Commit Graph

836 Commits (7646707b8acd32f412136c4f1f50d4b52e3a6a1d)

Author SHA1 Message Date
Kevin Chung 320feb9179
Re-enable the Jinja LRU Cache (#1308)
* Re-enable the Jinja LRU Cache by overriding the `Environment._load_template` function and adding a theme namespace
2020-04-10 12:50:55 -04:00
Kevin Chung 1249229faf
Closes #1305 (#1309)
* Makes `Account Visibility` subtext clearer by explaining the `Private` setting
2020-04-10 02:51:49 -04:00
淡水 a854bfc50f
Fix scoreboard top 10 graph's title (#1296)
* Scoreboard graph title properly shows Users or Teams
2020-03-31 16:18:27 -04:00
Alan 76af4419b6
Fix typecasting bug when using utils.get_config to get theme (#1298)
* Fix a type issue with config values. Related to #929
2020-03-30 01:17:29 -04:00
Kevin Chung d80051bcda
Mark 2.3.2 (#1292)
2.3.2 / 2020-03-15
==================

**General**
* Fix awards not being properly assigned to teams in `TEAMS_MODE`

**API**
* Set `/api/v1/statistics/users` route to be admins_only
* When POST'ing to `/api/v1/awards`, CTFd will look up a user's team ID if `team_id` is not specified

**Admin Panel**
* Adds a setting to registration visibility to allow for MLC registration while registration is disabled
* Fix setting theme color during the setup flow and from the Admin Panel

**Themes**
* Fixes users/admins being able to remove profile settings.
    * Previously a bug prevented users from removing some profile settings. Now the `core` theme stores the initial value of inputs as a `data` attribute and checks for changes when updating data. This should be a temporary hack until a proper front-end framework is in place.
* Fix `ezToast()` issue that was keeping toast messages visible indefinitely
* Fix `modal-body` parameters in ezq.js for `ezAlert` and `ezQuery` and fix the progress bar for certain cases in `ezProgressBar`
* Use `authed()` function to check if user is authed in `base.html`. This fixes an issue where a page could look as if the user was logged in.

**Miscellaneous**
* Fix behavior for `REVERSE_PROXY` config setting when set to a boolean instead of a string
* Improve `Dockerfile` to run fewer commands and re-use the build cache
* Add `make coverage` to generate an HTML coverage report
* Update `coverage` and `pytest-cov` development dependencies
2020-03-15 15:33:28 -04:00
Kevin Chung e5f128ec9d
Fix awards in teams mode (#1289)
* Fix awards not being properly assigned to teams in `TEAMS_MODE`
2020-03-14 15:36:44 -04:00
Kevin Chung 30d239fb61
Generate a better coverage report with 'who tests what' context (#1291)
* Add `make coverage` to generate an HTML coverage report
* Update `coverage` and `pytest-cov` development dependencies
2020-03-14 14:37:03 -04:00
Kevin Chung 64aa55366f
Fix changing profile settings from admin and user settings pages (#1290)
* Fixes users/admins being able to remove profile settings
2020-03-14 12:15:11 -04:00
Joe Atzberger 123d72ac80
Prune down docker image (#1286)
* Improve `Dockerfile` to run fewer commands and re-use the build cache

Co-authored-by: Joe Atzberger <atz@corelight.com>
Co-authored-by: Kevin Chung <kchung@nyu.edu>
2020-03-14 03:16:12 -04:00
Kevin Chung 464f7bde58
Use authed function to check if user is authed in base.html (#1283)
* Use `authed` function to check if user is authed in `base.html`
2020-03-08 19:45:24 -04:00
Kevin Chung 348fe5504e
Fix modal-body parameters in ezq.js and fix the progress bar for certain cases in ezProgressBar (#1278)
* Fix `modal-body` parameters in ezq.js for `ezAlert` and `ezQuery` and fix the progress bar for certain cases in `ezProgressBar`
* Mostly copied from #1275
2020-03-04 19:51:01 -05:00
Kevin Chung ae1c2ec50d
Set UserStatistics route to be admins_only (#1276)
* Set UserStatistics route to be admins_only
2020-03-04 01:08:13 -05:00
Kevin Chung 1e86718232
Fix setting theme color from the setup flow (#1273)
* Fix setting theme color from the setup flow
2020-03-03 00:24:57 -05:00
Zander Work 2f106d4fc3
Fix #1249 (#1250)
* Fix behavior for `REVERSE_PROXY` setting when set to a boolean instead of a string
2020-02-29 23:37:57 -05:00
Kevin Chung 65a640184b
Only run the sqlite datetime hack on columns that are expecting a datetime object (#1270)
* Only run the SQLite datetime hack (#246) on columns that are expecting a datetime object
* Closes #1255
2020-02-29 20:17:54 -05:00
Kevin Chung e764bb16b8
Fix custom theme color setting in config panel (#1268)
* Properly update the theme header with custom theme color values 
* Closes #1263
2020-02-29 16:56:05 -05:00
Kevin Chung 2f46f61ed0
Fix ezq toast timeout and fix yarn build command for Python 3 (#1266)
* Fix `ezToast()` timeout
* Force `yarn build` to use Python 3
* Closes #1265
2020-02-29 15:21:22 -05:00
Kevin Chung 7ee47b0abe
Add setting to allow MLC registration only (#1259)
* Adds a setting to registration visibility to allow for MLC registration while registration is disabled
2020-02-23 23:33:34 -05:00
Kevin Chung 0bae69bee4
Prevent double confirmations from happening (#1253)
* Prevents user from confirming their account twice
2020-02-17 21:46:24 -05:00
Kevin Chung 7cd8d90e0c
2.3.1 dev (#1252)
2.3.1 / 2020-02-17
==================

