wpexpertsio / cf7-honeypot

Contact Form 7 Honeypot - Adds honeypot anti-spam functionality to CF7 forms.

Remove warning from CF7 if honeypot is added #20

Open Zodiac1978 opened 10 months ago

Zodiac1978 commented 10 months ago

CF7 introduced a new validator: unsafe email config in version 5.8.1: https://contactform7.com/2023/09/28/contact-form-7-581/

See this document for more details: https://contactform7.com/configuration-errors/unsafe-email-without-protection/

As stated in this issue, this error message will not go away if Honeypot is used: https://github.com/rocklobster-in/contact-form-7/issues/1284

But as explained in this doc article, it can be disabled: https://contactform7.com/2023/10/15/disabling-only-specific-error-types-of-config-validator/

Using this code:

add_filter(
    'wpcf7_config_validator_available_error_codes',
    function ( $error_codes, $contact_form ) {

        // List error codes to disable here.
        $error_codes_to_disable = array(
            'unsafe_email_without_protection',
        );

        $error_codes = array_diff( $error_codes, $error_codes_to_disable );

        return $error_codes;
    },
    10, 2
);

Maybe you could add this to your plugin.

Edit: This could also be a setting or only apply if every form has a honeypot.

nocean commented 10 months ago

It's early and coffee not fully absorbed yet, but if my understanding is correct, this has been developed to protect users from accidentally turning their forms into something that spam bots can exploit, correct? And if a form is found to be vulnerable a warning is given unless reCaptcha is installed. I think I might agree with Takayuki Miyoshi that honeypots aren't enough security to disable this function. My concerns are:

  1. Silently disabling this in the honeypot plugin will make many sites unknowingly vulnerable to being abused in the way this function is meant to prevent. In a perfect world the honeypot plugin would stop the behaviour, but I know honeypot protection isn't foolproof.
  2. Making it an option is better, but it still feels like I'd be overriding core CF7 functionality, which isn't really the purview of this plugin. This type of option seems like it should be a CF7 option, and that it is not seems like a statement from Miyoshi that he feels it is an essential component.

I'm definitely open to debate on either of the above, and if I've misunderstood how this function works, please let me know.

-Ryan

Zodiac1978 commented 10 months ago

I think I might agree with Takayuki Miyoshi that honeypots aren't enough security to disable this function.

I have maintained Antispam Bee for 8 years now and I use your plugin on hundreds of websites. I think honeypots are safe enough. Not 100% safe, but safe enough to protect against most spam. Just like reCaptcha itself, which is not perfect either.

Many companies couldn't use reCaptcha due to GDPR (or don't want to). But this is the only way to get rid of this warning.

I wrote a little helper plugin which checks if a honeypot is used in a form and if yes, disables this warning for this form. This will work for me.

Not sure what to debate now. If you think this warning is essential and a honeypot is not safe enough, then every user with "Mail 2" in use will get a warning.

Zodiac1978 commented 1 week ago

Hey @syedaliObjects @wpexpertsio, great to see new releases here! 👍

Any plans to tackle this issue here? I can share my code if you are interested.

syedaliObjects commented 3 days ago

@Zodiac1978 regarding this issue, I wasn't able to view the mentioned warning on my end. Is it still there? If yes, can you share the steps/screenshots on how to make it visible? Once we are able to view it we can discuss the possibilities as suggested by @nocean. Looking forward to your response.

Thanks.

Zodiac1978 commented 3 days ago

I wasn't able to view the mentioned warning on my end. Is it still there? If yes, can you share the steps/screenshots on how to make it visible?

You need to configure a "Mail 2" which is sent to the mail address of the visitor filling out the contact form, without ReCaptcha configured.

Because this email is now sent to a third person (maybe without consent), we must be sure it is not misused by spammers. The author of CF7 is only accepting ReCaptcha to avoid this warning.

I think the Honeypot is secure enough to prevent this warning.

Hope this makes it more clear.

If not, please don't hesitate to ask again for more detailed steps.

syedaliObjects commented 1 day ago

@Zodiac1978, please share the patch so we can manage the release for it.

Thanks

Zodiac1978 commented 1 day ago

I check for the existence of the honeypot looking for the string "[honeypot" and then remove the warning. Maybe you have another solution. This is my way:

/**
 * Remove "unsafe email config" error message
 *
 * @param array  $error_codes  List of error codes.
 * @param object $contact_form Current contact form object.
 * @return array               Modified array of error codes, without "unsafe_email_without_protection".
 */
function remove_cf7_error_messages( $error_codes, $contact_form ) {
    // List error codes to disable here.
    $error_codes_to_disable = array(
        'unsafe_email_without_protection',
    );

    // Raw form template text of the current contact form.
    $form_content = $contact_form->get_properties()['form'];

    // Strict comparison: strpos() returns 0 (falsy) when the honeypot tag is
    // the very first thing in the template, so a bare truthiness check would
    // miss that case and leave the warning in place.
    if ( false !== strpos( $form_content, '[honeypot' ) ) {
        $error_codes = array_diff( $error_codes, $error_codes_to_disable );
    }

    return $error_codes;
}
add_filter( 'wpcf7_config_validator_available_error_codes', 'remove_cf7_error_messages', 10, 2 );
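Added example (not the plugin's code and not the commenter's patch): the same filter, but the honeypot check goes through CF7's form-tag scanner instead of a substring search, so a stray "[honeypot" in template text does not count, and the suppression is opt-in so the warning is not silently removed for every site. It assumes WPCF7_ContactForm::scan_form_tags() accepts a 'type' condition (as in CF7 5.x); the filter name cf7_honeypot_suppress_unsafe_email_warning is hypothetical.

```php
<?php
/**
 * True when the contact form actually contains a [honeypot] form tag.
 *
 * @param WPCF7_ContactForm $contact_form Current contact form object.
 * @return bool
 */
function cf7_honeypot_form_has_honeypot( $contact_form ) {
    if ( method_exists( $contact_form, 'scan_form_tags' ) ) {
        // Assumed CF7 API: returns the parsed form tags matching the condition,
        // so only a real honeypot tag counts, not the literal text "[honeypot".
        $tags = $contact_form->scan_form_tags( array( 'type' => 'honeypot' ) );
        return ! empty( $tags );
    }

    // Fallback for older CF7 builds: strict comparison, because strpos()
    // returns 0 (falsy) when the tag is at the start of the template.
    $form = $contact_form->get_properties()['form'];
    return is_string( $form ) && false !== strpos( $form, '[honeypot' );
}

/**
 * Drop "unsafe_email_without_protection" only for forms that carry a honeypot
 * tag and only when the site owner has opted in via the (hypothetical) filter.
 *
 * @param array  $error_codes  Error codes the config validator may report.
 * @param object $contact_form Current contact form object.
 * @return array
 */
function cf7_honeypot_filter_error_codes( $error_codes, $contact_form ) {
    // Opt-in: default false keeps CF7's warning unless the owner enables this.
    $suppress = apply_filters( 'cf7_honeypot_suppress_unsafe_email_warning', false, $contact_form );

    if ( ! $suppress || ! cf7_honeypot_form_has_honeypot( $contact_form ) ) {
        // Leave the validator untouched: no honeypot means the Mail 2 risk is real.
        return $error_codes;
    }

    $disabled = array( 'unsafe_email_without_protection' );
    return array_values( array_diff( $error_codes, $disabled ) );
}
add_filter( 'wpcf7_config_validator_available_error_codes', 'cf7_honeypot_filter_error_codes', 10, 2 );
```

A site owner enables the suppression with `add_filter( 'cf7_honeypot_suppress_unsafe_email_warning', '__return_true' );`, so forms without a honeypot tag keep the warning even on sites that opt in.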