update for rename of ikiwikiusers.mdwn to jasatamanjogja.mdwn

[git.ikiwiki.info.git] / doc / todo / require_CAPTCHA_to_edit.mdwn

diff --git a/doc/todo/require_CAPTCHA_to_edit.mdwn b/doc/todo/require_CAPTCHA_to_edit.mdwn
index d87c7326034b380200f30393da0250fa72f60be8..921e6254afffb02308bebdb9cf319b62bae29e00 100644 (file)
--- a/doc/todo/require_CAPTCHA_to_edit.mdwn
+++ b/doc/todo/require_CAPTCHA_to_edit.mdwn
@@ -2,6 +2,8 @@ I don't necessarily trust all OpenID providers to stop bots.  I note that ikiwik
 
 I imagine a plugin that modifies the login screen to use <http://recaptcha.net/>.  You would then be required to fill in the captcha as well as log in in the normal way.
 
 
 I imagine a plugin that modifies the login screen to use <http://recaptcha.net/>.  You would then be required to fill in the captcha as well as log in in the normal way.
 

+-- [[users/Will]]
+

 > I hate CAPTCHAs with a passion. Someone else is welcome to write such a
 > plugin.
 >
 > I hate CAPTCHAs with a passion. Someone else is welcome to write such a
 > plugin.
 >


@@ -14,6 +16,30 @@ I imagine a plugin that modifies the login screen to use <http://recaptcha.net/>
 >> Something like the moinmoin global <http://master.moinmo.in/BadContent>
 >> list?
 
 >> Something like the moinmoin global <http://master.moinmo.in/BadContent>
 >> list?
 

+>>> OpenID can be thought of as pushing the problem of determining if
+>>> someone is a human or a spambot back from the openid consumer to the
+>>> openid provider. So, providers that make it possible for spambots to
+>>> use their openids, or that are even set up explicitly for use in
+>>> spamming, would be the ones to block. Or, providers that are known to
+>>> use very good screening for humans would be the ones to allow.
+>>> (Openid delegation makes it a bit harder than just looking at the
+>>> openid url though.) --[[Joey]]
+
+>>>> Well, OpenID only addresses authentication issues, not authorisation issues.
+>>>> Given that it is trivial to set up your own OpenID provider (a full provider, not
+>>>> just a forward to another provider), I can't see a
+>>>> blacklist working in the long term (it would be like blacklisting email).
+>>>> A whitelist might work (it would not be quite as bad as whitelisting email).  In any case,
+>>>> there is now a captcha plugin for those that want it.  It is accessible
+>>>> (there is an audio option) and serves a social purpose along with
+>>>> keeping bots out (the captcha is used to help digitise hard to read
+>>>> words in books for [Carnegie Mellon University](http://www.cs.cmu.edu/) and
+>>>> [The Internet Archive](http://www.archive.org/) ).  Finally, because the actual captcha is outsourced
+>>>> it means that someone else is taking care of keeping it ahead of
+>>>> the bot authors.
+
+>> As [[spam_fighting]] shows, OpenID spam is now real. Yahoo, at least, would need to be blocked, according to the above, which seems like a bold move. --[[anarcat]]
+

 Okie - I have a first pass of this.  There are still some issues.
 
 Currently the code verifies the CAPTCHA.  If you get it right then you're fine.
 Okie - I have a first pass of this.  There are still some issues.
 
 Currently the code verifies the CAPTCHA.  If you get it right then you're fine.


@@ -33,17 +59,78 @@ ignored.
 > This is still not fixed.  I would have thought the following patch would
 > have fixed this second issue, but it doesn't.
 
 > This is still not fixed.  I would have thought the following patch would
 > have fixed this second issue, but it doesn't.
 

+(code snipped as a working [[patch]] is below)
+
+>> What seems to be happing here is that the openid plugin defines a
+>> validate hook for openid_url that calls validate(). validate() in turn
+>> redirects the user to the openid server for validation, and exits. If
+>> the openid plugins' validate hook is called before your recaptcha
+>> validator, your code never gets a chance to run. I don't know how to
+>> control the other that FormBuilder validates fields, but the only fix I
+>> can see is to somehow influence that order. 
+>>
+>> Hmm, maybe you need to move your own validation code out of the validate
+>> hook. Instead, just validate the captcha in the formbuilder_setup hook.
+>> The problem with this approach is that if validation fails, you can't
+>> just flag it as invalid and let formbuilder handle that. Instead, you'd
+>> have to hack something in to redisplay the captcha by hand. --[[Joey]]
+
+>>> Fixed this.  I just modified the OpenID plugin to check if the captcha
+>>> succeeded or failed.  Seeing as the OpenID plugin is the one that is
+>>> abusing the normal validate method, I figured it was best to keep
+>>> the fix in the same place.  I also added a config switch so you can set if
+>>> the captcha is needed for OpenID logins. OpenID defaults to ignoring
+>>> the captcha.
+>>> Patch is inline below.
+>>> I think this whole thing is working now.
+
+>>>> Ok, glad it's working. Not thrilled that it needs to modify the
+>>>> openid plugin, especially as I'm not sure if i I will integrate the
+>>>> captcha plugin into mainline. Also because it's not very clean to have
+>>>> the oprnid plugin aware of another plugin like that. I'd like to
+>>>> prusue my idea of not doing the captcha validation in the validate
+>>>> hook.
+
+[[!format diff """