**General**
* User confirmation emails now have the correct URL format
2020-02-17 20:07:17 -05:00
Kevin Chung 22c132358e
2.3.0 (#1248)
2.3.0 / 2020-02-17
==================

**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editting hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature.
    * The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)

**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.

**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`

**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
2020-02-17 02:17:25 -05:00
Kevin Chung 354954bbe9
Add config manipulation to manage.py (#1233)
* Adds `get_config` and `set_config` commands to `manage.py` to manipulate the Config table from a CLI
* Closes #1226
2020-02-12 01:27:06 -05:00
Kevin Chung 1049a14b90
Fix SMTP email From header and remove 'Admin' from the From header (#1229)
* Fix SMTP email From header and remove 'Admin' from the From header
2020-02-11 21:35:58 -05:00
Kevin Chung 309e62520e
Fix dynamic challenge hint loading (#1224)
* Fixes hint loading for dynamic challenges
2020-01-28 22:16:44 -05:00
Kevin Chung d59bfa3578
Mark 2.2.3 (#1222)
2.2.3 / 2020-01-21
==================

### This release includes a critical security fix for CTFd versions >= 2.0.0

All CTFd administrators are recommended to take the following steps:
1. Upgrade their installations to the latest version
2. Rotate the `SECRET_KEY` value
3. Reset the passwords for all administrator users

**Security**
* This release includes a fix for a vulnerability allowing an arbitrary user to take over other accounts given their username and a CTFd instance with emails enabled

**General**
* Users will receive an email notification when their passwords are reset
* Fixed an error when users provided incorrect team join information
2020-01-21 00:06:03 -05:00
Kevin Chung a2551db690
Add a password change notification email (#1221)
* Adds an email notification for password resets
2020-01-20 23:05:44 -05:00
Kevin Chung 60c46af58a
Sign sessions using SECRET_KEY to simplify revocation (#1219)
* Sign sessions using `SECRET_KEY`
* Add `CTFd.utils.security.signing.sign` and `CTFd.utils.security.signing.unsign`
2020-01-20 21:53:08 -05:00
Kevin Chung 83efc4d5eb
Fix error with invalid team information and team size limits (#1220)
* Fix error when joining teams with a size limit
2020-01-20 20:34:11 -05:00
Kevin Chung f660ed1fb7
Strip spaces on registration and have reset password use email address instead of names (#1218)
* Usernames are now properly stripped before being used in registration checks
* Reset password function now uses email addresses instead of user names for tokens
* Prevent MLC users from resetting their password
2020-01-20 14:22:06 -05:00
Kevin Chung fe85fdf1e5
Mark 2.2.2 (#1212)
2.2.2 / 2020-01-09
==================

**General**
* Add jQuery, Moment, nunjucks, and Howl to window globals to make it easier for plugins to access JS modules
* Fix issue with timezone loading in config page which was preventing display of CTF times
2020-01-09 20:32:50 -05:00
Kevin Chung d37805b6fe
Fix timezone loading in time config page (#1211)
* Fix an issue where CTF times could not be displayed in the admin panel because timezones weren't available
2020-01-09 18:41:41 -05:00
Kevin Chung d30bd182d2
Add jQuery, Moment, nunjucks, and Howl to window globals (#1209)
* Add jQuery, Moment, nunjucks, and Howl to window globals
2020-01-08 18:06:15 -05:00
Kevin Chung dc492c97af
Mark 2.2.1 (#1208)
2.2.1 / 2020-01-04
==================

**General**
* Fix issue preventing admins from creating users or teams
* Fix issue importing backups that contained empty directories
2020-01-04 01:20:50 -05:00
fengkx 7ff6163309 fix: fix import uploads (#1173)
* Fixes issue with importing backups that contain invalid empty directories
2020-01-03 23:56:12 -05:00
Kevin Chung 5b65a6ced0
Remove CTFd Slack references in README to reference MLC Discourse (#1204)
* Replace references to the CTFd Slack with MLC Discourse references
2020-01-03 23:07:46 -05:00
Kevin Chung d5128c2fa4
Seperate out admin theme from core more to fix #1200 (#1202)
* Separate out admin theme from core more to fix #1200
2020-01-03 22:18:05 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be useable with v2.2.0. 

