Add honeypot on forum

2025-10-31 17:13:08 +00:00 · 2024-07-22 11:40:11 +02:00
parent c7f8cdd098
commit 2c8f18d7fc
4 changed files with 33 additions and 2 deletions
--- a/forum/templates/forum/reply.jinja
+++ b/forum/templates/forum/reply.jinja
@@ -29,6 +29,7 @@
 {% endif %}
    <form action="" method="post" enctype="multipart/form-data">
        {% csrf_token %}
+        {% render_honeypot_field settings.HONEYPOT_FIELD_NAME_FORUM %}
        {{ form.as_p() }}
        <p><input type="submit" value="{% trans %}Save{% endtrans %}" /></p>
    </form>
--- a/forum/tests.py
+++ b/forum/tests.py
@@ -14,6 +14,7 @@
 #

 import pytest
+from django.conf import settings
 from django.test import Client
 from django.urls import reverse
 from pytest_django.asserts import assertRedirects
@@ -24,13 +25,14 @@ from forum.models import Forum, ForumMessage, ForumTopic

@pytest.mark.django_db
 class TestTopicCreation:
-    def test_topic_creation_success(self, client: Client):
+    def test_topic_creation_ok(self, client: Client):
        user: User = User.objects.get(username="root")
        forum = Forum.objects.get(name="AE")
        client.force_login(user)
        payload = {
            "title": "Hello IT.",
            "message": "Have you tried turning it off and on again ?",
+            settings.HONEYPOT_FIELD_NAME_FORUM: settings.HONEYPOT_VALUE,
        }
        assert not ForumTopic.objects.filter(_title=payload["title"]).exists()
        response = client.post(reverse("forum:new_topic", args=str(forum.id)), payload)
@@ -46,13 +48,28 @@ class TestTopicCreation:
        assert topic
        assert topic.last_message.message == payload["message"]

-    def test_topic_creation_failure(self, client: Client):
+    def test_topic_creation_honeypot_fail(self, client: Client):
+        user: User = User.objects.get(username="root")
+        forum = Forum.objects.get(name="AE")
+        client.force_login(user)
+        payload = {
+            "title": "You shall",
+            "message": "Not pass !",
+            settings.HONEYPOT_FIELD_NAME_FORUM: settings.HONEYPOT_VALUE + "random",
+        }
+        assert not ForumTopic.objects.filter(_title=payload["title"]).exists()
+        response = client.post(reverse("forum:new_topic", args=str(forum.id)), payload)
+        assert response.status_code == 200
+        assert not ForumTopic.objects.filter(_title=payload["title"]).exists()
+
+    def test_topic_creation_fail(self, client: Client):
        user: User = User.objects.get(username="krophil")
        forum = Forum.objects.get(name="AE")
        client.force_login(user)
        payload = {
            "title": "You shall",
            "message": "Not pass !",
+            settings.HONEYPOT_FIELD_NAME_FORUM: settings.HONEYPOT_VALUE,
        }
        assert not ForumTopic.objects.filter(_title=payload["title"]).exists()
        response = client.post(reverse("forum:new_topic", args=str(forum.id)), payload)
--- a/forum/views.py
+++ b/forum/views.py
@@ -22,6 +22,7 @@
 #
 #
 import math
+from functools import partial

 from ajax_select import make_ajax_field
 from django import forms
@@ -32,11 +33,13 @@ from django.db import IntegrityError
 from django.shortcuts import get_object_or_404
 from django.urls import reverse_lazy
 from django.utils import html, timezone
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, ListView, RedirectView
 from django.views.generic.detail import SingleObjectMixin
 from django.views.generic.edit import CreateView, DeleteView, UpdateView
 from haystack.query import RelatedSearchQuerySet
+from honeypot.decorators import check_honeypot

 from core.views import (
    CanCreateMixin,
@@ -242,6 +245,9 @@ class TopicForm(forms.ModelForm):
    title = forms.CharField(required=True, label=_("Title"))


+@method_decorator(
+    partial(check_honeypot, field_name=settings.HONEYPOT_FIELD_NAME_FORUM), name="post"
+)
 class ForumTopicCreateView(CanCreateMixin, CreateView):
    model = ForumMessage
    form_class = TopicForm
@@ -331,6 +337,9 @@ class ForumMessageView(SingleObjectMixin, RedirectView):
        return self.object.get_url()


+@method_decorator(
+    partial(check_honeypot, field_name=settings.HONEYPOT_FIELD_NAME_FORUM), name="post"
+)
 class ForumMessageEditView(CanEditMixin, UpdateView):
    model = ForumMessage
    form_class = forms.modelform_factory(
@@ -381,6 +390,9 @@ class ForumMessageUndeleteView(SingleObjectMixin, RedirectView):
        return self.object.get_absolute_url()


+@method_decorator(
+    partial(check_honeypot, field_name=settings.HONEYPOT_FIELD_NAME_FORUM), name="post"
+)
 class ForumMessageCreateView(CanCreateMixin, CreateView):
    model = ForumMessage
    form_class = forms.modelform_factory(
--- a/sith/settings.py
+++ b/sith/settings.py
@@ -287,6 +287,7 @@ REST_FRAMEWORK["UNAUTHENTICATED_USER"] = "core.models.AnonymousUser"
 HONEYPOT_FIELD_NAME = "body2"
 HONEYPOT_VALUE = "content"
 HONEYPOT_RESPONDER = custom_honeypot_error  # Make honeypot errors less suspicious
+HONEYPOT_FIELD_NAME_FORUM = "message2"  # Only used on forum


 # Email