From 9578355143d7af675fc4776b0f2de802be91e261 Mon Sep 17 00:00:00 2001
From: ajvpot
Date: Mon, 14 Sep 2015 21:35:12 -0500
Subject: [PATCH] Fix authentication for certain admin actions
---
 CTFd/admin.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CTFd/admin.py b/CTFd/admin.py
index da42b86a..50bce411 100644
--- a/CTFd/admin.py
+++ b/CTFd/admin.py
@@ -547,6 +547,7 @@ def admin_fails(teamid='all'):
 @admin.route('/admin/chal/new', methods=['POST'])
+@admins_only
 def admin_create_chal():
 files = request.files.getlist('files[]')
@@ -581,6 +582,7 @@ def admin_create_chal():
 @admin.route('/admin/chal/delete', methods=['POST'])
+@admins_only
 def admin_delete_chal():
 challenge = Challenges.query.filter_by(id=request.form['id']).first()
 if challenge:
@@ -600,6 +602,7 @@ def admin_delete_chal():
 @admin.route('/admin/chal/update', methods=['POST'])
+@admins_only
 def admin_update_chal():
 challenge = Challenges.query.filter_by(id=request.form['id']).first()
 challenge.name = request.form['name']
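Review bot: Adding `@admins_only` handler by handler, here on `admin_create_chal` and in the next two hunks on `admin_delete_chal` and `admin_update_chal`, keeps the blueprint fail-open: any view that omits the decorator is served without an admin session, which appears to be how these three POST routes were exposed. Consider enforcing the check once for the whole blueprint in an `@admin.before_request` hook (with an explicit exemption for any login view), or at least adding a test that walks `app.url_map` and asserts that every `/admin/` rule rejects an unauthenticated request. The decorator order is correct, since `@admin.route` is outermost and therefore registers the wrapped function; a comment such as `# keep @admins_only below @admin.route, otherwise the unwrapped view is registered` would guard against a later reorder. The body of `admin_create_chal` continues outside the hunk, so how the uploaded `files[]` are handled cannot be judged from here.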
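Review bot: In the `admin_update_chal` hunk, the result of `Challenges.query.filter_by(id=request.form['id']).first()` is dereferenced on the very next line without a None check, so a POST carrying an unknown `id` raises AttributeError and surfaces as a 500. `admin_delete_chal` in the previous hunk already guards the same lookup with `if challenge:`. A guard such as `if challenge is None: abort(404)` before `challenge.name = request.form['name']` would make the two handlers consistent (assuming `abort` is imported from flask in this module). The rest of `admin_update_chal` lies outside the hunk, so later attribute assignments depend on the same guard.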