64cd6f16d5f331608214b97a2454adaec32d974a max Wed Jul 2 06:40:13 2025 -0700 small improvements after feedback from Brian, refs #36024
diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index b8ac99fbd4b..8c9c9195e56 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1516,87 +1516,88 @@ /* return true if HTTP user-agent is in list of exceptions in hg.conf */ { char *agent = cgiUserAgent(); if (!agent) return FALSE; struct slName *excStrs = cfgValsWithPrefix("noCaptchaAgent."); if (!excStrs) return FALSE; struct excReStr; for (struct slName *sl = excStrs; sl != NULL; sl = sl->next) { if (regexMatch(agent, sl->name)) { - fprintf(stderr, "CAPTCHAPASS %s\n", agent); + fprintf(stderr, "CAPTCHAPASS %s matches %s\n", agent, sl->name); return TRUE; } } return FALSE; } -static boolean captchaCheckDone = FALSE; - void forceUserIdOrCaptcha(struct cart* cart, char *userId, boolean userIdFound, boolean fromCommandLine) /* print captcha if user did not sent a valid hguid cookie or a valid * cloudflare token. Allow certain IPs and user-agents. */ { -// no need to do this again. Can happen if cartNew() is called somewhere else in a CGI +static boolean captchaCheckDone = FALSE; + +// No need to do this again. Can happen if cartNew() is called somewhere else in a CGI if (captchaCheckDone) return; captchaCheckDone = TRUE; if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY))) return; // no captcha for our own QA scripts running on a server with our IP address if (botException()) return; +// certain user agents are allowed to use the website without a captcha if (isUserAgentException()) return; // Do not show a captcha if we have a valid cookie // but for debugging, it's nice to be able to force the captcha if (userId && userIdFound && !cgiOptionalString("captcha")) return; // when the captcha is solved, our JS code does a full page-reload, no AJAX. That saves us one round-trip. 
// After the reload, the new page URL has the captcha token in the URL argument list, so now we need to validate it // and remove it from the cart char *token = cgiOptionalString("token"); if (token && isValidToken(token)) { cartRemove(cart, "token"); return; } printCaptcha(); } void cartRemove(struct cart *cart, char *var); -static boolean genericSetupDone = FALSE; - static void genericCgiSetup() /* Run steps that all CGIs must do that unrelated to the cart: timeout, logging setup, UDC. */ { -// do this only once per CGI +static boolean genericSetupDone = FALSE; + +// do this only once per execution if (genericSetupDone) return; genericSetupDone = TRUE; cgiApoptosisSetup(); if (cfgOptionBooleanDefault("showEarlyErrors", FALSE)) errAbortSetDoContentType(TRUE); if (cfgOptionBooleanDefault("suppressVeryEarlyErrors", FALSE)) htmlSuppressErrors(); setUdcCacheDir(); netSetTimeoutErrorMsg("A connection timeout means that either the server is offline or its firewall, the UCSC firewall or any router between the two blocks the connection.");
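Review bot: The new `fprintf(stderr, "CAPTCHAPASS %s matches %s\n", agent, sl->name);` line writes the value returned by cgiUserAgent() to the log verbatim, and that value is whatever the client chose to send, so a crafted agent string containing " matches " or control characters can make the audit line ambiguous; consider escaping non-printable bytes and delimiting the two fields, or logging the matched pattern first: `fprintf(stderr, "CAPTCHAPASS pattern=%s agent=%s\n", sl->name, agent);`. The comment added above `isUserAgentException()` in forceUserIdOrCaptcha() would be more useful to the next maintainer if it stated the trust assumption, e.g. `// User-Agent is client-supplied and unauthenticated: noCaptchaAgent.* is a convenience allowlist, not an access control, so keep the hg.conf patterns specific`. Whether regexMatch() anchors the pattern or matches any substring is not visible in this hunk and is worth confirming, since it decides how specific those patterns need to be. The function containing the fprintf starts above the hunk and genericCgiSetup() continues below it.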