Allow unauthed users to attempt challenges if visibility is public but get redirected (Closes #797) (#798)

2018-12-10 22:58:23 -05:00 · 2018-12-10 22:58:23 -05:00 · 087443467f
parent f3a97f7344
commit 087443467f
2 changed files with 10 additions and 9 deletions
--- a/CTFd/api/v1/challenges.py
+++ b/CTFd/api/v1/challenges.py
@ -266,8 +266,15 @@ class Challenge(Resource):
 class ChallengeAttempt(Resource):
    @during_ctf_time_only
    @require_verified_emails
-    @authed_only
    def post(self):
+        if authed() is False:
+            return {
+                'success': True,
+                'data': {
+                    'status': "authentication_required",
+                }
+            }, 403
+
        if request.content_type != 'application/json':
            request_data = request.form
        else:
--- a/tests/users/test_challenges.py
+++ b/tests/users/test_challenges.py
@ -317,13 +317,6 @@ def test_that_view_challenges_unregistered_works():
        r = client.get('/api/v1/challenges')
        assert r.get_json()['data']

-        # r = client.get('/chals/solves')
-        # data = r.get_data(as_text=True)
-        # assert json.loads(data) == json.loads('''{
-        #       "1": 0
-        #     }
-        #     ''')
-
        r = client.get('/api/v1/challenges/1/solves')
        assert r.get_json().get('data') is not None

@ -333,7 +326,8 @@ def test_that_view_challenges_unregistered_works():
        }
        r = client.post('/api/v1/challenges/attempt'.format(chal_id), json=data)
        assert r.status_code == 403
-        resp = r.get_json().get('data') is None
+        assert r.get_json().get('data').get('status') == "authentication_required"
+        assert r.get_json().get('data').get('message') is None
    destroy_ctfd(app)