 --- a/IkiWiki/Plugin/openid.pm
 +++ b/IkiWiki/Plugin/openid.pm
 --- a/IkiWiki/Plugin/openid.pm
 +++ b/IkiWiki/Plugin/openid.pm

-@@ -61,6 +61,7 @@ sub formbuilder_setup (@) { #{{{
-                        # Skip all other required fields in this case.
-                        foreach my $field ($form->field) {
-                                next if $field eq "openid_url";
-+                               next if $field eq "recaptcha";
-                                $form->field(name => $field, required => 0,
-                                        validate => '/.*/');
-                        }
-
+@@ -18,6 +18,7 @@ sub getopt () {
+       error($@) if $@;
+       Getopt::Long::Configure('pass_through');
+       GetOptions("openidsignup=s" => \$config{openidsignup});
++      GetOptions("openidneedscaptcha=s" => \$config{openidneedscaptcha});
+ }
+ 
+ sub formbuilder_setup (@) {
+@@ -61,6 +62,7 @@ sub formbuilder_setup (@) {
+                       # Skip all other required fields in this case.
+                       foreach my $field ($form->field) {
+                               next if $field eq "openid_url";
++                              next if $config{openidneedscaptcha} && $field eq "recaptcha";
+                               $form->field(name => $field, required => 0,
+                                       validate => '/.*/');
+                       }
+@@ -96,6 +98,18 @@ sub validate ($$$;$) {
+               }
+       }
+ 
++      if ($config{openidneedscaptcha} && defined $form->field("recaptcha")) {
++              foreach my $field ($form->field) {
++                      next unless ($field eq "recaptcha");
++                      if (! $field->validate) {
++                              # if they didn't get the captcha right,
++                              # then just claim we validated ok so the
++                              # captcha can cause a fail
++                              return 1;
++                      }
++              }
++      }
++
+       my $check_url = $claimed_identity->check_url(
+               return_to => IkiWiki::cgiurl(do => "postsignin"),
+               trust_root => $config{cgiurl},
+
+"""]]

 
 Instructions
 =====
 
 Instructions
 =====


@@ -51,8 +138,10 @@ Instructions
 You need to go to <http://recaptcha.net/api/getkey> and get a key set.
 The keys are added as options.
 
 You need to go to <http://recaptcha.net/api/getkey> and get a key set.
 The keys are added as options.
 

-       reCaptchaPubKey => "LONGPUBLICKEYSTRING",
-       reCaptchaPrivKey => "LONGPRIVATEKEYSTRING",
+[[!format perl """
+reCaptchaPubKey => "LONGPUBLICKEYSTRING",
+reCaptchaPrivKey => "LONGPRIVATEKEYSTRING",
+"""]]

 
 You can also use "signInSSL" if you're using ssl for your login screen.
 
 
 You can also use "signInSSL" if you're using ssl for your login screen.
 


@@ -61,6 +150,7 @@ The following code is just inline.  It will probably not display correctly, and
 
 ----------
 
 
 ----------
 

+[[!format perl """

 #!/usr/bin/perl
 # Ikiwiki password authentication.
 package IkiWiki::Plugin::recaptcha;
 #!/usr/bin/perl
 # Ikiwiki password authentication.
 package IkiWiki::Plugin::recaptcha;


@@ -69,19 +159,19 @@ use warnings;
 use strict;
 use IkiWiki 2.00;
 
 use strict;
 use IkiWiki 2.00;
 

-sub import { #{{{
+sub import {

        hook(type => "formbuilder_setup", id => "recaptcha", call => \&formbuilder_setup);
        hook(type => "formbuilder_setup", id => "recaptcha", call => \&formbuilder_setup);

-} # }}}
+}

 
 

-sub getopt () { #{{{
+sub getopt () {

        eval q{use Getopt::Long};
        error($@) if $@;
        Getopt::Long::Configure('pass_through');
        GetOptions("reCaptchaPubKey=s" => \$config{reCaptchaPubKey});
        GetOptions("reCaptchaPrivKey=s" => \$config{reCaptchaPrivKey});
        eval q{use Getopt::Long};
        error($@) if $@;
        Getopt::Long::Configure('pass_through');
        GetOptions("reCaptchaPubKey=s" => \$config{reCaptchaPubKey});
        GetOptions("reCaptchaPrivKey=s" => \$config{reCaptchaPrivKey});

-} #}}}
+}

 
 

-sub formbuilder_setup (@) { #{{{
+sub formbuilder_setup (@) {

        my %params=@_;
 
        my $form=$params{form};
        my %params=@_;
 
        my $form=$params{form};


@@ -191,7 +281,7 @@ EOTAGS
                                });
                }
        }
                                });
                }
        }

-} # }}}
+}

 
 # The following function is borrowed from
 # Captcha::reCAPTCHA by Andy Armstrong and are under the PERL Artistic License
 
 # The following function is borrowed from
 # Captcha::reCAPTCHA by Andy Armstrong and are under the PERL Artistic License


@@ -242,4 +332,4 @@ sub check_answer {
 }
 
 1;
 }
 
 1;

-
+"""]]