This is the matter I brought up in "Attack from Russia".
The reCAPTCHA check lives in login/signup_form.php, in function definition():

    // Add the reCAPTCHA element to the signup form only when it is enabled.
    if (signup_captcha_enabled()) {
        $mform->addElement('recaptcha', 'recaptcha_element', get_string('recaptcha', 'auth'), array('https' => $CFG->loginhttps));
        $mform->setHelpButton('recaptcha_element', array('recaptcha', get_string('recaptcha', 'auth')));
    }

and in function validation():

    if (signup_captcha_enabled()) {
        $recaptcha_element = $this->_form->getElement('recaptcha_element');
        if (!empty($this->_form->_submitValues['recaptcha_challenge_field'])) {
            $challenge_field = $this->_form->_submitValues['recaptcha_challenge_field'];
            $response_field = $this->_form->_submitValues['recaptcha_response_field'];
            // verify() returns true on success; anything else is stored as the error.
            if (true !== ($result = $recaptcha_element->verify($challenge_field, $response_field))) {
                $errors['recaptcha'] = $result;
            }
        } else {
            // No challenge field was submitted: treat it as a failure.
            $errors['recaptcha'] = get_string('missingrecaptchachallengefield');
        }
    }

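I haven't verified this, but if the verification check shown in red returns true, processing finishes without putting any value into $errors['recaptcha']. In other words, if signup_captcha_enabled() is true and $errors['recaptcha'] is empty, the user has presumably passed the check. It looks like a home-made reCAPTCHA look-alike could be introduced by swapping this part out wholesale.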
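As an added example (not Moodle code and not from the original post), here is a stand-alone PHP 7+ sketch of the contract a replacement element would have to keep: verify() returns true on success or an error string otherwise, and a missing challenge field fails closed. The class PseudoCaptchaElement, the function validate_captcha(), the arithmetic question and the HMAC token format are all assumptions made for illustration; the arithmetic question is only a placeholder challenge.

```php
<?php
// Added example, not Moodle code: PseudoCaptchaElement and validate_captcha()
// are hypothetical; only the verify() contract mirrors the snippet above.
class PseudoCaptchaElement
{
    private $key;
    public function __construct($key) { $this->key = $key; }

    // Returns [question, challenge]; challenge is "expiry:HMAC(expiry|answer)".
    public function issue($ttl = 300)
    {
        $a = random_int(1, 9);
        $b = random_int(1, 9);
        $expiry = time() + $ttl;
        $mac = hash_hmac('sha256', "$expiry|" . ($a + $b), $this->key);
        return array("$a + $b = ?", "$expiry:$mac");
    }

    // Same contract as above: true on success, an error string otherwise.
    public function verify($challenge, $response)
    {
        $parts = explode(':', (string)$challenge, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return 'malformed challenge';
        }
        if ((int)$parts[0] < time()) {
            return 'challenge expired';
        }
        $expected = hash_hmac('sha256', $parts[0] . '|' . trim((string)$response), $this->key);
        return hash_equals($expected, $parts[1]) ? true : 'incorrect answer';
    }
}

// Mirrors validation(): an empty array means the check passed.
function validate_captcha($element, array $in)
{
    $errors = array();
    if (!empty($in['recaptcha_challenge_field'])) {
        $result = $element->verify($in['recaptcha_challenge_field'], $in['recaptcha_response_field'] ?? '');
        if (true !== $result) {
            $errors['recaptcha'] = $result;
        }
    } else {
        $errors['recaptcha'] = 'missing challenge field'; // fail closed
    }
    return $errors;
}

// Constructed sample submission with a deliberately wrong answer.
$el = new PseudoCaptchaElement('constructed-demo-key');
list($question, $challenge) = $el->issue();
var_dump(validate_captcha($el, array('recaptcha_challenge_field' => $challenge, 'recaptcha_response_field' => 'x')));
```

Because the token is stateless, a solved challenge can be replayed until it expires; a real replacement would also need to record used challenges server-side.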