Making WordPress.org


Ignore:
Timestamp:
04/27/2021 04:24:21 AM (4 years ago)
Author:
dd32
Message:

Login: Allow registrations with "low reCaptcha scores" to register, but go into a pending-moderation state.

This will allow legitimate users who receive a "Please try again" error to be manually approved.

This will also allow us to experiment with more aggressive anti-spam measures, as the majority of current spam registrations are human generated.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php

    r10901 r10928  
    66 */
    77
    8 // Clear the pending cookies, they're no longer needed.
    9 if ( isset( $_COOKIE['wporg_profile_user'] ) ) {
    10     setcookie( 'wporg_profile_user', false, time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    11     setcookie( 'wporg_profile_key', false,  time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    12 }
     8$sso = WPOrg_SSO::get_instance();
    139
    1410// Migrate to cookies.
    15 if ( !empty( WP_WPOrg_SSO::$matched_route_params['confirm_user'] ) ) {
    16     setcookie( 'wporg_confirm_user', WP_WPOrg_SSO::$matched_route_params['confirm_user'], time()+DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    17     setcookie( 'wporg_confirm_key',  WP_WPOrg_SSO::$matched_route_params['confirm_key'],  time()+DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
     11if ( !empty( $sso::$matched_route_params['confirm_user'] ) ) {
     12    setcookie( 'wporg_confirm_user', $sso::$matched_route_params['confirm_user'], time()+DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
     13    setcookie( 'wporg_confirm_key',  $sso::$matched_route_params['confirm_key'],  time()+DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    1814
    1915    wp_safe_redirect( '/register/create' );
     
    6056}
    6157
    62 
    63 $error_recapcha_status = $error_akismet = false;
    64 if ( isset( $_POST['user_pass'] ) ) {
     58$error_recapcha_status = false;
     59if ( isset( $_POST['user_pass'] ) && 2 !== $pending_user['cleared'] ) {
    6560
    6661    // Check reCaptcha status
    67     if ( ! wporg_login_check_recapcha_status( 'pending_create' ) ) {
    68         // No no. "Please try again."
     62    if ( ! wporg_login_check_recapcha_status( 'pending_create', false ) ) {
     63        unset( $_POST['user_pass'] );
    6964        $error_recapcha_status = true;
    70         unset( $_POST['user_pass'] );
    71     }
    72 
    73     // Check Akismet
    74     $akismet = wporg_login_check_akismet(
     65
     66        // Allow a recaptcha fail to try again, but if they're blocked due to low score, mark them as needing approval.
     67        if ( ! wporg_login_check_recapcha_status( 'pending_create', true ) ) {
     68            $pending_user['cleared'] = 0;
     69        }
     70
     71        // Store for reference.
     72        if ( isset( $_POST['_reCaptcha_v3_token'] ) ) {
     73            $recaptcha_api = wporg_login_recaptcha_api(
     74                $_POST['_reCaptcha_v3_token'],
     75                RECAPTCHA_V3_PRIVKEY
     76            );
     77            $pending_user['scores']['create_attempt'] = -1;
     78            if ( $recaptcha_api && $recaptcha_api['success'] && 'pending_create' == $recaptcha_api['action'] ) {
     79                $pending_user['scores']['create_attempt'] = $recaptcha_api['score'];
     80            }
     81        }
     82    }
     83
     84    // Check Akismet with new profile information
     85    $pending_user['meta']['akismet_result'] = wporg_login_check_akismet(
    7586        $pending_user['user_login'],
    7687        $pending_user['user_email'],
     
    8394    );
    8495
    85     // Store for reference.
    86     $pending_user['meta']['akismet_result'] = $akismet;
     96    if ( 'spam' === $pending_user['meta']['akismet_result'] ) {
     97        $pending_user['cleared'] = 0;
     98        unset( $_POST['user_pass'] );
     99    }
     100
    87101    wporg_update_pending_user( $pending_user );
    88 
    89     if ( 'spam' == $akismet ) {
    90         // No no. "Please try again."
    91         $error_akismet = true;
    92         unset( $_POST['user_pass'] );
    93     }
    94 
     102}
     103
     104if ( ! $pending_user['cleared'] ) {
     105    if ( ! empty( $_COOKIE['wporg_profile_user'] ) ) {
     106        // Throw the user back to the pending screen after being detected as spam at this point.
     107        wp_safe_redirect( '/register/create-profile/' );
     108        die();
     109    }
     110
     111    unset( $_POST['user_pass'] );
    95112}
    96113
     
    101118        $user = wporg_login_create_user_from_pending( $pending_user, $user_pass );
    102119        if ( $user ) {
     120
     121            // Clear the cookies, they're no longer needed.
     122            setcookie( 'wporg_profile_user', false, time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
     123            setcookie( 'wporg_profile_key',  false, time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    103124            setcookie( 'wporg_confirm_user', false, time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
    104125            setcookie( 'wporg_confirm_key',  false, time()-DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
     
    121142?>
    122143
    123 <p class="intro">
    124 <?php _e( 'Set your password and complete your WordPress.org Profile information.', 'wporg' ); ?>
    125 </p>
    126 
    127144<form name="registerform" id="registerform" action="" method="post">
    128145
    129         <p class="login-login">
    130             <label for="user_login"><?php _e( 'Username', 'wporg' ); ?></label>
    131             <input type="text" disabled="disabled" class=" disabled" value="<?php echo esc_attr( $activation_user ); ?>" size="20" />
    132         </p>
    133 
    134         <div class="user-pass1-wrap">
     146    <?php if ( ! $pending_user['cleared'] ) { ?>
     147    <div class="message info">
     148        <p><?php
     149            printf(
     150                /* translators: %s Email address */
     151                __( 'Your account is pending approval. You will receive an email at %s to set your password when approved.', 'wporg' ) . '<br>' .
     152                __( 'Please contact %s for more details.', 'wporg' ),
     153                '<code>' . esc_html( $pending_user['user_email'] ) . '</code>',
     154                '<a href="mailto:' . $sso::SUPPORT_EMAIL . '">' . $sso::SUPPORT_EMAIL . '</a>'
     155            );
     156        ?></p>
     157    </div>
     158    <?php } ?>
     159
     160    <p class="intro">
     161        <?php _e( 'Set your password and complete your WordPress.org Profile information.', 'wporg' ); ?>
     162    </p>
     163
     164    <p class="login-login">
     165        <label for="user_login"><?php _e( 'Username', 'wporg' ); ?></label>
     166        <input type="text" disabled="disabled" class=" disabled" value="<?php echo esc_attr( $activation_user ); ?>" size="20" />
     167    </p>
     168
     169    <div class="user-pass1-wrap">
    135170        <p>
    136171            <label for="pass1"><?php _e( 'Password', 'wporg' ); ?></label>
     
    145180    </div>
    146181
    147 <!--    <p class="description indicator-hint"><?php _e( 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ &amp; ).', 'wporg' ); ?></p> -->
    148 
    149182    <?php
    150183        $fields = &$pending_user['meta'];
    151184        include __DIR__ . '/partials/register-profilefields.php';
    152185    ?>
     186
    153187    <?php
    154         if ( $error_recapcha_status || $error_akismet ) {
     188        if ( $error_recapcha_status ) {
    155189            echo '<div class="message error"><p>' . __( 'Please try again.', 'wporg' ) . '</p></div>';
    156190        }
Note: See TracChangeset for help on using the changeset viewer.