Mark 3.2.1 (#1757)

# 3.2.1 / 2020-12-09

- Fixed an issue where Users could not unlock hints

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 3.2.1 / 2020-12-09
+
+- Fixed an issue where Users could not unlock Hints
+
 # 3.2.0 / 2020-12-07
 
 **General**

CTFd/__init__.py

@@ -26,7 +26,7 @@ from CTFd.utils.migrations import create_database, migrations, stamp_latest_revi
 from CTFd.utils.sessions import CachingSessionInterface
 from CTFd.utils.updates import update_check
 
-__version__ = "3.2.0"
+__version__ = "3.2.1"
 __channel__ = "oss"
 
 

CTFd/api/v1/unlocks.py

@@ -11,7 +11,6 @@ from CTFd.constants import RawEnum
 from CTFd.models import Unlocks, db, get_class_by_tablename
 from CTFd.schemas.awards import AwardSchema
 from CTFd.schemas.unlocks import UnlockSchema
-from CTFd.utils.config import is_teams_mode
 from CTFd.utils.decorators import (
     admins_only,
     authed_only,
@@ -19,7 +18,7 @@ from CTFd.utils.decorators import (
     require_verified_emails,
 )
 from CTFd.utils.helpers.models import build_model_filters
-from CTFd.utils.user import get_current_team, get_current_user
+from CTFd.utils.user import get_current_user
 
 unlocks_namespace = Namespace("unlocks", description="Endpoint to retrieve Unlocks")
 
@@ -109,13 +108,8 @@ class UnlockList(Resource):
         target = Model.query.filter_by(id=req["target"]).first_or_404()
 
         # We should use the team's score if in teams mode
-        if is_teams_mode():
-            team = get_current_team()
-            score = team.score
-        else:
-            score = user.score
-
-        if target.cost > score:
+        # user.account gives the appropriate account based on team mode
+        if target.cost > user.account.score:
             return (
                 {
                     "success": False,
@@ -137,7 +131,7 @@ class UnlockList(Resource):
         existing = Unlocks.query.filter(
             Unlocks.target == req["target"],
             Unlocks.type == req["type"],
-            (Unlocks.user_id == req["user_id"]) | (Unlocks.team_id == req["team_id"]),
+            Unlocks.account_id == user.account_id,
         ).first()
         if existing:
             return (

tests/api/v1/user/test_hints.py

@@ -116,6 +116,39 @@ def test_api_hint_double_unlock():
     destroy_ctfd(app)
 
 
+def test_users_dont_prevent_other_users_from_unlocking_hints():
+    """Unlocks from one user don't affect other users"""
+    app = create_ctfd()
+    with app.app_context():
+        chal = gen_challenge(app.db)
+        gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard")
+        register_user(app)
+        register_user(app, name="user2", email="user2@ctfd.io")
+
+        # Give users points with an award
+        gen_award(app.db, user_id=2)
+        gen_award(app.db, user_id=3)
+
+        # First user unlocks hints
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+            r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
+            assert r.status_code == 200
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+
+        # Second user unlocks hints
+        with login_as_user(app, name="user2") as client:
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+            r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
+            assert r.status_code == 200
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+    destroy_ctfd(app)
+
+
 def test_api_hints_admin_access():
     """Can the users access /api/v1/hints if not admin"""
     app = create_ctfd()

tests/teams/test_hints.py

@@ -97,3 +97,42 @@ def test_hint_team_unlocking_without_points():
                 == "You do not have enough points to unlock this hint"
             )
     destroy_ctfd(app)
+
+
+def test_teams_dont_prevent_other_teams_from_unlocking_hints():
+    """Unlocks from one user don't affect other users"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        chal = gen_challenge(app.db)
+        gen_hint(app.db, chal.id, content="This is a hint", cost=1, type="standard")
+
+        team1 = gen_team(app.db, name="team1", email="team1@ctfd.io")
+        team2 = gen_team(app.db, name="team2", email="team2@ctfd.io")
+
+        # Give users points with an award
+        gen_award(app.db, user_id=team1.captain_id)
+        gen_award(app.db, user_id=team2.captain_id)
+
+        captain1 = team1.captain.name
+        captain2 = team2.captain.name
+
+        app.db.session.commit()
+
+        # First team unlocks hint
+        with login_as_user(app, name=captain1) as client:
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+            r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
+            assert r.status_code == 200
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+
+        # Second team unlocks hint
+        with login_as_user(app, name=captain2) as client:
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+            r = client.post("/api/v1/unlocks", json={"target": 1, "type": "hints"})
+            assert r.status_code == 200
+            r = client.get("/api/v1/hints/1")
+            assert r.status_code == 200
+    destroy_ctfd(app)