From ac6e5b8c4ff849bf292e381b4b794dd70f410e1b Mon Sep 17 00:00:00 2001
From: CodeKevin
Date: Fri, 8 Jan 2016 21:28:45 -0500
Subject: [PATCH] Replacing hardcoded redirects with url_for()
---
CTFd/admin.py | 20 ++++++++++----------
CTFd/auth.py | 19 +++++++++++++------
CTFd/challenges.py | 8 ++++----
CTFd/utils.py | 4 ++--
CTFd/views.py | 6 +++---
5 files changed, 32 insertions(+), 25 deletions(-)
diff --git a/CTFd/admin.py b/CTFd/admin.py
index ca3b08a..3f65511 100644
--- a/CTFd/admin.py
+++ b/CTFd/admin.py
@@ -34,10 +34,10 @@ def admin_view():
 session['admin'] = True
 session['nonce'] = sha512(os.urandom(10))
 db.session.close()
- return redirect('/admin/graphs')
+ return redirect(url_for('admin.admin_graphs'))
 if is_admin():
- return redirect('/admin/graphs')
+ return redirect(url_for('admin.admin_graphs'))
 return render_template('admin/login.html')
@@ -90,7 +90,7 @@ def admin_config():
 db.session.add(db_end)
 db.session.commit()
- return redirect('/admin/config')
+ return redirect(url_for('admin.admin_config'))
 ctf_name = get_config('ctf_name')
 if not ctf_name:
@@ -173,11 +173,11 @@ def admin_pages(route):
 page.route = route
 page.html = html
 db.session.commit()
- return redirect('/admin/pages')
+ return redirect(url_for('admin.admin_pages'))
 page = Pages(route, html)
 db.session.add(page)
 db.session.commit()
- return redirect('/admin/pages')
+ return redirect(url_for('admin.admin_pages'))
 pages = Pages.query.all()
 return render_template('admin/pages.html', routes=pages, css=get_config('css'))
@@ -305,7 +305,7 @@ def admin_files(chalid):
 db.session.commit()
 db.session.close()
- return redirect('/admin/chals')
+ return redirect(url_for('admin.admin_chals'))
 @admin.route('/admin/teams', defaults={'page':'1'})
@@ -395,7 +395,7 @@ def ban(teamid):
 user = Teams.query.filter_by(id=teamid).first()
 user.banned = 1
 db.session.commit()
- return redirect('/admin/scoreboard')
+ return redirect(url_for('admin.admin_scoreboard'))
 @admin.route('/admin/team//unban', methods=['POST'])
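Review bot: No hunk in this patch touches an import line, yet every rewritten `return` in admin.py (this hunk and the six below it), auth.py, challenges.py, utils.py and views.py now calls `url_for`, and the auth.py login hunk additionally calls `is_safe_url`; unless each module already imports those names, the failure mode is a NameError that only surfaces when the redirect branch is actually taken, which a test that stops at render_template will not catch. Worth confirming `url_for` is in each file's `from flask import ...` and that `is_safe_url` is importable in auth.py before merging. admin_view continues outside the hunk.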
@@ -404,7 +404,7 @@ def unban(teamid):
 user = Teams.query.filter_by(id=teamid).first()
 user.banned = None
 db.session.commit()
- return redirect('/admin/scoreboard')
+ return redirect(url_for('admin.admin_scoreboard'))
 @admin.route('/admin/team//delete', methods=['POST'])
@@ -591,7 +591,7 @@ def admin_create_chal():
 db.session.commit()
 db.session.close()
- return redirect('/admin/chals')
+ return redirect(url_for('admin.admin_chals'))
 @admin.route('/admin/chal/delete', methods=['POST'])
@@ -625,4 +625,4 @@ def admin_update_chal():
 db.session.add(challenge)
 db.session.commit()
 db.session.close()
- return redirect('/admin/chals')
+ return redirect(url_for('admin.admin_chals'))
diff --git a/CTFd/auth.py b/CTFd/auth.py
index f09afb0..457c181 100644
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -29,7 +29,7 @@ def reset_password(data=None):
 team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
 db.session.commit()
 db.session.close()
- return redirect('/login')
+ return redirect(url_for('auth.login'))
 if request.method == 'POST':
 email = request.form['email'].strip()
@@ -54,7 +54,7 @@ Did you initiate a password reset?
 @auth.route('/register', methods=['POST', 'GET'])
 def register():
 if not can_register():
- return redirect('/login')
+ return redirect(url_for('auth.login'))
 if request.method == 'POST':
 errors = []
 name = request.form['name']
@@ -88,6 +88,13 @@ def register():
 team = Teams(name, email, password)
 db.session.add(team)
 db.session.commit()
+ db.session.flush()
+
+ session['username'] = team.name
+ session['id'] = team.id
+ session['admin'] = team.admin
+ session['nonce'] = sha512(os.urandom(10))
+
 if mailserver():
 sendmail(request.form['email'], "You've successfully registered for the CTF")
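Review bot: `session['admin'] = team.admin` in the register hunk stores whatever the freshly committed row holds, and if `Teams.admin` is a boolean column that value is `False` rather than `None` for an ordinary registrant; the `admins_only` decorator in the utils.py hunk (`if session.get('admin', None) is None:`) only rejects `None`, so a session created here would pass that guard. Check truthiness in the decorator instead, `if not session.get('admin'): return redirect(url_for('auth.login'))`, and verify login(), whose session setup is not in this patch, against the same check. The `db.session.flush()` placed right after `db.session.commit()` is a no-op (the commit already flushed, and `team.id` is reloaded on access), so it can be dropped. register() continues beyond the hunk.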
@@ -95,7 +102,7 @@ def register():
 logger = logging.getLogger('regs')
 logger.warn("[{0}] {1} registered with {2}".format(time.strftime("%m/%d/%Y %X"), request.form['name'].encode('utf-8'), request.form['email'].encode('utf-8')))
- return redirect('/login')
+ return redirect(url_for('challenges.challenges_view'))
 else:
 return render_template('register.html')
@@ -120,9 +127,9 @@ def login():
 logger = logging.getLogger('logins')
 logger.warn("[{0}] {1} logged in".format(time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
- # if request.args.get('next') and is_safe_url(request.args.get('next')):
- # return redirect(request.args.get('next'))
- return redirect('/team/{0}'.format(team.id))
+ if request.args.get('next') and is_safe_url(request.args.get('next')):
+ return redirect(request.args.get('next'))
+ return redirect(url_for('challenges.challenges_view'))
 else:
 errors.append("That account doesn't seem to exist")
 db.session.close()
diff --git a/CTFd/challenges.py b/CTFd/challenges.py
index 74382af..c8d15fa 100644
--- a/CTFd/challenges.py
+++ b/CTFd/challenges.py
@@ -22,7 +22,7 @@ def challenges_view():
 if can_view_challenges():
 return render_template('chals.html', ctftime=ctftime())
 else:
- return redirect('/login')
+ return redirect(url_for('auth.login', next='challenges'))
 @challenges.route('/chals', methods=['GET'])
@@ -45,7 +45,7 @@ def chals():
 return jsonify(json)
 else:
 db.session.close()
- return redirect('/login')
+ return redirect(url_for('auth.login', next='chals'))
 @challenges.route('/chals/solves')
@@ -56,7 +56,7 @@ def chals_per_solves():
 for chal, count in solves:
 json[chal.chal.name] = count
 return jsonify(json)
- return redirect('/login')
+ return redirect(url_for('auth.login', next='chals/solves'))
 @challenges.route('/solves')
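Review bot: The re-enabled `next` redirect in login() makes `is_safe_url` the only thing between this handler and an open redirect, and neither its definition nor its import appears in this patch. Before relying on it, confirm it resolves the target against `request.host_url` and accepts only http/https on the same netloc (a protocol-relative `//host` value or a non-http scheme must be rejected), and record that contract on the `if` line, e.g. `# next is user-controlled; is_safe_url must reject other hosts and schemes`. login() starts and ends outside the hunk.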
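Review bot: The `next` values `'challenges'`, `'chals'` and `'chals/solves'` (the challenges.py hunks at lines 22, 45 and 56) are hand-written relative paths, which reintroduces the hard-coded routing this commit is removing and will silently break if the blueprint prefix or these routes change. Build them from the endpoint, e.g. `return redirect(url_for('auth.login', next=url_for('challenges.challenges_view')))`, or pass `request.path`; note also that `chals` and `chals/solves` serve JSON, so landing a browser there after login is probably not the intended destination either.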
@@ -108,7 +108,7 @@ def who_solved(chalid):
 @challenges.route('/chal/', methods=['POST'])
 def chal(chalid):
 if not ctftime():
- return redirect('/challenges')
+ return redirect(url_for('challenges.challenges_view'))
 if authed():
 fails = WrongKeys.query.filter_by(team=session['id'], chalid=chalid).count()
 logger = logging.getLogger('keys')
diff --git a/CTFd/utils.py b/CTFd/utils.py
index 73b84fd..0e25787 100644
--- a/CTFd/utils.py
+++ b/CTFd/utils.py
@@ -96,7 +96,7 @@ def init_utils(app):
 if request.path == '/setup' or request.path.startswith('/static'):
 return
 if not is_setup():
- return redirect('/setup')
+ return redirect(url_for('views.setup'))
 def ctf_name():
@@ -140,7 +140,7 @@ def admins_only(f):
 @wraps(f)
 def decorated_function(*args, **kwargs):
 if session.get('admin', None) is None:
- return redirect('/login')
+ return redirect(url_for('auth.login'))
 return f(*args, **kwargs)
 return decorated_function
diff --git a/CTFd/views.py b/CTFd/views.py
index e8f825d..4afbd20 100644
--- a/CTFd/views.py
+++ b/CTFd/views.py
@@ -40,7 +40,7 @@ def redirect_setup():
 if request.path == "/static/css/style.css":
 return
 if not is_setup() and request.path != "/setup":
- return redirect('/setup')
+ return redirect(url_for('views.setup'))
 @views.route('/setup', methods=['GET', 'POST'])
@@ -207,7 +207,7 @@ def profile():
 team.country = country
 db.session.commit()
 db.session.close()
- return redirect('/profile')
+ return redirect(url_for('views.profile'))
 else:
 user = Teams.query.filter_by(id=session['id']).first()
 name = user.name
@@ -219,4 +219,4 @@ def profile():
 return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation, country=country, prevent_name_change=prevent_name_change)
 else:
- return redirect('/login')
+ return redirect(url_for('auth.login'))
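Review bot: In the utils.py init_utils hunk the guard `request.path == '/setup'` still hard-codes the route while the redirect two lines below now derives it from `url_for('views.setup')`, and the views.py redirect_setup hunk has the same pair (`request.path != "/setup"`). If the route and the literal ever drift apart, the before-request handler redirects to setup from the setup page itself and loops, so compare against the same source, e.g. `if request.endpoint == 'views.setup' or request.path.startswith('/static'):`, or hoist `setup_url = url_for('views.setup')` and use it for both the comparison and the redirect. init_utils starts before the hunk and redirect_setup's decorator is outside it.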