From 1f768dbfaf171a95e7da1d32174af6fc1aee9f24 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Sun, 10 Feb 2019 01:55:27 -0500
Subject: [PATCH] =?UTF-8?q?Fix=20for=20hidden=20teams=20being=20visible=20?=
 =?UTF-8?q?on=20the=20team=20listing=20page=20and=20score=E2=80=A6=20(#880?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Fix for hidden teams being visible on the team listing page and scoreboard endpoints
---
 CTFd/api/v1/teams.py | 2 +-
 CTFd/teams.py | 4 +--
 tests/teams/test_teams.py | 52 ++++++++++++++++++++++++++++++++++++
 tests/users/test_users.py | 56 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 111 insertions(+), 3 deletions(-)
diff --git a/CTFd/api/v1/teams.py b/CTFd/api/v1/teams.py
index 691682ed..ff16f748 100644
--- a/CTFd/api/v1/teams.py
+++ b/CTFd/api/v1/teams.py
@@ -28,7 +28,7 @@ teams_namespace = Namespace('teams', description="Endpoint to retrieve Teams")
 class TeamList(Resource):
 @check_account_visibility
 def get(self):
- teams = Teams.query.filter_by(banned=False)
+ teams = Teams.query.filter_by(hidden=False, banned=False)
 view = copy.deepcopy(TeamSchema.views.get(
 session.get('type', 'user')
 ))
diff --git a/CTFd/teams.py b/CTFd/teams.py
index cdb0bf8b..2dd2555c 100644
--- a/CTFd/teams.py
+++ b/CTFd/teams.py
@@ -28,8 +28,8 @@ def listing():
 # count = Teams.query.filter_by(verified=True, banned=False).count()
 # teams = Teams.query.filter_by(verified=True, banned=False).slice(page_start, page_end).all()
 # else:
- count = Teams.query.filter_by(banned=False).count()
- teams = Teams.query.filter_by(banned=False).slice(page_start, page_end).all()
+ count = Teams.query.filter_by(hidden=False, banned=False).count()
+ teams = Teams.query.filter_by(hidden=False, banned=False).slice(page_start, page_end).all()
 pages = int(count / results_per_page) + (count % results_per_page > 0)
 return render_template('teams/teams.html', teams=teams, pages=pages, curr_page=page)
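Review bot: The `hidden=False` filter added to `TeamList.get` is unconditional, so a request made with an admin session — the endpoint already branches on `session.get('type', 'user')` to pick the schema view — also loses hidden teams from `/api/v1/teams`, which may be unintended if any admin tooling reads this endpoint (not visible here). If admins should still see everything, apply the filter only for non-admin sessions, e.g. `teams = Teams.query.filter_by(banned=False)` followed by `if session.get('type') != 'admin': teams = teams.filter_by(hidden=False)`, assuming 'admin' is one of the view keys. The same `hidden=False, banned=False` pair is now hand-copied into the `listing` view in CTFd/teams.py; a shared query helper on `Teams` would keep the two listing paths from drifting again, which looks like how this leak arose in the first place. This hunk covers only the list endpoint; the single-team detail endpoint is outside the diff, so whether a hidden team remains reachable by id cannot be judged from here.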
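Review bot: `listing` now spells the identical filter twice — once for `count` and once for the slice — so the page count and the rows can disagree if the `hidden`/`banned` pair is later edited in only one of them; build the query once: `visible = Teams.query.filter_by(hidden=False, banned=False)`, `count = visible.count()`, `teams = visible.slice(page_start, page_end).all()`. The commented-out `verified=True` branch directly above is dead code and still lacks the `hidden` filter, so reviving it would reintroduce the same leak; either delete it or bring it in line. The start of `listing` (page and slice-bound computation) lies outside the hunk.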
diff --git a/tests/teams/test_teams.py b/tests/teams/test_teams.py
index 2fd0c8aa..a2ed5915 100644
--- a/tests/teams/test_teams.py
+++ b/tests/teams/test_teams.py
@@ -22,6 +22,58 @@ def test_teams_get():
 destroy_ctfd(app)
+def test_hidden_teams_visibility():
+ """Hidden teams should not show up on /teams or /api/v1/teams or /api/v1/scoreboard"""
+ app = create_ctfd(user_mode="teams")
+ with app.app_context():
+ register_user(app)
+ with login_as_user(app) as client:
+ user = Users.query.filter_by(id=2).first()
+ team = gen_team(app.db, name='visible_team', hidden=True)
+ team.members.append(user)
+ user.team_id = team.id
+ app.db.session.commit()
+
+ r = client.get('/teams')
+ response = r.get_data(as_text=True)
+ assert team.name not in response
+
+ r = client.get('/api/v1/teams')
+ response = r.get_json()
+ assert team.name not in response
+
+ gen_award(app.db, user.id, team_id=team.id)
+
+ r = client.get('/scoreboard')
+ response = r.get_data(as_text=True)
+ assert team.name not in response
+
+ r = client.get('/api/v1/scoreboard')
+ response = r.get_json()
+ assert team.name not in response
+
+ # Team should re-appear after disabling hiding
+ # Use an API call to cause a cache clear
+ with login_as_user(app, name='admin') as admin:
+ r = admin.patch('/api/v1/teams/1', json={
+ "hidden": False,
+ })
+ assert r.status_code == 200
+
+ r = client.get('/teams')
+ response = r.get_data(as_text=True)
+ assert team.name in response
+
+ r = client.get('/api/v1/teams')
+ response = r.get_data(as_text=True)
+ assert team.name in response
+
+ r = client.get('/api/v1/scoreboard')
+ response = r.get_data(as_text=True)
+ assert team.name in response
+ destroy_ctfd(app)
+
+
 def test_teams_get_user_mode():
 """Can a user get /teams if user mode"""
 app = create_ctfd(user_mode="users")
diff --git a/tests/users/test_users.py b/tests/users/test_users.py
index e69de29b..acbfac94 100644
--- a/tests/users/test_users.py
+++ b/tests/users/test_users.py
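Review bot: The two negative API assertions in `test_hidden_teams_visibility` are vacuous: `response = r.get_json()` yields a dict, so `assert team.name not in response` only inspects the top-level keys and passes whether or not the hidden team appears under `data` — presumably why the matching positive checks further down switch to `r.get_data(as_text=True)`. Use the text body for the negative checks as well (`response = r.get_data(as_text=True)`), or assert against the serialised payload explicitly, otherwise the `/api/v1/teams` and `/api/v1/scoreboard` halves of this regression test can never fail. The hard-coded `'/api/v1/teams/1'` should be `'/api/v1/teams/{}'.format(team.id)` so the test does not silently patch a different team if fixture ordering changes, and naming the hidden team `'visible_team'` reads as the opposite of what it is. The `id=2` assumption for the registered user likewise depends on the admin account being created first.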
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from tests.helpers import *
+
+
+def test_hidden_user_visibility():
+ """Hidden users should not show up on /users or /api/v1/users or /api/v1/scoreboard"""
+ app = create_ctfd()
+ with app.app_context():
+ register_user(app, name="hidden_user")
+
+ with login_as_user(app, name="hidden_user") as client:
+ user = Users.query.filter_by(id=2).first()
+ user_name = user.name
+ user.hidden = True
+ app.db.session.commit()
+
+ r = client.get('/users')
+ response = r.get_data(as_text=True)
+ assert user_name not in response
+
+ r = client.get('/api/v1/users')
+ response = r.get_json()
+ assert user_name not in response
+
+ gen_award(app.db, user.id)
+
+ r = client.get('/scoreboard')
+ response = r.get_data(as_text=True)
+ assert user_name not in response
+
+ r = client.get('/api/v1/scoreboard')
+ response = r.get_json()
+ assert user_name not in response
+
+ # User should re-appear after disabling hiding
+ # Use an API call to cause a cache clear
+ with login_as_user(app, name='admin') as admin:
+ r = admin.patch('/api/v1/users/2', json={
+ "hidden": False,
+ })
+ assert r.status_code == 200
+
+ r = client.get('/users')
+ response = r.get_data(as_text=True)
+ assert user_name in response
+
+ r = client.get('/api/v1/users')
+ response = r.get_data(as_text=True)
+ assert user_name in response
+
+ r = client.get('/api/v1/scoreboard')
+ response = r.get_data(as_text=True)
+ assert user_name in response
+ destroy_ctfd(app)
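Review bot: In `test_hidden_user_visibility` the negative checks `response = r.get_json()` followed by `assert user_name not in response` only look at the dict's top-level keys, so the `/api/v1/users` and `/api/v1/scoreboard` assertions pass regardless of whether the hidden user is listed under `data`; read the body with `r.get_data(as_text=True)` as the positive checks below already do, or walk `response['data']`. `'/api/v1/users/2'` hard-codes the same id that `Users.query.filter_by(id=2)` assumes — prefer `'/api/v1/users/{}'.format(user.id)` so a change in fixture ordering fails loudly instead of un-hiding the wrong account. `from tests.helpers import *` brings `Users`, `create_ctfd` and the other helpers into the module implicitly; an explicit import list would make the test's dependencies visible.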