Edward
Correct me if I'm wrong, but as I mentioned in my first reply to your
post, a hacker can use the GET method to post a registration request in the
URL.
The hacker can set the value of register to 1 and this will pass your
check and register. As you already know, having an incorrect captcha
doesn't matter; the new user still gets registered. Try the GET method
yourself!!! I hope I'm wrong :-(
Ajdin
-----Original Message-----
From: users-bounces(a)xwiki.org [mailto:users-bounces@xwiki.org] On Behalf
Of Edward Laptop
Sent: 09 July 2009 15:22
To: XWiki Users
Subject: [xwiki-users] working captcha
Dear All
I have spent quite a few hours playing with the captcha trying to get it
to work. There were some useful posts on the newsgroup, but none of them
was a complete solution.
The below has worked for me... hopefully it will prove useful to someone
else.
This code is taken from a fairly old xwiki that my client didn't want to
upgrade. It is based around registerinline.vm, which had previously been
edited to add a lot more fields. I am not an expert on OOP but got it to
work with a selection of conditional statements.
First declare the plugin - you have to make sure it's enabled - but
apparently it is by default. "if ($reg)..." will evaluate to true/false,
and if the value is negative it's an error. You test the state of the
captcha using $captchaPlugin.verifyCaptcha("edit"), where "edit" is the
name - set much later on.
One of the problems was that the form would come back with the correct
messages, e.g. it would tell you if the captcha was filled in wrong, but the
new user would still be registered (assuming all the other fields were filled
in correctly). By playing I found that
<input type="hidden" name="register" value="1"/> was the key - if
value="1" then registration occurs, if value="0" then it doesn't. So put
this in a conditional - which seems to only depend on the captcha being
true/false - which was odd, because I would have thought you'd want to test
with $reg as well. However, I couldn't get it to work with $reg at this
stage - reg=$reg usually prints out the number - but at this point it just
printed out reg=$reg...
Don't forget to put "verifyCaptcha" into the action of the form tag.
Call displayCaptcha and pass the class name as "register_captcha", which
should map to the CSS class name used to render the image:
$captchaPlugin.displayCaptcha("edit","register_captcha")
Pass the name as "edit".
Go to
http://<host>:<port>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object
& find XWiki.XWikiPreferences[0]: XWiki.DefaultSkin. Select the values for
Anonymous: and Registered: as image or text - text gives you a simple
sum to fill in. There were 3 sets of each on mine; I set them all to
image or all to text.
Anyway, back to work...
## declare the plugin
#set($captchaPlugin = $xwiki.jcaptcha)
#if(!$reg||$reg<0 )
<p>Welcome .....</p>
#end
#* if reg is true (ie form filled), but less than zero OR the captcha is
   wrong *#
#if( ($reg && $reg<=0) || !$captchaPlugin.verifyCaptcha("edit") )
#if($reg==-2)
#error("$msg.get('core.register.passwordMismatch')")
#elseif($reg==-3)
#error("$msg.get('core.register.userAlreadyExists')")
#elseif($reg==-4)
#error("$msg.get('core.register.invalidUsername')")
#elseif($reg==-8)
#error("$msg.get('core.register.userAlreadyExists')")
#else
##error("$msg.get('core.register.registerFailed', [$reg])")
#error("The captcha field was filled in wrongly.")
#end
#elseif($reg && $captchaPlugin.verifyCaptcha("edit"))
## form was submitted and the captcha verified: show the success message
#set($xwname = "XWiki.${request.xwikiname}")
#info("$msg.get('core.register.successful', [$xwiki.getUserName($xwname), $request.xwikiname])")
#end
## form appears if reg is not true or it's -ve or the captcha is wrong
#if(!$reg||$reg<0 || !$captchaPlugin.verifyCaptcha("edit") )
<form id="register" action="verifyCaptcha" method="post">
<div>
<input type="hidden" name="template" value="XWiki.XWikiUserTemplate" />
## this is a key statement: the captcha result decides the hidden register value
#if ($captchaPlugin.verifyCaptcha("edit"))
## set it to 1
<input type="hidden" name="register" value="1"/>
#else
## set it to 0
<input type="hidden" name="register" value="0"/>
#end
#set($class = $xwiki.getClass("XWiki.XWikiUsers"))
#set($obj = $class.newObject())
#set($serverobj = $class.newObject())
#set($discard = $doc.use("XWiki.XWikiUsers"))
#if($request.register_first_name)
$doc.set("first_name", $request.register_first_name)
#end
#if($request.register_last_name)
$doc.set("last_name", $request.register_last_name)
#end
<dl>
## username
<dt>$msg.get("core.register.username")</dt>
<dd><input name="xwikiname" type="text" size="20" onfocus="prepareName(document.forms.register);" /></dd>
... lots more fields
## render the captcha widget (name "edit", CSS class "register_captcha")
#if ($captchaPlugin)
$captchaPlugin.displayCaptcha("edit","register_captcha")
#end
<span class="buttonwrapper"><input type="submit" value="$msg.get("core.register.submit")"/></span></div>
</form>
#end
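An added example, not code from this thread or from XWiki: a small Python model of the two registration flows under discussion, the hidden-field pattern from the template above beside a handler that verifies the captcha server-side on the request that actually performs the registration. The Request shape, the function names and the session-backed captcha store are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict                                 # query string or form body: client-controlled
    session: dict = field(default_factory=dict)  # server-side session state (assumed store)


def captcha_ok(req: Request) -> bool:
    """Server-side check: compare the submitted answer with the one stored in
    the session when the captcha was rendered; consume it so it cannot be replayed."""
    expected = req.session.pop("captcha_answer", None)
    return expected is not None and req.params.get("captcha") == expected


def register_trusting(req: Request, users: set) -> str:
    """The pattern in the template: the captcha only decides which value the
    hidden 'register' field is rendered with, and the registration step itself
    acts on that field, which arrives from the client."""
    if req.params.get("register") != "1":
        return "form"
    users.add(req.params.get("xwikiname", ""))
    return "registered"


def register_hardened(req: Request, users: set) -> str:
    """Verify the captcha on the same request that performs the registration,
    accept only POST, and never consult a client-supplied 'register' flag."""
    if req.method != "POST":
        return "rejected: method"
    if not captcha_ok(req):
        return "rejected: captcha"
    name = req.params.get("xwikiname", "").strip()
    if not name or name in users:
        return "rejected: username"
    users.add(name)
    return "registered"


def demo() -> dict:
    """Run both handlers over constructed requests: a GET and a POST carrying
    register=1 with a wrong captcha answer, and an honest POST (constructed data)."""
    forged = {"register": "1", "xwikiname": "bob", "captcha": "wrong"}
    honest = {"xwikiname": "alice", "captcha": "7"}
    return {
        "trusting_forged": register_trusting(Request("GET", dict(forged), {"captcha_answer": "7"}), set()),
        "hardened_forged_get": register_hardened(Request("GET", dict(forged), {"captcha_answer": "7"}), set()),
        "hardened_forged_post": register_hardened(Request("POST", dict(forged), {"captcha_answer": "7"}), set()),
        "hardened_honest": register_hardened(Request("POST", honest, {"captcha_answer": "7"}), set()),
    }
```

The trusting handler returns "registered" for the forged request, which is the behaviour Ajdin describes; the hardened one rejects it on method and, for a POST, on the captcha.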
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users