From ef39c3ef41ddb70cb4beb56b635895924005c45a Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sun, 15 Oct 2017 14:58:17 -0400
Subject: [PATCH] Fixing users being able to see their own graphs when scores
 are hidden (#412)

---
 CTFd/challenges.py | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/CTFd/challenges.py b/CTFd/challenges.py
index 7cfd824..20cb121 100644
--- a/CTFd/challenges.py
+++ b/CTFd/challenges.py
@@ -189,7 +189,20 @@ def solves(teamid=None):
         else:
             return redirect(url_for('auth.login', next='solves'))
     else:
-        if utils.hide_scores():
+        if utils.authed() and session['id'] == teamid:
+            solves = Solves.query.filter_by(teamid=teamid)
+            awards = Awards.query.filter_by(teamid=teamid)
+
+            freeze = utils.get_config('freeze')
+            if freeze:
+                freeze = utils.unix_time_to_utc(freeze)
+                if teamid != session.get('id'):
+                    solves = solves.filter(Solves.date < freeze)
+                    awards = awards.filter(Awards.date < freeze)
+
+            solves = solves.all()
+            awards = awards.all()
+        elif utils.hide_scores():
             # Use empty values to hide scores
             solves = []
             awards = []
@@ -251,7 +264,10 @@ def fails(teamid=None):
         fails = WrongKeys.query.filter_by(teamid=session['id']).count()
         solves = Solves.query.filter_by(teamid=session['id']).count()
     else:
-        if utils.hide_scores():
+        if utils.authed() and session['id'] == teamid:
+            fails = WrongKeys.query.filter_by(teamid=teamid).count()
+            solves = Solves.query.filter_by(teamid=teamid).count()
+        elif utils.hide_scores():
             fails = 0
             solves = 0
         else: