-
-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run on_spam callback if timestamp triggers but passes through #132
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #132 +/- ##
==========================================
+ Coverage 98.39% 98.44% +0.05%
==========================================
Files 22 22
Lines 435 449 +14
==========================================
+ Hits 428 442 +14
Misses 7 7 ☔ View full report in Codecov by Sentry. |
Thanks @bb! I think that change makes sense 🤔 but I'm a bit worried if this can potentially break any app during the upgrade. |
Let's analyze the code paths to see whats happening to see if we find any potentially breaking codepaths:
So, we only need to look at the last bullet. Next question is: Has this been a supported code path? If no: we could break it. If yes: why wasn't it in the tests/specs? Now let's look at the use case an app could have implemented: if and only if timespan spam is detected, skip both the honeypot spam check and the spinner check and let the action be performed. Is this something which you currently want to have supported and don't want to change? Personally, I was surprised why the honeypot check was not performed when I out-commented code in my timespan callback. Did I cover everything? Does this reasoning convince you? If it doesn't, are you considering this for the next major version? Or would you prefer to make the change opt-in? |
Thanks for such detailed analysis 👍🏼
You know, having 100% mutant coverage testing would be the perfect situation in the perfect world, but at the end of the day this is just a gem I built and maintained for free for more than 10 years, so yeah probably there are things that aren't covered. But after your reasoning, I now think that probably this is not that breaking 😅 ... On the other hand, I don't have the exact numbers, but probably most of the people are using the defaults. We can also introduce a new opt-in setting, but this gem already has a lot of flags and this makes things harder in the long-run. So, I'm now in favor of merging and releasing as it is. Let's add a Changelog entry, so at least if anybody has a problem with that change, they can track it by reading the Changelog file. |
I'm happy you didn't choose the opt-in option 😅 |
If you don't mind, let's add a new "unreleased" section at the top of the file, describing the behavoir change. It will be released soon, probably as v2.3. |
done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @bb
I'd like to allow letting pass a request in
on_timespan_spam
.However, when I decide to allow a request in my
on_timespan_spam
callback, the honeypot_spam detection is never run. The reason is obviously theelsif
ininvisible_captcha/lib/invisible_captcha/controller_ext.rb
Line 24 in 6a19a93
This PR changes the controller extension so that the on_spam detection and callback are still performed, even though the
timestamp_spam?
triggered buton_timespan_spam
callback doesn't render/redirect.Use cases
current_visit.events
Specs
All existing specs continue to pass unchanged.
Two new examples were added.
The first one succeeds with the new controller extension code but fails with the old controller extension code.
The second one succeeds also with the old code, but for the wrong reason.