Commit Graph

137 Commits (c21707c14dd277a1cc81636b34e8bcc791ce013f)

Author SHA1 Message Date
Kevin Chung 04e6b2011f
Prevent accidental double unlocks (#1315)
* Prevent a hint from being unlocked twice
* Closes  #1301
2020-04-11 22:03:51 -04:00
Kevin Chung e5f128ec9d
Fix awards in teams mode (#1289)
* Fix awards not being properly assigned to teams in `TEAMS_MODE`
2020-03-14 15:36:44 -04:00
Zander Work 2f106d4fc3
Fix #1249 (#1250)
* Fix behavior for `REVERSE_PROXY` setting when set to a boolean instead of a string
2020-02-29 23:37:57 -05:00
Kevin Chung 22c132358e
2.3.0 (#1248)
2.3.0 / 2020-02-17
==================

**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editting hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature.
    * The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)

**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.

**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`

**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
2020-02-17 02:17:25 -05:00
Kevin Chung 1049a14b90
Fix SMTP email From header and remove 'Admin' from the From header (#1229)
* Fix SMTP email From header and remove 'Admin' from the From header
2020-02-11 21:35:58 -05:00
Kevin Chung f660ed1fb7
Strip spaces on registration and have reset password use email address instead of names (#1218)
* Usernames are now properly stripped before being used in registration checks
* Reset password function now uses email addresses instead of user names for tokens
* Prevent MLC users from resetting their password
2020-01-20 14:22:06 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be useable with v2.2.0. 

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time,
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members's Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now user a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variable via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Kevin Chung b15f1787e4
Prevent users from nulling out profile values (#1125)
* Prevent users from nulling out profile values
2019-10-02 01:22:54 -04:00
Kevin Chung b8c1970b8e
Fix CSV exports in Python 3 by converting StringIO to BytesIO (#1107)
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
2019-09-10 03:22:01 -04:00
Kevin Chung c88e0556eb
1092 fix solve count leak during freeze (#1095)
* Challenges properly get solve count during freeze time
* Closes #1092
2019-08-29 23:22:24 -04:00
MartinJM 941ca8f506 The place indicator on the team page now excludes counting hidden teams (#1094)
* The place indicator in Team Mode on the team pages and user pages now excludes counting hidden teams.
* Updated `flask-marshmallow` to 0.10.1, `marshmallow-sqlalchemy` to 0.17.0 
* Pinned `marshmallow` to 2.20.2
* Closes #1093
* Closes #1088
2019-08-29 22:04:05 -04:00
Kevin Chung 71240bb13d
Require password for email change (#1077)
* Require password for email changes
2019-08-04 20:28:20 -04:00
Kevin Chung 3453eafcab
Flaky redis events tests (#1072)
* Fix flaky redis tests
* Add a random integer helper for tests
2019-07-30 03:25:29 -04:00
Sachin S. Kamath 34bab12a99 Add feature to search users by IP address (#1059)
* Allows admins to search users by IP address
* Closes #1054
2019-07-30 01:09:41 -04:00
Kevin Chung cf7959ab16
Attempt to fix randomly failing tests (#1071)
* Fix flaky tests that require redis which were occasionally failing
2019-07-29 23:15:26 -04:00
Kevin Chung 2bdf7b64d6
Fix place ordinal calculation (#1067)
* Fix scoreboard place ordinalization in Python 3
* Extract ordinalization code to `CTFd.utils.humanize.numbers.ordinalize`.
2019-07-24 01:44:20 -04:00
Kevin Chung b453125726
Fix missing Team API exceptions (#1058)
* Add require_team decorator to endpoints that request teams.
* Change status code for captain endpoints to return 403 instead of 400
2019-07-12 00:53:35 -04:00
Kevin Chung 447f71d41b
Disable foreign keys during import (#1031)
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
    * Likely also disables SQLite but SQLite is permissive about foreign keys to begin with so irrelevant.
2019-06-21 12:35:55 -04:00
Kevin Chung b5632f9289
Cache scoreboard page (#1025)
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Update `tests.api.v1.test_scoreboard:test_scoreboard_is_cached` to also test if `/scoreboard` is cached
2019-06-16 13:29:50 -04:00
Kevin Chung e627391b12
Improve caching (#1014)
* Cache get place code for users and teams. 
    * Fix score changing test helpers to clear standings cache when generating a score changing row
    * `utils._get_config` will now return `KeyError` instead of None. 
    * Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Install `Flask-DebugToolbar` in development

