Pluggable comment confirmation strategies
CAPTCHAs are coming to Pebble (at last!)
It started with Glen's maths captcha and now captchas are coming to Pebble in the form of pluggable comment confirmation strategies. This is a new type of Pebble plugin that can be used to better assert that somebody leaving a comment is human, as opposed to an automated comment spam agent. It does this by providing a pluggable strategy for asking readers to confirm their comments by means of clicking a button or through some other kind of CAPTCHA. The following comment confirmation strategies will be included with the Pebble 2.0.0 (and M3) distribution.
net.sourceforge.pebble.comment.DefaultCommentConfirmationStrategy
Asks the reader to confirm their comment by clicking a button. This is the simplest strategy but also one that comment spammers can easily work around.
net.sourceforge.pebble.comment.SimpleMathsCommentConfirmationStrategy
Asks the reader to confirm their comment by answering a simple maths question based on the addition, subtraction or multiplication of two numbers.
net.sourceforge.pebble.comment.ImageCaptchaCommentConfirmationStrategy
Asks the reader to confirm their comment by entering the text they see in a distorted image.
net.sourceforge.pebble.comment.NoOpCommentConfirmationStrategy
A strategy that doesn't require comments to be confirmed. This is useful if you want to leave comment spam detection to the set of configured comment listeners and/or don't want to ask readers to confirm their comments.
The interesting part about the implementation is how confirming a comment fits into the overall process of leaving a comment. I'm not a big fan of seeing captchas on sites because it's usually another field that I have to fill out. In Pebble, you'll only be asked to confirm your comment if your comment is thought to be spam. Here's how this works.
1. The reader clicks a link to add (or reply to an existing) comment and fills in the comment form as usual.
2. On submission, Pebble looks at the comment to determine whether comment confirmation is required, based upon the following rules.
   1. If the user is logged in and is a blog owner/contributor for the blog, they are implicitly trusted and confirmation is not required.
   2. Pebble then performs the processing associated with a subset of the default comment listeners (IpAddressListener, LinkSpamListener, ContentSpamListener and SpamScoreListener) to determine whether the comment is spam. If, after running these listeners, the comment is marked as pending or rejected, comment confirmation is required. If the comment is still marked as approved, comment confirmation is not required.
3. If Pebble determines that confirmation is required, the reader will be redirected to a page where they will be asked to confirm their comment, using the strategy configured for the blog.
4. Only successful confirmation will result in the comment being accepted and stored.
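The submission check and a pluggable strategy, sketched as an added example that is not Pebble's own code: every class, method and session key below is hypothetical, and the link-counting listener is a constructed stand-in for the real spam listeners. It assumes the expected answer is kept in server-side session state and that each challenge can be answered once; only addition is shown.

```java
import java.util.*;
import java.util.function.Consumer;

// Added illustration: all names are hypothetical, not Pebble's API.
public class ConfirmationFlowExample {
    enum State { APPROVED, PENDING, REJECTED }

    static class Comment {
        final String body;
        State state = State.APPROVED;
        Comment(String body) { this.body = body; }
    }

    // Pluggable strategy: issue a challenge, then check the reader's answer.
    interface ConfirmationStrategy {
        String challenge(Map<String, Object> session);
        boolean isConfirmed(Map<String, Object> session, String answer);
    }

    // Simple maths strategy; the expected answer never leaves the server-side session.
    static class SimpleMaths implements ConfirmationStrategy {
        private final Random rnd = new java.security.SecureRandom();
        public String challenge(Map<String, Object> session) {
            int a = rnd.nextInt(9) + 1, b = rnd.nextInt(9) + 1;
            session.put("expected", a + b);
            return a + " + " + b + " = ?";
        }
        public boolean isConfirmed(Map<String, Object> session, String answer) {
            Object expected = session.remove("expected"); // one attempt per challenge
            return expected != null && answer != null && expected.toString().equals(answer.trim());
        }
    }

    // Trusted users skip confirmation; otherwise the spam listeners decide.
    static boolean confirmationRequired(boolean ownerOrContributor, Comment c,
                                        List<Consumer<Comment>> listeners) {
        if (ownerOrContributor) return false;
        listeners.forEach(l -> l.accept(c));
        return c.state != State.APPROVED; // pending or rejected => ask the reader
    }

    public static void main(String[] args) {
        // Constructed stand-in for a link spam listener: more than two links => pending.
        Consumer<Comment> links = c -> {
            if (c.body.split("http://", -1).length - 1 > 2) c.state = State.PENDING;
        };
        List<Consumer<Comment>> listeners = List.of(links);
        Comment spammy = new Comment("http://a http://b http://c buy now"); // constructed input
        System.out.println(confirmationRequired(false, new Comment("Nice post!"), listeners));
        System.out.println(confirmationRequired(false, spammy, listeners));
        Map<String, Object> session = new HashMap<>();
        ConfirmationStrategy strategy = new SimpleMaths();
        System.out.println(strategy.challenge(session));
        System.out.println(strategy.isConfirmed(session, "not a number"));
    }
}
```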
Of course, this is all configurable (e.g. you can override step 2.2 and force confirmation to happen) and can be overridden through bespoke implementations. A lot of people have asked for various types of captchas to be supported and I think this implementation provides the flexibility to do this while not unnecessarily annoying regular readers. The M3 release *will* be going up on sf.net this week, so let me know what you think.
Re: Pluggable comment confirmation strategies
First of all, I should admit this java-weblog really roxx!
I've got a problem with the 2.0.0RC2. I tried to change the comment confirmation strategy from default to
net.sourceforge.pebble.comment.NoOpCommentConfirmationStrategy
and even tried
net.sourceforge.pebble.confirmation.NoOpCommentConfirmationStrategy
but I got the following message:
"Could not load comment confirmation strategy"
and the configuration is back to default.
Any idea?
Best regards
Simon is a hands-on software architect and a senior consultant at 

