Mark 3.1.0 (#1634)

# 3.1.0 / 2020-09-08

**General**

- Loosen team password confirmation in team settings to also accept the team captain's password to make it easier to change the team password
- Adds the ability to add custom user and team fields for registration/profile settings.
- Improve Notifications pubsub events system to use a subscriber per server instead of a subscriber per browser. This should improve the reliability of CTFd at higher load and make it easier to deploy the Notifications system

**Admin Panel**

- Add a comments functionality for admins to discuss challenges, users, teams, pages
- Adds a legal section in Configs where users can add a terms of service and privacy policy
- Add a Custom Fields section in Configs where admins can add/edit custom user/team fields
- Move user graphs into a modal for Admin Panel

**API**

- Add `/api/v1/comments` to manipulate and create comments

**Themes**

- Make scoreboard caching only cache the score table instead of the entire page. This is done by caching the specific template section. Refer to #1586, specifically the changes in `scoreboard.html`.
- Add rel=noopener to external links to prevent tab napping attacks
- Change the registration page to reference links to Terms of Service and Privacy Policy if specified in configuration

**Miscellaneous**

- Make team settings modal larger in the core theme
- Update tests in Github Actions to properly test under MySQL and Postgres
- Make gevent default in serve.py and add a `--disable-gevent` switch in serve.py
- Add `tenacity` library for retrying logic
- Add `pytest-sugar` for slightly prettier pytest output
- Add a `listen()` method to `CTFd.utils.events.EventManager` and `CTFd.utils.events.RedisEventManager`.
  - This method should implement subscription for a CTFd worker to whatever underlying notification system there is. This should be implemented with gevent or a background thread.
  - The `subscribe()` method (which used to implement the functionality of the new `listen()` function) now only handles passing notifications from CTFd to the browser. This should also be implemented with gevent or a background thread.

tests/api/v1/test_teams.py

@@ -633,7 +633,9 @@ def test_api_team_patch_password():
     """Can a user change their team password /api/v1/teams/me if logged in as the captain"""
     app = create_ctfd(user_mode="teams")
     with app.app_context():
-        user1 = gen_user(app.db, name="user1", email="user1@ctfd.io")  # ID 2
+        user1 = gen_user(
+            app.db, name="user1", email="user1@ctfd.io", password="captain"
+        )  # ID 2
         user2 = gen_user(app.db, name="user2", email="user2@ctfd.io")  # ID 3
         team = gen_team(app.db)
         team.members.append(user1)
@@ -660,16 +662,38 @@ def test_api_team_patch_password():
                 is False
             )
 
-        with login_as_user(app, name="user1") as client:
+        with login_as_user(app, name="user1", password="captain") as client:
+            # Test that invalid passwords aren't accepted
+            r = client.patch(
+                "/api/v1/teams/me",
+                json={"confirm": "incorrect_password", "password": "new_password"},
+            )
+            assert r.status_code == 400
+            assert (
+                verify_password(plaintext="new_password", ciphertext=team.password)
+                is False
+            )
+
+            # Test that the team's password is accepted
             r = client.patch(
                 "/api/v1/teams/me",
                 json={"confirm": "password", "password": "new_password"},
             )
             assert r.status_code == 200
-
             team = Teams.query.filter_by(id=1).first()
             assert verify_password(plaintext="new_password", ciphertext=team.password)
 
+            # Test that the captain's password is also accepted
+            r = client.patch(
+                "/api/v1/teams/me",
+                json={"confirm": "captain", "password": "captain_password"},
+            )
+            assert r.status_code == 200
+            team = Teams.query.filter_by(id=1).first()
+            assert verify_password(
+                plaintext="captain_password", ciphertext=team.password
+            )
+
 
 def test_api_accessing_hidden_banned_users():
     """Hidden/Banned users should not be visible to normal users, only to admins"""