Loosen team password confirmation to also accept team captain password (#1598)

* Loosen team password confirmation to also accept team captain password * Make team settings modal larger in the core theme * Add help text in team settings form * Closes #1545
2025-12-17 22:14:25 +01:00 · 2020-08-13 14:08:44 -04:00
parent da4357b07b
commit 92a40b6eff
4 changed files with 82 additions and 21 deletions
--- a/tests/api/v1/test_teams.py
+++ b/tests/api/v1/test_teams.py
@@ -633,7 +633,9 @@ def test_api_team_patch_password():
    """Can a user change their team password /api/v1/teams/me if logged in as the captain"""
    app = create_ctfd(user_mode="teams")
    with app.app_context():
-        user1 = gen_user(app.db, name="user1", email="user1@ctfd.io")  # ID 2
+        user1 = gen_user(
+            app.db, name="user1", email="user1@ctfd.io", password="captain"
+        )  # ID 2
        user2 = gen_user(app.db, name="user2", email="user2@ctfd.io")  # ID 3
        team = gen_team(app.db)
        team.members.append(user1)
@@ -660,16 +662,38 @@ def test_api_team_patch_password():
                is False
            )

-        with login_as_user(app, name="user1") as client:
+        with login_as_user(app, name="user1", password="captain") as client:
+            # Test that invalid passwords aren't accepted
+            r = client.patch(
+                "/api/v1/teams/me",
+                json={"confirm": "incorrect_password", "password": "new_password"},
+            )
+            assert r.status_code == 400
+            assert (
+                verify_password(plaintext="new_password", ciphertext=team.password)
+                is False
+            )
+
+            # Test that the team's password is accepted
            r = client.patch(
                "/api/v1/teams/me",
                json={"confirm": "password", "password": "new_password"},
            )
            assert r.status_code == 200
-
            team = Teams.query.filter_by(id=1).first()
            assert verify_password(plaintext="new_password", ciphertext=team.password)

+            # Test that the captain's password is also accepted
+            r = client.patch(
+                "/api/v1/teams/me",
+                json={"confirm": "captain", "password": "captain_password"},
+            )
+            assert r.status_code == 200
+            team = Teams.query.filter_by(id=1).first()
+            assert verify_password(
+                plaintext="captain_password", ciphertext=team.password
+            )
+

 def test_api_accessing_hidden_banned_users():
    """Hidden/Banned users should not be visible to normal users, only to admins"""