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time,
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members's Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now user a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variable via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Christian Clauss 6d192a7c14 Fix NameError in 1_2_0_upgrade_2_0_0.py
Fixes a NameError in `1_2_0_upgrade_2_0_0.py`
2019-12-19 21:26:19 -05:00
Dave 97f5dcaf8c Strip password before length check (#1155)
* Strip password before length check
* Pin black to an older version
2019-11-05 23:25:39 -05:00
Kevin Chung 6c5c63d667
Don't redirect the /events endpoint to login (#1132)
* Detect `text/event-stream` in `authed_only` to prevent unnecessary redirects to `/login`
2019-10-11 23:18:44 -07:00
Kevin Chung a9b2fe15e3
Mark 2.1.5 (#1126)
2.1.5 / 2019-10-2
=================

**General**
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
* Avoid exception on sessions without a valid user and force logout
* Fix several issues in Vagrant provisioning

**API**
* Prevent users from nulling out profile values and breaking certain pages
2019-10-02 02:25:30 -04:00
Kevin Chung b15f1787e4
Prevent users from nulling out profile values (#1125)
* Prevent users from nulling out profile values
2019-10-02 01:22:54 -04:00
Kevin Chung b8c1970b8e
Fix CSV exports in Python 3 by converting StringIO to BytesIO (#1107)
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
2019-09-10 03:22:01 -04:00
Kevin Chung 607c517d28
Avoid exception on session without a valid user and force logout (#1106)
* Avoid exception on sessions without a valid user and force logout
2019-09-09 21:18:07 -04:00
Joshua Dugie cee6fe3593 Fix several issues in Vagrant provisioning (#1046)
* Fixes to Vagrantfile
2019-09-08 13:04:48 -04:00
Kevin Chung 7a7595cf03
Fix flask run by not monkey patching for gevent in wsgi.py (#1101)
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Closes #1099
2019-09-05 19:50:52 -04:00
Kevin Chung 3b1b82b9a0
Mark 2.1.4 (#1096)
2.1.4 / 2019-08-30
==================

**General**
* Make user pages show the team's score and place information instead of the user's information if in team mode
* Allow admins to search users by IP address
* Require password for email address changes in the user profile
* The place indicator in `Teams Mode` on the team pages and user pages now correctly excludes hidden teams
* Fix scoreboard place ordinalization in Python 3
* Fix for a crash where imports will fail on SQLite due to lack of ALTER command support
* Fix for an issue where files downloaded via S3 would have the folder name in the filename
* Make `Users.get_place()` and `Teams.get_place()` for return None instead of 0 if the account has no rank/place
* Properly redirect users or 403 if the endpoint requires a team but the user isn't in one
* Show affiliation in user and team pages in the admin panel and public and private user and team pages

**Themes**
* Remove invalid `id='submit'` on submit buttons in various theme files
* Set `tabindex` to 0 since we don't really care for forcing tab order
* Rename `statistics.js` to `graphs.js` in the Admin Panel as it was identified that adblockers can sometimes block the file

**API**
* The team profile endpoint (`/api/v1/teams/me`) will now return 403 instead of 400 if the requesting user is not the captain
* The Challenge API will now properly freeze the solve count to freeze time
2019-08-31 14:45:08 -04:00
Kevin Chung c88e0556eb
1092 fix solve count leak during freeze (#1095)
* Challenges properly get solve count during freeze time
* Closes #1092
2019-08-29 23:22:24 -04:00
MartinJM 941ca8f506 The place indicator on the team page now excludes counting hidden teams (#1094)
* The place indicator in Team Mode on the team pages and user pages now excludes counting hidden teams.
* Updated `flask-marshmallow` to 0.10.1, `marshmallow-sqlalchemy` to 0.17.0 
* Pinned `marshmallow` to 2.20.2
* Closes #1093
* Closes #1088
2019-08-29 22:04:05 -04:00
Kevin Chung 75a9a5a697
Rename statistics.js to graphs.js (#1086)
* Rename `statistics.js` to `graphs.js` in the admin panel to avoid getting blocked by ad blockers
2019-08-17 20:06:22 -04:00