diff --git a/CTFd/views.py b/CTFd/views.py
index 6b3fae58..dc6311dd 100644
--- a/CTFd/views.py
+++ b/CTFd/views.py
@@ -409,8 +409,17 @@ def files(path):
 else:
 abort(403)
 else:
+ # User cannot view challenges based on challenge visibility
+ # e.g. ctf requires registration but user isn't authed or
+ # ctf requires admin account but user isn't admin
 if not ctftime():
- abort(403)
+ # It's not CTF time. The only edge case is if the CTF is ended
+ # but we have view_after_ctf enabled
+ if ctf_ended() and view_after_ctf():
+ pass
+ else:
+ # In all other situations we should block challenge files
+ abort(403)
 
 # Allow downloads if a valid token is provided
 token = request.args.get("token", "")
diff --git a/tests/test_views.py b/tests/test_views.py
index ac594534..3b814940 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -383,6 +383,19 @@ def test_user_can_access_files_with_auth_token():
 r = admin.get(file_url)
 assert r.status_code == 200
 assert r.get_data(as_text=True) == "testing file load"
+
+ with freeze_time("2017-10-7"):
+ # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
+ set_config("end", "1507262400")
+ set_config("view_after_ctf", True)
+ for v in ("public", "private"):
+ set_config("challenge_visibility", v)
+
+ # Unauthed users should be able to download if view_after_ctf
+ client = app.test_client()
+ r = client.get(file_url)
+ assert r.status_code == 200
+ assert r.get_data(as_text=True) == "testing file load"
 finally:
 rmdir(directory)
 destroy_ctfd(app)
@@ -428,6 +441,12 @@ def test_user_can_access_files_if_view_after_ctf():
 r = client.get(file_url)
 assert r.status_code == 200
 assert r.get_data(as_text=True) == "testing file load"
+
+ # Unauthed users should be able to download if view_after_ctf
+ client = app.test_client()
+ r = client.get(file_url)
+ assert r.status_code == 200
+ assert r.get_data(as_text=True) == "testing file load"
 finally:
 rmdir(directory)
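Review bot: The new `ctf_ended() and view_after_ctf()` exception in the unauthenticated branch fires for every `challenge_visibility` value, even though the comment added just above it names the admins-only setting as a reason to deny; once the CTF has ended, the only gate left between this branch and the file is the token check that starts at `token = request.args.get("token", "")` and continues past the hunk, so admins-only enforcement now rests entirely on that code. That dependency should be stated where the decision is made, and the `pass`/`else` pair is clearer inverted: `if not (ctf_ended() and view_after_ctf()): abort(403)` preceded by `# view_after_ctf only waives the time check; visibility (e.g. admins-only) must still be enforced by the token validation below`. If the token path does not reject non-admin tokens under the admins setting, this change would let any token holder fetch admin-only files after the CTF ends — please confirm against the code below the hunk. `files()` begins before the hunk, so the outer condition that routes requests into this branch is not visible here.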
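Review bot: The new loop exercises `challenge_visibility` values `"public"` and `"private"` only, leaving `"admins"` — the one case the production-side comment singles out — without a post-CTF assertion; add a third case expecting a denial, e.g. `set_config("challenge_visibility", "admins")`, `r = app.test_client().get(file_url)`, `assert r.status_code == 403` (the exact status depends on the token validation in views.py, which is outside this hunk). The comment `# Unauthed users should be able to download if view_after_ctf` is also slightly misleading if `file_url` carries the auth token, as the test's name suggests; `# Unauthed client with a valid token can download once the CTF has ended and view_after_ctf is on` would describe what is actually exercised. `test_user_can_access_files_with_auth_token` begins outside the hunk, so where `file_url` is built is not visible here.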