2.0.6 / 2019-04-08
==================
**Security**
* Fixes an issue where user email addresses could be disclosed to non-admins
**General**
* Users/Teams set to hidden or banned are no longer visible by other users
* This affects the API and the main user interface. This does not affect admins.
* Users without Teams can no longer view challenges when the CTF is in Team Mode
* Properly load schemas specified by their key string
* Add test for UserSchema
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
* Properly hide users/teams if they are set to hidden/banned
* This should be in the API and in the main user panel. This should not affect admins.
* Update tests to reflect this behavior.
* Read smtp server configuration from config.py
The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.
* Update simple SMTP server tests
* Reimplement admin send mail to users as `/api/v1/users/<user_id>/email`
* Update form and related Javascript
* Write test for controller
* Closes#897
* Closes#876
* Fixes overflowing admin panel content by adding the `.text-break` CSS class.
* This is .text-break cloned from Bootstrap 4.3 with a fix for browsers not supporting break-word. It will be removed from the main CTFd classes when Bootstrap is upgraded internally.
* Fix creating users from the admin panel while name changes are disabled; clean up user & team schema validators
* Closes#832
* Coerce /api/v1/teams/<team_id> to /api/v1/teams/<int:team_id>
* Allow DATABASE_URL to contain custom MySQL ports for docker-entrypoint.sh
* Drop WORKERS count to 1 to avoid dealing with Flask-SocketIO sticky sessions
* Stop gunicorn from logging to `LOG_FOLDER` in docker without explicit opt-in
* Re-add the `LOG_FOLDER` envvar to docker-compose so we don't try to write to the read-only host
* Add `ACCESS_LOG` and `ERROR_LOG` envvars to docker to specify where gunicorn will log to
* Consider account configs when user patches their own account
* Add test for name changing
* Add test to ensure that users changing emails are marked unconfirmed
* Only allow users to change to emails in whitelisted domains
* Simplify assertion for error check
* Require CSRF-Token header on state changing API requests
* Require CSRF nonces on more than just POSTs,
* Replace usage of `fetch()` with custom `CTFd.fetch()` implementation
* Fix subdirectory deployments in a generic manner by modifying`request.path` to combine both `request.script_root` and `request.path` and also creating a request preprocessor to redirect users into the true CTFd app. Without this sessions will be invalid because sessions will be set to a subdirectory.
* Add a test for testing subdirectory deployments and the customized CTFdRequest object.
* Fix `TestingConfig.SAFE_MODE` getting stuck in between tests.
* Order AWS keys properly in travis.yml
* Redirect to `request.full_path` instead of just `request.path`
* Adds plugin functions to register javascript and CSS in the admin panel
* Move global plugin script/stylesheet lists into application factory specific lists
* Closes#804
* Show notification titles on the notification list page
* Allow for deleting notifications
* Update notification UI in admin panel
* Make /api/v1/notifications/<id> accessible to all
* Default `login_as_user()` and `register_user()` to fail on invalid credentials
* Disable user mode switching on client side (Closes#799)
* It's ill advised to switch user modes after a CTF is setup. The simplest thing to do here is to require CTF resetting in order to switch modes. If it makes sense this can be re-enabled and re-evaluated.
* Fix email confirmations and improve test.
* Breaks confirm.html page because of change from team to user
* Clean up admin mail settings to use new label/small structure
* Fix password resets from double hashing passwords
* Fixing a bug where prerequisites could not be set for dynamic challenges due to a division by zero error where defaults were being set unnecessarily.
* Creating unit test for adding requirement to dynamic challenges
* Fix downloading files as an anonymous user.
* Fix viewing challenges anonymously if they have empty requirements. Closes#789
* Allow anonymous users to see see challenges with empty requirements or anonymized challenges
* Disable jinja cache properly by setting cache_size to 0 (#662)
* Without disabling the cache you get some difficult to debug rendering errors. Regression from 1.2.0.
Kevin Chung
s-nirali
Grant Hernandez
David Chan
FaultyMach1ine
Peter