Optionally allow unregistered users to view challenges

Add a Config entry `view_challenges_unregistered` to indicate whether unregistered users can view challenges. Add the setting to the admin config page. Add can_view_challenges() to utils to test if a user is either authed, or the configuration allow unauthenticated users to view the challenges. Return a HTTP 401 Unauthorized error when the /chals/solves API can't provide results for an unauthenticated user. This is needed because the client side code in `chalboard.js` doesn't know if it's logged in or not and requests this anyway. (And AJAX doesn't handle redirects very well.) Alternately the client could actually know if they're logged in and not make needless API calls. When an unregistered user attempts to submit a flag, it will also fail. The user will be redirected to a login page.
2025-12-17 14:04:20 +01:00 · 2015-01-07 22:11:31 -06:00
parent c5c3126bb4
commit 2972cf506d
5 changed files with 38 additions and 11 deletions
--- a/CTFd/challenges.py
+++ b/CTFd/challenges.py
@@ -1,6 +1,6 @@
 from flask import current_app as app, render_template, request, redirect, abort, jsonify, json as json_mod, url_for, session

-from CTFd.utils import ctftime, authed, unix_time, get_kpm
+from CTFd.utils import ctftime, authed, unix_time, get_kpm, can_view_challenges
 from CTFd.models import db, Challenges, Files, Solves, WrongKeys, Keys

 import time
@@ -12,7 +12,7 @@ def init_challenges(app):
    def challenges():
        if not ctftime():
            return redirect('/')
-        if authed():
+        if can_view_challenges():
            return render_template('chals.html')
        else:
            return redirect(url_for('login', next="challenges"))
@@ -21,7 +21,7 @@ def init_challenges(app):
    def chals():
        if not ctftime():
            return redirect('/')
-        if authed():
+        if can_view_challenges():
            chals = Challenges.query.add_columns('id', 'name', 'value', 'description', 'category').order_by(Challenges.value).all()
            
            json = {'game':[]}
@@ -37,7 +37,7 @@ def init_challenges(app):

    @app.route('/chals/solves')
    def chals_per_solves():
-        if authed():
+        if can_view_challenges():
            solves = Solves.query.add_columns(db.func.count(Solves.chalid)).group_by(Solves.chalid).all()
            json = {}        
            for chal, count in solves:
@@ -52,7 +52,7 @@ def init_challenges(app):
            if authed():
                solves = Solves.query.filter_by(teamid=session['id']).all()
            else:
-                return redirect('/login')
+                abort(401)
        else:
            solves = Solves.query.filter_by(teamid=teamid).all()
        db.session.close()