Fix challenge preview for admins (#978)

* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team
* Fixes regression from 2.0.6
Kevin Chung
2019-05-02 00:25:09 -04:00
committed by GitHub
parent e7884c856f
commit 3f4a242b2b
2 changed files with 26 additions and 4 deletions


@@ -65,8 +65,11 @@ class ChallengeList(Resource):
solve_ids = set([value for value, in solve_ids]) solve_ids = set([value for value, in solve_ids])
# TODO: Convert this into a re-useable decorator # TODO: Convert this into a re-useable decorator
if config.is_teams_mode() and get_current_team() is None: if is_admin():
abort(403) pass
else:
if config.is_teams_mode() and get_current_team() is None:
abort(403)
else: else:
solve_ids = set() solve_ids = set()
@@ -211,8 +214,11 @@ class Challenge(Resource):
team = get_current_team() team = get_current_team()
# TODO: Convert this into a re-useable decorator # TODO: Convert this into a re-useable decorator
if config.is_teams_mode() and team is None: if is_admin():
abort(403) pass
else:
if config.is_teams_mode() and team is None:
abort(403)
unlocked_hints = set([ unlocked_hints = set([
u.target for u in HintUnlocks.query.filter_by(type='hints', account_id=user.account_id) u.target for u in HintUnlocks.query.filter_by(type='hints', account_id=user.account_id)
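Review bot: The admin exemption is written as an empty `if is_admin(): pass` branch with the real deny rule pushed into the `else`, in both the ChallengeList and the Challenge hunk, which makes the authorization condition easy to misread. A single guard states it directly: `if not is_admin() and config.is_teams_mode() and team is None:` followed by `abort(403)` (with `get_current_team() is None` in ChallengeList), and that form is also simpler to lift into the decorator the TODO mentions, so the two copies cannot drift apart. Admins without a team now continue into code that previously only ran with a team, such as the `HintUnlocks` query on `user.account_id` right after the check; what `account_id` resolves to for such a user is not visible here and should be confirmed. Both method bodies begin and end outside the hunks.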


@@ -99,6 +99,22 @@ def test_api_challenges_post_non_admin():
destroy_ctfd(app) destroy_ctfd(app)
def test_api_challenges_get_admin():
"""Can a user GET /api/v1/challenges if admin without team"""
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_challenge(app.db)
# Admin does not have a team but should still be able to see challenges
user = Users.query.filter_by(id=1).first()
assert user.team_id is None
with login_as_user(app, 'admin') as admin:
r = admin.get('/api/v1/challenges', json="")
assert r.status_code == 200
r = admin.get('/api/v1/challenges/1', json="")
assert r.status_code == 200
destroy_ctfd(app)
def test_api_challenges_post_admin(): def test_api_challenges_post_admin():
"""Can a user post /api/v1/challenges if admin""" """Can a user post /api/v1/challenges if admin"""
app = create_ctfd() app = create_ctfd()
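Review bot: The new test_api_challenges_get_admin only asserts the allowed path, so it would still pass if the team check were removed for every user. Unless another test outside this hunk already covers it, add a companion case in teams mode where a logged-in non-admin user without a team requests `/api/v1/challenges` and `/api/v1/challenges/1` and the test asserts `r.status_code == 403`. The lookup `Users.query.filter_by(id=1)` also assumes the admin account is id 1; selecting the row by the same name passed to `login_as_user(app, 'admin')` would tie the `team_id is None` assertion to the account that actually makes the requests.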