From 4d6bf811eda5ad3df45e185154c804143e310d60 Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sat, 19 May 2018 19:18:35 -0400
Subject: [PATCH] Fix banned users not being able to see their own solves
 (#633)

* Fix banned users not being able to see their own solves
---
 CTFd/challenges.py            |  2 +-
 tests/user/test_challenges.py | 52 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/CTFd/challenges.py b/CTFd/challenges.py
index 2a059e87..db72a801 100644
--- a/CTFd/challenges.py
+++ b/CTFd/challenges.py
@@ -208,7 +208,7 @@ def solves_private():
         if utils.authed():
             solves = Solves.query\
                 .join(Teams, Solves.teamid == Teams.id)\
-                .filter(Solves.teamid == session['id'], Teams.banned == False)\
+                .filter(Solves.teamid == session['id'])\
                 .all()
         else:
             return jsonify({'solves': []})
diff --git a/tests/user/test_challenges.py b/tests/user/test_challenges.py
index db837526..1c764c69 100644
--- a/tests/user/test_challenges.py
+++ b/tests/user/test_challenges.py
@@ -614,3 +614,55 @@ def test_challenges_cannot_be_solved_while_paused():
         wrong_keys = WrongKeys.query.all()
         assert len(wrong_keys) == 0
     destroy_ctfd(app)
+
+
+def test_challenge_solves_can_be_seen():
+    """Test that the /solves endpoint works properly for users"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+
+        with app.test_client() as client:
+            r = client.get('/solves')
+            assert r.location.startswith("http://localhost/login?next=")
+            assert r.status_code == 302
+
+        client = login_as_user(app)
+
+        r = client.get('/solves')
+        data = r.get_data(as_text=True)
+        data = json.loads(data)
+
+        assert len(data['solves']) == 0
+
+        chal = gen_challenge(app.db)
+        chal_id = chal.id
+        flag = gen_flag(app.db, chal=chal_id, flag='flag')
+        with client.session_transaction() as sess:
+            data = {
+                "key": 'flag',
+                "nonce": sess.get('nonce')
+            }
+        r = client.post('/chal/{}'.format(chal_id), data=data)
+
+        data = r.get_data(as_text=True)
+        data = json.loads(data)
+
+        r = client.get('/solves')
+        data = r.get_data(as_text=True)
+        data = json.loads(data)
+
+        assert len(data['solves']) > 0
+
+        team = Teams.query.filter_by(id=2).first()
+        team.banned = True
+        db.session.commit()
+
+        r = client.get('/solves')
+        data = r.get_data(as_text=True)
+        data = json.loads(data)
+
+        team = Teams.query.filter_by(id=2).first()
+        assert team.banned
+        assert len(data['solves']) > 0
+    destroy_ctfd(app)