Main goals covered in #1012
2019-06-15 02:07:24 -04:00
Kevin Chung e978867a2f
Add UI code to handle team member removal (#1022)
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Not even the admin panel was using this endpoint so doesn't seem that drastic of a change
* Add UI to handle team member removal
2019-06-09 00:27:36 -04:00
Kevin Chung 8d91a3fa8d
Fix hidden pages not being able to load (#1019)
* Fixes bug where pages marked as `hidden` weren't loading
    * It's possible that some users used this behavior however this fix implements the correct behavior. The `draft` setting can be used to completely hide pages.
2019-06-08 01:00:28 -04:00
Kevin Chung 458ce2e518
Fixing issue downloading files when view_after_ctf is enabled (#1011) 2019-06-03 21:08:30 -04:00
Kevin Chung 387b6880d2
Ratelimit team join attempts (#993)
* Ratelimit team join attempts
2019-05-13 22:53:58 -04:00
Kevin Chung 6833378c36
Format all the things (#991)
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` & `black tests`
* Travis now uses xenial instead of trusty.
2019-05-11 21:09:37 -04:00
Kevin Chung 3d23ece370
Fix freeze time regressions (#989)
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze
    * Closes #988
* Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would. 
    * Closes #986
2019-05-11 00:18:56 -04:00
Kevin Chung d2f8b4090d
Adds ondelete='CASCADE' to some models. (#979)
* Fixes `populate.py` to assign captains to teams.
* Adds `ondelete='CASCADE'` to most ForeignKeys in models
    * Closes #794 
* Test reset in team mode to test removing teams with captains
* Test deleting users/teams with awards to test cascading deletion
* `gen_team()` test helper now creates users for the team and assigns the first one as captain
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on `Challenges`
2019-05-04 02:08:26 -04:00
Koki Takahashi 6fcf143392 Fix rate-limiting of flag submission when using team mode (#977)
* Fix rate-limiting of flag submission when using team mode (Resolves CTFd/CTFd#975)
* Add tests for rate-limiting of flag submission
2019-05-02 00:56:41 -04:00
Kevin Chung 3f4a242b2b
Fix challenge preview for admins (#978)
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team
* Fixes regression from 2.0.6
2019-05-02 00:25:09 -04:00
Kevin Chung 4ec45dc4bc
Fix imports/exports and update Flask-SQLAlchemy to reduce warnings (#974)
* Fix imports/exports to accept JSON 
    * MariaDB does not properly understand JSON so it must accept strings instead of dicts
    * MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
* Update Makefile to not lint any uploads
* Update Flask-SQLAlchemy to 2.4.0 to remove a large amount of warnings
2019-04-30 20:36:25 -04:00
Kevin Chung 95e4060f15
ProxyFix changes (#960)
* Fixes insufficiently documented changes in ProxyFix
    * https://github.com/pallets/werkzeug/issues/1484
* Pin `Werkzeug==0.15.2` in requirements.txt
* Allow exports test to parallelize
2019-04-19 02:11:09 -04:00
Kevin Chung 0fa480bc14
Some 2.1.0a1 bugfixes (#959)
* Fix admin's modifying their own team or own settings
* Fix some links not working in the admin panel
* Fix extensions with an extra space in `populate.py`
2019-04-18 21:55:55 -04:00
Kevin Chung b6d54b9ee9
2.1.0 (#957)
https://github.com/CTFd/CTFd/milestone/6
2019-04-17 01:36:30 -04:00
Kevin Chung c0a32a836b
Properly load schemas specified as strings (#943)
* Properly load schemas specified by their key string
* Add test for UserSchema 
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
2019-04-08 01:47:26 -04:00
Kevin Chung 7c60c697ee
Properly hide users/teams if they are set to banned/hidden (#932)
* Properly hide users/teams if they are set to hidden/banned
    * This should be in the API and in the main user panel. This should not affect admins. 
* Update tests to reflect this behavior.
2019-04-04 22:44:18 -04:00
Kevin Chung f75d7b62ed
Record a new solve before calculating the new dynamic value. (#919)
* Record a new solve before calculating the new dynamic value so hidden solves can't unintentionally move the challenge value
2019-03-22 12:26:57 -04:00
Kevin Chung fadb8271d2
Dont calculate hidden users in place (#918)
* Fix for hidden users bumping a user's place in their profile 
* Don't calculate hidden users in a user's place
2019-03-22 04:07:53 -04:00
s-nirali 37dcfdc568 Read smtp server configuration from config.py (#914)
* Read smtp server configuration from config.py

