From 9374c2a0a85308310d25538cdcea43c7c2d0d99d Mon Sep 17 00:00:00 2001 From: Kevin Chung Date: Wed, 9 Dec 2020 14:53:19 -0500 Subject: [PATCH] Mark 3.2.1 (#1757) # 3.2.1 / 2020-12-09 - Fixed an issue where Users could not unlock hints --- CHANGELOG.md | 4 ++++ CTFd/__init__.py | 2 +- CTFd/api/v1/unlocks.py | 14 ++++-------- tests/api/v1/user/test_hints.py | 33 ++++++++++++++++++++++++++++ tests/teams/test_hints.py | 39 +++++++++++++++++++++++++++++++++ 5 files changed, 81 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 813ca768..253682ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +# 3.2.1 / 2020-12-09 + +- Fixed an issue where Users could not unlock Hints + # 3.2.0 / 2020-12-07 **General** diff --git a/CTFd/__init__.py b/CTFd/__init__.py index 98046ad9..5146449f 100644 --- a/CTFd/__init__.py +++ b/CTFd/__init__.py @@ -26,7 +26,7 @@ from CTFd.utils.migrations import create_database, migrations, stamp_latest_revi from CTFd.utils.sessions import CachingSessionInterface from CTFd.utils.updates import update_check -__version__ = "3.2.0" +__version__ = "3.2.1" __channel__ = "oss" diff --git a/CTFd/api/v1/unlocks.py b/CTFd/api/v1/unlocks.py index 6cfb0a7b..f143abb7 100644 --- a/CTFd/api/v1/unlocks.py +++ b/CTFd/api/v1/unlocks.py @@ -11,7 +11,6 @@ from CTFd.constants import RawEnum from CTFd.models import Unlocks, db, get_class_by_tablename from CTFd.schemas.awards import AwardSchema from CTFd.schemas.unlocks import UnlockSchema -from CTFd.utils.config import is_teams_mode from CTFd.utils.decorators import ( admins_only, authed_only, @@ -19,7 +18,7 @@ from CTFd.utils.decorators import ( require_verified_emails, ) from CTFd.utils.helpers.models import build_model_filters -from CTFd.utils.user import get_current_team, get_current_user +from CTFd.utils.user import get_current_user unlocks_namespace = Namespace("unlocks", description="Endpoint to retrieve Unlocks") @@ -109,13 +108,8 @@ class UnlockList(Resource): target = Model.query.filter_by(id=req["target"]).first_or_404() # We should use the team's score if in teams mode - if is_teams_mode(): - team = get_current_team() - score = team.score - else: - score = user.score - - if target.cost > score: + # user.account gives the appropriate account based on team mode + if target.cost > user.account.score: return ( { "success": False, @@ -137,7 +131,7 @@ class UnlockList(Resource): existing = Unlocks.query.filter( Unlocks.target == req["target"], Unlocks.type == req["type"], - (Unlocks.user_id == req["user_id"]) | (Unlocks.team_id == req["team_id"]), + Unlocks.account_id == user.account_id, ).first() if existing: return ( diff --git a/tests/api/v1/user/test_hints.py b/tests/api/v1/user/test_hints.py index ff51bd0a..fe4b4dc1 100644 --- a/tests/api/v1/user/test_hints.py +++ b/tests/api/v1/user/test_hints.py @@ -116,6 +116,39 @@ def test_api_hint_double_unlock(): destroy_ctfd(app) +def test_users_dont_prevent_other_users_from_unlocking_hints(): + """Unlocks from one user don't affect other users""" + app = create_ctfd() + with app.app_context(): + chal = gen_challenge(app.db) + gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard") + register_user(app) + register_user(app, name="user2", email="user2@ctfd.io") + + # Give users points with an award + gen_award(app.db, user_id=2) + gen_award(app.db, user_id=3) + + # First user unlocks hints + with login_as_user(app) as client: + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) + assert r.status_code == 200 + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + + # Second user unlocks hints + with login_as_user(app, name="user2") as client: + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) + assert r.status_code == 200 + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + destroy_ctfd(app) + + def test_api_hints_admin_access(): """Can the users access /api/v1/hints if not admin""" app = create_ctfd() diff --git a/tests/teams/test_hints.py b/tests/teams/test_hints.py index ba6b3008..2024a0b9 100644 --- a/tests/teams/test_hints.py +++ b/tests/teams/test_hints.py @@ -97,3 +97,42 @@ def test_hint_team_unlocking_without_points(): == "You do not have enough points to unlock this hint" ) destroy_ctfd(app) + + +def test_teams_dont_prevent_other_teams_from_unlocking_hints(): + """Unlocks from one user don't affect other users""" + app = create_ctfd(user_mode="teams") + with app.app_context(): + chal = gen_challenge(app.db) + gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard") + + team1 = gen_team(app.db, name="team1", email="team1@ctfd.io") + team2 = gen_team(app.db, name="team2", email="team2@ctfd.io") + + # Give users points with an award + gen_award(app.db, user_id=team1.captain_id) + gen_award(app.db, user_id=team2.captain_id) + + captain1 = team1.captain.name + captain2 = team2.captain.name + + app.db.session.commit() + + # First team unlocks hint + with login_as_user(app, name=captain1) as client: + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) + assert r.status_code == 200 + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + + # Second team unlocks hint + with login_as_user(app, name=captain2) as client: + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"}) + assert r.status_code == 200 + r = client.get("/api/v1/hints/1") + assert r.status_code == 200 + destroy_ctfd(app)