'. t("Mollom can be used to block all types of spam received on your website's protected forms. Each form can be set to one of the following options:") .'
'. ''. t("Data is processsed and stored as explained in our Web Service Privacy Policy. It is your responsibility to provide any necessary notices and obtain the appropriate consent regarding Mollom's use of your data. For more information, see How Mollom Works and the Mollom FAQ.") .'
', '#collapsible' => TRUE, ); $forms = _mollom_protectable_forms(); foreach ($forms as $form_id => $details) { $mode = _mollom_get_mode($form_id); $name = 'mollom_'. $form_id; $options = array_slice(array( MOLLOM_MODE_DISABLED => t('No protection'), MOLLOM_MODE_CAPTCHA => t('CAPTCHA only'), MOLLOM_MODE_ANALYSIS => t('Text analysis and CAPTCHA backup'), ), 0, $details['mode'] + 1); $form['spam'][$name] = array( '#type' => 'select', '#title' => t('Protect @name', array('@name' => $details['name'])), '#options' => $options, '#default_value' => $mode, ); } $form['server'] = array( '#type' => 'fieldset', '#title' => t('Server settings'), '#collapsible' => TRUE, '#collapsed' => $keys, ); $form['server']['mollom_fallback'] = array( '#type' => 'radios', '#title' => t('Fallback strategy'), '#default_value' => variable_get('mollom_fallback', MOLLOM_FALLBACK_BLOCK), // we default to treating everything as inappropriate '#options' => array( MOLLOM_FALLBACK_BLOCK => t('Block all submissions of protected forms until the server problems are resolved'), MOLLOM_FALLBACK_ACCEPT => t('Leave all forms unprotected and accept all submissions'), ), '#description' => t('When the Mollom servers are down or otherwise unreachable, no text analysis is performed and no CAPTCHAs are generated. If this occurs, your Drupal site will use the configured fallback strategy, and will either accept all submissions without spam checking, or block all submissions until the server or connection problems are resolved. Subscribers to Mollom Plus receive access to Mollom\'s high-availability backend infrastructure, not available to free users, reducing potential downtime.', array('@pricing' => 'http://mollom.com/pricing', '@sla' => 'http://mollom.com/standard-service-level-agreement')), ); } $form['access-keys'] = array( '#type' => 'fieldset', '#title' => t('Mollom access keys'), '#description' => t('In order to use Mollom, you need both a public and private key. To obtain your keys, simply create a user account on mollom.com, login to mollom.com, and create a subscription for your site. Once you created a subscription, your private and public access keys will be available from the site manager on mollom.com. Copy-paste them in the form below, and you are ready to go.'), '#collapsible' => TRUE, '#collapsed' => $keys, ); $form['access-keys']['mollom_public_key'] = array( '#type' => 'textfield', '#title' => t('Public key'), '#default_value' => variable_get('mollom_public_key', ''), '#description' => t('The public key is used to uniquely identify you.'), '#required' => TRUE, ); $form['access-keys']['mollom_private_key'] = array( '#type' => 'textfield', '#title' => t('Private key'), '#default_value' => variable_get('mollom_private_key', ''), '#description' => t('The private key is used to prevent someone from hijacking your requests. Similar to a password, it should never be shared with anyone.'), '#required' => TRUE, ); return system_settings_form($form); } /** * A helper function that returns the OpenID identifiers associated with the specified user account. */ function _mollom_get_openid($account) { if (isset($account->uid)) { $result = db_query("SELECT * FROM {authmap} WHERE module = 'openid' AND uid = %d", $account->uid); $ids = array(); while ($identity = db_fetch_object($result)) { $ids[] = $identity->authname; } if (count($ids)) { return implode($ids, ' '); } } } function _mollom_fallback() { $fallback = variable_get('mollom_fallback', MOLLOM_FALLBACK_BLOCK); if ($fallback == MOLLOM_FALLBACK_BLOCK) { form_set_error('mollom', t("The spam filter installed on this site is currently unavailable. Per site policy, we are unable to accept new submissions until that problem is resolved. Please try resubmitting the form in a couple of minutes.")); } watchdog('mollom', 'All Mollom servers were unavailable: %servers, last error: @errno - %error_msg', array('%servers' => print_r(variable_get('mollom_servers', array()), TRUE), '@errno' => xmlrpc_errno(), '%error_msg' => xmlrpc_error_msg()), WATCHDOG_ERROR); } /** * Implementation of hook_elements(). */ function mollom_elements() { return array( 'mollom' => array( '#input' => TRUE, '#process' => array( 'mollom_expand_element', ), ), ); } /** * Expand the mollom element via #process. * * @param $element * An associative array containing the properties of the element. * @param $edit * An associative array of values posted specifically to that element. * @param $form_state * The state of the parent form. * @return * The mollom element expanded with a captcha if necessary. */ function mollom_expand_element($element, $edit, &$form_state, $form) { $element['#tree'] = TRUE; // The mollom form is stateful. The Mollom Session ID, exchanged between // Drupal, the mollom back-end and the user, allow us to keep track of the // state of validation of a form. That ID is valid for a specific user session // and for a given form_id only. We expire it as soon as the form is // submitted, to avoid it being replayed. // The current state can come either from the $form_state, if the form // was just rebuilt in the same request... if (!empty($form_state['mollom'])) { $mollom_state = $form_state['mollom']; } // ... or from data posted by the user. In that case we validate that the correct // form_id and user session ID is used... elseif (!empty($edit['session_id']) && ($cache = cache_get($edit['session_id'], 'cache_mollom')) && $cache->data['#form_id'] === $form_state['values']['form_id'] && $cache->data['#user_session_id'] === session_id()) { $mollom_state = $cache->data; } // ... finally, if no valid state has been found, we generate an empty one. if (empty($mollom_state)) { $mollom_state = array( '#session_id' => NULL, '#form_id' => $form_state['values']['form_id'], '#require_analysis' => $element['#mode'] == MOLLOM_MODE_ANALYSIS, '#require_captcha' => $element['#mode'] == MOLLOM_MODE_CAPTCHA, '#passed_captcha' => FALSE, '#user_session_id' => session_id(), ); } if (!empty($form['#post'])) { _mollom_debug("mollom_expand_element: submitted handler"); // First, perform captcha validation if required. if (!empty($mollom_state['#require_captcha']) && empty($mollom_state['#passed_captcha'])) { mollom_validate_captcha($mollom_state, $edit); } // Then, perform text analysis if required. if (!empty($mollom_state['#require_analysis'])) { mollom_validate_analysis($mollom_state, $form_state, $edit); } } if (!empty($mollom_state['#require_captcha']) && empty($mollom_state['#passed_captcha'])) { _mollom_debug('mollom_form_alter registered mollom_validate_captcha handler'); _mollom_insert_captcha($mollom_state, $element); // This prevents the Drupal page cache from storing the page when we // generated a captcha or when the user already passed the captcha. // This is not required for text analysis, because the above code will // simply generate a new session if the cached one doesn't match the user. // TODO: find a better way to do this in D7. $_SERVER['REQUEST_METHOD'] = 'POST'; } if (!empty($mollom_state['#session_id'])) { // We store the Mollom session only if something useful was done. // We save it in two places: as an hidden form field and in the cache // so that it persists form submission, and in $form_state so that it // persists form rebuilds. $element['session_id'] = array( '#type' => 'hidden', '#value' => $mollom_state['#session_id'], ); cache_set($mollom_state['#session_id'], $mollom_state, 'cache_mollom', 60*30); $form_state['mollom'] = $mollom_state; } return $element; } /** * Clean the Mollom state as soon as the form has been submitted. */ function mollom_clean_state($form_id, $form_state) { if (!empty($form_state['values']['mollom']['session_id'])) { cache_clear_all($form_state['values']['mollom']['session_id'], 'cache_mollom'); } } /** * Implementation of hook_theme(). */ function mollom_theme() { return array( 'mollom' => array( 'arguments' => array('element' => NULL), ), ); } /** * Theme function of the Mollom form element. */ function theme_mollom($element) { return isset($element['#children']) ? $element['#children'] : ''; } /** * This form API validator function performs text analysis on a form. */ function mollom_validate_analysis(&$mollom_state, $form_state, &$edit) { _mollom_debug("mollom_validate_analysis for '". $form_state['values']['form_id'] ."'"); $data = array(); $form_id = $form_state['values']['form_id']; $pos = strpos($form_id, '_node_form'); if ($pos !== FALSE) { // The node forms use dynamic form IDs so must use a special // case for these. $data = mollom_data_node_form($form_state['values']); } else { $function = 'mollom_data_'. $form_id; if (function_exists($function)) { $data = $function($form_state['values']); } } //watchdog('mollom', print_r($form_state['values'], TRUE)); $mollom = !empty($mollom_state['#session_id']) ? array('session_id' => $mollom_state['#session_id']) : array(); $result = mollom('mollom.checkContent', $data + $mollom); if (isset($result['session_id']) && isset($result['spam'])) { _mollom_debug('mollom_validate_analysis retrieved spam status '. $result['spam'] ." and session ID '". $result['session_id'] ."'"); // Store the session ID that Mollom returned and make sure that it persists across page requests: $mollom_state['#session_id'] = $result['session_id']; // Check the spam results and act accordingly: if ($result['spam'] == MOLLOM_ANALYSIS_HAM) { // Keep track of the response so we can use it later to save the data in the database: $GLOBALS['mollom_response'] = $result; watchdog('mollom', 'Ham: %message', array('%message' => $data['post_body'])); } elseif ($result['spam'] == MOLLOM_ANALYSIS_SPAM) { form_set_error('mollom', t('Your submission has triggered the spam filter and will not be accepted.')); watchdog('mollom', 'Spam: %message', array('%message' => $data['post_body'])); } else { if (empty($mollom_state['#passed_captcha'])) { // A captcha will be generated. form_set_error('mollom', t("We're sorry, but the spam filter thinks your submission could be spam. Please complete the CAPTCHA.")); watchdog('mollom', 'Unsure: %message', array('%message' => $data['post_body'])); $mollom_state['#require_captcha'] = TRUE; } } } else { return _mollom_fallback(); } } /** * This form API validator function is called to check a CAPTCHA on a form. */ function mollom_validate_captcha(&$mollom_state, $edit) { _mollom_debug("mollom_validate_captcha"); if (!empty($edit['captcha'])) { // Check the CAPTCHA result: $result = mollom('mollom.checkCaptcha', array( 'session_id' => $mollom_state['#session_id'], 'captcha_result' => $edit['captcha'], 'author_ip' => ip_address(), )); _mollom_debug('mollom_validate_captcha the captcha result was '. (int)$result); if ($result == FALSE) { watchdog('mollom', 'Incorrect CAPTCHA'); form_set_error('mollom][captcha', t('The CAPTCHA was not completed correctly. Please complete this new CAPTCHA and try again.')); } else { watchdog('mollom', 'Correct CAPTCHA'); $mollom_state['#passed_captcha'] = TRUE; } } else { form_set_error('mollom][captcha', t('The CAPTCHA field is required.')); } } /** * This function inserts a CAPTCHA into the form. It is called * during the construction of the form, just before the form * is rendered. */ function _mollom_insert_captcha(&$mollom_state, &$element) { _mollom_debug('_mollom_insert_captcha'); // Prepare the author's IP: $data['author_ip'] = ip_address(); if (!empty($mollom_state['#session_id'])) { $data['session_id'] = $mollom_state['#session_id']; } // Request a CAPTCHA -- we always default to an image CAPTCHA: $response = mollom('mollom.getImageCaptcha', $data); if (isset($response['session_id']) && isset($response['url'])) { _mollom_debug("_mollom_insert_captcha retrieved URL '". $response['url'] ."' and session ID '". $response['session_id'] ."'"); // Include the JavaScript allowing the user to switch to an // AUDIO captcha instead: drupal_add_js(drupal_get_path('module', 'mollom') .'/mollom.js'); drupal_add_css(drupal_get_path('module', 'mollom') .'/mollom.css'); // Add the CAPTCHA to the form: $element['captcha'] = array( '#type' => 'textfield', '#processed' => TRUE, '#title' => t('Word verification'), '#field_prefix' => ' ('. t('play audio CAPTCHA') .')', '#required' => TRUE, '#size' => 10, // The previously entered value is useless because the captcha is regenerated at each form rebuild. '#value' => '', '#description' => t("Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated."), ); // Store the session ID that Mollom returned so that it persists across page requests: $mollom_state['#session_id'] = $response['session_id']; } } /** * This function contacts Mollom to verify the configured key pair. */ function _mollom_verify_key() { $status = mollom('mollom.verifyKey'); if ($status === NETWORK_ERROR) { drupal_set_message(t('We tried to contact the Mollom servers but we encountered a network error. Please make sure that your web server can make outgoing HTTP requests.'), 'error'); } else if ($status === MOLLOM_ERROR) { drupal_set_message(t('We contacted the Mollom servers to verify your keys: your keys do not exist or are no longer valid. Please visit the Manage sites page on the Mollom website again: @mollom-user.', array('@mollom-user' => 'http://mollom.com/user')), 'error'); } else { drupal_set_message(t('We contacted the Mollom servers to verify your keys: the Mollom services are operating correctly. We are now blocking spam.')); } } /** * This function refreshes the list of servers that can be used to contact Mollom. */ function _mollom_retrieve_server_list() { // Start from a hard coded list of servers: $servers = array('http://xmlrpc1.mollom.com', 'http://xmlrpc2.mollom.com', 'http://xmlrpc3.mollom.com'); // Use the list of servers to retrieve a list of servers from mollom.com: foreach ($servers as $server) { $result = xmlrpc($server .'