diff --git a/Gemfile b/Gemfile
index 79cd5c839c0d1d3e8e7478caeb90970265d8b643..ad6e321f0bcdfd81e2924c8988eab6069ad6ae8b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -113,6 +113,10 @@ gem 'acts_as_list', '~> 0.4' # locking in to latest major to fix API
 gem 'validates_email_format_of', '~> 1.6'
+# Used to keep spammers from creating accounts
+# locking in to latest major to fix API
+gem 'invisible_captcha', '~>1.0'
+
 ##
 ## GEMS required, and compilation is required to install
 ##
diff --git a/Gemfile.lock b/Gemfile.lock
index f1f20dea0747c3e6cc4b712fde93f67c92fb1183..fea9733b41d609e6fab589cbf40721fe7967159f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -131,6 +131,8 @@ GEM
 i18n (0.9.5)
 concurrent-ruby (~> 1.0)
 innertube (1.1.0)
+ invisible_captcha (1.0.1)
+ rails (>= 4.2)
 joiner (0.4.2)
 activerecord (>= 5.2.beta1)
 json (2.3.0)
@@ -306,6 +308,7 @@ DEPENDENCIES
 haml-rails (~> 1.0)
 http_accept_language (~> 2.0)
 i18n (~> 0.7)
+ invisible_captcha (~> 1.0)
 json (~> 2.3)
 mail-gpg (~> 0.3.3)
 mime-types
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index d95719a7cb649af2ff8cfaa6a0a84a708463c2e6..27ac57a3dc83dde1e81a28bdf1ea8dd2ed8c439d 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -8,6 +8,9 @@ class AccountsController < ApplicationController
 layout 'notice'
+ invisible_captcha only: [:create],
+ honeypot: :email_confirmation,
+ scope: :user
 ##
 ## SIGNUP
diff --git a/app/views/accounts/new.html.haml b/app/views/accounts/new.html.haml
index ece0c6dc21e9b599b2a82b467a47225aad0fa2ca..0325545c1c9aee347de3475cd90887873e15fe14 100644
--- a/app/views/accounts/new.html.haml
+++ b/app/views/accounts/new.html.haml
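Review bot: The new constraint is written `'~>1.0'` without the space that every neighbouring constraint in this Gemfile (`'~> 0.4'`, `'~> 1.6'`) and the Gemfile.lock entry (`~> 1.0`) use; Bundler accepts both forms, but the file's style is the spaced one. Suggest `gem 'invisible_captcha', '~> 1.0'`.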
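Review bot: The honeypot is named `email_confirmation` and, per the view in this commit, sits in the same form as the real `email` field, which is precisely the kind of name a browser or password-manager autofill heuristic tends to populate, so a legitimate user can trip the check; with no `on_spam:` option the refusal falls back to the gem's default response, and the test added in this commit expects that to be a 200, so such a user gets a blank page and no hint of what happened. Even if the gem marks the input autocomplete-off, browsers do not reliably honour that. Consider a field name no autofill will recognise and an `on_spam:` callback that re-renders the form with a generic message, e.g. `invisible_captcha only: [:create], honeypot: :<placeholder-field-name>, scope: :user, on_spam: :render_signup_refused`, with the callback defined on the controller. Also note the timestamp check is switched off under `Rails.env.test?` by the initializer in this commit, so only the honeypot half of this declaration is exercised by tests.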
@@ -16,6 +16,8 @@ - r.input user.text_field(:email, class: 'form-control')
 - unless Conf.require_user_email
 - r.info :signup_email_info.t
+ - f.row do |r|
+ - r.input user.invisible_captcha :email_confirmation
 - f.button submit_tag(:signup_button.t, class: 'btn btn-primary')
 - if params[:redirect]
diff --git a/config/initializers/invisible_captcha.rb b/config/initializers/invisible_captcha.rb
new file mode 100644
index 0000000000000000000000000000000000000000..823e93fb47ce5058fa562e614091545b7df92b7a
--- /dev/null
+++ b/config/initializers/invisible_captcha.rb
@@ -0,0 +1,7 @@
+InvisibleCaptcha.setup do |config|
+ config.timestamp_enabled = !Rails.env.test?
+end
+
+ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
+ Rails.logger.warn 'Potential spam detected. Signup refused.'
+end
diff --git a/test/functional/accounts_controller_test.rb b/test/functional/accounts_controller_test.rb
index 2792bd662ad556a93d4c51d91d65460a97a58749..0988b40716f7a323b0550553228cd2845e9cbc88 100644
--- a/test/functional/accounts_controller_test.rb
+++ b/test/functional/accounts_controller_test.rb
@@ -36,6 +36,13 @@ class AccountsControllerTest < ActionController::TestCase
 end
 end
+ def test_should_refuse_signup_with_honeypot
+ assert_no_difference 'User.count' do
+ post_signup_form(user: { email_confirmation: 'I filled this out' })
+ assert_response :success
+ end
+ end
+
 def test_should_not_allow_duplicate_username_or_groupname
 [users(:quentin).login, groups(:rainbow).name].each do |login|
 assert_no_difference 'User.count', "number of users should not increase when creating #{login}" do
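Review bot: The honeypot is rendered through `f.row`, the same row helper that lays out the visible inputs; if that helper emits spacing or label markup around its content (its definition is outside the hunk), the hidden input still leaves an empty row in the form, and a visible label would tell a real user what the field is for. Rendering the helper's output directly, `= user.invisible_captcha :email_confirmation`, outside the row wrapper avoids both, since as far as I recall the gem's helper wraps the input in its own hidden container — verify in the rendered HTML. The enclosing form block starts outside the hunk.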
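Review bot: The subscriber block declares `|*args, data|` and uses neither, so the notification payload bound to `data` is discarded and the log line carries nothing to act on; rename the unused splat `*_args` and put the payload to use. As I recall the gem's instrumentation payload includes the request's remote IP and user agent (confirm against the gem's `instrument` call); log those rather than `data.inspect`, because if the payload also carries the submitted parameters a full dump would put the signup password into the log, e.g. `Rails.logger.warn "Potential spam detected. Signup refused. ip=#{data[:remote_ip]} ua=#{data[:user_agent]}"`. The subscription is global, so the hard-coded "Signup refused." becomes misleading the moment the gem is applied to a second form; consider logging the controller/action from the payload instead.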
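Review bot: `assert_no_difference 'User.count'` together with `assert_response :success` would also hold if the signup were rejected for an unrelated reason — a validation error re-rendering the form returns 200 and creates no user — so the test does not prove the honeypot fired; `post_signup_form` is defined outside the hunk, so I cannot see what else the request contains. Subscribing to `invisible_captcha.spam_detected` for the duration of the request pins the refusal to the captcha. Separately, the initializer in this commit disables the timestamp check under `Rails.env.test?`, so the too-fast-submission path has no coverage; a second test that enables it and posts immediately would close that gap.
```ruby
  def test_should_refuse_signup_with_honeypot
    spam_events = []
    callback = ->(*event) { spam_events << event }
    ActiveSupport::Notifications.subscribed(callback, 'invisible_captcha.spam_detected') do
      assert_no_difference 'User.count' do
        post_signup_form(user: { email_confirmation: 'I filled this out' })
        assert_response :success
      end
    end
    assert_equal 1, spam_events.size, 'signup should have been refused by the honeypot'
  end
```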