3.0.0a1 (#1523)

Alpha release of CTFd v3. # 3.0.0a1 / 2020-07-01 **General** - CTFd is now Python 3 only - Render markdown with the CommonMark spec provided by `cmarkgfm` - Render markdown stripped of any malicious JavaScript or HTML. - This is a significant change from previous versions of CTFd where any HTML content from an admin was considered safe. - Inject `Config`, `User`, `Team`, `Session`, and `Plugin` globals into Jinja - User sessions no longer store any user-specific attributes. - Sessions only store the user's ID, CSRF nonce, and an hmac of the user's password - This allows for session invalidation on password changes - The user facing side of CTFd now has user and team searching - GeoIP support now available for converting IP addresses to guessed countries **Admin Panel** - Use EasyMDE as an improved description/text editor for Markdown enabled fields. - Media Library button now integrated into EasyMDE enabled fields - VueJS now used as the underlying implementation for the Media Library - Fix setting theme color in Admin Panel - Green outline border has been removed from the Admin Panel **API** - Significant overhauls in API documentation provided by Swagger UI and Swagger json - Make almost all API endpoints provide filtering and searching capabilities - Change `GET /api/v1/config/<config_key>` to return structured data according to ConfigSchema **Themes** - Themes now have access to the `Configs` global which provides wrapped access to `get_config`. - For example, `{{ Configs.ctf_name }}` instead of `get_ctf_name()` or `get_config('ctf_name')` - Themes must now specify a `challenge.html` which control how a challenge should look. - The main library for charts has been changed from Plotly to Apache ECharts. - Forms have been moved into wtforms for easier form rendering inside of Jinja. - From Jinja you can access forms via the Forms global i.e. `{{ Forms }}` - This allows theme developers to more easily re-use a form without having to copy-paste HTML. - Themes can now provide a theme settings JSON blob which can be injected into the theme with `{{ Configs.theme_settings }}` - Core theme now includes the challenge ID in location hash identifiers to always refer the right challenge despite duplicate names **Plugins** - Challenge plugins have changed in structure to better allow integration with themes and prevent obtrusive Javascript/XSS. - Challenge rendering now uses `challenge.html` from the provided theme. - Accessing the challenge view content is now provided by `/api/v1/challenges/<challenge_id>` in the `view` section. This allows for HTML to be properly sanitized and rendered by the server allowing CTFd to remove client side Jinja rendering. - `challenge.html` now specifies what's required and what's rendered by the theme. This allows the challenge plugin to avoid having to deal with aspects of the challenge besides the description and input. - A more complete migration guide will be provided when CTFd v3 leaves beta - Display current attempt count in challenge view when max attempts is enabled - `get_standings()`, `get_team_stanadings()`, `get_user_standings()` now has a fields keyword argument that allows for specificying additional fields that SQLAlchemy should return when building the response set. - Useful for gathering additional data when building scoreboard pages - Flags can now control the message that is shown to the user by raising `FlagException` - Fix `override_template()` functionality **Deployment** - Enable SQLAlchemy's `pool_pre_ping` by default to reduce the likelihood of database connection issues - Mailgun email settings are now deprecated. Admins should move to SMTP email settings instead. - Postgres is now considered a second class citizen in CTFd. It is tested against but not a main database backend. If you use Postgres, you are entirely on your own with regards to supporting CTFd. - Docker image now uses Debian instead of Alpine. See https://github.com/CTFd/CTFd/issues/1215 for rationale. - `docker-compose.yml` now uses a non-root user to connect to MySQL/MariaDB - `config.py` should no longer be editting for configuration, instead edit `config.ini` or the environment variables in `docker-compose.yml`
2025-12-20 07:14:24 +01:00 · 2020-07-01 12:06:05 -04:00
parent 9ca6270752
commit adc70fb320
298 changed files with 8789 additions and 5107 deletions
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -6,10 +6,10 @@ from flask import current_app as app
 from flask import redirect, render_template, request, session, url_for
 from itsdangerous.exc import BadSignature, BadTimeSignature, SignatureExpired

+from CTFd.cache import clear_team_session, clear_user_session
 from CTFd.models import Teams, Users, db
 from CTFd.utils import config, email, get_app_config, get_config
 from CTFd.utils import user as current_user
-from CTFd.cache import clear_user_session, clear_team_session
 from CTFd.utils import validators
 from CTFd.utils.config import is_teams_mode
 from CTFd.utils.config.integrations import mlc_registration
@@ -17,7 +17,7 @@ from CTFd.utils.config.visibility import registration_visible
 from CTFd.utils.crypto import verify_password
 from CTFd.utils.decorators import ratelimit
 from CTFd.utils.decorators.visibility import check_registration_visibility
-from CTFd.utils.helpers import error_for, get_errors
+from CTFd.utils.helpers import error_for, get_errors, markup
 from CTFd.utils.logging import log
 from CTFd.utils.modes import TEAMS_MODE
 from CTFd.utils.security.auth import login_user, logout_user
@@ -66,7 +66,7 @@ def confirm(data=None):
        return redirect(url_for("auth.login"))

    # User is trying to start or restart the confirmation flow
-    if not current_user.authed():
+    if current_user.authed() is False:
        return redirect(url_for("auth.login"))

    user = Users.query.filter_by(id=session["id"]).first_or_404()
@@ -82,19 +82,27 @@ def confirm(data=None):
                format="[{date}] {ip} - {name} initiated a confirmation email resend",
            )
            return render_template(
-                "confirm.html",
-                user=user,
-                infos=["Your confirmation email has been resent!"],
+                "confirm.html", infos=[f"Confirmation email sent to {user.email}!"]
            )
        elif request.method == "GET":
            # User has been directed to the confirm page
-            return render_template("confirm.html", user=user)
+            return render_template("confirm.html")


@auth.route("/reset_password", methods=["POST", "GET"])
@auth.route("/reset_password/<data>", methods=["POST", "GET"])
@ratelimit(method="POST", limit=10, interval=60)
 def reset_password(data=None):
+    if config.can_send_mail() is False:
+        return render_template(
+            "reset_password.html",
+            errors=[
+                markup(
+                    "This CTF is not configured to send email.<br> Please contact an organizer to have your password reset."
+                )
+            ],
+        )
+
    if data is not None:
        try:
            email_address = unserialize(data, max_age=1800)
@@ -115,7 +123,7 @@ def reset_password(data=None):
            if user.oauth_id:
                return render_template(
                    "reset_password.html",
-                    errors=[
+                    infos=[
                        "Your account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
                    ],
                )
@@ -144,16 +152,10 @@ def reset_password(data=None):

        get_errors()

-        if config.can_send_mail() is False:
-            return render_template(
-                "reset_password.html",
-                errors=["Email could not be sent due to server misconfiguration"],
-            )
-
        if not user:
            return render_template(
                "reset_password.html",
-                errors=[
+                infos=[
                    "If that account exists you will receive an email, please check your inbox"
                ],
            )
@@ -161,7 +163,7 @@ def reset_password(data=None):
        if user.oauth_id:
            return render_template(
                "reset_password.html",
-                errors=[
+                infos=[
                    "The email address associated with this account was registered via an authentication provider and does not have an associated password. Please login via your authentication provider."
                ],
            )
@@ -170,7 +172,7 @@ def reset_password(data=None):

        return render_template(
            "reset_password.html",
-            errors=[
+            infos=[
                "If that account exists you will receive an email, please check your inbox"
            ],
        )