2.1.0 (#957)

https://github.com/CTFd/CTFd/milestone/6
2025-12-17 22:14:25 +01:00 · 2019-04-17 01:36:30 -04:00
parent 33367422a5
commit b6d54b9ee9
278 changed files with 3659 additions and 13735 deletions
--- a/tests/admin/test_challenges.py
+++ b/tests/admin/test_challenges.py
@@ -1,24 +1,13 @@
-from tests.helpers import *
-
-
-def test_get_admin_challenges():
-    app = create_ctfd()
-    with app.app_context():
-        register_user(app)
-        client = login_as_user(app, name="admin", password="password")
-        r = client.get('/admin/challenges')
-        assert r.status_code == 200
-    destroy_ctfd(app)
-
-
-def test_get_admin_challenges_new():
-    app = create_ctfd()
-    with app.app_context():
-        register_user(app)
-        client = login_as_user(app, name="admin", password="password")
-        r = client.get('/admin/challenges/new')
-        assert r.status_code == 200
-    destroy_ctfd(app)
+from CTFd.models import Challenges
+from CTFd.utils import set_config
+from tests.helpers import (
+    create_ctfd,
+    destroy_ctfd,
+    register_user,
+    login_as_user,
+    gen_challenge,
+    gen_flag
+)


 def test_create_new_challenge():
@@ -54,7 +43,7 @@ def test_hidden_challenge_is_reachable():
        register_user(app)
        client = login_as_user(app, name="admin", password="password")
        chal = gen_challenge(app.db, state='hidden')
-        flag = gen_flag(app.db, challenge_id=chal.id, content='flag')
+        gen_flag(app.db, challenge_id=chal.id, content='flag')
        chal_id = chal.id

        assert Challenges.query.count() == 1
@@ -81,3 +70,32 @@ def test_hidden_challenge_is_reachable():
        resp = r.get_json()['data']
        assert resp.get('status') == "correct"
    destroy_ctfd(app)
+
+
+def test_challenges_admin_only_as_user():
+    app = create_ctfd()
+    with app.app_context():
+        set_config('challenge_visibility', 'admins')
+
+        register_user(app)
+        client = login_as_user(app)
+
+        gen_challenge(app.db)
+        gen_flag(app.db, challenge_id=1, content='flag')
+
+        r = client.get('/challenges')
+        assert r.status_code == 403
+
+        r = client.get('/api/v1/challenges', json='')
+        assert r.status_code == 403
+
+        r = client.get('/api/v1/challenges/1', json='')
+        assert r.status_code == 403
+
+        data = {
+            "submission": 'flag',
+            "challenge_id": 1
+        }
+        r = client.post('/api/v1/challenges/attempt', json=data)
+        assert r.status_code == 403
+    destroy_ctfd(app)