Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 2.0
- Fix Version/s: 2.2.0
- Component/s: None
- Labels: None
Description
We'll prevent bots and spammers from abusing this form by allowing an admin to include reCAPTCHA in the subscribe form. reCAPTCHA will be included automatically in the form if the reCAPTCHA keys are configured for the site.
Also allow an admin to control the page a user is sent to after subscribing by passing in a "destination" parameter (URL).
If destination is not set, the user should be redirected back to the referer page after submitting the form (the page they came to the form from).
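The following is an added PHP example, not CiviCRM's own code, showing one way to resolve the post-subscribe redirect described above: use the "destination" parameter when present, fall back to the HTTP Referer, and otherwise land on a default page. Because both values are attacker-controlled request data, the example only accepts targets on the site's own host, so the redirect cannot be used to bounce subscribers to an arbitrary third-party site. The function names (`isLocalUrl`, `resolveSubscribeRedirect`) and the host `www.example.org` are assumptions for illustration.

```php
<?php
// Added example (hypothetical helper names, not part of CiviCRM).

/**
 * Return true only if $url points at a page on $siteHost, i.e. it is either
 * an absolute path ("/civicrm/...") or an http(s) URL whose host is our own.
 */
function isLocalUrl(string $url, string $siteHost): bool {
    $url = trim($url);
    if ($url === '') {
        return false;
    }
    // Reject protocol-relative ("//other.example") and backslash variants
    // before parse_url() gets a chance to misread them as a path.
    if (preg_match('#^[/\\\\]{2}#', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: only http(s) on our own host is acceptable.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return false;
        }
        return isset($parts['host']) && strcasecmp($parts['host'], $siteHost) === 0;
    }
    // Relative URL: must be an absolute path on this site.
    return isset($parts['path']) && $parts['path'][0] === '/';
}

/**
 * Choose where to send the user after the subscribe form is submitted:
 *   1. ?destination=... if present and local,
 *   2. otherwise the Referer header if present and local,
 *   3. otherwise a safe default page.
 */
function resolveSubscribeRedirect(array $query, array $server, string $siteHost, string $default = '/'): string {
    $candidates = [$query['destination'] ?? null, $server['HTTP_REFERER'] ?? null];
    foreach ($candidates as $candidate) {
        if (is_string($candidate) && isLocalUrl($candidate, $siteHost)) {
            return $candidate;
        }
    }
    return $default;
}

// Constructed sample requests (not real traffic) exercising each branch.
$host = 'www.example.org';
$samples = [
    // destination present and local: used as-is
    [['destination' => '/civicrm/profile/view?gid=3'], []],
    // destination points off-site: ignored, local referer used instead
    [['destination' => 'https://third-party.example/page'], ['HTTP_REFERER' => 'https://www.example.org/news']],
    // protocol-relative destination and no referer: default page
    [['destination' => '//third-party.example'], []],
    // nothing usable at all: default page
    [[], ['HTTP_REFERER' => 'javascript:alert(1)']],
];
foreach ($samples as [$query, $server]) {
    echo resolveSubscribeRedirect($query, $server, $host), PHP_EOL;
}
```

In a real integration the host comparison would use the site's configured base URL rather than `$_SERVER['HTTP_HOST']`, since the latter is also supplied by the client; the referer fallback is best-effort because browsers may strip or omit the header.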
— Original Post from Nathan —
When subscribing to a mailing list (/civicrm/mailing/subscribe?reset=1) a new user is created in the database before the double opt-in process has completed, and to compound that there isn't a captcha on the form. Unless I've missed something, this would mean that anyone, including a bot, could spam the database mercilessly, creating an unlimited number of new CRM users that have nothing more than an email address and a pending Group subscription.
It seems to me that at the very least a new user should never be entered into the database until the email has been verified (double opt-in completed), and it would be even wiser to have a captcha to prevent bots from being able to cause mass amounts of verification emails to be sent to arbitrary people. Maybe this has already been fixed or implemented in 2.1??