Commit Graph

845 Commits (bulk-clear-sessions)

Author SHA1 Message Date
Kevin Chung 154e281612 Remove Python 2.7 2020-04-14 17:03:38 -04:00
Kevin Chung 2a90f77ed3 Run on any push 2020-04-14 17:00:32 -04:00
Kevin Chung c5ec896b38
Add Github Action for lint (#1321) 2020-04-14 16:58:09 -04:00
‏‏Dave 6f87129846
Replace flask_restful with flask_restx (#1282)
Co-authored-by: Kevin Chung <kchung@ctfd.io>
2020-04-14 15:26:50 -04:00
Kevin Chung 05e5730c54
Fix media library refresh on upload (#1319) 2020-04-14 12:42:15 -04:00
Kevin Chung 4b6c9ec8bd
Mark 2.3.3 (#1316)
2.3.3 / 2020-04-12
==================

**General**
* Re-enable the Jinja LRU Cache for **significant speedups** when returning HTML content

**API**
* `POST /api/v1/unlocks` will no longer allow duplicate unlocks to happen

**Admin Panel**
* Makes `Account Visibility` subtext clearer by explaining the `Private` setting in Config Panel

**Themes**
* Fixes an issue with using a theme with a purely numeric name
* Fixes issue where the scoreboard graph always said Teams regardless of mode

**Miscellaneous**
* Bump max log file size to 10 MB and fix log rotation
* Docker image dependencies (apk & pip) are no longer cached reducing the image size slightly
2020-04-12 15:33:00 -04:00
Kevin Chung 04e6b2011f
Prevent accidental double unlocks (#1315)
* Prevent a hint from being unlocked twice
* Closes  #1301
2020-04-11 22:03:51 -04:00
HuiFeng Tang 96f317293f
Questions about optimizing Dockerfile play (#1312)
* Don't cache dependencies in Dockerfile
2020-04-11 15:50:06 -04:00
Kevin Chung aeab4ded6e
Add fix for logrotation (#1311)
* Bump max log file size to 10 MB and fix log rotation on RotatingFileHandler
* Closes #1302
2020-04-11 14:33:40 -04:00
Kevin Chung 320feb9179
Re-enable the Jinja LRU Cache (#1308)
* Re-enable the Jinja LRU Cache by overriding the `Environment._load_template` function and adding a theme namespace
2020-04-10 12:50:55 -04:00
Kevin Chung 1249229faf
Closes #1305 (#1309)
* Makes `Account Visibility` subtext clearer by explaining the `Private` setting
2020-04-10 02:51:49 -04:00
淡水 a854bfc50f
Fix scoreboard top 10 graph's title (#1296)
* Scoreboard graph title properly shows Users or Teams
2020-03-31 16:18:27 -04:00
Alan 76af4419b6
Fix typecasting bug when using utils.get_config to get theme (#1298)
* Fix a type issue with config values. Related to #929
2020-03-30 01:17:29 -04:00
Kevin Chung d80051bcda
Mark 2.3.2 (#1292)
2.3.2 / 2020-03-15
==================

**General**
* Fix awards not being properly assigned to teams in `TEAMS_MODE`

**API**
* Set `/api/v1/statistics/users` route to be admins_only
* When POST'ing to `/api/v1/awards`, CTFd will look up a user's team ID if `team_id` is not specified

**Admin Panel**
* Adds a setting to registration visibility to allow for MLC registration while registration is disabled
* Fix setting theme color during the setup flow and from the Admin Panel

**Themes**
* Fixes users/admins being able to remove profile settings.
    * Previously a bug prevented users from removing some profile settings. Now the `core` theme stores the initial value of inputs as a `data` attribute and checks for changes when updating data. This should be a temporary hack until a proper front-end framework is in place.
* Fix `ezToast()` issue that was keeping toast messages visible indefinitely
* Fix `modal-body` parameters in ezq.js for `ezAlert` and `ezQuery` and fix the progress bar for certain cases in `ezProgressBar`
* Use `authed()` function to check if user is authed in `base.html`. This fixes an issue where a page could look as if the user was logged in.

