Posted by wundo on July 10, 2007 at 6:13pm
Just a different challenge by captcha point; every role with captcha enabled sees the same challenge.
75% (3 votes)
Just a different challenge by captcha role; all the points of that role show the same challenge.
25% (1 vote)
A different challenge for each role/point; a different challenge for each point depending on the role configuration.
0% (0 votes)
Total votes: 4
Comments
One Type Of Captcha, Multiple Roles
I have a question: Why would you ever want to use two different types of captcha in your site? If you find that TextImage is the most secure captcha challenge, why would you want to use anything else? That's why the solution of one Captcha challenge with the ability to disable or enable via multiple roles is the best solution.
Here's how it would work:
Having the workflow function like that, you'll be able to have anonymous and untrusted logged in users require the use of Captcha to post comments, but you can have your moderator users post comments without the use of Captcha.
more captcha types
First of all: considering the recent news that the Hotmail and Yahoo image captchas would be gamed, I think it's important to offer a wide range of captcha types. If Drupal would only offer one captcha type (e.g. an image captcha), spammers would only need one image captcha solver to spam all Drupal sites. If we offer a wide range of captcha types (or even meta/polymorphic captchas, like the random_captcha_type module in my rewrite) it is much harder (and less profitable) for spammers to target Drupal sites. As long as humans are more flexible than spam bots, this should work.
Secondly, the image captcha is probably a hard one for spammers (but also for some humans I guess), but it also is more server CPU intensive (you have to generate and png/jpg encode an image), compared to the math captcha. I can imagine there are situations where one can't or doesn't want to use the image captcha or where you want to balance captcha effectiveness and CPU load (e.g. image captcha on user registration and math captcha on comments).
Different Captchas and Image Captcha
I don't think you understood what I was saying. I meant two different types of captcha challenges in one site. Why would you offer Image Captcha with one form, and Text Captcha in another? Wouldn't you rather just offer Image captcha in both? Users like to see consistency when it comes to websites. I haven't seen any Web 2.0 websites that offer two different types of captcha challenges. In a past post of yours, you actually made an argument saying that having that feature bloated the settings page.
And I was just using image captcha as an example. I personally find that reCAPTCHA is the most secure. You also brought up server intensity? reCAPTCHA is less server intensive than image captcha since all processor work is done on their web server rather than the local web server.
It's always a trade-off
when you ask should this module support feature X. Often the tradeoff is Admin UI clutter. In this case (multiple types of captchas on a single site) I thought Soxofaan's UI approach was pretty simple, only a single extra column, so I'd be OK with that.
Supporting multiple roles had the potential to really complicate the settings page, so punting to the user access page was a reasonable compromise.
Issued
Just a quick note that this has moved to an issue. With the proposed solution, we won't be bloating either the settings or the user access page, but will still be giving all the functionality to have different captcha form permissions for each role.