Jan 27, 2009
collective.captcha provides a simple way to create and verify captcha images and sounds to protect your forms from spambots.

We use Plone for some community sites with blogs and news items with comments. Spambots attacked them, and we found ourselves writing spam-deleting scripts until we found collective.captcha.

collective.captcha provides a very simple browser view to generate captcha images (and also sound-captchas) and to verify user input. We are using it in Plone 2.5.x and also in 3.x (like in this blog) and it works great in both of them.

First of all, you need to include collective.captcha in your buildout, in both the eggs and zcml sections of your instance, and then run the buildout to install it.

Then you need to combine the generated captcha image with a form field for the user's input. We use a simple page template for that, called captcha_widget, with the following content:

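<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
      xmlns:tal="http://xml.zope.org/namespaces/tal"
      xmlns:metal="http://xml.zope.org/namespaces/metal"
      xmlns:i18n="http://xml.zope.org/namespaces/i18n">
<body>
<span metal:define-macro="captcha">
  <div class="field"
       tal:define="error errors/captcha|nothing;"
       tal:attributes="class python:test(error, 'field error', 'field')">
    <label for="captcha" i18n:translate="label_captcha">Captcha</label>
    <span class="fieldRequired" title="Required">(Required)</span>
    <div class="formHelp" i18n:translate="help_captcha">
      Provide the text in the image. Just to avoid spambots
    </div>
    <p tal:replace="structure here/@@captcha/image_tag" />
    <!-- name/id match the label above and the validator's REQUEST.get('captcha') -->
    <input type="text" name="captcha" id="captcha"
           value="" />
  </div>
</span>
</body>
</html>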



The relevant part in this page template is the line in which the captcha image is rendered:

<p tal:replace="structure here/@@captcha/image_tag" />

The first part is done. Now we just have to check that the user input matches the string shown in the captcha. We mainly use collective.captcha together with qPloneComments, and we use CMFFormController-based forms, so we need to create the .cpt with the form, in which we include the captcha with the following line:

<metal:captcha use-macro="here/captcha_widget/macros/captcha" />

After that, you have to write the validator script and tie it to the form through the form's .metadata file. The script we use is this:

from Products.CMFPlone import PloneMessageFactory as _

# Default to '' so verify() always receives a string
captcha = context.REQUEST.get('captcha', '')

# Look up the collective.captcha browser view
view = context.restrictedTraverse('@@captcha')

if not view.verify(captcha):
    state.setError('captcha', _(u'Are you a bot? Try again...'))

return state

With this, you will have your form protected from spambots.
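
The validator's three outcomes (field missing, wrong text, correct text) can be checked outside Zope. This is an added example, not code from the original post or from collective.captcha: FakeCaptchaView, FakeContext, FakeState, validate_captcha and run are hypothetical stand-ins, and the case-insensitive verify() is an assumption.

```python
# Added example: the validator logic as a plain function, exercised against
# hypothetical stand-ins for the Zope objects (none of this is Plone code).

class FakeCaptchaView(object):
    """Stand-in for the @@captcha view; only verify() is modelled."""
    def __init__(self, expected):
        self.expected = expected

    def verify(self, text):
        # Assumption: case-insensitive comparison that requires a string.
        return text.upper() == self.expected.upper()


class FakeContext(object):
    """Stand-in for the 'context' binding of a Script (Python)."""
    def __init__(self, form, view):
        self.REQUEST = form      # a dict is enough for .get()
        self._view = view

    def restrictedTraverse(self, path):
        assert path == '@@captcha'
        return self._view


class FakeState(object):
    """Stand-in for the CMFFormController state object."""
    def __init__(self):
        self.errors = {}

    def setError(self, field, message):
        self.errors[field] = message


def validate_captcha(context, state):
    # A POST that omits the field must fail validation, not raise.
    captcha = context.REQUEST.get('captcha', '').strip()
    view = context.restrictedTraverse('@@captcha')
    if not captcha or not view.verify(captcha):
        state.setError('captcha', u'Are you a bot? Try again...')
    return state


def run(form):
    """Validate a constructed form dict against the constructed word 'w4xk9'."""
    ctx = FakeContext(form, FakeCaptchaView('w4xk9'))
    return validate_captcha(ctx, FakeState()).errors
```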

But collective.captcha has some sort of bug (or at least it has one with our configuration): Zope can't start unless you override the captcha view in your product. We reported the error on plone-users but got no response, so I just reproduce it here.

To get collective.captcha working correctly and Zope to start, you have to add an overrides.zcml file to your product and add the following ZCML snippet in it:


So now you know how to protect your hand-made Plone forms with collective.captcha.

Jean Jordaan
May 31, 2014 01:03 PM
The security issue is addressed by this pull request: https://github.com/mjpieters/collective.captcha/pull/3
Mikel Larreategi
Jun 03, 2014 09:39 AM
Thank you for your comment!!

Indeed this is an old approach we were using on old Plone 2.5 and Plone 3.x sites. Nowadays we use plone.app.discussion and collective.z3cform.norobots for question/answer based captchas.