CaptchaPlugin

A visual confirmation plugin, known as Captcha, for new user registration. This plugin prevents automated scripts in creating users and spam your wiki with their url's to get a better google ranking.

Syntax Rules

• The tag %CAPTCHAURL% expands to the url of the image containing the scrambled text;
• The tag %CAPTCHAHASH% expands to the hash matching the image.

Examples

• N/A

Plugin Settings

Plugin settings are stored as preferences variables. To reference a plugin setting write %<plugin>_<setting>%, i.e. %INTERWIKIPLUGIN_SHORTDESCRIPTION%

• One line description, is shown in the TextFormattingRules topic:
  • Set SHORTDESCRIPTION = Plugin for Captcha verification / visual confirmation of new user registration.

• Debug plugin: (See output in data/debug.txt)
  • Set DEBUG = 0

• Custom settings (defaults shown):
  • Number of characters for Captcha:
    • Set LENGTH = 5
  • The characters that you want to use in Captcha:
    • Set CHARACTERS = abcdefghijklmnopqrstuvwxyz%&?@!1234567890

Additionally, the following settings can be added to lib/LocalSite.cfg. In time, the above options will be moved to that file too.

• $TWiki::cfg{Plugins}{CaptchaPlugin}{Expiry}=3600; # time in seconds after which a captcha will expire and be removed
• $TWiki::cfg{Plugins}{CaptchaPlugin}{EnableSave}=1; # enable captcha for topic save

Plugin Installation Instructions

Note: You do not need to install anything on the browser to use this plugin. The following instructions are for the administrator who installs the plugin on the server where TWiki is running.

• Download the ZIP file from the Plugin web (see below)
• Unzip CaptchaPlugin.zip in your twiki installation directory. Content:

  File:	Description:
  data/TWiki/CaptchaPlugin.txt	Plugin topic
  data/TWiki/CaptchaPlugin.txt,v	Plugin topic repository
  register-4.1.2.patch	Patch for the register module
  templates/oopscaptcha.tmpl	Error template
  lib/TWiki/Plugins/CaptchaPlugin.pm	Plugin Perl module
  pub/TWiki/CaptchaPlugin/fonts/	Fonts directory
  pub/TWiki/CaptchaPlugin/fonts/*	A collection of free fonts to get you started
  pub/TWiki/CaptchaPlugin/_db	Hash database directory
  pub/TWiki/CaptchaPlugin/img	Image directory

• Apply the patch register-4.1.2.patch to lib/TWiki/UI/Register.pm (alternatively, patch Register.pm manually, see section below), be sure to make a backup so you can revert the patch if you want to disable the plugin:
  • cd /path/to/twiki
  • cp lib/TWiki/UI/Register.pm lib/TWiki/UI/Register.pm.dist
  • patch < ../register.patch
• Restrict access to the files, for example, by including the following in your httpd.conf:

         <Directory "/path/to/twiki/pub/TWiki/CaptchaPlugin/_db">
           deny from all
         </Directory>
         <Directory "/path/to/twiki/pub/TWiki/CaptchaPlugin/fonts">
           deny from all
         </Directory>
         <Directory "/path/to/twiki/pub/TWiki/CaptchaPlugin/img">
           deny from all
         </Directory>

• Enable the plugin via the bin/configure script
• Install necessary TrueType fonts in to pub/TWiki/CaptchaPlugin/fonts/
  • This allows the plugin to randomly choose the fonts to use
• Test if the installation was successful:
  • Create a topic containing <IMG SRC="%CAPTCHAURL%"> and %CAPTCHAHASH%
  • When loading this topic you should see an obfuscated character string loaded as a png and a hexadecimal hash.
  • Check whether the hash database is properly protected by going to the url http://my.twiki.server/my/twiki/path/pub/TWiki/CaptchaPlugin/db/hashes.pag, you should see a permission denied message.
• Now edit your TWikiRegistration topic
  • Display the image %CAPTCHAURL% somewhere in your form, along with a text instructing new users to copy the obfuscated text into the appropriate text input.
  • Add the appropriate text input as Twk1CaptchaString
  • Add a hidden input as Twk1CaptchaHash having as value %CAPTCHAHASH%
  • For example, add this to your TWikiRegistration:

            <tr>
              <td valign="top" align="right"><IMG SRC="%CAPTCHAURL%">: <br /> (..)   </td>
              <td><input type="hidden" name="Twk1CaptchaHash" value="%CAPTCHAHASH%">
                  <input type="text" name="Twk1CaptchaString" size="5"></td>  =<font color="red">**</font>=
            </tr>

• That's it.

