diff --git a/web/includes/actions.php b/web/includes/actions.php
index f6a1f9aa5..b357d3222 100644
--- a/web/includes/actions.php
+++ b/web/includes/actions.php
@@ -22,6 +22,7 @@
 // PP - POST request handler for PHP which does not need extensions
 // credit: http://wezfurlong.org/blog/2006/nov/http-post-from-php-without-curl/
+
 function do_post_request($url, $data, $optional_headers = null)
 {
 $params = array('http' => array(
@@ -67,8 +68,15 @@ if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST[
 if ( !empty($action) )
 {
- // PP - lets validate reCaptcha if it exists
- if (ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY && ZM_OPT_GOOG_RECAPTCHA_SITEKEY)
+ if ( $action == "login" && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == "remote" || isset($_REQUEST['password']) ) )
+ {
+ // if true, a popup will display after login
+ // PP - lets validate reCaptcha if it exists
+ if ( defined('ZM_OPT_USE_GOOG_RECAPTCHA')
+ && defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
+ && defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
+ && ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY
+ && ZM_OPT_GOOG_RECAPTCHA_SITEKEY)
 {
 $url = 'https://www.google.com/recaptcha/api/siteverify';
 $fields = array (
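Review bot: The comment `// if true, a popup will display after login` at the top of the new login branch describes nothing in this hunk — no flag is set here — so it reads as a copy-paste leftover and should be dropped or reworded to say what the branch actually does, e.g. `// Only verify reCaptcha on an actual login attempt`. The new guard `if ( $action == "login" && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == "remote" || isset($_REQUEST['password']) ) )` appears to be repeated verbatim by the "General scope actions" login check later in the same file; hoisting it once into `$isLoginRequest = ( … );` and testing that in both places keeps the two conditions from drifting apart. The enclosing `if ( !empty($action) )` block opened here, and the reCaptcha `if` this hunk starts, both continue past the end of the hunk.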
@@ -78,16 +86,38 @@ if ( !empty($action) )
 );
 $res= do_post_request($url, http_build_query($fields));
- $result = json_decode($res);
- if ($result->success != 'true')
+ $responseData = json_decode($res,true);
+ // PP - credit: https://github.com/google/recaptcha/blob/master/src/ReCaptcha/Response.php
+ // if recaptcha resulted in error, we might have to deny login
+ if (isset($responseData['success']) && $responseData['success'] == false)
 {
- userLogout();
- $view='login';
- $refreshParent = true;
+ // PP - before we deny auth, let's make sure the error was not 'invalid secret'
+ // because that means the user did not configure the secret key correctly
+ // in this case, we prefer to let him login in and display a message to correct
+ // the key. Unfortunately, there is no way to check for invalid site key in code
+ // as it produces the same error as when you don't answer a recaptcha
+ if (isset($responseData['error-codes']) && is_array($responseData['error-codes']))
+ {
+ if (!in_array('invalid-input-secret',$responseData['error-codes']))
+ {
+ Error ("reCaptcha authentication failed");
+ userLogout();
+ $view='login';
+ $refreshParent = true;
+ }
+ else
+ {
+ //Let them login but show an error
+ echo '';
+ Error ("Invalid recaptcha secret detected");
+
+ }
+ }
 }
 }
+ }
 // General scope actions
 if ( $action == "login" && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == "remote" || isset($_REQUEST['password']) ) )
diff --git a/web/lang/en_gb.php b/web/lang/en_gb.php
index 76a71e301..83267ecdd 100644
--- a/web/lang/en_gb.php
+++ b/web/lang/en_gb.php
@@ -578,6 +578,7 @@ $SLANG = array(
 'Progress' => 'Progress',
 'Protocol' => 'Protocol',
 'Rate' => 'Rate',
+ 'RecaptchaWarning' => 'Your reCaptcha secret key is invalid. Please correct it, or reCaptcha will not work', // added Sep 24 2015 - PP
 'Real' => 'Real',
 'Record' => 'Record',
 'RefImageBlendPct' => 'Reference Image Blend %ge',
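Review bot: The new check fails open: when `do_post_request()` returns false or a non-JSON body (its error handling is outside this hunk), `json_decode($res,true)` yields null, `isset($responseData['success'])` is false, and the login proceeds with no captcha verification at all; the same happens for a `success: false` reply that carries no `error-codes` array, because the only deny branch sits inside `is_array($responseData['error-codes'])`. Unreachable siteverify and malformed replies should count as a failed captcha, with only the deliberately tolerated `invalid-input-secret` case letting the user through; the rewrite below keeps that exemption, denies everything else, and passes `true` to `in_array` so a non-string error code cannot match loosely. `echo '';` in the misconfigured-secret branch appears empty on this page, which may be an extraction artefact; if it really is empty it should be removed rather than kept as dead output. The outer `if ( !empty($action) )` block and the reCaptcha `if` that wrap this code open before the hunk, and the `// General scope actions` login check continues after it.
```php
$res = do_post_request($url, http_build_query($fields));
$responseData = json_decode($res, true);
$errorCodes = (is_array($responseData) && isset($responseData['error-codes']) && is_array($responseData['error-codes']))
            ? $responseData['error-codes'] : array();
if ( in_array('invalid-input-secret', $errorCodes, true) )
{
  // Misconfigured secret key: let the user in but tell them to fix it (behaviour kept from the hunk)
  echo ''; // as in the hunk — confirm what this was meant to emit
  Error("Invalid recaptcha secret detected");
}
elseif ( !is_array($responseData) || !isset($responseData['success']) || $responseData['success'] !== true )
{
  // No reply, malformed reply, or an explicit verification failure: fail closed
  Error("reCaptcha authentication failed");
  userLogout();
  $view = 'login';
  $refreshParent = true;
}
// … unchanged: closing braces and the "General scope actions" login check …
```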
diff --git a/web/skins/classic/views/js/console.js.php b/web/skins/classic/views/js/console.js.php
index fb5f9eb9e..93cf0cdb7 100644
--- a/web/skins/classic/views/js/console.js.php
+++ b/web/skins/classic/views/js/console.js.php
@@ -26,3 +26,7 @@ elseif ( ZM_DYN_SHOW_DONATE_REMINDER )
 ?>
 var showVersionPopup = ;
 var showDonatePopup = ;
+
+
+
+
diff --git a/web/skins/classic/views/login.php b/web/skins/classic/views/login.php
index b91293965..c7be103a1 100644
--- a/web/skins/classic/views/login.php
+++ b/web/skins/classic/views/login.php
@@ -22,7 +22,7 @@ xhtmlHeaders(__FILE__, translate('Login') ); ?> "; }
@@ -52,9 +52,12 @@ xhtmlHeaders(__FILE__, translate('Login') );
"; + echo "

"; } ?>