Support requiring users to pass a CAPTCHA to log in

Resolves #128.

README.md

@@ -14,7 +14,9 @@ See [TinyIB Installations](https://gitlab.com/tslocum/tinyib/wikis/Home) for dem
 
  - GIF, JPG, PNG, SWF, MP4 and WebM upload.
  - YouTube, Vimeo and SoundCloud embedding.
- - CAPTCHA  (A simple implementation is included, reCAPTCHA is also supported)
+ - CAPTCHA
+   - A simple, self-hosted implementation is included
+   - [ReCAPTCHA](https://www.google.com/recaptcha/about/) is supported but [not recommended](https://nearcyan.com/you-probably-dont-need-recaptcha/)
  - Reference links >>###
  - Delete post via password.
  - Management panel:

imgboard.php

@@ -80,14 +80,6 @@ if (!defined('TINYIB_LOCALE') || TINYIB_LOCALE == '') {
 	$translator->register();
 }
 
-if (TINYIB_TRIPSEED == '' || TINYIB_ADMINPASS == '') {
-	fancyDie(__('TINYIB_TRIPSEED and TINYIB_ADMINPASS must be configured.'));
-}
-
-if (TINYIB_CAPTCHA === 'recaptcha' && (TINYIB_RECAPTCHA_SITE == '' || TINYIB_RECAPTCHA_SECRET == '')) {
-	fancyDie(__('TINYIB_RECAPTCHA_SITE and TINYIB_RECAPTCHA_SECRET  must be configured.'));
-}
-
 $database_modes = array('flatfile', 'mysql', 'mysqli', 'sqlite', 'sqlite3', 'pdo');
 if (!in_array(TINYIB_DBMODE, $database_modes)) {
 	fancyDie(__('Unknown database mode specified.'));
@@ -196,6 +188,14 @@ foreach ($includes as $include) {
 	require $include;
 }
 
+if (TINYIB_TRIPSEED == '' || TINYIB_ADMINPASS == '') {
+	fancyDie(__('TINYIB_TRIPSEED and TINYIB_ADMINPASS must be configured.'));
+}
+
+if ((TINYIB_CAPTCHA === 'recaptcha' || TINYIB_MANAGECAPTCHA === 'recaptcha') && (TINYIB_RECAPTCHA_SITE == '' || TINYIB_RECAPTCHA_SECRET == '')) {
+	fancyDie(__('TINYIB_RECAPTCHA_SITE and TINYIB_RECAPTCHA_SECRET  must be configured.'));
+}
+
 if (TINYIB_TIMEZONE != '') {
 	date_default_timezone_set(TINYIB_TIMEZONE);
 }
@@ -211,7 +211,7 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
 	$rawpost = isRawPost();
 	$rawposttext = '';
 	if (!$loggedin) {
-		checkCAPTCHA();
+		checkCAPTCHA(TINYIB_CAPTCHA);
 		checkBanned();
 		checkMessageSize();
 		checkFlood();

inc/defines.php

@@ -37,6 +37,9 @@ if (!defined('TINYIB_NOFILEOK')) {
 if (!defined('TINYIB_CAPTCHA')) {
 	define('TINYIB_CAPTCHA', '');
 }
+if (!defined('TINYIB_MANAGECAPTCHA')) {
+	define('TINYIB_MANAGECAPTCHA', '');
+}
 if (!defined('TINYIB_REQMOD')) {
 	define('TINYIB_REQMOD', '');
 }

inc/functions.php

@@ -196,8 +196,8 @@ function deletePostImages($post) {
 	}
 }
 
-function checkCAPTCHA() {
-	if (TINYIB_CAPTCHA === 'recaptcha') {
+function checkCAPTCHA($mode) {
+	if ($mode === 'recaptcha') {
 		require_once 'inc/recaptcha/autoload.php';
 
 		$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
@@ -228,7 +228,7 @@ function checkCAPTCHA() {
 			}
 			fancyDie($captcha_error);
 		}
-	} else if (TINYIB_CAPTCHA) { // Simple CAPTCHA
+	} else if ($mode) { // Simple CAPTCHA
 		$captcha = isset($_POST['captcha']) ? strtolower(trim($_POST['captcha'])) : '';
 		$captcha_solution = isset($_SESSION['tinyibcaptcha']) ? strtolower(trim($_SESSION['tinyibcaptcha'])) : '';
 
