* Fixes `populate.py` to assign captains to teams.
* Adds `ondelete='CASCADE'` to most ForeignKeys in models
* Closes#794
* Test reset in team mode to test removing teams with captains
* Test deleting users/teams with awards to test cascading deletion
* `gen_team()` test helper now creates users for the team and assigns the first one as captain
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on `Challenges`
* Fix imports/exports to accept JSON
* MariaDB does not properly understand JSON so it must accept strings instead of dicts
* MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
* Update Makefile to not lint any uploads
* Update Flask-SQLAlchemy to 2.4.0 to remove a large amount of warnings
* Force `db.create_all` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
Drop the default worker count in `docker-entrypoint.sh` because the default memory usage was higher than it needed to be. If you need more workers you can still increase the values and set a `SECRET_KEY` as before.
* Catch IOError issues (i.e. permission issues) with writing to log files
* Related to #844
* Logs now have a sys.stdout handler
* Update Dockerfile to create and chown/chmod the folders used by `docker-compose` to store files/logs (`/var/log/CTFd`, `/var/uploads`)
* Fix admin's modifying their own team or own settings
* Fix some links not working in the admin panel
* Fix extensions with an extra space in `populate.py`
2.0.6 / 2019-04-08
==================
**Security**
* Fixes an issue where user email addresses could be disclosed to non-admins
**General**
* Users/Teams set to hidden or banned are no longer visible by other users
* This affects the API and the main user interface. This does not affect admins.
* Users without Teams can no longer view challenges when the CTF is in Team Mode
* Properly load schemas specified by their key string
* Add test for UserSchema
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
* Properly hide users/teams if they are set to hidden/banned
* This should be in the API and in the main user panel. This should not affect admins.
* Update tests to reflect this behavior.
* Read smtp server configuration from config.py
The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.
* Update simple SMTP server tests
* Reimplement admin send mail to users as `/api/v1/users/<user_id>/email`
* Update form and related Javascript
* Write test for controller
* Closes#897
* Closes#876
* Fixes overflowing admin panel content by adding the `.text-break` CSS class.
* This is .text-break cloned from Bootstrap 4.3 with a fix for browsers not supporting break-word. It will be removed from the main CTFd classes when Bootstrap is upgraded internally.
* Fix creating users from the admin panel while name changes are disabled; clean up user & team schema validators
* Closes#832
* Coerce /api/v1/teams/<team_id> to /api/v1/teams/<int:team_id>
* Allow DATABASE_URL to contain custom MySQL ports for docker-entrypoint.sh
* Drop WORKERS count to 1 to avoid dealing with Flask-SocketIO sticky sessions
* Stop gunicorn from logging to `LOG_FOLDER` in docker without explicit opt-in
* Re-add the `LOG_FOLDER` envvar to docker-compose so we don't try to write to the read-only host
* Add `ACCESS_LOG` and `ERROR_LOG` envvars to docker to specify where gunicorn will log to
* Consider account configs when user patches their own account
* Add test for name changing
* Add test to ensure that users changing emails are marked unconfirmed
* Only allow users to change to emails in whitelisted domains
* Simplify assertion for error check
* Require CSRF-Token header on state changing API requests
* Require CSRF nonces on more than just POSTs,
* Replace usage of `fetch()` with custom `CTFd.fetch()` implementation
Kevin Chung
Koki Takahashi
Kevin Chung
s-nirali
Grant Hernandez
David Chan