Commit Graph

819 Commits (76bd626c3633b7c8de0297dda043622d4f0ebe10)

Author SHA1 Message Date
Kevin Chung 8b3bb92c9d
Only add team_captain_id foreign key if the db backend isn't SQLite (#1048)
* Only add `teams.team_captain_id` foreign key if the db backend isn't SQLite. SQLite does not support ALTER for the manipulation of columns/constraints. 
* Closes #1041
2019-07-03 00:04:50 -04:00
Kevin Chung 03058716a0
Add a Content-Disposition header to s3 downloads (#1047)
* Add a Content-Disposition header to s3 downloads so `wget` doesn't generate long invalid filenames.
2019-06-30 12:02:52 -04:00
Kevin Chung 2bca60790d
Mark 2.1.3 (#1036)
2.1.3 / 2019-06-22
==================

**General**
* Fix issue with downloading files after CTF end when `view_after_ctf` is enabled
* Sort solves in admin challenge view by date
* Link to appropriate user and challenge in team, user, and challenge pages
* Redirect to `/team` instead of `/challenges` after a user registers in team mode
* Fixes bug where pages marked as `hidden` weren't loading
* Remove `data-href` from `pages.html` in the Admin Panel to fix the delete button
* Add UI to handle team member removal in Admin Panel
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode.
* `utils._get_config` will now return `KeyError` instead of `None` to avoid cache misses

**Deployment**
* Use `/dev/shm` for `--worker-tmp-dir` in gunicorn in Docker
* Cache `get_place` code for users and teams.
* Install `Flask-DebugToolbar` in development
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Make unprivileged `ctfd` user usable for mysql connection in docker-compose by having the db image create the database instead of CTFd
* Fix bug causing apache2 + mod_wsgi deployments to break

**API**
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Endpoint was unused so the API change is considered non-breaking.
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
* Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Clear standings cache after award creation/deletion

**Exports**
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
* Add `cache_timeout` parameter to `send_file`response in `/admin/export` to prevent the browser from caching the export

**Tests**
* Fix score changing test helpers to clear standings cache when generating a score changing row
2019-06-22 20:07:01 -07:00
Kevin Chung 6eb0d1ea34
Clear standings on award creation and deletion (#1035)
* Clear standings on award creation and deletion
2019-06-22 19:02:27 -07:00
Kevin Chung 97f52756bc
Fix scoreboard links created by update() in user mode (#1034)
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode. 
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
2019-06-22 16:17:53 -07:00
Kevin Chung d8ca73ac18
Prevent browser from caching the export (#1033)
* Add `cache_timeout` parameter to `send_file`response in `/admin/export` to prevent the browser from caching the export
* Closes #1032
2019-06-22 13:36:45 -07:00
Kevin Chung 447f71d41b
Disable foreign keys during import (#1031)
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
    * Likely also disables SQLite but SQLite is permissive about foreign keys to begin with so irrelevant.
2019-06-21 12:35:55 -04:00
Patrick Cunningham ff0f2c2a0b Fixed bug that caused apache2+wsgi deployment to break (#1030)
* Create a `flask_migrate.stamp()` wrapper in `CTFd.utils.migrations` that always references the migrations folder regardless of how CTFd is run or deployed.
* Closes #257 properly
2019-06-21 02:00:33 -04:00
Baptiste MOINE 420e4f4dc7 Make ctfd user usable for mysql connection (#1028)
* Make unprivileged `ctfd` user usable for mysql connection in docker-compose by having the db image create the database instead of CTFd
2019-06-21 00:55:44 -04:00
Kevin Chung b5632f9289
Cache scoreboard page (#1025)
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Update `tests.api.v1.test_scoreboard:test_scoreboard_is_cached` to also test if `/scoreboard` is cached
2019-06-16 13:29:50 -04:00
Kevin Chung e627391b12
Improve caching (#1014)
* Cache get place code for users and teams. 
    * Fix score changing test helpers to clear standings cache when generating a score changing row
    * `utils._get_config` will now return `KeyError` instead of None. 
    * Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Install `Flask-DebugToolbar` in development

