Properly hide users/teams if they are set to banned/hidden (#932)

* Properly hide users/teams if they are set to hidden/banned * This should be in the API and in the main user panel. This should not affect admins. * Update tests to reflect this behavior.
2025-12-17 14:04:20 +01:00 · 2019-04-04 22:44:18 -04:00
parent 268ed85f60
commit 7c60c697ee
10 changed files with 181 additions and 12 deletions
--- a/tests/teams/test_teams.py
+++ b/tests/teams/test_teams.py
@@ -22,6 +22,27 @@ def test_teams_get():
    destroy_ctfd(app)


+def test_accessing_hidden_teams():
+    """Hidden teams should not give any data from /teams or /api/v1/teams"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        register_user(app)
+        register_user(app, name="visible_user", email="visible_user@ctfd.io")
+        with login_as_user(app, name="visible_user") as client:
+            user = Users.query.filter_by(id=2).first()
+            team = gen_team(app.db, name='visible_team', hidden=True)
+            team.members.append(user)
+            user.team_id = team.id
+            app.db.session.commit()
+
+            assert client.get('/teams/1').status_code == 404
+            assert client.get('/api/v1/teams/1').status_code == 404
+            assert client.get('/api/v1/teams/1/solves').status_code == 404
+            assert client.get('/api/v1/teams/1/fails').status_code == 404
+            assert client.get('/api/v1/teams/1/awards').status_code == 404
+    destroy_ctfd(app)
+
+
 def test_hidden_teams_visibility():
    """Hidden teams should not show up on /teams or /api/v1/teams or /api/v1/scoreboard"""
    app = create_ctfd(user_mode="teams")