fix(sign_up): temporarily disable recaptcha on create_unauthenticated #8258
adi-herwana-nus wants to merge 1 commit into master
Pull request overview
This PR disables the reCAPTCHA check for the unauthenticated enrol-request creation endpoint (Course::EnrolRequestsController#create_unauthenticated), which is part of the course enrolment request flow.
Changes:
- Commented out the verify_recaptcha enforcement in create_unauthenticated.
| # unless verify_recaptcha | ||
| # render json: { errors: { recaptcha: t('errors.user.registrations.verify_recaptcha_alert') } }, | ||
| # status: :unprocessable_entity | ||
| # return | ||
| # end |
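Review bot: The five commented-out lines (`# unless verify_recaptcha` through `# end`) leave the check as dead code, with nothing in the file saying why it is off or when it comes back. Delete the block and leave a one-line TODO that points at the follow-up work, or keep the call behind an explicit setting so that re-enabling it is a configuration change rather than another code edit. With the check gone, nothing visible in this hunk limits how often an unauthenticated client can reach the rest of the action.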
The reCAPTCHA gate in create_unauthenticated has been commented out, which removes the only bot/abuse protection for a publicly accessible endpoint that creates enrol requests and sends emails. This is a security/operational regression (spam enrol requests, mail queue flooding). Please restore the verify_recaptcha check (or gate the bypass behind an explicit config/feature flag limited to non-production environments), and remove the commented-out block once the intended behavior is implemented.
| # unless verify_recaptcha | |
| # render json: { errors: { recaptcha: t('errors.user.registrations.verify_recaptcha_alert') } }, | |
| # status: :unprocessable_entity | |
| # return | |
| # end | |
| if Rails.env.production? && !verify_recaptcha | |
| render json: { errors: { recaptcha: t('errors.user.registrations.verify_recaptcha_alert') } }, | |
| status: :unprocessable_entity | |
| return | |
| end |
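Review bot: The condition `if Rails.env.production? && !verify_recaptcha` ties the captcha to the environment name, so every non-production deployment skips it, and the commented-out copy of the same check above it is now redundant. Drop the commented lines and consider a dedicated setting in place of `Rails.env.production?`, so that which deployments enforce the captcha is stated explicitly. This version also still enforces the check in production, so it does not do what the PR title asks for.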
Temporarily disable captcha check on unauthenticated user signup.
Preceding operation (creation of new user) is still protected by captcha.
To follow up with a long-term solution (merging user creation & enrolment into a single request) ASAP.