The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.

* Update simple SMTP server tests
2019-03-21 22:10:08 -04:00
Kevin Chung 4f7c4687d7
Reimplement admin send mail to users (#903)
* Reimplement admin send mail to users as `/api/v1/users/<user_id>/email`
* Update form and related Javascript
* Write test for controller
* Closes #897
2019-03-17 18:54:44 -07:00
Kevin Chung 79b7b1dd5c
Fix removing profile details (Closes #894) (#899)
* Fix removing profile details (Closes #894)
* Update tests to properly check setting and removing profile values
2019-03-17 09:08:52 -07:00
Kevin Chung 1f768dbfaf
Fix for hidden teams being visible on the team listing page and score… (#880)
* Fix for hidden teams being visible on the team listing page and scoreboard endpoints
2019-02-10 01:55:27 -05:00
Kevin Chung 2f49477465
Fix creating users from the admin panel while name changes disabled (#862)
* Fix creating users from the admin panel while name changes are disabled; clean up user & team schema validators
* Closes #832
* Coerce /api/v1/teams/<team_id> to /api/v1/teams/<int:team_id>
2019-01-31 01:18:46 -05:00
Kevin Chung 2935a76722
Fix showing incorrect 'CTF has ended' error if view_after_ctf is set (#859)
* Fix showing incorrect 'CTF has ended' error if view_after_ctf is set
2019-01-30 19:46:31 -05:00
Kevin Chung 3af036b4b2
Block new user registration if registering via MLC (#840)
* Block new user registration if registering via MLC
* Allow login with MLC while registration is disabled
2019-01-19 16:00:29 -05:00
Kevin Chung a181c0a1e2
Consider account configs when user patches their own account (#836)
* Consider account configs when user patches their own account
* Add test for name changing
* Add test to ensure that users changing emails are marked unconfirmed
* Only allow users to change to emails in whitelisted domains
* Simplify assertion for error check
2019-01-17 22:54:42 -05:00
Kevin Chung 6e8c7aaa50
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827)
* Require CSRF-Token header on state changing API requests
* Require CSRF nonces on more than just POSTs, 
* Replace usage of `fetch()` with custom `CTFd.fetch()` implementation
2019-01-10 22:38:37 -05:00
Kevin Chung 9ee743de7e
Simplify url_for calls in themes, rework CTFd.js, fix flaky test (#826)
* Simplify url_for calls in themes, rework CTFd.js, fix flaky test
2019-01-10 01:58:39 -05:00
Kevin Chung 83e294057e
Default SameSite session cookie setting to Lax (#824) 2019-01-08 02:52:51 -05:00
FaultyMach1ine 08c39c01a3 Fix wrong user mode in challenge_solves_box (#812)
* Fix incorrect user/team link in the challenge solves tab
* Change /api/v1/<challenge_id>/solves to also return account_url
2019-01-02 02:22:58 -05:00
Kevin Chung 324f8859a1
Fix subdirectory deployments in a generic manner (#802)
* Fix subdirectory deployments in a generic manner by modifying`request.path` to combine both `request.script_root` and `request.path` and also creating a request preprocessor to redirect users into the true CTFd app. Without this sessions will be invalid because sessions will be set to a subdirectory. 
* Add a test for testing subdirectory deployments and the customized CTFdRequest object.
* Fix `TestingConfig.SAFE_MODE` getting stuck in between tests. 
* Order AWS keys properly in travis.yml
* Redirect to `request.full_path` instead of just `request.path`
2018-12-16 13:18:08 -05:00