Properly load schemas specified as strings (#943)

* Properly load schemas specified by their key string * Add test for UserSchema * Prevent users without teams from interacting with challenges if the CTF is in Team Mode
2025-12-18 14:34:21 +01:00 · 2019-04-08 01:47:26 -04:00
parent 7c60c697ee
commit c0a32a836b
16 changed files with 111 additions and 24 deletions
--- a/tests/api/v1/test_teams.py
+++ b/tests/api/v1/test_teams.py
@@ -480,3 +480,37 @@ def test_api_accessing_hidden_banned_users():
            assert client.get('/api/v1/teams/2/fails').status_code == 200
            assert client.get('/api/v1/teams/2/awards').status_code == 200
    destroy_ctfd(app)
+
+
+def test_api_user_without_team_challenge_interaction():
+    """Can a user interact with challenges without having joined a team?"""
+    app = create_ctfd(user_mode="teams")
+    with app.app_context():
+        register_user(app)
+        gen_challenge(app.db)
+        gen_flag(app.db, 1)
+
+        with login_as_user(app) as client:
+            assert client.get('/api/v1/challenges').status_code == 403
+            assert client.get('/api/v1/challenges/1').status_code == 403
+            assert client.post('/api/v1/challenges/attempt', json={
+                "challenge_id": 1,
+                "submission": "wrong_flag"
+            }).status_code == 403
+
+        # Create a user with a team
+        user = gen_user(app.db, email='user_name@ctfd.io')
+        team = gen_team(app.db)
+        team.members.append(user)
+        user.team_id = team.id
+        app.db.session.commit()
+
+        # Test if user with team can interact with challenges
+        with login_as_user(app, name="user_name") as client:
+            assert client.get('/api/v1/challenges').status_code == 200
+            assert client.get('/api/v1/challenges/1').status_code == 200
+            assert client.post('/api/v1/challenges/attempt', json={
+                "challenge_id": 1,
+                "submission": "flag"
+            }).status_code == 200
+    destroy_ctfd(app)
--- a/tests/api/v1/test_users.py
+++ b/tests/api/v1/test_users.py
@@ -3,6 +3,7 @@

 from CTFd.utils import set_config
 from CTFd.utils.crypto import verify_password
+from CTFd.schemas.users import UserSchema
 from tests.helpers import *


@@ -674,3 +675,22 @@ def test_api_user_send_email():
            assert r.status_code == 200

    destroy_ctfd(app)
+
+
+def test_api_user_get_schema():
+    """Can a user get /api/v1/users/<user_id> doesn't return unnecessary data"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app, name="user1", email="user1@ctfd.io")  # ID 2
+        register_user(app, name="user2", email="user2@ctfd.io")  # ID 3
+
+        with app.test_client() as client:
+            r = client.get('/api/v1/users/3')
+            data = r.get_json()['data']
+            assert sorted(data.keys()) == sorted(UserSchema.views['user'] + ['score', 'place'])
+
+        with login_as_user(app, name="user1") as client:
+            r = client.get('/api/v1/users/3')
+            data = r.get_json()['data']
+            assert sorted(data.keys()) == sorted(UserSchema.views['user'] + ['score', 'place'])
+    destroy_ctfd(app)