Upgrade to recaptcha v2

Bug #1473023 reported by SirVer
Affects: Widelands Website
Status: Fix Released
Importance: High
Assigned to: kaputtnik

Bug Description

I got a nag mail from google saying that we must update to recaptcha v2. The porting guide is somewhere at [2] or [3].

The new captchas are much better actually - no more typing of stupid text.

[1] http://googleonlinesecurity.blogspot.de/2014/12/are-you-robot-introducing-no-captcha.html
[2] https://www.google.com/recaptcha/intro/index.html
[3] https://developers.google.com/recaptcha/intro


SirVer (sirver)
Changed in widelands-website:
status: New → Confirmed
importance: Undecided → High
kaputtnik (franku) wrote :

I will take a look at this...

Changed in widelands-website:
assignee: nobody → kaputtnik (franku)
kaputtnik (franku) wrote :

I am quite busy with normal work, so it could take some time to solve this (two weeks I think). If someone else gets a solution earlier, please tell it here.

kaputtnik (franku) wrote :

I have it half running... there are some failures:

1. The normal functionality with the small "I am no robot" button (like in the demo) does not work on widelands.org. So we have to use the fallback mode... this is much uglier than the demo :-§ In fallback mode the window with the food/whatever is shown directly and the user has to mark the solutions. After clicking on "confirm", a window with a long string is displayed which has to be copied into a text field. After that the user can "send" the account request.

2. Currently the return value from Google is always "success = True". Because I am not the only one who has this problem, it may be a problem on Google's side...

I am currently using the test values from Google for the "secret key" and "site key".

I am willing to provide a branch once I have made some cleanups and further tests.
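
The server-side half of the v2 flow discussed in this comment, as an added example that is not part of the original comment or the Widelands code: the form's `g-recaptcha-response` token is posted to Google's `siteverify` endpoint, and anything other than an explicit success for the expected hostname is rejected. Google documents its v2 test keys as always passing verification, so failure paths need a real key pair or a stubbed transport such as the `post` parameter here; the function names, the hostname check and the sample responses are assumptions.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample replies standing in for Google's JSON responses.
SAMPLE_OK = {"success": True, "hostname": "widelands.org"}
SAMPLE_BAD = {"success": False, "error-codes": ["invalid-input-response"]}


def _post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode("ascii")
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None,
                     post=_post_form):
    """Return (ok, reasons). Hypothetical helper; fails closed on any doubt."""
    if not token:
        # The browser sent no g-recaptcha-response field at all.
        return False, ["missing-input-response"]
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(VERIFY_URL, fields)
    except (OSError, ValueError) as exc:
        # Network or JSON error: never wave the signup through.
        return False, ["verify-unreachable: %s" % exc.__class__.__name__]
    # Only the JSON boolean true counts; a string "true" does not.
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes", []) if isinstance(result, dict) else []
        return False, list(codes) or ["verification-failed"]
    # A token solved on another site must not be accepted by this form.
    if result.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]
    return True, []
```

In a signup view the secret comes from server-side settings only; the site key is the public half that goes into the page.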

SirVer (sirver) wrote :

Why is the "I am not a robot" not working on Widelands.org?

kaputtnik (franku) wrote :

I don't know. If I use the normal code and click on "I am not a robot", something happens, but there is no popup window which shows the food pictures. If I wait until the timeout is gone (2 minutes I think), the whole process is reloaded and after that clicking on "I am not a robot" works (the "food" popup appears).

I think the description (https://developers.google.com/recaptcha/docs/display) is updated and I will make some more tests. Or should we use the third party app described in http://stackoverflow.com/questions/29548574/how-to-validate-google-recaptcha-v2-in-django?answertab=votes#tab-top ?

Personally I would like to understand the code and write our own code. But this would take some time (for me).

kaputtnik (franku) wrote :

I have now tested the explicit displaying of the boxes (see https://developers.google.com/recaptcha/docs/display#explicit_render). The result is the same: if I click on "I am no robot", no popup appears. The reason for that is malformed values for "left" and "top". On clicking "I am no robot" the HTML gets the following code added:

  <div style="display: block; visibility: hidden; position: absolute; width: 106px; left: -10000px; top: -10000px;">
    <table dir="ltr" style="width:106px;" frame="void" rules="none" class=" gc-bubbleDefault pls-container" cellpadding="0" cellspacing="0">
    </table>
  </div>

Pay attention to the wrong "left" and "top" values, which are "-10000px". After waiting until the captcha is reloaded and clicking again on "I am no robot", the values become right:

  <div style="display: block; visibility: visible; position: absolute; width: 414px; left: 226px; top: 295px; height: 618px; z-index: 2000000001;">
      <table dir="ltr" style="width: 414px; height: 618px;" frame="void" rules="none" class=" gc-bubbleDefault pls-container" cellpadding="0" cellspacing="0">
      </table>
  </div>

In addition, on the second click the HTML gets additional code:

  <ins style="position: absolute ! important; background-color: transparent ! important; left: 198px ! important; top: 388.767px ! important; width: 28px ! important; height: 28px ! important; z-index: -10000 ! important; display: none ! important;"></ins>

I don't know why Google calculates the wrong values and why the additional code isn't loaded the first time.

SirVer (sirver) wrote :

Have you tried opening a bug on them?

kaputtnik (franku)
Changed in widelands-website:
assignee: kaputtnik (franku) → nobody
kaputtnik (franku) wrote :

I don't know where to put bug reports (didn't find any link) except the discussion group: https://groups.google.com/forum/#!forum/recaptcha

And this discussion group seems not very serious. Altogether the code and the presentation "feel" not very serious. But my personal "feeling" is surely reasoned because I don't like Google very much.

I've made a branch with my last state of tests: https://code.launchpad.net/~franku/widelands-website/new_captcha_test

Don't know where to put comments in there... I left many print statements, maybe they help to find failures.

Currently I don't want to work further on this, so I removed myself as the assignee. Sorry, but this is too hard for me... A company I do not trust, a bad description and JavaScript code which refers to all Google services. I am really sorry...

Is there no other possibility to reject spammers from the website? Something like honeypots or other (additional) possibility(s)?

SirVer (sirver) wrote :

Don't worry and thanks for looking into that. It should also be enjoyable and not a chore to work on Widelands. Maybe somebody else can pick up where you left off.

> Currently I don't want to work further on this, so I removed myself as the assignee. Sorry, but this is too hard for me... A company I do not trust, a bad description and JavaScript code which refers to all Google services. I am really sorry...

Not sure if you knew, but I am employed by Google. And I must say that it is the most ethical place I ever worked before. Everybody always tries to do the right thing, from engineering to upper management.

> Is there no other possibility to reject spammers from the website? Something like honeypots or other (additional) possibility(s)?

I do not know about other possibilities. Captcha was a transformative change for the Website: We had many bots spamming daily before establishing that sign up requires a captcha. Now the only spammers on the site are from sweatshops and actual humans. I doubt that you can do better than that, but if you have any suggestions we can certainly try them.

kaputtnik (franku) wrote :

I can't help doing it :-D I will ask in the discussion group... Meanwhile I tested the third party app linked in #4, but it does not work because our Django version is too old. It needs features from later Django versions. We should really take a look at updating Django.

kaputtnik (franku)
Changed in widelands-website:
assignee: nobody → kaputtnik (franku)
kaputtnik (franku)
Changed in widelands-website:
status: Confirmed → In Progress
kaputtnik (franku)
Changed in widelands-website:
status: In Progress → Fix Released