Replacing hardcoded redirects with url_for()

CTFd/admin.py

@@ -34,10 +34,10 @@ def admin_view():
             session['admin'] = True
             session['nonce'] = sha512(os.urandom(10))
             db.session.close()
-            return redirect('/admin/graphs')
+            return redirect(url_for('admin.admin_graphs'))
 
     if is_admin():
-        return redirect('/admin/graphs')
+        return redirect(url_for('admin.admin_graphs'))
 
     return render_template('admin/login.html')
 
@@ -90,7 +90,7 @@ def admin_config():
         db.session.add(db_end)
 
         db.session.commit()
-        return redirect('/admin/config')
+        return redirect(url_for('admin.admin_config'))
 
     ctf_name = get_config('ctf_name')
     if not ctf_name:
@@ -173,11 +173,11 @@ def admin_pages(route):
             page.route = route
             page.html = html
             db.session.commit()
-            return redirect('/admin/pages')
+            return redirect(url_for('admin.admin_pages'))
         page = Pages(route, html)
         db.session.add(page)
         db.session.commit()
-        return redirect('/admin/pages')
+        return redirect(url_for('admin.admin_pages'))
     pages = Pages.query.all()
     return render_template('admin/pages.html', routes=pages, css=get_config('css'))
 
@@ -305,7 +305,7 @@ def admin_files(chalid):
 
             db.session.commit()
             db.session.close()
-            return redirect('/admin/chals')
+            return redirect(url_for('admin.admin_chals'))
 
 
 @admin.route('/admin/teams', defaults={'page':'1'})
@@ -395,7 +395,7 @@ def ban(teamid):
     user = Teams.query.filter_by(id=teamid).first()
     user.banned = 1
     db.session.commit()
-    return redirect('/admin/scoreboard')
+    return redirect(url_for('admin.admin_scoreboard'))
 
 
 @admin.route('/admin/team/<teamid>/unban', methods=['POST'])
@@ -404,7 +404,7 @@ def unban(teamid):
     user = Teams.query.filter_by(id=teamid).first()
     user.banned = None
     db.session.commit()
-    return redirect('/admin/scoreboard')
+    return redirect(url_for('admin.admin_scoreboard'))
 
 
 @admin.route('/admin/team/<teamid>/delete', methods=['POST'])
@@ -591,7 +591,7 @@ def admin_create_chal():
 
     db.session.commit()
     db.session.close()
-    return redirect('/admin/chals')
+    return redirect(url_for('admin.admin_chals'))
 
 
 @admin.route('/admin/chal/delete', methods=['POST'])
@@ -625,4 +625,4 @@ def admin_update_chal():
     db.session.add(challenge)
     db.session.commit()
     db.session.close()
-    return redirect('/admin/chals')
+    return redirect(url_for('admin.admin_chals'))

CTFd/auth.py

@@ -29,7 +29,7 @@ def reset_password(data=None):
         team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
         db.session.commit()
         db.session.close()
-        return redirect('/login')
+        return redirect(url_for('auth.login'))
 
     if request.method == 'POST':
         email = request.form['email'].strip()
@@ -54,7 +54,7 @@ Did you initiate a password reset?
 @auth.route('/register', methods=['POST', 'GET'])
 def register():
     if not can_register():
-        return redirect('/login')
+        return redirect(url_for('auth.login'))
     if request.method == 'POST':
         errors = []
         name = request.form['name']
@@ -88,6 +88,13 @@ def register():
                 team = Teams(name, email, password)
                 db.session.add(team)
                 db.session.commit()
+                db.session.flush()
+
+                session['username'] = team.name
+                session['id'] = team.id
+                session['admin'] = team.admin
+                session['nonce'] = sha512(os.urandom(10))
+
             if mailserver():
                 sendmail(request.form['email'], "You've successfully registered for the CTF")
 
@@ -95,7 +102,7 @@ def register():
 
         logger = logging.getLogger('regs')
         logger.warn("[{0}] {1} registered with {2}".format(time.strftime("%m/%d/%Y %X"), request.form['name'].encode('utf-8'), request.form['email'].encode('utf-8')))
-        return redirect('/login')
+        return redirect(url_for('challenges.challenges_view'))
     else:
         return render_template('register.html')
 
@@ -120,9 +127,9 @@ def login():
             logger = logging.getLogger('logins')
             logger.warn("[{0}] {1} logged in".format(time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
 
-            # if request.args.get('next') and is_safe_url(request.args.get('next')):
+            if request.args.get('next') and is_safe_url(request.args.get('next')):
-            #     return redirect(request.args.get('next'))
+                return redirect(request.args.get('next'))
-            return redirect('/team/{0}'.format(team.id))
+            return redirect(url_for('challenges.challenges_view'))
         else:
             errors.append("That account doesn't seem to exist")
             db.session.close()

CTFd/challenges.py

@@ -22,7 +22,7 @@ def challenges_view():
     if can_view_challenges():
         return render_template('chals.html', ctftime=ctftime())
     else:
-        return redirect('/login')
+        return redirect(url_for('auth.login', next='challenges'))
 
 
 @challenges.route('/chals', methods=['GET'])
@@ -45,7 +45,7 @@ def chals():
         return jsonify(json)
     else:
         db.session.close()
-        return redirect('/login')
+        return redirect(url_for('auth.login', next='chals'))
 
 
 @challenges.route('/chals/solves')
@@ -56,7 +56,7 @@ def chals_per_solves():
         for chal, count in solves:
             json[chal.chal.name] = count
         return jsonify(json)
-    return redirect('/login')
+    return redirect(url_for('auth.login', next='chals/solves'))
 
 
 @challenges.route('/solves')
@@ -108,7 +108,7 @@ def who_solved(chalid):
 @challenges.route('/chal/<chalid>', methods=['POST'])
 def chal(chalid):
     if not ctftime():
-        return redirect('/challenges')
+        return redirect(url_for('challenges.challenges_view'))
     if authed():
         fails = WrongKeys.query.filter_by(team=session['id'], chalid=chalid).count()
         logger = logging.getLogger('keys')

CTFd/utils.py

@@ -96,7 +96,7 @@ def init_utils(app):
         if request.path == '/setup' or request.path.startswith('/static'):
             return
         if not is_setup():
-            return redirect('/setup')
+            return redirect(url_for('views.setup'))
 
 
 def ctf_name():
@@ -140,7 +140,7 @@ def admins_only(f):
     @wraps(f)
     def decorated_function(*args, **kwargs):
         if session.get('admin', None) is None:
-            return redirect('/login')
+            return redirect(url_for('auth.login'))
         return f(*args, **kwargs)
     return decorated_function
 

CTFd/views.py

@@ -40,7 +40,7 @@ def redirect_setup():
     if request.path == "/static/css/style.css":
         return
     if not is_setup() and request.path != "/setup":
-        return redirect('/setup')
+        return redirect(url_for('views.setup'))
 
 
 @views.route('/setup', methods=['GET', 'POST'])
@@ -207,7 +207,7 @@ def profile():
                 team.country = country
                 db.session.commit()
                 db.session.close()
-                return redirect('/profile')
+                return redirect(url_for('views.profile'))
         else:
             user = Teams.query.filter_by(id=session['id']).first()
             name = user.name
@@ -219,4 +219,4 @@ def profile():
             return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation,
                                    country=country, prevent_name_change=prevent_name_change)
     else:
-        return redirect('/login')
+        return redirect(url_for('auth.login'))