Commit Graph

128 Commits (cee6fe3593809712f14f74e9d9c0b1ab66dd5415)

Author SHA1 Message Date
Kevin Chung c88e0556eb
1092 fix solve count leak during freeze (#1095)
* Challenges properly get solve count during freeze time
* Closes #1092
2019-08-29 23:22:24 -04:00
MartinJM 941ca8f506 The place indicator on the team page now excludes counting hidden teams (#1094)
* The place indicator in Team Mode on the team pages and user pages now excludes counting hidden teams.
* Updated `flask-marshmallow` to 0.10.1, `marshmallow-sqlalchemy` to 0.17.0 
* Pinned `marshmallow` to 2.20.2
* Closes #1093
* Closes #1088
2019-08-29 22:04:05 -04:00
Kevin Chung 71240bb13d
Require password for email change (#1077)
* Require password for email changes
2019-08-04 20:28:20 -04:00
Kevin Chung 3453eafcab
Flaky redis events tests (#1072)
* Fix flaky redis tests
* Add a random integer helper for tests
2019-07-30 03:25:29 -04:00
Sachin S. Kamath 34bab12a99 Add feature to search users by IP address (#1059)
* Allows admins to search users by IP address
* Closes #1054
2019-07-30 01:09:41 -04:00
Kevin Chung cf7959ab16
Attempt to fix randomly failing tests (#1071)
* Fix flaky tests that require redis which were occasionally failing
2019-07-29 23:15:26 -04:00
Kevin Chung 2bdf7b64d6
Fix place ordinal calculation (#1067)
* Fix scoreboard place ordinalization in Python 3
* Extract ordinalization code to `CTFd.utils.humanize.numbers.ordinalize`.
2019-07-24 01:44:20 -04:00
Kevin Chung b453125726
Fix missing Team API exceptions (#1058)
* Add require_team decorator to endpoints that request teams.
* Change status code for captain endpoints to return 403 instead of 400
2019-07-12 00:53:35 -04:00
Kevin Chung 447f71d41b
Disable foreign keys during import (#1031)
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
    * Likely also disables SQLite but SQLite is permissive about foreign keys to begin with so irrelevant.
2019-06-21 12:35:55 -04:00
Kevin Chung b5632f9289
Cache scoreboard page (#1025)
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Update `tests.api.v1.test_scoreboard:test_scoreboard_is_cached` to also test if `/scoreboard` is cached
2019-06-16 13:29:50 -04:00
Kevin Chung e627391b12
Improve caching (#1014)
* Cache get place code for users and teams. 
    * Fix score changing test helpers to clear standings cache when generating a score changing row
    * `utils._get_config` will now return `KeyError` instead of None. 
    * Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Install `Flask-DebugToolbar` in development

