Properly hide users/teams if they are set to banned/hidden (#932)

* Properly hide users/teams if they are set to hidden/banned
    * This should be in the API and in the main user panel. This should not affect admins. 
* Update tests to reflect this behavior.
Kevin Chung
2019-04-04 22:44:18 -04:00
committed by GitHub
parent 268ed85f60
commit 7c60c697ee
10 changed files with 181 additions and 12 deletions


@@ -32,7 +32,7 @@ users_namespace = Namespace('users', description="Endpoint to retrieve Users")
class UserList(Resource):
@check_account_visibility
def get(self):
users = Users.query.filter_by(banned=False)
users = Users.query.filter_by(banned=False, hidden=False)
response = UserSchema(view='user', many=True).dump(users)
if response.errors:
@@ -78,6 +78,9 @@ class UserPublic(Resource):
def get(self, user_id):
user = Users.query.filter_by(id=user_id).first_or_404()
if (user.banned or user.hidden) and is_admin() is False:
abort(404)
response = UserSchema(
view=session.get('type', 'user')
).dump(user)
@@ -192,6 +195,9 @@ class UserSolves(Resource):
abort(404)
user = Users.query.filter_by(id=user_id).first_or_404()
if (user.banned or user.hidden) and is_admin() is False:
abort(404)
solves = user.get_solves(
admin=is_admin()
)
@@ -226,6 +232,9 @@ class UserFails(Resource):
abort(404)
user = Users.query.filter_by(id=user_id).first_or_404()
if (user.banned or user.hidden) and is_admin() is False:
abort(404)
fails = user.get_fails(
admin=is_admin()
)
@@ -266,6 +275,9 @@ class UserAwards(Resource):
abort(404)
user = Users.query.filter_by(id=user_id).first_or_404()
if (user.banned or user.hidden) and is_admin() is False:
abort(404)
awards = user.get_awards(
admin=is_admin()
)
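Review bot: The new visibility guard in UserPublic, UserSolves, UserFails and UserAwards tests `is_admin() is False`, an identity comparison that only fires when the helper returns the literal `False`. The definition of `is_admin()` is not shown here, but if it ever returns `None` or another falsy non-bool, the condition is skipped and a banned or hidden profile is served to a non-admin. Writing it as `if (user.banned or user.hidden) and not is_admin():` fails closed. Because the same two lines are repeated in four handlers, a small shared helper or decorator would keep a future per-user endpoint from missing the check. The handler bodies start and continue outside these hunks, so other per-user routes in the file could not be checked from here.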