changeset: 75:83477f735132 user: erik.forsberg date: Sat Mar 24 21:18:28 2007 +0000 files: extensions/timestamp.py html/user.register.html description: Limit the registration form - make sure there's a reasonable delay between form generation and form submission. If not, there's a good chance that the submitter is not human, but rather a spambot. See http://psf.upfronthosting.co.za/roundup/meta/issue105.
diff -r 419079befb2c -r 83477f735132 extensions/timestamp.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/timestamp.py Sat Mar 24 21:18:28 2007 +0000
@@ -0,0 +1,28 @@
+import time, struct, base64
+from roundup.cgi.actions import RegisterAction
+from roundup.cgi.exceptions import *
+
+def timestamp():
+ return base64.encodestring(struct.pack("i", time.time())).strip()
+
+def unpack_timestamp(s):
+ return struct.unpack("i",base64.decodestring(s))[0]
+
+class Timestamped:
+ def check(self):
+ try:
+ created = unpack_timestamp(self.form['opaque'].value)
+ except KeyError:
+ raise FormError, "somebody tampered with the form"
+ if time.time() - created < 4:
+ raise FormError, "responding to the form too quickly"
+ return True
+
+class TimestampedRegister(Timestamped, RegisterAction):
+ def permission(self):
+ self.check()
+ RegisterAction.permission(self)
+
+def init(instance):
+ instance.registerUtil('timestamp', timestamp)
+ instance.registerAction('register', TimestampedRegister)
diff -r 419079befb2c -r 83477f735132 html/user.register.html
--- a/html/user.register.html Sat Mar 24 20:47:19 2007 +0000
+++ b/html/user.register.html Sat Mar 24 21:18:28 2007 +0000
@@ -18,6 +18,7 @@ enctype="multipart/form-data" tal:attributes="action context/designator"> +
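Review bot: The `opaque` value that `Timestamped.check` trusts is only a base64-encoded `struct.pack("i", ...)` of the clock, with nothing binding it to the server, so the four-second delay holds only for clients that echo the value unchanged; any well-formed older value, including one reused across submissions, passes. Authenticating the field with an HMAC under a server-side secret and rejecting values beyond a maximum age would make the check meaningful, as sketched below, where `_SECRET` and `MAX_FORM_AGE` are placeholders this commit does not define. Separately, only `KeyError` is caught, so a malformed or repeated `opaque` field would likely surface as an unhandled decoding or attribute error rather than a `FormError`. The sketch also needs `hmac`, `hashlib` and `binascii` imported, and `hmac.compare_digest` requires a newer Python than this file's syntax suggests, so substitute a constant-time comparison helper if it is unavailable.

```python
def timestamp():
    # _SECRET is a placeholder for a per-tracker secret kept server-side.
    raw = struct.pack("i", int(time.time()))
    tag = hmac.new(_SECRET, raw, hashlib.sha256).digest()
    return base64.encodestring(raw + tag).strip()

def unpack_timestamp(s):
    blob = base64.decodestring(s)
    size = struct.calcsize("i")
    raw, tag = blob[:size], blob[size:]
    expected = hmac.new(_SECRET, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("timestamp tag mismatch")
    return struct.unpack("i", raw)[0]

        # ... unchanged: class Timestamped, def check(self), try: created = unpack_timestamp(...) ...
        except (KeyError, AttributeError, TypeError, ValueError,
                struct.error, binascii.Error):
            raise FormError, "somebody tampered with the form"
        age = time.time() - created
        if age < 4:
            raise FormError, "responding to the form too quickly"
        # MAX_FORM_AGE is a placeholder for the longest lifetime a form may have.
        if age > MAX_FORM_AGE:
            raise FormError, "the form has expired, please reload it"
        # ... unchanged: return True ...
```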
Name