Main goals covered in #1012
2019-06-15 02:07:24 -04:00
Kevin Chung e978867a2f
Add UI code to handle team member removal (#1022)
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Not even the admin panel was using this endpoint so doesn't seem that drastic of a change
* Add UI to handle team member removal
2019-06-09 00:27:36 -04:00
Kevin Chung 8d91a3fa8d
Fix hidden pages not being able to load (#1019)
* Fixes bug where pages marked as `hidden` weren't loading
    * It's possible that some users used this behavior however this fix implements the correct behavior. The `draft` setting can be used to completely hide pages.
2019-06-08 01:00:28 -04:00
Kevin Chung 458ce2e518
Fixing issue downloading files when view_after_ctf is enabled (#1011) 2019-06-03 21:08:30 -04:00
Kevin Chung 387b6880d2
Ratelimit team join attempts (#993)
* Ratelimit team join attempts
2019-05-13 22:53:58 -04:00
Kevin Chung 6833378c36
Format all the things (#991)
* Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
* Format Python with `black`: `black CTFd` & `black tests`
* Travis now uses xenial instead of trusty.
2019-05-11 21:09:37 -04:00
Kevin Chung 3d23ece370
Fix freeze time regressions (#989)
* Fix freeze time regressions in 2.x
* Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze
    * Closes #988
* Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would. 
    * Closes #986
2019-05-11 00:18:56 -04:00
Kevin Chung d2f8b4090d
Adds ondelete='CASCADE' to some models. (#979)
* Fixes `populate.py` to assign captains to teams.
* Adds `ondelete='CASCADE'` to most ForeignKeys in models
    * Closes #794 
* Test reset in team mode to test removing teams with captains
* Test deleting users/teams with awards to test cascading deletion
* `gen_team()` test helper now creates users for the team and assigns the first one as captain
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on `Challenges`
2019-05-04 02:08:26 -04:00
Koki Takahashi 6fcf143392 Fix rate-limiting of flag submission when using team mode (#977)
* Fix rate-limiting of flag submission when using team mode (Resolves CTFd/CTFd#975)
* Add tests for rate-limiting of flag submission
2019-05-02 00:56:41 -04:00
Kevin Chung 3f4a242b2b
Fix challenge preview for admins (#978)
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team
* Fixes regression from 2.0.6
2019-05-02 00:25:09 -04:00
Kevin Chung 4ec45dc4bc
Fix imports/exports and update Flask-SQLAlchemy to reduce warnings (#974)
* Fix imports/exports to accept JSON 
    * MariaDB does not properly understand JSON so it must accept strings instead of dicts
    * MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects
* Update Makefile to not lint any uploads
* Update Flask-SQLAlchemy to 2.4.0 to remove a large amount of warnings
2019-04-30 20:36:25 -04:00
Kevin Chung 95e4060f15
ProxyFix changes (#960)
* Fixes insufficiently documented changes in ProxyFix
    * https://github.com/pallets/werkzeug/issues/1484
* Pin `Werkzeug==0.15.2` in requirements.txt
* Allow exports test to parallelize
2019-04-19 02:11:09 -04:00
Kevin Chung 0fa480bc14
Some 2.1.0a1 bugfixes (#959)
* Fix admin's modifying their own team or own settings
* Fix some links not working in the admin panel
* Fix extensions with an extra space in `populate.py`
2019-04-18 21:55:55 -04:00
Kevin Chung b6d54b9ee9
2.1.0 (#957)
https://github.com/CTFd/CTFd/milestone/6
2019-04-17 01:36:30 -04:00
Kevin Chung c0a32a836b
Properly load schemas specified as strings (#943)
* Properly load schemas specified by their key string
* Add test for UserSchema 
* Prevent users without teams from interacting with challenges if the CTF is in Team Mode
2019-04-08 01:47:26 -04:00
Kevin Chung 7c60c697ee
Properly hide users/teams if they are set to banned/hidden (#932)
* Properly hide users/teams if they are set to hidden/banned
    * This should be in the API and in the main user panel. This should not affect admins. 
* Update tests to reflect this behavior.
2019-04-04 22:44:18 -04:00
Kevin Chung f75d7b62ed
Record a new solve before calculating the new dynamic value. (#919)
* Record a new solve before calculating the new dynamic value so hidden solves can't unintentionally move the challenge value
2019-03-22 12:26:57 -04:00
Kevin Chung fadb8271d2
Dont calculate hidden users in place (#918)
* Fix for hidden users bumping a user's place in their profile 
* Don't calculate hidden users in a user's place
2019-03-22 04:07:53 -04:00
s-nirali 37dcfdc568 Read smtp server configuration from config.py (#914)
* Read smtp server configuration from config.py

The CTFd/utils/email/smtp.py file has a provision to read SMTP
configuration for all fields from either the UI or CTFd/config.py file.
Two fields, `MAIL_SERVER` and `MAIL_PORT`, were not being read from the
config.py file. This commit fixes this issue.

