From 0dc42605ac8c017255009af55e69b0ecbac374a7 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Wed, 29 Apr 2020 22:24:52 -0400
Subject: [PATCH] Handle other cases for attrs invalidation

---
 CTFd/api/v1/teams.py | 14 ++++++++++----
 CTFd/auth.py | 5 +++++
 CTFd/cache/__init__.py | 6 ++++++
 CTFd/teams.py | 10 +++++++++-
 CTFd/utils/initialization/__init__.py | 5 +++--
 CTFd/utils/user/__init__.py | 2 +-
 6 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/CTFd/api/v1/teams.py b/CTFd/api/v1/teams.py
index 070cbc3..d387f81 100644
--- a/CTFd/api/v1/teams.py
+++ b/CTFd/api/v1/teams.py
@@ -3,7 +3,7 @@ import copy
 from flask import abort, request, session
 from flask_restx import Namespace, Resource
-from CTFd.cache import clear_standings
+from CTFd.cache import clear_standings, clear_team_session, clear_user_session
 from CTFd.models import Awards, Submissions, Teams, Unlocks, Users, db
 from CTFd.schemas.awards import AwardSchema
 from CTFd.schemas.submissions import SubmissionSchema
@@ -91,25 +91,31 @@ class TeamPublic(Resource):
 response = schema.dump(response.data)
 db.session.commit()
- db.session.close()
+ clear_team_session(team_id=team.id)
 clear_standings()
+ db.session.close()
+
 return {"success": True, "data": response.data}
 @admins_only
 def delete(self, team_id):
 team = Teams.query.filter_by(id=team_id).first_or_404()
+ team_id = team.id
 for member in team.members:
 member.team_id = None
+ clear_user_session(user_id=member.id)
 db.session.delete(team)
 db.session.commit()
- db.session.close()
+ clear_team_session(team_id=team_id)
 clear_standings()
+ db.session.close()
+
 return {"success": True}
@@ -150,7 +156,7 @@ class TeamPrivate(Resource):
 return {"success": False, "errors": response.errors}, 400
 db.session.commit()
-
+ clear_team_session(team_id=team.id)
 response = TeamSchema("self").dump(response.data)
 db.session.close()
diff --git a/CTFd/auth.py b/CTFd/auth.py
index 93ca3bb..4e77813 100644
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
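Review bot: In `delete` of the `@@ -91,25 +91,31 @@` hunk, `clear_user_session(user_id=member.id)` runs inside the `for member in team.members` loop before `db.session.commit()`, so the memoized user attrs are dropped while the database still holds the old `team_id`; a request served in that window re-caches the stale membership and the invalidation is lost. Collect the ids first, `member_ids = [m.id for m in team.members]`, and call `clear_user_session(user_id=uid)` for each of them after the commit, next to the existing `clear_team_session(team_id=team_id)`. The `team_id = team.id` rebinding is redundant, since the row was selected with `filter_by(id=team_id)` and the parameter already holds that value; if it is meant to outlive the object's expiry after commit, a one-line comment saying so would help. The `patch` methods in this file and in the `TeamPrivate` hunk already clear after the commit, so only `delete` needs the move.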
@@ -9,6 +9,7 @@ from itsdangerous.exc import BadSignature, BadTimeSignature, SignatureExpired
 from CTFd.models import Teams, Users, db
 from CTFd.utils import config, email, get_app_config, get_config
 from CTFd.utils import user as current_user
+from CTFd.cache import clear_user_session, clear_team_session
 from CTFd.utils import validators
 from CTFd.utils.config import is_teams_mode
 from CTFd.utils.config.integrations import mlc_registration
@@ -57,6 +58,7 @@ def confirm(data=None):
 name=user.name,
 )
 db.session.commit()
+ clear_user_session(user_id=user.id)
 email.successful_registration_notification(user.email)
 db.session.close()
 if current_user.authed():
@@ -126,6 +128,7 @@ def reset_password(data=None):
 user.password = password
 db.session.commit()
+ clear_user_session(user_id=user.id)
 log(
 "logins",
 format="[{date}] {ip} - successful password reset for {name}",
@@ -411,6 +414,7 @@ def oauth_redirect():
 team = Teams(name=team_name, oauth_id=team_id, captain_id=user.id)
 db.session.add(team)
 db.session.commit()
+ clear_team_session(team_id=team.id)
 team_size_limit = get_config("team_size", default=0)
 if team_size_limit and len(team.members) >= team_size_limit:
@@ -428,6 +432,7 @@ def oauth_redirect():
 user.oauth_id = user_id
 user.verified = True
 db.session.commit()
+ clear_user_session(user_id=user.id)
 login_user(user)
diff --git a/CTFd/cache/__init__.py b/CTFd/cache/__init__.py
index fcb8b61..9181a9a 100644
--- a/CTFd/cache/__init__.py
+++ b/CTFd/cache/__init__.py
@@ -50,3 +50,9 @@ def clear_user_session(user_id):
 from CTFd.utils.user import get_user_attrs
 cache.delete_memoized(get_user_attrs, user_id=user_id)
+
+ def clear_team_session(team_id):
+ from CTFd.utils.user import get_team_attrs
+
+ cache.delete_memoized(get_team_attrs, team_id=team_id)
diff --git a/CTFd/teams.py b/CTFd/teams.py
index c26e41a..5030e54 100644
--- a/CTFd/teams.py
+++ b/CTFd/teams.py
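Review bot: The new `from CTFd.cache import clear_user_session, clear_team_session` line in the auth.py import hunk is wedged between two `from CTFd.utils ...` lines, breaking the sorted order the surrounding imports keep (`CTFd.models`, then `CTFd.utils`); move it above `from CTFd.models import Teams, Users, db` and sort the names, `from CTFd.cache import clear_team_session, clear_user_session`, as the api/v1/teams.py hunk already does. Placing each `clear_user_session` / `clear_team_session` call directly after `db.session.commit()` and before `db.session.close()` in `confirm`, `reset_password` and `oauth_redirect` is the right order, since the ids are read while the session is still open. In `reset_password` the call only drops the memoized attrs; whether login sessions already issued for that user survive the password change is not visible in this hunk and is worth confirming separately. All four functions start and end outside their hunks.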
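Review bot: `clear_team_session` in the cache/__init__.py hunk has no docstring, and the deferred `from CTFd.utils.user import get_team_attrs` inside the body is unexplained, so a reader cannot tell whether the local import is load-bearing or accidental. A docstring such as `"""Drop the memoized get_team_attrs entry for team_id so the next request reloads the team row."""` states the contract, and a comment like `# local import: CTFd.utils.user imports this module` (if a circular import is in fact the reason — confirm) records why it is not at file top. The same applies to the sibling `clear_user_session` just above it, whose body starts outside the hunk.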
@@ -1,5 +1,6 @@ from flask import Blueprint, redirect, render_template, request, url_for
+from CTFd.cache import clear_user_session, clear_team_session
 from CTFd.models import Teams, db
 from CTFd.utils import config, get_config
 from CTFd.utils.crypto import verify_password
@@ -63,7 +64,6 @@ def join():
 passphrase = request.form.get("password", "").strip()
 team = Teams.query.filter_by(name=teamname).first()
- user = get_current_user()
 if team and verify_password(passphrase, team.password):
 team_size_limit = get_config("team_size", default=0)
@@ -77,6 +77,7 @@ def join():
 "teams/join_team.html", infos=infos, errors=errors
 )
+ user = get_current_user()
 user.team_id = team.id
 db.session.commit()
@@ -84,6 +85,9 @@ def join():
 team.captain_id = user.id
 db.session.commit()
+ clear_user_session(user_id=user.id)
+ clear_team_session(team_id=team.id)
+
 return redirect(url_for("challenges.listing"))
 else:
 errors.append("That information is incorrect")
@@ -130,6 +134,10 @@ def new():
 user.team_id = team.id
 db.session.commit()
+
+ clear_user_session(user_id=user.id)
+ clear_team_session(team_id=team.id)
+
 return redirect(url_for("challenges.listing"))
diff --git a/CTFd/utils/initialization/__init__.py b/CTFd/utils/initialization/__init__.py
index 85c7694..eca2fb8 100644
--- a/CTFd/utils/initialization/__init__.py
+++ b/CTFd/utils/initialization/__init__.py
@@ -40,8 +40,6 @@ from CTFd.utils.security.auth import login_user, logout_user, lookup_user_token
 from CTFd.utils.security.csrf import generate_nonce
 from CTFd.utils.user import (
 authed,
- get_current_team,
- get_current_user,
 get_current_user_attrs,
 get_current_team_attrs,
 get_ip,
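Review bot: The `clear_user_session(user_id=user.id)` / `clear_team_session(team_id=team.id)` pair is written out by hand in `join()`, again in `new()`, and once more in the api/v1/teams.py hunks, so a future membership change (leave, kick, captain transfer) can easily invalidate one side and forget the other. A small helper in CTFd.cache, e.g. `def clear_membership(user_id, team_id):` followed by `clear_user_session(user_id=user_id)` and `clear_team_session(team_id=team_id)`, called once after the final `db.session.commit()`, keeps the two invalidations together. In `join()` the relocated `user = get_current_user()` now sits after the team-size check, which also keeps the lookup off the failure path; a short comment such as `# resolve the user only once the join is accepted` would record that the move is deliberate. Both `join()` and `new()` extend beyond their hunks.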
@@ -84,6 +82,9 @@ def init_template_globals(app):
 app.jinja_env.globals.update(integrations=integrations)
 app.jinja_env.globals.update(authed=authed)
 app.jinja_env.globals.update(is_admin=is_admin)
+ app.jinja_env.globals.update(get_current_user_attrs=get_current_user_attrs)
+ app.jinja_env.globals.update(get_current_team_attrs=get_current_team_attrs)
+ app.jinja_env.globals.update(get_ip=get_ip)
 def init_logs(app):
diff --git a/CTFd/utils/user/__init__.py b/CTFd/utils/user/__init__.py
index 68c2989..c221d44 100644
--- a/CTFd/utils/user/__init__.py
+++ b/CTFd/utils/user/__init__.py
@@ -59,7 +59,7 @@ def get_team_attrs(team_id):
 if team:
 d = {}
 for field in TeamAttrs._fields:
- d[field] = getattr(user, field)
+ d[field] = getattr(team, field)
 return TeamAttrs(**d)
 return None
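Review bot: The `init_template_globals` hunk registers `get_current_user_attrs` and `get_current_team_attrs` as Jinja globals while the import hunk in the same file drops `get_current_team` and `get_current_user`; if those two were previously exposed to templates (not visible here), every template still calling them needs updating, because a missing global renders as undefined rather than failing loudly unless a strict undefined class is configured — confirm which applies. Templates now read the memoized attrs and will show whatever is cached until one of the new `clear_*_session` calls runs, so a comment on the first added line, e.g. `# attrs are memoized per id; mutations must call CTFd.cache.clear_user_session / clear_team_session`, tells the next person who adds a user or team mutation what they owe. `init_template_globals` starts outside the hunk.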
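Review bot: The `getattr(user, field)` → `getattr(team, field)` correction in `get_team_attrs` is the kind of copy-paste slip (the wrong object, or an undefined name) that a regression test catches cheaply, and none is added in this commit; a test that creates a team and asserts `get_team_attrs(team_id=team.id).name == team.name`, plus `get_team_attrs(team_id=<an id that does not exist>) is None`, would pin both branches. Style-wise the `d = {}` / `for field in TeamAttrs._fields` loop reduces to `return TeamAttrs(**{f: getattr(team, f) for f in TeamAttrs._fields})`, which should mirror whatever `get_user_attrs` does (outside this hunk). `get_team_attrs` starts outside the hunk.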