/'. MOLLOM_API_VERSION, 'mollom.getServerList', _mollom_authentication()); if (!xmlrpc_error()) { return $result; } else { watchdog('mollom', 'Error @errno: %server - %message - mollom.getServerList', array('@errno' => xmlrpc_errno(), '%server' => $server, '%message' => xmlrpc_error_msg()), WATCHDOG_ERROR); } } return array(); } /** * Call a remote procedure at the Mollom server. This function * automatically adds the information required to authenticate against * Mollom. * * TODO: currently this function's return value mixes actual values and * error values. We should rewrite the error handling so that calling * functions can properly handle error situations. */ function mollom($method, $data = array()) { // Initialize refresh variable: $refresh = FALSE; // Retrieve the list of Mollom servers from the database: $servers = variable_get('mollom_servers', NULL); if ($servers == NULL) { // Retrieve a new list of servers: $servers = _mollom_retrieve_server_list(); // Store the list of servers in the database: variable_set('mollom_servers', $servers); } if (is_array($servers)) { // Send the request to the first server; if that fails, try the other servers in the list: reset($servers); while ($server = current($servers)) { $result = xmlrpc($server .'/'. MOLLOM_API_VERSION, $method, $data + _mollom_authentication()); // Debug output: if (isset($data['session_id'])) { _mollom_debug("called $method at server $server with session ID '". $data['session_id'] ."'"); } else { _mollom_debug("called $method at server $server with no session ID"); } if ($result === FALSE && ($error = xmlrpc_error())) { if ($error->code == MOLLOM_REFRESH) { if (!$refresh) { // Safety pal to avoid endless loops. // Retrieve a list of valid Mollom servers from mollom.com: $servers = _mollom_retrieve_server_list(); // Reset the list of servers so we start from the first server in the list: reset($servers); // Store the updated list of servers in the database: variable_set('mollom_servers', $servers); // Log this for debuging purposes: watchdog('mollom', 'The list of available Mollom servers was refreshed: @servers.', array('@servers' => print_r($servers, TRUE))); // Mark that we have refreshed the list: $refresh = TRUE; } } elseif ($error->code == MOLLOM_REDIRECT) { // If this is a network error, we go to the next server in the list. $next = next($servers); // Do nothing, we automatically select the next server. watchdog('mollom', 'The Mollom server %server asked to use the next Mollom server in the list: %next.', array('%server' => $server, '%next' => $next)); } else { watchdog('mollom', 'Error @errno from %server: %message - %method -@data', array('@errno' => $error->code, '%server' => $server, '%message' => $error->message, '%method' => $method, '@data' => print_r($data, TRUE)), WATCHDOG_ERROR); // If it is a 'clean' Mollom error we return instantly. if ($error->code == MOLLOM_ERROR) { return MOLLOM_ERROR; } // If this is a network error, we go to the next server in the list. next($servers); } } else { return $result; } } } // If none of the servers worked, activate the fallback mechanism: _mollom_fallback(); // If everything failed, we reset the server list to force Mollom to request a new list: variable_del('mollom_servers'); // Report this error: watchdog('mollom', 'No Mollom servers could be reached or all servers returned an error -- the server list was emptied.', NULL, WATCHDOG_ERROR); return NETWORK_ERROR; } /** * This function generates an array with all information required to * authenticate against Mollom. To prevent forged requests where you are * impersonated, each request is signed with a hash based on a private * key and a timestamp. * * Both the client and the server share the secret key used to create * the authentication hash. They both hash a timestamp with the secret * key, and if the hashes match, the authenticity of the message is * validated. * * To avoid someone intercepting a (hash, timestamp)-pair and using it * to impersonate a client, Mollom reject any request where the timestamp * is more than 15 minutes off. * * Make sure your server's time is synchronized with the world clocks, * and that you don't share your private key with anyone else. */ function _mollom_authentication() { $public_key = variable_get('mollom_public_key', ''); $private_key = variable_get('mollom_private_key', ''); // Generate a timestamp according to the dateTime format (http://www.w3.org/TR/xmlschema-2/#dateTime): $time = gmdate("Y-m-d\TH:i:s.\\0\\0\\0O", time()); // Generate a random number: $nonce = md5(mt_rand()); // Calculate a HMAC-SHA1 according to RFC2104 (http://www.ietf.org/rfc/rfc2104.txt): $hash = base64_encode( pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x5c), 64))) . pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x36), 64))) . $time .':'. $nonce .':'. $private_key)))) ); // Store everything in an array. Elsewhere in the code, we'll add the // actual data before we pass it onto the XML-RPC library: $data['public_key'] = $public_key; $data['time'] = $time; $data['hash'] = $hash; $data['nonce'] = $nonce; return $data; } /** * This helper function is used by developers to debug the form API workflow in this module. * Uncomment the function body to activate. */ function _mollom_debug($message) { // print $message .'