Fix creating users, teams from the API (#768)

* Fix creating users, teams from the API, hash password in models vs in schemas, stop caching CSS at the decorator level, fix tests
* Fix whitelisted emails and add test
* Set proper defaults in accounts config
This commit is contained in:
Kevin Chung
2018-11-30 20:12:48 -05:00
committed by GitHub
parent c342ca85b4
commit 4233d683b8
10 changed files with 139 additions and 55 deletions


@@ -2,12 +2,13 @@
# -*- coding: utf-8 -*-
from CTFd.utils import set_config
from CTFd.utils.crypto import verify_password
from tests.helpers import *
def test_api_teams_get_public():
"""Can a user get /api/v1/teams if teams are public"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
set_config('account_visibility', 'public')
@@ -24,7 +25,7 @@ def test_api_teams_get_public():
def test_api_teams_get_private():
"""Can a user get /api/v1/teams if teams are private"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
with login_as_user(app) as client:
@@ -43,7 +44,7 @@ def test_api_teams_get_private():
def test_api_teams_get_admin():
"""Can a user get /api/v1/teams if teams are viewed by admins only"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with login_as_user(app, 'admin') as client:
set_config('account_visibility', 'public')
@@ -60,7 +61,7 @@ def test_api_teams_get_admin():
def test_api_teams_post_non_admin():
"""Can a user post /api/v1/teams if not admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.post('/api/v1/teams', json="")
@@ -70,24 +71,47 @@ def test_api_teams_post_non_admin():
def test_api_teams_post_admin():
"""Can a user post /api/v1/teams if admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with login_as_user(app, 'admin') as client:
r = client.post('/api/v1/teams', json={
"website": "http://www.team.com",
"name": "team",
"country": "TW",
"email": "team@team.com",
"affiliation": "team",
"password": "pass"
})
# Create team
r = client.post(
'/api/v1/teams',
json={
"website": "http://www.team.com",
"name": "team",
"country": "TW",
"email": "team@team.com",
"affiliation": "team",
"password": "password"
}
)
assert r.status_code == 200
# Make sure password was hashed properly
team = Teams.query.filter_by(email='team@team.com').first()
assert team
assert verify_password('password', team.password)
# Make sure team can actually be joined
register_user(app)
client = login_as_user(app)
with client.session_transaction() as sess:
data = {
"name": "team",
"password": "password",
"nonce": sess.get('nonce')
}
r = client.post('/teams/join', data=data)
user = Users.query.filter_by(id=2).first()
assert user.team_id == 1
destroy_ctfd(app)
def test_api_team_get_public():
"""Can a user get /api/v1/team/<team_id> if teams are public"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
set_config('account_visibility', 'public')
@@ -105,7 +129,7 @@ def test_api_team_get_public():
def test_api_team_get_private():
"""Can a user get /api/v1/teams/<team_id> if teams are private"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
register_user(app)
with login_as_user(app) as client:
@@ -125,7 +149,7 @@ def test_api_team_get_private():
def test_api_team_get_admin():
"""Can a user get /api/v1/teams/<team_id> if teams are viewed by admins only"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with login_as_user(app, 'admin') as client:
gen_team(app.db)
@@ -143,7 +167,7 @@ def test_api_team_get_admin():
def test_api_team_patch_non_admin():
"""Can a user patch /api/v1/teams/<team_id> if not admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with app.test_client() as client:
@@ -154,22 +178,26 @@ def test_api_team_patch_non_admin():
def test_api_team_patch_admin():
"""Can a user patch /api/v1/teams/<team_id> if admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with login_as_user(app, 'admin') as client:
r = client.patch('/api/v1/teams/1', json={
"name": "team_name",
"password": "password",
"affiliation": "changed"
})
team = Teams.query.filter_by(id=1).first()
assert r.status_code == 200
assert r.get_json()['data']['affiliation'] == 'changed'
assert verify_password('password', team.password)
destroy_ctfd(app)
def test_api_team_delete_non_admin():
"""Can a user delete /api/v1/teams/<team_id> if not admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with app.test_client() as client:
@@ -180,7 +208,7 @@ def test_api_team_delete_non_admin():
def test_api_team_delete_admin():
"""Can a user patch /api/v1/teams/<team_id> if admin"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
gen_team(app.db)
with login_as_user(app, 'admin') as client:
@@ -192,7 +220,7 @@ def test_api_team_delete_admin():
def test_api_team_get_me_not_logged_in():
"""Can a user get /api/v1/teams/me if not logged in"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.get('/api/v1/teams/me')
@@ -217,7 +245,7 @@ def test_api_team_get_me_logged_in():
def test_api_team_patch_me_not_logged_in():
"""Can a user patch /api/v1/teams/me if not logged in"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.patch('/api/v1/teams/me', json="")
@@ -242,7 +270,7 @@ def test_api_team_patch_me_logged_in():
def test_api_team_get_me_solves_not_logged_in():
"""Can a user get /api/v1/teams/me/solves if not logged in"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.get('/api/v1/teams/me/solves')
@@ -284,7 +312,7 @@ def test_api_team_get_solves():
def test_api_team_get_me_fails_not_logged_in():
"""Can a user get /api/v1/teams/me/fails if not logged in"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.get('/api/v1/teams/me/fails')
@@ -326,7 +354,7 @@ def test_api_team_get_fails():
def test_api_team_get_me_awards_not_logged_in():
"""Can a user get /api/v1/teams/me/awards if not logged in"""
app = create_ctfd()
app = create_ctfd(user_mode="teams")
with app.app_context():
with app.test_client() as client:
r = client.get('/api/v1/teams/me/awards')
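Review bot: test_api_teams_post_admin (the `@@ -70,24 +71,47 @@` hunk) only proves that the correct team password joins; it never checks that a wrong password is rejected, and the response `r` of the `/teams/join` post is not asserted on at all. A negative case would pin the behavior the hashing change is meant to protect: before the successful join, post the same form with `"password": "wrong"` and assert `Users.query.filter_by(id=2).first().team_id is None`, then run the existing join and keep `assert user.team_id == 1`. The `client.post('/teams/join', data=data)` is also issued inside the `with client.session_transaction() as sess:` block; it presumably works because the block only reads `nonce`, but moving the post after the block avoids depending on that. The hard-coded `id=2` and `team_id == 1` assume the admin user is id 1 and the freshly created team is id 1; if that is an invariant of create_ctfd, a one-line comment such as `# admin is user 1, so the registered user is id 2 and the team created above is id 1` would make the assertion readable.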