* Update simple SMTP server tests
2019-03-21 22:10:08 -04:00
Kevin Chung 4f7c4687d7
Reimplement admin send mail to users (#903)
* Reimplement admin send mail to users as `/api/v1/users/<user_id>/email`
* Update form and related Javascript
* Write test for controller
* Closes #897
2019-03-17 18:54:44 -07:00
Kevin Chung 79b7b1dd5c
Fix removing profile details (Closes #894) (#899)
* Fix removing profile details (Closes #894)
* Update tests to properly check setting and removing profile values
2019-03-17 09:08:52 -07:00
Kevin Chung 1f768dbfaf
Fix for hidden teams being visible on the team listing page and score… (#880)
* Fix for hidden teams being visible on the team listing page and scoreboard endpoints
2019-02-10 01:55:27 -05:00
Kevin Chung 2f49477465
Fix creating users from the admin panel while name changes disabled (#862)
* Fix creating users from the admin panel while name changes are disabled; clean up user & team schema validators
* Closes #832
* Coerce /api/v1/teams/<team_id> to /api/v1/teams/<int:team_id>
2019-01-31 01:18:46 -05:00
Kevin Chung 2935a76722
Fix showing incorrect 'CTF has ended' error if view_after_ctf is set (#859)
* Fix showing incorrect 'CTF has ended' error if view_after_ctf is set
2019-01-30 19:46:31 -05:00
Kevin Chung 3af036b4b2
Block new user registration if registering via MLC (#840)
* Block new user registration if registering via MLC
* Allow login with MLC while registration is disabled
2019-01-19 16:00:29 -05:00
Kevin Chung a181c0a1e2
Consider account configs when user patches their own account (#836)
* Consider account configs when user patches their own account
* Add test for name changing
* Add test to ensure that users changing emails are marked unconfirmed
* Only allow users to change to emails in whitelisted domains
* Simplify assertion for error check
2019-01-17 22:54:42 -05:00
Kevin Chung 6e8c7aaa50
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827)
* Require CSRF-Token header on state changing API requests
* Require CSRF nonces on more than just POSTs, 
* Replace usage of `fetch()` with custom `CTFd.fetch()` implementation
2019-01-10 22:38:37 -05:00
Kevin Chung 9ee743de7e
Simplify url_for calls in themes, rework CTFd.js, fix flaky test (#826)
* Simplify url_for calls in themes, rework CTFd.js, fix flaky test
2019-01-10 01:58:39 -05:00
Kevin Chung 83e294057e
Default SameSite session cookie setting to Lax (#824) 2019-01-08 02:52:51 -05:00
FaultyMach1ine 08c39c01a3 Fix wrong user mode in challenge_solves_box (#812)
* Fix incorrect user/team link in the challenge solves tab
* Change /api/v1/<challenge_id>/solves to also return account_url
2019-01-02 02:22:58 -05:00
Kevin Chung 324f8859a1
Fix subdirectory deployments in a generic manner (#802)
* Fix subdirectory deployments in a generic manner by modifying`request.path` to combine both `request.script_root` and `request.path` and also creating a request preprocessor to redirect users into the true CTFd app. Without this sessions will be invalid because sessions will be set to a subdirectory. 
* Add a test for testing subdirectory deployments and the customized CTFdRequest object.
* Fix `TestingConfig.SAFE_MODE` getting stuck in between tests. 
* Order AWS keys properly in travis.yml
* Redirect to `request.full_path` instead of just `request.path`
2018-12-16 13:18:08 -05:00
Kevin Chung f4f4bd5333
Adds plugin functions to register javascript and CSS in the admin panel. Move global plugin script/stylesheet lists into application factory specific lists. Closes #804 (#805)
* Adds plugin functions to register javascript and CSS in the admin panel
* Move global plugin script/stylesheet lists into application factory specific lists
* Closes #804
2018-12-15 13:48:21 -05:00
Kevin Chung 367110969e
Update admin notification UI and allow for deleting notifications (#803)
* Show notification titles on the notification list page
* Allow for deleting notifications
* Update notification UI in admin panel
* Make /api/v1/notifications/<id> accessible to all
* Default `login_as_user()` and `register_user()` to fail on invalid credentials
2018-12-14 23:23:02 -05:00
Kevin Chung 087443467f
Allow unauthed users to attempt challenges if visibility is public but get redirected (Closes #797) (#798) 2018-12-10 22:58:23 -05:00
Kevin Chung 234d9ec57d
Fix email confirmations and password resets (#795)
* Fix email confirmations and improve test.
* Breaks confirm.html page because of change from team to user
* Clean up admin mail settings to use new label/small structure
* Fix password resets from double hashing passwords
2018-12-09 14:47:40 -05:00
Peter b331bb3e0e Fix divison-by-zero when adding requirement to dynamic challenge (#782)
* Fixing a bug where prerequisites could not be set for dynamic challenges due to a division by zero error where defaults were being set unnecessarily. 
* Creating unit test for adding requirement to dynamic challenges
2018-12-08 00:36:29 -05:00
Kevin Chung e4fd1c47dd
Fix downloading files as an anonymous user. (#792)
* Fix downloading files as an anonymous user. 
* Fix viewing challenges anonymously if they have empty requirements. Closes #789
* Allow anonymous users to see see challenges with empty requirements or anonymized challenges
2018-12-07 23:37:30 -05:00
Kevin Chung 5cedcb7372
Fix hint loading for admins with /api/v1/hints/<id>?preview=true (#786)
* Fix hint loading for admins by adding /api/v1/hints/<id>?preview=true for use by admins
* Add tests for admin Hint preview
2018-12-06 21:46:47 -05:00
Kevin Chung afdfaa15da
Fix CTF resets in mysql (#785)
* Extend test for CTFd resets and fix issue in MySQL
* Expand reset test and fix helper for fails and tracking
2018-12-06 20:43:14 -05:00
Kevin Chung 547fe61870
Fix syncing down an empty S3 bucket (#783)
* Fix syncing down an empty S3 bucket
* Add test for S3 uploader
* Remove boto.cfg because of https://github.com/travis-ci/travis-ci/issues/7940#issuecomment-310759657
* Specify dummy AWS creds in travis.yml
* Fix S3Uploader in Python 3 and fix test
2018-12-06 01:39:39 -05:00