Clarify Score Visibility and Account Visibility (#2227)

* Don't show /scoreboard if we do not have account_visibility
* Clarify the behavior of Score Visibility with respect to Account Visibility

CTFd/scoreboard.py

@@ -2,7 +2,10 @@ from flask import Blueprint, render_template
 
 from CTFd.utils import config
 from CTFd.utils.config.visibility import scores_visible
-from CTFd.utils.decorators.visibility import check_score_visibility
+from CTFd.utils.decorators.visibility import (
+    check_account_visibility,
+    check_score_visibility,
+)
 from CTFd.utils.helpers import get_infos
 from CTFd.utils.scores import get_standings
 from CTFd.utils.user import is_admin
@@ -11,6 +14,7 @@ scoreboard = Blueprint("scoreboard", __name__)
 
 
 @scoreboard.route("/scoreboard")
+@check_account_visibility
 @check_score_visibility
 def listing():
     infos = get_infos()

CTFd/themes/admin/templates/configs/settings.html

@@ -20,6 +20,26 @@
 			</select>
 		</div>
 
+		<div class="form-group">
+			<label>
+				Account Visibility<br>
+				<small class="form-text text-muted">
+					Control whether accounts (users &amp; teams) are shown to everyone, only to authenticated users, or only to admins
+				</small>
+			</label>
+			<select class="form-control custom-select" name="account_visibility">
+				<option value="public" {% if account_visibility == 'public' %}selected{% endif %}>
+					Public
+				</option>
+				<option value="private" {% if account_visibility == 'private' %}selected{% endif %}>
+					Private
+				</option>
+				<option value="admins" {% if account_visibility == 'admins' %}selected{% endif %}>
+					Admins Only
+				</option>
+			</select>
+		</div>
+
 		<div class="form-group">
 			<label>
 				Score Visibility<br>
@@ -42,30 +62,9 @@
 				</option>
 			</select>
 			<small class="form-text text-muted">
-				This setting should generally be the same as Account Visibility to avoid conflicts.
+				Score Visibility is a subset of Account Visibility. 
-			</small>
+				This means that if accounts are visible to a user then score visibility will control whether they can see the score of that user. 
-		</div>
+				If accounts are not visibile then score visibility has no effect.
-
-		<div class="form-group">
-			<label>
-				Account Visibility<br>
-				<small class="form-text text-muted">
-					Control whether accounts (users &amp; teams) are shown to everyone, only to authenticated users, or only to admins
-				</small>
-			</label>
-			<select class="form-control custom-select" name="account_visibility">
-				<option value="public" {% if account_visibility == 'public' %}selected{% endif %}>
-					Public
-				</option>
-				<option value="private" {% if account_visibility == 'private' %}selected{% endif %}>
-					Private
-				</option>
-				<option value="admins" {% if account_visibility == 'admins' %}selected{% endif %}>
-					Admins Only
-				</option>
-			</select>
-			<small class="form-text text-muted">
-				This setting should generally be the same as Score Visibility to avoid conflicts.
 			</small>
 		</div>
 

CTFd/themes/core/templates/components/navbar.html

@@ -30,7 +30,7 @@
                     {% endif %}
                 {% endif %}
 
-                {% if Configs.score_visibility != 'admins' %}
+                {% if Configs.account_visibility != 'admins' and Configs.score_visibility != 'admins' %}
                     <li class="nav-item">
                         <a class="nav-link" href="{{ url_for('scoreboard.listing') }}">Scoreboard</a>
                     </li>