Add test for user limit registration behavior

2025-12-17 05:54:19 +01:00 · 2023-06-13 20:02:15 -04:00
parent 5e8ff5d892
commit 5d055f60f6
2 changed files with 50 additions and 8 deletions
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -189,6 +189,14 @@ def register():
    if current_user.authed():
        return redirect(url_for("challenges.listing"))

+    num_users_limit = int(get_config("num_users", default=0))
+    num_users = Users.query.filter_by(banned=False, hidden=False).count()
+    if num_users_limit and num_users >= num_users_limit:
+        abort(
+            403,
+            description=f"Reached the maximum number of users ({num_users_limit}).",
+        )
+
    if request.method == "POST":
        name = request.form.get("name", "").strip()
        email_address = request.form.get("email", "").strip().lower()
@@ -211,14 +219,6 @@ def register():
        valid_email = validators.validate_email(email_address)
        team_name_email_check = validators.validate_email(name)

-        num_users_limit = int(get_config("num_users", default=0))
-        num_users = Users.query.filter_by(banned=False, hidden=False).count()
-        if num_users_limit and num_users >= num_users_limit:
-            abort(
-                403,
-                description=f"Reached the maximum number of users ({num_users_limit}).",
-            )
-
        if get_config("registration_code"):
            if (
                registration_code.lower()
--- a/tests/users/test_users.py
+++ b/tests/users/test_users.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-

 from CTFd.models import Users
+from CTFd.utils import set_config
 from tests.helpers import (
    create_ctfd,
    destroy_ctfd,
@@ -107,3 +108,44 @@ def test_hidden_user_visibility():
            response = r.get_data(as_text=True)
            assert user_name in response
    destroy_ctfd(app)
+
+
+def test_num_users_limit():
+    """Only num_users users can be created"""
+    app = create_ctfd()
+    with app.app_context():
+        set_config("num_users", 1)
+
+        register_user(app)
+        with app.test_client() as client:
+            r = client.get("/register")
+            assert r.status_code == 403
+
+            # team should be blocked from creation
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "user",
+                    "email": "user@examplectf.com",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/register", data=data)
+            resp = r.get_data(as_text=True)
+            # This number is 2 to account for the admin and the registered user
+            assert Users.query.count() == 2
+            assert "Reached the maximum number of users" in resp
+
+            # Can the team be created after the num has been bumped
+            set_config("num_users", 2)
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "user1",
+                    "email": "user1@examplectf.com",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+            r = client.post("/register", data=data)
+            resp = r.get_data(as_text=True)
+            assert r.status_code == 302
+            assert Users.query.count() == 3
+    destroy_ctfd(app)