* Require CSRF-Token header on state changing API requests
* Require CSRF nonces on more than just POSTs,
* Replace usage of `fetch()` with custom `CTFd.fetch()` implementation
* Fix subdirectory deployments in a generic manner by modifying`request.path` to combine both `request.script_root` and `request.path` and also creating a request preprocessor to redirect users into the true CTFd app. Without this sessions will be invalid because sessions will be set to a subdirectory.
* Add a test for testing subdirectory deployments and the customized CTFdRequest object.
* Fix `TestingConfig.SAFE_MODE` getting stuck in between tests.
* Order AWS keys properly in travis.yml
* Redirect to `request.full_path` instead of just `request.path`
* Adds plugin functions to register javascript and CSS in the admin panel
* Move global plugin script/stylesheet lists into application factory specific lists
* Closes#804
* Show notification titles on the notification list page
* Allow for deleting notifications
* Update notification UI in admin panel
* Make /api/v1/notifications/<id> accessible to all
* Default `login_as_user()` and `register_user()` to fail on invalid credentials
* Disable user mode switching on client side (Closes#799)
* It's ill advised to switch user modes after a CTF is setup. The simplest thing to do here is to require CTF resetting in order to switch modes. If it makes sense this can be re-enabled and re-evaluated.
* Fix email confirmations and improve test.
* Breaks confirm.html page because of change from team to user
* Clean up admin mail settings to use new label/small structure
* Fix password resets from double hashing passwords
* Fixing a bug where prerequisites could not be set for dynamic challenges due to a division by zero error where defaults were being set unnecessarily.
* Creating unit test for adding requirement to dynamic challenges
* Fix downloading files as an anonymous user.
* Fix viewing challenges anonymously if they have empty requirements. Closes#789
* Allow anonymous users to see see challenges with empty requirements or anonymized challenges
* Disable jinja cache properly by setting cache_size to 0 (#662)
* Without disabling the cache you get some difficult to debug rendering errors. Regression from 1.2.0.
* Fix setting mail_username, mail_password; Fix setting auth for get_smtp
* Add MAIL_USEAUTH to config.py
* Add more mail documentation to config.py
* Prevent overriding smtp attributes on config update; update email tests to use mail_userauth
* Grant admin write access to verified field in UserSchema.
* Add test admin can view and modify verified status
* Add test for creating users with settings
* Add codecov threshold for test failures
* Update base.html to move custom_css precedence
* Fix Page creation & caching
* Add Page loading test
* Fix creating Page with an invalid route
* Don't call cache.clear() unless it's absolutely needed
* Fix showing uploaded files after uploading to media library
* Fix previewing challenges from the admin panel if it has requirements
* Hardcode CACHE_THRESHOLD to 0 in FileSystemCache to prevent random sessions getting deleted (Closes#772)
* Fix creating users, teams from the API, hash password in models vs in schemas, stop caching CSS at the decorator level, fix tests
* Fix whitelisted emails and add test
* Set proper defaults in accounts config
* Fix dynamic challenges to work in user mode and team mode (Closes#759)
* Add test for solving dynamic challenges and challenge de-valuation
* Add missing oauth_login link to team_enrollment.html
* Update CHANGELOG
* Update README
* Upgrade migration script to port visibility settings
* Add message about visibility settings and port over visibility settings
* Close#758
* Add tests for dynamic value challenges