2.1.3 / 2019-06-22
==================
**General**
* Fix issue with downloading files after CTF end when `view_after_ctf` is enabled
* Sort solves in admin challenge view by date
* Link to appropriate user and challenge in team, user, and challenge pages
* Redirect to `/team` instead of `/challenges` after a user registers in team mode
* Fixes bug where pages marked as `hidden` weren't loading
* Remove `data-href` from `pages.html` in the Admin Panel to fix the delete button
* Add UI to handle team member removal in Admin Panel
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode.
* `utils._get_config` will now return `KeyError` instead of `None` to avoid cache misses
**Deployment**
* Use `/dev/shm` for `--worker-tmp-dir` in gunicorn in Docker
* Cache `get_place` code for users and teams.
* Install `Flask-DebugToolbar` in development
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Make unprivileged `ctfd` user usable for mysql connection in docker-compose by having the db image create the database instead of CTFd
* Fix bug causing apache2 + mod_wsgi deployments to break
**API**
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
* Endpoint was unused so the API change is considered non-breaking.
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
* Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Clear standings cache after award creation/deletion
**Exports**
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
* Add `cache_timeout` parameter to `send_file`response in `/admin/export` to prevent the browser from caching the export
**Tests**
* Fix score changing test helpers to clear standings cache when generating a score changing row
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode.
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
* Likely also disables SQLite but SQLite is permissive about foreign keys to begin with so irrelevant.
* Create a `flask_migrate.stamp()` wrapper in `CTFd.utils.migrations` that always references the migrations folder regardless of how CTFd is run or deployed.
* Closes#257 properly
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Update `tests.api.v1.test_scoreboard:test_scoreboard_is_cached` to also test if `/scoreboard` is cached
* Cache get place code for users and teams.
* Fix score changing test helpers to clear standings cache when generating a score changing row
* `utils._get_config` will now return `KeyError` instead of None.
* Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Install `Flask-DebugToolbar` in development
Main goals covered in #1012
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
* Not even the admin panel was using this endpoint so doesn't seem that drastic of a change
* Add UI to handle team member removal
* Remove `data-href` from `pages.html` to fix the delete button
* The delete action propagates too much causing issues. This should be re-implemented on page editor rewrite.
* Fixes bug where pages marked as `hidden` weren't loading
* It's possible that some users used this behavior however this fix implements the correct behavior. The `draft` setting can be used to completely hide pages.
2.1.2 / 2019-05-13
==================
**General**
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me]/[solves,fails,awards]` endpoints load as admin so users can see their solves after freeze
* Make `/api/v1/challenges/[id]/solves` only show solves before freeze time
* Add the `?preview=true` GET parameter for admins to preview challenges solves as a user
* Team join attempts are now ratelimited
**Tests**
* More linting and autoformatting rules
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` and `black tests`
* `make lint` and thus Travis now include the above commands as lint checks
* Travis now uses xenial instead of trusty.
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` & `black tests`
* Travis now uses xenial instead of trusty.
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze
* Closes#988
* Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would.
* Closes#986
2.1.1 / 2019-05-04
==================
**General**
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team to fix challenge previews
* Fix rate-limiting of flag submission when using team mode
* Fixes some modal close buttons not working in the admin panel
* Fixes `populate.py` to assign captains to teams.
**Models**
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on Challenges
* Added `ondelete='CASCADE'` to most ForeignKeys in models allowing for deletions to remove associated data
* `Hints` should be deleted when their Challenge is deleted
* `Tags` should be deleted when their Challenge is deleted
* `Flags` should be deleted when their Challenge is deleted
* `ChallengeFiles` should be deleted when their Challenge is deleted
* Deletion of the file itself is not handled by the model/database
* `Awards` should be deleted when their user or team is deleted
* `Unlocks` should be deleted when their user or team is deleted
* `Tracking` should be deleted when their user or team is deleted
* `Teams.captain_id` should be set to NULL when the captain user is deleted
**Exports**
* Force `db.create_all()` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
* Fix imports/exports to emit and accept JSON properly under MariaDB
* MariaDB does not properly understand JSON so it must accept strings instead of dicts
* MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
**Deployment**
* Run as root when using docker-compose
* This is necessary to be able to write to the volumes mounted from the host
* Fixes `populate.py` to assign captains to teams.
* Adds `ondelete='CASCADE'` to most ForeignKeys in models
* Closes#794
* Test reset in team mode to test removing teams with captains
* Test deleting users/teams with awards to test cascading deletion
* `gen_team()` test helper now creates users for the team and assigns the first one as captain
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on `Challenges`
* Fix imports/exports to accept JSON
* MariaDB does not properly understand JSON so it must accept strings instead of dicts
* MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
* Update Makefile to not lint any uploads
* Update Flask-SQLAlchemy to 2.4.0 to remove a large amount of warnings
* Force `db.create_all` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
Drop the default worker count in `docker-entrypoint.sh` because the default memory usage was higher than it needed to be. If you need more workers you can still increase the values and set a `SECRET_KEY` as before.
* Catch IOError issues (i.e. permission issues) with writing to log files
* Related to #844
* Logs now have a sys.stdout handler
* Update Dockerfile to create and chown/chmod the folders used by `docker-compose` to store files/logs (`/var/log/CTFd`, `/var/uploads`)
* Fix admin's modifying their own team or own settings
* Fix some links not working in the admin panel
* Fix extensions with an extra space in `populate.py`
2.0.6 / 2019-04-08
==================
**Security**
* Fixes an issue where user email addresses could be disclosed to non-admins
**General**
* Users/Teams set to hidden or banned are no longer visible by other users
* This affects the API and the main user interface. This does not affect admins.
* Users without Teams can no longer view challenges when the CTF is in Team Mode
* Properly load schemas specified by their key string
* Add test for UserSchema
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
* Properly hide users/teams if they are set to hidden/banned
* This should be in the API and in the main user panel. This should not affect admins.
* Update tests to reflect this behavior.
* Read smtp server configuration from config.py
The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.
* Update simple SMTP server tests
* Reimplement admin send mail to users as `/api/v1/users/<user_id>/email`
* Update form and related Javascript
* Write test for controller
* Closes#897
Kevin Chung
Patrick Cunningham
Baptiste MOINE
Stitch (StormCTF)
Koki Takahashi
Kevin Chung
s-nirali
Grant Hernandez