Open orchardbot opened 11 years ago
@sebastienros commented:
Should be extensible, LogOn is a Part. We use a fake content item in edit mode to render the login form / registration.
http://english.orchardproject.hu/blog/the-orchard-dynamic-page-pattern
kurtmang commented:
I am getting overloaded by spam user registrations and I'm afraid it's not apparent how to recaptcha protect the registration form.
@Piedone commented:
LogOn is NOT a part, and neither is registration, which is what this issue is about.
As far as I can see, the best generic way to fight spam with registration would be to inject a fake content item's display into the registration page (can be done through an MVC filter) so you can attach antispam parts to it, and in IUserEventHandler.Created() check for validity.
That is, if you want to implement it yourself. Otherwise we could have some official way of doing this, even by building a dynamic page for registration.
Implemented in https://lombiqantispam.codeplex.com/ but it's a bit hackish: still, we'd need an extensible registration (and login) screen.
As with #4130 and #516, we could provide a recipe that creates a "RegistrationWidget" using the LayoutPart and accompanying workflow, and then users have the option of enhancing the registration form by adding the ReCaptcha element (which comes out of the box with Orchard 1.9).
Just an FYI:
My network services team used Tinfoil Security to scan one of my Orchard 1.10.1 sites. They supposedly used a "light" attack setting, and it created over 600 users that I couldn't delete within the admin interface (they had some crazy code inject names). Moreover, it caused database blocking alerts during the attack.
If it had been a prolonged (or real) attack, I would have had to take the site off-line.
I have since manually added ReCaptcha to my registration page by modifying Orchard.Users and the registration template in my theme. This meant both Orchard.Users and the theme module required Orchard.AntiSpam to be turned on (a dependency).
@dalenewman could you please open a separate issue about users not being removable? That sounds like another serious, but separate issue.
Agreed with @Piedone that you should file another issue with the non-deletable users. We fixed a related issue for special chars but you mention 1.10.1 so I assume we really care about it.
I agree we could use a recaptcha on this screen. A mitigation is to remove registration, or at least enable email confirmation.
@bleroy created: https://orchard.codeplex.com/workitem/19286
Captcha protection on registration is even more important than on comments.