**Miscellaneous**
* Fix behavior for `REVERSE_PROXY` config setting when set to a boolean instead of a string
* Improve `Dockerfile` to run fewer commands and re-use the build cache
* Add `make coverage` to generate an HTML coverage report
* Update `coverage` and `pytest-cov` development dependencies
2020-03-15 15:33:28 -04:00
Kevin Chung e5f128ec9d
Fix awards in teams mode (#1289)
* Fix awards not being properly assigned to teams in `TEAMS_MODE`
2020-03-14 15:36:44 -04:00
Kevin Chung 30d239fb61
Generate a better coverage report with 'who tests what' context (#1291)
* Add `make coverage` to generate an HTML coverage report
* Update `coverage` and `pytest-cov` development dependencies
2020-03-14 14:37:03 -04:00
Kevin Chung 64aa55366f
Fix changing profile settings from admin and user settings pages (#1290)
* Fixes users/admins being able to remove profile settings
2020-03-14 12:15:11 -04:00
Joe Atzberger 123d72ac80
Prune down docker image (#1286)
* Improve `Dockerfile` to run fewer commands and re-use the build cache

Co-authored-by: Joe Atzberger <atz@corelight.com>
Co-authored-by: Kevin Chung <kchung@nyu.edu>
2020-03-14 03:16:12 -04:00
Kevin Chung 464f7bde58
Use authed function to check if user is authed in base.html (#1283)
* Use `authed` function to check if user is authed in `base.html`
2020-03-08 19:45:24 -04:00
Kevin Chung 348fe5504e
Fix modal-body parameters in ezq.js and fix the progress bar for certain cases in ezProgressBar (#1278)
* Fix `modal-body` parameters in ezq.js for `ezAlert` and `ezQuery` and fix the progress bar for certain cases in `ezProgressBar`
* Mostly copied from #1275
2020-03-04 19:51:01 -05:00
Kevin Chung ae1c2ec50d
Set UserStatistics route to be admins_only (#1276)
* Set UserStatistics route to be admins_only
2020-03-04 01:08:13 -05:00
Kevin Chung 1e86718232
Fix setting theme color from the setup flow (#1273)
* Fix setting theme color from the setup flow
2020-03-03 00:24:57 -05:00
Zander Work 2f106d4fc3
Fix #1249 (#1250)
* Fix behavior for `REVERSE_PROXY` setting when set to a boolean instead of a string
2020-02-29 23:37:57 -05:00
Kevin Chung 65a640184b
Only run the sqlite datetime hack on columns that are expecting a datetime object (#1270)
* Only run the SQLite datetime hack (#246) on columns that are expecting a datetime object
* Closes #1255
2020-02-29 20:17:54 -05:00
Kevin Chung e764bb16b8
Fix custom theme color setting in config panel (#1268)
* Properly update the theme header with custom theme color values 
* Closes #1263
2020-02-29 16:56:05 -05:00
Kevin Chung 2f46f61ed0
Fix ezq toast timeout and fix yarn build command for Python 3 (#1266)
* Fix `ezToast()` timeout
* Force `yarn build` to use Python 3
* Closes #1265
2020-02-29 15:21:22 -05:00
Kevin Chung 7ee47b0abe
Add setting to allow MLC registration only (#1259)
* Adds a setting to registration visibility to allow for MLC registration while registration is disabled
2020-02-23 23:33:34 -05:00
Kevin Chung 0bae69bee4
Prevent double confirmations from happening (#1253)
* Prevents user from confirming their account twice
2020-02-17 21:46:24 -05:00
Kevin Chung 7cd8d90e0c
2.3.1 dev (#1252)
2.3.1 / 2020-02-17
==================

**General**
* User confirmation emails now have the correct URL format
2020-02-17 20:07:17 -05:00
Kevin Chung 22c132358e
2.3.0 (#1248)
2.3.0 / 2020-02-17
==================

**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editting hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature.
    * The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)

**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.

**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`

**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
2020-02-17 02:17:25 -05:00
Kevin Chung 354954bbe9
Add config manipulation to manage.py (#1233)
* Adds `get_config` and `set_config` commands to `manage.py` to manipulate the Config table from a CLI
* Closes #1226
2020-02-12 01:27:06 -05:00
Kevin Chung 1049a14b90
Fix SMTP email From header and remove 'Admin' from the From header (#1229)
* Fix SMTP email From header and remove 'Admin' from the From header
2020-02-11 21:35:58 -05:00
Kevin Chung 309e62520e
Fix dynamic challenge hint loading (#1224)
* Fixes hint loading for dynamic challenges
2020-01-28 22:16:44 -05:00
Kevin Chung d59bfa3578
Mark 2.2.3 (#1222)
2.2.3 / 2020-01-21
==================

