fix: Ensure hidden users see their own solves (#1840) (#1846)

* Closes #1839

Co-authored-by: maybe-sybr <58414429+maybe-sybr@users.noreply.github.com>

tests/api/v1/test_challenges.py

@@ -364,6 +364,13 @@ def test_api_challenges_get_solve_count_hidden_user():
             assert r.status_code == 200
             chal_data = r.get_json()["data"].pop()
             assert chal_data["solves"] == 0
+        # We expect the admin to be able to see their own solve
+        with login_as_user(app, "admin") as admin:
+            r = admin.get("/api/v1/challenges")
+            assert r.status_code == 200
+            chal_data = r.get_json()["data"].pop()
+            assert chal_data["solves"] == 0
+            assert chal_data["solved_by_me"] is True
     destroy_ctfd(app)
 
 
@@ -398,6 +405,110 @@ def test_api_challenges_get_solve_count_banned_user():
     destroy_ctfd(app)
 
 
+def test_api_challenges_challenge_with_requirements():
+    """Does the challenge list API show challenges with requirements met?"""
+    app = create_ctfd()
+    with app.app_context():
+        prereq_id = gen_challenge(app.db).id
+        chal_obj = gen_challenge(app.db)
+        chal_obj.requirements = {"prerequisites": [prereq_id]}
+        chal_id = chal_obj.id
+        # Create a new user which will solve the prerequisite
+        register_user(app)
+        # Confirm that only the prerequisite challenge is listed initially
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            (chal_data,) = r.get_json()["data"]
+            assert chal_data["id"] == prereq_id
+        # Generate a solve and then confirm the second challenge is visible
+        gen_solve(app.db, user_id=2, challenge_id=prereq_id)
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            data = r.get_json()["data"]
+            assert len(data) == 2
+            chal_ids = {c["id"] for c in r.get_json()["data"]}
+            assert chal_ids == {prereq_id, chal_id}
+    destroy_ctfd(app)
+
+
+def test_api_challenges_challenge_with_requirements_hidden_user():
+    """Does the challenge list API show gated challenges to a hidden user?"""
+    app = create_ctfd()
+    with app.app_context():
+        prereq_id = gen_challenge(app.db).id
+        chal_obj = gen_challenge(app.db)
+        chal_obj.requirements = {"prerequisites": [prereq_id]}
+        chal_id = chal_obj.id
+        # Create a new user which will solve the prerequisite and hide them
+        register_user(app)
+        Users.query.get(2).hidden = True
+        app.db.session.commit()
+        # Confirm that only the prerequisite challenge is listed initially
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            (chal_data,) = r.get_json()["data"]
+            assert chal_data["id"] == prereq_id
+        # Generate a solve and then confirm the second challenge is visible
+        gen_solve(app.db, user_id=2, challenge_id=prereq_id)
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            data = r.get_json()["data"]
+            assert len(data) == 2
+            chal_ids = {c["id"] for c in r.get_json()["data"]}
+            assert chal_ids == {prereq_id, chal_id}
+    destroy_ctfd(app)
+
+
+def test_api_challenges_challenge_with_requirements_banned_user():
+    """Does the challenge list API show gated challenges to a banned user?"""
+    app = create_ctfd()
+    with app.app_context():
+        prereq_id = gen_challenge(app.db).id
+        chal_obj = gen_challenge(app.db)
+        chal_obj.requirements = {"prerequisites": [prereq_id]}
+        # Create a new user which will solve the prerequisite and ban them
+        register_user(app)
+        Users.query.get(2).banned = True
+        app.db.session.commit()
+        # Generate a solve just in case and confirm the API 403s
+        gen_solve(app.db, user_id=2, challenge_id=prereq_id)
+        with login_as_user(app) as client:
+            assert client.get("/api/v1/challenges").status_code == 403
+    destroy_ctfd(app)
+
+
+def test_api_challenges_challenge_with_requirements_no_user():
+    """Does the challenge list API show gated challenges to the public?"""
+    app = create_ctfd()
+    with app.app_context():
+        set_config("challenge_visibility", "public")
+        prereq_id = gen_challenge(app.db).id
+        chal_obj = gen_challenge(app.db)
+        chal_obj.requirements = {"prerequisites": [prereq_id]}
+        # Create a new user which will solve the prerequisite
+        register_user(app)
+        # Confirm that only the prerequisite challenge is listed publicly
+        with app.test_client() as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            initial_data = r.get_json()["data"]
+            (chal_data,) = initial_data
+            assert chal_data["id"] == prereq_id
+            # Fix up the solve count for later comparison with `initial_data`
+            chal_data["solves"] += 1
+        # Generate a solve and then confirm the response is unchanged
+        gen_solve(app.db, user_id=2, challenge_id=prereq_id)
+        with app.test_client() as client:
+            r = client.get("/api/v1/challenges")
+            assert r.status_code == 200
+            assert r.get_json()["data"] == initial_data
+    destroy_ctfd(app)
+
+
 def test_api_challenges_post_admin():
     """Can a user post /api/v1/challenges if admin"""
     app = create_ctfd()