wWagtail honeypot package
Project description
Wagtail Honeypot
Use this package to add optional honeypot proection to your Wagtail forms.
Honey pot protection is a way to trick bots into submitting data in fields that should remain empty. The package prvides a text field that should remain empty and checks a time interval between the form being displayed and submitted. The defualt interval is 3 seconds. If the form is submitted before the interval expires the submission is ignored.
How it works
When the Wagtail Form is submitted, and the honeypot protection is enabled the honeypot fields & values are in the POST
data.
- If the fields and values are valid or the Honeypot feature is not enabled then the form is submitted normally.
- If the Honeypot feature is enabled and the validation fails the form is not processed but visibly and to a bot the form was successfully submitted.
# process_form_submission is overriding the function in AbstractEmailForm
def process_form_submission(self, form):
honeypot_name = getattr(settings, "HONEYPOT_NAME", "whf_name")
honeypot_time = getattr(settings, "HONEYPOT_TIME", "whf_time")
honeypot_interval = getattr(settings, "HONEYPOT_INTERVAL", 3)
# honey pot disabled
if not self.honeypot:
return super().process_form_submission(form)
# honeypot enabled
score = []
if honeypot_name in form.data and honeypot_time in form.data:
score.append(form.data[honeypot_name] == "")
score.append(self.time_diff(form.data[honeypot_time], honeypot_interval))
return (
super().process_form_submission(form)
if len(score) and all(score)
else None
)
@staticmethod
def time_diff(value, interval):
now_time = str(time.time()).split(".")[0]
diff = abs(int(now_time) - int(value))
return True if diff > interval else False
You can provide your own process_form_submission
method if you need an alternative behaviour.
Installation
pip install wagtail-honeypot
Wagtail Setup
Honeypot Text Field
<input type="text" name="whf_name" id="whf_name" data-whf_name="" tabindex="-1" autocomplete="off">
You can change the text field name by adding the following to your settings.
HONEYPOT_NAME="foo"
Honeypot Time Field
<input type="hidden" name="whf_time" id="whf_time" data-whf_name="" tabindex="-1" autocomplete="off">
You can change the time field name by adding the following to your settings.
HONEYPOT_TIME="bar"
You can change the time interval by adding the following to your settings.
HONEYPOT_INTERVAL=1
Honeypot Template Tag
To render the honeypot fields in your form page template use the provided template tag.
{% load honeypot_tags %} # load the template tag
<form>
...
{% honeypot_fields %} # add the honeypot fields to your form
...
</form>
Honeypot Model Mixin
The mixin will add a honeypot field to your form page model.
honeypot = models.BooleanField(default=False, verbose_name="Honeypot Enabled")
It also adds a form panel you can use.
If you follow the official Wagtail docs for the Form Builder your form should look something like this...
class FormPage(HoneypotMixin): # <-- add the mixin
intro = RichTextField(blank=True)
thank_you_text = RichTextField(blank=True)
content_panels = AbstractEmailForm.content_panels + [
FieldPanel("intro", classname="full"),
InlinePanel("form_fields", label="Form fields"),
FieldPanel("thank_you_text", classname="full"),
MultiFieldPanel(
[
FieldRowPanel(
[
FieldPanel("from_address", classname="col6"),
FieldPanel("to_address", classname="col6"),
]
),
FieldPanel("subject"),
],
"Email",
),
]
# add a edit_handler to enable the Honeypot tab
edit_handler = TabbedInterface(
[
ObjectList(content_panels, heading="Content"),
ObjectList(HoneypotMixin.honeypot_panels, heading="Honeypot"),
ObjectList(Page.promote_panels, heading="Promote"),
ObjectList(Page.settings_panels, heading="Settings", classname="settings"),
]
)
Create a form page and enable the Honeypot protection.
Hide the Honeypot field
View the newly created form page. You will see that the honeypot field is visible and could be submitted with any value. That would block the form submission and that's how it should work.
You can try it out by submitting the form with the honeypot field set to any value. It won't save the form submission.
Use css to hide the honeypot field
Add the following css style to your own sites css...
input[data-whf_name] {
position: absolute;
top: 0;
left: 0;
margin-left: 100vw;
}
Use javascript to hide the honeypot field
var whf_name = "whf_name";
var data_whf_name = "[data-" + whf_name + "]";
document.querySelectorAll(data_whf_name).forEach(function(el) {
el.classList.add(whf_name);
el.setAttribute("style", "position: absolute;top: 0;left: 0;margin-left: 100%;");
});
The end result is the field should be visibly hidden and not be available to receive any value form a site visitor.
When rendered, the fields will have the html attributes tabindex="-1" autocomplete="off"
to prevent a site visitor from using the tab key to move to the field and disable any autocomplete browser functions.
A more complete example is form_page.html from the package test files.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file wagtail-honeypot-0.2.0.tar.gz
.
File metadata
- Download URL: wagtail-honeypot-0.2.0.tar.gz
- Upload date:
- Size: 15.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | b4708e473649914e75a7cdc3ef35d1331cb90323fe211a433d9844e5bb2da7a5 |
|
MD5 | f46576fb92068304738fe0ce8b5480fa |
|
BLAKE2b-256 | 78452c44c89e10ee59f01f594249e3b474f16ee1ec9de20645d6a8d9f286efab |
File details
Details for the file wagtail_honeypot-0.2.0-py3-none-any.whl
.
File metadata
- Download URL: wagtail_honeypot-0.2.0-py3-none-any.whl
- Upload date:
- Size: 18.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | bd4a7cf5401aa2d89f737d40db10ecd83498dc14877100fe24de873610ce0adc |
|
MD5 | eabb97f25eda7129cf4f6ef51511c382 |
|
BLAKE2b-256 | 18cca016061bdf843e9303ef7ead1109ea2f1a036f7cc450a9c427c25538c15d |