are rejected because the field is filled - a human registering would not see the field and therefore wouldn't enter anything.

 

[Ozzy47]

No, the data is not stored.

Ok good to know.

They are rejected because the field is filled - a human registering would not see the field and therefore wouldn't enter anything.

What file could I look into to see how that happens?

 

[Paul B]

I wouldn't know offhand - I would have to check the code.

 

[Max Taxable]

Not tested but try adding this to extra.less

.formRow.formRow--limited {
display: table;
}

That's helpful but seems to display only one of the four "Spam Catcher Fields" I see in the register_form template.

EDIT: Interestingly it does display all of the hidden fields but only if you don't use the popup registration form... if you navigate to yoursite.com/register it does diaplay all of the hidden fields.

 

[Max Taxable]

3) If they are filled out, how does it reject the bot?

In my testing I have learned it merely reloads the register form, clearing the fields and no account is created. There is no error message.

 

[Ozzy47]

That's helpful but seems to display only one of the four "Spam Catcher Fields" I see in the register_form template.

EDIT: Interestingly it does display all of the hidden fields but only if you don't use the popup registration form... if you navigate to yoursite.com/register it does diaplay all of the hidden fields.

That is because it inserts two of them at random, they are like that to confuse the bots.

 

[Ozzy47]

What file could I look into to see how that happens?

Anyone know?

 

[Ozzy47]

Does anyone know what file handles the registration rejection process of a bot fills out a core honeypot? Or what file handles registrations in general.

 

[Ozzy47]

Okay, I have found them at, src/XF/Service/User/Registration.php and src/XF/Service/User/RegisterForm.php. Now in the register form one I see this:

class RegisterForm extends \XF\Service\AbstractService
{
    protected $hashedFields = [
        'username',
        'email',
        'password',
        'timezone'
    ];

    protected $honeyPotFields = [
        'username_hp',
        'email_hp',
        'password_hp'
    ];

Question I now have is how do I extend this to add my own entries to the protected $hashedFields and protected $honeyPotFields?

 

[Chris D]

There is a section about extending classes in the documentation:

General concepts | Developer Documentation | XenForo

Developer documentation for XenForo

xenforo.com

 

[Ozzy47]

There is a section about extending classes in the documentation:

General concepts | Developer Documentation | XenForo

Developer documentation for XenForo

xenforo.com

Okay, I’ll have to poke around, thanks.

 

[Ozzy47]

Ok, so I have created a file in src/addons/SPAMINATOR/XP/Pub/Controller/Register.php

In this file I have the following code:

<?php

namespace SPAMINATOR\XF\Pub\Controller;

use XF\ConnectedAccount\Provider\AbstractProvider;
use XF\ConnectedAccount\ProviderData\AbstractProviderData;
use XF\Mvc\ParameterBag;

class RegisterForm extends \XF\Service\AbstractService
{
    protected $hashedFields = [
        'accepts'
    ];

    protected $honeyPotFields = [
        'accepts_hp'
    ];
}  

class Register extends XFCP_Register
{
    public function actionHelloWorld()
    {
        return $this->message('Hello world!');
    }
}

Now I also created a class extension in the ACP:

Base class name: XF\Pub\Controller\Register
Extension class name: SPAMINATOR\XF\Pub\Controller\Register

It is enabled and assigned to the addon.

Now if I go to mysite.com/index.php?register/hello-world I see a Hello World message which is good.

Problem is, when someone registers, and fills out one of the honeypots that have a name of "accepts" the registration is not denied, which it should be.