Main goals covered in #1012
2019-06-15 02:07:24 -04:00
Kevin Chung e978867a2f
Add UI code to handle team member removal (#1022)
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Not even the admin panel was using this endpoint so doesn't seem that drastic of a change
* Add UI to handle team member removal
2019-06-09 00:27:36 -04:00
Kevin Chung 6f616878b6
Remove data-href from pages.html to fix delete button (#1021)
* Remove `data-href` from `pages.html` to fix the delete button
    * The delete action propagates too much causing issues. This should be re-implemented on page editor rewrite.
2019-06-08 19:57:30 -04:00
Kevin Chung 8d91a3fa8d
Fix hidden pages not being able to load (#1019)
* Fixes bug where pages marked as `hidden` weren't loading
    * It's possible that some users used this behavior however this fix implements the correct behavior. The `draft` setting can be used to completely hide pages.
2019-06-08 01:00:28 -04:00
Kevin Chung 41bc92dab9
Properly redirect to teams.private instead of teams.new (#1016)
* Properly redirect to `teams.private` instead of `teams.new`
2019-06-04 10:57:17 -04:00
Kevin Chung f4819fa10e
Redirect to /teams/new after user registers if in team mode (#1015)
* Redirect to `/teams/new` instead of `/challenges` after the user registers in team mode
2019-06-04 01:38:03 -04:00
Kevin Chung 4983adf78a
Challenge team mode improvements (#1013)
* Sort solves in admin challenge view by date
* Link to appropriate user and challenge in team, user, and challenge pages
2019-06-03 22:41:45 -04:00
Kevin Chung 458ce2e518
Fixing issue downloading files when view_after_ctf is enabled (#1011) 2019-06-03 21:08:30 -04:00
Kevin Chung 8a35557f08
Use /dev/shm for worker-tmp-dir in gunicorn in Docker (#1003)
* Use `/dev/shm` for `--worker-tmp-dir` in gunicorn in Docker
2019-05-25 01:25:24 -04:00
Stitch (StormCTF) e6b865b61d Fixed updatescores() (#1000)
* Fixes client side scoreboard updating (Closes #999)
2019-05-19 01:47:46 -04:00
Kevin Chung ac236e26ea
Docs (#1001)
* Copy over and update content from the Wiki to CTFd Sphinx docs
* Closes #947
* Closes #742
2019-05-19 00:39:53 -04:00
Kevin Chung 49b48a9e53
Mark 2.1.2 (#994)
2.1.2 / 2019-05-13
==================

**General**
* Fix freeze time regressions in 2.x
    * Make `/api/v1/[users,teams]/[me]/[solves,fails,awards]` endpoints load as admin so users can see their solves after freeze
    * Make `/api/v1/challenges/[id]/solves` only show solves before freeze time
        * Add the `?preview=true` GET parameter for admins to preview challenges solves as a user
* Team join attempts are now ratelimited

**Tests**
* More linting and autoformatting rules
    * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
    * Format Python with `black`: `black CTFd` and `black tests`
    * `make lint` and thus Travis now include the above commands as lint checks
* Travis now uses xenial instead of trusty.
2019-05-13 23:50:34 -04:00
Kevin Chung 387b6880d2
Ratelimit team join attempts (#993)
* Ratelimit team join attempts
2019-05-13 22:53:58 -04:00
Kevin Chung 6833378c36
Format all the things (#991)
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` & `black tests`
* Travis now uses xenial instead of trusty.
2019-05-11 21:09:37 -04:00
Kevin Chung 3d23ece370
Fix freeze time regressions (#989)
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze
    * Closes #988
* Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would. 
    * Closes #986
2019-05-11 00:18:56 -04:00
Kevin Chung b7a19f74ff
Mark 2.1.1 (#982)
2.1.1 / 2019-05-04
==================

**General**
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team to fix challenge previews
* Fix rate-limiting of flag submission when using team mode
* Fixes some modal close buttons not working in the admin panel
* Fixes `populate.py` to assign captains to teams.

**Models**
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on Challenges
* Added `ondelete='CASCADE'` to most ForeignKeys in models allowing for deletions to remove associated data
    * `Hints` should be deleted when their Challenge is deleted
    * `Tags` should be deleted when their Challenge is deleted
    * `Flags` should be deleted when their Challenge is deleted
    * `ChallengeFiles` should be deleted when their Challenge is deleted
        * Deletion of the file itself is not handled by the model/database
    * `Awards` should be deleted when their user or team is deleted
    * `Unlocks` should be deleted when their user or team is deleted
    * `Tracking` should be deleted when their user or team is deleted
    * `Teams.captain_id` should be set to NULL when the captain user is deleted

**Exports**
* Force `db.create_all()` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
* Fix imports/exports to emit and accept JSON properly under MariaDB
    * MariaDB does not properly understand JSON so it must accept strings instead of dicts
    * MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects

