Some 2.1.0a1 bugfixes (#959)

* Fix admin's modifying their own team or own settings * Fix some links not working in the admin panel * Fix extensions with an extra space in `populate.py`
2025-12-17 05:54:19 +01:00 · 2019-04-18 21:55:55 -04:00
parent b1061a3e91
commit 0fa480bc14
8 changed files with 88 additions and 18 deletions
--- a/CTFd/schemas/teams.py
+++ b/CTFd/schemas/teams.py
@@ -54,6 +54,7 @@ class TeamSchema(ma.ModelSchema):
            return

        existing_team = Teams.query.filter_by(name=name).first()
+        current_team = get_current_team()
        # Admins should be able to patch anyone but they cannot cause a collision.
        if is_admin():
            team_id = int(data.get('id', 0))
@@ -63,9 +64,12 @@ class TeamSchema(ma.ModelSchema):
            else:
                # If there's no Team ID it means that the admin is creating a team with no ID.
                if existing_team:
+                    if current_team:
+                        if current_team.id != existing_team.id:
+                            raise ValidationError('Team name has already been taken', field_names=['name'])
+                    else:
                        raise ValidationError('Team name has already been taken', field_names=['name'])
        else:
-            current_team = get_current_team()
            # We need to allow teams to edit themselves and allow the "conflict"
            if data['name'] == current_team.name:
                return data
@@ -135,7 +139,10 @@ class TeamSchema(ma.ModelSchema):

        if is_admin():
            team_id = data.get('id')
+            if team_id:
                target_team = Teams.query.filter_by(id=team_id).first()
+            else:
+                target_team = get_current_team()
            captain = Users.query.filter_by(id=captain_id).first()
            if captain in target_team.members:
                return
--- a/CTFd/schemas/users.py
+++ b/CTFd/schemas/users.py
@@ -62,6 +62,7 @@ class UserSchema(ma.ModelSchema):
            return

        existing_user = Users.query.filter_by(name=name).first()
+        current_user = get_current_user()
        if is_admin():
            user_id = data.get('id')
            if user_id:
@@ -69,9 +70,12 @@ class UserSchema(ma.ModelSchema):
                    raise ValidationError('User name has already been taken', field_names=['name'])
            else:
                if existing_user:
+                    if current_user:
+                        if current_user.id != existing_user.id:
+                            raise ValidationError('User name has already been taken', field_names=['name'])
+                    else:
                        raise ValidationError('User name has already been taken', field_names=['name'])
        else:
-            current_user = get_current_user()
            if name == current_user.name:
                return data
            else:
@@ -88,7 +92,7 @@ class UserSchema(ma.ModelSchema):
            return

        existing_user = Users.query.filter_by(email=email).first()
-
+        current_user = get_current_user()
        if is_admin():
            user_id = data.get('id')
            if user_id:
@@ -96,9 +100,12 @@ class UserSchema(ma.ModelSchema):
                    raise ValidationError('Email address has already been used', field_names=['email'])
            else:
                if existing_user:
+                    if current_user:
+                        if current_user.id != existing_user.id:
+                            raise ValidationError('Email address has already been used', field_names=['email'])
+                    else:
                        raise ValidationError('Email address has already been used', field_names=['email'])
        else:
-            current_user = get_current_user()
            if email == current_user.email:
                return data
            else:
--- a/CTFd/themes/admin/static/js/style.js
+++ b/CTFd/themes/admin/static/js/style.js
@@ -36,5 +36,9 @@ $(function () {
        return false;
    });

+    $("tr a, button").click(function (e) {
+        e.stopPropagation();
+    });
+
    $('[data-toggle="tooltip"]').tooltip()
 });
--- a/CTFd/themes/admin/templates/teams/team.html
+++ b/CTFd/themes/admin/templates/teams/team.html
@@ -138,7 +138,7 @@
 							</a>
 						</td>
 						<td class="text-center">
-							<a href="mailto:{{ member.email }}">
+							<a href="mailto:{{ member.email }}" target="_blank">
 								{{ member.email }}
 							</a>
 						</td>
--- a/CTFd/themes/core/templates/teams/private.html
+++ b/CTFd/themes/core/templates/teams/private.html
@@ -15,7 +15,6 @@
 				</div>
 				<div class="modal-body clearfix">
 					<form id="team-info-form" method="POST">
-						<input type="hidden" name="id">
 						<div class="form-group">
 							<label for="name">Team Name</label>
 							<input type="text" class="form-control" name="name" id="name"
--- a/tests/api/v1/test_teams.py
+++ b/tests/api/v1/test_teams.py
@@ -345,6 +345,35 @@ def test_api_team_patch_me_logged_in_captain():
    destroy_ctfd(app)


+def test_api_team_patch_me_logged_in_admin_captain():
+    """Can an admin patch /api/v1/teams/me if logged in as a team captain"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        admin = Users.query.filter_by(id=1).first()
+        user = gen_user(app.db)
+        team = gen_team(app.db)
+        team.members.append(user)
+        team.members.append(admin)
+
+        user.team_id = team.id
+        admin.team_id = team.id
+
+        # We want the admin to be the captain
+        team.captain_id = 1
+
+        app.db.session.commit()
+        with login_as_user(app, name="admin") as client:
+            r = client.patch('/api/v1/teams/me', json={
+                "name": "team_name",
+                "affiliation": "changed"
+            })
+            assert r.status_code == 200
+
+        team = Teams.query.filter_by(id=1).first()
+        assert team.name == "team_name"
+    destroy_ctfd(app)
+
+
 def test_api_team_get_me_solves_not_logged_in():
    """Can a user get /api/v1/teams/me/solves if not logged in"""
    app = create_ctfd(user_mode="teams")
--- a/tests/api/v1/test_users.py
+++ b/tests/api/v1/test_users.py
@@ -381,6 +381,30 @@ def test_api_user_patch_me_logged_in():
    destroy_ctfd(app)


+def test_api_admin_user_patch_me_logged_in():
+    """Can an admin patch /api/v1/users/me"""
+    app = create_ctfd()
+    with app.app_context():
+        with login_as_user(app, name='admin') as client:
+            r = client.patch(
+                '/api/v1/users/me',
+                json={
+                    "name": "user",
+                    "email": "user@ctfd.io",
+                    "password": "password",
+                    "confirm": "password",
+                    "country": "US"
+                }
+            )
+            assert r.status_code == 200
+            assert r.get_json()['data']['country'] == 'US'
+
+            user = Users.query.filter_by(id=1).first()
+            assert user.name == 'user'
+            assert user.email == 'user@ctfd.io'
+    destroy_ctfd(app)
+
+
 def test_api_user_change_name():
    """Can a user change their name via the API"""
    app = create_ctfd()