diff --git a/CTFd/teams.py b/CTFd/teams.py
index 94597445..1e6fcfb0 100644
--- a/CTFd/teams.py
+++ b/CTFd/teams.py
@@ -278,7 +278,14 @@ def new():
 if errors:
 return render_template("teams/new_team.html", errors=errors), 403
- team = Teams(name=teamname, password=passphrase, captain_id=user.id)
+ # Hide the created team if the creator is an admin
+ hidden = False
+ if user.type == "admin":
+ hidden = True
+
+ team = Teams(
+ name=teamname, password=passphrase, captain_id=user.id, hidden=hidden
+ )
 if website:
 team.website = website
diff --git a/tests/teams/test_auth.py b/tests/teams/test_auth.py
index aa693b4b..3c11403a 100644
--- a/tests/teams/test_auth.py
+++ b/tests/teams/test_auth.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-from CTFd.models import Users, db
+from CTFd.models import Teams, Users, db
 from tests.helpers import (
 create_ctfd,
 destroy_ctfd,
@@ -210,3 +210,36 @@ def test_teams_new_post_when_already_on_team():
 user = Users.query.filter_by(name="user").first()
 assert user.team.name == "team1"
 destroy_ctfd(app)
+
+
+def test_teams_from_admin_hidden():
+ """Test that teams created by admins in /teams/new are hidden by default"""
+ app = create_ctfd(user_mode="teams")
+ with app.app_context():
+ gen_user(app.db, name="user")
+ with login_as_user(app) as client:
+ with client.session_transaction() as sess:
+ data = {
+ "name": "team_user",
+ "password": "password",
+ "nonce": sess.get("nonce"),
+ }
+ r = client.post("/teams/new", data=data)
+ assert r.status_code == 302
+
+ team = Teams.query.filter_by(name="team_user").first()
+ assert team.hidden == False
+
+ with login_as_user(app, "admin") as client:
+ with client.session_transaction() as sess:
+ data = {
+ "name": "team_admin",
+ "password": "password",
+ "nonce": sess.get("nonce"),
+ }
+ r = client.post("/teams/new", data=data)
+ assert r.status_code == 302
+
+ team = Teams.query.filter_by(name="team_admin").first()
+ assert team.hidden == True
+ destroy_ctfd(app)
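Review bot: In `new()` (CTFd/teams.py), `hidden` is derived once from the creator's role at creation time, so the flag records who created the team rather than who is on it. Paths that change membership later (an admin joining an existing team, or a regular user joining an admin-created one) are not in this hunk, so whether they keep `hidden` consistent should be confirmed. A comment such as `# hidden is set only at creation; later membership changes do not update it` would make that limit explicit. The four-line setup can also be written as `hidden = user.type == "admin"`. new()'s body starts and ends outside the hunk.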
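Review bot: In `test_teams_from_admin_hidden` (tests/teams/test_auth.py), `assert team.hidden == False` and `assert team.hidden == True` compare against boolean literals with `==`, which linters flag (E712) and which also accepts `0`/`1`. `assert team.hidden is False` and `assert team.hidden is True` pin the exact value. `Teams.query.filter_by(...).first()` can return `None`, so a failed creation would surface as an AttributeError rather than a clear assertion failure; adding `assert team is not None` before each check fixes that. As in the neighbouring test, `destroy_ctfd(app)` is skipped when an assertion fails.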