aryehraber / statamic-captcha

Statamic Addon that protects your Statamic forms using a Captcha service.
MIT License

can disable the captcha #10

Closed. edalzell closed this 3 years ago

edalzell commented 3 years ago

Missed something in previous PR.

In some cases it would be nice to be able to disable the captcha, like if doing something via AJAX.

Allow the user to send a disable_captcha set to true to not check it (cuz it won't be there).

aryehraber commented 3 years ago

Hey @edalzell, I'm not sure about this one, feels like an easy way to get around spamming a site...

In the past, when I've needed a particular form to be accessible via ajax from an external source, I turned captcha off for that form (removed the form from the forms config option). In cases where a form exists on the site + ajax from an external source is needed (very rare in my experience), I'd duplicate the form to keep captcha protection for the on-site version.

I realise every use-case is different, so could you explain a little bit about yours?

If we go through with this feature, perhaps a different implementation is possible? Something that doesn't make all forms insecure due to this 1 extra request input. Or maybe simply an extra config option that opts-in to this behaviour? Plus, I'd like to see a check if the request is indeed an ajax request (see comment).

edalzell commented 3 years ago

Hey @edalzell, I'm not sure about this one, feels like an easy way to get around spamming a site...

[snip] I realise every use-case is different, so could you explain a little bit about yours?

Ya @aryehraber, I totally get what you're saying, it was a concern to me too. Let's get a good solution figured out.

Our situation is that we have created a way to save entries from the front end, a custom one since Workshop isn't supported. We'd like captcha to work there, and it does, which is great.

However people are able to "like" posts, which also updates (and therefore saves) the entry and we don't have captcha there (it's only a button click, no chance for spam). So I'd like a way of disabling captcha for one request.

In Charge, I encrypt the form params (see here), so that folks can't change them, we could do that here?

i.e. have an options param that must be encrypted. That way no one on the front end can disable cuz they can't encrypt it properly, etc.
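
An added example, in plain PHP, of the signed options parameter sketched in the comment above; it is not Charge's code and not this addon's. The `_options` request field, the `signOptions()`/`verifyOptions()`/`captchaDisabledFor()` helpers, the option keys and the secret are all assumptions made for the example:

```php
<?php
// Added example (not Charge's or statamic-captcha's code): a tamper-evident
// options parameter. The server signs the options it renders into the form,
// and the request handler honours `disable_captcha` only when the MAC verifies.
// Assumed names: `_options` request field, signOptions()/verifyOptions(),
// captchaDisabledFor(), the secret key; option keys are constructed here.
declare(strict_types=1);

// Build the value of the hidden `_options` input: base64(JSON) . '.' . HMAC.
function signOptions(array $options, string $key): string
{
    $payload = base64_encode(json_encode($options, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Return the decoded options, or null if the token is malformed or its MAC
// does not verify. hash_equals() keeps the comparison constant-time.
function verifyOptions(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $options = json_decode($json, true);
    return is_array($options) ? $options : null;
}

// Decide whether Captcha may be skipped for this request. The signed options
// also name the form being submitted, so a token issued for one form cannot
// be replayed against another.
function captchaDisabledFor(array $request, string $form, string $key): bool
{
    $token = $request['_options'] ?? null;
    $options = is_string($token) ? verifyOptions($token, $key) : null;
    if ($options === null || ($options['form'] ?? null) !== $form) {
        return false; // unsigned, tampered or wrong form: always verify
    }
    return ($options['disable_captcha'] ?? false) === true;
}

// Constructed inputs for demonstration.
$key = 'constructed-secret-not-for-production';

// What the server renders for the "like" button of the blog form.
$legit = [
    'likes'    => 13,
    '_options' => signOptions(['form' => 'blog', 'disable_captcha' => true], $key),
];

// A client that just sends the flag, and one that forges the payload with a bogus MAC.
$unsigned = ['likes' => 13, 'disable_captcha' => true];
$forged = [
    'likes'    => 13,
    '_options' => base64_encode(json_encode(['form' => 'blog', 'disable_captcha' => true]))
                  . '.' . str_repeat('0', 64),
];

// A valid blog token reused against a different form.
$replayed = ['title' => 'spam', '_options' => $legit['_options']];

var_dump(captchaDisabledFor($legit, 'blog', $key));
var_dump(captchaDisabledFor($unsigned, 'blog', $key));
var_dump(captchaDisabledFor($forged, 'blog', $key));
var_dump(captchaDisabledFor($replayed, 'contact', $key));
```

The signature makes the flag tamper-evident, but anyone who can load the page obtains a valid token for that form and can replay it from a script; the per-form check only stops cross-form reuse. The opt-out is therefore only as safe as the request it is attached to, which is the reason the thread moves toward exempting specific fields rather than trusting a flag.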

aryehraber commented 3 years ago

Hey @edalzell, thanks for going into more detail! It sounds like this feature will only be needed for Entries, since any Statamic forms that need to be bypassed can simply be removed from the config.

I'd like to mull this over a little longer. I have an idea but need to verify whether it'd work and whether the DX would be good.

In short: I envision an advanced option for the collections config which allows for additional config options to be defined as an associative array. We could then allow for an "exceptions" or "ignore" attribute where we add whitelisted fields which if a form request only contains those fields will ignore Captcha verification. Eg:

config/captcha.php

<?php

return [
    // ...
    'collections' => [
        'blog' => [
            'ignore' => ['some_field', 'another_field'],
        ],
    ],
    // ...
];

edalzell commented 3 years ago

Ya, that would work great @aryehraber: a simple array_intersect on that array plus $request->all().

aryehraber commented 3 years ago

Exactly, glad you agree 😊 Will try and find some time for this over the coming weeks, or if you'd like to take a stab at updating this PR sooner, let me know!
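
An added example, not the addon's own implementation, of the per-collection "ignore" check discussed in the two comments above. The config shape mirrors the proposal; `shouldSkipCaptcha()`, `captchaConfig()`, the field names in the ignore list and the framework field names (`_token`, `_method`) are assumptions:

```php
<?php
// Added example (not statamic-captcha's code): skip Captcha only when every
// submitted field is on the collection's ignore list. The config shape mirrors
// the one proposed in the thread; captchaConfig(), shouldSkipCaptcha(), the
// ignored field names and the framework field names are assumptions.
declare(strict_types=1);

function captchaConfig(): array
{
    return [
        'collections' => [
            'blog' => [
                'ignore' => ['likes', 'liked_by'],
            ],
        ],
    ];
}

// Subset test: (submitted keys) minus (ignore list) must be empty. A plain
// array_intersect is not sufficient, because a request carrying 'likes' plus a
// spam 'content' field still intersects with the list and would be waved through.
function shouldSkipCaptcha(
    string $collection,
    array $input,
    array $config,
    array $framework = ['_token', '_method']
): bool {
    $ignore = $config['collections'][$collection]['ignore'] ?? [];
    if ($ignore === []) {
        return false; // nothing configured for this collection: always verify
    }
    // Drop framework bookkeeping fields (assumed names) before comparing.
    $submitted = array_diff(array_keys($input), $framework);
    if ($submitted === []) {
        return false; // empty submission: nothing to exempt, verify as usual
    }
    return array_diff($submitted, $ignore) === [];
}

// Constructed requests standing in for $request->all().
$likeOnly     = ['_token' => 'csrf', 'likes' => 13];
$likePlusBody = ['_token' => 'csrf', 'likes' => 13, 'content' => 'cheap pills'];

var_dump(shouldSkipCaptcha('blog', $likeOnly, captchaConfig()));      // like only: exempt
var_dump(shouldSkipCaptcha('blog', $likePlusBody, captchaConfig()));  // extra field: verify
var_dump(shouldSkipCaptcha('news', $likeOnly, captchaConfig()));      // no ignore list: verify
```

Two things to watch when wiring this into the addon: the ignore list must never contain the captcha response field itself or any field a spammer could use to carry content, and the key set compared should be the raw request input rather than only the blueprint fields, so that unexpected extra parameters force verification instead of slipping past it.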

aryehraber commented 3 years ago

Closing due to merged alternate PR: https://github.com/aryehraber/statamic-captcha/pull/11

Thanks for the help, especially with reviewing the other PR!