### This release includes a critical security fix for CTFd versions >= 2.0.0

All CTFd administrators are recommended to take the following steps:
1. Upgrade their installations to the latest version
2. Rotate the `SECRET_KEY` value
3. Reset the passwords for all administrator users

**Security**
* This release includes a fix for a vulnerability allowing an arbitrary user to take over other accounts given their username and a CTFd instance with emails enabled

**General**
* Users will receive an email notification when their passwords are reset
* Fixed an error when users provided incorrect team join information
2020-01-21 00:06:03 -05:00
Kevin Chung a2551db690
Add a password change notification email (#1221)
* Adds an email notification for password resets
2020-01-20 23:05:44 -05:00
Kevin Chung 60c46af58a
Sign sessions using SECRET_KEY to simplify revocation (#1219)
* Sign sessions using `SECRET_KEY`
* Add `CTFd.utils.security.signing.sign` and `CTFd.utils.security.signing.unsign`
2020-01-20 21:53:08 -05:00
Kevin Chung 83efc4d5eb
Fix error with invalid team information and team size limits (#1220)
* Fix error when joining teams with a size limit
2020-01-20 20:34:11 -05:00
Kevin Chung f660ed1fb7
Strip spaces on registration and have reset password use email address instead of names (#1218)
* Usernames are now properly stripped before being used in registration checks
* Reset password function now uses email addresses instead of user names for tokens
* Prevent MLC users from resetting their password
2020-01-20 14:22:06 -05:00
Kevin Chung fe85fdf1e5
Mark 2.2.2 (#1212)
2.2.2 / 2020-01-09
==================

**General**
* Add jQuery, Moment, nunjucks, and Howl to window globals to make it easier for plugins to access JS modules
* Fix issue with timezone loading in config page which was preventing display of CTF times
2020-01-09 20:32:50 -05:00
Kevin Chung d37805b6fe
Fix timezone loading in time config page (#1211)
* Fix an issue where CTF times could not be displayed in the admin panel because timezones weren't available
2020-01-09 18:41:41 -05:00
Kevin Chung d30bd182d2
Add jQuery, Moment, nunjucks, and Howl to window globals (#1209)
* Add jQuery, Moment, nunjucks, and Howl to window globals
2020-01-08 18:06:15 -05:00
Kevin Chung dc492c97af
Mark 2.2.1 (#1208)
2.2.1 / 2020-01-04
==================

**General**
* Fix issue preventing admins from creating users or teams
* Fix issue importing backups that contained empty directories
2020-01-04 01:20:50 -05:00
fengkx 7ff6163309 fix: fix import uploads (#1173)
* Fixes issue with importing backups that contain invalid empty directories
2020-01-03 23:56:12 -05:00
Kevin Chung 5b65a6ced0
Remove CTFd Slack references in README to reference MLC Discourse (#1204)
* Replace references to the CTFd Slack with MLC Discourse references
2020-01-03 23:07:46 -05:00
Kevin Chung d5128c2fa4
Seperate out admin theme from core more to fix #1200 (#1202)
* Separate out admin theme from core more to fix #1200
2020-01-03 22:18:05 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be useable with v2.2.0. 

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time,
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members's Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now user a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variable via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Christian Clauss 6d192a7c14 Fix NameError in 1_2_0_upgrade_2_0_0.py
Fixes a NameError in `1_2_0_upgrade_2_0_0.py`
2019-12-19 21:26:19 -05:00
Dave 97f5dcaf8c Strip password before length check (#1155)
* Strip password before length check
* Pin black to an older version
2019-11-05 23:25:39 -05:00
Kevin Chung 6c5c63d667
Don't redirect the /events endpoint to login (#1132)
* Detect `text/event-stream` in `authed_only` to prevent unnecessary redirects to `/login`
2019-10-11 23:18:44 -07:00
Kevin Chung a9b2fe15e3
Mark 2.1.5 (#1126)
2.1.5 / 2019-10-2
=================

**General**
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
* Avoid exception on sessions without a valid user and force logout
* Fix several issues in Vagrant provisioning

**API**
* Prevent users from nulling out profile values and breaking certain pages
2019-10-02 02:25:30 -04:00