CTFd/tests/users/test_users.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from CTFd.models import Users
from tests.helpers import (
    create_ctfd,
    destroy_ctfd,
    gen_award,
    login_as_user,
    register_user,
)


def test_accessing_hidden_users():
    """Hidden users should not give any data from /users or /api/v1/users"""
    app = create_ctfd()
    with app.app_context():
        register_user(app, name="visible_user", email="visible_user@ctfd.io")  # ID 2
        register_user(app, name="hidden_user", email="hidden_user@ctfd.io")  # ID 3
        register_user(app, name="banned_user", email="banned_user@ctfd.io")  # ID 4
        user = Users.query.filter_by(name="hidden_user").first()
        user.hidden = True
        app.db.session.commit()
        user = Users.query.filter_by(name="banned_user").first()
        user.banned = True
        app.db.session.commit()

        with login_as_user(app, name="visible_user") as client:
            assert client.get("/users/3").status_code == 404
            assert client.get("/api/v1/users/3").status_code == 404
            assert client.get("/api/v1/users/3/solves").status_code == 404
            assert client.get("/api/v1/users/3/fails").status_code == 404
            assert client.get("/api/v1/users/3/awards").status_code == 404

            assert client.get("/users/4").status_code == 404
            assert client.get("/api/v1/users/4").status_code == 404
            assert client.get("/api/v1/users/4/solves").status_code == 404
            assert client.get("/api/v1/users/4/fails").status_code == 404
            assert client.get("/api/v1/users/4/awards").status_code == 404
    destroy_ctfd(app)


def test_hidden_user_visibility():
    """Hidden users should not show up on /users or /api/v1/users or /api/v1/scoreboard"""
    app = create_ctfd()
    with app.app_context():
        register_user(app, name="hidden_user")

        with login_as_user(app, name="hidden_user") as client:
            user = Users.query.filter_by(id=2).first()
            user_name = user.name
            user.hidden = True
            app.db.session.commit()

            r = client.get("/users")
            response = r.get_data(as_text=True)
            assert user_name not in response

            r = client.get("/api/v1/users")
            response = r.get_json()
            assert user_name not in response

            gen_award(app.db, user.id)

            r = client.get("/scoreboard")
            response = r.get_data(as_text=True)
            assert user_name not in response

            r = client.get("/api/v1/scoreboard")
            response = r.get_json()
            assert user_name not in response

            # User should re-appear after disabling hiding
            # Use an API call to cause a cache clear
            with login_as_user(app, name="admin") as admin:
                r = admin.patch("/api/v1/users/2", json={"hidden": False})
                assert r.status_code == 200

            r = client.get("/users")
            response = r.get_data(as_text=True)
            assert user_name in response

            r = client.get("/api/v1/users")
            response = r.get_data(as_text=True)
            assert user_name in response

            r = client.get("/api/v1/scoreboard")
            response = r.get_data(as_text=True)
            assert user_name in response
    destroy_ctfd(app)
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

2.1.0 (#957) https://github.com/CTFd/CTFd/milestone/6 2019-04-17 05:36:30 +00:00			`from CTFd.models import Users`
			`from tests.helpers import (`
			`create_ctfd,`
			`destroy_ctfd,`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`gen_award,`
2.3.0 (#1248) 2.3.0 / 2020-02-17 ================== General * During setup, admins can register their email address with the CTFd LLC newsletter for news and updates * Fix editting hints from the admin panel * Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature. * The `views.custom_css` route has been removed. * Admins can now customize the content of outgoing emails and inject certain variables into email content. * The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`) Themes * Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme. Plugins * Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq` Miscellaneous * Python imports sorted with `isort` and import order enforced * Black formatter running on a majority of Python code 2020-02-17 07:17:25 +00:00			`login_as_user,`
			`register_user,`
2.1.0 (#957) https://github.com/CTFd/CTFd/milestone/6 2019-04-17 05:36:30 +00:00			`)`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00

Properly hide users/teams if they are set to banned/hidden (#932) * Properly hide users/teams if they are set to hidden/banned * This should be in the API and in the main user panel. This should not affect admins. * Update tests to reflect this behavior. 2019-04-05 02:44:18 +00:00			`def test_accessing_hidden_users():`
			`"""Hidden users should not give any data from /users or /api/v1/users"""`
			`app = create_ctfd()`
			`with app.app_context():`
			`register_user(app, name="visible_user", email="visible_user@ctfd.io") # ID 2`
			`register_user(app, name="hidden_user", email="hidden_user@ctfd.io") # ID 3`
			`register_user(app, name="banned_user", email="banned_user@ctfd.io") # ID 4`
			`user = Users.query.filter_by(name="hidden_user").first()`
			`user.hidden = True`
			`app.db.session.commit()`
			`user = Users.query.filter_by(name="banned_user").first()`
			`user.banned = True`
			`app.db.session.commit()`

			`with login_as_user(app, name="visible_user") as client:`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`assert client.get("/users/3").status_code == 404`
			`assert client.get("/api/v1/users/3").status_code == 404`
			`assert client.get("/api/v1/users/3/solves").status_code == 404`
			`assert client.get("/api/v1/users/3/fails").status_code == 404`
			`assert client.get("/api/v1/users/3/awards").status_code == 404`

			`assert client.get("/users/4").status_code == 404`
			`assert client.get("/api/v1/users/4").status_code == 404`
			`assert client.get("/api/v1/users/4/solves").status_code == 404`
			`assert client.get("/api/v1/users/4/fails").status_code == 404`
			`assert client.get("/api/v1/users/4/awards").status_code == 404`
Properly hide users/teams if they are set to banned/hidden (#932) * Properly hide users/teams if they are set to hidden/banned * This should be in the API and in the main user panel. This should not affect admins. * Update tests to reflect this behavior. 2019-04-05 02:44:18 +00:00			`destroy_ctfd(app)`


Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`def test_hidden_user_visibility():`
			`"""Hidden users should not show up on /users or /api/v1/users or /api/v1/scoreboard"""`
			`app = create_ctfd()`
			`with app.app_context():`
			`register_user(app, name="hidden_user")`

			`with login_as_user(app, name="hidden_user") as client:`
			`user = Users.query.filter_by(id=2).first()`
			`user_name = user.name`
			`user.hidden = True`
			`app.db.session.commit()`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/users")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_data(as_text=True)`
			`assert user_name not in response`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/api/v1/users")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_json()`
			`assert user_name not in response`

			`gen_award(app.db, user.id)`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/scoreboard")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_data(as_text=True)`
			`assert user_name not in response`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/api/v1/scoreboard")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_json()`
			`assert user_name not in response`

			`# User should re-appear after disabling hiding`
			`# Use an API call to cause a cache clear`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`with login_as_user(app, name="admin") as admin:`
			`r = admin.patch("/api/v1/users/2", json={"hidden": False})`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`assert r.status_code == 200`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/users")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_data(as_text=True)`
			`assert user_name in response`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/api/v1/users")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_data(as_text=True)`
			`assert user_name in response`

Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`r = client.get("/api/v1/scoreboard")`
Fix for hidden teams being visible on the team listing page and score… (#880) * Fix for hidden teams being visible on the team listing page and scoreboard endpoints 2019-02-10 06:55:27 +00:00			`response = r.get_data(as_text=True)`
			`assert user_name in response`
			`destroy_ctfd(app)`