@@ -274,10 +274,14 @@ function manageCheckLogIn() {
 	$loggedin = false;
 	$isadmin = false;
 	if (isset($_POST['managepassword'])) {
+		checkCAPTCHA(TINYIB_MANAGECAPTCHA);
+
 		if ($_POST['managepassword'] === TINYIB_ADMINPASS) {
 			$_SESSION['tinyib'] = TINYIB_ADMINPASS;
 		} elseif (TINYIB_MODPASS != '' && $_POST['managepassword'] === TINYIB_MODPASS) {
 			$_SESSION['tinyib'] = TINYIB_MODPASS;
+		} else {
+			fancyDie(__('Invalid password.'));
 		}
 	}
 

inc/html.php

@@ -4,7 +4,7 @@ if (!defined('TINYIB_BOARD')) {
 }
 
 function pageHeader() {
-	$js_captcha = TINYIB_CAPTCHA === 'recaptcha' ? '<script src="https://www.google.com/recaptcha/api.js" async defer></script>' : '';
+	$js_captcha = (TINYIB_CAPTCHA === 'recaptcha' || TINYIB_MANAGECAPTCHA === 'recaptcha') ? '<script src="https://www.google.com/recaptcha/api.js" async defer></script>' : '';
 
 	$return = <<<EOF
 <!DOCTYPE html>
@@ -610,7 +610,7 @@ EOF;
 	}
 	$replies = numRepliesToThreadByID($post['id']);
 	$subject = trim($post['subject']) != '' ? $post['subject'] : substr(trim(str_ireplace("\n", '', strip_tags($post['message']))), 0, 75);
-	
+
 	return <<<EOF
 <div class="catalogpost" style="max-width: {$maxwidth}px;">
 	<a href="res/{$post['id']}.html">
@@ -757,12 +757,38 @@ function manageOnLoad($page) {
 function manageLogInForm() {
 	$txt_login = __('Log In');
 	$txt_login_prompt = __('Enter an administrator or moderator password');
+	$captcha_inner_html = '';
+	if (TINYIB_MANAGECAPTCHA === 'recaptcha') {
+		$captcha_inner_html = '
+<br>
+<div style="min-height: 80px;">
+	<div class="g-recaptcha" data-sitekey="' . TINYIB_RECAPTCHA_SITE . '"></div>
+	<noscript>
+		<div>
+			<div style="width: 302px; height: 422px; position: relative;">
+				<div style="width: 302px; height: 422px; position: absolute;">
+					<iframe src="https://www.google.com/recaptcha/api/fallback?k=' . TINYIB_RECAPTCHA_SITE . '" frameborder="0" scrolling="no" style="width: 302px; height:422px; border-style: none;"></iframe>
+				</div>
+			</div>
+			<div style="width: 300px; height: 60px; border-style: none;bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px;background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
+				<textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid #c1c1c1; margin: 10px 25px; padding: 0px; resize: none;"></textarea>
+			</div>
+		</div>
+	</noscript>
+</div><br><br>';
+	} else if (TINYIB_MANAGECAPTCHA) { // Simple CAPTCHA
+		$captcha_inner_html = '
+<br>
+<input type="text" name="captcha" id="captcha" size="6" accesskey="c" autocomplete="off">&nbsp;&nbsp;' . __('(enter the text below)') . '<br>
+<img id="captchaimage" src="inc/captcha.php" width="175" height="55" alt="CAPTCHA" onclick="javascript:reloadCAPTCHA()" style="margin-top: 5px;cursor: pointer;"><br><br>';
+	}
 	return <<<EOF
 	<form id="tinyib" name="tinyib" method="post" action="?manage">
 	<fieldset>
 	<legend align="center">$txt_login_prompt</legend>
 	<div class="login">
 	<input type="password" id="managepassword" name="managepassword"><br>
+	$captcha_inner_html
 	<input type="submit" value="$txt_login" class="managebutton">
 	</div>
 	</fieldset>

settings.default.php

@@ -19,10 +19,12 @@ define('TINYIB_ADMINPASS', '');       // Administrators have full access to the
 define('TINYIB_MODPASS', '');         // Moderators only have access to delete (and moderate if TINYIB_REQMOD is set) posts  ['' to disable]
 
 // Board description and behavior
+//   Warning: Enabling ReCAPTCHA will cause all visitors to be tracked by Google.  See https://nearcyan.com/you-probably-dont-need-recaptcha/
 define('TINYIB_BOARD', 'b');          // Unique identifier for this board using only letters and numbers
 define('TINYIB_BOARDDESC', 'TinyIB'); // Displayed at the top of every page
 define('TINYIB_ALWAYSNOKO', false);   // Redirect to thread after posting
 define('TINYIB_CAPTCHA', '');         // Reduce spam by requiring users to pass a CAPTCHA when posting: simple / recaptcha  (click Rebuild All in the management panel after enabling)  ['' to disable]
+define('TINYIB_MANAGECAPTCHA', '');   // Improve security by requiring users to pass a CAPTCHA when logging in to the management panel: simple / recaptcha  ['' to disable]
 define('TINYIB_REQMOD', '');          // Require moderation before displaying posts: files / all  ['' to disable]
 
 // Board appearance