Mark 3.1.0 (#1634)

# 3.1.0 / 2020-09-08

**General**

- Loosen team password confirmation in team settings to also accept the team captain's password to make it easier to change the team password
- Adds the ability to add custom user and team fields for registration/profile settings.
- Improve Notifications pubsub events system to use a subscriber per server instead of a subscriber per browser. This should improve the reliability of CTFd at higher load and make it easier to deploy the Notifications system

**Admin Panel**

- Add a comments functionality for admins to discuss challenges, users, teams, pages
- Adds a legal section in Configs where users can add a terms of service and privacy policy
- Add a Custom Fields section in Configs where admins can add/edit custom user/team fields
- Move user graphs into a modal for Admin Panel

**API**

- Add `/api/v1/comments` to manipulate and create comments

**Themes**

- Make scoreboard caching only cache the score table instead of the entire page. This is done by caching the specific template section. Refer to #1586, specifically the changes in `scoreboard.html`.
- Add rel=noopener to external links to prevent tab napping attacks
- Change the registration page to reference links to Terms of Service and Privacy Policy if specified in configuration

**Miscellaneous**

- Make team settings modal larger in the core theme
- Update tests in Github Actions to properly test under MySQL and Postgres
- Make gevent default in serve.py and add a `--disable-gevent` switch in serve.py
- Add `tenacity` library for retrying logic
- Add `pytest-sugar` for slightly prettier pytest output
- Add a `listen()` method to `CTFd.utils.events.EventManager` and `CTFd.utils.events.RedisEventManager`.
  - This method should implement subscription for a CTFd worker to whatever underlying notification system there is. This should be implemented with gevent or a background thread.
  - The `subscribe()` method (which used to implement the functionality of the new `listen()` function) now only handles passing notifications from CTFd to the browser. This should also be implemented with gevent or a background thread.

tests/api/v1/test_comments.py

@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from CTFd.models import Comments
+from tests.helpers import (
+    create_ctfd,
+    destroy_ctfd,
+    gen_challenge,
+    gen_comment,
+    login_as_user,
+    register_user,
+)
+
+
+def test_api_post_comments():
+    app = create_ctfd()
+    with app.app_context():
+        gen_challenge(app.db)
+        with login_as_user(app, "admin") as admin:
+            r = admin.post(
+                "/api/v1/comments",
+                json={
+                    "content": "this is a challenge comment",
+                    "type": "challenge",
+                    "challenge_id": 1,
+                },
+            )
+            # Check that POST response has comment data
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"]["content"] == "this is a challenge comment"
+            assert "this is a challenge comment" in resp["data"]["html"]
+            assert resp["data"]["type"] == "challenge"
+
+            # Check that the comment shows up in the list of comments for the given challenge
+            r = admin.get("/api/v1/comments?challenge_id=1", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"][0]["content"] == "this is a challenge comment"
+            assert "this is a challenge comment" in resp["data"][0]["html"]
+            assert resp["data"][0]["type"] == "challenge"
+    destroy_ctfd(app)
+
+
+def test_api_post_comments_with_invalid_author_id():
+    app = create_ctfd()
+    with app.app_context():
+        gen_challenge(app.db)
+        register_user(app)
+        with login_as_user(app, "admin") as admin:
+            r = admin.post(
+                "/api/v1/comments",
+                json={
+                    "content": "this is a challenge comment",
+                    "type": "challenge",
+                    "challenge_id": 1,
+                    "author_id": 2,
+                },
+            )
+            # Check that POST response has comment data
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"]["author_id"] == 1
+    destroy_ctfd(app)
+
+
+def test_api_get_comments():
+    app = create_ctfd()
+    with app.app_context():
+        gen_challenge(app.db)
+        with login_as_user(app, "admin") as admin:
+            gen_comment(
+                app.db,
+                content="this is a challenge comment",
+                author_id=1,
+                challenge_id=1,
+            )
+            r = admin.get("/api/v1/comments", json="")
+
+            # Check that the comment shows up in the list of all comments
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert resp["data"][0]["content"] == "this is a challenge comment"
+            assert "this is a challenge comment" in resp["data"][0]["html"]
+            assert resp["data"][0]["type"] == "challenge"
+    destroy_ctfd(app)
+
+
+def test_api_delete_comments():
+    app = create_ctfd()
+    with app.app_context():
+        gen_challenge(app.db)
+        with login_as_user(app, "admin") as admin:
+            gen_comment(
+                app.db,
+                content="this is a challenge comment",
+                author_id=1,
+                challenge_id=1,
+            )
+            assert Comments.query.count() == 1
+
+            # Check that the comment can be deleted
+            r = admin.delete("/api/v1/comments/1", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert Comments.query.count() == 0
+            assert resp["success"] is True
+    destroy_ctfd(app)