Properly hide users/teams if they are set to banned/hidden (#932)

* Properly hide users/teams if they are set to hidden/banned * This should be in the API and in the main user panel. This should not affect admins. * Update tests to reflect this behavior.
2025-12-17 14:04:20 +01:00 · 2019-04-04 22:44:18 -04:00
parent 268ed85f60
commit 7c60c697ee
10 changed files with 181 additions and 12 deletions
--- a/tests/api/v1/test_users.py
+++ b/tests/api/v1/test_users.py
@@ -571,6 +571,54 @@ def test_api_user_get_awards():
    destroy_ctfd(app)


+def test_api_accessing_hidden_users():
+    """Hidden users should not be visible to normal users, only to admins"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app, name="visible_user", email="visible_user@ctfd.io")
+        register_user(app, name="hidden_user", email="hidden_user@ctfd.io")  # ID 3
+        user = Users.query.filter_by(name="hidden_user").first()
+        user.hidden = True
+        app.db.session.commit()
+
+        with login_as_user(app, name="visible_user") as client:
+            assert client.get('/api/v1/users/3').status_code == 404
+            assert client.get('/api/v1/users/3/solves').status_code == 404
+            assert client.get('/api/v1/users/3/fails').status_code == 404
+            assert client.get('/api/v1/users/3/awards').status_code == 404
+
+        with login_as_user(app, name="admin") as client:
+            assert client.get('/api/v1/users/3').status_code == 200
+            assert client.get('/api/v1/users/3/solves').status_code == 200
+            assert client.get('/api/v1/users/3/fails').status_code == 200
+            assert client.get('/api/v1/users/3/awards').status_code == 200
+    destroy_ctfd(app)
+
+
+def test_api_accessing_banned_users():
+    """Banned users should not be visible to normal users, only to admins"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app, name="visible_user", email="visible_user@ctfd.io")
+        register_user(app, name="banned_user", email="banned_user@ctfd.io")  # ID 3
+        user = Users.query.filter_by(name="banned_user").first()
+        user.banned = True
+        app.db.session.commit()
+
+        with login_as_user(app, name="visible_user") as client:
+            assert client.get('/api/v1/users/3').status_code == 404
+            assert client.get('/api/v1/users/3/solves').status_code == 404
+            assert client.get('/api/v1/users/3/fails').status_code == 404
+            assert client.get('/api/v1/users/3/awards').status_code == 404
+
+        with login_as_user(app, name="admin") as client:
+            assert client.get('/api/v1/users/3').status_code == 200
+            assert client.get('/api/v1/users/3/solves').status_code == 200
+            assert client.get('/api/v1/users/3/fails').status_code == 200
+            assert client.get('/api/v1/users/3/awards').status_code == 200
+    destroy_ctfd(app)
+
+
 def test_api_user_send_email():
    """Can an admin post /api/v1/users/<user_id>/email"""
    app = create_ctfd()