Add recaptcha to group creation

de135860 · Drew Blessing · Drew Blessing · 0ac6ffdd · de135860 · de135860
Commit de135860 authored Mar 15, 2021 by Drew Blessing Committed by Drew Blessing Mar 15, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

app/controllers/groups_controller.rb app/controllers/groups_controller.rb +29 -0

app/views/groups/_new_group_fields.html.haml app/views/groups/_new_group_fields.html.haml +5 -0

No files found.
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -8,6 +8,7 @@ class GroupsController < Groups::ApplicationController
  include RecordUserLastActivity
  include SendFileUpload
  include FiltersEvents
+  include Recaptcha::Verify
  extend ::Gitlab::Utils::Override

  respond_to :html
@@ -15,6 +16,7 @@ class GroupsController < Groups::ApplicationController
  prepend_before_action(only: [:show, :issues]) { authenticate_sessionless_user!(:rss) }
  prepend_before_action(only: [:issues_calendar]) { authenticate_sessionless_user!(:ics) }
  prepend_before_action :ensure_export_enabled, only: [:export, :download_export]
+  prepend_before_action :check_captcha, only: :create

  before_action :authenticate_user!, only: [:new, :create]
  before_action :group, except: [:index, :new, :create]
@@ -22,6 +24,7 @@ class GroupsController < Groups::ApplicationController
  # Authorize
  before_action :authorize_admin_group!, only: [:edit, :update, :destroy, :projects, :transfer, :export, :download_export]
  before_action :authorize_create_group!, only: [:new]
+  before_action :load_recaptcha, only: [:new]

  before_action :group_projects, only: [:projects, :activity, :issues, :merge_requests]
  before_action :event_filter, only: [:activity]
@@ -38,6 +41,8 @@ class GroupsController < Groups::ApplicationController

  before_action :export_rate_limit, only: [:export, :download_export]

+  helper_method :captcha_enabled?, :captcha_required?
+
  skip_cross_project_access_check :index, :new, :create, :edit, :update,
                                  :destroy, :projects
  # When loading show as an atom feed, we render events that could leak cross
@@ -317,6 +322,22 @@ class GroupsController < Groups::ApplicationController
    render_404 unless Feature.enabled?(:group_import_export, @group, default_enabled: true)
  end

+  def load_recaptcha
+    Gitlab::Recaptcha.load_configurations!
+  end
+
+  def check_captcha
+    return unless captcha_enabled? && load_recaptcha
+    return if group_params[:parent_id].present? # Only require for top-level groups
+
+    return if verify_recaptcha
+
+    flash[:alert] = _('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.')
+    flash.delete :recaptcha_error
+    @group = Group.new(group_params)
+    render action: 'new'
+  end
+
  private

  def successful_creation_hooks; end
@@ -336,6 +357,14 @@ class GroupsController < Groups::ApplicationController
  def has_project_list?
    %w(details show index).include?(action_name)
  end
+
+  def captcha_enabled?
+    Gitlab::Recaptcha.enabled?
+  end
+
+  def captcha_required?
+    !params[:parent_id]
+  end
 end

 GroupsController.prepend_if_ee('EE::GroupsController')
--- a/app/views/groups/_new_group_fields.html.haml
+++ b/app/views/groups/_new_group_fields.html.haml
@@ -16,6 +16,11 @@
 .row
  .col-sm-4
    = render_if_exists 'shared/groups/invite_members'
+
+- if captcha_enabled? && captcha_required?
+  .row.recaptcha
+    .col-sm-4
+      = recaptcha_tags
 .row
  .form-actions.col-sm-12
    = f.submit _('Create group'), class: "btn gl-button btn-confirm"