From 7e3b1962c48cf21405c30828691d06863a11a344 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Wed, 29 Apr 2020 12:46:48 -0400
Subject: [PATCH 1/2] Extract user/team banning code into its own initialization function

---
 CTFd/utils/initialization/__init__.py | 49 ++++++++++++++-------------
 1 file changed, 26 insertions(+), 23 deletions(-)

diff --git a/CTFd/utils/initialization/__init__.py b/CTFd/utils/initialization/__init__.py
index 158cb870..c10e3b24 100644
--- a/CTFd/utils/initialization/__init__.py
+++ b/CTFd/utils/initialization/__init__.py
@@ -164,6 +164,32 @@ def init_request_processors(app):
 else:
 return redirect(url_for("views.setup"))
 
+ @app.before_request
+ def banned():
+ if request.endpoint == "views.themes":
+ return
+
+ if authed():
+ user = get_current_user()
+ team = get_current_team()
+
+ if user and user.banned:
+ return (
+ render_template(
+ "errors/403.html", error="You have been banned from this CTF"
+ ),
+ 403,
+ )
+
+ if team and team.banned:
+ return (
+ render_template(
+ "errors/403.html",
+ error="Your team has been banned from this CTF",
+ ),
+ 403,
+ )
+
 @app.before_request
 def tracker():
 if request.endpoint == "views.themes":
@@ -183,29 +209,6 @@ def init_request_processors(app):
 db.session.rollback()
 logout_user()
 
- if authed():
- user = get_current_user()
- team = get_current_team()
-
- if request.path.startswith("/themes") is False:
- if user and user.banned:
- return (
- render_template(
- "errors/403.html",
- error="You have been banned from this CTF",
- ),
- 403,
- )
-
- if team and team.banned:
- return (
- render_template(
- "errors/403.html",
- error="Your team has been banned from this CTF",
- ),
- 403,
- )
-
 db.session.close()
 
 @app.before_request

From abd8aae84fdb13c02c80256275b3b38df079cfeb Mon Sep 17 00:00:00 2001
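Review bot: The new `banned()` hook short-circuits the request with a 403 whenever it fires, so any `before_request` registered after it never runs for a banned user; its registration order relative to `tracker()` and to the `tokens()` hook (outside this hunk) is therefore part of its behaviour, and nothing in the hunk records that intent. A docstring would help, e.g. `"""Return 403 for a banned user or team; theme assets (views.themes) are exempt."""`, plus a one-line comment above the decorator naming which hooks it is meant to run before or after. Note also that `request.endpoint` is `None` for a URL that matches no route, so a banned user receives this 403 rather than a 404 (the removed path-based check behaved the same way for paths outside `/themes`), and the HTML template is returned to `/api/v1/...` clients as well; both are pre-existing, but worth stating in the docstring. `init_request_processors` begins before the hunk.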
From: Kevin Chung
Date: Wed, 29 Apr 2020 18:41:18 -0400
Subject: [PATCH 2/2] Reorder code and fix tests

---
 CTFd/utils/initialization/__init__.py | 42 +++++++++++++--------------
 tests/teams/test_teams.py | 19 +++++++-----
 tests/users/test_users.py | 3 +-
 3 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/CTFd/utils/initialization/__init__.py b/CTFd/utils/initialization/__init__.py
index c10e3b24..e245503e 100644
--- a/CTFd/utils/initialization/__init__.py
+++ b/CTFd/utils/initialization/__init__.py
@@ -164,6 +164,27 @@ def init_request_processors(app):
 else:
 return redirect(url_for("views.setup"))
 
+ @app.before_request
+ def tracker():
+ if request.endpoint == "views.themes":
+ return
+
+ if authed():
+ track = Tracking.query.filter_by(ip=get_ip(), user_id=session["id"]).first()
+ if not track:
+ visit = Tracking(ip=get_ip(), user_id=session["id"])
+ db.session.add(visit)
+ else:
+ track.date = datetime.datetime.utcnow()
+
+ try:
+ db.session.commit()
+ except (InvalidRequestError, IntegrityError):
+ db.session.rollback()
+ logout_user()
+
+ db.session.close()
+
 @app.before_request
 def banned():
 if request.endpoint == "views.themes":
@@ -190,27 +211,6 @@ def init_request_processors(app):
 403,
 )
 
- @app.before_request
- def tracker():
- if request.endpoint == "views.themes":
- return
-
- if authed():
- track = Tracking.query.filter_by(ip=get_ip(), user_id=session["id"]).first()
- if not track:
- visit = Tracking(ip=get_ip(), user_id=session["id"])
- db.session.add(visit)
- else:
- track.date = datetime.datetime.utcnow()
-
- try:
- db.session.commit()
- except (InvalidRequestError, IntegrityError):
- db.session.rollback()
- logout_user()
-
- db.session.close()
-
 @app.before_request
 def tokens():
 token = request.headers.get("Authorization")
diff --git a/tests/teams/test_teams.py b/tests/teams/test_teams.py
index fb5b9723..27d34349 100644
--- a/tests/teams/test_teams.py
+++ b/tests/teams/test_teams.py
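Review bot: After this reorder the hook chain is `tracker()`, `banned()`, `tokens()`, and `banned()` only acts when `authed()` is true; if `tokens()` (its body is outside the hunk, only `request.headers.get("Authorization")` is visible) is what establishes the logged-in user for Authorization-header API calls, then `banned()` has already run with `authed()` false and a banned user's API token would still be honoured. That is an inference from the visible order and should be confirmed; the fix is either to register `banned()` after `tokens()` or to have the token lookup in `tokens()` reject a banned user or team with a 403 itself. A comment above the moved `tracker()` such as `# Order matters: tracker() records the visit before banned() can short-circuit the request` would also make the intended sequence explicit, since the commit does not say why the two hooks were swapped. `init_request_processors` begins before the hunk.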
@@ -59,28 +59,31 @@ def test_hidden_teams_visibility():
 register_user(app)
 with login_as_user(app) as client:
 user = Users.query.filter_by(id=2).first()
+ user_id = user.id
 team = gen_team(app.db, name="visible_team", hidden=True)
+ team_id = team.id
+ team_name = team.name
 team.members.append(user)
 user.team_id = team.id
 app.db.session.commit()
 
 r = client.get("/teams")
 response = r.get_data(as_text=True)
- assert team.name not in response
+ assert team_name not in response
 
 r = client.get("/api/v1/teams")
 response = r.get_json()
- assert team.name not in response
+ assert team_name not in response
 
- gen_award(app.db, user.id, team_id=team.id)
+ gen_award(app.db, user_id, team_id=team_id)
 
 r = client.get("/scoreboard")
 response = r.get_data(as_text=True)
- assert team.name not in response
+ assert team_name not in response
 
 r = client.get("/api/v1/scoreboard")
 response = r.get_json()
- assert team.name not in response
+ assert team_name not in response
 
 # Team should re-appear after disabling hiding
 # Use an API call to cause a cache clear
@@ -90,15 +93,15 @@ def test_hidden_teams_visibility():
 
 r = client.get("/teams")
 response = r.get_data(as_text=True)
- assert team.name in response
+ assert team_name in response
 
 r = client.get("/api/v1/teams")
 response = r.get_data(as_text=True)
- assert team.name in response
+ assert team_name in response
 
 r = client.get("/api/v1/scoreboard")
 response = r.get_data(as_text=True)
- assert team.name in response
+ assert team_name in response
 
 destroy_ctfd(app)
 
diff --git a/tests/users/test_users.py b/tests/users/test_users.py
index 2711607e..d9a0288b 100644
--- a/tests/users/test_users.py
+++ b/tests/users/test_users.py
@@ -48,6 +48,7 @@ def test_hidden_user_visibility():
 
 with login_as_user(app, name="hidden_user") as client:
 user = Users.query.filter_by(id=2).first()
+ user_id = user.id
 user_name = user.name
 user.hidden = True
 app.db.session.commit()
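Review bot: Two of the four `not in` checks in the first hunk follow `response = r.get_json()`, so `team_name not in response` is evaluated against a dict and `in` on a dict only inspects keys; those assertions pass whether or not the hidden team is listed, which is exactly what the test is meant to catch. The second hunk in this file already uses `response = r.get_data(as_text=True)` for the same `/api/v1/teams` and `/api/v1/scoreboard` endpoints, and the hidden-team checks should do the same, e.g. `response = r.get_data(as_text=True)` followed by `assert team_name not in response`. The new `team_id`/`team_name` captures would also benefit from a one-line comment saying why the attributes are copied before any request is made — presumably because the request hooks close the DB session and detach `team`, though that should be verified against the session handling — e.g. `# Snapshot attributes: request hooks close the session, detaching team`. `test_hidden_teams_visibility` begins before the hunk.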
@@ -60,7 +61,7 @@ def test_hidden_user_visibility():
 response = r.get_json()
 assert user_name not in response
 
- gen_award(app.db, user.id)
+ gen_award(app.db, user_id)
 
 r = client.get("/scoreboard")
 response = r.get_data(as_text=True)