Properly pass remote IP address to recaptcha
authorMagnus Hagander <magnus@hagander.net>
Thu, 17 Dec 2015 12:53:29 +0000 (13:53 +0100)
committerMagnus Hagander <magnus@hagander.net>
Thu, 17 Dec 2015 12:53:29 +0000 (13:53 +0100)
In theory, at least, they can make a better decision for people to get past the
captcha with more knowledge. The parameter is currently optional, but it's not
unlikely it might become mandatory in the future, so we might as well include it.

pgweb/account/forms.py
pgweb/account/recaptcha.py
pgweb/account/views.py

index 9ecb18f1d212ac88a119cdd73d0382b7bacebad9..bf0bafaf3f6696549e57312ced6ef08ab1166a8f 100644 (file)
@@ -16,6 +16,10 @@ class SignupForm(forms.Form):
        email2 = forms.EmailField(label="Repeat email")
        captcha = ReCaptchaField()
 
+       def __init__(self, remoteip, *args, **kwargs):
+               super(SignupForm, self).__init__(*args, **kwargs)
+               self.fields['captcha'].set_ip(remoteip)
+
        def clean_email2(self):
                # If the primary email checker had an exception, the data will be gone
                # from the cleaned_data structure
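Review bot: Making `remoteip` the first positional parameter of `SignupForm.__init__` departs from the Django form convention that the first positional argument is `data`. A caller written as `SignupForm(request.POST)` would bind the POST data to `remoteip` and get an unbound form with no error raised. Taking the address as a keyword keeps the standard signature: `def __init__(self, *args, **kwargs):` followed by `remoteip = kwargs.pop('remoteip', None)` before the `super` call, with callers passing `remoteip=...`. A one-line docstring stating that the address is handed to the captcha field for the verification request would also help.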
index 60a6c1a6c7931905f95505b81fc71381c4aaa016..949d9366d9603294b1590ef98e813e7939ed89db 100644 (file)
@@ -25,10 +25,14 @@ class ReCaptchaWidget(forms.widgets.Widget):
 
 class ReCaptchaField(forms.CharField):
        def __init__(self, *args, **kwargs):
+               self.remoteip = None
                self.widget = ReCaptchaWidget()
                self.required = not settings.NOCAPTCHA
                super(ReCaptchaField, self).__init__(*args, **kwargs)
 
+       def set_ip(self, ip):
+               self.remoteip = ip
+
        def clean(self, value):
                if settings.NOCAPTCHA:
                        return True
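Review bot: `set_ip` stores per-request state on a field object, and nothing in the code says why that is safe. It works because Django gives each form instance its own copy of the declared fields, so the call must go through `self.fields['captcha']` on a form instance, as `SignupForm.__init__` does. Calling it on the field object held by the form class itself would carry one client's address over to other requests. I would add a docstring to `set_ip` such as `"""Record the client address sent as 'remoteip' in clean(); call only on a form instance's own field copy."""`. The body of `clean` continues outside this hunk.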
@@ -37,12 +41,13 @@ class ReCaptchaField(forms.CharField):
 
                # Validate the recaptcha
                c = httplib.HTTPSConnection('www.google.com', strict=True, timeout=5)
-               param = urllib.urlencode({
+               param = {
                        'secret': settings.RECAPTCHA_SECRET_KEY,
                        'response': value,
-                       # XXX: include remote ip!
-               })
-               c.request('POST', '/recaptcha/api/siteverify', param, {
+               }
+               if self.remoteip:
+                       param['remoteip'] = self.remoteip
+               c.request('POST', '/recaptcha/api/siteverify', urllib.urlencode(param), {
                        'Content-type': 'application/x-www-form-urlencoded',
                })
                c.sock.settimeout(10)
index 4a79962215608974e84ba5912404a3aae6fe14c4..c0b27f23cdfb3ab9f40940d2c55cc16f3aec8f61 100644 (file)
@@ -19,7 +19,7 @@ import json
 
 from pgweb.util.decorators import ssl_required
 from pgweb.util.contexts import NavContext
-from pgweb.util.misc import send_template_mail, generate_random_token
+from pgweb.util.misc import send_template_mail, generate_random_token, get_client_ip
 from pgweb.util.helpers import HttpServerError
 
 from pgweb.news.models import NewsArticle
@@ -240,7 +240,7 @@ def signup(request):
 
        if request.method == 'POST':
                # Attempt to create user then, eh?
-               form = SignupForm(data=request.POST)
+               form = SignupForm(get_client_ip(request), data=request.POST)
                if form.is_valid():
                        # Attempt to create the user here
                        # XXX: Do we need to validate something else?
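Review bot: The address passed to `SignupForm` here, and again in the `else` branch further down in `signup`, comes from `get_client_ip(request)`, whose implementation is not part of this diff. That value ends up in the `remoteip` field of the siteverify request. If the helper reads a forwarding header such as `X-Forwarded-For` without restricting it to the site's own proxies, the value is client-controlled and the captcha service receives a misleading signal. This is worth confirming, and worth recording at the call with a comment such as `# get_client_ip() must return the proxy-verified peer address, never a raw client-supplied header`. `signup` starts and ends outside this hunk.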
@@ -263,7 +263,7 @@ def signup(request):
 
                        return HttpResponseRedirect('/account/signup/complete/')
        else:
-               form = SignupForm()
+               form = SignupForm(get_client_ip(request))
 
        return render_to_response('base/form.html', {
                        'form': form,