captcha for filter page (#81)

ankitamk14 · web-flow · commit 7ba2a9b6eb8b · 2026-03-09T23:40:10.000+05:30
diff --git a/forums/settings.py b/forums/settings.py
@@ -276,6 +276,7 @@
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
+    'website.middleware.FilterCaptchaGateMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
diff --git a/static/website/templates/filter_verify.html b/static/website/templates/filter_verify.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>Verifying browser...</title>
+        <script src="https://www.google.com/recaptcha/api.js?render={{ site_key }}"></script>
+    </head>
+    <body>
+        <p>Verifying your browser...</p>
+        <form id="verify-form" method="post" action="{% url 'website:verify_filter_access' %}">
+            {% csrf_token %}
+            <input type="hidden" name="token" id="recaptcha_token">
+            <input type="hidden" name="next" value="{{ next_url }}">
+        </form>
+
+        <script>
+            grecaptcha.ready(function() {
+            grecaptcha.execute('{{ site_key }}', {action: 'filter_page'}).then(function(token) {
+                document.getElementById('recaptcha_token').value = token;
+                document.getElementById('verify-form').submit();
+            });
+        });
+        </script>
+    </body>
+
+</html>
+</html>
diff --git a/website/urls.py b/website/urls.py
@@ -38,4 +38,7 @@
     url(r'^ajax-time-search/$', views.ajax_time_search, name='ajax_time_search'),
     url(r'^ajax-delete-question/$', views.ajax_delete_question, name='ajax_delete_question'),
     url(r'^ajax-hide-question/$', views.ajax_hide_question, name='ajax_hide_question'),
+
+    #captcha
+    url(r'^verify-filter-access/$', views.verify_filter_access, name='verify_filter_access'),
 ]
diff --git a/website/views.py b/website/views.py
@@ -2,7 +2,7 @@
 import requests
 
 from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden
-from django.shortcuts import render, get_object_or_404
+from django.shortcuts import render, get_object_or_404, redirect
 from django.template.context_processors import csrf
 from django.contrib.auth.decorators import login_required
 from django.contrib import messages
@@ -166,7 +166,6 @@ def home(request):
             uids.add(q.last_post_by)
     
     users = {u.id: u.username for u in User.objects.filter(id__in=uids)}
-    
     # Attach usernames to question objects so templates don't trigger queries
     for q in all_questions:
         q.cached_user = users.get(q.uid, "Unknown User")
@@ -1090,3 +1089,40 @@ def unanswered_notification(request):
     if total_count:
         forums_mail(to, subject, message)
     return HttpResponse(message)
+
+
+def verify_filter_access(request):
+    if request.method != 'POST':
+        return HttpResponseForbidden("Invalid request method")
+    
+    token = request.POST.get('token', "").strip()
+    next_url = request.POST.get('next', "").strip()
+
+    if not token:
+        return HttpResponseForbidden("Missing captcha token")
+
+    try:
+        data = {'secret': settings.RECAPTCHA_SECRET_KEY, 'response': token}
+        resp = requests.post('https://www.google.com/recaptcha/api/siteverify',
+                             data, timeout=5)
+        result = resp.json()
+    except Exception:
+        return HttpResponseForbidden("Captcha verification service unavailable")
+    
+    success = result.get('success', False)
+    score = result.get('score', 0.0)
+    action = result.get('action', "")
+    
+
+    # Tune score threshold as needed.
+    if not success:
+        return HttpResponseForbidden("Captcha verification failed")
+    if action != 'filter_page':
+        return HttpResponseForbidden("Invalid captcha action")
+    if score < 0.5:
+        return HttpResponseForbidden("Request looks suspicious")
+
+    request.session["filter_verified"] = True
+    # optionally, set filter_verified_at timestamp session for seperate filter_verify expiiry
+
+    return redirect(next_url)

Original file line number	Diff line number	Diff line change
`@@ -38,4 +38,7 @@`
`38`	`38`	`url(r'^ajax-time-search/$', views.ajax_time_search, name='ajax_time_search'),`
`39`	`39`	`url(r'^ajax-delete-question/$', views.ajax_delete_question, name='ajax_delete_question'),`
`40`	`40`	`url(r'^ajax-hide-question/$', views.ajax_hide_question, name='ajax_hide_question'),`
	`41`	`+`
	`42`	`+ #captcha`
	`43`	`+ url(r'^verify-filter-access/$', views.verify_filter_access, name='verify_filter_access'),`
`41`	`44`	`]`