spam checking - boards are not handling CAPTCHA display properly

Summary

Boards are not handling CAPTCHA display properly.

This bug is separate from others related to SpamCheck being too restrictive in some cases, but that's a separate issue. However, combined, they make the problem with boards more severe than otherwise would be the case.

Setting severity2 as the only workaround is to leave the board to create the issue, rendering the "issue creation from boards" feature unusable in some situations.

Steps to reproduce

Example Project

What is the current bug behavior?

When creating an issue from a board, if the spam check suspects the issue is a spam issue, a CAPTCHA isn't being displayed.

What is the expected correct behavior?

A CAPTCHA should be displayed.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Related issues

GitLab team members can find out more in some support tickets relating to creating issues from boards. (1, 2) plus some linked confidential issues.

Possible fixes

From https://gitlab.com/gitlab-org/gitlab/-/issues/29400#note_649211467 (multiple comments edited and consolidated for clarity):

I haven't looked into this bug at all, but it's in all likelihood because the backend doesn't yet have the proper support for GraphQL updates.

Normal Rails actions (including REST APIs and both HTML/JSON form submissions) go through one path for spam, whereas GraphQL API calls go through a different path.

Even though they may share Services (which also need proper spam/CAPTCHA support added), you also need to add spam/CAPTCHA support in the relevant controller/helper OR mutation.

So, in this case, it's likely that the service already has the support, but the GraphQL mutation does not.