Fix freeze time regressions (#989)

* Fix freeze time regressions in 2.x * Make `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` endpoints load as admin to load all rows and bypass freeze * Closes #988 * Make `/api/v1/challenges/[id]/solves` respect freeze time. `/api/v1/challenges/[id]/solves?preview=true` is exposed for admins to see solves as a user would. * Closes #986
2025-12-23 00:34:21 +01:00 · 2019-05-11 00:18:56 -04:00
parent b7a19f74ff
commit 3d23ece370
8 changed files with 321 additions and 42 deletions
--- a/CTFd/api/v1/challenges.py
+++ b/CTFd/api/v1/challenges.py
@@ -38,6 +38,7 @@ from CTFd.utils.dates import ctf_ended, ctf_paused, ctftime
 from CTFd.utils.logging import log
 from CTFd.utils.security.signing import serialize
 from sqlalchemy.sql import and_
+import datetime

 challenges_namespace = Namespace('challenges',
                                 description="Endpoint to retrieve Challenges")
@@ -523,6 +524,13 @@ class ChallengeSolves(Resource):
            .filter(Solves.challenge_id == challenge_id, Model.banned == False, Model.hidden == False)\
            .order_by(Solves.date.asc())

+        freeze = get_config('freeze')
+        if freeze:
+            preview = request.args.get('preview')
+            if (is_admin() is False) or (is_admin() is True and preview):
+                dt = datetime.datetime.utcfromtimestamp(freeze)
+                solves = solves.filter(Solves.date < dt)
+
        endpoint = None
        if get_config('user_mode') == TEAMS_MODE:
            endpoint = 'teams.public'
--- a/CTFd/api/v1/teams.py
+++ b/CTFd/api/v1/teams.py
@@ -304,6 +304,7 @@ class TeamSolves(Resource):
            if not authed():
                abort(403)
            team = get_current_team()
+            solves = team.get_solves(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -311,10 +312,7 @@ class TeamSolves(Resource):

            if (team.banned or team.hidden) and is_admin() is False:
                abort(404)
-
-        solves = team.get_solves(
-            admin=is_admin()
-        )
+            solves = team.get_solves(admin=is_admin())

        view = 'admin' if is_admin() else 'user'
        schema = SubmissionSchema(view=view, many=True)
@@ -341,6 +339,7 @@ class TeamFails(Resource):
            if not authed():
                abort(403)
            team = get_current_team()
+            fails = team.get_fails(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -348,10 +347,7 @@ class TeamFails(Resource):

            if (team.banned or team.hidden) and is_admin() is False:
                abort(404)
-
-        fails = team.get_fails(
-            admin=is_admin()
-        )
+            fails = team.get_fails(admin=is_admin())

        view = 'admin' if is_admin() else 'user'

@@ -388,6 +384,7 @@ class TeamAwards(Resource):
            if not authed():
                abort(403)
            team = get_current_team()
+            awards = team.get_awards(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -395,10 +392,7 @@ class TeamAwards(Resource):

            if (team.banned or team.hidden) and is_admin() is False:
                abort(404)
-
-        awards = team.get_awards(
-            admin=is_admin()
-        )
+            awards = team.get_awards(admin=is_admin())

        schema = AwardSchema(many=True)
        response = schema.dump(awards)
--- a/CTFd/api/v1/users.py
+++ b/CTFd/api/v1/users.py
@@ -200,6 +200,7 @@ class UserSolves(Resource):
            if not authed():
                abort(403)
            user = get_current_user()
+            solves = user.get_solves(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -207,12 +208,7 @@ class UserSolves(Resource):

            if (user.banned or user.hidden) and is_admin() is False:
                abort(404)
-
-        solves = user.get_solves(
-            admin=is_admin()
-        )
-        for solve in solves:
-            setattr(solve, 'value', 100)
+            solves = user.get_solves(admin=is_admin())

        view = 'user' if not is_admin() else 'admin'
        response = SubmissionSchema(view=view, many=True).dump(solves)
@@ -237,6 +233,7 @@ class UserFails(Resource):
            if not authed():
                abort(403)
            user = get_current_user()
+            fails = user.get_fails(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -244,10 +241,7 @@ class UserFails(Resource):

            if (user.banned or user.hidden) and is_admin() is False:
                abort(404)
-
-        fails = user.get_fails(
-            admin=is_admin()
-        )
+            fails = user.get_fails(admin=is_admin())

        view = 'user' if not is_admin() else 'admin'
        response = SubmissionSchema(view=view, many=True).dump(fails)
@@ -280,6 +274,7 @@ class UserAwards(Resource):
            if not authed():
                abort(403)
            user = get_current_user()
+            awards = user.get_awards(admin=True)
        else:
            if accounts_visible() is False or scores_visible() is False:
                abort(404)
@@ -287,10 +282,7 @@ class UserAwards(Resource):

            if (user.banned or user.hidden) and is_admin() is False:
                abort(404)
-
-        awards = user.get_awards(
-            admin=is_admin()
-        )
+            awards = user.get_awards(admin=is_admin())

        view = 'user' if not is_admin() else 'admin'
        response = AwardSchema(view=view, many=True).dump(awards)