Captcha on topic edit

If you want to protect edits by TWikiGuest with a captcha, add the following line to your lib/LocalSite.cfg:

$TWiki::cfg{Plugins}{CaptchaPlugin}{EnableSave} = 1;

Of course, you will need the Twk1CaptchaHash and Twk1CaptchaString input fields somewhere in your edit template.

For example, if you are using the default pattern skin, change templates/edit.pattern.tmpl. Find:

%TMPL:DEF{"textarea"}%<textarea class="twikiEditboxStyleProportional" id="topic" name="text" rows="%EDITBOXHEIGHT%" cols="%EDITBOXWIDTH%" style='%EDITBOXSTYLE%' onkeydown='handleKeyDown(event)'>%TEXT%</textarea><script type="text/javascript">initTextAreaHeight();</script>
%TMPL:END%

and add before TMPL:END:

%TMPL:DEF{"textarea"}%<textarea class="twikiEditboxStyleProportional" id="topic" name="text" rows="%EDITBOXHEIGHT%" cols="%EDITBOXWIDTH%" style='%EDITBOXSTYLE%' onkeydown='handleKeyDown(event)'>%TEXT%</textarea><script type="text/javascript">initTextAreaHeight();</script>
              <IMG SRC="%CAPTCHAURL%"/>
              <input type="hidden" name="Twk1CaptchaHash" value="%CAPTCHAHASH%"/>
              <input type="text" name="Twk1CaptchaString" size="5"/>
%TMPL:END%

You might want to hide the captcha for logged in users (context authenticated), see VarIF for more information on conditional rendering.

Manually patching the register binary

Refer to the patch file.

Guide for TWiki 4.0.5

 }
 
 # generate user entry

Insert the code below directly BEFORE the line containing the curly bracket '{':

    # verify captcha
    my %database;
    my $vcHash = $data->{CaptchaHash};
    my $vcTxt = $data->{CaptchaString};

    open(LOCKFILE,">".&TWiki::Func::getPubDir()."/TWiki/CaptchaPlugin/_db/hashes.lock");
    flock(LOCKFILE,2);

    dbmopen(%database, &TWiki::Func::getPubDir()."/TWiki/CaptchaPlugin/_db/hashes",0644);

    my ($time,$txt) = split(',',$database{$vcHash});

    if ( not(lc($txt) eq lc($vcTxt)) || ($txt eq '') ) {
                dbmclose(%database);
                close(LOCKFILE);
                throw TWiki::OopsException( 'captcha',
                                           web => $data->{webName},
                                       topic => $topic,
                                       def => 'invalid_vcstr',
                                       params => [ "wrong" ] );
    }

    dbmclose(%database);

    close(LOCKFILE);

Now find:

             # 'WikiName' omitted because they can't
             # change it, and 'Confirm' is a duplicate
             push( @{$data->{form}}, $form )
              unless ($name eq 'WikiName' || $name eq 'Confirm');

and change the last line to:

             # 'WikiName' omitted because they can't
             # change it, and 'Confirm' is a duplicate
             push( @{$data->{form}}, $form )
              unless ($name eq 'WikiName' || $name eq 'Confirm' || $name eq 'CaptchaHash' || $name eq 'CaptchaString');

Further Development

• Refactor to comply with TWiki's convention
• Remove created .png files -> is already done on expiry, right?
• Adjustable font size range
• Adjustable height and width
• Option of Black and White only

Plugin Info

Related Topics: TWikiPreferences, TWikiPlugins