**Deployment**
* Run as root when using docker-compose
    * This is necessary to be able to write to the volumes mounted from the host
2019-05-04 19:49:39 -04:00
Kevin Chung b37684d8ba
Run as root when using docker-compose to be able to write to the volume (#981)
* Docker Compose needs to be run as root to be able to write to the bind mounted volumes.
2019-05-04 17:17:11 -04:00
Kevin Chung dc4db6ff1f
Fix modal close buttons not working (#980)
* Fixes some modal close buttons not working in the admin panel
2019-05-04 15:47:42 -04:00
Kevin Chung d2f8b4090d
Adds ondelete='CASCADE' to some models. (#979)
* Fixes `populate.py` to assign captains to teams.
* Adds `ondelete='CASCADE'` to most ForeignKeys in models
    * Closes #794 
* Test reset in team mode to test removing teams with captains
* Test deleting users/teams with awards to test cascading deletion
* `gen_team()` test helper now creates users for the team and assigns the first one as captain
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on `Challenges`
2019-05-04 02:08:26 -04:00
Koki Takahashi 6fcf143392 Fix rate-limiting of flag submission when using team mode (#977)
* Fix rate-limiting of flag submission when using team mode (Resolves CTFd/CTFd#975)
* Add tests for rate-limiting of flag submission
2019-05-02 00:56:41 -04:00
Kevin Chung 3f4a242b2b
Fix challenge preview for admins (#978)
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team
* Fixes regression from 2.0.6
2019-05-02 00:25:09 -04:00
Kevin Chung e7884c856f
Don't insert or check Tracking on static files or custom CSS (#976)
* No longer incur Tracking hits on theme files or custom CSS
2019-04-30 21:48:29 -04:00
Kevin Chung 4ec45dc4bc
Fix imports/exports and update Flask-SQLAlchemy to reduce warnings (#974)
* Fix imports/exports to accept JSON 
    * MariaDB does not properly understand JSON so it must accept strings instead of dicts
    * MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
* Update Makefile to not lint any uploads
* Update Flask-SQLAlchemy to 2.4.0 to remove a large amount of warnings
2019-04-30 20:36:25 -04:00
Kevin Chung 376d644de7
Force db.create_all to happen for imports on sqlite. Force ctf_theme to be set to core in imports. (#972)
* Force `db.create_all` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
2019-04-28 21:20:49 -04:00
Kevin Chung c4e9b7037a
Reduce default gunicorn worker count to reduce memory usage (#968)
Drop the default worker count in `docker-entrypoint.sh` because the default memory usage was higher than it needed to be. If you need more workers you can still increase the values and set a `SECRET_KEY` as before.
2019-04-25 15:05:20 -04:00
Kevin Chung 069d4382e1
Mark 2.1.0 and update CHANGELOG (#967) 2019-04-24 20:33:17 -04:00
Kevin Chung 367498fd72
Fix logging without root in container (#966)
* Catch IOError issues (i.e. permission issues) with writing to log files
    * Related to #844
* Logs now have a sys.stdout handler
* Update Dockerfile to create and chown/chmod the folders used by `docker-compose` to store files/logs (`/var/log/CTFd`, `/var/uploads`)
2019-04-22 22:22:54 -04:00
Kevin Chung ad5df80979
Documentation improvements (#963)
* Add `SECRET_KEY` instructions to `README.md` for `docker-compose`
* Add a basic `CONTRIBUTING.md`
2019-04-21 12:00:21 -04:00
Kevin Chung 95e4060f15
ProxyFix changes (#960)
* Fixes insufficiently documented changes in ProxyFix
    * https://github.com/pallets/werkzeug/issues/1484
* Pin `Werkzeug==0.15.2` in requirements.txt
* Allow exports test to parallelize
2019-04-19 02:11:09 -04:00
Kevin Chung 0fa480bc14
Some 2.1.0a1 bugfixes (#959)
* Fix admin's modifying their own team or own settings
* Fix some links not working in the admin panel
* Fix extensions with an extra space in `populate.py`
2019-04-18 21:55:55 -04:00
Kevin Chung b1061a3e91
Remove socket.io.min.js from base.html (#958) 2019-04-17 23:15:24 -04:00
Kevin Chung b6d54b9ee9
2.1.0 (#957)
https://github.com/CTFd/CTFd/milestone/6
2019-04-17 01:36:30 -04:00
Kevin Chung 33367422a5
Mark 2.0.6 (#946)
2.0.6 / 2019-04-08
==================

**Security**
* Fixes an issue where user email addresses could be disclosed to non-admins

**General**
* Users/Teams set to hidden or banned are no longer visible by other users
    * This affects the API and the main user interface. This does not affect admins.
* Users without Teams can no longer view challenges when the CTF is in Team Mode
2019-04-08 07:57:40 -04:00
Kevin Chung c0a32a836b
Properly load schemas specified as strings (#943)
* Properly load schemas specified by their key string
* Add test for UserSchema 
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
2019-04-08 01:47:26 -04:00
Kevin Chung 7c60c697ee
Properly hide users/teams if they are set to banned/hidden (#932)
* Properly hide users/teams if they are set to hidden/banned
    * This should be in the API and in the main user panel. This should not affect admins. 
* Update tests to reflect this behavior.
2019-04-04 22:44:18 -04:00
Kevin Chung 268ed85f60
Update CHANGELOG and bump version (#920)
* Bump version to 2.0.5
2019-03-23 01:26:46 -04:00
Kevin Chung f75d7b62ed
Record a new solve before calculating the new dynamic value. (#919)
* Record a new solve before calculating the new dynamic value so hidden solves can't unintentionally move the challenge value
2019-03-22 12:26:57 -04:00
Kevin Chung fadb8271d2
Dont calculate hidden users in place (#918)
* Fix for hidden users bumping a user's place in their profile 
* Don't calculate hidden users in a user's place
2019-03-22 04:07:53 -04:00
s-nirali 37dcfdc568 Read smtp server configuration from config.py (#914)
* Read smtp server configuration from config.py

The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.

* Update simple SMTP server tests
2019-03-21 22:10:08 -04:00
Grant Hernandez 1eb687a065 Fix email confirmation log line (#913) 2019-03-21 20:23:16 -04:00