Fix authentication for certain admin actions

2025-12-18 14:34:21 +01:00 · 2015-09-14 21:35:12 -05:00
parent 310d6b8071
commit 9578355143
1 changed files with 3 additions and 0 deletions
--- a/CTFd/admin.py
+++ b/CTFd/admin.py
@@ -547,6 +547,7 @@ def admin_fails(teamid='all'):


@admin.route('/admin/chal/new', methods=['POST'])
+@admins_only
 def admin_create_chal():
    files = request.files.getlist('files[]')

@@ -581,6 +582,7 @@ def admin_create_chal():


@admin.route('/admin/chal/delete', methods=['POST'])
+@admins_only
 def admin_delete_chal():
    challenge = Challenges.query.filter_by(id=request.form['id']).first()
    if challenge:
@@ -600,6 +602,7 @@ def admin_delete_chal():


@admin.route('/admin/chal/update', methods=['POST'])
+@admins_only
 def admin_update_chal():
    challenge = Challenges.query.filter_by(id=request.form['id']).first()
    challenge.name = request.form['name']