1092 fix solve count leak during freeze (#1095)

* Challenges properly get solve count during freeze time * Closes #1092
2019-08-29 23:22:24 -04:00 · 2019-08-29 23:22:24 -04:00 · c88e0556eb
parent 941ca8f506
commit c88e0556eb
2 changed files with 22 additions and 5 deletions
--- a/CTFd/api/v1/challenges.py
+++ b/CTFd/api/v1/challenges.py
@ -38,7 +38,7 @@ from CTFd.utils import user as current_user
 from CTFd.utils.user import get_current_team
 from CTFd.utils.user import get_current_user
 from CTFd.plugins.challenges import get_chal_class
-from CTFd.utils.dates import ctf_ended, ctf_paused, ctftime
+from CTFd.utils.dates import ctf_ended, ctf_paused, ctftime, unix_time_to_utc
 from CTFd.utils.logging import log
 from CTFd.utils.security.signing import serialize
 from sqlalchemy.sql import and_
@ -267,8 +267,14 @@ class Challenge(Resource):
                    Model.banned == False,
                    Model.hidden == False,
                )
-                .count()
            )
+
+            # Only show solves that happened before freeze time if configured
+            freeze = get_config("freeze")
+            if not is_admin() and freeze:
+                solves = solves.filter(Solves.date < unix_time_to_utc(freeze))
+
+            solves = solves.count()
            response["solves"] = solves
        else:
            response["solves"] = None
--- a/tests/api/v1/test_challenges.py
+++ b/tests/api/v1/test_challenges.py
@ -536,14 +536,25 @@ def test_api_challenge_get_solves_ctf_frozen():
            chal2_id = chal2.id

        with freeze_time("2017-10-8"):
-            chal2 = gen_solve(app.db, user_id=2, challenge_id=chal2_id)
+            # User ID 2 solves Challenge ID 2
+            gen_solve(app.db, user_id=2, challenge_id=chal2_id)
+            # User ID 3 solves Challenge ID 1
+            gen_solve(app.db, user_id=3, challenge_id=chal_id)
+
+            # Challenge 1 has 2 solves
+            # Challenge 2 has 1 solve

            # There should now be two solves assigned to the same user.
-            assert Solves.query.count() == 2
+            assert Solves.query.count() == 3

            client = login_as_user(app, name="user2")

-            # Challenge 1 should have one solve
+            # Challenge 1 should have one solve (after freeze)
+            r = client.get("/api/v1/challenges/1")
+            data = r.get_json()["data"]
+            assert data['solves'] == 1
+
+            # Challenge 1 should have one solve (after freeze)
            r = client.get("/api/v1/challenges/1/solves")
            data = r.get_json()["data"]
            assert len(data) == 1