Skip to content

Commit 5710f3c

Browse files
committed
Improved API integration for reCAPTCHA. Closes #8
1 parent 4129db2 commit 5710f3c

6 files changed

Lines changed: 32 additions & 31 deletions

File tree

code/FormGenerator.class.php

Lines changed: 21 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -347,6 +347,7 @@ public static function processFormBuilderPage($params)
347347
$finalize = isset($params["finalize"]) ? $params["finalize"] : false;
348348

349349
$failed_validation = false;
350+
$update_successful = true;
350351
$validation_error = "";
351352
if ($page_type == "form") {
352353
$tabs = ViewTabs::getViewTabs($view_id, true);
@@ -384,29 +385,35 @@ public static function processFormBuilderPage($params)
384385
}
385386
}
386387

387-
// TODO. This is insufficient - can be bypassed!
388-
$has_captcha = isset($form_data["g-recaptcha-response"]) ? true : false;
388+
// reCAPTCHA just adds a "g-recaptcha-response" key to the POST form values. Looking for that isn't sufficient
389+
// because a hacker could just simulate the request without the property and bypass it. So instead the {{captcha}}
390+
// function makes a note in sessions that the page contains a CAPTCHA - which can't be bypassed
391+
$has_captcha = isset($_SESSION[$namespace]["has_captcha"]) ? $_SESSION[$namespace]["has_captcha"] : false;
389392

390393
// the reCAPTCHA can be placed on the form or review page only
391394
if ($has_captcha && ($page_type == "form" || $page_type == "review")) {
395+
$recaptcha_error_msg = "•  Sorry, you didn't enter the reCAPTCHA correctly. Please try again.";
392396

393-
// was there a reCAPTCHA response? If so, a recaptcha was just submitted, check it was entered correctly
394-
$resp = $api->validateRecaptcha($params["form_data"]["g-recaptcha-response"]);
395-
396-
if ($resp->isSuccess()) {
397-
$_SESSION[$namespace]["passed_captcha"] = true;
398-
} else {
399-
// if the main update was successful, but they failed validation, just display the single "wrong captcha" error
400-
if ($update_successful) {
401-
$validation_error = "•  Sorry, you didn't enter the reCAPTCHA correctly. Please try again.";
397+
if (isset($params["form_data"]["g-recaptcha-response"])) {
398+
$resp = $api->validateRecaptcha($params["form_data"]["g-recaptcha-response"]);
399+
if ($resp->isSuccess()) {
400+
$_SESSION[$namespace]["passed_captcha"] = true;
402401
} else {
403-
$br = (!empty($validation_error)) ? "<br />" : "";
404-
$validation_error .= $br . "&bull;&nbsp; Sorry, you didn't enter the reCAPTCHA correctly. Please try again.";
402+
// if the main update was successful, but they failed validation, just display the single "wrong captcha" error
403+
if ($update_successful) {
404+
$validation_error = $recaptcha_error_msg;
405+
} else {
406+
$br = (!empty($validation_error)) ? "<br />" : "";
407+
$validation_error .= $br . $recaptcha_error_msg;
408+
}
409+
$failed_validation = true;
405410
}
406-
$failed_validation = true;
407411
}
408412
}
409413

414+
// always reset the has_captcha flag for the next page load
415+
$_SESSION[$namespace]["has_captcha"] = false;
416+
410417
// this automatically sends any emails set to the on_submission trigger.
411418
if (!$failed_validation) {
412419
if ($finalize) {

code/Forms.class.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -874,7 +874,7 @@ public static function getGeneratedFormContent($published_form_id, $filename)
874874
*/
875875
require_once("$root_dir/global/library.php");
876876
use FormTools\Core;
877-
Core::init(array("start_sessions" => false));
877+
Core::init(array("auto_logout" => false));
878878
\$root_dir = Core::getRootDir();
879879
\$published_form_id = $published_form_id;
880880
\$filename = "$filename";

form.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@
3737
$module = Modules::getModuleInstance("form_builder");
3838
$namespace = "form_builder_{$published_form_id}";
3939

40-
// find out about the page: form / review / thanks. That determines what values we pass to ft_api_process_form_builder_page()
40+
// find out about the page: form / review / thanks. That determines what values we pass to processFormBuilderPage
4141
$config = Forms::getFormConfiguration($published_form_id);
4242

4343
$form_id = $config["form_id"];

preview.php

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,10 @@
11
<?php
22

3-
//require_once("../../global/session_start.php");
43
require_once("../../global/library.php");
54

65
use FormTools\Modules;
76
use FormTools\Modules\FormBuilder\Forms;
87
use FormTools\Modules\FormBuilder\General;
9-
use FormTools\Modules\FormBuilder\FormGenerator;
108
use FormTools\Modules\FormBuilder\Placeholders;
119
use FormTools\Modules\FormBuilder\TemplateSets;
1210
use FormTools\Views;

preview_form.php

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,11 +8,17 @@
88

99
require_once("../../global/library.php");
1010

11+
use FormTools\Core;
1112
use FormTools\Modules;
1213
use FormTools\Modules\FormBuilder\FormGenerator;
1314

1415
$module = Modules::initModulePage("admin");
1516

17+
if (Core::isAPIAvailable()) {
18+
require_once(__DIR__ . "/../../global/api/API.class.php");
19+
$api = new FormTools\API(array("init_core" => false));
20+
}
21+
1622
// convert the placeholder info in the request into a simple hash of placeholder_id => value
1723
$placeholders = array();
1824
$placeholder_ids = isset($request["placeholder_ids"]) ? $request["placeholder_ids"] : array();
@@ -25,7 +31,6 @@
2531
// pulled from the database
2632
$_SESSION["ft"]["form_builder"]["placeholders"] = $placeholders;
2733

28-
2934
// creating a new array here isn't strictly needed, since we COULD just tweak and pass along the POST request,
3035
// but it helps to see precisely what info is being sent
3136
$settings = array(

smarty_plugins/function.captcha.php

Lines changed: 3 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,8 @@
1212
function smarty_function_captcha($params, &$smarty)
1313
{
1414
if (!Core::isAPIAvailable()) {
15-
echo "API not available.";
16-
exit;
15+
echo "<div class=\"error\"><div style=\"padding: 8px\">You need to install the Form Tools API to use the {{captcha}} tag.</div></div>";
16+
return;
1717
}
1818

1919
require_once(__DIR__ . "/../../../global/api/API.class.php");
@@ -28,14 +28,5 @@ function smarty_function_captcha($params, &$smarty)
2828
$_SESSION[$form_namespace]["has_captcha"] = true;
2929

3030
$api = $smarty->getTemplateVars("api");
31-
$response = $api->displayCaptcha();
32-
33-
// $error_message = "";
34-
// if (is_array($response) && $response[0] === false) {
35-
// $error_message = "You need to define the reCAPTCHA public and private keys.";
36-
// }
37-
//
38-
// if (!empty($error_message)) {
39-
// echo "<div class=\"ft_error\">$error_message</div>";
40-
// }
31+
$api->displayCaptcha();
4132
}

0 commit comments

Comments
 (0)